Inspired by Igor’s post (and whilst Terry is dancing in doorways) I’ve taken some time out from my current project and beaten a path through the tangled web of service providers, registrars, resellers and registrants of the domain name system supporting the darker side of the web.

This investigation originally started when Garth from Knujon pointed out that Directi have some shill registrars on their books (Whilst I was enjoying the Kaiser Chiefs @ Rock en Seine in Paris no less). I then read Brian Krebs post about Atrivo being one of the best known dangerous networks around… He finished with a teaser note about ESTDomains. So guessing whats coming next I’m going to jump the inter-networking gymnastics that binds EST with Atrivo/Intercage/(cernel|inhoster)/Etc, privacy services and others and start at the far end of the story and expose a secret about a not-so-little Indian company called Directi and shine a light on the almost invisible but vital service that powers the domain registration core of the largest group(s) of bad-actors on the web today.

Let me provide some bullet points about the Directi Group of companies to get you up to speed.

  • Directi are a privately owned Indian company with a reported turnover in excess of $300M USD.
  • Directi own LogicBoxes the maker of a product used to manage the registrar relationship with registries.
  • Directi own the reseller Resellerclub.com, and the registrar Answerable.com amongst others.
  • Directi own skenzo.com a domain typo squatting monetization service.
  • Directi’s Logicboxes are responsible for over 3.5M domains, about 45K resellers across 50+ ICANN accredited registrars.
  • LogicBoxes has no acceptable use policy (AUP) for their service.

That last point is the weak link in the chain. Directi’s Logicboxes provide domain registration automation services under contract but without an AUP, and to organizations that have an un-holy tie to organised crime at that.

LogicBoxes is a software product or turnkey ASP solution but some simple tests (that I’m deliberately withholding for now) prove that it’s software combined with a backend service and Directi are involved at every stage of the game via it’s service-layer even though it looks on the face of it like they aren’t.

(If you don’t understand the cats-cradle of knotted string that holds the domain name registration system together then blame John Levine as he has admitted it’s all his fault and this slide explains it all, “apparently” ;) ).

So on the the murky world of Registrars also being Resellers and why:
ESTDomains, Dynamic Dolphin, to name but a few are huge Directi resellers, and as ICANN accredited registrars also customers of LogicBoxes too. But as Garths and Brian’s posts show there are also many other “shill” registrars and unanswered questions too. However between them they provide a disproportionate amount of domains that are used for illegal activities and most have a path back to Directi’s logicboxes service. I’d estimate the total to be north of 100,000 domains by now, everything from Social networking spam through illegal pharmaceutical supply to botnet command and control.

There is a metric truckload of publicly available evidence for anyone that still doubts the darkness of their hats take a look at the URIBL listings for the last 5 days for ESTdomains. All the linked domains are sites you do not want to click as they contain spam landing pages, fake anti-mailware, porn with fake codecs amongst other things. Why on earth a legitimate registrar would not monitor uribl’s published information and act on it is completely beyond me.

ICANN don’t help the situation by accrediting registrars without a verifiable legitimate address and well publicized & working contacts. We have procurement and vendor qualification processes that’s a real pain some times excellent IMHO, I’ll ask someone to send them a copy ;)

Our friends at Spamhaus have plenty to say about ESTDomains too on many listings, take a look at their nameserver listings for starters SBL53320 SBL53319. Searching ROKSO will reveal a whole lot more. As for Atrivo, it’s a rats nest of issues; A rats nest that would do well to fall off the internet. For more information on the internet-gymnastics I jumped over take a look at this great pdf from hostexploit.com. Keep in mind though that some of the feeder transit networks may be owned or run by the same gang and just exist for redundancy.

The ESTDomains that I’ve investigated first hand have generally fallen into two camps, one where they are registrar directly and one where PublicDomainRegistry is mentioned in the whois, the latter being the “shill” sorry I mean “white labeled Registrar” for the previously mentioned Directi company “resellerclub dot com“. The fact that PrivacyProtect.org is Directi’s whois privacy service (pasted from here) for resellers just makes matters worse.

Don’t get me wrong, Directi have a clue, register a domain directly with a Directi owned registrar and break the AUP and they will act well as any registrar must. I’m specifically talking about the other services they provide to the criminal corners of the web.

It would appear too that the ESTDomains portfolio has had their privacy protection revoked too, this is definitely a step in the right direction. (Breaking news this evening from El Reg and knujon, nice work guys) However, these guys move pretty fast and recently EST moved their privacy needs to their own protectdetails.com domain.

So finally I have to ask those making money by providing the core services Bhavin Turakhia & Divyank Turakhia from Directi, you clearly know the score, so when will you completely stop supporting the illegal acts of EST, DD and other very obvious darkside entities and kick the bad apples out?

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you ;)