Article on spammers and their infrastructure

Eric Brunner-Williams brunner at
Thu Dec 31 10:32:20 CST 2009

At the Montevideo ICANN meeting, in August, 2001, I was surprised, and 
disapointed, that the ISP Constituency had reduced to ... a couple of IP 

So, as a point of departure, were one going to advocate policy which 
affects ISPs as ISPs, as opposed to ISPs as trademark portfolio 
managers, one would first have to, as Shakespeare put it, kill all the 

Well, perhaps it would be sufficient to inform the lawyers the ISPs do 
send, who are nice enough people, that ISPs have operational issues 
other than protecting their brand portfolios.

At the Paris meeting two years ago there was a charming presentation on 
GNSO constituency voting behavior, which showed that on the order of all 
the time less noise, the ISP Constituency, voted indistinguishably from 
the Intellectual Property Constituency.

Of course, the same result was shown for the Business Constituency, but 
there I wouldn't bother to inform the incumbents of the end of their 
tenure, should real business ever take an interest in policy formation 

I agree with Fred, IETF has use case requirements such as providing 
competitors with a means to create standards without risk of competition 
policy complications, as well as more benign requirements that fit on 
the backs of tee shirts.

Where the chain of delegation Paul mentions, by way of inviting NANOG 
contributors to do more than suggest ARIN do something, of addresses, 
and the chain of delegation Fred mentions, commenting on registries, 
registrars, and the Add Grace Period (AGP) exploit (aka "domain 
tasting"), or domains, share an anchor is in the IANA function. I've 
mentioned this previously, the delegation of trust down the BGP bunny 
trail and the delegation of trust down the DNS bunny trail, are an area 
where delegation of trust, as a policy issue, is common to both the 
numbers and the names operators.

The back of the envelope for the AGP exploit is that it contributed a 
substantial part of the 35,000,000 monitized domains registrations. With 
that assumption, and using the dominant pricing (.COM), this means on 
the order of $6 to the registries and their operators, on the order of 
$1 to the registrars, and on the order of $0.20 to ICANN. That is $100m 
to COM/NET/ORG (VGRS and PIR/Afilias), and $35m to eNom, Moniker, 
Directi, ... and $6m to ICANN, per year, recurring, for quite a few 
years to come.

NOTE WELL: As a registry operator CORE does not allow, and as a 
registrar, CORE does not pursue AGP exploits.

Where Fred errs is in characterizing the AGP exploit as a means to 
provide operational agility to spammers. Of course it was used that way, 
but the entire point of agility is not avoiding a $6 cost of asset, it 
is having an asset that for some number of weeks, recently days, now 
hours, which allows each particular exploit to meet its ROI goals. The 
overwhelming use case for the AGP exploit was to acquire static, 
recurring revenue resources, monitized by advertizing, and a mature 
market in these assets exists. Greater agility arises from flux and 
double flux, exploits of the rapid update property Paul, and I, 
commented on back in August 2004.

In a nutshell, domainers need low cost means to discover low marginal 
cost to acquire strings exceeding some low multiple of $6/year gross 
recurring revenue.
Spammers (and other rational economic actors, e.g., the Conficker .C 
rendezvous mechanism author(s)) create value in excess of some low 
multiple of $6/day non-recurring revenue through arbitrary string 

Domainers are not the same as spammers, and I've written a draft section 
here (, a 
contribution to a Bolt techlaw paper in progress) that there is at least 
one frame of reference other than trademark interest to view domain name 
speculation as harmful to public policy goals, in particular, IPv4 
address exhaustion. I'd be grateful for informed comments on that note.

It does take more than writing blog posts, and outcomes are not a given. 
I am, at year's end, very disappointed in the registries as a 
constituency, and very disappointed in the registrars as a constituency, 
and profoundly concerned that the ICANN Board has been successfully 
mobbed by domainers moving up the food chain to registry applicants. 
This will either mean "four eyes and more" on deltas to the IANA root 
become a thing of the past, or applications like the Catalan application 
in 2004 will be served after the last monitization exploit, and the last 
brand name, has been stuffed into the anything-for-a-dollar-or-a-laugh 
root. The only thing remotely "good" to come out of ICANN is bidi 
(Arabic and Hebew scripts) and Cyrillic and CJK strings, as a 
presentation layer hack (IDNAbis), as TLDs, enabling root-to-leaf script 
consistency, for some 40 ccTLD operators and their user bases.

The bulk of the 100 or so non-shell registrars [1] were not AGP 
exploiters, and the CAT, COOP, and MUSEUM registries and their 
operators, do not pursue secondary revenue exploits.

Randy suggests the ITU may prey on ICANN. I'm sorry to say that I see 
more likelihood of failure of the mostly private system now then I did 
prior to the transition from the MoU to the AoJ regimes, though not 
because of any change innate to these as legal regimes, but through 
institutional capture by private interest, naturally excluding 
addressing and protocol interests, and unrelated, the executive, Board 
and some staff preference for large for-profit corporations, possibly 
linked to status and individual career choices.

My New Year's resolution is to spend the first week of the year coding, 
and to pick up my old OSF RI work, mk++, like knitting, as therapy.

IANA Registrar ID 15
operator, .CAT
operator, .MUSEUM

[1] shell registrars exist for another exploit, to maximize race 
contention results for the VGRS drop pool, the acquisition of expired 
names which have "name" value or residual traffic monitization value. 
Four companies control 318 US domiciled ICANN accreditations: eNom 
(116), Directi/PDR (47), Dotster (51), and Snapnames (104). Source:

On 12/31/09 12:06 AM, Fred Baker wrote:
> One might say the same about the IETF, which Randy likes to lampoon. 
> Not sure how it comes up in this context, as (as Randy loves to remind 
> us) while many operators attend, it is not first-and-foremost an 
> operational community. As to ICANN, I think Rich may be talking about 
> the registries and registrars for their DNS names, but not the agency 
> that coordinates them. At most, ICANN can give them suggestions. And 
> as for addresses, they get them from their local ISPs.
> What ICANN and many of the registries have in fact done is make an 
> issue of domain name "tasting", which is a means by which some forms 
> of abusers change names rapidly to evade filters. That is a matter of 
> having the fox guard the henhouse, however; the registries make money 
> on names being sold, and "tasting" is a means of making a lot of 
> sales. So while some have good efforts there, not all are motivated to 
> fight abuse.
> As to addresses, we can point to at least one entire ISP shut down as 
> most of the traffic coming from it was abusive. But for ISPs, it 
> becomes at least in part a matter of the amount of trouble they cause 
> their immediate neighbors. If they can link to other ISPs, who they 
> sell their services too is somewhat opaque to the wider world. And 
> since the abusers are not above "owning" systems, every network has 
> some subset of its subscribers to think about.
> I agree with your sentiment, Rich, and empathize with your 
> frustration. Writing comments in blogs doesn't get the hard work of 
> tools and policy done, though. You have to take the next step.
> On Dec 30, 2009, at 8:26 PM, Paul Vixie wrote:
>> Randy Bush <randy at> writes:
>>>> If ARIN and/or RIPE and/or ICANN and/or anyone else were truly
>>>> interested in making a dent in the problem, then they would have 
>>>> already
>>>> paid attention to our collective work product.
>>> the rirs, the ietf, the icann, ... each think they are the top of the
>>> mountain.  we are supposed to come to them and pray.  more likely that
>>> the itu will come to them and prey.
>> ARIN (an RIR) does not think in terms of mountains.  the staff and 
>> company
>> does what members and the elected board and elected advisory council 
>> ask.
>> ARIN is a 501(c)(6) and sticks to its knitting, which thus far means no
>> distinguished role in "spammers and their infrastructure" but that could
>> change if someone writes a policy proposal which is adopted after the
>> normal policy development process.
>> please do consider whether ARIN could help with "spammers and their
>> infrastructure" and if so, write a policy draft to that effect.  ARIN is
>> responsive to community input, and has well established and well 
>> publicized
>> mechanisms for receiving and processing community input.  nobody has to
>> come and pray, but likewise, nobody should expect ARIN to look for 
>> mission
>> creep opportunities.  ARIN will go on doing what the community asks, no
>> less, no more.  ARIN has no mechanism, as a company, for "[paying]
>> attention to [your] collective work product".  our members, and the 
>> public
>> at large who participates in ARIN's policy development process, do that.
>> -- 
>> Paul Vixie
>> Chairman, ARIN BoT

More information about the NANOG mailing list