Domain seized

boker
Looks like one of my domains was used in some kind of cyber attacks or something like that. The domain oreux in king, was a hand reg from a year ago and I wanted to transfer it to another registrar. The transfer failed because the domain was locked. I've double checked with my registrar, and everything showed fine in the control panel, domain unlocked and the nameservers were ns1.undeveloped.com, but when I did a whois check, the domain was transfer prohibited and the nameservers were something like:
SC-C.SINKHOLE.SHADOWSERVER.ORG
Looks like the domain was used in some kind of cyber attack and they have seized around 800.000 domains. Nobody has told me anything about it and I still have access to everything in the control panel, the only issue is that control panel doesn't have control over everything. Couple of months ago everything was fine, so looks like they have changed the nameservers in the last months. So be aware, you could own some of the 800.000 domains seized. I have found a link here about it: https://www.europol.europa.eu/newsr...k-dismantled-in-international-cyber-operation
I will wait and see if I can do something about this transfer to epik.
 
Thanks for letting us know. So I see that the alleged use was well prior to your hand registration. It seems to me that a hand registration should not have been allowed and your money should be returned. I am concerned that it can be done without the owner being informed - so I take it you would be allowed to build a website on it, just can't transfer it?
 
Thanks for letting us know. So I see that the alleged use was well prior to your hand registration. It seems to me that a hand registration should not have been allowed and your money should be returned. I am concerned that it can be done without the owner being informed - so I take it you would be allowed to build a website on it, just can't transfer it?
No, they have changed the nameservers as well, even though in the control panel it shows undeveloped nameservers. As far as I know until a few months ago the domain was resolving fine, to undeveloped, so it's something recent.
 
Discussing this case with @boker.

The domain was a hand-registration in 2018. The ShadowServer sting operation referenced here was in December 2016. Apparently long after that they were able to update the registrant's DNS without notification for a domain that was no longer owned by the same organization as was the apparent registrant in 2016.

The domain is locked against his will at the current registrar, Registrar.IT, where he holds 30 domains. This domain had its DNS changed without notification to the registrant. It appears as follows now:

Domain Name: OREUX.COM
Registry Domain ID: 2211579716_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.register.it
Registrar URL: http://we.register.it
Updated Date: 2018-07-28T00:00:00Z
Creation Date: 2018-01-11T00:00:00Z
Registrar Registration Expiration Date: 2019-01-11T00:00:00Z
Registrar: REGISTER.IT S.P.A.
Registrar IANA ID: 168
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +39.5520021555
Reseller:
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited

Name Server: SC-D.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-A.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-B.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-C.SINKHOLE.SHADOWSERVER.ORG

For those unaware, ShadowServer is the group that is aligned with and funds Registrar of Last Resort, who Epik has called out for running the "Gitmo" of domains. More here:

https://twitter.com/EpikDotCom/status/1073638817373061120

It seems pretty clear that we have a case where a registrant was not given due process before their DNS was disabled and the domain was quarantined at the existing registrar -- the registrant cannot move or use the domain presently.

Finally, since we are talking about 800,000 domains included in the December 2016 sting operation, it is entirely possible that this was some clerical error that re-seized a domain from that list. Nevertheless, the registrant is still owed disclosure and due process and therein lies a major problem.
 
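The symptom described above is a discrepancy between two views of the same domain: the registrar control panel shows the owner's nameservers and no locks, while the registry WHOIS record carries server*Prohibited statuses and sinkhole nameservers. The following is an added example (not code from the thread, the registrar or ShadowServer) of a portfolio check that parses a WHOIS record in the format quoted above and flags exactly that mismatch; the WHOIS text is the record quoted in this post, and the expected nameserver is the one the first post saw in the control panel.

```python
from dataclasses import dataclass, field

# WHOIS record as quoted in this thread (registry data for OREUX.COM),
# trimmed to the fields the check uses.
WHOIS_TEXT = """\
Domain Name: OREUX.COM
Registrar: REGISTER.IT S.P.A.
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: SC-D.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-A.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-B.SINKHOLE.SHADOWSERVER.ORG
Name Server: SC-C.SINKHOLE.SHADOWSERVER.ORG
"""

# What the registrar control panel showed the owner (from the first post).
PANEL_NAMESERVERS = {"ns1.undeveloped.com"}

# Registry-set EPP locks. The registrar's panel cannot clear these, which is
# why "everything looks fine" at the registrar while transfers still fail.
REGISTRY_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                  "serverDeleteProhibited"}

# Sinkhole operator seen in this thread; extend with others you monitor for.
SINKHOLE_SUFFIXES = (".sinkhole.shadowserver.org",)


@dataclass
class WhoisSnapshot:
    domain: str = ""
    statuses: set = field(default_factory=set)
    nameservers: set = field(default_factory=set)


def parse_whois(text: str) -> WhoisSnapshot:
    """Pull domain, EPP status codes and nameservers out of key: value lines."""
    snap = WhoisSnapshot()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            snap.domain = value.lower()
        elif key == "domain status":
            # Value is "<code> <url>"; keep only the EPP status code.
            snap.statuses.add(value.split()[0])
        elif key == "name server" and value:
            snap.nameservers.add(value.lower().rstrip("."))
    return snap


def audit(snap: WhoisSnapshot, panel_ns: set) -> list:
    """Return findings; an empty list means the registry agrees with the panel."""
    findings = []
    locks = sorted(snap.statuses & REGISTRY_LOCKS)
    if locks:
        findings.append(f"registry-level locks present: {', '.join(locks)}")
    sinkholed = sorted(ns for ns in snap.nameservers
                       if ns.endswith(SINKHOLE_SUFFIXES))
    if sinkholed:
        findings.append(f"nameservers point at a sinkhole: {', '.join(sinkholed)}")
    if snap.nameservers != {ns.lower() for ns in panel_ns}:
        findings.append("registry nameservers differ from registrar control panel")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_whois(WHOIS_TEXT), PANEL_NAMESERVERS):
        print("WARNING:", finding)
```

Run against live WHOIS output for each domain in a portfolio, this catches a registry-side change months before a failed transfer would.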
The main thing is it's not about the domain name, because it was a hand reg, so I will not lose big, but what about the ones who paid big money for a domain which was seized? 800k domains to seize is a big number and it could affect the new owners who don't have anything to do with it. @Rob Monster from epik will check it out, so if something can be done, for sure he will be able to do it.
 
The main thing is it's not about the domain name, because it was a hand reg, so I will not lose big, but what about the ones who paid big money for a domain which was seized? 800k domains to seize is a big number and it could affect the new owners who don't have anything to do with it. @Rob Monster from epik will check it out, so if something can be done, for sure he will be able to do it.

The issue is a "Due Process" issue. Anyone here that is on the ICANN Registrar Stakeholder Group knows that I have taken a strong stance on this issue. If domains are subject to wild west justice, they can never be viable investment assets because their value can be arbitrarily impaired. That is one of the main reasons that I have been dogmatic about due process. Gab.com was much higher profile but it was the same issue -- unlawful impairment of a domain name without due process. This case here is for a parked domain but it actually is more egregious because the registrant was apparently not notified of the impairment action. I have written to the Registrar Stakeholder Group now to see if someone familiar with Registrar.IT or ShadowServer can explain what happened and expedite a resolution.
 
The issue is a "Due Process" issue. Anyone here that is on the ICANN Registrar Stakeholder Group knows that I have taken a strong stance on this issue. If domains are subject to wild west justice, they can never be viable investment assets because their value can be arbitrarily impaired. That is one of the main reasons that I have been dogmatic about due process. Gab.com was much higher profile but it was the same issue -- unlawful impairment of a domain name without due process. This case here is for a parked domain but it actually is more egregious because the registrant was apparently not notified of the impairment action. I have written to the Registrar Stakeholder Group now to see if someone familiar with Registrar.IT or ShadowServer can explain what happened and expedite a resolution.
I don't think that register.it knows anything about it, because at registrar level everything shows fine, my contact info, I have access to dns settings, auth code and everything else, so it looks like a perfectly viable domain, but when you want to use it, then you notice that something is fishy. I will have to wait for a response from register.it, but sometimes it takes days for them to respond, so you can't count on them.
 
I don't think that register.it knows anything about it, because at registrar level everything shows fine, my contact info, I have access to dns settings, auth code and everything else, so it looks like a perfectly viable domain, but when you want to use it, then you notice that something is fishy. I will have to wait for a response from register.it, but sometimes it takes days for them to respond, so you can't count on them.

That would be even more concerning - a .com that was centrally updated without notifying the registrar. I have not heard of such a thing so I would be very surprised to discover it here. There is a "Trusted Notifier" program being adopted by some registries. That said, stealth updates of domains would be something new as far as I know. Let's see what comes back from the ICANN Registrar Stakeholder Group or Registrar.It.
 
I wonder how many of HugeDomains' domains were seized.
 
I wonder how many of HugeDomains' domains were seized.
I wonder more how valuable the seized domains were. Mine was a 5l.com but I can bet there were more valuable domains seized out of the 800k. Looks like it's very easy to seize a domain, without even notifying the owner, so that he can defend himself.
 
Update here.

I reached out to ShadowServer to see if their blacklisting can be removed:

https://www.shadowserver.org/wiki/pmwiki.php/Contact/ContactUs

It appears that they maintain the closest thing to a centralized list of blacklisted domains based on these types of Interpol actions.

Thanks Rob. In the section on how they operate they say the following that does not seem to be congruent with what was done here in taking control without even notification.

How do we operate?
Carefully. Working with friendly registrars we have been registering previously and future malicious domain names and pointing those records to our sinkhole servers. This means that if there are any infections still attempting to access previously malicious domain names, we can track and report those out. In the case of future malicious domain names, we are helping take a preventive measure by tracking upcoming infections such as Srizbi and Conficker/Downadup.
 
Thanks Rob. In the section on how they operate they say the following that does not seem to be congruent with what was done here in taking control without even notification.

How do we operate?
Carefully. Working with friendly registrars we have been registering previously and future malicious domain names and pointing those records to our sinkhole servers. This means that if there are any infections still attempting to access previously malicious domain names, we can track and report those out. In the case of future malicious domain names, we are helping take a preventive measure by tracking upcoming infections such as Srizbi and Conficker/Downadup.
"Future malicious names"....That sounds very troubling.

How can anyone, or any bot, know what a "future malicious name" is?

Are they cross checking databases and going after other domains owned by a portfolio holder?
 
Thanks Rob. In the section on how they operate they say the following that does not seem to be congruent with what was done here in taking control without even notification.

How do we operate?
Carefully. Working with friendly registrars we have been registering previously and future malicious domain names and pointing those records to our sinkhole servers. This means that if there are any infections still attempting to access previously malicious domain names, we can track and report those out. In the case of future malicious domain names, we are helping take a preventive measure by tracking upcoming infections such as Srizbi and Conficker/Downadup.

No reply yet from ShadowServer.

As for the description, it does sound like a page out of Minority Report, i.e. registering and holding tons of domains that could be malicious in the future. This entails a cost. Who pays it?

I get why services like this exist as there are malware distributors and phishers. Where it gets complicated is when these same services become apparatus for arbitrary takedowns and quarantine without due process.

In light of the rise of arbitrary censorship, we are all getting a crash course in the function and mandate of services like ShadowServer and Registrar of Last Resort as their roles seem to be evolving.
 
The lack of due process is severely disturbing... akin to the "no fly" lists out there.
 
Questions for clarification @Rob Monster

Is the registrar notified when there is a quarantine?

If so, is there any responsibility for the registrar to inform the registrant?

Or, are these questions that need to be addressed in the "due process" guidelines which you so rightly advocate?
 
To add further confusion I found this from ShadowServer:


Shadowserver does not create, maintain, or distribute any blacklists. It does not make such lists available for this purpose in any format. What Shadowserver does is to assemble reports and data sets that provide information on any activity detected on an IP that was involved or referenced in a malicious act. Providing this scope of data pertaining to malicious activity means that absolutely innocent IP's could potentially be reported. This is understood, and must be processed accordingly by the consumers of our reports. There are many different reasons why this can occur. Some of the ways we see this are as follows:

- Spam messages referring to a real URL to help show legitimacy of the message
- URL forwarding to a sinkhole location
- Referenced URL in a communication between malicious actors

Of course, there are many ways that people may believe themselves innocent while being infected. The purposes of our reports are to illuminate a possible problem. The consumers of these reports are the ones that need to decide an appropriate action from those reports. Several of our consumers create black or block lists from our data. Any issues pertaining to this blocking activity needs to be addressed directly with them. We do not suggest any specific action except investigation and possible remediation.


So who are the "consumer(s)" that seizes the reported domains? ICANN? Registries?

Source:
https://www.shadowserver.org/wiki/pmwiki.php/Involve/BlacklistsAndBlocking
 
In the name of security, "low level bad domains" can be quarantined. Basically any domain can be identified and quarantined accordingly.

 
Try to stay with me on this.

"[1] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. "

Knowing that, here is a tweet from Shadowserver:

"Shadowserver @Shadowserver Replying
Sinkhole and ASN resolution is separate. Sinkhole is run by MalwareTech who feeds us the data, we then do ASN matching to IP's "

So MalwareTech runs the sinkhole, according to Shadowserver. Right?

So who is MalwareTech?

According to Wikipedia:

"MalwareTech, is a British computer security researcher known for temporarily stopping the WannaCry ransomware attack.[1][2] He is employed by cybersecurity firm Kryptos Logic.[3][4] In August 2017, Hutchins was arrested in Las Vegas (where he was attending the DEF CON conference) after being indicted on six hacking-related federal charges in the U.S. District Court for the Eastern District of Wisconsin. Prosecutors allege that Hutchins assisted in the creation and spread of a piece of banking malware known as Kronos in 2014 and 2015. The charges are not related to WannaCry,[5][6] but included the allegations that he created the Kronos malware in 2014, and sold it in 2015 via the AlphaBay forums.[7][8] Hutchins denied any wrongdoing and pleaded not guilty to the charges against him on August 2017.[9] He is out on bail pending trial and remains in Los Angeles.[10] In early June 2018, the U.S. government added four more charges to his indictment.[11]"

It should also be noted that MalwareTech found a temporary "kill switch" for WannaCry ransomware by sinkholing a domain.

Does anyone else see a problem with all of this?
 
Try to stay with me on this.

"[1] Sinkholing is an action whereby traffic between infected computers and a criminal infrastructure is redirected to servers controlled by law enforcement authorities and/or an IT security company. This may be done by assuming control of the domains used by the criminals or IP addresses. "

Knowing that, here is a tweet from Shadowserver:

"Shadowserver @Shadowserver Replying
Sinkhole and ASN resolution is separate. Sinkhole is run by MalwareTech who feeds us the data, we then do ASN matching to IP's "

So MalwareTech runs the sinkhole, according to Shadowserver. Right?

So who is MalwareTech?

According to Wikipedia:

"MalwareTech, is a British computer security researcher known for temporarily stopping the WannaCry ransomware attack.[1][2] He is employed by cybersecurity firm Kryptos Logic.[3][4] In August 2017, Hutchins was arrested in Las Vegas (where he was attending the DEF CON conference) after being indicted on six hacking-related federal charges in the U.S. District Court for the Eastern District of Wisconsin. Prosecutors allege that Hutchins assisted in the creation and spread of a piece of banking malware known as Kronos in 2014 and 2015. The charges are not related to WannaCry,[5][6] but included the allegations that he created the Kronos malware in 2014, and sold it in 2015 via the AlphaBay forums.[7][8] Hutchins denied any wrongdoing and pleaded not guilty to the charges against him on August 2017.[9] He is out on bail pending trial and remains in Los Angeles.[10] In early June 2018, the U.S. government added four more charges to his indictment.[11]"

It should also be noted that MalwareTech found a temporary "kill switch" for WannaCry ransomware by sinkholing a domain.

Does anyone else see a problem with all of this?
I've just received the court order. It was given on 26 November 2018, almost one year after registration, looks like the registrar found out 4 days later, at that time it was already seized. The order is saying something that they have the authority to seize any domains from the bunch of 800k, from that action two years prior. They have the authority to do whatever they want to. It's not good to give this kind of authority to just a couple of guys. What will happen is if they don't like ngtlds, .info or any other tld related to icann, they could seize everything. This is a court order from a US judge, I can bet it will be ten times more difficult to do that for cctlds in Europe, you can't give a court order like this without giving the owners the right to defend.
 
I've just received the court order. It was given on 26 November 2018, almost one year after registration, looks like the registrar found out 4 days later, at that time it was already seized. The order is saying something that they have the authority to seize any domains from the bunch of 800k, from that action two years prior. They have the authority to do whatever they want to. It's not good to give this kind of authority to just a couple of guys. What will happen is if they don't like ngtlds, .info or any other tld related to icann, they could seize everything. This is a court order from a US judge, I can bet it will be ten times more difficult to do that for cctlds in Europe, you can't give a court order like this without giving the owners the right to defend.

The case is being heavily discussed in the ICANN registrar stakeholder group. Several Chinese registrars have seen this issue and it is common that the registrars cannot delete the sinkholed domains and they keep renewing at the registrar's expense.

As for getting the domain unrestricted, I sent the phone number for the responsible court. You should call them and find out the procedure. Alternatively you can authorize me to do it as your agent and I will try to get in touch there and document the whitelisting procedure.

For anyone not familiar with Registrar of Last Resort, it is time to learn about them because registrars are apparently now going to be asked to register these unusable domains at their expense and then transfer the domains to RoLR. See screen shot of the complaint.

[screenshot of the complaint: upload_2018-12-28_4-46-47.png]


In other words, as of 11/26/18, Sinkholing is the new Gulag. Orwell would be impressed.
 
Just talked to the Western PA District Court Clerk's office. There are no law clerks in their office until next Wednesday. They will call me back. They did acknowledge the civil action as being theirs but had no documented process for getting removed. The individual domain gets reviewed by a clerk in the court, and it happens on their timing. So, will pursue this and see where it nets out.

In parallel, a few folks including James Bladel from Godaddy are thoughtfully engaged in the conversation in the registrar stakeholder group. I have summarized the issue as being these:

1. How registrars and registrants get notified about a takedown action.

2. How registrants appeal to be removed from a takedown action and restored to a working state.

3. Who pays for domains that are subject to takedown while the domain is in a sinkhole.

I am quite sure that this is some nasty unaccountable stuff with large scope for abuse. I also find it troubling that Pittsburgh, PA has become ground zero for global takedowns of domains.

I don't doubt that ShadowServer started in 2004 with benevolent intentions by this guy:

https://www.linkedin.com/in/adimino/

However, now it is a nameless and faceless organization complicit in massive takedown operations through the PA court system without due process. That is very troubling.

If anyone has recent experience with ShadowServer or Registrar of Last Resort, or knows the current management personally, please contact me via Direct Message.
 
Thanks Rob. In the section on how they operate they say the following that does not seem to be congruent with what was done here in taking control without even notification.

How do we operate?
Carefully. Working with friendly registrars we have been registering previously and future malicious domain names and pointing those records to our sinkhole servers. This means that if there are any infections still attempting to access previously malicious domain names, we can track and report those out. In the case of future malicious domain names, we are helping take a preventive measure by tracking upcoming infections such as Srizbi and Conficker/Downadup.

Friendly registrars .... "Co-conspirators". Fixed it for you.
 
If domains are subject to wild west justice, they can never be viable investment assets because their value can be arbitrarily impaired.

To me the term "investment" goes beyond just aftermarket domains with high price tags for domainers or endusers. Investment in a name can also be choosing, branding, printing, development, SEO linking, and use for email. If you build on a reg fee domain name and base your email on it then have it taken away, you are screwed - plus whoever takes it can set up a catchall email and capture all your email and possibly also related accounts.

And your domain could be grabbed after someone else hijacked it and abused it without your knowledge or consent, or it could be grabbed for actions carried out by someone renting the domain or buying it on installments. Or for actions of a previous registrant.
 