20 registrars control 90% of illicit domains, says Knujon

I recently received a note from Garth Bruen, who with his father runs the anti-junk-mail site Knujon (no junk, backwards). Knujon has so far shut down over 50 thousand junk mail sites. The complete message follows:

Martin,

KnujOn is preparing for a presentation next week at the High Technology Crime Investigation Association Ohio Spring Training Conference, and we thought it might be prudent to share some statistics featured in the presentation.

Since 2005 Knujon.com has been collecting spam samples from the public. Not to build better filters or blacklists, but rather to use them for illicit site termination, to test the Internet's policy infrastructure, and gather important statistics. Our general goal is to target advertised illicit transaction sites and hopefully take the money incentive out of the spam cycle.

Three years and millions of spam emails later we have discovered some very interesting things. Like many people, we assumed that the real source of the spam problem was finite. What is shocking is how concentrated this problem is. As indicated in the subject line, 90% of the illicit websites (fake pharma, software piracy, knockoffs, etc) tracked by us are registered at just 20 providers.

To clarify this relationship it is important to understand that the botnets sending spam are huge; the smaller population being referred to here is the actual advertised landing sites. It gets confusing when everyone is talking about "sources" and various numbers. Let's take this as an example: A botnet with 100,000 machines sends a 2 million message email blast (example, not real numbers). The spam messages actually only reference 200 - 500 URI links. The URIs are often redirects that boil down to only 100 - 200 real domains, and 90% of these domains are controlled by 2.5% of the registrar population. So, we've got lots of senders, lots of messages, but they are herding victims into a very small corral.

There are over 800 ICANN Accredited Registrars and thousands of ISPs. Most providers are playing by the rules. The ones that are not adhering to policy are wreaking the most havoc across the web. Some of these providers merely have poor verification or auditing, others may be active partners to illicit activity and KnujOn is sorting out just which is which. What this means is that all the zombie-bot generated spam is intended to drive your attention to a very small subset of the Internet's infrastructure.

This situation raises interesting questions about who benefits from the sale of junk products and services or who allows these activities to persist. We're looking forward to discussing this and other topics in Lakeland, OH.

More news on this here.

Thanks, Garth

That raises another interesting question: what would it take to either bring those 20 registrars into line, or shut them down?
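The funnel described in the message (many messages, fewer URIs, fewer landing domains, a handful of registrars) can be measured on any spam corpus. The following is an added example, not part of the original post and not KnujOn's code; the sample messages, redirect map, registrar names and the function names are all constructed for illustration, and it assumes a hostname with "www." stripped is the registered domain.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not KnujOn's): WHOIS results, redirects, spam bodies.
REGISTRAR_OF = {
    **{f"pills{i}.example": "Registrar-A" for i in range(6)},
    **{f"watch{i}.example": "Registrar-B" for i in range(3)},
    "soft0.example": "Registrar-C",
}
REDIRECTS = {f"http://hop{i}.example/r": f"http://www.{d}/buy"
             for i, d in enumerate(REGISTRAR_OF)}
MESSAGES = [f"Great deals at http://hop{i % 10}.example/r today!" for i in range(40)]
MESSAGES.append("Direct link: http://WATCH1.example/sale.")

URI_RE = re.compile(r"https?://[^\s<>\"']+")

def landing_domains(messages, redirects):
    """Reduce spam bodies to the set of final landing hostnames they advertise."""
    domains = set()
    for body in messages:
        for uri in URI_RE.findall(body):
            uri = uri.rstrip(".,)")  # drop trailing sentence punctuation
            seen = set()
            while uri in redirects and uri not in seen:  # follow recorded hops, stop on loops
                seen.add(uri)
                uri = redirects[uri]
            host = urlsplit(uri).hostname or ""  # hostname is returned lower-cased
            # Assumption: hostname minus "www." is the registered domain (no public-suffix lookup).
            host = host[4:] if host.startswith("www.") else host
            if host:
                domains.add(host)
    return domains

def registrars_covering(domains, registrar_of, share_pct=90):
    """Fewest registrars, largest first, whose domains reach share_pct of all landing domains."""
    counts = Counter(registrar_of.get(d, "unknown") for d in domains)
    total, covered, picked = sum(counts.values()), 0, []
    for name, n in counts.most_common():
        if covered * 100 >= share_pct * total:
            break
        picked.append((name, n))
        covered += n
    return picked

if __name__ == "__main__":
    domains = landing_domains(MESSAGES, REDIRECTS)
    top = registrars_covering(domains, REGISTRAR_OF)
    print(f"{len(MESSAGES)} messages -> {len(domains)} landing domains -> {len(top)} registrars: {top}")
```

On real data the registrar for each domain would come from WHOIS or RDAP lookups, and a public-suffix list would be needed to reduce hostnames to registered domains.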

Copyright © 2008 IDG Communications, Inc.