Thursday, January 24, 2008 9:49 PM cmosby

Is it Domain Tasting or Domain Misusing? - McAfee Avert Labs Blog

 


Thursday January 24, 2008 at 11:01 am CST
Posted by Francois Paget


When a registrar registers a domain name, there is a five-day Add Grace Period (AGP) during which it may cancel the request and receive a full credit for the registration fee from the registry. Use of this period has been gaining popularity since mid-2005, and although it was originally set up to avoid mistakes, the practice is now frequently abused.

Besides the fact that some domainers use it to track names with a high potential to generate traffic, and thus pay-per-click revenue, people who use the fast-flux and rockphish techniques, which we have already discussed here in detail, now use it on a scale that would be interesting to measure. Domain Tasting involves registering names only to release them very quickly, without paying for them. This practice exploded in 2007, and an incredible number of temporary domain names that had definitely been used to carry out malicious activities were deleted at the end of this Add Grace Period.

A quick analysis of the activity of registrars accredited by ICANN (Internet Corporation for Assigned Names and Numbers) helps to measure the phenomenon. Already in 2006, during an organizational meeting, a workshop called "Domain Name Marketplace" looked at figures from Verisign, the registry for .COM and for .NET. Between May 1 and 31, 2006, they listed 616 registrars that had registered at least one name. Only 18 of them were responsible for 98.1% of this type of activity.

The following graph from Nick Ashton-Hart (Director for At-Large at ICANN) makes this clear:

It shows that the phenomenon is continuing to grow and that it involves more than just a few companies speculating on highly attractive domain names.
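The measurement described above can be reproduced from registry add/delete records. The following Python sketch is an added example, not part of the original post: it flags names deleted inside the five-day AGP and computes how concentrated that activity is among registrars. The records, registrar names, and the inclusive treatment of the five-day boundary are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

AGP = timedelta(days=5)  # Add Grace Period length given in the post

# Constructed sample records: (domain, registrar, created, deleted or None).
RECORDS = [
    ("qx7kd2.example", "RegistrarA", "2007-12-06T10:00", "2007-12-11T09:00"),
    ("zz19pl.example", "RegistrarA", "2007-12-07T08:00", "2007-12-07T20:00"),
    ("mv03ht.example", "RegistrarA", "2007-12-08T00:00", "2007-12-10T00:00"),
    ("shop-a.example", "RegistrarA", "2007-12-01T00:00", None),
    ("b1-late.example", "RegistrarB", "2007-12-05T12:00", "2007-12-10T13:00"),
    ("b2-fast.example", "RegistrarB", "2007-12-09T00:00", "2007-12-09T06:00"),
    ("b3-kept.example", "RegistrarB", "2007-12-02T00:00", None),
    ("c1-kept.example", "RegistrarC", "2007-11-20T00:00", None),
    ("c2-kept.example", "RegistrarC", "2007-11-21T00:00", None),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M") if ts else None

def deleted_in_agp(created, deleted):
    """True if the name was deleted inside the refund window.
    Assumption: the five-day boundary is treated as inclusive."""
    return deleted is not None and timedelta(0) <= deleted - created <= AGP

def registrar_stats(records):
    """Per registrar: (adds, AGP deletes, AGP-delete ratio)."""
    adds, tasted = Counter(), Counter()
    for _domain, registrar, created, deleted in records:
        adds[registrar] += 1
        if deleted_in_agp(parse(created), parse(deleted)):
            tasted[registrar] += 1
    return {r: (adds[r], tasted[r], tasted[r] / adds[r]) for r in adds}

def concentration(stats, top_n):
    """Share of all AGP deletes made by the top_n registrars."""
    counts = sorted((t for _a, t, _r in stats.values()), reverse=True)
    total = sum(counts)
    return sum(counts[:top_n]) / total if total else 0.0

if __name__ == "__main__":
    stats = registrar_stats(RECORDS)
    for name, (adds, tasted, ratio) in sorted(stats.items()):
        print(f"{name}: adds={adds} agp_deletes={tasted} ratio={ratio:.2f}")
    print(f"top-1 share of AGP deletes: {concentration(stats, 1):.0%}")
```

A registrar whose AGP-delete ratio stays high across many adds is tasting at volume rather than correcting occasional mistakes.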

Undoubtedly, hiding behind this multitude of names are blatantly criminal people who create and use random names, registered using more or less automated methods, which then serve for a few days, or even a few hours, as temporary sites for selling products offered through spam campaigns or as mirror sites tied to phishing campaigns.

Below is a very brief excerpt from a list spanning several hundred pages that shows a series of domain names that were removed on December 11, 2007. It is clear that these names are not only viewed or used as high potential domain names:

For people interested in the domain tasting issue, I recommend a read of the GNSO Issues Report on Domain Tasting. GNSO (Generic Names Supporting Organisation) is the specific part of ICANN responsible for developing and recommending to the ICANN Board policies relating to generic Top Level Domains (gTLD).

Thanks to Franck Veysset (from France Telecom R&D) who gave me some details on this phenomenon during the last CLUSIF Cybercrime Conference in Paris.

Source: Computer Security Research - McAfee Avert Labs Blog
