nic.at bitten by Spamhaus for helping phishers.
Wednesday June 20, 2007 at 12:24 pm CST
Posted by Chris Barton
The .at domain registry nic.at have publicly given a green light to phishers to use their top level domain without the fear of their domain name being revoked. nic.at suggest in their recent news article that their hands are legally tied when it comes to revoking registrations used solely for fraud. I should note, however, that they do not support fraudulent activity.
The Spamhaus listing for nic.at is here and I very much doubt this domain has legitimate uses so I’ll happily validate the data Spamhaus presents: for example besthkd was used in a URL similar to the following:
http://ebanking-se[removed]t/folder-name/client-form/form.aspx
However, we have lots(!) of samples from some days before the one Spamhaus have recorded for this domain, which raises a question: was this a longer than normal attack?
Looking at our data warehouse I can see lots of samples covering some 6-and-a-bit days! That’s one amazingly long campaign when, with professional help, brand owners can execute site take-downs in an average of 6 hours or so. There has been some growth of phishing attacks recently, as I’m sure you’re all aware, but this “we’re frightened about liability” behaviour is very disappointing.
Common sense needs to prevail!
In fact, I’m reminded of the 2 laws of sudo:
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
…and they are in that order for a reason!
I would like to respectfully suggest the following: since your contract is with the owner of the domain, ensure that the contract can be broken in exceptional circumstances. I’m not sure I know of anywhere where fraud is not a crime, so that’s another basis you can act upon.
Spamhaus gives good advice on their listing too:
Nic.at needs to urgently set up communication channels with the
various professional investigators who are investigating phishing:
and of course to review their policies on not taking down domains
being used for phishing.
You can read a full rundown by David Goldstein here.
Sorry for ranting, but in the wise (although edited!) words of Schalk: “If you stir the poop and it smells bad people do something about it.”
The last word: nic.at, you are part of the problem. Grow some balls and “Respect the privacy of others”.

June 20th, 2007 at 10:49 pm
As usual stupid comments by US companies and its representatives. It becomes notorious by them to ignore laws of other countries resp. impose their illogical lawcode to others.
If a breach of contract happens you have to follow the procedures set by Austrian law and differently to other countries there is a very specific individual protection of personal data which has to be followed and not the very unclear position of a dubious organisation as Spamhaus.
June 20th, 2007 at 11:23 pm
I used McAfee Products in my company; reading your “last words” I decided to stop using it.
mgareiss
June 20th, 2007 at 11:51 pm
First of all, the websites in question here did not belong to those carrying out phishing attacks but were actually hacked to display this content.
Secondly, a registrar has to take action if his own service (the domain) is violating current law (trademark issues, ….) which obviously hasn’t been the case here. The actual problem was the content of a service where the domain pointed to.
So the correct and only contact were the webhosters where the sites were running. If these refuse to cooperate one can still contact their upstream providers.
The domain registrar however is never part in such a case. If they refuse to cooperate why not contact IANA to remove the whole .at zone overall, and if they refuse why not contact ICANN to shut down the complete Internet?
June 21st, 2007 at 11:55 pm
> The last word: nic.at, you are part of the problem.
> Grow some balls and “Respect the privacy of others”.
i think people like you who are not thinking, before writing
are the bigger problem. the opinion of nic.at is absolutely
ok - the problem is that spamhaus is a Steve Linford directed
showgroup without rules, without discussion, without processes
and without brain. they do whatever they like to do without any
respect on customer blackouts who can’t do anything for it.
bernd
June 22nd, 2007 at 2:54 am
I thought sudo had a third rule.
3) With great power comes great responsibility.
You’re right, they should be acting.
June 22nd, 2007 at 3:43 am
Dear Chris!
The difference between your self-understanding and the nic.at self-understanding is to respect Austrian Law.
In Austrian Law you had to authenticate first that somebody is a criminal - as far as I know the US law does not accept in these days the basic “in dubio pro reo”.
So it could be really helpful if you reduce first the size of your nuts and think before you write such a nonsense.
Kurt
June 22nd, 2007 at 4:10 am
Have you read this: http://www.icann.org/announcements/announcement-10oct06.htm
Quote: Only the Internet registrar with whom the registrant has a contractual relationship - and in certain instances the Internet registry - can suspend an individual domain name.
If you know about Austrian law (and German and….) you will see that nic.at can NOT delete these domains. Should postmasters request the deletion of spamhaus.org because they block sometimes legal email-servers? Their policies for listing are not really clear and it seems that the quality is not so good as for some years. But they can do what they want….
June 26th, 2007 at 4:28 am
Sigh. Of course hands are tied. If one rapes one (and nothing else is phishing, in terms of law view - as both are crime) in a mart, and the mart owner says while watching the rapture “Oh, well my hands are tied” then he is a liar. Because - at least in austria - he can step in and/or contact a police department. If he doesn’t he is (by law) “Gehilfe”. If he would go to the police they would say “it’s your mart, why didn’t you even try to avoid it?! Stop it!”.
If raptures happen frequently at this special mart without notifying police and so on, then this mart will be soon history.
Also the Austrian high court already stated, that IF nic.at knows about legal issues, and IF it is obvious, and they do nothing, then they ARE “Gehilfe”. See the FPO.at finding, where they mentioned in their finding also “Contents”. It is up to the reader and up to nic.at to conclude “If I am responsible for obvious legal issues by court under my domain, then I am also responsible for crime issues - if I do not act”.
July 8th, 2007 at 4:38 am
Employees at nic.at specifically went on record as stating “if child pornography were hosted on a fraudulently registered .at name, we still would do nothing about it”.
Rock-kit phishing sites HAVE NO WEB HOST.
The web sites in question here absolutely were under the control of the phishers. That’s the beauty of registering a fraud domain. And the Rock gang knows it (they are making millions of dollars off of nic.at’s inaction). They are using fast flux IP and DNS switching. If we could avoid dealing with idiots like nic.at we would, except for the fact that suspending the domain name is the only way to get the attack squelched.
By the way, the author is not from the US - so YOUR point is illogical. Policies like the ones nic.at has in place are rooted in a legal-political philosophy of fear. It’s no wonder countries like Austria get rolled over by thugs every 50 years or so.
May 27th, 2008 at 11:03 am
[…] Final thoughts: All we need now is a few of the heavily abused cc-TLD’s to do the same and dive into the fight before we see more of these. […]