COVID Registration Spike and Abuse: Lessons Learned from a Contracted Party Perspective - Shared screen with speaker view
Who can see your viewing activity?
Welcome all, all attendees will be on mute until the Q&A asession
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.
To chat, please change the dropdown to include All Panelists and All Attendees to ensure everyone can see your message.To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.
Ashley is being modest - she’s also incoming Chair of the RrSG
To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.
RySg website: https://www.rysg.info/
Webinar recordings will be posted on the RySG website shortly.
As a reminder, to chat, please change the dropdown to include All Panelists and All Attendees to ensure everyone can see your message.
@Nathalie, will the presentations also be made available?
PSWG - the GAC's Public Safety Working Group
@joanna, the Zoom recording will cover slides, audio as well as chat content.
Great, thanks @Nathalie!
Welcome to those just joining. All attendees will be on mute until the Q&A session.To ask a question, click the Q&A box and type in your question. All unanswered questions will be answered at the end of the webinar. You may also raise your hand during the Q&A portion.
@all: to ensure everyone can see your chat messages, please change the dropdown to include All Panelists and Attendees.
Comment: though we didn’t use this contact point thing having it was useful
connecting with all the different LEA's through the cyber threat coalition helped a lot also to streamline investigations and share info
It’s unfortunate that some companies used keyword based lists to block without verifying first
which caused some legit government domains to be blocked
An Garda Siochana weren’t impressed with one of their sites being blocked
It happens. We had covid19.rs blocked at DNS, I had to email, and then it was unlisted.
It sounds like a few common threads emerging - (1) The vast majority of COVID or CORONA strings were inactive, and some were beneficial, and (2) the “wrapper” of abuse may have been novel, but the tactics and methods were nothing new. Both would indicate that pre-emptively “blocking” strings was not a proportionate response.
Yeah, that was tough. “Take Zinc to stop COVID!” Was probably free expression. But “Buy our Zinc, it cures COVID” would cross the line.
Blocking depends on your risk posture - who you are and what you are trying to protect from. That is separate from COVID, just a standard risk-management issue. I would like to see data from anti-spam vendors that provide insight into the mystery “parked” domains and their use in spam for example to better understand risks.
I don’t understand how a “parked” domain could be used - you can’t set any DNS records if you point a domain at any of the major parking services
so it’s just serving the parked monetisation pages
the “coming soon” parking is a bit different
but I’ve seen way more hyperbole than actual data
I’ve done exactly that many times for spam honeypots @michele, so not sure that tracks. And yes stats would be much better than hyperbole, hence the ask for data from anti-spam vendors!
Rod - I think we’re mostly on the same page
Peter Van Roste
Comment: At CENTR we did similar research for European ccTLDs. Sample of 12 members showed very similar graphs as presented by Siôn and Graham.
Yes. Very helpful and informative webinar. Comments in the chat were quite helpful too. Thanks for organizing this.
@Michele - the domain name is parked for content and/or does not display content but has MX records so the domain can be use for email. This is the Modus Operandi for phishing. I would be curious if ICANN or anyone else was checking for MX records
@ Michele, AFAIK a domain that is listed as "parked" can still have a related e-mail account and can be used for phishing.
@Marc - oh I get the technical but what I’m referring to is that most mainstream parking platforms require you to change the name servers to the parking company
so there’s no option to add any other DNS records
Correct most of them operate in such a manner parking wise
Realized that Marc already stated what I said, sorry.
Does "parked" necessarily mean using only one of those platforms though? Probably depends on who is doing the study/analysis
Marc - devil is in the details of course
@Michele - yep, we are. I like comprehensive data that explores the entirety of an issue so we don’t draw the wrong conclusions from a narrow viewpoint. Unfortunately, that is very hard to get. Limited viewpoints can lead to assumptions that are both overly pessimistic and optimistic in how things look in fields like abuse. A continuous challenge, and why I find the presentations we have here and have seen elsewhere very interesting and indicative of specific portions of the issues, but not necessarily authoritative for the full picture. Im still looking for data nirvana of course!
During the pandemic I've looked at many domains that are listed as parked but have MX records. So this is just something that varies between hosting providers.
I think we’re not talking about the same concept of “parked"
parked to me means Sedo / Parking Crew / DAN.com
Right. So would love to see an analysis like the ones shown in the presentation that addressed this aspect
hosting providers parking vs PPC parking providers are two different things
Oh no, we have a taxonomy problem!
MX records can of course be monitored - but the presence of a MX record is not determinative, but merely one ‘flag’. The registry / registrar review here would be relying heavily on a level of ‘guesswork’ and connecting very disparate dots. We need to look to the suitability of a registry vs a mail service provider in such instances.
Parking for me = PPC
Haha cybersec always have taxonomy problems
To Gabe re: MX records. Depends on the Rr, and for us on the reseller. Some may deploy MX as part of registration.
+1 to Graeme
a lot of domains with us could have an MX in the DNS but no actual service
And +1 to Graeme too
Peter Van Roste
@michele - do you have any knowledge of what portion of registrars put MX default on during registration?
like 99% of our hosted sites have IPv6 but only about 1% of our clients would even know about it
@Alan Woods - of course MX record is only an indicator and not determinative but still very useful information as part of the overall analysis
@peter - no but JMCC would probably know
The "quarantent" mentioned in Graeme's slide actually made it into a CNN article on interesting COVID-related designs. :-) https://www.cnn.com/style/article/design-competition-coronavirus-spc-intl/index.html
From what I've seen regarding the TLDs we've been looking at most of the "parked" domains are "parked" such as the domains etc are paid for but the customer havent taken any visible action. So If I purchase a domain many of the companies will automatically list it as "parked" while in fact it is being used for e-mail communication. :)
+1 to Anton L - This is what I see in my practice every day when we go after phishers
Can those registries and registrars that want to BRIEFLY provide their insights on this subject please raise their hands now so that know who to call on? We are running short on time. Thanks!
Indeed Anton, that is what both myself and several of my niche customers do routinely
@Marc Connecting to share experiences regarding that would be very beneficial for me.
I think Marc + Anton are calling “parked” what we’d probably call “inactive”
Sharing our site on Covid
or on a “coming soon"
@Anton L- or it appears that the customer hasn't taken any action so when brand owners check monitoring it looks like unused. But in fact, they have set up MX records and are using for email-based fraud
@Marc - Exactly.
Or actually using them for non fraudulent email
@Cheryl - that's possible but I am talking about phishers
I know @Marc, just reminding there is valid use as well ;-)
I look at thousands of domain names every week and in my experience it is statistically rare (but possible) that a domain name is similar to a well-known brand, has no content but MX records, and is being used for legitimate purposes. Of course if the brand has words that have generic meaning in a different context that number might go up, but not much in my experience.
yes, but do dont see you ;)
@Danko, only panelists can activate their video :)
Not seeing me is a good thing - I forgot to shave today
Not a very experienced Zoom-user, is direct messaging not activated for this chat?
@anton, if you scroll down the chat drop down menu, you will see the individual names of attendees below
It is useful to observe in one of the presentations that the 11th week was the peak time and 21st Week was quite low. I surmise that the "activeness" of the domain names was always comparable. Am I correct in this surmise ?
@Anton, Michele is right, in webinar mode, you can only chat either the panelist group, or all panelists and attendees. Apologies for the confusion!
@Nathalies & Michele: Thanks for the info
I can answer!
Thank you Graeme and Jim for answering. Anne
proactive is similar to prosecution before the crime, so it is case by case
Thanks Brian. Altho a shopping cart is content. :)
Right - it’s something we deployed specifically for this issue.
thank you all, great webinar!
Thanks everyone VERY informative!
Peter Van Roste
Excellent session. Thanks everyone!