On the effects of registrar-level intervention

Authors:
He Liu;Kirill Levchenko;Márk Félegyházi;Christian Kreibich;Gregor Maier;Geoffrey M. Voelker;Stefan Savage
Affiliations:
Department of Computer Science and Engineering, University of California, San Diego;Department of Computer Science and Engineering, University of California, San Diego;Laboratory of Cryptography and System Security, Budapest University of Technology and Economics and International Computer Science Institute, Berkeley, CA;Computer Science Division, University of California, Berkeley and International Computer Science Institute, Berkeley, CA;International Computer Science Institute, Berkeley, CA;Department of Computer Science and Engineering, University of California, San Diego;Department of Computer Science and Engineering, University of California, San Diego
Venue:
LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
Year:
2011

Citing 7
Cited 6

Examining the impact of website take-down on phishing

Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
On the Effectiveness of Techniques to Detect Phishing Sites

DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Beyond blacklists: learning to detect malicious web sites from suspicious URLs

Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining
Phishnet: predictive blacklisting to detect phishing attacks

INFOCOM'10 Proceedings of the 29th conference on Information communications
Spamcraft: an inside look at spam campaign orchestration

LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
On the potential of proactive domain blacklisting

LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Click Trajectories: End-to-End Analysis of the Spam Value Chain

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy

PharmaLeaks: understanding the business of online pharmaceutical affiliate programs

Security'12 Proceedings of the 21st USENIX conference on Security symposium
Do malware reports expedite cleanup? an experimental study

CSET'12 Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
Taster's choice: a comparative analysis of spam feeds

Proceedings of the 2012 ACM conference on Internet measurement conference
Beyond the blacklist: modeling malware spread and the effect of interventions

Proceedings of the 2012 workshop on New security paradigms
Understanding the domain registration behavior of spammers

Proceedings of the 2013 conference on Internet measurement conference
Shady paths: leveraging surfing crowds to detect malicious web pages

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Virtually all Internet scams make use of domain name resolution as a critical part of their execution (e.g., resolving a spam-advertised URL to its Web site). Consequently, defenders have initiated a range of efforts to intervene within the DNS ecosystem to block such activity (e.g., by blacklisting "known bad" domain names at the client). Recently, there has been a push for domain registrars to take a more active role in this conflict, and it is this class of intervention that is the focus of our work. In particular, this paper characterizes the impact of two recent efforts to counter scammers' use of domain registration: CNNIC's blanket policy changes for the .cn ccTLD made in late 2009 and the late 2010 agreement between eNom and LegitScript to reactively take down "rogue" Internet pharmacy domains. Using a combination of historic WHOIS data and co-temporal spam feeds, we measure the impact of these interventions on both the registration and use of spam-advertised domains. We use these examples to illustrate the key challenges in making registrar-level intervention an effective tool.