Defunct AlpNames Had History As A Home For Phishing

The now defunct AlpNames, which had its Registrar Accreditation Agreement terminated by ICANN this week after the discount registrar appeared to have disappeared, has a history of being a home to spammers and scammers.

In a letter to ICANN from the Independent Compliance Working Party, a group of technology companies, in February 2018, it was claimed there was a problem with ‘one particular party’: AlpNames. Among other problems, AlpNames was claimed to be responsible for over half of the “new gTLD domains that have been blacklisted by Spamhaus.”

The members of the Independent Compliance Working Party, Adobe Systems, DomainTools, eBay, Facebook, Microsoft and Time Warner, asked ICANN to resolve problems they identified, with AlpNames the only registrar named.

“Troublingly”, the letter notes, “there also is a clear problem with one particular contracted party:

We find distinctive common patterns in domain name registration further suggesting malicious registrations. For example, we find 9,376 .link domains of which 9,256 were created in the first quarter of 2016 and 9,253 were registered with Alpnames Limited registrar.

  • …for 37.09% of the abused new gTLD domains reported by StopBadware, the sponsoring registrar is located in Gibraltar. Almost 195 abused new gTLD domains per 10,000 located in Gibraltar are abusive. (Note: Alpnames is located in Gibraltar.)
  • …we find that the abuse is driven by a single registrar: Alpnames Limited. For example, during the study period this registrar has acted as the sponsoring registrar for 53.97% (59,044) of the new gTLD domains that have been blacklisted by Spamhaus.
  • … one registrar, Alpnames Limited, having a high volume of abusive new gTLD domains reported by both Spamhaus and SURBL.”

The letter also notes there are problems with various generic top level domains, both legacy and new. Among the legacy gTLDs the problem is in particular with .com, although .com does have 137.3 million domain names, ten times the size of the next biggest gTLD, .net, with 13.7 million.

“Additionally, according to the [Statistical Analysis of DNS Abuse in gTLDs (SADAG)] report:

The number of abused phishing domains in legacy gTLDs is mainly driven by the .com gTLD and at the end of 2016 represents 82.5% (15,795 of 19,157) of all abused legacy gTLD domains considered in this study.

  • …the five new gTLDs suffering from the highest concentrations of domain names used in phishing attacks listed on the APWG domain blacklist in the last quarter of 2016 collectively owned 58.7% of all blacklisted domains in all new gTLDs.
  • …we observe as many as 182 and 111 abused .work and .xyz domains, respectively. The results indicate that the majority of .work domains were registered by the same person. 150 domains were registered on the same day using the same registrant information, the same registrar, and the domain names were composed of similar strings. Note that only 150 abused domains, blacklisted in the third quarter of 2015, influenced the security reputation of all new gTLDs.
  • …the overwhelming majority of malware domains, which were categorized as compromised, belong to one of four new gTLDs: .win, .loan, .top, and .link (77.1%, which represents 19,261 out of 24,987 domains).”

There are also “regrettably stark increases and serious concentrations of abuse across legacy and new gTLDs, registries and registrars, and in the proliferation of spam, malware, phishing and other harms. For example, according to the Domain Abuse Activity Reporting (DAAR) System report:

  • the 25 most exploited TLDs account for 95% of the abuse complaints submitted to DAAR.
  • Five TLDs alone are responsible for more than half of abuse complaints.”

The letter says “You’ll agree these are troublesome statistics, and are antithetical to a secure and stable DNS administered by ICANN.”

“We are alarmed at the levels of DNS abuse among a few contracted parties, and would appreciate further information about how ICANN Compliance is using available data to proactively address the abusive activity amongst this subset of contracted parties in order to improve the situation before it further deteriorates.”

In his reply, Jamie Hedlund, ICANN’s Senior Vice President, Contractual Compliance and Consumer Safeguard, notes there are limitations as to what ICANN can do. He notes that the current Registry Agreements “do not authorize ICANN org to require registries to suspend or delete potentially abusive domain names. Similarly, the RAA does not authorize ICANN org to require registrars to suspend or delete potentially abusive domain names. Instead, under RAA Section 3.18, registrars are required to take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse. Registrars are also required to review well-founded reports from law enforcement and other similarly designated authorities within 24 hours of receipt. There is no requirement in the RAA that requires registrars to suspend or delete reported domains.”

Hedlund writes that “to terminate registrars with high rates of abusive domains under management … a ‘court of competent jurisdiction’ must judge against the registrar prior to ICANN org taking action.”

The letter from the Independent Compliance Working Party is available to read in full at:

The letter from Jamie Hedlund, Senior Vice President, Contractual Compliance and Consumer Safeguard, in response is available to read in full at:

For more on AlpNames’ history, and what might happen next, check out the Domain Incite report here.