Ref: http://www.knujon.com/registrars/

Out of fairness, it should be noted that Xin Net is not the only registrar who has reacted to the ICANN communications to registrars in China, followed by the Knujon report.

Xin Net has now gained the skill level required to shut down name servers.
The tracking site at http://wiki.castlecops.com/XIN_NET_NS_Suspended lists over 120 name servers successfully removed from the spammers.
They have also suspended every spammed site that the Complainterator team has sent in, whether by individual or bulk reports.

We have had a similar response from the others listed in the Knujon report:

* Todaynic since February 2008: Over 28,000 (100% compliance)

* Xin Net since December 2007: Over 16,000 (100% compliance)
Xin Net was losing 20% of all incoming mail until a month ago, when I convinced them to fix their Mail Exchange records which were not RFC compliant. Now all of their mail is getting through.

* Bizcn since December 2007: Over 3,000 (100% compliance)

* Beijing Innovative Linkage Technology since 2007: 1,180 (40% compliance)
This company has unfortunately put spam blocking on incoming mail, which refuses mail containing any spammed URLs. As a result of this they are not receiving complaints for spammed sites in their own registrar base.

From Todaynic in particular we are seeing response times of under 3 hours to shut down as many as 1,000 reported sites on one request. Spammed sites are often shut down by this registrar preemptively before we can even report them. They have proven to be star performers in shutting out the spammers abusing their service.

The Complainterator team is surprised to see no acknowledgment of the changed circumstances from Knujon. Surely when the registrars respond so fully and effectively, Knujon should update their report and give the registrars the credit they deserve.

These statistics are all verifiable at
http://wiki.castlecops.com/Bulk_Spam_Reporting

A few things need to be clarified. First of all, our report covers a 12 month period, most of 2007 and part of 2008. The report is historical and we can’t change history.

The second item, that may be a little misleading, is news reports that Knujon wants “Xin Net Shutdown.” We’ve never said this, and it is in fact not our agenda. What we requested is that they be issued the next level of enforcement and have new registrations blocked. Because they are obviously being victimized by fast-fluxers, stopping registrations temporarily will only help Xin Net’s standing and push the abusers off somewhere else.

We are going to be issuing more reports and more frequently. If at that point Xin Net no longer shows up as a problem, this will clearly be visible in our numbers. To be sure, there is no way off of the KnujOn list except to demonstrate over time that they are addressing various problems. If six months after the last report Xin Net vanished from our top ten we will tell the world and point to them as real example of the ability to address these issues.

I am very impressed with the success you have had with these registrars and hope it continues. This is your experience and it is yours interpret on your own. I cannot change KnujOn’s experience or numbers by looking at your experience and numbers, I hope you understand that. I can certainly point to your success publicly, and I have on many occasions. However, I think a difference of opinion is healthy here.

We have been in direct contact with other registrars on our list and will cooperate with any registrar who contacts us. In the end we want to strengthen the registrar community, but that is about much more than pulling down spam sites.

We’re following a comprehensive plan that we laid out years ago and resisting the temptation to deviate from this plan has been a core strategy. Your success may be data that helps determine our decisions on public disclosure but it is only one data point on a long list.

The more I think about this, the more it bothers me.

The people working at the Chinese registrars are human beings, not statistics. They are clearly under pressure from authorities higher than their own employers, as evidenced by common blackhole addresses used in shutting down nameservers. This pressure began before the Knujon top ten list was released, as evidenced by the fact that Chris at TodayNIC had posted on some blogs reporting that TodayNIC was changing its practices, and by personal communications with our members here that indicated he was under pressure to improve its image abroad. The Knujon report turned up the heat under ICANN, but only served to increase already high levels of pressure on the registrar abuse desk staff members.

These guys are working very closely with us, and frankly, they are busting their butts keeping up with the suspensions. And all Knujon can say is that they are still taking new registrations. It's not by choice, believe me.

Are they succeeding at blocking many of them? Your 100 domains/day figure doesn't indicate what the denominator is. Could they create filters to block more of them? Sure, if they get a minute to think, but then they fall behind on suspensions. And Knujon's statistics are for domains mentioned in spam, with no indication that most of those domains are being suspended before they hit the first in-box -- the spammers just haven't noticed, and they send the spam anyway.

Even for those of us with good English skills, it's been a bit of a challenge to find the pattern the new domain names are following. It's a fun challenge for us, but not for the guys in China. And each day the pattern is different.

They have easily suspended several times more domains in the last few weeks than other registrars have in the past 12 months, and they are doing it within minutes of our reporting them, not six weeks later when the whois is proven false. Most of the registrars we report to don't even suspend then, and they aren't on the Knujon list. So yeah, you don't want to completely ignore the past, but at least give these guys some credit for now doing better than almost everyone else. Maybe you can even shame some of the AIT's and CoreNIC's of the world to clean up their acts by pointing out what compliance looks like.

We need these guys. It took months to develop connections that got us noticed in the sea of Roman character spam they receive. Some were already suspending bulk lists of domains for us for months before the Knujon list; even Xin Net's awakening preceded it by a few weeks. If someone higher up decides their efforts are not working to improve their images, they may replace both the people and the systems that are currently causing spam-domain carnage.

If you want your top ten list to accomplish something useful, it needs to be dynamic, so all registrars get their feet held to the fire. You've got ten registrars frozen on the list, and the dozens that are currently much worse get a free pass.

AlphaCentauri, I respectfully disagree.

And I don't disagree on the merits of your argument, which is cogent, compelling and above all correct, but simply because you're barking up the wrong tree.

You're making a very, very worthwhile case for a new product: a snapshot showing the current state of affairs in as far as registrars go, cooperating with fantastic efforts like the sadly undervalued Complainterator team.

But KnujOn's point also stands: they're looking at a historic period, over which the valid observations made are valid and, sadly for the lesser compliant parties in the past, permanent.

The ones that prove themselves worthy of historic redemption will do so by earning it.

Meanwhile, their consolation for their efforts in changing their ways might be found in a new "Top-10" of current compliant registrars. What's happened has happened - I'm with KnujOn here.

Having said that, I seriously believe your implicit idea of launching such a "current snapshot" Top-10 sounds like more than a good idea, even a potentially highly valuable tool to build such necessary relationships that you allude to.

I understand your being bothered very well, but I disagree with the target you chose. In the end we're all working on and chipping away from different angles at the same beast here.

Since the 10 Worst Registrars list is based upon historical data, it would help just to quote the date range of the data for which the list has been compiled eg. "Jan 2008 - May 2008" on the page and where this list is mentioned.

This puts the list into context and if the web page is not updated for sometime, people won't think it is a current list of worst registrars.

Some Registrars have just been so appalling, I do welcome a list that publicizes the fact as it can be useful in getting attention to the problem, but it should be clear for what date the list applies or it will soon lack credibility.

Our primary constituents are our members. We're going to consult with all of them to see if they want us to back off of the troublesome registrars.

Last comment, in clarification: by indicating more clearly that the top-10 reflects a past period, as well as clearly indicating which time frame (and hence, hint at a real possibility of dramatic change) that would address any misgivings toward the "hall of shame" function of the Top-10. It's one thing to go over forensic evidence and make an observation on the past, but to set up a current "snapshot" top-10 you probably need to set aside resources that are quite probably better employed elsewhere - like properly documenting the ICANN DDoS.

Question: Should KnujOn Back Off Problematic Registrars?

My answer: Definitely not. Backing off now would be counter-productive. Shakin' it up is the most effective way to do this--and it's working.

Some registrars have willingly been the pimps and purveyors of spammers' domains for years without consequence. Exposing them in this way was necessary. The retaliation is an expected by-product of that process. Positive changes will likely result after the upheaval.

ICANN has been inefficient, unorganized, and ill prepared. Perhaps this will shed light on the many problems within that group and lead toward improvements.

NO!

I'm not talking about "backing off." I'm talking about keeping up to date. There are ten registrars on a list of "worst" registrars. Currently, several of them would be on a list of the best registrars. That's what we wanted to accomplish, right? So why not nurture that change instead of ignoring it? Why ignore the fact that other registrars remain very, very unresponsive?

There is more than one criteria for rating registrars:
-- What percentage of all spammed domains do they register?
-- What percentage of their total domains are spammy? (This is not so easy to tell; in the case of a company like Xin Net, they have a massive number of domains, but very few of them would come to the attention of anyone outside of China, so our view is very skewed.)
-- Do they accept abuse reports via email, without spam URL blocklist filtering? What languages are they able to accept reports in?
-- If not, do they have a webform available, and what languages is it available in?
-- If spam is reported, do they investigate for false whois, as almost all spam has fake registrations?
-- Do they have Terms of Service that prohibit advertising domains in spam, and if so, do they enforce them?
-- Do they have standards for bulk mailing so that domains that are advertised by bulk email are not sent to people who should be known not to want it? (For instance, if my email address is on the lists spammers pass around of people who report to spamcop or people who were part of Blue Security, and I never heard of Dynamic Dolphin before the Knujon list, does that indicate Dynamic Dolphin mailers scrub their lists?)
-- Do they have internal measures to look for abusive domains without waiting for abuse reports?
-- Do they have effective measures for preventing spam registrations?
-- Are they showing improvement, or are they clinging to the status quo, ignoring the fact that there is a general movement towards making spamming a violation of registrar terms of service?
-- Have their antispam measures been effective enough for a long enough time that spammers no longer attempt to register domains with them?

The ten worst list never attempted to evaluate on all these measures. And just as Dynamic Dolphin had not ever come up as a registrar on any spam I received, my experience has been quite different as far as the others. Joker was terrible -- until Shane Atkinson's home was raided by police; then it very abruptly dropped off the list. HKDNR was terrible until Hong Kong passed a tough anti-spam law; then they worked with us first in suspending thousands of domains, then developed ways to find and remove those domains themselves. And the spammers went elsewhere. Moniker was terrible, then last August they stopped registering spam nameservers and have been 50-50 on suspending domains, which is 50 percent more than a lot of other registrars that aren't on the list. TodayNIC was not a big spam registrar and was always responsive to reports. But when Xin Net started suspending domains, they suddenly were inundated with Spamit and Sancash registrations and had to deal with it, just as HKDNR did last year. In the past few days we have seen at least one spammer stop registering with TodayNIC. Bizcn.com and BILT have been suspending domains since last summer, but BILT has spam filtering on their abuse email box, and it has not kept up with the improvements shown by the others. Xin Net is receiving far fewer spam registrations, but they are still working on solidifying a reputation as a spammer time-waster, so spam still arrives for domains they register, even if the domains aren't even active by the time it hits your inbox. eNom gets a fair number of spam registrations -- it is a large registrar for domains in general -- but it has always been quite quick to suspend any I domains report, so I'm not sure how it got on a "worst" list in the first place.

Meanwhile, Naunet has become the registrar of choice for Bulker.biz nameservers. They aren't even ICANN accredited, and I am sure if Knujon restricts its attentions to reporting abuse to ICANN, other spammers will get the message. AITDomains has a webform so there is confirmation your reports are getting through, but only a minority of clearly fraudulently registered domains are suspended, even in cases where I know the company issuing the credit card used to pay for the domain took their money back. CoreNIC gives no response at all -- it's impossible to know if my reports get through spam filters. Tucows will suspend domains if tembow reports them, but not if I report the same ones myself. Enetica won't share their whois database with other lookup services, and they won't suspend even the domains with the most ludicrous registration data. Spammers have only recently moved to Enetica, but they are clearly going to be the new Moniker at this rate. OVH, Solid Hub, and Schlund rarely suspend anything, and again, there is no acknowledgment to let you know if your report even got through their spam filters.

So no, I'm not talking about "backing off." I'm talking about having accurate, current information, not a top ten list that ignores a lot of current problem children. And I don't want Knujon to rest on its laurels for another 12 months collecting data -- meanwhile the spammers set up comfortable residences in new places while everyone's eyes remain directed toward the places they used to be. If you consider issuing a top ten list after 12 months and stepping back to admire it to be "not backing off," you'll all be wondering why spam isn't getting better and you'll be missing all the action as we chase spammers into a smaller and smaller circle of spam friendly registrars.

And while I am glad you are asking your contributors for their opinions in this, I would hope the other contributors would consider the experiences of people who have been doing more than just forwarding their spam to someone else. We have a considerable amount of direct data to base our opinions on, and we have been working on the spam problem from many more angles than just ICANN. Please do not become a hindrance to other efforts to curtail spam, especially when those efforts are gathering momentum.

As a Knujon member, I am beginning to see way too much bickering between Knujon and SIRT and that is beginning to bother me. What I would like to see is for both Knujon and SIRT to try and work together in a more cooperative matter. Compare notes, look at comprimises and points of agreement. Look at constructive ways to resolve differences. The only thing that we need to back off on is all the mud slinging that I am beginning to see. Please remember guys, we are all on the same huge anti-spam team and wear the same anti-spam jersey.

As far as backing off some Registars that are beginning to clean up their act, I am all for it, as long as that does not lead to complacency. The reality is that some agencies, businesses, etc., will never act as long as their is no consequences for non-compliance. Bad press or publicity IMHO is a very strong motivator in turning non-compliance to compliance. Let's face it, many of these registars did little if anything to try and follow up on spammers that registered domains with them. Then all the sudden, there is a tide of bad publicity and press that initiates a ICANN crackdown. Then, all of the sudden, the registars decide to get their sh*t together and demonstrate compliance. Is the timing of the bad press and publicity and ICANN breakdown along with greater Registar Compliance, only a coincidence, I don't think so, especially when you consider the historical record and what variables changed during the period of compliance.

I can understand it being available for/as "historical data" - but perhaps revise the page to put it that way.

Give it a couple months, and we'll have another long list of "worst registrars".

KnujOn currently has the "power of the Press" (News, Media, blogs, etc....). If the "Worst registrars" are updated say, every month, or every "Quarter" - it would keep everyone on their toes.

But it could still be good to have a "timeline" of the success. From XIN Net going from the worst, to one of the better (not quite the best yet, but definately better).

don't stop!!! Spam has gotten completely out of hand!!!!!

Power of the press is easy if you are reporting disaster and we are doing just that at the moment. Any data based upon history will change over time and we do need to make sure these changes are reported positively.

I look forward to being able to add our data set to those of others as evidence for our combined success at making life for spamming scum that little bit harder today than it was yesterday and will continue to forward my modest trickle of spam to Knujon to help make this happen.