knujon_audit0610

KnujOn.com, LLC Updated: 6/20/2010

Abstract Introduction Outline Registrars in Potential Breach About KnujOn Terms Used Abstract This independent audit of ICANN Registrar adherence and compliance to the Registrar Accreditation Agreement has revealed that162 Registrars may be in breach of their contracts for various reasons. The reasons are not trivial, they range from blocking and manipulating WHOIS access to falsifying applications to knowingly facilitating criminal traffic. This report takes a deep look at the relationships between registration fraud, DNS manipulation, spam, compliance failure and the growing trade in illicit drugs online. We also offer recommendations to correct these problems. Introduction The authors of this report are members of the ICANN At-Large community, representing Internet users and consumers globally free of cost. We are committed to improving the quality and safety of the Domain Name System through constant analysis of Internet abuse data and continual review of the structure and its compliance mechanisms. We sincerely support ICANN’s commitment the principles of openness, transparency, and accountability. In the interests of assisting ICANN in reaching its goals we respectfully submit this security assessment to the Board of Directors, ICANN Staff, the Government Advisory Committee, and all of the supporting committees. This report is un-sponsored and unsolicited in an attempt to avoid any untoward influence. The intent is to purely represent the frustrated and confused Internet user. The ultimate goal is to assist in securing our Internet for the future. Much of cyber-security’s focus has been on intrusions, mass data theft, phishing, privacy violations, ID-theft, and malware. For the most part these are incidents. They differ from the focus of this document - illicit Internet product traffic. Illicit product traffic is an ongoing cybercrime that requires the continuity and stability that other threats do not. Another major difference is that service providers generally do not profit from phishing, intrusions, and data theft. However, illicit product traffic presents an opportunity for Registrars to earn significant amounts money through illicit domain registrations and related domain product services. There are many types of threats on the Internet but our research reveals the heavy influence of diverted, altered, and counterfeit prescription drugs. In our estimation this is the number one threat to consumers and the Internet structure. Additional security threats like malware deployment, denial of service attacks, trademark hijacking, botnets, spam, WHOIS fraud, network intrusions, domain hijacking, Registrar corruption, and electronic money laundering are all tools of the global network of illicit drug traffic. Beyond the Internet this traffic impacts the health of the public while funding organized crime and terrorist groups. There is no question that underground pharmaceutical traffic is illegal and kills people. The traffickers may paint themselves as virtual Robin Hoods who defy the greedy hands of government and “big pharma”, but in reality they deliver tainted products and cruelly prey on the sick, elderly, and addicted. In contrast with the popular perception, the underground pharmacy market is far beyond lifestyle drugs like Viagra and Cialis. Tainted and completely fake drugs sold on the Internet include heart, blood-pressure, cancer, diabetes, and AIDS medications. There are multiple documented cases of chalk pressed into painted pills, HIV test kits that give false


negatives, “anti-aging” cocktails, and an array of other “snake oils” that give false hope and make the sick sicker. While Internet illicit drug traffic uses various tools it relies one critical resource to make money, online transaction platforms. Without a secure space to accept electronic payments the expense of registering domains, deploying malware, and sending spam is wasted. It is important to understand that, as Moses Naim of Foreign Policy Magazine states, illicit traffic is about transactions, not products1. Replace drugs with pirated software and consumer knockoff products and the problem still exists. While the emphasis of this report is drug traffic, many other issues are discussed. The transaction platforms in question are domain names. To acquire domain names illicit networks need access to another critical resource, Registrars. All businesses need a support structure, in this case an illicit support structure. Online drug traffickers have built an array of online shops, content/image servers, NameServers, customer service sites, mail servers, newsletter/blog sites, transaction sites, and click-through advertisement processing. Each portion of the structure requires a domain name. Our research shows that the number of domains registered for a single drug-related spam campaign is in the thousands. The domains are often registered with false WHOIS or WHOIS shielded by invalid privacy services. The spammed domains are often terminated quickly but, as we demonstrate, the transaction domains remain intact, the NameServers receive a fresh crop of front-end shop sites and the Registrars rarely respond to inquires about this. This all may seem obvious, but what is not obvious is why the illicit transaction structure endures. The answer is weak policy, improper oversight, ineffective enforcement tools, and missing demand for accountability among service providers. This is why we are focused on the Registrars. Without their sponsorship of the illicit transaction structure, the problem would not exist. Registrars may claim this is not their responsibility or problem but we will explain why it is and why a weak policy structure governing the Registrars creates an atmosphere of permissiveness.

1 Moises Naim, Illicit (Anchor October 10, 2006)


Outline of Report In order to address the many faces of this problem we have separated this report into three major sections: Section I is a review of all Registrars in terms of the obligations under the Registrar Accreditation Agreement (RAA). KnujOn has evaluated all of the ICANN-Accredited Registrars for compliance as far as we are able to from outside ICANN and the Registrar community. Registrars in potential brief are summarized below with corresponding RAA sections. Section II addresses WHOIS issues starting at the top. KnujOn has evaluated the WHOIS accuracy of the Registrar’s own domains and where appropriate filed WHOIS Inaccuracy with ICANN. In this section we have preformed the same evaluation of all the Generic Top-Level Domain (gTLD) NameServers and where appropriate filed WHOIS Inaccuracy complaints with ICANN. In the remaining portion of this section we discuss a plan to validate the entire gTLD WHOIS record, a project which some say is impossible. Section III explains how the Domain Name System is being manipulated on a massive scale to support illicit drug traffic and details conditions that allow this threat to exist at the expense of the consumer and legitimate business.


Registrars in Potential Breach with Relevant RAA Section #1 Internet Services International, Inc. dba 1ISI : RAA 5.3.1 $$$ Private Label Internet Service Kiosk, Inc. (dba "PLISK.com") : RAA 3.16 1 More Name, LLC : RAA 5.3.1, 3.7.5.6, 3.7.5.5 1API GmbH (1apI.de) : RAA 3.7.5.6, 3.7.5.6 1st Antagus Internet GmbH (antagus.de) : RAA 3.3.1, 3.7.5.6, 3.7.5.7 2030138 Ontario Inc. dba NamesBeyond.com : RAA 3.3.1 21Company, Inc. dba 21-domain.com/21-domain.com : RAA 3.16, 3.3.1 A Technology Company, Inc. (namesystem.com) : RAA 3.3.1, 3.16 AB RIKTAD (riktad.com) : RAA 3.3.1 Abacus America, Inc. d/b/a Names4ever: 5.3.2 Abansys & Hostytec, S.L.(abansys.com) : RAA 3.3.1 Ace of Domains, Inc. : RAA 5.3.1 Active Registrar, Inc./activeregistrar.com : RAA 3.16 Add2Net Inc. (lunarpages.com) : RAA 3.3.1 Advanced Internet Technologies, Inc. (AIT) : RAA 3.3.1 Advantage Interactive Ltd.(LCN.com) : RAA 3.3.1 Alantron (alantron.com) : RAA 3.7.5.6, 3.7.5.8, 3.3.1 Alfena, LLC (alfena.com) : RAA 3.3.1 AllGlobalNames, S.A. dba Cyberegistro.com : RAA 3.3.1 Annulet Incorporated : RAA 5.3.1 AOL LLC (aol.com) : RAA 3.3.1 Arsys Internet, S.L. dba NICLINE.COM : RAA 3.16 Aruba SpA(aruba.it) : RAA 3.3.1 Atozdomainsmarket, LLC : RAA 5.3.1 AusRegistry Group Pty Ltd (ausregistry.com) : RAA 3.3.1 Aust Domains International Pty Ltd dba Aust Domains, Inc.(austdomains.com) : RAA 3.3.1 Autica Domain Services Inc. (autica.com) : RAA 3.3.1 Azdomainz, LLC : RAA 5.3.1 Azprivatez, LLC : RAA 5.3.1 Belgiumdomains, LLC : RAA 5.3.1 BIZCN.COM : RAA 3.7.5.3, 3.7.7.2, and 3.7.11 Black Ice Domains, Inc. : RAA 3.3.1 Bottle Domains, Inc. (bottledomains.com.au) : RAA 3.3.1 Brights Consulting Inc.(brights.jp) : RAA 3.3.1 Broadspire Inc. (broadspire.com) : RAA 3.7.5.6, 3.7.5.9 Capitoldomains, LLC : RAA 5.3.1 Cheapies.com Inc : RAA 3.7.5.6/3.7.5.10,3.3.1 China Springboard, Inc.(chinaspringboard.com/namerich.cn) : RAA 3.3.1 COMPANA LLC/budgetnames.com : RAA 3.16 CoolHandle Hosting, LLC : RAA 5.3.1 Cronon AG Berlin, Niederlassung Regensburg(cronon.org) : RAA 3.3.1 CSL Computer Service Langenbach GmbH d/b/a joker.com : RAA 3.16 Deschutesdomains.com LLC : RAA 5.3.1 Digirati Informatica Servicos e Telecomunicacoes LTDA dba Hostnet.com : RAA 3.3.1 Digitrad France (digitrad.com) : RAA 3.3.1 Directi Internet Solutions Pvt. /publicdomainregistry.com : RAA 3.16 Domain Jamboree, LLC (domainjamboree.com) : RAA 3.3.1 Domain Monkeys, LLC domainmonkeys.com : RAA 3.3.1 Domain Services Rotterdam BV (tellus.com) : RAA 3.7.5.6/3.7.5.11,3.3.1 Domain-A-Go-Go, LLC : RAA 5.3.1 Domainbullies,LLC DBA DomainClub.com : RAA 5.3.1 Domaindoorman, LLC : RAA 5.3.1


Domainfactory GmbH : RAA 3.3.1 Domaininthehole.com LLC : RAA 5.3.1 Domain-It!, Inc. : RAA 5.3.1 DomainRegistry.com Inc. : RAA 3.3.1 DomainSpa LLC (domainspa.com) : RAA 3.3.1 DomainSystems, Inc. dba DomainsSystems.com : RAA 5.3.1 Domainz Limited (domainz.com) : RAA 3.3.1 DOTALLIANCE INC/dotalliance.com : RAA 3.16 DotArai Co., Ltd. (dotarai.co.th) : RAA 3.3.1 Dotster : RAA 3.3.6 DSTR Acquisition PA I, LLC dba DomainBank.com : RAA 3.16 eBrandSecure, LLC : RAA 5.3.1 EnetRegistry, Inc. : RAA 3.3.1 eNom : RAA 3.3.6, 3.7.2, 3.7.5.3, 3.7.7.2, 3.7.8, 3.8, 3.7.10, 5.3.1*, 3.12 EVERYONES INTERNET LTD./resellone.net : RAA 3.16 FBS Inc. (isimtescil.com) : RAA 3.3.1 FRANCE TELECOM/francetelecom.com : RAA 3.16 Freeparking Domain Registrars, Inc. : RAA 3.3.1 French Connexion dba Domaine.fr : RAA 3.3.1 Galcomm, Inc. : RAA 3.3.1 Gee Whiz Domains, Inc. (geewhizdomains.com) : RAA 3.3.1 GKG.NET, INC. : RAA 3.3.1 Good Luck Internet Services PVT, LTD. : RAA 3.3.1 Guangzhou Ming Yang Information Technology Co., Ltd : RAA 3.3.1 Hebei Guoji Maoyi LTD dba HebeiDomains.com : RAA 3.3.1 Hetzner Online AG (hetzner.de) : RAA 3.3.1 HooYoo (US) Inc. (us.hooyoo.com) : RAA 3.3.1 Hosting.com, Inc. : RAA 3.3.1 Hostway Services, Inc. (hostway.com) : RAA 3.3.1 Hu Yi Global Information Resources (Holding) Company : RAA 3.3.1 Humeia Corporation : RAA 3.3.1 ID Genesis, LLC (idgenesis.com) : RAA 3.3.1 Instra Corporation Pty Ltd. (instra.com) : RAA 3.3.1 Interdomain S.A. (interdomain.es) : RAA 3.3.1 Intermedia.NET, Inc. (intermedia.net) : RAA 3.3.1 Internet Group do Brasil S.A : RAA 3.3.1, 3.7.5.6, 3.7.5.12 Internet Invest, Ltd. dba Imena.ua : RAA 3.3.1 Internet Solutions (Pty) Ltd. (is.co.za) : RAA 3.3.1, 3.7.5.6, 3.7.5.13 INTERNET.BS CORP : RAA 3.7.5.3, 3.7.7.2, and 3.7.10 InterNetworX Ltd. & Co. KG (inwx.de) : RAA 3.3.1 IREGISTRY CORP. /iregistry.com : RAA 3.16 ITPAN.COM INC./itpan.com : RAA 3.16 iWelt AG (iwelt.de) : RAA 3.3.1,3.7.5.6, 3.7.5.14 Jetpack Domains, Inc. : RAA 3.3.1 Key-Systems GmbH (key-systems.net) : RAA 3.3.1,3.7.5.6, 3.7.5.15 KomPlex.Net GmbH : RAA 3.7.5.6, 3.7.5.16 Launchpad, Inc. (launchpad.com) : RAA 3.3.1 Ledl.net GmbH dba: Domaintechnik.at : RAA 3.3.1 M. G. Infocom Pvt. Ltd. (mindgenies.com) : RAA 3.7.5.6, 3.7.5.17, 3.3.1 Marcaria.com International, Inc. : RAA 3.3.1 Mobiline USA, Inc. dba domainbonus.com : RAA 3.7.5.6, 3.7.5.18 NameCheap : RAA 3.3.1, 3.7.2, 3.8, 3.8, 3.7.8 Namehouse, Inc. : RAA 5.3.1


NameScout : RAA 3.3.6 Nameshield (nameshield.net) : RAA 3.3.1 NET 4 INDIA LIMITED/net4.in : RAA 3.16 Netdorm, Inc. dba DnsExit.com : RAA 3.3.1 Netfirms, Inc. : RAA 3.3.1 Netpia.com, Inc. : RAA 3.3.1 NetraCorp LLC dba Global Internet : RAA 3.3.1 NetRegistry Pty Ltd. (netregistry.com) : RAA 3.3.1 NetTuner Corp. dba Webmasters.com : RAA 5.3.1 Network Solutions : RAA 3.3.6 New Great Domains, Inc. (newgreatdomains.com) : RAA 3.3.1 NICCO LTD. /nicco.com : RAA 3.16 Nominalia Internet S.L. (nominalia.com) : RAA 3.3.1 Nordreg AB : RAA 3.3.1 Onlinenic Inc : RAA 3.3.1, 3.8, 3.7.11, 3.16, 5.3.1 Oversee : RAA 3.3.1, 3.3.6, 3.8, 3.7.9 Own Identity, Inc. (ownidentity.com) : RAA 3.7.5.6, 3.7.5.19 Pacnames Ltd (pacnames.com) - No conspicuous terms link : RAA 3.7.5.6, 3.7.5.20 Paknic (Private) Limited : RAA 3.3.1 Planete Marseille SARL dba MailClub (mailclub.fr) : RAA 3.3.1 Porting Access B.V. (portingxs.com) : RAA 3.3.1 Premium Registrations Sweden AB (premiumregistrations.com) : RAA 3.3.1, 3.7.5.6, 3.7.5.21 REGISTER.COM INC./register.com : RAA 3.16 Register4Less, Inc. (Register4Less.com) : RAA 3.3.1 Regtime Ltd. : RAA 3.3.1 RESELLER SERVICES INC./ResellServ.com : RAA 3.16 Samjung Data Service Co., Ltd (direct.co.kr) : RAA 3.3.1 Secura GmbH : RAA 3.3.1 Sedo.com LLC (sedo.com) : RAA 3.3.1 Service Development Center of the Service Bureau(chinagov.cn) : RAA 3.3.1 Simply Named Inc. dba SimplyNamed.com : RAA 3.3.1 SiteName Ltd. : RAA 3.3.1 That Darn Name, Inc. : RAA 3.3.1 The Planet Internet Services, Inc. (theplanet.com) : RAA 3.3.1 The Registry at Info Avenue dba Spirit Telecom (spiritdomains.com) : RAA 3.3.1 TierraNet Inc. d/b/a DomainDiscover: RAA Sections 5.3.1 Tucows : RAA 3.7.5.3, 3.7.7.2, and 3.7.9 UK2 Group Ltd. (uk2group.com) : RAA 3.3.1,3.16 UltraRPM, Inc. dba metapredict.com : RAA 3.7.5.6, 3.7.5.22, 3.3.1 United Domain Registry, Inc. : RAA 3.3.1 USA Webhost, Inc. (usawebhost.com) : RAA 3.3.1, 3.7.5.6, 3.7.5.23 VentureDomains, Inc. (upc360.com) : RAA 3.3.1, 3.7.5.6, 3.7.5.24 Verelink, Inc. (verelink.com) : RAA 3.3.1 Verza Domain Depot BV (verzadomains.com) : RAA 3.3.1 Visesh Infotecnics Ltd. d/b/a Signdomains.com : RAA 3.3.1 VIVID DOMAINS INC/vividdomains.com : RAA 3.16,5.3.1 VocalSpace LLC dba DesktopDomainer.com : RAA 3.3.1 VOLUSION, INC./volusion.com : RAA 3.16 Web Business, LLC (webbusiness.biz) : RAA 3.3.1 Web Commerce Communications Limited dba WebNic.cc : RAA 3.3.1 Web Werks India Pvt. Ltd : RAA RAA Sections 5.3.2 and 5.3.3 Webagentur.at Internet Services GmbH dba domainname.at : RAA 3.3.1 World Biz Domains, LLC : RAA 3.3.1


Xiamen ChinaSource Internet Service Co., Ltd (zzy.cn) : RAA 3.3.1 Xiamen eName Network Technology Corp (ename.com) : RAA 3.7.5.6, 3.7.5.25 Ynot Domains Corp. (ynotdomains.myorderbox.com) : RAA 3.7.5.6, 3.7.5.26, 3.16, 5.3.1 Zog Media, Inc. DBA Zog Names (zognames.com) : RAA 3.3.1 About KnujOn.com KnujOn.com, LLC is an independent, non-sponsored abuse handler and Internet security research company based in Boston, Massachusetts and Wilmington, Vermont. KnujOn accepts abuse data in the form of spam and other security threats to develop a clear picture of conditions facing the Internet. KnujOn builds profiles of online criminal groups, evaluates the quality of Registrars and Internet Service Providers, issues WHOIS challenges, documents policy failures, tests compliance mechanisms, issues reports to law enforcement, and educates the public about complex Internet security issues. We see our role as one of assisting the ordinary Internet user in navigating the complex technical bureaucracy of the global network and augmenting public services in the face of rampant illicit electronic traffic. Principle authors of this document are KnujOn.com CEO Garth Bruen and CTO Dr. Robert Bruen. More information at: http://www.knujon.com. Credits and Contributions Special thanks to Beau Brendler, John Horton, Derek Smythe, Neil Schwartzman, Jart Armin, Gary C. Kessler, Howard Hoyt, Robert Mount, Ken de Montigny, Justin C. Le Grice, Benjamin Edelman, B., Kim L, Andrew T., Sean O, Ginny S., Nova, Anonymous HTCIA member, and Anonymous KnujOn member. Terms Used ALAC – At-Large Advisory Committee Domain Name – A top-level URL like KnujOn.com DNS – Domain Name System gTLD – Generic Top Level Domain Names (.COM, .NET, .ORG, .BIZ, .INFO, etc.) ICANN – Internet Corporation of Assigned Names and Number IP – Internet Protocol, a four-part Internet machine address like 172.0.0.1. “IP” may also refer to Intellectual Property, but is not abbreviated as such in this document ISP – Internet Service Provider, may be a Registrar also but not in every case Malware – Malicious software, viruses, Trojans, etc NameServer – A domain name that serves other domain names, associates them with IP addresses RAA – Registrar Accreditation Agreement, the common contract between ICANN and a Registrar Registrar – A company that sells domain names under its accreditation with ICANN Spam – Unsolicited email with forged headers and no functioning opt-out UDRP – Uniform Dispute Resolution Procedure WHOIS – A technical query tool that returns ownership of a domain name WIPO – World Intellectual Property Organization(wipo.int), a body that resolves trademark disputes


Table of Contents Section I: Registrar Accreditation Agreement Compliance………………………………………Page 12

Introduction by Beau Brendler A. Public WHOIS, Website and Port 43 Access (RAA 3.3.1)

Registrar Web-based WHOIS Access Registrar Port 43 WHOIS Access

B. Bulk WHOIS Access for $10K per year (RAA 3.3.6) C. Registrars, Laws and Regulations (RAA 3.7.2)

eNom Becomes Accessory to Ongoing Criminal Activity D. Issues of inaccurate WHOIS (RAA 3.7.5.3, 3.7.7.7, and 3.7.9)

15 day fix for bad WI WI complaints eNom and qualitydrugs.org BIZCN and cyberrxsavers.com

E. Registrar must display fees and display deletion policies (RAA 3.7.5.6/3.7.5.5) F. UDRP Compliance and speculation holding (RAA 3.8 and 3.7.8)

NameCheap as “WhoisGuard” Oversee as “Moniker Privacy” eNom as “Whois Privacy Protection Service Inc.” OnLineNIC, INC. as “ABSOLUTEE CORP. LTD.”

G. Reseller obligations (RAA 3.12) Acquire This Name inc

H. Disclosure of Registrar Address (RAA 3.16) 2009 RAA Registrars Not Displaying Address Non-2009 RAA Registrars Not Displaying Address De-accredited Registrars Not Displaying Address Unclear Status Registrars Not Displaying Address Serious Issues

OnlineNIC A Technology Company, Inc. (namesystem.com)

I. Material Falsification in Registrar Application (RAA 5.3.1) Business Registrations Not Found

J. Legal issues with Registrar (RAA 5.3.2) Abacus America, Inc. d/b/a Names4ever

K. Registrar Officer Legal Issues (RAA 5.3.3) Web Werks India Pvt. Ltd, AKA D For Domains, AKA wwindia.net, AKA SUVIP INC.

L. Acting in a manner that endangers stability (RAA 5.3.6) M. Miscellaneous: Registrars without a functioning website N. Recommendations for these issues

Section II: WHOIS Issues………………………………………………………………………...Page 53

A. Registrar WHOIS Validity Registrars with False WHOIS Parava and OnlineNIC A Technology Company, Inc. (namesystem.com)

B. Nameserver WHOIS Validity and Legitimacy Bad Nameserver WHOIS: Contact Emails .NAME NameServers Soviet Union (.SU) NameServers

C. The Next Phase of WHOIS validation D. Material falsification of WI privacy/proxy

U.S. v. Kilbride secureordercheckout.info and GKG

E. Invalid Privacy Services WhoisGuard (NameCheap) PrivacyProtect INTERNET.BS CORP. “Private Whois Service” From Bad WHOIS to Bad Privacy

Section III: Illicit Activity in gTLD Space………………………………………………………Page 70 Introduction By John Horton A. NameServers problems B. Trademark and Illicit Product Traffic Issues

Verizon v. DirectNIC


Viagra project C. The Spam/Pharma/Domain Abuse/Rogue Registrar Connection

Introduction by Neil Schwartzman eNom, spam and GlavMed

D. Registrar Support of Illicit Pharmacy Networks Introduction by Jart Armin Real Time Register BV and Rx-Partners Illicit Pharmacy Network

E. BBB Complaints, AG consumer complaints F. Five Registrars Dominate the Market, is it Anti-trust? G. Breach Notices H. Defunct Registrars

Terminated Registrars still selling gTLD and/or claiming ICANN accreditation Defunct Registrars with unclear status Clearly Defunct Registrars Terminated Registrars with inoperable websites

I. Soviet Union (.SU) Policy and Status Unclear J. Moot Issues

Closing Recommendations


Section I: Registrar Accreditation Agreement Compliance

“These failure numbers should be much, much lower. And there should be no ICANN-accredited registrars among them. ICANN's compliance department needs to act swiftly and decisively, as it is obligated to do. Unfortunately, we have some bad actors who, given the nature of the technology, can completely compromise consumer trust in the Internet no matter what the good actors do. All it takes is one www.bsasafetydownload.com and a company like Innovative Marketing can bilk consumers worldwide out of $100 million.”

-Beau Brendler, managing editor, AOL Money and Finance's Consumer Ally and a longtime investigative reporter

All Generic Top-Level Domain (gTLD) Registrars must enter into an agreement with ICANN called the Registrar Accreditation Agreement (RAA). This contract outlines the formal relationship between ICANN and a Registrar, including contractual obligations of the Registrar and by extension the registrant. There are currently two versions of the RAA in use, a 2001 and a 2009 version. All Registrars still contracted under the 2001 version must certify under the 2009 version when their existing contract period ends, and they must comply with the 2001 version before being allowed to sign-on to the 2009 version. With the exception of some amendments, discussed here where appropriate, the two contracts are more similar than different. What follows is an evaluation of Registrar compliance with sections of the RAA that are observable from outside ICANN and the Registrar community. Where appropriate, we examine a Registrar’s compliance failure as it relates to illicit activity occurring within the Registrar’s space. It is our contention is that poor policy enforcement creates an environment of permissiveness and opens the door to criminality. Reference Registrar Accreditation Agreement, 17 May 2001: http://www.icann.org/en/registrars/ra-agreement-17may01.htm Registrar Accreditation Agreement, 21 May 2009: http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm Uniform Domain Name Dispute Resolution Policy: http://www.icann.org/en/udrp/udrp.htm http://www.icann.org/en/dndr/udrp/policy.htm


A. 3.3.1 Public WHOIS, Website and Port 43 Access

“3.3.1 At its expense, Registrar shall provide an interactive web page and a port 43 Whois service providing free public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered Names sponsored by Registrar for each TLD in which it is accredited.”

Registrars are in a position of trust and they are supposed to be leading by example. They willingly agreed to uphold the RAA. What faith can we have in a registrar that deliberately blocks port 43 DNS lookups. Not only does this deny the ordinary user the right to look at whois details and decide if he wishes to have any dealings with a domain owner or not, it also breaks various mechanisms in the WDPRS system. We saw this happen recently with Alantron where despite gross domain registration abuse, no WDPRS complaints could be lodged for a period of time. Alantron abused their privileged position and deliberately jeopardized the ordinary internet user. Even still today, despite a breach notice, Alantron's online whois look facility is lacking as it does not display complete whois records for domains they sponsor and deliberately hides information. We must not confuse privacy with anonymity and unaccountability, the latter is enemy to the first. -Derek Smythe, Artists Against 419

Registrar Web-based WHOIS Access Most Registrars have a clearly-marked WHOIS link or form on their homepage. The following Registrars have no obvious path to a WHOIS interface and a reasonable attempt to find the WHOIS interface did not prove successful. In several of these cases we solicited the help of ordinary Internet users to try and find the web-based WHOIS engine and then verified their findings. VocalSpace LLC dba DesktopDomainer.com – “Login Screen” Only Alfena, LLC (alfena.com) – WHOIS link goes to eNom. Registration agreement does not mention relationship with eNom or Demand Media. UltraRPM, Inc. dba metapredict.com – WHOIS on homepage but does not function properly EnetRegistry, Inc. (enetregistry.net) - “Login Screen” Only AusRegistry Group Pty Ltd (ausregistry.com) - Domain search only, directs user to port 43 Advanced Internet Technologies, Inc. (aitdomains.com) - Domain search only, access to whois.aitdomains.com requires registration and password login. NetRegistry Pty Ltd. (netregistry.com) – Refers visitors to http://www.geektools.com/whois.php Autica Domain Services Inc. (autica.com) - WHOIS link redirects browser to us2.net which does not supply full WHOIS


The Following Registrars have a “Domain Lookup” which is not the same as a WHOIS This is also a violation of RAA Sections 3.3.1.1 - 3.3.1.8 Zog Media, Inc. DBA Zog Names (zognames.com) Hosting.com, Inc. Add2Net Inc. (lunarpages.com) Bottle Domains, Inc. (bottledomains.com.au)` Cheapies.com Inc. (cheapies.com) Domainz Limited (domainz.com) Nominalia Internet S.L. (nominalia.com) Sedo.com LLC (sedo.com) DomainSpa LLC (domainspa.com) Register4Less, Inc. (Register4Less.com) Verelink, Inc. (verelink.com) The Following Registrars either have no apparent web-based WHOIS USA Webhost, Inc. (usawebhost.com) Verza Domain Depot BV (verzadomains.com) Premium Registrations Sweden AB (premiumregistrations.com) VentureDomains, Inc. (upc360.com) The Planet Internet Services, Inc. (theplanet.com) Digitrad France (digitrad.com) New Great Domains, Inc. (newgreatdomains.com) Porting Access B.V. (portingxs.com)


Registrar Port 43 WHOIS Access For a period 71 days KnujOn tested the Port 43 WHOIS accessibility of each unique Registrar, we did not test multiple accreditations held by the same companies and only tested once per day to avoid being blacklisted. Our findings were disappointing - with 27 Registrars having major or regular Port 43 outages. Port 43 is a command-line query location set up for WHOIS queries. The typical call would be: Whois –h whois.registrar.com somedomain.com Some operating systems have WHOIS built-in; others require a utility to be installed but the functionality is usually the same. “-h” indicates the host to be used for the session, this is followed by the WHOIS address and then domain record being queried. More troubling were the 57 Registrars who would not disclose their Port 43 location. In most cases the Port 43 is logically located at WHOIS.[REGISTRARDOMAIN].[TLD], for example “whois.networksolutions.com” for NetworkSolutions. Sometimes it is located at a different domain as in the case of Xin Net, the Port 43 is hosted at whois.paycenter.com.cn. In most cases we were able to find alternate Registrar WHOIS locations easily but for scores of them we had to ask the Registrar. A handful quickly responded with the correct location, but most never responded, and in a few cases our email was rejected from the ICANN-listed Registrar contact email. A small minority wanted to know why we were asking, but we logged this as non-response since the RAA does allow for Registrar discrimination in the access to WHOIS. Registrars who only failed once during the study period were treated the same as ones that never failed since minor interruptions in service are to be expected, the focus of this study is to determine if Registrars have frequent or persistent Port 43 issues. Marcaria.com International, Inc. was the worst, their Port 43 WHOIS worked at beginning of the test period and stopped responding on March 30 for a total of 14 successful days out of 71. That Darn Name, Inc., which became intrustdomains.com during the test period, had serious regular outages only responding a total of 38 days, slightly more than a 50% success rate. South America Domains Ltd. dba namefrog.com also started off ok but ceased responding after 46 days on May 10 (South America Domains was terminated, but status is unclear). OnlineNIC had the worst record in terms of consistency, failing 25 times, intermittently during the study period making their reliability about 65%. OnLineNic was in fact worse during the study period than Alantron, which received a breach notice for failing to consistently provide Port 43 service (http://www.icann.org/correspondence/burnette-to-acir-16apr10-en.pdf) as recorded by KnujOn for at least 12 days during the study period. In addition to OnlineNIC being worse than Alantron during this period, World Biz Domains had the exact same Port 43 record responding only 79% of the time. The following is a chart of all Registrars who had regular failures or less than perfect performance.


http://www.icann.org/correspondence/burnette-to-acir-16apr10-en.pdf

Registrar

failures Percent of success

Marcaria.com International, Inc. 57 20% That Darn Name, Inc. 33 54% South America Domains Ltd. dba namefrog.com* 25 65% Onlinenic Inc 25 65% Alantron 15 79% World Biz Domains, LLC 15 79% Netfirms, Inc. 12 83% Freeparking Domain Registrars, Inc. 9 87% Good Luck Internet Services PVT, LTD. 8 89% Hebei Guoji Maoyi LTD dba HebeiDomains.com 8 89% Jetpack Domains, Inc. 8 89% United Domain Registry, Inc. 8 89% NetraCorp LLC dba Global Internet 7 90% 2030138 Ontario Inc. dba NamesBeyond.com 7 90% Web Commerce Communications Limited dba WebNic.cc 7 90% GKG.NET, INC. 4 94% Netpia.com, Inc. 4 94% Paknic (Private) Limited 3 96% Advanced Internet Technologies, Inc. (AIT) 2 97% Galcomm, Inc. 2 97% Guangzhou Ming Yang Information Technology Co., Ltd 2 97% Internet Invest, Ltd. dba Imena.ua 2 97% Moniker 2 97% Nordreg AB 2 97% Visesh Infotecnics Ltd. d/b/a Signdomains.com 2 97% SiteName Ltd. 2 97% Regtime Ltd. 2 97% *Registrar de-accredited


The following 55 Registrars did not respond to our inquiry about their Port 43 WHOIS. In all cases the contact email presented on the InterNIC directory was used: 21Company, Inc. dba 21-domain.com Abansys & Hostytec, S.L.(abansys.com) 1st Antagus Internet GmbH (antagus.de) AOL LLC (aol.com) Aruba SpA(aruba.it) Aust Domains International Pty Ltd dba Aust Domains, Inc.(austdomains.com) Brights Consulting Inc.(brights.jp) Service Development Center of the Service Bureau(chinagov.cn) China Springboard, Inc.(chinaspringboard.com/namerich.cn) Cronon AG Berlin, Niederlassung Regensburg(cronon.org) AllGlobalNames, S.A. dba Cyberegistro.com VocalSpace LLC dba DesktopDomainer.com Digitrad France (digitrad.com) Samjung Data Service Co., Ltd (direct.co.kr) Netdorm, Inc. dba DnsExit.com French Connexion dba Domaine.fr Domain Jamboree, LLC (domainjamboree.com) The Registry at Info Avenue dba Spirit Telecom (spiritdomains.com) Domain Monkeys, LLC domainmonkeys.com Webagentur.at Internet Services GmbH dba domainname.at DomainRegistry.com Inc. DomainSpa LLC (domainspa.com) Ledl.net GmbH dba: Domaintechnik.at DotArai Co., Ltd. (dotarai.co.th) Gee Whiz Domains, Inc. (geewhizdomains.com) Hetzner Online AG (hetzner.de) Digirati Informatica Servicos e Telecomunicacoes LTDA dba Hostnet.com Hostway Services, Inc. (hostway.com) ID Genesis, LLC (idgenesis.com) Instra Corporation Pty Ltd. (instra.com) Interdomain S.A. (interdomain.es) Intermedia.NET, Inc. (intermedia.net) InterNetworX Ltd. & Co. KG (inwx.de) Internet Solutions (Pty) Ltd. (is.co.za) FBS Inc. (isimtescil.com) iWelt AG (iwelt.de) Key-Systems GmbH (key-systems.net) Launchpad, Inc. (launchpad.com) Advantage Interactive Ltd.(LCN.com) Add2Net Inc. (lunarpages.com) Planete Marseille SARL dba MailClub (mailclub.fr) M. G. Infocom Pvt. Ltd. DBA MindGenies (mindgenies.com) Nameshield (nameshield.net) New Great Domains, Inc. (newgreatdomains.com) Porting Access B.V. (portingxs.com) AB RIKTAD (riktad.com) Sedo.com LLC Simply Named Inc. dba SimplyNamed.com Domain Services Rotterdam BV (tellus.com)


UK2 Group Ltd. (uk2group.com) HooYoo (US) Inc. (us.hooyoo.com) Verelink, Inc. (verelink.com) Web Business, LLC (webbusiness.biz) Xiamen ChinaSource Internet Service Co., Ltd (zzy.cn) Additional Issues with the following Registrar contacts Internet Group do Brasil S.A. (http://www.internic.org/registrars/registrar-1380.html) – Email sent to their Internic/ICANN listed contact address was rejected. Internet Group was also issued a breach notice for failing to provide Port 43 access (http://www.icann.org/correspondence/burnette-to-malinardi-02apr10-en.pdf) Black Ice Domains, Inc. (http://www.internic.org/registrars/registrar-1017.html) - Email sent to their Internic/ICANN listed contact address was rejected. Domainfactory GmbH (http://www.internic.org/registrars/registrar-1401.html) – Responded that they are NOT an ICANN accredited Registrar and not required to have a public WHOIS. However they are listed as an accredited Registrar by ICANN and sell gTLD domains on their website. We have asked ICANN for clarification. Humeia Corporation (http://www.internic.org/registrars/registrar-951.html) - Instead of answering our question, Humeia directed us to the InterNIC website to use their WHOIS look up. Secura GmbH (http://www.internic.org/registrars/registrar-111.html) - Wanted to know why we were asking. Hu Yi Global Information Resources (Holding) Company - (http://www.internic.net/registrars/registrar-1402.html) - Wanted to know why we were asking.


http://www.internic.org/registrars/registrar-1017.html



C. Bulk Access for $10,000 US Per Year or Less (RAA 3.3.6)

“3.3.6 In addition, Registrar shall provide third-party bulk access to the data subject to public access under Subsection 3.3.1 under the following terms and conditions: ... 3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one (1) time per week for download by third parties who have entered into a bulk access agreement with Registrar. ... 3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.”

We asked some of the biggest Registrars two simple questions: 1. How much would you charge for bulk access? And, 2. How frequently can we download? These are their responses. NameScout:

“Unfortunately we don't offer this service.” Network Solutions: “Network Solutions does not sell bulk access to the Whois.” eNom: No response Dotster: No response Moniker/Oversee: No response This lack of adherence to the RAA in terms of WHOIS service delivery represents an overall failure of the Registrar community to supply the basic technical products required in their contracts. If the Registrars cannot perform simple contract functions, the stability of the remainder of the operations is also in question. Even worse, these Registrars could simply be obfuscating a service they wish not to provide.


D. Registrars, Laws and Regulations (RAA 3.7.2)

“3.7.2 Registrar shall abide by applicable laws and governmental regulations.” It is an obligation of the Registrar to adhere to law and regulation as condition of their contract with ICANN. While Registrars claim they need court orders to suspend a domain, this is simply untrue in the case of domains used for criminal activity. If a Registrar fails to respond to a court order, they are then also in violation, but the contractual obligation of section 3.7.2 requires adherence to the law and regulation regardless of any official government action. eNom Becomes Accessory to Ongoing Criminal Activity Since December, 2009 eNom has transitioned from being a passive service provider to become an active facilitator of illicit criminal traffic, and possibly a knowing accessory, under the common definitions:

“Facilitation...renders one guilty when he engages in conduct which assists [another person] in obtaining the means or opportunity to commit the crime and in fact his conduct does aid the person to so commit it”2

“Accessory, one who aids or contributes in a secondary way or assists in or contributes to a crime as a subordinate.”3

eNom did receive instructions from the National Association of Boards of Pharmacy (NABP) on December 23, 2009 requesting they cooperate with LegitScript and respond to consumer complaints about rogue Internet pharmacies sponsored by eNom (http://legitscript.com/download/NABP-Letter-to-eNom.pdf). The letter clearly indicated what constitutes a rogue Internet pharmacy and summarized eNom’s involvement in this activity. For those unacquainted with U.S. pharmacy regulation, the local pharmacies boards, working under the umbrella of the NABP are the primary regulatory bodies for pharmacy. LegitScript is a private company authorized by the NABP to advise on these issues. On December 1, 2009 eNom received a letter from LegitScript indicating which eNom-sponsored pharmacy domains were in violation of the law. Throughout December of 2009 and January of 2010, eNom received letters from the pharmacy boards of Manitoba, Minnesota, Ontario, Quebec, and Texas indicating that the “pharmacy licenses” posted by domains sponsored by eNom were all forgeries. eNom did not respond to any of these notices and did not remove any of the domains in question. There is no doubt that eNom is aware of the criminal nature of their customers’ domains. eNom was also alerted to the fact that investigators were able to by drugs without a prescription from the eNom-sponsored domain “canadianhealthcaremall.net.”4 As of this writing, canadianhealthcaremall.net remains online.

2 Barron’s Law Dictionary, Steven H. Gifis 1991 p179 3 Barron’s Law Dictionary, Steven H. Gifis 1991 p5 4 Rogues and Registrars, http://www.legitscript.com/blog/120


http://legitscript.com/download/NABP-Letter-to-eNom.pdf

There is a difference legally between a company that unknowingly facilitates violation of a criminal statute, and one that does so knowingly. Registrars should not be expected to monitor every website, and often, Registrars should not be expected to know what is legal and what is not. But it is also well-established that third parties cannot turn a blind eye to their own facilitation of criminal activity by others: the knowing facilitation of criminal activity by a third party can subject that third party to criminal penalties, for example, as an accessory. Below are the statutes we believe eNom is facilitating violation of: 21 USC 353(b)(1). This is one of the two main federal statutes that makes the sale of any prescription drugs without a prescription is a criminal offense. It states:

...(a) drug intended for use by man which...is not safe for use except under the supervision of a practitioner licensed by law to administer such drug; or (b) is limited by an approved application under section 355 of this title to use under the professional supervision of a practitioner licensed by law to administer such drug; shall be dispensed only (i) upon a written prescription of a practitioner licensed by law to administer such drug, or (ii) upon an oral prescription of such practitioner which is reduced promptly to writing and filed by the pharmacist, or (iii) by refilling any such written or oral prescription if such refilling is authorized by the prescriber either in the original prescription or by oral order which is reduced promptly to writing and filed by the pharmacist. The act of dispensing a drug contrary to the provisions of this paragraph shall be deemed to be an act which results in the drug being misbranded while held for sale.5

The last sentence above refers to the “drug being misbranded.” This means that selling a prescription drug without a prescription violates the federal misbranding statute, which prohibits "...the introduction or delivery for introduction into interstate commerce of any food, drug, device, or cosmetic that is adulterated or misbranded." 6

Misbranding is defined as a criminal offense by 21 USC 333 (http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+21USC333).

5 Title 21 United States Code (USC) Controlled Substances Act, http://www.justice.gov/usao/eousa/foia_reading_room/usam/title4/civ00113.htm 6 Title 21 United States Code (USC) Controlled Substances Act, http://www.fda.gov/RegulatoryInformation/Legislation/FederalFoodDrugandCosmeticActFDCAct/FDCActChapterIIIProhibitedActsandPenalties/ucm086300.htm


21 USC 841. Sale of controlled substances without a prescription is a criminal offense. 7

Certain prescription drugs are called controlled substances, and are designated as such by the DEA. The sale of these products without a valid prescription is a criminal offense under both 21 USC 353(b)(1) and 21 USC 331(a), as well as 21 USC 841 (http://www.justice.gov/usao/eousa/foia_reading_room/usam/title4/civ00113.htm). 21 USC §331(aa) also prohibits the importation of prescription drugs, prohibiting "(t)he importation of a prescription drug in violation of section 384 of this title...."8

Although there has been some intentional obfuscation of this issue (websites sometimes untruthfully state that importing prescription drugs is legal). The bottom line is that importing a prescription drug directly to the patient from outside of the US (e.g., from India, etc.) is not legal under this statute We will not cite all 50 state laws here, but two areas are pertinent: 1. depending on the state, it is either a criminal or regulatory violation to ship prescription drugs into the state without a pharmacy license in that state, and 2. it is generally a criminal offense to pretend to be a pharmacy without being licensed as one. We cite Washington State law here because eNom is located there. Revised Code of Washington (RCW) 18.64.250 provides:

“(1) Any person not a licensed pharmacist and not having continuously and regularly in his employ a duly licensed pharmacist within the full meaning of this chapter, who shall practice pharmacy; or (2) Any person who shall permit the compounding and dispensing of prescriptions, or vending of drugs, medicine…” and

“(6) Any person who shall take or use or exhibit in or upon any place of business… or by electronic media, or in any other manner, the title of pharmacist, pharmacy intern, pharmacy assistant, druggist, pharmacy, drug store, medicine store, drug department, drugs, drug sundries, or any title or name of like description or import, or display or permit to be displayed upon said place of business the characteristic pharmacy symbols, bottles or globes, either colored or filled with colored liquids, without having continuously and regularly employed in his or her shop, store, or place of business, during business hours of the pharmacy, a pharmacist duly licensed under this chapter; shall be guilty of a misdemeanor, and each and every day that such prohibited practice continues shall be deemed a separate offense.” 9

The “electronic media” in this case is the domain name under the control of eNom, and as a knowing accessory they are liable for every day the domains remain operable. Similar language exists in all states. eNom is of particular concern because they sponsor more illicit pharmacy than the next "top five" pharmacy-sponsoring Registrars combined. It is not reasonable to conclude that this is an area of the law where eNom can claim to not be aware of the illegal behavior because they have been provided with screenshots of hundreds of websites with names like “noprescriptionpharmacy.biz” which clearly state they are selling prescription drugs without a prescription in addition to the letters from received from the NABP identifying them as a sponsor of Internet pharmacy crime and asking that they address the problem. 7 Title 21 United States Code (USC) Controlled Substances Act, http://www.deadiversion.usdoj.gov/21cfr/21usc/841.htm 8 Title 21 United States Code (USC) Controlled Substances Act, http://www.fda.gov/RegulatoryInformation/Legislation/FederalFoodDrugandCosmeticActFDCAct/FDCActChapterIIIProhibitedActsandPenalties/ucm086300.htm 9 Revised Code of Washington, http://apps.leg.wa.gov/rcw/default.aspx?cite=18.64.250


http://noprescriptionpharmacy.biz/

It is also important to note also that the Communications Decency Act (http://www.fcc.gov/Reports/tcom1996.txt) only immunizes defendants from non-intellectual property claims and non-criminal complaints. Illicit drug sales is both a criminal act as well as an intellectual property violation since most websites deal in counterfeit or unauthorized sales of trademarked drugs.

“(1) NO EFFECT ON CRIMINAL LAW- Nothing in this section shall be construed to impair the enforcement of section 223 of this Act, chapter 71 (relating to obscenity) or 110 (relating to sexual exploitation of children) of title 18, United States Code, or any other Federal criminal statute. (2) NO EFFECT ON INTELLECTUAL PROPERTY LAW- Nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.” 10

These are therefore the facts. There are roughly 4,000 rogue Internet pharmacies violating the criminal laws specified above that are utilizing eNom's registration services, more than any other Registrar by a factor of seven. eNom is aware of the illegal nature of these domains. eNom has been notified by the organization that represents pharmacy regulatory authorities about this problem, and has been requested to work with LegitScript, as other U.S.-based Registrars do, and non-U.S. Registrars who do business in the United States, to identify clearly illegal websites and suspend them in accordance with the RAA, UDRP and their own Terms and Conditions. eNom has failed to act. The facts support a conclusion that eNom has become an accessory to violation of the criminal statutes listed above, by virtue of knowingly continuing to permit registration of these sites, and refusing to suspend the domains once being put on notice. An accessory being a party who assists in the commission of a crime, but who does not actually participate in the commission of the crime as a joint principal. No one is suggesting that eNom is a principal in these cases. However, without their sponsorship of domains, like canadianhealthcaremall.net, the illicit activity would not exist. So it follows that eNom is facilitating crimes committed by the owners of canadianhealthcaremall.net because eNom knowingly provides them with the means and opportunity to commit a crime. We have already established eNom has full knowledge of the crimes documented and from that day their inaction helps the criminals commit additional crimes and even evade detection through privacy services. The eNom domains have violated the law; their continued existence is only possible with eNom’s knowing cooperation. This makes eNom party to the crime. Whether actively or ignorantly involved, there is no question that eNom has become an arm of illicit international drug traffic, a resource modern organized crime cannot exist without.

10 The Telecommunications Act of 1996, http://www.fcc.gov/Reports/tcom1996.txt


E. Issues of inaccurate WHOIS in Illicit Drug Domains (RAA 3.7.5.3, 3.7.7.2, and 3.7.8)

“3.7.5.3 In the absence of extenuating circumstances (as defined in Section 3.7.5.1 above), a domain name must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement.”

“3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration.”

3.7.8 Registrar shall abide by any specifications or policies established according to Section 4 requiring reasonable and commercially practicable (a) verification, at the time of registration, of contact information associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information. Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall take reasonable steps to correct that inaccuracy.

As we will see below Registrars are bending the rules in favor of illicit pharmacies. In all cases we reported the inaccurate WHOIS to ICANN and the registrant did not update the information after 45 days. We confirmed with ICANN that the information was still inaccurate at the end of the 45 day period. At that point the registrant was allowed to update the information and the Registrar did not delete the domain. In these cases the Registrar skirted the RAA provisions in favor of an illicit pharmacy past the mandated time limit. While we cannot know if the Registrar took “reasonable steps to investigate” we assume they did not because no action was taken until long after the 45 day period and only after KnujOn’s second notification. eNom, RE: qualitydrugs.org

Original WHOIS:

Registrant Street1:Krasnoznamennaya str. 11/47 Registrant City:San Francisco Registrant State/Province: Registrant Postal Code:-- Registrant Country:US Registrant Phone:+1.48546776


The city and street are incompatible, the phone number is incomplete. Inaccuracy report by KnujOn April 19, 2010, inaccuracy still existed on June 4, 2010 and the domain had not been deleted. We reported such but the domain remained online. The WHOIS record was updated June 12, 2010, and additional eight days after the 45-day period. Tucows, RE: ON-LINEPHARMACYUK.COM

Original WHOIS:

Technical Contact: Pharma, UK [email protected] 46 Gordon St South Shield Great, NULL GB 9991111999

This ON-LINEPHARMACYUK.COM WHOIS record had a bogus phone number. KnujOn filed a complaint with ICANN on April 19, 2010 and the WHOIS was unchanged after 45 days. Even though we affirmed with ICANN that this complaint was unresolved after 45 days, the registrant was allowed to update the record and the Registrar has kept the domain online. INTERNET.BS CORP., RE: pharm2day.com, ordercure.com, and tadalafilindia.com

These domains use INTERNET.BS’ invalid privacy service (see Section II Part F) which declares “*******PLEASE DO NOT SEND LETTERS******” and claims to be in the


mailto:[email protected]

Bahamas but uses a Hong Kong phone number. These domains remain online with unchanged WHOIS with this invalid privacy service. BIZCN.COM, RE: cyberrxsavers.com

The WHOIS for this BIZCN-sponsored domain originally had no address or phone number information. We filed a complaint with ICANN on May 17, 2010. After the 45 day period the WHOIS remained unchanged and the domain was still active. We complained to ICANN a second time and the domain was suspended, for 3 days. The domain was allowed to come back online with new WHOIS in violation of ICANN rules. These cases suggest that some Registrars are engaging in a pattern of protection for illicit pharmacy domains. This activity may be considered collusion11 by some which is beyond the facilitation discussed in Section I Part D. This also suggests that ICANN compliance is allowing Registrars to bend the rules in terms of WHOIS inaccuracy. While Registrars often claim they are unaware of how a domain is being used and what other fraudulent activity is occurring. However, the reinstatement or continuity of a domain in violation of ICANN rules may be the “smoking gun” that indicates how important these illegal domains are to their business. Otherwise, why would a Registrar bother to maintain them after they have been given a completely valid reason to delete the domain? When illicit pharmacy domains are reported to Registrars they often claim they cannot suspend them, but false WHOIS gives Registrars the contractual authority and obligation to suspend the domains. One might assume that Registrars would be happy to have an excuse to cut off troublesome domains, but they are instead taking extra measures to ensure their preservation.

11 “Collusion: secret agreement or cooperation especially for an illegal or deceitful purpose”, http://www.merriam-webster.com/dictionary/collusion


F. Registrar Must Display Fees and Deletion Policies (RAA 3.7.5.6/3.7.5.5)

“3.7.5.5 If Registrar operates a website for domain name registration or renewal, details of Registrar's deletion and auto-renewal policies must be clearly displayed on the website.” “3.7.5.6 If Registrar operates a website for domain registration or renewal, it should state, both at the time of registration and in a clear place on its website, any fee charged for the recovery of a domain name during the Redemption Grace Period.”

This is an issue of consumer trust. The domain customer is entitled to know how much the products cost and what the terms of service are over a period of years. Some Registrars have not disclosed or buried their most crucial customer information. VentureDomains, Inc. (upc360.com) – Policies not posted Broadspire Inc. (broadspire.com) – Policies not posted Mobiline USA, Inc. dba domainbonus.com - Policies not posted Premium Registrations Sweden AB (premiumregistrations.com) - Policies not posted, “member login” Internet Group do Brasil S.A. (igempresas.com) – Site does not load M. G. Infocom Pvt. Ltd. (mindgenies.com) - Policies not posted Cheapies.com Inc. - Policies not posted Domain Services Rotterdam BV (tellus.com) – Only reseller information available Internet Solutions (Pty) Ltd. (is.co.za) - Policies not posted iWelt AG (iwelt.de) - Policies not posted Key-Systems GmbH (key-systems.net) – Reporter commented that fee policies were not clear KomPlex.Net GmbH - Policies not posted 1st Antagus Internet GmbH (antagus.de) – Unable to locate renewal policies 1API GmbH (1apI.de) – Fee policies unclear Xiamen eName Network Technology Corp (ename.com) – Unable to locate renewal policies Alantron (alantron.com) – Unable to locate fee policy Own Identity, Inc. (ownidentity.com) - No conspicuous terms link Pacnames Ltd (pacnames.com) - No conspicuous terms link UltraRPM, Inc. dba metapredict.com - No conspicuous terms link USA Webhost, Inc. (usawebhost.com) - Site Loads default Drupal installation page


Ynot Domains Corp. (ynotdomains.myorderbox.com) - Site Loads password-protected control panel 1 More Name, LLC (1morename.myorderbox.com) – Site Loads password-protected control panel


G. UDRP Compliance and Domain Name Speculation Holding (RAA 3.8 and 3.7.8)

“3.8 Domain-Name Dispute Resolution. During the Term of this Agreement, Registrar shall have in place a policy and procedures for resolution of disputes concerning Registered Names. Until different policies and procedures are established by ICANN under Section 4, Registrar shall comply with the Uniform Domain Name Dispute Resolution Policy identified on ICANN's website (www.icann.org/general/consensus-policies.htm).”

“All registrars must follow the the[sic] Uniform Domain-Name Dispute-Resolution Policy(http://www.icann.org/en/udrp/udrp.htm)”

Typically, this policy concerns the relationship between the Registrar and the registrant. However, when the Registrar technically is the registrant and fails to respond to a UDRP proceeding, the question becomes more complex. In the following cases the Registrar’s WHOIS privacy service was employed, which makes the Registrar responsible for all communication and ultimately responsible for the domain name, and the Registrar did not respond to the UDRP. NameCheap as “WhoisGuard” The following cases represent some of the most troubling illicit activity in terms domain name abuse and misuse of privacy services. The registrants have apparently gone to great lengths to conceal their identities and avoid any responsibility; however the role of this accredited Registrar cannot be overlooked and must be thoroughly investigated. The bulk of the domains in question use trademarked drug names which prompted the UDRP claims. The domains themselves were used as unlicensed online pharmacies. While eNom served as Registrar for these domains they were mostly registered through NameCheap. While a Registrar in their own right, NameCheap acted as a reseller for eNom in the case of these domains, and concealed ownership through NameCheap’s WhoisGuard service. In a normal UDRP the Registrar would disclose the ownership of a domain name to a complainant. However, eNom merely issued the WhoisGuard-protected record and the actual ownership was not disclosed by NameCheap. In attempting to contact “WhoisGuard”, which at this point is actually NameCheap, the respondent (NameCheap) failed to respond to the UDRP. While domain owners are not obligated to respond the UDPR, Registrars are. But through careful planning a scheme has been created in which the domain owner is completely anonymous and unaccountable. In these cases the Registrar (eNom) did technically comply, but the third-party (WhoisGuard) defaulted the Registrar of record is technically blameless. WhoisGuard itself is a phantom - neither person nor legal entity in California. In Section II Part F we explain why WhoisGuard is an invalid privacy service and may have committed mail fraud. However, it is obvious that WhoisGuard is the privacy protection service offered by NameCheap. This scheme, by which NameCheap avoids accountability for domains registered in bad faith and used illicitly, is unacceptable. Their dual role as independent Registrar and reseller for eNom is highly questionable. Below we have summarized the trademark violation and NameCheap’s (as WhoisGuard) response. WIPO documents may be obtained at http://wipo.int by referring to the document name listed in the table.


Site Substance/TradeMarkNameCheap Response WIPO Document buycheapcialis.biz Cialis The Respondent did not reply

to the Complainant’s contentions

2005_d2005-0478

ambien-zolpidem.info Ambien/Zolpidem The Respondent did not reply to the Complainant’s contentions

2005_d2005-1267

tamiflu.net Tamiflu Respondent has failed to respond to the Complaint and has not otherwise actively participated in these proceedings.

2005_d2005-1288

pfizerhelpfulanswer.com Pfizer The Respondent did not reply to the Complainant’s contentions.

2006_d2006-0911

lillywomenshealth.com Lilly The Respondent did not reply to the Complainant’s contentions.

2007_d2007-0162

ambien-pills.com Ambien The Respondent did not reply to the Complainant’s contentions.

2007_d2007-1013

lexapro-drugs.com, order-lexapro.com

Lexapro The Respondent did not reply to the Complainant’s contentions.

2008_d2008-0005

valium1.com Valium The Respondent did not reply to the Complainant’s contentions.

2008_d2008-0916

xenical-prices.com Xenical Respondent did not reply to Complainant’s contentions.

2008_d2008-1552

accutaneprices.com Accutane The Respondent did not reply to the Complainant’s contentions.

2008_d2008-1681

xenicalweightloss.info Xenical The Respondent did not reply to the Complainant’s contentions.

2009_d2009-1128

cvspharmacyonline.org CVS The Respondent did not reply to the Complainant’s contentions.

2009_d2009-1604

ambien-next-day.info Ambien The Respondent did not reply to the Complainant’s contentions.

2009_d2009-1671

accutaneacnetreatment.info Accutane The Respondent did not reply to the Complainant’s contentions.

2010_d2010-0176

swineflutamiflu.info Tamiflu The Respondent did not reply to the Complainant’s contentions.

2010_d2010-0193

accutanebuy.com Accutane The Respondent did not reply to the Complainant’s contentions.

2010_d2010-0224


Case No. D2005-1288 (Hoffmann-La Roche Inc. v. WhoisGuard) is in fact frequently cited in WIPO decisions as precedent for transferring trademark infringing domains to the complainant. These cases represent a pattern of bad behavior tacitly supported and possibly assisted by NameCheap. The casual onlooker might get the impression that NameCheap is negatively affected by these WIPO decisions and as a result their policies might change. This is far from the truth. KnujOn has observed on a nearly daily basis, NameCheap registering pharmaceutical trademarks through eNom on behalf of persons unknown. None of the UDRPs seem to have slowed NameCheap’s business dealings with trademark hijackers and international drug traffickers. On inspection there is no reason to expect that they would. As many have commented, the UDRP is a “toothless” process as the respondent is not compelled to comply and suffers only the potential penalty of losing the challenged domain name. That domain name becomes worthless the moment it is transferred to the complainant. Meanwhile, the complainant must expend a significant amount of time and money to resolve the issue. In these cases, NameCheap, has averted any seeming connection or responsibility. The loss of one, or even 100, infringing domain names is meaningless to the respondent since they have access to a bottomless pit of variations at all gTLDs. The emergence of domains using “Tamiflu” are additionally troubling at time when public anxiety over swine flu was riding high. Oversee as “Moniker Privacy” There are dozens of WIPO decisions against “Moniker Privacy” where they did not respond to the UDRP. As with NameCheap, drug names are the frequent target as in the case of WIPO 2009_d2009-1348 concerning “acompliageneric.com” a trademark of Sanofi-Aventis, but also involve other IP like the “jaylenoshow.com” ( 2009_d2009-0571), “delottetouche.com” (2008_d2008-1489), and “nationalfootballleague.com” (2007_d2007-1839). eNom as “Whois Privacy Protection Service Inc.” Like above, eNom’s privacy service is abused for trademark hijacking. Like the above examples, eNom refuses to respond to the UDRP. The language used in one WIPO decision is as follows:

“The Respondent is only a tool proposed by eNom to permit ill-intentioned owners to mask their true identity. This fact constitutes evidence of bad faith.”12

This quote sums up the perception of the use of privacy services in these cases and parallels language used in U.S. v. Kilbride:

“Based on the plain meaning ... private registration for the purpose of concealing the actual registrant’s identity would constitute ‘material falsification.’”13

The point being that, under the guise of protecting domain consumer privacy, WHOIS privacy services have been perverted into a weapon of criminal anonymity and Registrar irresponsibility.

12 WIPO 2005_d2005-0133, TAG HEUER v. Whois Privacy Protection Service, Inc. 13 http://www.ca9.uscourts.gov/datastore/opinions/2009/10/28/07-10528.pdf


OnLineNIC, INC. as “ABSOLUTEE CORP. LTD.” Absolutee Corp Ltd is OnlineNIC’s privacy protection service and it is doubtful that OnlineNIC and Abolutee are distinct entities. Furthermore, the Registrars China-Channel, 35.com and USA Intra Corp. are all likely part of the same organization. On April 19, 2010 the Malletier group, which owns Louis Vuitton, was issued a default judgment of $960,000.00 against Absolutee for “knockoff” sales through OnlineNIC sponsored domains by by California Northern District Court Judge Maxine M. Chesney (http://docs.justia.com/cases/federal/district-courts/california/candce/3:2009cv05612/222027/27/). The Honorable Maxine Chesney also issued an injunction against Absolutee preventing them from any further violation of these trademarks (http://docs.justia.com/cases/federal/district-courts/california/candce/3:2009cv05612/222027/26/). This is same Absolutee that WIPO decided against for registering “tiffanyline.com” (WIPO 2009_d2009-0430) and “buickopen.com” (WIPO 2007_d2007-0279). As seen in the above examples “The Respondent did not reply to the Complainant’s contentions.” It would be useful at this point to provide some background on Absolutee:

• Absolutee has been flagged as supporting the Russian Business Network 14 • Absolutee has been linked to a payment processing system for child pornography called

Avalonpay15 • Absolutee was linked to a fake Fidelity Investments phishing site16 • Absolutee was linked to malware distribution17 • The site “absolutee.com” has been known to appear as a download location in virus scan

logs18 Like eNom's Whois Privacy Protection Service, Absolutee is tool proposed by OnlineNIC to permit ill-intentioned owners to mask their true identity, which constitutes evidence of bad faith. Without dragging the point out, we contend that Absolutee solely exists to mask illicit activity that OnlineNIC benefits from. Registrars will contend that the registrants are behind these illicit domains and the Registrar should not have to take responsibility for the associated problems. However, OnlineNIC recently settled for tens of millions of dollars with Verizon, Microsoft and Yahoo (http://arstechnica.com/old/content/2008/12/court-awards-verizon-33-million-in-cybersquatting-squabble.ars). In these cases the complainants alleged OnlineNIC employees registered the domains under false identities. The courts agreed. These cases may point to a trend of brand-holders bypassing the UDRP in order to collect monetary damages from Registrars who operate as or protect cybersquatters. This issue is discussed specifically in section III part B. In conclusion, the lines between registrants and Registrars have become seriously blurred in cases of cybersquatting. Evidence precludes Registrar denial of involvement when they supply special tools that encourage it, mask ownership of the domains, and ignore the UDRP when caught.

14 http://www.wired.com/images_blogs/dangerroom/files/iDefense_RBNUpdated_20080303.doc15 http://www.matchent.com/wpress/?q=node/36916 http://www.ecommerce-journal.com/node/119517 http://www.dslreports.com/forum/remark,1668679218 http://www.bleepingcomputer.com/forums/lofiversion/index.php/t111606.html


http://arstechnica.com/old/content/2008/12/court-awards-verizon-33-million-in-cybersquatting-squabble.ars

http://arstechnica.com/old/content/2008/12/court-awards-verizon-33-million-in-cybersquatting-squabble.ars

http://www.wired.com/images_blogs/dangerroom/files/iDefense_RBNUpdated_20080303.doc

http://www.matchent.com/wpress/?q=node/369

http://www.ecommerce-journal.com/node/1195

http://www.dslreports.com/forum/remark,16686792

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t111606.html

H. Reseller Obligations (RAA 3.12)

“3.12 Obligations of Third-Party Resellers. If Registrar enters into an agreement with a reseller of Registrar Services to provide Registrar Services”

The issue of reseller compliance is so large that it calls for a separate report. However we feel the need to discuss a case where the lines between reseller and Registrar have become extremely blurred. This Report explores true ownership of a domain reseller. We believe that this purported reseller is actually owned and controlled by eNom. Acquire This Name, INC.

The apparent domain name reseller Acquire This Name, INC. (acquirethisname.com) posts no clear ownership or location on its site except a post office box: PO BOX 6097, Bellevue, WA 98008 In the “About Us” they provide the following information:

“Q: Do you own the domains you sell? A: No, we represent the domain owner and facilitate the sale of the domain. Q: Is AcquireThisName a domain registrar? A: No, AcquireThisName is a brokerage firm, representing domain owners. We are not a registrar and do not offer registration services.”


(http://www.acquirethisname.com/about-us.aspx) Their FAQ states the following:

“Our reseller relationship with eNom helps make purchasing…”

(http://www.acquirethisname.com/frequently-asked-questions.aspx) At this point Acquire This Name, INC. has made it clear they are NOT a Registrar but actually a reseller or “brokerage.” They have also stated that Acquire This Name, INC. is a reseller of eNom and directs customers to create an account at eNom to manage the domain name. As for payment, Acquire This Name, INC. states:

“Our preferred method of payment is by wire to our affiliate, eNom…”

(http://www.acquirethisname.com/frequently-asked-questions.aspx) Statement: eNom is an affiliate of Acquire This Name; Acquire This Name is a reseller of eNom. We attempted to locate the business registration of Acquire This Name, INC. and found it in Nevada’s Secretary of State Business Registration database. However all of the officer names for Acquire This Name, INC. had been scrubbed or deleted through “resignations” on April 8, 2009.


Acquire This Name currently has no officers listed with the Nevada SOS and has actually passed the deadline for supplying this information.

However, we were able to determine that the resigned officers were SARAH AKHTAR COOPER and MICHAEL BLEND. We also found two WIPO decisions where Acquire This Name, Inc. was ordered to surrender a domain name for trademark reasons. The respondent in one of these cases was Matt Overman. (http://www.wipo.int/amc/en/domains/decisions/html/2009/d2009-0411.html, http://www.wipo.int/amc/en/domains/decisions/html/2008/d2008-1162.html) Sarah Akhtar Cooper is the General Counsel of eNom Michael Blend is the Senior Vice President of Demand Media (eNom) Matt Overman Director of Domain Sales at Demand Media (eNom) Additionally, acquirethisname.com is hosted and sponsored by eNom. From the list of officers and the cited payment structure, it does not appear that Acquire This Name is really a reseller or even a separate entity.


While Acquire This Name stated they do not own the domain names they sell, rather: “we represent the domain owner and facilitate the sale of the domain.” It is impossible to verify as the registrant’s details are concealed through Whois Privacy Protection Service Inc., which is eNom’s privacy service. However, equateconsonant.com is indeed sponsored and hosted by eNom. In conclusion it is clear that this entity was created by eNom staff for the benefit of eNom while seeming to not be eNom. This is a serious violation of consumer trust.


I. Registrar Contact Address Must Be Available on Website (RAA 3.16)

“3.16 Registrar shall provide on its web site its accurate contact details including a valid email and mailing address (http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm).”

This section was added to the 2009 revised RAA after a series of incidents indicated Registrars had not disclosed their business addresses. Research conducted by KnujOn19 found that 70 Registrars had no address posted in the InterNIC Registrar directory. It was also found that several Registrars had falsified their business address or were using “mail-drop” addresses in different countries from where the business was actually located. Subsequently it was found that Registrar Parava Networks has falsified their address20. KnujOn campaigned hard for a change to the RAA21, but Registrars are still flouting this new rule. We also have serious concerns about Registrars using Post Office Boxes as their primary business address, but this is still a subject of debate22. These Registrars have signed on to the 2009 RAA, which requires that they display their address, but they have not yet done so. Arsys Internet, S.L. dba NICLINE.COM DSTR Acquisition PA I, LLC dba DomainBank.com IREGISTRY CORP. /iregistry.com $$$ Private Label Internet Service Kiosk, Inc. (dba "PLISK.com") 21Company, Inc. dba 21-domain.com/21-domain.com ITPAN.COM INC./itpan.com Active Registrar, Inc./activeregistrar.com COMPANA LLC/budgetnames.com Directi Internet Solutions Pvt. /publicdomainregistry.com DOTALLIANCE INC/dotalliance.com EVERYONES INTERNET LTD./resellone.net FRANCE TELECOM/francetelecom.com CSL Computer Service Langenbach GmbH d/b/a joker.com NET 4 INDIA LIMITED/net4.in NICCO LTD. /nicco.com REGISTER.COM INC./register.com RESELLER SERVICES INC./ResellServ.com UK2 GROUP LTD. /uk2group.com VOLUSION, INC./volusion.com Webagentur.at Internet Services GmbH d/b/a domainname.at YNOT DOMAINS CORP/myorderbox.com VIVID DOMAINS INC/vividdomains.com* *Merely gives "Miami" as the address, no street location

19 http://www.knujon.com/news2008.html#06102008 20 http://www.knujon.com/news2008.html#07222008 21 http://www.knujon.com/news2008.html#11022008 22 http://www.circleid.com/posts/should_a_domain_name_registrar_run_from_a_po_box/


These Registrars have not signed on to the 2009 RAA, but should be required to post their address before being eligible to renew their contract. INTERNET GROUP DO BRASIL/igempresas.com MANGO MOODS INC./Marcaria.com International, Inc DNS:NET Internet Service GmbH/dns-net.de PREMIUM REGISTRATIONS SWEDEN/premiumregistrations.com AB CONNECT /hosteur.com A TECHNOLOGY COMPANY INC/namesystem.com C I HOST INC./cihost.com EXPERINOM INC./experinom.com FUNPEAS MEDIA VENTURES, LLC DBA DOMAINPROCESSOR.COM/DomainProcessor.com GEE WHIZ DOMAINS INC/geewhizdomains.com Globedom Datenkommunikations GmbH, d/b/a Globedom/globedom.com DomainContext, Inc./isregistrar.com JETPACK DOMAINS INC/jetpackdomains.com NEW GREAT DOMAINS /newgreatdomains.com ONLINENIC INC./onlinenic.com OPEN SYSTEM LTD. /turbosite.com.br OWN IDENTITY INC/ownidentity.com PACNAMES LTD /pacnames.com QUANTUMPAGES TECHNOLOGIES/ownregistrar.com TURNCOMMERCE, INC. DBA NAMEBRIGHT.COM/NameBright.com ULTRARPM INC./metapredict.com UNITED DOMAIN REGISTRY, INC./uniteddomainregistry.com WEBAIR INTERNET DEVELOPMENT/webair.com ZOG MEDIA, INC. DBA ZOG NAMES/zognames.com HOSTING.COM, INC./Hosting.com MOOZOOY MEDIA INC. /wiredwebsite.com NAMEHOUSE, INC./namehouse.net USA WEBHOST/usawebhost.com* *Home page declares: "You have to log in to contact us" The following Registrars do not display their address but were de-accredited during the study period. MOBILINE USA INC./domainbonus.com TAHOE DOMAINS INC./tahoedomains.com WESTERN UNITED DOMAINS /wudomains.com AFTERGEN, INC. DBA JUMPINGDOT/jumpingdot.com OOO RUSSIAN REGISTRAR/ruregistrar.com The following Registrars do not display their address but are of unclear status. ENETREGISTRY INC/enetregistry.net VERZA DOMAIN DEPOT BV/verzadomains.com


Serious Issues A Technology Company, Inc. (namesystem.com) does not disclose its business address on its primary website and additionally is blocking access to its own WHOIS record (see Section II Part A). OnlineNIC, Inc. (onlinenic.com) is allegedly located in the Oakland area of California but various investigations reveal it is actually in China and its U.S. locations are fraudulent. Most of this became apparent during trademark lawsuits against OnlineNIC by Microsoft and Verizon (http://www.theregister.co.uk/2009/08/27/onlinenic_verizon_ruling_upheld/; http://www.thedomains.com/2009/03/12/onlinenic-settles-with-microsoft-appeals-verizon-decision/). OnlineNIC sponsors thousands of unlicensed pharmacy domains in violation of U.S. and California law. They have been notified multiple times about these sites. OnlineNIC actually has several alleged addresses. The address given in the InterNIC directory and in their WHOIS record is 351 Embarcadero E. Oakland CA 94606. This address was revealed to be an empty lot in an article by Andrew Naylor called “Visiting OnlineNIC’s Non-Office”23 over a year ago. We have filed inaccuracy complaints about this address but Onlinenic.com endures. Their second address, 2315 26th Avenue, San Francisco, CA, is related to a California business registration that has been suspended by the Secretary of State.

Their third address is a residential address which we will not reveal here because there is no evidence that the location is associated with OnlineNIC. The fourth address, 909 marina village pkwy #236 Alameda CA 94501, is a UPS mail box.

23 http://dotsnews.com/domain-name-news/184


Since the lawsuits their CA business has been re-registered by their U.S. lawyer, Perry J. Narancic.24 Narancic represented them against MS and Verizon and negotiated the multi-million dollar settlement. OnlineNIC’s real address is likely 7F International Trade Building, 388 South Hubin Road, Xiamen China that exists even in ICANN documents.25 It is time for this charade to end.

24 http://www.nk-pc.com/index.php?option=com_content&view=article&id=47&Itemid=5425 http://www.icann.org/en/tlds/pro1/pdf/rop_exhibit_a5.pdf


http://www.nk-pc.com/index.php?option=com_content&view=article&id=47&Itemid=54

http://www.icann.org/en/tlds/pro1/pdf/rop_exhibit_a5.pdf

J. Material Falsification in Registrar Application (RAA 5.3.1)

“5.3.1 There was a material misrepresentation, material inaccuracy, or materially misleading statement in Registrar's application for accreditation or any material accompanying the application. (http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm).”

Since we cannot see the original applications we can only estimate what was in the application based on currently available business records. A Registrar must be a business entity, must disclose the type of legal entity and attest that “the information contained in this application, and all supporting documents included with this application, are true and accurate to the best of Applicant's knowledge”26. Obviously, it is expected that entity be a legitimate and verifiable one. However, we have found a fairly sizable number who apparently do not exist. eNom has the largest number of unverified business entities. We attempted to locate them in Washington State, where eNom is located; in California, where Demand Media is located; as well as in Delaware, Florida, and Nevada. These issues can be easily resolved if eNom and others reveal their business registrations with evidence they existed prior to accreditation. Otherwise, all of these accreditations are in breach of section 5.3.1. Business Registrations Not Found eNom(DemandMedia) Accreditations Afterdark Domains, Incorporated (eNom)

Enom Corporate, Inc. eNom666, Inc.

Arab Internet Names, Incorporated (eNom)

Enom GMP Services, Inc. eNom672, Inc.

Big House Services, Inc. (eNom)

enom413, Incorporated Enoma1, Inc.

Blisternet, Incorporated (eNom)

enom415, Incorporated EnomAte, Inc.

Dagnabit, Incorporated (eNom)

enom417, Incorporated EnomAU, Inc.

Domainnovations, Incorporated (eNom)

enom419, Incorporated eNombre Corporation

Domain Rouge, Inc. (eNom) enom421, Incorporated EnomEU, Inc.

Dropoutlet, Incorporated (eNom)

enom423, Incorporated Enomfor, Inc.

enom389, Incorporated (eNom)

enom425, Incorporated EnomMX, Inc.

eNom, Inc. (eNom) enom427, Incorporated Enomnz, Inc.

Enom1, Inc. enom429, Incorporated eNomsky, Inc.

eNom1008, Inc. enom431, Incorporated EnomTen, Inc.

eNom1009, Inc. enom433, Incorporated EnomToo, Inc.

eNom1010, Inc. enom435, Incorporated EnomV, Inc.

eNom1012, Inc. enom437, FastDomain Inc. (eNom)

26 http://www.icann.org/en/registrars/accreditation-application.htm


Incorporated

eNom1013, Inc. enom439, Incorporated Fenominal, Inc. (eNom)

eNom1014, Inc. enom441, Incorporated Fushi Tarazu, Incorporated (eNom)

eNom1033, Inc. enom443, Incorporated Gunga Galunga, Incorporated (eNom)

eNom1034, Inc. enom445, Incorporated Indirection Identity Corporation (eNom)

eNom1035, Inc. enom447, Incorporated

Internet Internal Affairs Corporation (eNom)

eNom1036, Inc. enom449, Incorporated Kingdomains, Incorporated (eNom)

eNom1037, Inc. enom451, Incorporated Mark Barker, Incorporated (eNom)

eNom1038, Inc. enom453, Incorporated Mobile Name Services, Inc. (eNom)

Enom2, Inc. enom455, Incorporated Name Nelly Corporation (eNom)

Enom3, Inc. enom457, Incorporated Name Thread Corporation (eNom)

enom371, Incorporated enom459, Incorporated Nerd Names Corporation (eNom)

enom373, Incorporated enom461, Incorporated Nom Infinitum, Incorporated (eNom)

enom375, Incorporated enom463, Incorporated One Putt, Inc. (eNom)

enom377, Incorporated enom465.com, Incorporated PostalDomains, Incorporated (eNom)

enom379, Incorporated enom467, Incorporated Private Domains, Incorporated (eNom)

enom381, Incorporated enom469, Incorporated Retail Domains, Inc. (eNom)

enom383, Incorporated Enom5, Inc. SBSNames, Incorporated (eNom) enom385, Incorporated eNom623, Inc. Searchnresq, Inc. (eNom) enom387, Incorporated eNom635, Inc. SicherRegister, Incorporated (eNom) enom391, Incorporated eNom646, Inc. Sipence, Inc. (eNom)

enom393, Incorporated eNom647, Inc. Small Business Names and Certs, Incorporated (eNom)

enom395, Incorporated eNom650, Inc. Sssasss, Incorporated (eNom) enom397, Incorporated eNom652, Inc. Traffic Names, Incorporated (eNom) enom399, Incorporated eNom654, Inc. TravelDomains, Incorporated (eNom) Enom4, Inc. eNom655, Inc. Vedacore.com, Inc. (eNom)

enom403, Incorporated eNom656, Inc. Whiteglove Domains, Incorporated (eNom)

enom405, Incorporated eNom659, Inc. enom407, Incorporated eNom661, Inc. enom409, Incorporated eNom662, Inc. enom411, Incorporated eNom663, Inc.


OVERSEE/MONIKER/SNAPNAMES Accreditations Ace of Domains, Inc. CoolHandle Hosting, LLC DomainSystems, Inc. dba DomainsSystems.com DOTSTER Accreditations Deschutesdomains.com LLC Domain-A-Go-Go, LLC Domaininthehole.com LLC Apparently Unaffiliated #1 Internet Services International, Inc. dba 1ISI 1 More Name, LLC Annulet Incorporated Azdomainz, LLC Azprivatez, LLC Atozdomainsmarket, LLC Belgiumdomains, LLC Capitoldomains, LLC Domaindoorman, LLC Domainbullies,LLC DBA DomainClub.com Domain-It!, Inc. Domain Jamboree, LLC eBrandSecure, LLC Namehouse, Inc. NetTuner Corp. dba Webmasters.com Vivid Domains, Inc. Ynot Domains Corp.


K. Legal Issues with a Registrar (RAA 5.3.2)

“5.3.2.1 is convicted by a court of competent jurisdiction of a felony or other serious offense related to financial activities, or is judged by a court of competent jurisdiction to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN reasonably deems as the substantive equivalent of those offenses; or 5.3.2.2 is disciplined by the government of its domicile for conduct involving dishonesty or misuse of funds of others.”

Registrar Abacus America, Inc. d/b/a Names4ever in Corporate Delinquency

State of Kansas definition of Corporate Delinquency:

“Delinquent: The business entity has not filed its annual report and fee by the due date. The business entity will remain in Delinquent status until it files its annual report, or until the business entity forfeits for failure to timely file the annual report and fee.”27

Abacus America was cited in 200828 by LegitScript and KnujOn for sponsoring an illicit, unlicensed steroid-dealing site called MULTIHGROUP.COM (http://www.knujon.com/schedule3/Steroid%20Report%20Knujon%20and%20LegitScript%20july%202008.pdf) which sells schedule 3 (http://www.justice.gov/dea/pubs/scheduling.html) substances without prescription, drugs that are shipped from Turkey into the United States. To date, Abacus America has not responded to our inquiry and the site is still online, registered through Abacus America.

27 http://www.accesskansas.org/corp_search/status_window.html 28 http://query.nytimes.com/gst/fullpage.html?res=9E07E4D91739F935A15754C0A96E9C8B63


We have reported the corporate delinquency to ICANN’s compliance department and they have informed us that since Abacus America is principally registered in California this issue does not constitute a breach of their contract. However, we still believe this a poor reflection the responsibility of the Registrar to the Internet community. Additionally, as an issue of disclosure it should be noted that Abacus America purports to be in Florida, not California. We are also concerned that a Registrar with multiple and possibly invalid locations is continuing to sponsor illicit pharmacies with no response to the concerned public.


L. Registrar Officer Legal Issues (RAA 5.3.3)

“5.3.3 Any officer or director of Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is judged by a court to have committed fraud or breach of fiduciary duty, or is the subject of a judicial determination that ICANN deems as the substantive equivalent of any of these; provided, such officer or director is not removed in such circumstances. Upon the execution of this agreement, Registrar shall provide ICANN with a list of the names of Registrar's directors and officers...”

It is possible that an officer of Registrar Web Werks India Pvt. Ltd (AKA D For Domains, AKA wwindia.net, AKA SUVIP INC) violated “federal securities laws by engaging in a fraudulent, tax-motivated wash sales trading scheme.”29 This information has been sent to ICANN compliance. While Web Werks gives its address as 124 Prabhadevi Unique Industrial Estate off V.S. Marg Prabhadevi Mumbai Maharashtra (India), the WHOIS address disclosed for their operational domain, dfordomains.com, is 984 North Broadway Suite 314 Yonkers New York 10701. The dfordomains.com/Web Werks informational site claims India and U.S. offices. KnujOn staff attempted to verify the U.S. address in person and discovered that 984 North Broadway is in fact a medical building. Listed in the directory at Suite 314 was an ophthalmology and nephrology office operated by physicians Dwarka P. Rathi and Seema Rathi. The officer contact for Web Werks India is Nishant Rathi who may be related to Dwarka P. Rathi and Seema Rathi but we cannot confirm this at this time. A subsequent search of businesses claiming to be located at 984 North Broadway Suite 314 produced a company called “Suvip Consultancy Services” or “SUVIP INC.” The address is used on their website http://www.suvipgroup.com/Home.aspx which describes their business as “a worldwide information and technology solutions and consulting services firm with a proven track record in providing turnkey solutions to integrate businesses, workflows and Technology.” The website also discloses their involvement in an automated stock trading interface: “Suvip Technologies adopts ExtJS 2.0 as a client UI Framework for BrokerSwift ... Suvip and AksaTech India Pvt Ltd collaborate to implement technology solutions for Broker Dealers”

29 Securities Exchange Act of 1934 Release No. 48261, http://www.sec.gov/litigation/admin/34-48261.htm


http://www.suvipgroup.com/Home.aspx

The New York state business filing for SUVIP INC. has the address 984 NORTH BROADWAY, STE. 314 YONKERS, NEW YORK, 10701. There are no officers listed in the public filing.

In a 2003 filing the Securities and Exchange Commission alleges that Dwarka P. Rathi, described as a “self-employed New York physician”30, “engaged in 132 wash sales involving 28 different stocks from November 23, 1999 through December 23, 1999. Rathi executed 130 of these sales in the after-hours market.”31 Through this scheme “Rathi created losses of $221,698 in his taxable accounts and gains of $245,174 in his tax-sheltered accounts.”32 The SEC ruled that Rathi violated Section 10(b) of the Exchange Act and Rule 10b-5. The SEC instituted settled cease-and-desist proceedings, and filed a settled federal court action against Rathi.

30 Securities Exchange Act of 1934 Release No. 48261, http://www.sec.gov/litigation/admin/34-48261.htm 31 Securities Exchange Act of 1934 Release No. 48261, http://www.sec.gov/litigation/admin/34-48261.htm 32 Securities and Exchange Commission v. Dwarka P. Rathi, http://www.sec.gov/litigation/litreleases/lr18266.htm


If Dwarka P. Rathi is an officer of Web Werks India/dfordomains.com and the same Dwarka P. Rathi charged in the SEC filing, then Web Werks India is in breach of sections 5.3.2 and 5.3.3 of the Registrar Accreditation Agreement. This matter should be fully investigated.


N. Registrar Acting in a Manner that Endangers Stability (RAA 5.3.6)

“5.3.6 Registrar continues acting in a manner that ICANN has reasonably determined endangers the stability or operational integrity of the Internet after receiving three (3) days notice of that determination.”

As we have seen, and will continue to see in this report, eNom is threatening the overall stability of the DNS. Because of its size and share of the market a potential criminal charge and or de-accreditation of eNom would throw the world of ICANN, online-business, and domain consumer into chaos. The number of domains that would need to be transferred would far outnumber any previous transfer. While a criminal charge against eNom has not occurred yet, it is inevitable under their current policies or harboring illicit drug networks and failing to address the problem.


L. Miscellaneous: Registrars without a functioning website It is implied by the nature of this industry and the requirements of the RAA that a Registrar have a functioning website. The following Registrars do not have a functioning or locatable website. Bharti Airtel Services Limited - bhartiairtelservices.in redirects to bhartiresources.com, which merely loads a password interface. 1 More Name, LLC – “1morename.myorderbox.com” is constantly down for maintenance #1 Accredited Registrar - 1accredited.com does not load 1dotmobiregistrar.com – Parking page, now “Desert Devil, Inc”? A Rite Tern, LLC (aritetern.com) – Access “Forbidden” Basic Fusion, Inc. (basicfusion.net) - Not found Best Bulk Register, Inc. (bestbulkregister.com) - Not found DropHub.com, Inc. (DropHub.com) – Now “Intrust-Domains”? FBS Inc. (isimtescil.com) - Not found Launchpad, Inc. (launchpad.com) – No content Mister Name (mistername.com) - Not found ATXDOMAINS Inc. (atxdomains.com) - Not found Nameescape.com LLC (Nameescape.com) – Parking Page Names Bond, Inc. (namesbond.net) - Not found Pointag Technologies, Inc. (pointag.com) – Not found SiteName Ltd. (sitename.com) – “The page isn't redirecting properly”


O. Recommendations for these issues Most of these problems can be resolved by proper and regular auditing.

• Registrars who have not signed on to the 2009 RAA should not be allowed to until they have posted their business address on their main web page.

• ICANN Needs to decide if eNom has failed to comply with government regulations and thus is in violation of the RAA

• ICANN Compliance should issue breach notices to all Registrars who have failed to provide a working Port 43 WHOIS address

• The InterNIC/ICANN Registrar Directories need to be updated on more regular basis • The full lifecycle of Registrar breach, termination, transfer and sale should be available • ICANN Needs to fully investigate eNom’s involvement with Acquire This Name, INC.


Section II: WHOIS Issues

"As the DNS is currently structured, registrants are under only an honor system to provide accurate Whois data. Meanwhile, it makes no economic sense for registrars to enforce Whois accuracy. The result is that in terms of accuracy, when compared with other compilations of public data (such as driver's licenses and trademark registrations), the Whois database is substantially fiction." 33

-Benjamin Edelman, as Fellow at the Berkman Center for Internet & Society

This quote comes from 2005 Congressional testimony before the Committee on the Judiciary Subcommittee on Courts, the Internet, and Intellectual Property. In the half decade since, the situation has gotten substantially worse with large drug trafficking networks settling into the DNS comfortably with little to fear in terms of law or policy. At this hearing Professor Edelman’s suggested the following process improvements:

1. Reduction in the lenience of opportunity to “cure” intentionally invalid data 2. Registrants with multiple domain names with intentionally invalid data, should forfeit of all domains with the same invalid data 3. Statistically valid surveys of registrars’ WHOIS accuracy, with public reporting of each Registrar’s accuracy should be published by ICANN 4. Public reporting by ICANN of WHOIS accuracy complaints and their outcome 5. Financial and other penalties to Registrars with poor WHOIS accuracy records

None of these recommendations have been enacted, or from our observations, seriously considered by ICANN and the supporting bodies. The idea that Internet abuse handlers, such as KnujOn, are anti-privacy because we support full WHOIS disclosure is a red herring. We have proposed a simple solution to this problem – a hard line between commercial and informational domains. This is a system adopted in some ccTLDs. Domains used for commercial activity must have public WHOIS just as their brick-and-mortar components require public disclosure. Pharmacies, banks, consumer goods stores and the like cannot have secret ownership in any country. Products offered by these companies require government approval globally through licensure, inspection and audit. In a very brief period the Internet has managed to subvert generations of accountability created to protect the consumer from harm and the illicit players hide with impunity under the banner of “privacy” with support and encouragement from the Registrars. The domains of Girl Scout troops, dog-lover clubs, and political activists are not the domains that generate heated public concern over WHOIS inaccuracy. Domains selling controlled substances, imaginary loans, pirated software, and dangerous knockoff goods are of concern. Domains lifting someone else’s intellectual property or selling images of child exploitation are of concern. It is shameful to argue privacy rights for these parties. There have been three major reviews of WHOIS in the last 10 years prior to the recent NORC34 study: 2002 – “Large-Scale Intentional Invalid WHOIS Data”35; 2003 – “US House Committee on the Internet, and Intellectual Property”36; and 2005 – “Prevalence of False Contact Information for Registered Domain Names.”37 Each report has told us more or less the same thing, that WHOIS is largely falsified. The time for studies has passed, it is time for proactive correction and policy enforcement.

33 cyber.law.harvard.edu/people/edelman/pubs/judiciary-090403.pdf 34 http://www.theregister.co.uk/2010/02/17/domain_name_problems/ 35 http://cyber.law.harvard.edu/archived_content/people/edelman/invalid-whois/ 36 http://cyber.law.harvard.edu/archived_content/people/edelman/pubs/Judiciary-090403.pdf 37 http://www.gao.gov/new.items/d06165.pdf


A. Registrar WHOIS Validity

If domain registrants are expected to supply valid contact information for the WHOIS record, Registrars should be held to, at the very least, the same standard. We would argue that it behooves the Registrar to set an example for the registrant by complying with the RAA conditions for accurate WHOIS. However, we have found that many Registrars do not have accurate WHOIS for their own operational sites and some are apparently deliberately obfuscating their WHOIS record. At a minimum, the Registrar’s WHOIS record should match the contract address required on their website by 2009 RAA section 3.16, and match the address displayed in the ICANN/InterNIC Registrar directories. Recent cases of obfuscation by Parava Networks, now de-accredited, and OnlineNIC represent serious violations of consumer trust. The first section below shows which Registrars have bad WHOIS records. WDPRS complaints were filed where appropriate. 1-877NameBid.com LLC (1-877NameBid.com) – Missing Phone

Administrative Contact: R. Lee Chambers Company LLC Richard [email protected] Post Office Box Ten Ooltewah TN 37363-0010 US Tel. 000.0000000 Technical Contact: R. Lee Chambers Company LLC Richard [email protected] Post Office Box Ten Ooltewah TN 37363-0010 US Tel. 000.0000000

Affordable Computer Solutions, Inc. DBA Afforda.com – Missing Phone, Address is a “Pak Mail” mail drop service

Admin Contact Information : Afforda.com [email protected] 1280 W. Fifth Ave Suite 127 Columbus 43212 999 5555555555 999 5555555555

Bharti Airtel Services Limited (bhartiairtelservices.in) – Street Address Incomplete

Admin ID:DI_7411910 Admin Name:anubha Admin Organization:bharti airtel limited Admin Street1:qutub Admin Street2: Admin Street3: Admin City:delhi Admin State/Province:Delhi Admin Postal Code:110030


Admin Country:IN Admin Phone:+011.27883304 Admin Phone Ext.: Admin FAX: Admin FAX Ext.: Admin Email:[email protected]

CoolHandle Hosting, LLC (coolhandle.com) – Bad Name, Street and City Address

Registrant [1729364]: Private Reg [email protected] 0000 Street California CA 90001 US

The record was recently updated to put in a street location, but the registrant was apparently unable to put “Los Angeles” in the City field and there is still no person listed as registrant.

Administrative Contact [2588228]: Cool Handle Manager [email protected] 700 W. 6th Street California CA 90017 US Phone: 1.8662002828

Mobiline USA, Inc. dba domainbonus.com – No Phone Number

Administrative Contact Mobiline USA Inc. DomainBonus.com Mobiline dba [email protected] 1204 Ave. U 11229 Brooklyn NY United States Tel: 1.1111111

Domus Enterprises LLC dba domus-llc.com – No name, no email address

Tech. Contact Org. Name: First Name: Manager Last Name: General City: Wilmington Address1: 3422 Old Capitol Trail Address2: PMB 439 State: DE Country: US Postal Code: 19808-6192 Phone: 1.8883970996 Fax: Email:


HANGANG Systems, Inc. dba Doregi.com – No name, no street address

Technical Contact: Domain Master [email protected] 82-2-3284-2500

I.D.R Internet Domain Registry LTD. (idregister.com) – No phone

Tech ID: DI_1069961 Tech Name: IDR Internet Domain Registry ltd Tech Organization: Company Require Tech Street1: 12 Ha'Sharon Tech Street2: P.O.Box 1057 Tech Street3: Tech City: Kefar Sava Tech State/Province: Tech Postal Code: 44110 Tech Country: IL Tech Phone: 000.0000000 Tech Phone Ext.: Tech FAX: Tech FAX Ext.: Tech Email: [email protected]

Marcaria.com International, Inc. – No Street Address

Administrative Contact: MARCARIA.COM CORP. MARCARIA.COM CORP. [email protected] 1.3054348621 Fax: 1.3056752956 Suite 914-992143 Miami FL 33172 miami FL 33172 US


A Technology Company, Inc. (namesystem.com) – Blocking access to its WHOIS Record WHOIS does not exist for their primary domain (namesystem.com), for which they are the Registrar.


Red Register, Inc. (redregister.com) – No name, bad address, no phone number. Registrar is de-accredited.

Administrative Contact: customer, private [email protected] IMU K Kiev, TX 41111 US 123.45678 Fax:123.45678

Simply Named Inc. dba SimplyNamed.com – No Phone Number

Admin ID: COCO-9994208 Admin Name: Cynthia L. Pearcy CEO Admin Organization: Simply Named Inc. Admin Street: 1829 US Highway 64 Admin Street: - Admin City: Marion Admin State/Province: AR Admin Postal Code: 72364 Admin Country: US Admin Phone: Admin Phone Ext: Admin Fax: Admin Fax Ext:

Registrar Domains Using Invalid Privacy Services Gee Whiz Domains, Inc. (geewhizdomains.com) – “Private Whois Service”

Administrative Contact Private Whois Service Private Whois Service [email protected] *******PLEASE DO NOT SEND LETTERS****** ****Contact the owner by email only**** c/o geewhizdomains.com N4892 Nassau Bahamas Tel: +852.81720004


B. Nameserver WHOIS Validity and Legitimacy

In March at the last ICANN meeting ICANN CEO Rod Beckstrom announced to shocked audience that the Domain Name System “can stop any time” and “is under attack today as it has never been before”38. While many in the ICANN supporting groups took extreme exception to his statement everything in our research points to this being an indisputable fact. The structure of the Internet is under constant threat, its oversight is weak, its resources are unaccountable, and its records are forged. Criminals have become Registrars, Resellers, ISPs and hosting companies. Nameservers are dedicated to illicit traffic in ways that specifically confound investigators and law enforcement jurisdiction. The role of a domain name becomes infinitely more important when it also functions as a NameServer. While domain name WHOIS records are held to a certain, unchecked and un-enforced, standard it should be argued that NameServer domain records must be even more subject to due diligence and verification.

Issues with DOTNAME Domains as NameServers There a currently 553 .NAME NameServers serving gTLD domains. This presents a special problem because .NAME is intended for personal use only and as a result does not have public thick WHOIS39. The use of .NAME for personal names only is stipulated in the Registration agreement as “the Personal Name…of the Registrant or a component of the Personal Name of the Registrant”40. However, this has been violated on a massive scale as documented by Ryan Single in “Dot-Name Becomes Cybercrime Haven”41. In the example below we see one domain “cialis.name” which is an illicit pharmacy and a trademark violation.

cialis.name

Since the WHOIS does not provide direct contact information for the registrant, we sent the complaint to the Registrar, Spot Domain LLC dba Domainsite.com at the address [email protected] and the email was rejected because “cialis.name” is apparently blacklisted which makes communication with a Registrar about their domains difficult. We finally reached a contact at Spot/Name who told us to contact the “web host provider” to deal with this. This kind of Registrar obfuscation and misdirection is unacceptable. 38 http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsId=19349 39 http://www.icann.org/en/tlds/agreements/name/appendix-05-15aug07.htm 40 http://www.icann.org/en/tlds/agreements/name/appendix-11-15aug07.htm 41 http://www.wired.com/politics/security/news/2007/09/dot_name


However, in this section we are focused on the doubly serious issue of .NAME domains as NameServers to illicit pharmacy domains. The problem here is that .NAME is intended to be personal, but here it has become commercial, and illicitly so. Example, illicit pharmacy site meds-freerx.com is served from KABINETT.NAME.

The .NAME agreement requires that “Standard Whois queries… provide more information, including: registrar ID”42 through http://whois.nic.name (hosted by Verisign). Use of this interface is not simple. A search of KABINETT.NAME as a domain will result in “NOT FOUND”. The user must know that this is also a NameServer and enter the full path of the NameServer as “NS1.KABINETT.NAME”.

Name Server ID: 1231079HOST-NAME Name Server Name: NS1.KABINETT.NAME Name Server Registrar ID: 59REGISTRAR-NAME Name Server Registrar: Network Solutions, LLC Name Server Status: ok IP Address Associated: 202.247.115.1 Created On: 2006-07-21T02:57:19Z Updated On: 2006-07-21T02:57:19Z

mendrugs.com is served from ns2.dmdns.name, another example:

42 http://www.icann.org/en/tlds/agreements/name/appendix-05-15aug07.htm


Soviet Union (.SU) NameServer Issue There are 5743 gTLD domains being served from 336 .SU NameServers. The complexity of this issue is described in detail in Section III Part J. While the legitimacy of .SU is a separate argument, the question here is whether or not gTLD domains should be served from a ccTLD with an unknown status and a lack of accountability. Illicit pharmacy viagramed.com is served from ns1.exhost.su which lists “Private Person” as the owner in WHOIS.

ns1.goldhosting.su serves a number of name-brand automobile part sites, legitimacy unknown ns1.erotica.su serves a number of MP3 Download Sites primary.su and secondary.su serve a number of fake “facebook”, “Flickr”, “Craigslist”, “Blogger”, “Microsoft”, and “Wikipedia” typo domains.


Sampling of gTLD NameServer WHOIS bad email contacts

[email protected] [email protected] [email protected] AlSoftw@re [email protected] [email protected] hotmail.xom [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] info@edico-si domainmaster@magic-box

In addition to the obviously impossible contact emails above we found 679 NameServer registrations with contact emails at non-existent domains.

The following is an example of an eNom NameServer WHOIS record we found:

Tech Name:--- --- Tech Street1:--- Tech Street2:--- Tech Street3: Tech City:--- Tech State/Province:--- Tech Postal Code:00000 Tech Country:AT Tech Phone:+43.0000000000 Tech Phone Ext.: Tech FAX: Tech FAX Ext.: Tech Email:[email protected]


C. The Next Phase of WHOIS validation On 09 April 2010 KnujOn issued an official response43 to the NORC WHOIS Inaccuracy Study44. Subsequently, KnujOn helped draft part45 of the ALAC response to the study46 which the ALAC board voted to support in a near unanimous poll47. KnujOn has voiced reservations about this study before it even began48. We fundamentally believe that it is possible to validate the entire WHOIS record for the gTLD space, even if the number of domains were to double in the next year. The continued assertion that the "there are too many records" to validate flies in the face of reality. KnujOn has built, and continues to expand, a system capable of processing and detecting illicit sites and rapidly validating the WHOIS record. So there is no confusion, this is not simply an observation but we plan to change the status quo and find all WHOIS inaccuracies for reporting. This system has been in testing for some time and soon will be activated.

43 http://forum.icann.org/lists/whois-accuracy-study/msg00008.html 44 www.norc.org/projects/whois+data+accuracy+study.htm 45 http://www.atlarge.icann.org/correspondence/correspondence-2-11may10-en.htm 46 https://st.icann.org/gnso-liaison/index.cgi?alac_statement_on_recent_whois_reports 47 https://www.bigpulse.com/pollresults?code=A5KYRPm8FdwEz4hQaZZm 48 http://forum.icann.org/lists/whois-accuracy-study/pdfdeWnDwRQ17.pdf


D. Material Falsification of WHOIS Through Privacy/Proxy

In a recent U.S. court decision (U.S. v. Kilbride, No. 07-10528, D.C. No. CR-05-00870 DGC-2 and No. 07-10534, D.C. No. CR-05-00870-DGC-3) use of privacy and proxy WHOIS registrations was declared “material falsification”49, meaning it is process used to deliberately alter, conceal, or impair a record. It is understandable why a lawful private citizen would not want a public WHOIS record, but all the cases discussed here concern domain names that are strictly commercial in nature and exclusively used for illicit transactions. Critics have dismissed the decision claiming it does not make privacy registrations illegal and only affects the 9th circuit in the U.S. However, this case sets a precedent for dealing with obfuscation of records relating to illicit online traffic. Furthermore, eNom, Snapnames(Oversee/Moniker), Godaddy, NameCheap, Dotster, and other major Registrars are all located in the 9th Circuit. secureordercheckout.info is a transaction processing platform, support site, and package tracking interface for the illicit GlavMed network sponsored by GKG.net. The domain also uses the GKG.NET Domain Proxy Service to conceal its actual ownership and location. As an example we asked GKG about this and they did not respond.

As we continue to examine the relationship between illicit domains and abuse of privacy services as it pertains to the law, this issue will gain more attention.

49 http://www.ca9.uscourts.gov/datastore/opinions/2009/10/28/07-10528.pdf


E. Invalid Privacy Services KnujOn actually believes strongly in the privacy of the Internet user. However, we do not believe this privilege should be extended to commercial entities, especially ones clearly involved in illicit traffic. At this point it is not privacy, but obfuscation and anonymity. While the debate rages over private WHOIS registrations there is an issue within this issue, the one of invalid privacy services. Not all proxy/privacy services are made equal. While some a responsive, legitimate companies, others are phantoms that exist to conceal. WhoisGuard (NameCheap) Registrar NameCheap’s privacy service is called WhoisGuard, and its use may violate ICANN policy. The WHOIS contact information for WhoisGuard is as follows.

The address used for WhoisGuard is actually a UPS store.

In order to open a UPS box and accept regular mail to the box, an applicant must complete United State Postal Service form 158350 which indicates that if the applicant is a corporation or firm it must be affirmed and the business registration information be provided.

50 http://www.usps.com/forms/_pdf/ps1583.pdf


We have been unable to find business registrations for “WhoisGuard” in California or Delaware (where NameCheap is registered). Without any other information available we must assume that “WhoisGuard” is not a real entity. This situation posses policy and legal problems for NameCheap. The policy problem, with ICANN, is that since WHOIS records require either a person or legal entity to register a domain, all of the “WhoisGuard” registered domains have invalid WHOIS records unless NameCheap can produce a business title registration that existed previous to any domain registration. The potential legal problem is that NameCheap may have committed mail fraud or submitted false information on the application. There are around 6000 gTLD NameServers that use WhoisGuard. NameCheap is also offering privacy protection to .US domains (illicit pharmacy domains), which is a violation of .US policy. americandrugstore.us

Administrative Contact Organization: NameCheap.com Administrative Contact Address1: 8939 S. Sepulveda Blvd. #110 - 732 Administrative Contact City: Westchester Administrative Contact State/Province: CA Administrative Contact Postal Code: 90045 Administrative Contact Country: United States Administrative Contact Country Code: US


INTERNET.BS CORP. “Private Whois Service” This service offered by Registrar Internet.BS Corp clear indicates that the mailing address is invalid. The registrant cannot instruct an Internet user to not send letters, the mailing address must be valid as a condition of registration.

Private Whois Service *******PLEASE DO NOT SEND LETTERS****** ****Contact the owner by email only****

From Bad WHOIS to Bad Privacy KnujOn has been following a trend after reporting inaccurate WHOIS for illicit domains. Instead of the domain being deleted by the Registrar or the record corrected, the registrant immediately makes use of a privacy service and often an invalid privacy service. To illustrate we have provided the following example. Previously, the illicit pharmacy domain pillsforall.com had this completely bogus WHOIS data:

pillsforall.com Registrant: Auscron Corp [email protected] non have non have NONE non have CY non have Domain Name: pillsforall.com Administrative Technical Billing Contact: Auscron Corp [email protected] non have non have NONE non have CY non have

Apparently, after a complaint they changed Registrars and concealed their WHOIS with “Katz Global Privacy”

Administrative Contact: Katz Global Domain Name Trust Privacy Protected Domain Name Domain Proxy Center ([email protected]) 32 Maxwell Road #03-07 c/o SG, SG, sg 069115 P: +65.67228356 F: +0.0


We attempted to cal the number in the WHOIS and it is not a real working phone number. According to the Katz website, this is the phone number used for all of their private WHOIS, an Singapore number while Katz is located in the United States. Katz sells domain names on their site, but they are not an accredited Registrar so we asked them who they are reselling for. Under the RAA 3.12.3 “Reseller shall identify the sponsoring registrar upon inquiry from the customer”51 However, they did not respond. We filed a complaint against this domain.

51 http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm


Section III: Illicit Activity in gTLD Space

The Internet is sometimes said to be the “Wild West” a place without any rules. The sentiment is understandable, but incorrect: the Internet does have rules. These rules are supposed to ensure the growth of the Internet in a way that fosters legitimate personal and commercial activity, but prevents an out-of-control explosion of fraud and crime. The Internet rule is straightforward. Domain Name Registrars are required by ICANN to prohibit domain owners from using their domains for unlawful purposes. Without exception, this rule is also reflected in each Registrar’s Terms and Conditions, thus formalizing and protecting the company’s contractual right to suspend domain names for unlawful activity. Once a Registrar becomes aware that a website is engaged in criminal activity, the company has the legal authority and technical ability to suspend the domain name, rendering the illegal and fraudulent content inaccessible. This self-policing is meant to balance freedom of speech with safety and legitimacy as the Internet continues to evolve. But all too often, Registrars simply turn a blind eye to criminal activity. -John Horton, President LegitScript.com

Some Registrars are aware of this issue and have taken proactive steps to handle it. Godaddy, Directi and DomainContext have adopted policies concerning illegal pharmacy domains. By adding a few lines to their customer agreements Godaddy has effectively changed the world of the illicit pharmacy domainer as they will immediately suspend any doman that: “Violates the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 or similar legislation, or promotes, encourages or engages in the sale or distribution of prescription medication without a valid prescription” and “Infringes on the intellectual property rights of another User or any other person or entity.”52 The policy covers the two major points of this problem: pharmacy regulation compliance and trademarks. Without access to transaction platforms that allow the sale of trademarked drugs they cannot run their illicit business. This policy has been effective to the point that Internet drug-dealers are complaining about the loss of business.53 We encourage all Registrars and ISPs to adopt a similar policy as it follows the law, avoids UDRP issues, and gives the Registrar immunity.

52 http://www.godaddy.com/Legal-Agreements.aspx 53 http://www.1-script.com/forums/Godaddy-they-change-their-policy-and-take-your-domains-wit-article55902--1.htm


A. Illicit NameServers There are thousands of NameServer domains that are also illicit pharmacy sites (or illicit pharmacy sites that are also NameServers). The reason for this is clear, control. A domain cannot be dropped if the owner also runs the hosting. At this point the Registrar is the only party who can remove the domain. Continuity is critical to running an illicit service. The following list shows counts of gTLD NameServer domains are also illicit Rx sites by Registrar (top 20).

Enom 587 (e.g. buy-oxycodone-cheap.info)Godaddy* 460 (e.g. rxn247.com) Directi* 204 (e.g. bestpharmacy-us.net) Oversee 135 (e.g. buyfluoxetineonline.com) Uk2group 63 (e.g. 2pills.com) Spotdomains 61 (e.g. 33-drugs.com) Tucowsinc 53 (e.g. rx-options.com) Bizcncominc 53 (e.g. muscle-relaxers-drugs.com)Networksolutions 52 (e.g. the-best-pharmacy.net) Dynadot 50 (e.g. buy--viagra.net) Beijinginnovativelink 48 (e.g. yesrxrefill.com) Joker 44 (e.g. buycheapviagra.net) Webcommerce 38 (e.g. canadianonlined.com) Directnic 32 (e.g. discountdrugs24.com) Internetserviceregistrari 31 (e.g. buywithoutrx.com) Internetbscorp 30 (e.g. buygenericviagra.net) Registercominc 24 (e.g. orderqualitypills.com) Dotster 21 (e.g. medicationsbuyworld.com) Realtimeregbv 19 (e.g. 11pharm.com) Regtime 15 (e.g. cvs-pharmacy.biz) *Godaddy and Directi have been cooperative with these investigations and have adopted policies concerning illicit drug domains.


Problem Examples orderviagra.us – While this is not a gTLD domain, it is serving as a gTLD NameServer and thus presents a number of problems. The domain itself is an illicit pharmacy.

.US domains must be registered by a U.S. citizen or someone with a firm connection in the U.S., a “nexus.” Orderviagra.us is cheating this rule. The domain is registered to “Soft-com.biz Inc” which is a non-existent New York business. The address of “244 Fifth Ave New York, NY.” Is a mailbox rental company (nymail.com) and the phone number is actually a number in England. The domain links to DRUGMEDONLINE[DOT]COM which is part of the “Rx-Partners” criminal network and is apparently run our of the Ukraine. Orderviagra.us serves buyfinasteride.com, buyonlineviagra.com, and cheapzoloft.com. All rogue pharmacies. This information was forwarded to Neustar, the sponsor of .US.


Count of recently detected and active illicit Rx domains in the gTLD sorted by NameServer (top 20) listed by NameServer owner domaincontrol.com 9094dsredirection.com 1232worldnic.com 8121and1.com 804fabulous.com 696hostgator.com 462yahoo.com 434domainservice.com 408dreamhost.com 400above.com 37633drugs.com* 349websitewelcome.com 328smartname.com 320trafficz.com 318hitfarm.com 317fastpark.net 310name.com 302hostingnet.com 300mydomain.com 296dnszeta.com 294

Nameservers exclusively serving illicit pharmacy domains *33drugs.com can be seen above a major NameServer for illicit drug domains. However, unlike the rest of the NameServers on the list “33Drugs” is not a Registrar or Internet Service Provider with other types of domains served from it.

33Drugs is a “boutique” NameServer that exists specifically to provide services to drug traffickers. The 33Drugs network is made up of websites that do not require a prescription for prescription drugs and the drugs may be counterfeit or adulterated. 33Drugs.com is sponsored by JOKER.COM, but the domains served from 33Drugs.com are largely at DynaDot. DynaDot in most cases has some kind of obfuscated WHOIS for the 33Drugs sites, most either not listing a name or entity, in some cases the DynaDot-server record obfuscates the NameServers. Complaints have been filed where appropriate.


B. Trademark and Illicit Product Traffic Issues On March 19, 2010 telecom company Verizon filed a cybersquatting suit against Registrar DirectNIC, AKA Media Group/Intercosmos/DomainContender54. As with other cases documented here, it is alleged that the Registrar acquired trademark infringing names through a variety of shell companies and false identities. What is different is that they did not use the ICANN UDRP and did not pursue the registrant. This is likely the future of domain name litigation, as we explained in Section I Part G., since the UDRP is fairly fruitless for the mark-holder. As more businesses realize this, the ICANN UDRP will be completely bypassed. Cybersquatting and online traffic in counterfeited products are increasing at a rate that current ICANN compliance and UDRP are unable handle. It is simply to easy to register, abuse and abandon a trademark-violating domain name with impunity. The scale of potential illicit profits in comparison to the risk of capture make this trade too tempting for the modern criminal. The fact that there are nearly no consequences for Registrars who sponsor and profit from the activity opens the door to silent criminal partners. The Viagra Project Unfortunately for drug-maker Pfizer, the name Viagra has become synonymous with spam. The erectile dysfunction (“ED”) drug and its rival, Cialis are the most stolen and illicitly trafficked drugs on the Internet. For several months KnujOn tracked registrations of domain names with “viagra” in the name. Most of the registrations were through eNom.

We attempted the same search through Moniker (Oversee), a Registrar also with a number of “viagra” registrations and discovered even more curious results. Not only were “viagra” domain names returned but also a list of “cialis” names. Cialis is a competitor product of Viagra. This

54 http://domainnamenews.com/pdfs/verizonVdirectnic.pdf

Beyond the conditions already described here, of eNom seeming generally friendly to sponsoring illicit pharmacy domains, we attempted to understand what may encourage use of eNom’s services by criminal parties. In looking at eNom’s registration page they offer a suggestion tool. Entering “viagra” in the interface will produce a list of recommended domains with links to register immediately. Many Registrars offer this kind of service, but the eNom version has some additional features that may be beneficial to illicit pharmacy traffickers. In addition to supplying a list of varying “viagra” names, the eNom tool also suggested “vasomaxwithoutrx.com.” Vasomax is an alleged Viagra alternative. This tells us that the eNom tool has built-in intelligence that does more than create URLs with the customer’s chosen word, it understands the theme or type of product the customer wants. If eNom can build this in they can block trademarks as well.


http://domainnamenews.com/pdfs/verizonVdirectnic.pdf

suggests that Moniker is well aware of what a “viagra” domain customer is looking for and is comfortable selling known trademarks in bulk.

In general, Registrars can blame registrants for buying trademark infringing domain names but not when using this type of interface. A trademark holder suing a Registrar would be wise to demand statistics of registrations made from these interfaces during discovery. At this point the Registrar has become an accessory to cybersquatting. In reviewing these cases one must wonder how much Registrar income is derived illicit online pharmacy domains. This is a question that begs for investigation, and considering the size and seriousness should be an ICANN-funded study. Until the question is answered and the problem addressed, the basic integrity of the Internet is in question.


C. The Spam/Pharma/Domain Abuse/Rogue Registrar Connection

“Ever since I was asked to contribute to the KnujOn Security Report, I've stared at my spam folder in despair. It seems so obvious to someone who has been in the fight against online abuse for as many years as I have where the problem lies. Back in the day, as anachronistically as it sounds, we blocked individual addresses that sent spam. Naturally enough, because it was difficult for the average bear to get a new address. Then that became easier. So, we began to block entire domains, because domains were difficult to acquire, and expensive. That changed. Now, a domain can be had for pennies. In this day and age, it isn't a strained analogy, to my eyes, to see a doomsday clock ticking, signaling the potential collapse of something that is beyond a mere network - the Internet has become a place where we live, love, laugh, cry, mourn, do business, work, study, and are entertained. That is what the bad guys threaten to rent asunder. One aspect of their vile activities is one we have all seen: the sale of pharmaceuticals. One would think that the Internet would actually be an ideal place where legitimate doctors could safely and securely issue a prescription to a legitimate pharmacy of one’s choosing and the patient would get the medicines they need at a discounted price, delivered quickly safely and cheaply. The reality is anything but this Valhalla. Rogue doctors are bribed into writing prescriptions for patients they have never examined, on behalf of front companies who have tens of thousands of throw-away domains hosted on equally transient name-servers. These companies, many claiming to be from my home and native land of Canada, often actually reside in Eastern Europe, may or may not send the medicines, which may or may not be what they claim to be. Some drugs seized by law enforcement have been nothing but inert substances, others, the correct drug but the wrong dosage. Now, many of you may be grinning, because many of the spammed ads are for puerile things like erectile dysfunction drugs. However, the criminals do not merely offer Cialis. They also sell pain killers, cholesterol medication, and yes, even insulin. Imagine the dire consequences of adulteration of these latter medicines. The criminal gangs operating almost without constraint have effectively taken a wonderful online opportunity and killed it off for patients. They have wiped out consumer confidence in the entire industry sector. As with all other thing they get their hands on, they have effectively poisoned the village well. Thanks, guys, for moving us a minute closer to midnight...” -Neil Schwartzman, Senior Director Security Strategy, Return Path

Spam is about who benefits from it, not who sent it. Spam is the crowbar, not the burglary. The ecology and etiology of Spam reveals a paradox for the spammer. The spammer, at the same time, wants maximum exposure, wants his transaction platform to be stable, and also wants to remain anonymous and untraceable. In order to accomplish this feat they have presented us with a Gordian Knot of misdirection and obfuscation that can ultimately only be stopped by the Registrar. In previous years Registrars wouldn’t budge to remove a spammed domain, but because of public pressure they have adopted policy to address this problem. It is ironically now easier to get a Registrar to remove a spammed domain than a domain selling controlled substances. Sites used in a spam campaign are often terminated and or blacklisted in a matter of hours; narrowing the window an illicit network can attract a new customer. The spammers have responded to this by creating a layered system of advertising, shop, and transaction that persists beyond the spam campaign and gives collaborating Registrars plausible deniability. The illicit drug traffickers use an array of domains and websites at different providers to intentionally confound investigation and accountability. The graphic below shows the top-level, often malware-driven, advertising campaigns. The domains used in spam and hijacks are merely link or redirect to another layer of “throwaway” sites at different providers which in-turn lead to comprehensive shopping sites where specific products can be selected. These domains are much more resilient because they “have not been spammed.” The Registrar who sponsors them has no cause to remove them for spam and will direct the complainant to the other Registrar or ISP responsible for the spammed sites.


Even further behind and more invisible are the transaction domains or “anchor” sites where information and money are exchanged. Propping up the transaction domain is a complex structure of support domains that would be indistinguishable from that of a legitimate online business: NameServers, template and content servers, affiliate click-through payment processing, customer service, and anything else required for a virtual company. There are in fact illicit Internet provider organizations that do not sell drugs but merely target services to people who do. Many of these illicit ISPs are more organized and professional than legitimate online businesses.


Case Study: eNom and GlavMed GlavMed is an: “affiliate program which sponsors spammers to promote what are generally known to be illegal pharmacy websites. It appears to be a cover for the real sponsor organization behind all of these sites: Spamit.”55 This is one of the groups behind so-called “Canadian Pharmacies” which are not Canadian in any way. The networks are controlled from Russia and the drugs come from Turkey and Thailand. 56 GlavMed is one of the largest illegal Internet drug trafficking networks in the world and their back-end is propped up by eNom.

Here, we follow a Spam back to eNom. The initially spammed site in this case is BEIJING INNOVATIVE-sponsored rocamwun.com.

55 http://spamtrackers.eu/wiki/index.php/Glavmed 56 http://www.intellisec.com/blog/2009/10/11/if-fake-anti-virus-software-doesnt-get-you-something-else-will/


Going to rocamwun.com reveals a very plain website with one link to bestpillfinest.com

bestpillfinest.com is a full-service illicit pharmacy sponsored by ChinaSpringBoard (NameRich.cn).

However, the domain where payment occurs is rx-securemerchant.com, which is sponsored by eNom and has been for over a year. The domain is also served from “REGISTRAR-SERVERS.COM” which is one of eNom’s primary NameServers.


In summary, the spammed site can easily be removed, but the backend transaction domain, sponsored by eNom endures throughout multiple spam campaigns.

Is the above example an anomaly? No. We can perform the same routine with a spam for “cookgalore.ru” which leads to “pharmacyonlinerow.com” and again finally to eNom-sponsored rx-securemerchant.com.


The multi-site, multi-provider scheme allows eNom to remain relatively invisible and avoid responsibility for supporting spam-advertised networks of illicit pharmacies.

We have requested an explanation from eNom on this issue but they have not responded. As long as eNom continues to sponsor these back-end sites the ordinary Internet user will continue getting spam that eventually leads back to eNom. eNom is also the favorite service of the “front-line” spam domain. They are consistently the #1 Registrar for spammed domains at URIBL.COM (URI “Blacklist”). In Section III Part B we offer one possible reason for this situation.

(From URIBL.COM) KnujOn has frequently been accused of “picking on” certain Registrars, but data from other sources confirms the accuracy of our Registrar reports.


D. Registrar Support for Criminal Illicit Traffic Networks

“Rampant criminality operates on the Internet because we provide the vehicles for it to exist and flourish. It is self evident any Internet badness requires vehicles such as; routing, transit, payment systems, hosts, ISPs, and the Registrars. All of this is invariably provided not by criminal enterprises but by commercial enterprises, where for some, security or privacy for the consumer is a very low or non-existent priority. We are at a crossroads for the development and growth of a freely available and self-regulating Internet. ICANN in collaboration with the community should pro-actively implement existing requirements. An added priority should be to focus its considerable energies towards such efforts as the WHOIS black hole or the reduction of DNS vulnerabilities. The clear alternative will be individual governments providing security, essentially via censorship, for their consumers in a piecemeal fashion. Commercial enterprises such as the registrars, ISPs, and hosts operate the Internet on behalf of the community and consumers not as a RIGHT but as a PRIVILEGE. Their obligation is to protect consumers from unwarranted intrusions such as spam, scams, and exploitation, and if they DO NOT, then ICANN should remove that privilege in an expedited manner.”

-Jart Armin - Editor HostExploit.com

Here we provide a concrete example of a Registrar sponsoring the entire architecture of an illicit pharmacy network. From the NameServers to drug shopping domains to payment processing, nearly all the domains in the chart below are sponsored by REALTIME REGISTER BV (realtimeregister.com) and part of the “Rx-Partners” illicit drug trafficking network. What is interesting about this case is that this entire structure was previously at DIRECTNIC LTD. At some point recently the backbone of this network was transferred in its entirety to another Registrar.


Only the “command and control” site, RX-PARTNERS.BIZ, is at a different Registrar: ASCIO TECHNOLOGIES INC. (ascio.com). The casual onlooker may believe that illicit domains are singular events that exist like a swarm flies, impossible for Registrar to control or discern, but the complex and large nature of these online networks begs for a better explanation. We assume DirectNIC removed the Rx-Partners backbone because of a complaint, because it violated their polices or its presence just made them nervous. But in transferring the network, as is, to a new provider they may have aided in its preservation. As for Realtime Register B.V., we have asked them about this network and their policies relating to it. We received some promise of investigation and will confirm this later. The Rx-Partners network is run by the imaginary “Jessica Eagloff” at the location 145-157 St John Street 2nd Floor, London. 145-157 St. John Street is a "Brass Plate" company location. There are no real businesses there except Westbury, a company that sells virtual offices and incorporations. The phone number simply rings for a long time and then connects to a standard automated voicemail and no one ever calls back. KnujOn is going to challenge this bogus scheme.


E. BBB Consumer Complaints BRANDON GRAY INTERNET SERVICES INC. (dba "NameJuice.com") – 2 consumer complaints, No Response to either according to BBB. In2net Network Inc. (in2net.com) – F rating from BBB, 5 unanswered consumer complaints, 7 unanswered billing-related complaints, 4 unanswered service-related complaints, and 1 unanswered refund complaint. SiberName.com, Inc. – F rating from BBB, “Company failed to respond to BBB to resolve or address the complaint issues.” Tucows Inc. (tucows.com) – F rating from BBB, Unauthorized credit card charges, Failure to honor a contract or agreement, Sales presentation used dishonest sales practices, 2 Failures to provide promised assistance or support for products or services, 6 Failures to respond to phone calls or written requests for assistance or support, 4 complaints of Improper or inferior service. A Technology Company, Inc. (namesystem.com) – F rating from BBB, “Company cannot be located” (See Section I Part I for more details). C I Host, Inc. (cihost.com) – F rating from BBB, 5 Unanswered consumer complaints. OnlineNIC, Inc. (OnlineNIC.com) – F rating from BBB, “Improper or inferior service”, 1 Invalid or false contract, 5 Failures to respond to phone calls or written requests for assistance or support, 10 failures to respond to BBB to resolve or address the consumer complaint issues. Oversee Domain Management(Moniker/Snapnames) – D rating from BBB, 1 unanswered consumer complaint.


F. Five Registrars Drift to Oligopoly On paper there are over nine hundred Registrars, but the true number is much smaller. Most accreditations are redundancies held by five companies.

eNom (Demand Media): 138 Accreditations Oversee (Moniker/SnapNames): 128 Accreditations NameScout (Momentus): 108 Accreditations Directi (PDR/Answerable): 72 Accreditations DOTSTER: 53 Accreditations

More than half of the active Registrars are really one of these five entities in the form of a shell company, and as seen in Section I Part X, not all are registered companies. This does not engender open and free market competition. We are aware of the accreditations of smaller Registrars being sold to these five mega-Registrars outside of public review. The situation is drifting to a cartel and may violate anti-trust laws as the Clayon Act defines in part anti-trust as “mergers or acquisitions trending substantially to lessen competition.”57

The annual accreditation fee is $4000 US. This means ENom pays $544,000 - over one half million dollars per year to ICANN, for what advantage? Surely no company voluntarily pays excessive fees. Companies only expend funds if they can make it back three or fourfold. In addition to eNom, Oversee (Moniker) would pay ICANN $512,000 per year, NameScout $432,000 US, $288,000, and DotSter $212,000. In total, these five companies are paying ICANN $1,996,000 annually for no obvious reason. These funds are in addition to and separate from the fees associated with purchasing domain names. In essence, these five companies are supplying ICANN with 3% of its budget beyond the money that comes from domain sales. Some argue that these additional accreditations give the Registrars additional power in the domain aftermarket in auctions of expired domains. However, this power would diminish once a Registrar a certain number of accreditations. A serious question here concerns the influence this grants with ICANN among the Registrars. This level of funding may have created an unknown power class within the Internet with inappropriate access and permission.

57 Barron’s Law Dictionary, Steven H. Gifis 1991 P 75


G. Breach Notices ICANN has issued breach notices to the following Registrars in the last 12 months. We applaud ICANN efforts to enforce the rules and publicize the information with a few caveats. First, the lifecycle of these efforts is not available. Unless a termination is issued the outcome of a breach notice is not posted in the compliance area. Second, it is clear from KnujOn’s report that many other Registrars are in breach for a variety of reasons that are more inline with the Internet consumer experience and less about the main causes of breach like failure to escrow or pay fees. The breach notices issued so far concern ICANN’s direct relationship with Registrars in areas only ICANN would be aware of. It would improve consumer trust if breach notices were issued for many of the problems described in this report as they impact the Internet community on a broader scale. Registrar Issue Status Notice Lead Networks Domains Pvt. Ltd. Failure to comply

with UDRP, not supplying WHOIS data

In receivership, but status unclear. See Section III, Part I

http://www.icann.org/correspondence/burnette-to-malik-10jun09.pdf

CodyCorp Failure to escrow and provide WHOIS access

Terminated, status unclear. See Section III, PartI

http://www.icann.org/correspondence/burnette-to-bahlitzanakis-08oct09-en.pdf

Western United Domains, Inc Failure to escrow WHOIS

Terminated but status unclear. See Section III Part I

http://www.icann.org/correspondence/burnette-to-moll-15apr10-en.pdf

Mobiline USA, Inc Failure to escrow Terminated http://www.icann.org/correspondence/burnette-to-tesler-15apr10-en.pdf

DropNation.com, Inc. Failure to escrow Unknown http://www.icann.org/correspondence/burnette-to-strong-15apr10-en.pdf

Alantron BLTD Port 43 Access Unknown. See Section I Part A

http://www.icann.org/correspondence/burnette-to-acir-16apr10-en.pdf

Internet Group do Brasil, SA Port 43 Access Unknown. See Section I Part A

http://www.icann.org/correspondence/burnette-to-malinardi-02apr10-en.pdf


H. Issues of Defunct Registrars Terminated Registrars Still Selling gTLD Domains and/or Claiming Accreditation Hosting365 Inc. (hosting365.ie) was terminated by ICANN January 10, 2010 (http://www.icann.org/correspondence/burnette-to-mccarron-25nov09-en.pdf) but still offers gTLD as “register365.com” which is not an accredited Registrar either. Hu Yi Global Information Resources Holding Company (8hy.hk) was terminated by ICANN June 10, 2009 (http://www.icann.org/correspondence/burnette-to-ho-10jun09.pdf) still claims ICANN accreditation, displays ICANN Registrar icon, and sells gTLDs.

DotSpeedy LLC dba dotspeedy.com (dotspeedy.com) was terminated by ICANN March 29, 2010 (http://www.icann.org/correspondence/burnette-to-alexandrine-12mar10-en.pdf) but still sells gTLD and is soliciting resellers. Mobiline USA, Inc. dba domainbonus.com (domainbonus.com) was terminated by ICANN June 7, 2010 (http://www.icann.org/correspondence/burnette-to-tesler-14may10-en.pdf) but still sells gTLD. AfterGen, Inc. dba JumpingDot (jumpingdot.com) was terminated by ICANN June 10, 2009 (http://www.icann.org/correspondence/burnette-to-bourov-10jun09.pdf) but is still claiming ICANN accreditation. We could not determine if they actually sell gTLDs.


http://www.icann.org/correspondence/burnette-to-ho-10jun09.pdf

http://www.icann.org/correspondence/burnette-to-alexandrine-12mar10-en.pdf

http://www.icann.org/correspondence/burnette-to-tesler-14may10-en.pdf

http://www.icann.org/correspondence/burnette-to-bourov-10jun09.pdf

Naugus Limited LLC (naugus.com) – Issued letter of non-renewal October 9, 2009 (http://www.icann.org/correspondence/burnette-to-goodwin-09oct09-en.pdf). Still claims to be a Registrar under the name “DomainWar.net” which also claims ICANN accreditation, but from the description sounds more like an eNom reseller.

Simply Named Inc. (simplynamed.com) – Issued letter of Non-Renewal on July 30, 2009 (http://www.icann.org/correspondence/burnette-to-pearcy-30jul09-en.pdf) for failure to escrow WHOIS. Simply Named no longer appears in the ICANN/Internic directories but is still selling gTLD domains and goes by the name “BestRegistrar.com” which is not an accredited company either. Simplynamed.com does not claim ICANN accreditation but displays the individual seals for .ORG, .BIZ, and .INFO (see below).

Lead Networks Domains Pvt. Ltd. (leadnetworks.com) was issued a letter of Non-Renewal (http://www.icann.org/correspondence/burnette-to-malik-14jul09-en.pdf) on July 14, 2009 after a series of controversies (Breach notice: http://www.icann.org/correspondence/burnette-to-malik-


http://www.icann.org/correspondence/burnette-to-goodwin-09oct09-en.pdf

http://www.icann.org/correspondence/burnette-to-pearcy-30jul09-en.pdf

http://www.icann.org/correspondence/burnette-to-malik-14jul09-en.pdf


10jun09.pdf, Lead Networks “undermines the efficacy of the UDRP”: http://www.wipo.int/export/sites/www/amc/en/docs/icann090409.pdf). Lead Networks is still listed in the ICANN/Internic directories. What we have not understood is that Lead Networks listed itself previously as being in the United States but all ICANN correspondence was sent to India. The directory now points to this page: http://leadnetworksreceiver.net which indicates the Registrar is in receivership following a lawsuit filed be Verizon. However, the original site (leadnetworks.com) is still active, claiming ICANN accreditation and selling gTLDs. It is unclear if this site is being operated by the court-appointed receiver.

Western United Domains, Inc. (wudomains.com) was terminated by ICANN June 7, 2010 (http://www.icann.org/correspondence/burnette-to-moll-14may10-en.pdf). Status is unknown since site only ever displayed a log-in interface. Broadspire Inc. (broadspire.com) has not been listed in the directory for some time and while there is no termination document there is a note on an ICANN page that Broadspire is “NO LONGER ACCREDITED”58. However, this company still sells gTLD and claims ICANN accreditation.

58 www.iana.org/assignments/registrar-ids/



http://leadnetworksreceiver.net/

Defunct Registrars with unclear status VentureDomains, Inc. (upc360.com) sells gTLD, status and accreditation are unclear. WEB INTERNET LLC/Web Site Source, Inc. – Status unclear DomainCannon.com LLC, Termination sent January 26 2010 (http://www.icann.org/correspondence/burnette-to-daste-26jan10-en.pdf). Status unclear, site directs to Hover.com (Tucows). OOO Russian Registrar (ruregistrar.com) November 25 2009 ICANN Sends Notice of Termination (http://www.icann.org/correspondence/burnette-to-petrov-25nov09-en.pdf). Site appears re-registered to different party, no Registrations. CodyCorp.com Inc. (codycorp.com) terminated by ICANN January 25, 2010 (http://www.icann.org/correspondence/burnette-to-bahlitzanakis-24dec09.htm.pdf). Site has strange content requesting "Please turn cookies on to continue" and that the user drop certain security and privacy settings. BP HOLDINGS GROUP INC. (is.com) issued non-renewal letter October 9, 2009 (http://www.icann.org/correspondence/burnette-to-bahlitzanakis-09oct09-en.pdf) but site is active, requires password log-in. Terminated Registrars with inoperable websites redregister.com maximinternet.com Sundance Group, Inc. (sundancegrp.com) Clertech.com Inc. (clertech.com) Desto! Inc. (desto.com) DROPLIMITED.COM DNGLOBE LLC (dnglobe.com) R.B. Data Net LTD (datanet2004.com) DOMAIN JINGLES INC. (powerwindows.com) South American Domains (namefrog.com) Defunct Registrars that are clearly defunct Tahoe Domains, Inc. (tahoedomains.com) issued non-renewal letter July 30 2009 (http://www.icann.org/correspondence/burnette-to-ball-30jul09-en.pdf) and directs customers to Answerable. Mouzz Interactive, Inc. issued non-renewal letter October 9, 2009(http://www.icann.org/correspondence/burnette-to-faziani-09oct09-en.pdf). Directs visitors to http://www.sibername.co.uk for registering new domains


http://www.icann.org/correspondence/burnette-to-daste-26jan10-en.pdf

http://www.icann.org/correspondence/burnette-to-petrov-25nov09-en.pdf

http://www.icann.org/correspondence/burnette-to-bahlitzanakis-24dec09.htm.pdf

http://www.icann.org/correspondence/burnette-to-bahlitzanakis-09oct09-en.pdf

http://www.icann.org/correspondence/burnette-to-ball-30jul09-en.pdf

http://www.icann.org/correspondence/burnette-to-faziani-09oct09-en.pdf

http://www.sibername.co.uk/

Registrars No Longer Listed in ICANN/InterNIC Directory – Status Unclear ! $ ! Bid It Win It, Inc. DOMAINPROCESSOR.COM REGISTER FOX INC.

!!! BB Bulk, Inc. dba My Name Now DOTFORCE CORP. D/B/A DOTF Rerun Domains, Inc.

# 1 DotMobi Registrar DOUBLE NETWORK INC. RJG Ventures, LLC

#1 Accredited Registrar DSTR ACQUISITION II LLC DB Slaphappy Domains, Inc.

1 DOMAIN NAMES INTERNATIO DSTR ACQUISITION VII LLC SmartyHost Pty Ltd.

1 HOST AMERICA INC. DSTR ACQUISITION. I LLC DB Snowflake Domains, Inc.

1 HOST RUSSIA INC Emily Names Domains, Inc. SOLID HUB INC.

12 REGISTER BV ENAME INC STARGATE HOLDINGS CORP.

8068 Registrar, Inc. ESOFTWIZ INC. SUGGEST NAMES INC

89AM Web Services, Inc. FarStar Domains, Inc. THE NAME IT CORPORATION

89Dian Registrar, Inc. FIRST INSTANT INC. TITANIC HOSTING INC.

A Mountain Domains, Inc. Flatme Networks, Inc. TOTALREGISTRATIONS

A Rite Tern, LLC FORTUNE INTERNET INC. TRANSPAC

A. W. B. Trading, Inc. FOX EDGE INC Triple.com, Inc.

AAAQ.COM INC. GET CHEAPEST DOMAINS INC

ABR PRODUCTS DBA MISK.CO Get SLD, Inc. Uniport Net Services, Inc.

ABSTRACT NAMES INC. GETDOMAINSIWANT.CA INant.ca URBAN VOLCANO INC.

ACTIVE INSIDER INC GO ITALY DOMAINS INC. Valley Apples, Inc.

AFTERNIC INC Gr8T Names, inc. VENUS DOMAINS INC.

ALL WEST COMMUNICATIONS I iCrossing, Inc. VIBRANT NETWORKS INC

AMERICA ONLINE INC. DBA AO INFINITE STORE INC. Walela Brook, Inc.

AO Domains, Incorporated INITIAL ONLINE LIMITED WANT DOMAIN NAMES INC

APEX REGISTRY INC. INNERWISE INC. D/B/A ITSYOU Web.com Holding Company, Inc.

ATCOM TECHNOLOGY LLC Inter China Network Software (Beijing) Co. Website Source, Inc.

BEST REGISTRATION SERVICES Intercosmos Media Group, Inc. WGB Registry, Inc.

Bindrop LLC Lazy Dog Domains, Inc. White Socks Domains, Inc.

BLOG.COM - DIGITAL COMMUN Le Grand Nom, Inc. WIRED WEBSITE INC

Blueweb, Inc. Level 10 Z-Core, Inc.

BRAZIL CONNECTION LTD. DBA Lime Spot, LLC Zipa, L.L.C.

CAPITAL NETWORKS PTY LTD Colorado Names Domains, Inc. MODERN GRID INC. Colossal Names MojoNIC, L.L.C. dba MojoNIC.com

COMMUNIGAL COMMUNICATI NAME TWISTER INC. COTTON WATER INC Names Bond DBMS, Incorporated NAMESBEYOND.COM DBA GO

DESERT DEVIL INC. NAMESDIRECT.COM INC. Deviation, LLC, d/b/a Domoden Naming Web, Inc. DevStart, Inc. NEEN.IT INC. DBA NAMESPRI

Domain Contender, LLC NETBENEFIT PLC AKA NETNA

DOMAIN GUN INC. Nihao Communications, Inc.

DOMAIN MODE INC. Nitin Corporation dba Misk.com

DOMAIN MONARCH INC. NUCLEAR NAMES INC. DOMAIN NAME SALES CORP. Oil Change Domains, Inc. DOMAIN SYSTEMS INC. PAIRNIC DOMAINDISCOVER Pitchback Domains, Inc.


I. Soviet Union ccTLD (.SU) Policy and Status Unclear This is still an issue of debate and arguments can be made for the cultural and historical preservation, but the focus of this report, in terms of .SU, is on accountability of a ccTLD and whether new registrations of .SU should be allowed and permitted for parties who had no connection to the Soviet Union. Currently, there are 336 .SU NameServers serving gTLD domains. In attempting to research this issue we first checked the ICANN directory of ccTLD agreements (http://www.icann.org/en/cctlds/agreements.html). The .SU management agreement is curiously absent from ICANN’s list of ccTLD agreements and is the only active one not listed. The first time we asked ICANN about this discrepancy, we received an anonymous and irrelevant reply:

“ICANN does not accredit registrars for ccTLDs or set registration policy for ccTLDs. For details about ccTLD registration policy, you should contact the designated country code manager.”

However, our question was about the listing of the policy. Every other ccTLD agreement is clearly posted on the ICANN website. Additionally, the answer is not completely accurate since all agreements are issued by ICANN and signed by the ICANN CEO as well as the sovereign representative. We followed up by re-asking the question to ICANN staff who did not respond to the request for clarification. Why ICANN staff is helping obfuscate this issue is an open question. Here is what we do know. According to IANA documents59, .SU is ostensibly sponsored by The Russian Institute for Development of Public Networks (ROSNIIROS). The Soviet Union officially ceased being a sovereign nation December 8, 1991 when it was dissolved and replaced by the Commonwealth of Independent States. This was further affirmed on December 12 when Russia official seceded from the union and denounced the original 1922 treaty that created the Soviet Union. It has been 19 years, but .SU endures. According to some sources .SU is “marked for retirement”60 but has so far evaded closure. Starting in December 2006 there was an open comment period at ICANN concerning the sunsettting61 of .SU. The response was largely from .SU users who did not want it retired.62 The “SU” designation was removed from the ISO standards (ISO 3166-1) and ICANN rules dictate this be the source for ccTLD codes. In 2007 the directors of the Russian information centers(RIPN and FID) sent a letter to ICANN president Paul Twoomey pleading that the .SU community not be disrupted.63 The issue was again discussed briefly last June at ICANN Sydney but not seriously addressed.64

This is complex but not unique. Compare to the policies concerning: .DD for "DDR", Deutsche Demokratische Republik (German Democratic Republic), AKA East Germany, now consolidated politically with Deutschland (Germany) and with their ccTLD .DE. .DD was retired in 1990 .CS for Československo (Czechoslovakia) was retired in 1995 as the country split into the Czech Republic and Slovakia which are now represented by .CZ and .SK.

59 http://www.iana.org/domains/root/db/su.html 60 http://blog.icann.org/2007/09/the-lives-of-country-code-domains/ 61 http://www.icann.org/en/announcements/announcement-2-05dec06.htm 62 forum.icann.org/lists/cctld-sunset-comments/ 63 http://www.icann.org/correspondence/soldatov-to-twomey-24jun07.pdf 64https://st.icann.org/data/workspaces/alac/attachments/sydney_meeting_reports_tuesday:20090710231344-0-11573/original/Transcription%20ALAC%20Policy%20Meeting%2023%20June%202009.pdf


Finally, Yugoslavia's ccTLD, .YU, was retired March 30, 2010 and mostly replaced by .RS for Republika Srbija (Republic of Serbia), but also potentially by one of the other Balkan nations Croatia (.HR), Montenegro (.ME), Slovenia (.SI), Macedonia (.MK), or Bosnia and Herzegovina (.BA). .SU remains an anomaly in a politically and geographically updated Internet. However, our concerns are not political. We are primarily concerned with the accountability of a ccTLD that has no sovereign government and one that is being sold by a U.S.-based Registrar (101domain.com) to people who have no connection to the Soviet Union.

The policy discussion for .SU needs to be brought out of the shadows. It is possible this TLD extension could be preserved as a new gTLD, but to allow it to linger as a phantom ccTLD indefinitely does not engender openness, transparency, and accountability.


J. Moot Issues Data was collected for this report over several months and situations changed during this period. We documented several situations that would otherwise be worthy of reporting had the Registrar involved not been terminated or purchased during the study or the issue was corrected. Cool Ocean, Inc. (coolocean.com) Cool Ocean’s ICANN listed address was until recently 15 West 47th Street New York, NY 10036 which is an odd address. For those unfamiliar this section of Manhattan is called “Diamond Row” and is almost exclusively populated with jewelry stores. It seemed a curious location to us so we attempted to verify Cool Ocean. 15 West 47th is a complex of jewelry stores. We spoke to a building manager who had worked there for years and he had never heard of Cool Ocean Inc. However the address and apparent ownership has since changed and the website does not sell gTLDs. Kontent GmbH (komplex.net) - For a time not listed at ICANN any more, but still offering gTLD domains and displays ICANN seal. Accreditation was just recently renewed. Invalid Corporations Most states in the U.S. prohibit using a public mailbox, “U.S. post office box” in a Business Registration. Because any leasing of a delivery box at UPS, Mailboxes Etc, and other such services require the customer to enter into an agreement with the U.S. Postal Service, those deliver boxes are also considered U.S. Postal Boxes. GMO Internet, Inc. dba Discount-Domain.com and Onamae.com contacted us on June 13, 2010 to disclose that their WHOIS is located at whois.discount-domain.com. Melbourne IT DBS, Inc. (MelbourneITDBS.com) contacted us June 15, 2010 to disclose that their WHOIS is located at whois.melbourneit.com.au


Closing Recommendations First and foremost, a comprehensive audit of all Registrars is called for. Most of these problems concern such basic services of the Registrar that it is quite possible other unseen violations are occurring. In terms of dealing with illicit pharmacy domains a detailed review of the impact this traffic has on the Internet and Registrars is called form.

• ICANN or supporting groups should create a working group to specifically address the issue of illicit online pharmacy

• ICANN or supporting groups should initiate a study to determine how much Registrar income is derived from pharmacy-type domain registrations

• ICANN or supporting groups should survey Registrars to determine how complaints of illicit pharmacy are handled and what the typical outcome is

• ICANN or supporting groups solicit the input of international pharmacy and health organizations to develop policy concerning pharmacy domains

• ICANN should encourage Registrars to voluntarily adopt policy similar to Godaddy’s • ICANN should adopt a Pharmacy disclosure policy on new and renewed registrations, a

check box which reads: “This registration is for a duly licensed pharmacist, pharmaceutical professional, certified medical professional, or related pharmaceutical business in the jurisdiction in which the domain is registered” or “This domain will be used for the lawful dispensing of pharmaceuticals” or language found to be appropriate. The Registrar need not determine that the registrant is a duly licensed pharmacist, , only collect their affirmation that they are or are not. Registrants who affirm they are not licensed pharmacists and are found to be selling pharmaceuticals would receive an immediate domain suspension. If a registrant has affirmed that they are a licensed pharmacist but has refused to provide proof upon request would receive an immediate domain suspension. To resolve disputes that may arise from these terminations, a transparent process should be developed that holds the Registrar blameless for proactive terminations of this kind.

• Adopt the Law Enforcement amendments of the RAA • Katz Global should have its reseller license suspended • ICANN needs to be more open about multi-accreditation Registrars and inter-Registrar

accreditation sales • Reconsider the WHOIS recommendations from Ben Edelman • KnujOn will be performing its own audit of the entire gTLD WHOIS record set. Outside

assistance would be accepted but it is not required. • Registrars should be compelled to resolve any outstanding consumer issues • Registrar Privacy Service-related UDRP failures need careful review


knujon_audit0610

Documents