The Spamhaus Project

XYZ discusses industry collaboration to ban bad actors

XYZ Registry explains how the lack of visibility into a bad actor's domain causes issues and provides suggestions to overcome this problem.

by The XYZ team, March 10, 2022. 4 minutes reading time.

In part two of our Registries Series, we’re still in discussion with XYZ. Previously in Getting the low-down from XYZ on combating domain abuse, we talked about the what, why, and how of domain abuse. However, when XYZ was chatting about domain suspensions, they mentioned how anonymizing registrant details was an added challenge.

The redaction of domain ownership information, as a result of various privacy legislation, including GDPR, causes Spamhaus significant headaches at times, so we’re interested to hear why it’s an issue for Registries and what they’re proposing to redress the balance between those wanting to abuse the internet and those wanting to protect it. Over to you XYZ…

XYZ: We left off our discussion talking about domain suspensions. However, for most registries, the reality of anti-abuse action on the domain name side is that the isolated action of shutting down a domain isn’t the most effective method of stopping cybercriminal activity. There needs to be collaboration across multiple areas.

Spamhaus: Can you explain why you feel this way?

XYZ: Firstly, it’s important to understand that a domain name is purely an address. An abusive website or file is uploaded to a hosting company, and an abusive domain user is the customer of a registrar. When a registry suspends a domain used as an address to an abusive website or file, an abusive user can simply find another address to use. This is why abuse is not domain extension-specific. The abusive user can connect their malicious files to another domain extension to facilitate the abuse again in a matter of minutes.

Secondly, registries like XYZ have no direct contact with registrants. Their only course of action is to suspend the domain and notify the registrar. This doesn’t stop the bad actor; it just redirects them to other domain extensions. For these reasons, XYZ strongly believes that the registry, registrar, and cybersecurity organizations should work together.

Spamhaus: How do you think these relationships should interact in a perfect world?

XYZ: If all parties act in harmony, we can help break the cycle of abuse and more effectively prevent cybercriminal activity. When the XYZ Registry receives evidence of abuse from cybersecurity experts, we verify and suspend the domain and then notify the relevant registrar of their customer’s suspension. The registrar can prevent the abusive customer from registering further domains. It is the least effective method to start at the registry level since that is not the source of the malicious file or user. Still, the XYZ Registry is very active and successful in doing what we can to slow down bad actors and move them off .xyz.

Spamhaus: What do you think can be done to help this cross-section of the industry work more effectively together?

XYZ: An important aspect of rapid abuse control is being able to identify a group of domains registered by the same bad actor, so all domains under their control can be investigated. One of the most apparent innovations would be greater visibility into this association. At this time, only a registrar can determine what other domains an abusive user has in their account.

At the registry level, we can use the time of registration to associate multiple registrations occurring at the same registrar; however, this is not a silver bullet. With a domain as popular as .xyz, there are many instances of domains registered with the same timestamp by multiple legitimate registrants. To avoid false positives, we can only use this methodology to monitor closely.

An innovation in associating domains, users, and accounts used for abuse while maintaining data privacy, could help organizations better track the movement of bad actors across platforms and services.
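The registry-side association XYZ describes above (same registrar, registrations landing within seconds of each other) as an added example; this is not code from XYZ or Spamhaus. The records, registrar ids and the two-second window are constructed assumptions, and the output is deliberately a watch list rather than a suspension decision, reflecting the false-positive caveat:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample registry-side records (domain, registrar id, creation time); not real data.
REGISTRATIONS = [
    ("abuse-one.xyz",   "R-100", "2022-03-01T10:15:32Z"),
    ("abuse-two.xyz",   "R-100", "2022-03-01T10:15:32Z"),
    ("abuse-three.xyz", "R-100", "2022-03-01T10:15:33Z"),
    ("shop-legit.xyz",  "R-200", "2022-03-01T10:15:32Z"),  # same second, different registrar
    ("blog-legit.xyz",  "R-100", "2022-03-01T12:00:00Z"),  # same registrar, hours later
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def registration_clusters(records, window_seconds=2):
    """Group registrations per registrar into runs whose consecutive creation times
    are at most window_seconds apart. Returns {registrar: [[domain, ...], ...]}.
    The window is an assumed tuning value, not a published threshold."""
    per_registrar = defaultdict(list)
    for domain, registrar, created in records:
        per_registrar[registrar].append((_ts(created), domain))
    window = timedelta(seconds=window_seconds)
    clusters = {}
    for registrar, items in per_registrar.items():
        items.sort()                      # chronological, ties broken by domain name
        runs, current = [], [items[0][1]]
        for (prev_t, _), (t, domain) in zip(items, items[1:]):
            if t - prev_t <= window:
                current.append(domain)    # still inside the same burst
            else:
                runs.append(current)
                current = [domain]
        runs.append(current)
        clusters[registrar] = runs
    return clusters

def pivot(seed, records, window_seconds=2):
    """Given one domain reported as abusive, return the domains co-registered at the same
    registrar in the same burst. Shared timestamps are weak evidence on a popular TLD, so
    the result is tagged for monitoring only and never drives an automatic suspension."""
    for runs in registration_clusters(records, window_seconds).values():
        for run in runs:
            if seed in run:
                return {"seed": seed, "action": "monitor",
                        "domains": sorted(d for d in run if d != seed)}
    return {"seed": seed, "action": "monitor", "domains": []}
```

Domains registered in the same second at a different registrar are not associated, matching the point that the registry can only correlate within one registrar's activity.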

Spamhaus: We strongly support this idea. From our perspective, one of the often-overlooked uses of the data that “Whois” published is “correlation,” not “identification.” Bad actors often use stolen or fake identities. While the actual information from the records won’t always lead to a real-world attribution, it does enable our researchers to make important associations.

Meanwhile, legitimate domain owners suffer due to this data redaction – it is increasingly hard to determine if a newly registered domain belongs to a known entity with a good reputation.

A cross-platform method of information association wouldn’t solve all the issues introduced by ownership redaction. Still, we feel that it would undoubtedly go a long way towards improving the situation for both malicious and legitimate domains. The next question must be, who can make this happen? Perhaps one for ICANN?

Next in our series, XYZ dives into the world of newly registered domains and email.