FYI...

- http://blog.washingtonpost.com/securityfix/2007/12/top_10_best_worst_antiphishing.html
December 11, 2007 - "...According to the latest stats from the Anti-Phishing Working Group, 84 percent of scam sites spotted in August used a registered Web site name... Most readers are unlikely to recognize any of the registrars in the list of the registrars that lead the industry in fighting phishing. But among the bottom performers, according to MarkMonitor, is Register.com, which took an average of 313 hours - or more than 13 days - to revoke Web site names that were used in phishing scams in the third quarter of 2007. That's more than four times the normal life of a phishing site: The APWG says the average scam site lives online for just over three days..."

(Charts for best and worst available at the URL above.)

That report is greatly flawed - the rating of registrars should not be taken seriously.

I especially like this bit:

By the way: Mark Monitor is a registrar, not a "security firm" as they claim:

-> http://www.icann.org/registrars/accredited-list.html

Also, I have seen very few phishing scams that used a specifically registered domain name for the website (e.g. paypal-team.com); most phishing pages reside on hijacked servers, and registrars should not take down such domain names.

I think it's good to publish such background information on phishing and other web scams, but it really needs a lot more research.

http://www.markmonitor.com/ - what are they trying to accomplish?

MarkMonitor should employ the services of a competent statistician. Statistically inept reports like this one reflect poorly on that company, and does nothing for their reputation.

I started developing a registrar abuse benchmark system once based on response times. The project was abandoned because in the end there was one big problem: it would not be possible to tell if the registrar suspended the domain based on my complaint or one from someone before or after me.

For example:

Spamislame reports phish on Monday to registrar R.
-registrar R received this complaint on Monday...does nothing..
I report the phish on Wednesday morning to the same registrar
-the registrar suspends the domain on Wednesday afternoon from Spamislame's complaint.

I enter in my database that registrar R has a response time of a few minutes. (when in reality it was 3 days!)


Another problem with the rating scale is that each phishing case is different, and so they should not be rated using the same criteria and thus compared.

For example:

* A fraudulent domain that was registered for the purpose of looking like a real bank would be shut down immediately by any self-respecting registrar.

* A hacked website of a legitimate domain would possibly involve the registrar contacting the host, the webmaster, the administrator, etc to first try and delete down the phishing pages. Only if that was impossible, would the registrar then shut down the domain.

* A web host with a customer's account hosted on a subdomain: This would be like the above, but a bit longer due to the potential ramifications of bringing offline an entire web host company.

So, in the end, I decided that there is no way to reliably create a scientific environment to be able to objectively rate registrars on performance and I thus abandoned the project.

I now believe that rating registrars should be done by anecdotal evidence and perhaps cross-referenced with the total number of phishing incidences as a ratio of the total number of domains. This is because such a rating allows for taking into account the community's experience of a registrar, as well as the registrar's "phishing fingerprint", which is going to reflect more closely the actual performance.

http://blog.washingtonpost.com/securityfix/2007/12/top_10_best_worst_antiphishing.html?nav=rss_blog

Anyone feel like replying to antibozo's question? - please do!

Foreign domains are those not registered with a registrar in your own home country, or hosted on an IP not in your own home country.

I remember my first visit to the USA, arriving at the customs clearance. There were two queues, One was labeled US Citizens. The other was labeled Aliens. I surreptitiously retracted my antennae into my frontal lobes and joined the latter.