COVID Registration Spike and Abuse: Lessons Learned from a Contracted Party Perspective

32:05
Welcome all, all attendees will be on mute until the Q&A session

32:51
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.

33:25
To chat, please change the dropdown to include All Panelists and All Attendees to ensure everyone can see your message. To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.

34:36
Ashley is being modest - she’s also incoming Chair of the RrSG

43:58
To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.

47:04
RySG website: https://www.rysg.info/

49:12
Webinar recordings will be posted on the RySG website shortly.

49:45
As a reminder, to chat, please change the dropdown to include All Panelists and All Attendees to ensure everyone can see your message.

49:59
@Nathalie, will the presentations also be made available?

50:39
PSWG - the GAC's Public Safety Working Group

50:41
@joanna, the Zoom recording will cover slides, audio as well as chat content.

51:05
Great, thanks @Nathalie!

51:16
my pleasure!

53:34
Welcome to those just joining. All attendees will be on mute until the Q&A session. To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.

56:40
@all: to ensure everyone can see your chat messages, please change the dropdown to include All Panelists and Attendees.

01:00:41
Comment: though we didn’t use this contact point thing having it was useful

01:04:53
connecting with all the different LEAs through the cyber threat coalition helped a lot also to streamline investigations and share info

01:06:02
It’s unfortunate that some companies used keyword based lists to block without verifying first

01:06:35
which caused some legit government domains to be blocked

01:06:40
yup

01:06:55
An Garda Siochana weren’t impressed with one of their sites being blocked

01:08:11
It happens. We had covid19.rs blocked at DNS, I had to email, and then it was unlisted.

01:12:39
It sounds like a few common threads emerging - (1) The vast majority of COVID or CORONA strings were inactive, and some were beneficial, and (2) the “wrapper” of abuse may have been novel, but the tactics and methods were nothing new. Both would indicate that pre-emptively “blocking” strings was not a proportionate response.

01:13:46
+1 James

01:14:38
Yeah, that was tough. “Take Zinc to stop COVID!” was probably free expression. But “Buy our Zinc, it cures COVID” would cross the line.

01:15:06
+1 James

01:16:22
Blocking depends on your risk posture - who you are and what you are trying to protect from. That is separate from COVID, just a standard risk-management issue. I would like to see data from anti-spam vendors that provide insight into the mystery “parked” domains and their use in spam for example to better understand risks.

01:17:40
I don’t understand how a “parked” domain could be used - you can’t set any DNS records if you point a domain at any of the major parking services

01:17:53
so it’s just serving the parked monetisation pages

01:18:06
the “coming soon” parking is a bit different

01:18:24
but I’ve seen way more hyperbole than actual data

01:19:33
I’ve done exactly that many times for spam honeypots @michele, so not sure that tracks. And yes stats would be much better than hyperbole, hence the ask for data from anti-spam vendors!

01:20:30
Rod - I think we’re mostly on the same page

01:21:45
Great presentation

01:21:59
Comment: At CENTR we did similar research for European ccTLDs. Sample of 12 members showed very similar graphs as presented by Siôn and Graham.

01:22:26
Yes. Very helpful and informative webinar. Comments in the chat were quite helpful too. Thanks for organizing this.

01:23:53
@Michele - the domain name is parked for content and/or does not display content but has MX records so the domain can be used for email. This is the Modus Operandi for phishing. I would be curious if ICANN or anyone else was checking for MX records

01:24:25
@ Michele, AFAIK a domain that is listed as "parked" can still have a related e-mail account and can be used for phishing.

01:24:40
@Marc - oh I get the technical but what I’m referring to is that most mainstream parking platforms require you to change the name servers to the parking company

01:24:50
so there’s no option to add any other DNS records

01:25:15
Correct most of them operate in such a manner parking wise

01:25:23
Realized that Marc already stated what I said, sorry.

01:25:42
Does "parked" necessarily mean using only one of those platforms though? Probably depends on who is doing the study/analysis

01:25:59
Marc - devil is in the details of course

01:26:23
@Michele - yep, we are. I like comprehensive data that explores the entirety of an issue so we don’t draw the wrong conclusions from a narrow viewpoint. Unfortunately, that is very hard to get. Limited viewpoints can lead to assumptions that are both overly pessimistic and optimistic in how things look in fields like abuse. A continuous challenge, and why I find the presentations we have here and have seen elsewhere very interesting and indicative of specific portions of the issues, but not necessarily authoritative for the full picture. I’m still looking for data nirvana of course!

01:26:26
During the pandemic I've looked at many domains that are listed as parked but have MX records. So this is just something that varies between hosting providers.

01:26:54
I think we’re not talking about the same concept of “parked”

01:27:05
parked to me means Sedo / Parking Crew / DAN.com

01:27:06
Right. So would love to see an analysis like the ones shown in the presentation that addressed this aspect

01:27:24
hosting providers parking vs PPC parking providers are two different things

01:27:28
Oh no, we have a taxonomy problem!

01:27:37
MX records can of course be monitored - but the presence of an MX record is not determinative, but merely one ‘flag’. The registry / registrar review here would be relying heavily on a level of ‘guesswork’ and connecting very disparate dots. We need to look to the suitability of a registry vs a mail service provider in such instances.

01:27:38
Parking for me = PPC

01:27:39
Haha cybersec always have taxonomy problems

01:27:44
To Gabe re: MX records. Depends on the Rr, and for us on the reseller. Some may deploy MX as part of registration.

01:27:53
+1 to Graeme

01:28:05
a lot of domains with us could have an MX in the DNS but no actual service

01:28:07
And +1 to Graeme too

01:28:38
@michele - do you have any knowledge of what portion of registrars put MX default on during registration?

01:28:39
like 99% of our hosted sites have IPv6 but only about 1% of our clients would even know about it

01:28:49
@Alan Woods - of course MX record is only an indicator and not determinative but still very useful information as part of the overall analysis

01:28:52
@peter - no but JMCC would probably know

01:30:24
The "quarantent" mentioned in Graeme's slide actually made it into a CNN article on interesting COVID-related designs. :-) https://www.cnn.com/style/article/design-competition-coronavirus-spc-intl/index.html

01:30:52
From what I've seen regarding the TLDs we've been looking at most of the "parked" domains are "parked" such as the domains etc are paid for but the customer hasn't taken any visible action. So if I purchase a domain many of the companies will automatically list it as "parked" while in fact it is being used for e-mail communication. :)

01:32:00
+1 to Anton L - This is what I see in my practice every day when we go after phishers

01:32:48
Can those registries and registrars that want to BRIEFLY provide their insights on this subject please raise their hands now so that we know who to call on? We are running short on time. Thanks!

01:32:49
Indeed Anton, that is what both myself and several of my niche customers do routinely

01:33:18
@Marc Connecting to share experiences regarding that would be very beneficial for me.

01:33:48
I think Marc + Anton are calling “parked” what we’d probably call “inactive”

01:33:55
Sharing our site on Covid

01:33:56
https://padlet.com/acalderon/COVID19

01:33:57
or on a “coming soon”

01:34:01
@Michele: Likely

01:34:06
@Anton L- or it appears that the customer hasn't taken any action so when brand owners check monitoring it looks like unused. But in fact, they have set up MX records and are using them for email-based fraud

01:34:30
@Marc - Exactly.

01:34:55
Or actually using them for non fraudulent email

01:35:17
@Cheryl - that's possible but I am talking about phishers

01:35:41
I know @Marc, just reminding there is valid use as well ;-)

01:35:51
Phishes everywhere!

01:38:47
I look at thousands of domain names every week and in my experience it is statistically rare (but possible) that a domain name is similar to a well-known brand, has no content but MX records, and is being used for legitimate purposes. Of course if the brand has words that have generic meaning in a different context that number might go up, but not much in my experience.

01:39:45
yes, but do dont see you ;)

01:40:36
@Danko, only panelists can activate their video :)

01:41:53
Not seeing me is a good thing - I forgot to shave today

01:42:31
;)

01:43:07
Not a very experienced Zoom-user, is direct messaging not activated for this chat?

01:43:58
@anton, if you scroll down the chat drop down menu, you will see the individual names of attendees below

01:44:04
It is useful to observe in one of the presentations that the 11th week was the peak time and 21st Week was quite low. I surmise that the "activeness" of the domain names was always comparable. Am I correct in this surmise?

01:45:31
@Anton, Michele is right, in webinar mode, you can only chat either the panelist group, or all panelists and attendees. Apologies for the confusion!

01:46:15
@Nathalie & Michele: Thanks for the info

01:52:35
I can answer!

01:55:59
Thank you Graeme and Jim for answering. Anne

01:56:19
proactive is similar to prosecution before the crime, so it is case by case

01:57:56
Thanks Brian. Altho a shopping cart is content. :)

01:58:30
Right - it’s something we deployed specifically for this issue.

02:00:20
thank you all, great webinar!

02:00:21
Thanks everyone VERY informative!

02:00:30
Excellent session. Thanks everyone!

02:00:30
Thanks everyone!

02:00:33
Thanks all!