Click the comments link on any story to see comments or add your own.
Subscribe to this blog
07 May 2013
Palau is a tiny country of about 20,000 people with excellent snorkeling in the South Pacific. Like every country, it has a two-letter country domain .PW. Back in 2004, Palau leased .PW to Encirca, who tried to brand it as Personal Web, with approximately no success. Late last year, DirectI took it over and rebranded it as Professional Web. They went through an ICANN-style sunrise and landrush process and apparently got tens of thousands of defensive registrations. About a month ago, they opened it up to everyone with very cheap $5 registrations, and the spam began.
A few days ago questions about spam from .PW started showing up on a lot of lists about e-mail operations, from lists about general spam management to the spamassassin users list to some private lists for system operators. Everyone was seeing the same thing, vast amounts of spam from .PW addresses, and no legitimate mail at all. People with access to passive DNS reported a lot of different .PW domains in use in spam, about 10,000 of the total of 50,000 that DirectI claims.
Although they have a fine set of rules on the .PW web site forbidding spam and other evil, I don't get the impression that it occurred to DirectI that they need to take compliance seriously. (They're also an ICANN gTLD registrar, and do not have a great reputation for abuse management in that context, either.)
DirectI's .PW abuse reporting page isn't very helpful. They suggest that you look up the registrar through a web form and notify the registrar. Uh, no. Since they have a database of all the domains, it would take a junior programmer about 20 minutes to write a script that picks a .PW domain out of an e-mailed abuse report, looks it up, and forwards it to the appropriate registrar, if they actually wanted to deal with abuse.
On one of the lists I read, a DirectI employee popped up, which was nice, and suggested that we send abuse reports to a couple of addresses, neither of which was firstname.lastname@example.org or email@example.com (the only e-mail address on their web site.) Once again, uh, no.
At this point, people I know at at least one large webmail system tell me that it's too late to save .PW, they're filtering it as block on sight and see no reason to revisit that any time soon. I hope nobody in Palau, the legitimate home of .PW, is counting on using a .PW address for their own mail or web site. A little poking around finds palaugov.net (the main government web site), palaunet.com (the phone company), and palauopa.org (the public auditor), so it appears that they gave up on .PW a long time ago.
If DirectI were serious about abuse management, what would they do, particularly given the tension between the marketing department who wants to sell as many domains as possible to anyone with five bucks, and everyone else who doesn't want a public nuisance? The main thing is to plan ahead and get feedback loops of various sorts set up. Contact large mail providers, and ask for a feed of spam from .PW addresses or touting .PW web sites. Many will be happy to do it. There are also service bureaus that aggregate reports, again who should be able to provide close to real time intelligence to shut down abusers.
As noted above it's probably too late for .PW, but this should be a lesson for the operators of the thousand new domains that ICANN is likely to approve starting later this year. Some of the domains are closed, only available to the sponsor (typically corporate vanity domains) but a lot are intended to be open to anyone. Will the registries plan ahead for effective compliance? I'm not holding my breath.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.