Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 16 March 2011

Take downs: The good, the bad - and RapidSwitch

Taking down malicious sites has been part of daily life for years now, and I still love every second of it. Primarily because it annoys the bad guys, but mostly because it means there's less malicious sites (for a second anyway) for people to get infected via.

During the years, there's been many changes in the responses from hosting companies and registrars. GoDaddy have become one of the best at take downs and cleanups, courtesy of my good friend William (GoDaddy abuse dept), DirectI are challenging FreeHostia for the title of "quickest to respond and action an abuse report" (record currently held by FreeHostia at an unbelievable 4 minutes!), responding to and actioning, an abuse report in under 6 minutes (GoDaddy are close to beating this too, depending on when the report is sent in).

Sadly however, something never change. .co.cc still don't appear to have put any measures in place to prevent bad guys misusing their services. Dot.tk still won't take down a malicious domain if the registrant has paid for the domain, NameCheap and eNom STILL seem to be willingly allowing malicious domains to be registered through them (evident by eNoms lack of response, and NameCheaps refusal to take action, regardless of the domain in question, on the basis they're "only the registrar").

The most hilarious however, is RapidSwitch, who I blogged about back in 2008, and a few more times since - still have me blocked, which prevents my sending abuse reports to them (or it would if I only had one e-mail address). Little hint RapidSwitch, blocking abuse reports does one thing and one thing only - guarantees you'll keep the title of crime-ware friendly, and continue to have your IP ranges blocked!, not sure your customers are going to be happy about that (I look forward to hearing the excuse you're going to give them).

I also noted, along with co.cc, another ccTLD registrar that's seemingly doing nothing to stop the rising number of hostnames being created via their service - ce.ms. Though, given it's run by cz.cc, this perhaps isn't very surprising. It is important to note of course, the issues here aren't caused by their offering the domains for free (evident by there being far more abuse on paid TLDs such as .com), it's caused both by their complete failure to put measures in place for prevention, and their seemingly allowing bulk/scripted registrations (a problem ALL registrars have).

In an effort not to bore you to death, I'm keeping this short, but look for further updates in the future regarding this.

References

Take downs and cleanups: The good, and the rest
http://hphosts.blogspot.com/2010/12/take-downs-and-cleanups-good-and-rest.html

2 comments:

Unknown said...

Yeah, the best thing to do is a complete range block. After all they are the hosting company, and RESPONSIBLE for the proper operation of their client base. It's time they start to understand that cashing in is not the only thing they are responsiblme for.

After all, blocking unresponsive hosters will only block few (if any) good guys, when they'll start to ask their hosters what's going on, they very well know what the real reason is for that.

Range block please !

Conrad Longmore said...

I rarely block anything smaller than a /24 these days.. if there's more than a handful of bad sites in a range then the chances are that it's full of crap in any case and no great loss to block.

How long will it be until we turn it all on its head and start whitelisting instead?