ICANN terminates EstDomains, Directi takes over 280k domains

Following ICANN's notice of termination sent to cybercrime-friendly domain registrar EstDomains in October, on the 24th of November the termination became a reality and EstDomains is no more. Despite public concerns over who will take the 280,000 domains, including the cybercrime-facilitating ones, Directi's ResellerClub is the new home for EstDomains customers.
Written by Dancho Danchev, Contributor

ICANN's Stacy Burnette, Director of Contractual Compliance, was kind enough to elaborate a little more on ICANN's decision to terminate EstDomains, and on how the bulk transfer of its domain portfolio is going to benefit the community.

Go through the Q&A.

Q: Terminating EstDomains accreditation is indeed a step in the right direction, but isn't it a bit disturbing that what prompted the ICANN to do it wasn't the fact that the registrar was facilitating the registration of hundreds of thousands of cybercrime driving domains, but their CEO's earlier conviction? Would EstDomains be still in operation if the ICANN wasn't aware of the conviction?

A: ICANN is not a law enforcement authority and an allegation that a registrar is "facilitating the registration of hundreds of thousands of cybercrime driving domains" is not grounds for termination under the Registrar Accreditation Agreement (RAA).

Most RAA violations require ICANN to send the registrar notice of breach and provide the registrar an opportunity to cure the breach. If the registrar cures the breach within the time period provided in the RAA, the matter is closed.  There are very few RAA violations that are terminable and do not allow the registrar to cure.  Pursuant to Section 5.3 of the RAA, the conviction of a registrar officer is one of the few contract violations that allows ICANN to terminate without an opportunity for the registrar to cure. Although RAA amendments intended to provide additional enforcement tools are currently under consideration, ICANN will continue to use the enforcement tools available in the RAA.

Q: A large percentage of EstDomains' portfolio is still comprised of the cybercrime facilitating domains, which is natural despite the fact that they will no longer be allowed to slow down the shut down process. Do you believe that the bulk transfer of their legitimate and fraudulent domains to a more cooperative domain registrar in the face of Directi, would make the impact the security community and the average Internet user wants to see in general?

A: Directi representatives have expressed an openness to work collaboratively with the security community to analyze the domain name registrations formerly managed by EstDomains and take action where there is proof that the domain name registrations are being used for unlawful purposes. The security community and the global Internet community benefit from such cooperation.  ICANN commends Directi for its willingness to work with the security community and encourages other registrars to do the same.

Q: Having monitored a dozen of anti-abuse hosting providers throughout 2008, and continuing to do so, while their hosting services allow malware, logs of stolen e-banking details, and malicious redirection scripts only for "starters" they exclusively forbid other cybercriminals from hosting child pornography, pirated software and in fact entice them to enter "correct" Whois information so that they can ensure the domains remain online longer.

From a legal perspective, does the ICANN have any authority over cybercrime domains hosting underground data over which ICANN's rules perhaps doesn't apply?  Moreover, does ICANN's long-term vision have to do with more policing or better cooperating with the security community as an early warning system?

A: You asked if ICANN has "any authority over cybercrime domains hosting underground data over which ICANN's rules perhaps doesn't apply."  ICANN is a technical coordination body with responsibility for, among other things, overseeing the domain name registration system and ensuring that all ICANN-accredited registrars comply with the provisions of the RAA.

ICANN has consistently worked cooperatively with the security community to address a variety of security issues. In the past, ICANN has received information from the security community and ICANN has used that information constructively to address issues that fall within its mission and authority.  ICANN will continue to work collaboratively with the security community to effectively address security related issues.

Q: Bulk domain registrations are systematically abused by cybercriminals on a daily basis. In fact, I can easily argue that the average time it takes to track, report and shut down such a domain portfolio is enough for them to break even and scam several thousand people on average depending on the volume and scale of their attack tactics. With cybercriminals systematically exploiting domain registrars with weak anti-abuse practices, isn't it time for a major clean-up operation of such registrars?

A: Note your opening discusses registrations but your question deals with registrars.  ICANN encourages registrars to implement anti-abuse policies that result in the swift cancellation of domain names used for unlawful purposes.  This is an area where greater collaboration between ICANN and the registrar community is needed to develop better registrar practices.

The bottom line is that when a trusted domain registrar that actively cooperates with cybercrime fighters and security researchers starts managing EstDomains' portfolio, there's a higher chance of faster takedowns of malicious domains. In Directi's case, their cooperation with the community has been pretty evident. For instance, in October alone they've suspended over 175,000 domains due to fake whois entries, spam, phishing and pharmaceutical hosting involvement, and I'm sure the numbers are only going to get better.
