[CPWG] The Bulk Registrations issue and why it is complex

Theo Geurts atlarge at dcx.nl
Tue Apr 5 13:10:44 UTC 2022


Let's say bulk means 50 registrations before alarms start to sound. 

Then the criminals will simply start pulling data from fake ID generator APIs and connect those to the registrar/reseller APIs and generate new unique RNH data/contacts. If that sounds out of the realm of possibilities, consider that I have already seen criminals doing this to avoid detection in 2018. Every BEC fraud domain had a unique registrant and they had registered 200 domains total. Their OPSEC was pretty good on the registrant side of things; on the technical infrastructure side it was an absolute mess, and it was very easy to track down and shut down such domain names.

Best, 
Theo 

On Tue, Apr 5, 2022, at 12:40 PM, John McCormac via CPWG wrote:
> On 05/04/2022 12:25, Michele Neylon - Blacknight wrote:
> > John
> > 
> > But what is your definition of “bulk”?
> > 
> 
> It is a very tricky question, Michele,
> I don't have an exact definition yet.
> 
> There can be a lot of activity going on with a gTLD that might appear to 
> be bulk registrations but without WHOIS data to measure the 
> concentration of registrations, a spike due to a registry or registrar 
> promotion might be considered "bulk". The concentration (new domain 
> names to registrants) might help.
> 
> > How many domains registered at once constitute “bulk”?
> > 
> > 10?
> 
> I've definitely registered this many at a time across TLDs for brand 
> protection purposes.
> 
> > 
> > 100?
> > 
> > 1000?
> > 
> > Over what period of time?
> > 
> > Minutes?
> > 
> > Hours?
> > 
> > Days?
> 
> It would have to be over a few months at least. Otherwise celebrity and 
> event driven registrations and speculative bubbles will get lumped into 
> the set.
> 
> > Can the “definition” be applied to all TLDs?
> 
> Not unless there is a data element. It would be better to approach it on 
> a TLD-specific basis that takes the performance of the TLD into account. 
> Some TLDs may not have bulk registration issues.
> 
> > I’d argue that there’s a massive difference between say 100 domains 
> > being registered in .bank vs in .store (as a silly example)
> 
> Agreed. Heavy discounting is now an established feature of many gTLDs. 
> The problem is that the absence of WHOIS data and registration patterns 
> makes it a lot more difficult to identify abusive registrations. Without 
> heavy discounting, some new gTLDs would have to spend a lot more money 
> on marketing their gTLD in a highly competitive market and would end up 
> with far fewer registrations than they have now.
> 
> There was a recommendation in the CCT report that ICANN track pricing 
> data. If ICANN had this kind of data to hand then it would be very 
> helpful in defining bulk registrations and identifying trends that are 
> direct results of heavy discounting. It still gets back to the problem 
> of identifying what registrations are registered for malicious purposes 
> and that's getting into Precog/Minority Report territory where the 
> software and technology is just not good enough to guess the intent of 
> all registrants.
> 
> Regards...jmcc
> 
> > 
> > Regards
> > 
> > Michele
> > 
> > --
> > 
> > Mr Michele Neylon
> > 
> > Blacknight Solutions
> > 
> > Hosting, Colocation & Domains
> > 
> > https://www.blacknight.com/
> > 
> > https://blacknight.blog/
> > 
> > Intl. +353 (0) 59  9183072
> > 
> > Direct Dial: +353 (0)59 9183090
> > 
> > Personal blog: https://michele.blog/
> > 
> > Some thoughts: https://ceo.hosting/
> > 
> > -------------------------------
> > 
> > Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, R93 X265, Ireland. Company No.: 370845
> > 
> 
> 
> -- 
> **********************************************************
> John McCormac  *  e-mail: jmcc at hosterstats.com
> MC2            *  web: http://www.hosterstats.com/
> 22 Viewmount   *  Domain Registrations Statistics
> Waterford      *  Domnomics - the business of domain names
> Ireland        *  https://amzn.to/2OPtEIO
> IE             *  Skype: hosterstats.com
> **********************************************************
> 
> 
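As an added illustration of the two points raised in this thread (this is not code from the thread, from any registrar, or from ICANN): John's concentration measure (new domain names to registrants, per TLD, over a window of a few months) is applied to constructed sample data in which every domain has a unique registrant handle, as Theo describes, but the domains share a nameserver. Keyed on the registrant the measure finds nothing; keyed on the technical infrastructure it finds the cluster. All domains, handles and hosts below are made up.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample registrations (not real data). Fields:
# (domain, registration date, registrant handle, nameserver host).
# The "reg-1xxx" handles are all different, mimicking generated contacts.
REGISTRATIONS = [
    ("pay-invoice-01.store", date(2022, 1, 3), "reg-1001", "ns1.bulkdns.example"),
    ("pay-invoice-02.store", date(2022, 1, 9), "reg-1002", "ns1.bulkdns.example"),
    ("pay-invoice-03.store", date(2022, 1, 21), "reg-1003", "ns1.bulkdns.example"),
    ("pay-invoice-04.store", date(2022, 2, 2), "reg-1004", "ns1.bulkdns.example"),
    ("pay-invoice-05.store", date(2022, 2, 18), "reg-1005", "ns1.bulkdns.example"),
    ("pay-invoice-06.store", date(2022, 3, 7), "reg-1006", "ns1.bulkdns.example"),
    # Brand-protection registrant: one contact, spread across several TLDs.
    ("acmebrand.store", date(2022, 1, 5), "reg-brand", "ns1.acme.example"),
    ("acmebrand.shop", date(2022, 1, 5), "reg-brand", "ns1.acme.example"),
    ("acmebrand.online", date(2022, 1, 5), "reg-brand", "ns1.acme.example"),
    # Unrelated registrations in the same TLD.
    ("mycafe.store", date(2022, 2, 1), "reg-2001", "ns1.sitebuilder.example"),
    ("gardentools.store", date(2022, 3, 15), "reg-2002", "ns1.sitebuilder.example"),
]


def tld(domain):
    return domain.rsplit(".", 1)[-1]


def by_registrant(reg):
    return reg[2]


def by_nameserver(reg):
    return reg[3]


def bulk_clusters(regs, key_fn, start, months=3, threshold=5):
    """Return {(tld, key): [domains]} for every key that accounts for at
    least `threshold` new registrations in one TLD during a window of
    `months` months (approximated as 31-day months) starting at `start`."""
    end = start + timedelta(days=31 * months)
    groups = defaultdict(list)
    for reg in regs:
        domain, registered = reg[0], reg[1]
        if start <= registered < end:
            groups[(tld(domain), key_fn(reg))].append(domain)
    return {k: v for k, v in groups.items() if len(v) >= threshold}


if __name__ == "__main__":
    window_start = date(2022, 1, 1)
    print(bulk_clusters(REGISTRATIONS, by_registrant, window_start))
    print(bulk_clusters(REGISTRATIONS, by_nameserver, window_start))
```

The per-TLD grouping also keeps the brand-protection registrant out of the result, since its three domains sit in three different TLDs.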