McColo and SPAM

Eric Brunner-Williams brunner at
Sat Dec 6 13:26:24 UTC 2008


I read Gregg Keizer's piece in CW where FireEye's Fengmin Gong is quoted 
as "We have registered a couple hundred domains," Gong said, "but we 
made the decision that we cannot afford to spend so much money to keep 
registering so many [domain] names."

Now interposing on the Srizbi system's attempt to communicate shouldn't 
be signing up to do an unlimited number of $6 buys from VGRS plus the 
overhead to ICANN and a registrar, after all, it is likely that Srizbi 
isn't using real money to do its domain buys ... so I wrote to the dead 
mailbox at Gong's company to ask for numbers, and if anyone in the 
registrar/registry business units knew why Gong's company was doing a 
couple hundred buys, and what T&C they were offered to keep Srizbi 
disconnected ...

No response.

How many domains did FE register, through which registrar(s), and at any 
point did FE represent to the registrar(s) or to the registry (or 
registries) the purpose of the buys was to keep Srizbi disconnected? If 
the registrar(s) or registry(ies) were informed of the purpose of the 
buys, what response, if any, did they make to FE's representation?

I want to know what FE's burn rate was in prophylactic domain buys, and 
who told FE to let Srizbi resynch its C&C nodes with its bots. I will 
discuss what I learn to the ICANN GNSO Council. If Keizer's even 
remotely correct on this point, then this is a "should never happen 
again" scenario where the GNSO can mandate registry, and registrar 

So yeah, collaboration would be good, but FE ain't taking my mail, so if 
this is ever going to go to registrar/registry policy land, it will have 
to find its own way there. We just lost the unlimited 5 day "Add Grace 
Period" due to domainers and (some) registrars using it for tasting, and 
carving out a "prophylactic grace period" for things like this is 
possible, so that it becomes a no-charge to the interposing buy engine.

my two beads worth,

Paul Ferguson wrote:
> On Fri, Dec 5, 2008 at 11:10 PM, Paul Kelly :: Blacknight
> <paul at> wrote:
>> We saw a dramatic decrease. Attached is our dnsbl mirror in .ie, it
>> mirrors Spamhaus amongst other things.
> McColo was just an exercise in "managing" cyber crime operations in the
> U.S.
> Please do not be distracted by the whole "spam" issue, it's just a
> byproduct of a much larger criminal operation.
> What this community should really be discussing is how to deal with these
> issues in a collaborative manner, because that is exactly what is needed to
> combat it.
> $.02,
> - - ferg
