Defunct AlpNames Had History As A Home For Phishing

The now defunct AlpNames, which had its Registrar Accreditation Agreement terminated by ICANN this week after the discount registrar appeared to have disappeared, has a history of being a home to spammers and scammers.

In a February 2018 letter to ICANN from the Independent Compliance Working Party, a group of technology companies, it was claimed there was a problem with ‘one particular party’: AlpNames. Among other problems, it was claimed, AlpNames was responsible for over half the “new gTLD domains that have been blacklisted by Spamhaus.”

The members of the Independent Compliance Working Party, Adobe Systems, DomainTools, eBay, Facebook, Microsoft and Time Warner, asked ICANN to resolve problems they identified, with AlpNames the only registrar named.

“Troublingly”, the letter notes, “there also is a clear problem with one particular contracted party:

We find distinctive common patterns in domain name registration further suggesting malicious registrations. For example, we find 9,376 .link domains of which 9,256 were created in the first quarter of 2016 and 9,253 were registered with Alpnames Limited registrar.

  • …for 37.09% of the abused new gTLD domains reported by StopBadware, the sponsoring registrar is located in Gibraltar. Almost 195 abused new gTLD domains per 10,000 located in Gibraltar are abusive. (Note: Alpnames is located in Gibraltar.)
  • …we find that the abuse is driven by a single registrar: Alpnames Limited. For example, during the study period this registrar has acted as the sponsoring registrar for 53.97% (59,044) of the new gTLD domains that have been blacklisted by Spamhaus.
  • … one registrar, Alpnames Limited, having a high volume of abusive new gTLD domains reported by both Spamhaus and SURBL.”

The letter also notes there are problems with various generic top level domains, both legacy (in particular .com, although it does have 137.3 million domain names, ten times the size of the next biggest gTLD, .net, with 13.7 million) and new.

“Additionally, according to the [Statistical Analysis of DNS Abuse in gTLDs (SADAG)] report:

The number of abused phishing domains in legacy gTLDs is mainly driven by the .com gTLD and at the end of 2016 represents 82.5% (15,795 of 19,157) of all abused legacy gTLD domains considered in this study.

  • …the five new gTLDs suffering from the highest concentrations of domain names used in phishing attacks listed on the APWG domain blacklist in the last quarter of 2016 collectively owned 58.7% of all blacklisted domains in all new gTLDs.
  • …we observe as many as 182 and 111 abused .work and .xyz domains, respectively. The results indicate that the majority of .work domains were registered by the same person. 150 domains were registered on the same day using the same registrant information, the same registrar, and the domain names were composed of similar strings. Note that only 150 abused domains, blacklisted in the third quarter of 2015, influenced the security reputation of all new gTLDs.
  • …the overwhelming majority of malware domains, which were categorized as compromised, belong to one of four new gTLDs: .win, .loan, .top, and .link (77.1%, which represents 19,261 out of 24,987 domains).”

There are also “regrettably stark increases and serious concentrations of abuse across legacy and new gTLDs, registries and registrars, and in the proliferation of spam, malware, phishing and other harms. For example, according to the Domain Abuse Activity Reporting (DAAR) System report:

  • the 25 most exploited TLDs account for 95% of the abuse complaints submitted to DAAR.
  • Five TLDs alone are responsible for more than half of abuse complaints.”

The letter says “You’ll agree these are troublesome statistics, and are antithetical to a secure and stable DNS administered by ICANN.”

“We are alarmed at the levels of DNS abuse among a few contracted parties, and would appreciate further information about how ICANN Compliance is using available data to proactively address the abusive activity amongst this subset of contracted parties in order to improve the situation before it further deteriorates.”

In his reply, Jamie Hedlund notes there are limitations as to what ICANN can do. He notes the current Registry Agreement “do not authorize ICANN org to require registries to suspend or delete potentially abusive domain names. Similarly, the RAA does not authorize ICANN org to require registrars to suspend or delete potentially abusive domain names. Instead, under RAA Section 3.18, registrars are required to take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse. Registrars are also required to review well-founded reports from law enforcement and other similarly designated authorities within 24 hours of receipt. There is no requirement in the RAA that requires registrars to suspend or delete reported domains.”

Hedlund writes that “to terminate registrars with high rates of abusive domains under management … a ‘court of competent jurisdiction’ must judge against the registrar prior to ICANN org taking action.”

The letter from the Independent Compliance Working Party is available to read in full at:
https://www.icann.org/en/system/files/correspondence/vayra-to-hedlund-27feb18-en.pdf

The letter from Jamie Hedlund, Senior Vice President, Contractual Compliance and Consumer Safeguard, in response is available to read in full at:
https://www.icann.org/en/system/files/correspondence/hedlund-to-vayra-04apr18-en.pdf

For more on AlpNames’ history, and what might happen next, check out the Domain Incite report here.

AlpNames Is No More As ICANN Terminates Registrar Days After Going Offline

Gibraltar-based domain name registrar and webhoster AlpNames appears to be no more. ICANN announced Thursday they were terminating “the Registrar Accreditation Agreement (RAA) with registrar Alpnames Limited (IANA #1857), effective immediately.”

The issue first came to prominence when Domain Incite reported on 12 March that “AlpNames has been offline for ‘days’, and rumors have started to circulate that it might not just be a technical problem.”

Domain Incite also reported that “AlpNames is believed to have almost 700,000 names under management, double the size it was last June but well below its peak, at the height of its deep-discounting period in 2017, of over three million.”

It appears the discount registrar has been having issues for several months. Its last Twitter post was in December and its last Facebook post was in November.

The RAA was terminated after ICANN determined Alpnames was no longer performing required registrar functions as specified in the agreement. These functions include allowing existing registrants to renew domain name registrations and processing new registrations.

ICANN invoked the De-Accredited Registrar Transition Procedure (DARTP) to enable the successful transition of the names to an ICANN-accredited registrar and protect registrants. Once the gaining registrar is identified and confirmed, it will be listed on the Bulk Transfers page.

The time required to complete the transfer process varies by the number of registrations with the terminated registrar. ICANN will work to facilitate the transfer of registrations to the gaining registrar as expeditiously as possible. Once the transfer of registrations has been completed, the new registrar will contact registrants with information on how to access and maintain their domain name registrations.

ICANN has a page that all domain name registrants are encouraged to visit for important information about managing their domain names. However, the information is generic in nature and not specific to Alpnames.