McColo and SPAM
brunner at nic-naa.net
Sat Dec 6 07:26:24 CST 2008
I read Gregg Keizer's piece in CW where FireEye's Fengmin Gong is quoted
as "We have registered a couple hundred domains," Gong said, "but we
made the decision that we cannot afford to spend so much money to keep
registering so many [domain] names."
Now interposing on the Srizbi system's attempt to communicate shouldn't
be signing up to do an unlimited number of $6 buys from VGRS plus the
overhead to ICANN and a registrar, after all, it is likely that Srizbi
isn't using real money to do its domain buys ... so I wrote to the dead
mailbox at Gong's company to ask for numbers, and if anyone in the
registrar/registry business units knew why Gong's company was doing a
couple hundred buys, and what T&C they were offered to keep Srizbi
How many domains did FE register, through which registrar(s), and at any
point did FE represent to the registrar(s) or to the registry (or
registries) the purpose of the buys was to keep Srizbi disconnected? If
the registrar(s) or registry(ies) were informed of the purpose of the
buys, what response, if any, did they make to FE's representation?
I want to know what FE's burn rate was in prophylactic domain buys, and
who told FE to let Srizbi resynch its C&C nodes with its bots. I will
discuss what I learn with the ICANN GNSO Council. If Keizer's even
remotely correct on this point, then this is a "should never happen
again" scenario where the GNSO can mandate registry, and registrar
So yeah, collaboration would be good, but FE ain't taking my mail, so if
this is ever going to go to registrar/registry policy land, it will have
to find its own way there. We just lost the unlimited 5 day "Add Grace
Period" due to domainers and (some) registrars using it for tasting, and
carving out a "prophylactic grace period" for things like this is
possible, so that it becomes a no-charge to the interposing buy engine.
my two beads worth,
Paul Ferguson wrote:
> On Fri, Dec 5, 2008 at 11:10 PM, Paul Kelly :: Blacknight
> <paul at blacknight.com> wrote:
>> We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it
>> mirrors spamhaus amongst other things.
> McColo was just an exercise in "managing" cyber crime operations in the
> Please do not be distracted by the whole "spam" issue, it's just a
> byproduct of much larger criminal operation.
> What this community should really be discussing is how to deal with these
> issues in a collaborative manner, because that is exactly what is needed to
> combat it.
> - - ferg