Directi, KnujOn, HostExploit to work together

Posted on September 10, 2008 - 13:07 by mweinstein

I recently blogged about two reports related to business practices of web-related companies. One of those companies, Directi, was the direct target of the KnujOn report and was mentioned in Jart Armin's report, as well. I blogged about Directi's response to the KnujOn report last week.
This week, Directi, KnujOn, and HostExploit (Jart's company) released a joint statement:

In light of recent developments, Jart Armin of, Bhavin Turakhia, CEO of Directi and Garth Bruen of Knujon have had an open dialogue and mutually agreed to release this joint statement as an accurate representation of facts, clearing any previous misconceptions and reaffirming their common goal to combat abuse on the Internet.

You can read the statement for the specifics, but I want to applaud the public commitment by all three parties to working together to fight badware. So far, Jart tells us that they have removed thousands of badware and spam domains. It will be interesting to see how this plays out and, in particular, how Garth, Jart, and other members of the security community evaluate Directi's follow-through.
Also this week, both Directi and EstDomains (which was mentioned prominently in Jart's report) contacted us to request that we send any data about domains registered through their respective services to them so they can take appropriate action. We don't currently analyze registrars, though we hope to sometime soon, and we will, of course, make the data available to the registrars to the extent practicable if/when we have such data.
All of this activity raises an interesting (and long-standing) question about the role of domain registrars in policing content of sites. Should a domain registrar be expected to deactivate a domain that is known to be associated with badware? If so, who is the authority that decides which sites should be taken down? How is the process kept transparent? How are errors corrected? What about legitimate sites that have been infected without the owner's knowledge (like many of those that are in our Clearinghouse?) What about sites that are potentially "bad" in other ways, like violating local laws, perpetuating defamation, or trafficking in child pornography? Let us know what you think in the comments.

7 responses to

Directi, KnujOn, HostExploit to work together

Anonymous says:

This issue of knowing what registrars and hosting companies know about their clients is one that is finally being dealt with in an honest manner.

Everyone who has been doing any amount of malware research knows where it all stems from, the problem has always been getting those companies to stop turning a blind eye to it because they make so much money.

It's been a good week in so far as this whole Directi\Atrivo\Estdomains goes. The long tail of it will be tho, how long before these companies evolve to a different company, also turning a blind eye? I for one don't think they're going to be giving up the millions they have been making and start eating oatmeal in place of caviar.

I think they'll just wind up at another company in another country with lesser concerns than their criminal behavior on the Net.

We can hope, and only time will tell.

Keep your fingers crossed.

Anonymous says:

The registrars are the gateway for everyone who wants a domain name, just as a Department of Motor Vehicles provides a license to drive a car. That license will be revoked if I break any laws. ICANN's Registrar Accreditation Agreement (RAA) requires that the Registrar terminate any site that is breaking the law, so yes, registrars should terminate those sites breaking any laws. Spam is against the law, as are sites selling drugs without a license.

The registrar does not really take down a site, it just suspends the use of the domain name. If there is an error it can be corrected by reinstating the domain name. Most of the time, criminals do not complain about losing a domain name.

If a site has been victimized, then that site can repair the problem and be reinstated. Again, for the most part criminal sites do not complain. Victims should be shut off until they are no longer victims, because they are hosting badware or spammers, perhaps part of botnet.

If the registrars would follow the rules and verify the whois data for registrants, much of the problem would go away. Criminals generally lie on their applications for domain names and legitimate organizations do not.

Anonymous says:

You may find this interesting:

A new registration: - created 8 September 2008 - Registrar Estdomains

Nameservers:, - Registrar DIRECTI, WHOIS hidden behind is only accessible from some countries, one being Germany.

Anonymous says:

Sandi, and thus, perhaps, the new round of obfuscation begins??

Anonymous says:

I do not think that registrars should have any role beyond the clerical of putting domain name entries into the registry. If we ask/encourage them to police registrants, I fear that delegated censorship encourages too frequent takedown of lawful sites, with little recourse for the person whose site is made inaccessible. (I recall an earlier case where GoDaddy unmasked the private registrant of a bar-code spoof site,, on the allegation that it encouraged bar code fraud.)

If we encourage registrars to take down "bad" sites, we're likely to get the incentives all wrong for protecting lawful but unpopular content. It costs them more to take a single support call than they make from a year's registration, so they'll likely err on the side of rapid takedown rather than close investigation. This amounts to what we know in the First Amendment context as a "heckler's veto," giving someone who
dislikes speech the power to raise its cost by complaining to the registrar. (And meanwhile, we'll get a few registrar-like entities providing "bullet-proof hosting" and inviting miscreants at a higher fee.)

I posit that every speaker who wants a stable location for online speech requires a registrar: Even if one doesn't need a meaningful domain name, he needs a persistent one -- else he's just subject to the whims of a different third party, witness the recent YouTube Scientology mass takedown and put-back. So raising registrars' costs and the burdens they place on registrants will raise the costs particularly of unpopular speech.

Perhaps the risks and rapid spread of phishing or malware attacks encourage us to look for more rapid response than the courts typically are able to provide, but we need to find solutions that retain due process even as they increase in speed.

Anonymous says:

For me, Wendy's response raises a couple additional questions:

1. If there were a responsive, transparent, fair organization (like, say, StopBadware) providing the guidelines for what should be taken down and the due process for appeals, would this change the situation at all?

2. Is there some entity other than the registrar whom we could reasonably expect to take action against a site known to be a public threat (e.g., by distributing malware)?

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.