
Xin Net from Zero to Hero
tembow (Blue Angel, Premium Member; joined Oct 10, 2005; 2881 posts)
Posted: Thu Jun 05, 2008 1:20 pm    Post subject: Xin Net from Zero to Hero

The worst shall be best . . .

Two weeks ago, we had a list of 10,000 spammed domains registered on Xin Net, and only 2% had been removed despite over a year of constant complaints.

Since then the number has swollen to 13,280, ranging back from December 2007 to as recent as May 5, 2008.

Today, all but a handful have been suspended, in a spectacular turn-around.
The results can be seen in summary form; the detailed list of removals can be seen in today's removals listing, and previous removals in the archives listing.

Once a registrar takes their role seriously, major turnarounds can be achieved.

Thanks go to Knujon for publicizing the issue, to ICANN for issuing directives to the recalcitrant registrars, and to the Complainterator team for their diligent tracking of the spammed sites. Thanks also to CastleCops for providing the wiki which acted as the trigger for these removals.

choicefresh (Lieutenant; joined Jul 06, 2006; 188 posts)
Posted: Thu Jun 05, 2008 3:03 pm

What a great birthday present!

I think it was the official messages from ICANN that finally scared them into listening.

trobbins (SIRT Handler, Premium Member; joined Feb 19, 2007; 1166 posts; Location: USA)
Posted: Thu Jun 05, 2008 5:17 pm

It's hard to say which straw broke the camel's back. It didn't happen because of any one person. It was a team effort applying pressure from all directions. So unless XIN NET or any of the other registrars come out and say exactly why they decided to take action, we can only take what we have done here and apply that to the next registrar that digs in their heels. I am just so glad that something good came out of all of this and we need to keep the momentum going.


Guest
Posted: Sat Jun 07, 2008 12:10 am

Yes indeed, excellent work by everyone and many thanks to all.

The way I look at it is that mounting evidence was collected by the combined efforts of Knujon and SIRT. When certain registrars were presented with the evidence, they decided not to act on the complaints for whatever reason.

ICANN took some heat, not necessarily for not trying to stop spam but for their failure to enforce compliance with contractual agreements (re: accreditation) that they had turned a blind eye to for so long.

ICANN and the worst offenders (registrars) made the press and became visible. One thing I can tell you folks, when an issue like this goes public and makes the press, you can pretty well be guaranteed greater accountability and action. The fallout is that the players/targets involved come under more scrutiny from all angles: the press, politicians, and authorities (nationally and internationally).

While Xin Net did the right thing by acting, when you think about it, they really had their backs against the wall. Perhaps this will serve as an example to other registrars that they will no longer be able to provide a safe haven for spammers and there could be serious consequences for not acting, which could draw negative press and publicity and foster a poor corporate image of them.

I have been spam free for 6 months which is a new record for me and I believe that Knujon and SIRT had a major role to play in this. So......many.....many...thanks for all your hard work.

AlphaCentauri (SIRT Handler, Premium Member; joined Nov 20, 2003; 2626 posts)
Posted: Sat Jun 07, 2008 5:23 pm

It just occurred to me that HKCERT/Hong Kong police may have had some influence as well. A while back, I reported some botnet-hosted Canadian Pharmacy domains registered with Xin Net, and copied the Hong Kong authorities. (Xin Net's new owners, Sino-i, are located in Hong Kong, and Hong Kong enacted tough laws last year protecting its citizens from internet criminals. We were communicating with them at the time Canadian Pharmacy was registering a couple thousand domains with HKDNR, and HKDNR turned that situation around very dramatically.)

The Hong Kong Office of the Telecommunications Authority wrote me back to get details of how I had gathered the list of bots in Hong Kong, and I gave them the link to tembow's Botscan program. Then I didn't hear any more for a couple months. But with tembow's program, they had all they needed to find as many bots as they wanted for themselves. Now all hell has broken loose.

It may have attracted attention in Beijing if PRC's largest registrar was going afoul of HK's tough internet law. I think the timing of the major registrars acting with such enthusiasm as well as using the same "4.4.4.1" blackhole address (instead of any we had seen before or suggested to them), suggests the Chinese government decided spammers were an embarrassment they didn't need and just put the word out that things had to change. Immediately.

Knujon (Captain, Premium Member; joined May 25, 2006; 584 posts; Location: USA)
Posted: Fri Jun 20, 2008 4:24 pm

Folks, I would not pop the champagne corks yet. I think we are watching faux compliance here. While it's great to see all these sites go away, Xin Net is NOT changing their overall behavior. There are hundreds of new sites every day there controlled by the same folks. The pressure needs to continue!

ahoier (SIRT Handler; joined Jan 14, 2006; 1023 posts; Location: USA)
Posted: Fri Jun 20, 2008 5:31 pm

Definitely. We've got to keep fighting. While some have moved off to other registrars, others have simply changed their "registrant" e-mail addresses, and moved to new e-mail providers since XIN Net must have blocked their previous registrations based on e-mail address.

AlphaCentauri (SIRT Handler, Premium Member; joined Nov 20, 2003; 2626 posts)
Posted: Fri Jun 20, 2008 5:42 pm

"Pressure" can be carrots or sticks. If they are getting attention for doing the right thing and seeing their worldwide prestige increasing, that's a significant incentive to keep it up. The Castlecops wiki apparently has the respect of the PRC government, as the Great Firewall of China usually blocks access to anything called "wiki." So having good press on Castlecops is good business for Xin Net.

As far as new registrations, Xin Net is huge. They probably process thousands of automated registrations daily, maybe hourly. All registrars struggle with detecting the spammers and scammers without becoming a PITA to legitimate businesses. Our "pressure" at this point is to continue to provide feedback so they can develop protocols to detect spammer fingerprints and to update those protocols to keep up with the spammers. Rather than faux compliance, I think we're seeing a learning curve, one we're trying to nurture.

What we're hearing in feedback from the Chinese registrars now is that there has been a lull in suspensions because they are setting up automated systems to perform them, and they feel their time would be best spent getting those systems on line ASAP. Once on line, the automated systems could catch up on the backlog much faster than could be done manually. They're understandably feeling a bit overwhelmed with the amount of work this is turning out to involve.

ahoier (SIRT Handler; joined Jan 14, 2006; 1023 posts; Location: USA)
Posted: Fri Jun 20, 2008 6:55 pm

Yep, hiring a human to shoot them down one by one isn't all too productive.

A machined/automated procedure is definitely in order.

It's been a long haul though, but it's coming along.

Now all they need is better knowledge of shutting down nameservers heheh.

tembow (Blue Angel, Premium Member; joined Oct 10, 2005; 2881 posts)
Posted: Sat Jun 21, 2008 6:42 am

In my conversations with the various Chinese registrars I am impressed with their willingness to tackle the issues, and take the appropriate steps to address the spam and crime wave that has been inflicted upon them.

So far we have seen a big migration away from the registrars that are actively fighting off the onslaught. An excellent case in point is Xiamen, that suddenly came under attack from the spammy registrants, and repelled them totally. Performance of the others can be seen at the summary reporting page.

Two of the newly abused registrars are PublicDomainRegistry (US) and Hichina (HK) so the strategy to move them out of China's registrars is starting to prove fruitful.

tembow (Blue Angel, Premium Member; joined Oct 10, 2005; 2881 posts)
Posted: Thu Jun 26, 2008 9:19 am    Post subject: Better than 100% compliance

Xin Net has ratcheted the spam fighting up a big notch today.

All the requested domain names registered at their company, which my team of Complainterators have been campaigning to have removed, were taken down in one day. This followed a concerted effort to bring them up to speed on the correct process for suspending name servers, which requires a higher skill level than suspending domain names. To ensure they understood the instructions, we had them translated into Chinese and posted them in the CastleCops Wiki.

So, as a result of
1. seekaybee reporting every XIN NET name server he could find, and
2. the recent translation of the improved name server removal method into Simplified Chinese, and
3. XIN NET being informed in several removal requests of the new Chinese instructions, and
4. many, many requests to Xin Net to shut down name servers using those instructions

I am delighted to announce some amazing news today. XIN NET has removed all of these name servers by placing them on Client Hold and setting address records to 61.61.61.61:

ablesingend.com
alldnshost.com
arethughe.com
axrpss.com
baladns.com
beautyrwrite.com
bedeneis.com
begindarksaw.com
bervk.com
besezema.com
boaeoa.com
buenlgoeap.com
cas454.com
ceaiustem.com
censaria.com
cldmusicwhy.com
closegooppeor.com
comardjobi.com
daleakee.com
discountedwears.com
discountperfection.com
dnsandsite.com
dnseuroserver.com
dnshostworld.com
dnsmedicalservers.com
doagens.com
drivetowordlot.com
dustkeeneyed.com
eastminuterm.com
ednsonline.com
exacthill.com
foodspelltwo.com
freigae.com
fuscadns.com
geranema.com
globohosts.com
globonss.com
gomeflymoney.com
goo33.com
gtd44.com
herieapse.com
hersns.com
heywiotta.com
holdsurface.com
hostdockdns.com
huttenus.com
huuut.com
icareken.com
ifreedns.com
ilmuspoia.com
juapeaete.com
kabnenter.com
kreaillen.com
linibbo.com
lohimsthar.com
lutrwpghd.com
man454.com
meanoflint.com
mesetecarg.com
mianbeii.com
mijeisees.com
mop33.com
mskns.com
muchtrlstreet.com
myhasic.com
nameedns.com
nameedns1.com
noeiira.com
ns444.com
ntnimalexample.com
numberthenfeel.com
ohheotme.com
oirogointhis.com
ortheirdont.com
oskboxthese.com
paxerta.com
pijaixe.com
pintkingtheir.com
pisuearek.com
playdeepbed.com
plowusera.com
poasetele.com
posknewgovern.com
procaessin.com
qw22.com
renewwdns.com
riversdgvern.com
rmplacepicture.com
roomlistenoften.com
rootsystemrestore.com
rorfast.com
rundnss.com
scliza.com
sitbetween.com
sjrbofa.com
starsideduring.com
storygreenuntil.com
stronglongor.com
sugahujie.com
ter345.com
thednsplanet.com
thelostif.com
thoughinchnome.com
tiunutoo.com
trangyues.com
usamilydier.com
usuolwoithod.com
vesnyna.com
vqwgds.com
wartyei.com
weblockoll.com
wereane.com
werigneb.com
wnknewthen.com
x44444.com
yuoowrx.com

If you detect any new name servers used for spammed sites, please feel confident to report them.

The knock-on effects of this huge operation are immediately noticeable. Huge numbers of sites spammed in the past months, and more importantly in the past days and hours, are dead, and not recoverable. Spammer affiliates will not be getting paid because of the "zero conversion rate".

Congratulations, team! And a big vote of thanks to the folks at Xin Net.

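An added illustration of the "knock-on effect" tembow describes, and of why suspending name servers needs more care than suspending domains. This is example code written for this page, not a tool from the thread or from the Complainterator team. The spammed domain names and the otherdns.example server are made up; the three suspended name-server domains are taken from tembow's list above.

```python
from collections import Counter

# Constructed sample data, not from the thread: a few made-up spammed domains and the
# name-server hostnames their delegations point at. The name-server base domains
# baladns.com, globohosts.com and dnshostworld.com come from tembow's list above;
# otherdns.example stands in for a name server that was not suspended.
SPAMMED_DOMAINS = {
    "pillshop-a.example": ["ns1.baladns.com", "ns2.baladns.com"],
    "pillshop-b.example": ["ns1.baladns.com", "ns2.globohosts.com"],
    "pillshop-c.example": ["ns1.dnshostworld.com", "ns2.dnshostworld.com"],
    "pillshop-d.example": ["ns1.globohosts.com", "ns1.otherdns.example"],
    "storefront-e.example": ["ns1.otherdns.example", "ns2.otherdns.example"],
}

# Name-server domains the registrar placed on Client Hold (subset of tembow's list).
SUSPENDED_NAME_SERVERS = {"baladns.com", "globohosts.com", "dnshostworld.com"}


def ns_base_domain(hostname: str) -> str:
    """Return the registrable domain of a name-server hostname.

    Assumes a one-label public suffix such as .com or .example, which holds for
    every name server in tembow's list; hostnames under multi-label suffixes
    (ns1.foo.co.uk) would need a public-suffix list instead.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def rank_name_servers(spammed: dict) -> Counter:
    """Count how many spammed domains each name-server base domain serves.

    This is the candidate list a reporter like seekaybee would work from: a name
    server fronting many spammed domains is worth a suspension request, but a
    shared legitimate DNS provider scores high too and must be excluded by hand.
    """
    counts = Counter()
    for hosts in spammed.values():
        for base in {ns_base_domain(h) for h in hosts}:
            counts[base] += 1
    return counts


def knock_on(spammed: dict, suspended: set) -> tuple:
    """Split spammed domains by what suspending the given name servers does to them.

    A domain is dead only when every one of its name servers is under a suspended
    base domain (Client Hold plus glue pointed at a blackhole address leaves the
    delegation with nothing that answers). If even one name server survives,
    resolvers fall back to it and the site keeps working; those domains need a
    follow-up request for the remaining name server or for the domain itself.
    """
    suspended = {s.lower() for s in suspended}
    dead, partial, unaffected = set(), set(), set()
    for domain, hosts in spammed.items():
        hit = [h for h in hosts if ns_base_domain(h) in suspended]
        if len(hit) == len(hosts):
            dead.add(domain)
        elif hit:
            partial.add(domain)
        else:
            unaffected.add(domain)
    return dead, partial, unaffected


if __name__ == "__main__":
    for base, n in rank_name_servers(SPAMMED_DOMAINS).most_common():
        print(f"{n:3d} spammed domain(s) served by {base}")
    dead, partial, unaffected = knock_on(SPAMMED_DOMAINS, SUSPENDED_NAME_SERVERS)
    print("dead:", sorted(dead))
    print("still resolving via a surviving name server:", sorted(partial))
    print("unaffected:", sorted(unaffected))
```

The "partial" bucket is the case to watch: pillshop-d.example keeps one live name server, so taking out globohosts.com alone does not kill it, which is the kind of gap ahoier's "better knowledge of shutting down nameservers" remark points at.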
bjz (Trooper; joined Dec 31, 2007; 16 posts; Location: USA)
Posted: Thu Jun 26, 2008 5:34 pm

Why is 61.61.61.61 unroutable?

ahoier (SIRT Handler; joined Jan 14, 2006; 1023 posts; Location: USA)
Posted: Thu Jun 26, 2008 7:15 pm

Not sure the "history" of it, but anything that is "outside" of the compromised network could be deemed "unroutable" AFAIK...(layman's terms I guess lol)

For example, BILT did some strange suspension a while back, using 4.1.1.4 or something weird....since there was no webserver/nameserver at 4.1.1.4 - the domain couldn't load.

I'm sure tembow would have better clarification.

tembow (Blue Angel, Premium Member; joined Oct 10, 2005; 2881 posts)
Posted: Thu Jun 26, 2008 11:36 pm

Highway 61? Unroutable?

The history is that a couple of years ago when I first started asking Chinese registrars to change the IP to a non-routable address, that is the blackhole address they selected. It also gives us a convenient "fingerprint" so that we know it is in response specifically to our request that the action was taken.

Other registrars in other parts of the world set up their own blackhole IPs in their own range. Examples:
AIT: 208.234.1.34, 216.117.186.139
Spot Domain: 66.116.109.47, 66.116.109.48
etc.

I hope that explains the 61.61.61.61 address!

bjz (Trooper; joined Dec 31, 2007; 16 posts; Location: USA)
Posted: Thu Jun 26, 2008 11:50 pm

I agree that if there is no nameserver at 4.1.1.4, the domain will not load. My concern is that a legitimate machine could have the 61.61.61.61 IP address.

I know that 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 169.254.0.0/16 are reserved for local use and are not routable. I can find no such rule for 61.*.*.*

In fact, whois (whois.apnic.net) reports that the 61.61.0.0-61.61.191.255 is allocated to a Taiwan company called kgex.com

If 61.61.61.61 is indeed a legitimate IP address, changing all of these name server addresses to 61.61.61.61 would be equivalent to launching a denial of service attack on that machine, or even that subnet if the router isn't particularly powerful.

--edit, tembow's answer was posted while I was composing this post.

Last edited by bjz on Thu Jun 26, 2008 11:55 pm, edited 1 time in total
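An added example, written for this page and not code from the thread, that puts tembow's blackhole "fingerprints" and bjz's reserved-range objection side by side. It uses Python's ipaddress module, which encodes the same RFC 1918, loopback, link-local and reserved ranges bjz lists, to classify an address and then checks it against the sinkhole addresses named in the posts above. The sinkhole table is compiled from those posts (treat it as a snapshot, not current registrar practice), and the glue records at the bottom are constructed; 45.45.45.45 is a placeholder for an ordinary live host, not a real name server.

```python
import ipaddress

# Blackhole addresses this thread reports registrars using when they suspend a
# domain or name server. Compiled from the posts above for illustration only.
KNOWN_SINKHOLES = {
    "61.61.61.61": "Chinese registrars including Xin Net (tembow's post)",
    "4.4.4.1": "Chinese registrars (AlphaCentauri's post)",
    "208.234.1.34": "AIT",
    "216.117.186.139": "AIT",
    "66.116.109.47": "Spot Domain",
    "66.116.109.48": "Spot Domain",
}


def address_kind(addr: str) -> str:
    """Classify an address using the special-purpose ranges ipaddress knows.

    Order matters: 127.0.0.1 is both loopback and 'private', and 240.0.0.1 is
    both reserved and 'private', so the more specific test runs first.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_reserved:
        return "reserved"
    if ip.is_private:
        return "private/special-purpose"
    return "global"


def assess_sinkhole(addr: str) -> dict:
    """Say whether pointing a suspended name server's glue at addr is harmless.

    A non-global address never reaches a third party. A global address is a
    real, routable destination: every resolver that still chases the dead
    delegation sends its queries to whoever holds that netblock, which is the
    concern bjz raises about 61.61.61.61. The lookup also reports which
    registrar's suspension convention the address matches, if any.
    """
    kind = address_kind(addr)
    return {
        "address": addr,
        "kind": kind,
        "routable": kind == "global",
        "sinkhole_used_by": KNOWN_SINKHOLES.get(addr),
    }


def audit_glue(glue: dict) -> dict:
    """Map name-server hostname -> verdict for a set of glue A records."""
    findings = {}
    for host, addr in glue.items():
        a = assess_sinkhole(addr)
        if a["sinkhole_used_by"] and a["routable"]:
            findings[host] = f"suspended by {a['sinkhole_used_by']} but {addr} is routable"
        elif a["sinkhole_used_by"]:
            findings[host] = f"suspended by {a['sinkhole_used_by']} into a non-routable address"
        elif a["routable"]:
            findings[host] = "live glue"
        else:
            findings[host] = f"{a['kind']} address"
    return findings


# Constructed glue records, made up for this example. 45.45.45.45 is only a
# stand-in for an ordinary live host.
SAMPLE_GLUE = {
    "ns1.baladns.com": "61.61.61.61",
    "ns1.globohosts.com": "4.4.4.1",
    "ns1.stillalive.example": "45.45.45.45",
    "ns1.lab.example": "10.0.0.1",
}

if __name__ == "__main__":
    for host, verdict in audit_glue(SAMPLE_GLUE).items():
        print(f"{host:25s} {verdict}")
```

Run against the sample glue, both 61.61.61.61 and 4.4.4.1 come back as recognised suspension fingerprints that are nevertheless globally routable, which is exactly the point bjz makes: the fingerprint is useful to the complainers, but an address from a reserved range (or one inside the registrar's own allocation, as AIT and Spot Domain do) would give the same signal without sending stray traffic to a third party.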