Wednesday, September 5, 2007

Registrars: The Weakest Link

Why are registrars allowing blatantly fake information to be provided when registering a domain name?

Right now, with virtually any registrar you care to name, you can register a domain name using the name Mickey Mouse and you'll probably be approved. You can do so without ever speaking to a representative of the company who's registering the domain, and your hilarious fake registrant entry will indeed show up once your domain is approved.

Why is this the case?

For several years now, I and several of my colleagues have been documenting and reporting domains used by illegal pharmacy spammers which were registered using the following completely fake personal data:

Paul Gregoire (
175 Montreal Road #304
Vanier, ONTARIO K1L 6E4

175 Montreal Road is actually the address of a single level building housing the Playmate Club, a strip joint on the outskirts of Ottawa. Nobody at that address has ever heard of anyone named "Paul Gregoire."

gary reed
3495 Cambie Street
V5Z 4R3
Phone: +1.6047678695

That phone number leads to nothing but a voicemail box with the robotically slow voice prompt: "Garrrrry..... Reeeed". Nobody will ever call you back if you leave a message there. The postal address is a UPS dropoff location in a tiny mall in Vancouver. Nobody there has any record of anyone named Gary Reed on any of their customer lists. (It's a small list.)

Kevin Benson
1098 Queen St
Halifax, Nova Scotia B3H 2R9

Another bogus address. Nobody there has ever heard of this alleged person either. Phone number never connects.

I could go on and on. Others have. Do a search for Paul Gregoire and you see nothing but complaints about spam, and yet on a daily basis several thousand new domains continue to be registered using this completely fake identity. This is simply not acceptable.

If I know right now that I can register any domain I want - like for example "" - using whatever I want as the personal data, what kind of recourse is there for ordinary citizens to shut down these domains? In the real world, you have to be a living, breathing human being to register a business, and you have to be reachable via tangible physical means, whether that's a postal address, a phone number or a fax number. If not: it throws into question your ability to be trusted, as it should. No such boundaries exist in the domain registration game, which is really a shame since it's the biggest loophole which illegal spammers use to get around having to be held accountable for anything.

Several recent domains were registered using laughably fake personal information, and several hundred thousand domains were all registered and approved even though their only contact phone numbers was (555) 555-5555. Take this one for example


Technical Contact:
Holdings, RJ
6324 N Chatham Ave Suite #300
Kansas City, MO 64151-2473

All fake as well.

Another trick is to use arguably fake personal data from a foreign country, in the hopes that nobody will notice or follow up on it. How legitimate do you think this data is?

Admin Name........... huan huan
Admin Address........ chaoyang avenue 468
Admin Address........
Admin Address........ beijing
Admin Address........ 100438
Admin Address........ BJ
Admin Address........ CN
Admin Email..........
Admin Phone.......... +86.1045875892
Admin Fax............ +86.1093859833

That actually becomes a lot easier to track down thanks to the fact that the phone number doesn't exist, and the email address never responds to a single query as to its legitimacy. It helps to have friends who are familiar with Chinese naming, though. That is a laughably fake name.

Of course, as usual, that email address is pointlessly fake.

If I were out to overhaul any one point of contact in terms of how scammers get away with profiting via sales of illegal drugs, domain registration is the first place I'd start. Want to register a domain? You have to do it manually, and you have to wait for me to verify that you are who you say you are. This would be via phone first, email second. If that fails: no go, buddy. Try again. Further: once I have verified that you are who you say you are, re-verify whenever a change is made. Real, legitimate businesspeople will generally have no problem with this. Scammers definitely will.

I'd also ensure that the whois data contains a genuine abuse contact, which is active and does respond, and not just to test contacts.

Why more registrars are not doing this is beyond me, but rest assured criminal spammers are abusing this gaping loophole in the process. They are well aware that it takes several days of contact to get through to a registrar that something is amiss with a domain which is being used in a rampant spam campaign. They also know that in the time it takes to get someone's attention, investigate the issue, attempt to contact the fake domain and eventually (hopefully) shut it down, they will already have profited several thousand dollars. Large-scale criminals lose very little money from the way things work today. This has to change. Failing tha: ICANN really needs to step up and enforce their accreditation rules. Registering a domain with false contact information is flatly fraudulent behavior.

SiL / IKS / concerned citizen


Anonymous said...

Yea, a favourite gripe of mine. Filtering of commonly used spoofed domain names for phishing could be thwarted, such as "paypal", "ebay", "usbank" etc. - M

Mads Dam said...

Verifying the registrants data seems like an obvious idea. Why hasn't this been implemented long ago?

IKillSpammerz said...

Good question! I've also argued for a long while that there should be some "proving period" for customers who want to automatically register hundreds of domains in one shot. If you can't prove you are who you say you are, you don't get that right. Sadly: no registrar will do this because it's easy money.