KnujOn.

com, LLC
Updated: 6/20/2010 Page 1
Abstract
Introduction
Outline
Registrars in Potential Breach
About KnujOn
Terms Used

Abstract

This independent audit of ICANN Registrar adherence and compliance to the Registrar
Accreditation Agreement has revealed that162 Registrars may be in breach of their contracts for
various reasons. The reasons are not trivial, they range from blocking and manipulating WHOIS
access to falsifying applications to knowingly facilitating criminal traffic. This report takes a deep
look at the relationships between registration fraud, DNS manipulation, spam, compliance failure
and the growing trade in illicit drugs online. We also offer recommendations to correct these
problems.

Introduction

The authors of this report are members of the ICANN At-Large community, representing Internet
users and consumers globally free of cost. We are committed to improving the quality and safety
of the Domain Name System through constant analysis of Internet abuse data and continual
review of the structure and its compliance mechanisms. We sincerely support ICANN’s
commitment the principles of openness, transparency, and accountability. In the interests of
assisting ICANN in reaching its goals we respectfully submit this security assessment to the
Board of Directors, ICANN Staff, the Government Advisory Committee, and all of the supporting
committees. This report is un-sponsored and unsolicited in an attempt to avoid any untoward
influence. The intent is to purely represent the frustrated and confused Internet user. The ultimate
goal is to assist in securing our Internet for the future.

Much of cyber-security’s focus has been on intrusions, mass data theft, phishing, privacy
violations, ID-theft, and malware. For the most part these are incidents. They differ from the focus
of this document - illicit Internet product traffic. Illicit product traffic is an ongoing cybercrime that
requires the continuity and stability that other threats do not. Another major difference is that
service providers generally do not profit from phishing, intrusions, and data theft. However, illicit
product traffic presents an opportunity for Registrars to earn significant amounts money through
illicit domain registrations and related domain product services.

There are many types of threats on the Internet but our research reveals the heavy influence of
diverted, altered, and counterfeit prescription drugs. In our estimation this is the number one
threat to consumers and the Internet structure. Additional security threats like malware
deployment, denial of service attacks, trademark hijacking, botnets, spam, WHOIS fraud, network
intrusions, domain hijacking, Registrar corruption, and electronic money laundering are all tools of
the global network of illicit drug traffic. Beyond the Internet this traffic impacts the health of the
public while funding organized crime and terrorist groups.

There is no question that underground pharmaceutical traffic is illegal and kills people. The
traffickers may paint themselves as virtual Robin Hoods who defy the greedy hands of
government and “big pharma”, but in reality they deliver tainted products and cruelly prey on the
sick, elderly, and addicted. In contrast with the popular perception, the underground pharmacy
market is far beyond lifestyle drugs like Viagra and Cialis. Tainted and completely fake drugs sold
on the Internet include heart, blood-pressure, cancer, diabetes, and AIDS medications. There are
multiple documented cases of chalk pressed into painted pills, HIV test kits that give false

KnujOn.com, LLC
Updated: 6/20/2010 Page 2
negatives, “anti-aging” cocktails, and an array of other “snake oils” that give false hope and make
the sick sicker.

While Internet illicit drug traffic uses various tools it relies one critical resource to make money,
online transaction platforms. Without a secure space to accept electronic payments the expense
of registering domains, deploying malware, and sending spam is wasted. It is important to
understand that, as Moses Naim of Foreign Policy Magazine states, illicit traffic is about
transactions, not products 1 . Replace drugs with pirated software and consumer knockoff products
and the problem still exists. While the emphasis of this report is drug traffic, many other issues
are discussed.

The transaction platforms in question are domain names. To acquire domain names illicit
networks need access to another critical resource, Registrars. All businesses need a support
structure, in this case an illicit support structure. Online drug traffickers have built an array of
online shops, content/image servers, NameServers, customer service sites, mail servers,
newsletter/blog sites, transaction sites, and click-through advertisement processing. Each portion
of the structure requires a domain name. Our research shows that the number of domains
registered for a single drug-related spam campaign is in the thousands. The domains are often
registered with false WHOIS or WHOIS shielded by invalid privacy services. The spammed
domains are often terminated quickly but, as we demonstrate, the transaction domains remain
intact, the NameServers receive a fresh crop of front-end shop sites and the Registrars rarely
respond to inquires about this.

This all may seem obvious, but what is not obvious is why the illicit transaction structure endures.
The answer is weak policy, improper oversight, ineffective enforcement tools, and missing
demand for accountability among service providers.

This is why we are focused on the Registrars. Without their sponsorship of the illicit transaction
structure, the problem would not exist. Registrars may claim this is not their responsibility or
problem but we will explain why it is and why a weak policy structure governing the Registrars
creates an atmosphere of permissiveness.

1
Moises Naim, Illicit (Anchor October 10, 2006)

KnujOn.com, LLC
Updated: 6/20/2010 Page 3
Outline of Report

In order to address the many faces of this problem we have separated this report into three major
sections:

Section I is a review of all Registrars in terms of the obligations under the Registrar Accreditation
Agreement (RAA). KnujOn has evaluated all of the ICANN-Accredited Registrars for compliance
as far as we are able to from outside ICANN and the Registrar community. Registrars in potential
brief are summarized below with corresponding RAA sections.

Section II addresses WHOIS issues starting at the top. KnujOn has evaluated the WHOIS
accuracy of the Registrar’s own domains and where appropriate filed WHOIS Inaccuracy with
ICANN. In this section we have preformed the same evaluation of all the Generic Top-Level
Domain (gTLD) NameServers and where appropriate filed WHOIS Inaccuracy complaints with
ICANN. In the remaining portion of this section we discuss a plan to validate the entire gTLD
WHOIS record, a project which some say is impossible.

Section III explains how the Domain Name System is being manipulated on a massive scale to
support illicit drug traffic and details conditions that allow this threat to exist at the expense of the
consumer and legitimate business.

KnujOn.com, LLC
Updated: 6/20/2010 Page 4
Registrars in Potential Breach with Relevant RAA Section

#1 Internet Services International, Inc. dba 1ISI : RAA 5.3.1

$$$ Private Label Internet Service Kiosk, Inc. (dba "PLISK.com") : RAA 3.16
1 More Name, LLC : RAA 5.3.1, 3.7.5.6, 3.7.5.5
1API GmbH (1apI.de) : RAA 3.7.5.6, 3.7.5.6
1st Antagus Internet GmbH (antagus.de) : RAA 3.3.1, 3.7.5.6, 3.7.5.7
2030138 Ontario Inc. dba NamesBeyond.com : RAA 3.3.1
21Company, Inc. dba 21-domain.com/21-domain.com : RAA 3.16, 3.3.1
A Technology Company, Inc. (namesystem.com) : RAA 3.3.1, 3.16
AB RIKTAD (riktad.com) : RAA 3.3.1
Abacus America, Inc. d/b/a Names4ever: 5.3.2
Abansys & Hostytec, S.L.(abansys.com) : RAA 3.3.1
Ace of Domains, Inc. : RAA 5.3.1
Active Registrar, Inc./activeregistrar.com : RAA 3.16
Add2Net Inc. (lunarpages.com) : RAA 3.3.1
Advanced Internet Technologies, Inc. (AIT) : RAA 3.3.1
Advantage Interactive Ltd.(LCN.com) : RAA 3.3.1
Alantron (alantron.com) : RAA 3.7.5.6, 3.7.5.8, 3.3.1
Alfena, LLC (alfena.com) : RAA 3.3.1
AllGlobalNames, S.A. dba Cyberegistro.com : RAA 3.3.1
Annulet Incorporated : RAA 5.3.1
AOL LLC (aol.com) : RAA 3.3.1
Arsys Internet, S.L. dba NICLINE.COM : RAA 3.16
Aruba SpA(aruba.it) : RAA 3.3.1
Atozdomainsmarket, LLC : RAA 5.3.1
AusRegistry Group Pty Ltd (ausregistry.com) : RAA 3.3.1
Aust Domains International Pty Ltd dba Aust Domains, Inc.(austdomains.com) : RAA 3.3.1
Autica Domain Services Inc. (autica.com) : RAA 3.3.1
Azdomainz, LLC : RAA 5.3.1
Azprivatez, LLC : RAA 5.3.1
Belgiumdomains, LLC : RAA 5.3.1
BIZCN.COM : RAA 3.7.5.3, 3.7.7.2, and 3.7.11
Black Ice Domains, Inc. : RAA 3.3.1
Bottle Domains, Inc. (bottledomains.com.au) : RAA 3.3.1
Brights Consulting Inc.(brights.jp) : RAA 3.3.1
Broadspire Inc. (broadspire.com) : RAA 3.7.5.6, 3.7.5.9
Capitoldomains, LLC : RAA 5.3.1
Cheapies.com Inc : RAA 3.7.5.6/3.7.5.10,3.3.1
China Springboard, Inc.(chinaspringboard.com/namerich.cn) : RAA 3.3.1
COMPANA LLC/budgetnames.com : RAA 3.16
CoolHandle Hosting, LLC : RAA 5.3.1
Cronon AG Berlin, Niederlassung Regensburg(cronon.org) : RAA 3.3.1
CSL Computer Service Langenbach GmbH d/b/a joker.com : RAA 3.16
Deschutesdomains.com LLC : RAA 5.3.1
Digirati Informatica Servicos e Telecomunicacoes LTDA dba Hostnet.com : RAA 3.3.1
Digitrad France (digitrad.com) : RAA 3.3.1
Directi Internet Solutions Pvt. /publicdomainregistry.com : RAA 3.16
Domain Jamboree, LLC (domainjamboree.com) : RAA 3.3.1
Domain Monkeys, LLC domainmonkeys.com : RAA 3.3.1
Domain Services Rotterdam BV (tellus.com) : RAA 3.7.5.6/3.7.5.11,3.3.1
Domain-A-Go-Go, LLC : RAA 5.3.1
Domainbullies,LLC DBA DomainClub.com : RAA 5.3.1
Domaindoorman, LLC : RAA 5.3.1

KnujOn.com, LLC
Updated: 6/20/2010 Page 5
Domainfactory GmbH : RAA 3.3.1
Domaininthehole.com LLC : RAA 5.3.1
Domain-It!, Inc. : RAA 5.3.1
DomainRegistry.com Inc. : RAA 3.3.1
DomainSpa LLC (domainspa.com) : RAA 3.3.1
DomainSystems, Inc. dba DomainsSystems.com : RAA 5.3.1
Domainz Limited (domainz.com) : RAA 3.3.1
DOTALLIANCE INC/dotalliance.com : RAA 3.16
DotArai Co., Ltd. (dotarai.co.th) : RAA 3.3.1
Dotster : RAA 3.3.6
DSTR Acquisition PA I, LLC dba DomainBank.com : RAA 3.16
eBrandSecure, LLC : RAA 5.3.1
EnetRegistry, Inc. : RAA 3.3.1
eNom : RAA 3.3.6, 3.7.2, 3.7.5.3, 3.7.7.2, 3.7.8, 3.8, 3.7.10, 5.3.1*, 3.12
EVERYONES INTERNET LTD./resellone.net : RAA 3.16
FBS Inc. (isimtescil.com) : RAA 3.3.1
FRANCE TELECOM/francetelecom.com : RAA 3.16
Freeparking Domain Registrars, Inc. : RAA 3.3.1
French Connexion dba Domaine.fr : RAA 3.3.1
Galcomm, Inc. : RAA 3.3.1
Gee Whiz Domains, Inc. (geewhizdomains.com) : RAA 3.3.1
GKG.NET, INC. : RAA 3.3.1
Good Luck Internet Services PVT, LTD. : RAA 3.3.1
Guangzhou Ming Yang Information Technology Co., Ltd : RAA 3.3.1
Hebei Guoji Maoyi LTD dba HebeiDomains.com : RAA 3.3.1
Hetzner Online AG (hetzner.de) : RAA 3.3.1
HooYoo (US) Inc. (us.hooyoo.com) : RAA 3.3.1
Hosting.com, Inc. : RAA 3.3.1
Hostway Services, Inc. (hostway.com) : RAA 3.3.1
Hu Yi Global Information Resources (Holding) Company : RAA 3.3.1
Humeia Corporation : RAA 3.3.1
ID Genesis, LLC (idgenesis.com) : RAA 3.3.1
Instra Corporation Pty Ltd. (instra.com) : RAA 3.3.1
Interdomain S.A. (interdomain.es) : RAA 3.3.1
Intermedia.NET, Inc. (intermedia.net) : RAA 3.3.1
Internet Group do Brasil S.A : RAA 3.3.1, 3.7.5.6, 3.7.5.12
Internet Invest, Ltd. dba Imena.ua : RAA 3.3.1
Internet Solutions (Pty) Ltd. (is.co.za) : RAA 3.3.1, 3.7.5.6, 3.7.5.13
INTERNET.BS CORP : RAA 3.7.5.3, 3.7.7.2, and 3.7.10
InterNetworX Ltd. & Co. KG (inwx.de) : RAA 3.3.1
IREGISTRY CORP. /iregistry.com : RAA 3.16
ITPAN.COM INC./itpan.com : RAA 3.16
iWelt AG (iwelt.de) : RAA 3.3.1,3.7.5.6, 3.7.5.14
Jetpack Domains, Inc. : RAA 3.3.1
Key-Systems GmbH (key-systems.net) : RAA 3.3.1,3.7.5.6, 3.7.5.15
KomPlex.Net GmbH : RAA 3.7.5.6, 3.7.5.16
Launchpad, Inc. (launchpad.com) : RAA 3.3.1
Ledl.net GmbH dba: Domaintechnik.at : RAA 3.3.1
M. G. Infocom Pvt. Ltd. (mindgenies.com) : RAA 3.7.5.6, 3.7.5.17, 3.3.1
Marcaria.com International, Inc. : RAA 3.3.1
Mobiline USA, Inc. dba domainbonus.com : RAA 3.7.5.6, 3.7.5.18
NameCheap : RAA 3.3.1, 3.7.2, 3.8, 3.8, 3.7.8
Namehouse, Inc. : RAA 5.3.1

KnujOn.com, LLC
Updated: 6/20/2010 Page 6
NameScout : RAA 3.3.6
Nameshield (nameshield.net) : RAA 3.3.1
NET 4 INDIA LIMITED/net4.in : RAA 3.16
Netdorm, Inc. dba DnsExit.com : RAA 3.3.1
Netfirms, Inc. : RAA 3.3.1
Netpia.com, Inc. : RAA 3.3.1
NetraCorp LLC dba Global Internet : RAA 3.3.1
NetRegistry Pty Ltd. (netregistry.com) : RAA 3.3.1
NetTuner Corp. dba Webmasters.com : RAA 5.3.1
Network Solutions : RAA 3.3.6
New Great Domains, Inc. (newgreatdomains.com) : RAA 3.3.1
NICCO LTD. /nicco.com : RAA 3.16
Nominalia Internet S.L. (nominalia.com) : RAA 3.3.1
Nordreg AB : RAA 3.3.1
Onlinenic Inc : RAA 3.3.1, 3.8, 3.7.11, 3.16, 5.3.1
Oversee : RAA 3.3.1, 3.3.6, 3.8, 3.7.9
Own Identity, Inc. (ownidentity.com) : RAA 3.7.5.6, 3.7.5.19
Pacnames Ltd (pacnames.com) - No conspicuous terms link : RAA 3.7.5.6, 3.7.5.20
Paknic (Private) Limited : RAA 3.3.1
Planete Marseille SARL dba MailClub (mailclub.fr) : RAA 3.3.1
Porting Access B.V. (portingxs.com) : RAA 3.3.1
Premium Registrations Sweden AB (premiumregistrations.com) : RAA 3.3.1, 3.7.5.6, 3.7.5.21
REGISTER.COM INC./register.com : RAA 3.16
Register4Less, Inc. (Register4Less.com) : RAA 3.3.1
Regtime Ltd. : RAA 3.3.1
RESELLER SERVICES INC./ResellServ.com : RAA 3.16
Samjung Data Service Co., Ltd (direct.co.kr) : RAA 3.3.1
Secura GmbH : RAA 3.3.1
Sedo.com LLC (sedo.com) : RAA 3.3.1
Service Development Center of the Service Bureau(chinagov.cn) : RAA 3.3.1
Simply Named Inc. dba SimplyNamed.com : RAA 3.3.1
SiteName Ltd. : RAA 3.3.1
That Darn Name, Inc. : RAA 3.3.1
The Planet Internet Services, Inc. (theplanet.com) : RAA 3.3.1
The Registry at Info Avenue dba Spirit Telecom (spiritdomains.com) : RAA 3.3.1
TierraNet Inc. d/b/a DomainDiscover: RAA Sections 5.3.1
Tucows : RAA 3.7.5.3, 3.7.7.2, and 3.7.9
UK2 Group Ltd. (uk2group.com) : RAA 3.3.1,3.16
UltraRPM, Inc. dba metapredict.com : RAA 3.7.5.6, 3.7.5.22, 3.3.1
United Domain Registry, Inc. : RAA 3.3.1
USA Webhost, Inc. (usawebhost.com) : RAA 3.3.1, 3.7.5.6, 3.7.5.23
VentureDomains, Inc. (upc360.com) : RAA 3.3.1, 3.7.5.6, 3.7.5.24
Verelink, Inc. (verelink.com) : RAA 3.3.1
Verza Domain Depot BV (verzadomains.com) : RAA 3.3.1
Visesh Infotecnics Ltd. d/b/a Signdomains.com : RAA 3.3.1
VIVID DOMAINS INC/vividdomains.com : RAA 3.16,5.3.1
VocalSpace LLC dba DesktopDomainer.com : RAA 3.3.1
VOLUSION, INC./volusion.com : RAA 3.16
Web Business, LLC (webbusiness.biz) : RAA 3.3.1
Web Commerce Communications Limited dba WebNic.cc : RAA 3.3.1
Web Werks India Pvt. Ltd : RAA RAA Sections 5.3.2 and 5.3.3
Webagentur.at Internet Services GmbH dba domainname.at : RAA 3.3.1
World Biz Domains, LLC : RAA 3.3.1

KnujOn.com, LLC
Updated: 6/20/2010 Page 7
Xiamen ChinaSource Internet Service Co., Ltd (zzy.cn) : RAA 3.3.1
Xiamen eName Network Technology Corp (ename.com) : RAA 3.7.5.6, 3.7.5.25
Ynot Domains Corp. (ynotdomains.myorderbox.com) : RAA 3.7.5.6, 3.7.5.26, 3.16, 5.3.1
Zog Media, Inc. DBA Zog Names (zognames.com) : RAA 3.3.1

About KnujOn.com

KnujOn.com, LLC is an independent, non-sponsored abuse handler and Internet security

research company based in Boston, Massachusetts and Wilmington, Vermont. KnujOn accepts
abuse data in the form of spam and other security threats to develop a clear picture of conditions
facing the Internet. KnujOn builds profiles of online criminal groups, evaluates the quality of
Registrars and Internet Service Providers, issues WHOIS challenges, documents policy failures,
tests compliance mechanisms, issues reports to law enforcement, and educates the public about
complex Internet security issues. We see our role as one of assisting the ordinary Internet user in
navigating the complex technical bureaucracy of the global network and augmenting public
services in the face of rampant illicit electronic traffic. Principle authors of this document are
KnujOn.com CEO Garth Bruen and CTO Dr. Robert Bruen. More information at:
http://www.knujon.com.

Credits and Contributions

Special thanks to Beau Brendler, John Horton, Derek Smythe, Neil Schwartzman, Jart Armin,
Gary C. Kessler, Howard Hoyt, Robert Mount, Ken de Montigny, Justin C. Le Grice, Benjamin
Edelman, B., Kim L, Andrew T., Sean O, Ginny S., Nova, Anonymous HTCIA member, and
Anonymous KnujOn member.

Terms Used
ALAC – At-Large Advisory Committee
Domain Name – A top-level URL like KnujOn.com
DNS – Domain Name System
gTLD – Generic Top Level Domain Names (.COM, .NET, .ORG, .BIZ, .INFO, etc.)
ICANN – Internet Corporation of Assigned Names and Number
IP – Internet Protocol, a four-part Internet machine address like 172.0.0.1. “IP” may also refer to Intellectual Property, but
is not abbreviated as such in this document
ISP – Internet Service Provider, may be a Registrar also but not in every case
Malware – Malicious software, viruses, Trojans, etc
NameServer – A domain name that serves other domain names, associates them with IP addresses
RAA – Registrar Accreditation Agreement, the common contract between ICANN and a Registrar
Registrar – A company that sells domain names under its accreditation with ICANN
Spam – Unsolicited email with forged headers and no functioning opt-out
UDRP – Uniform Dispute Resolution Procedure
WHOIS – A technical query tool that returns ownership of a domain name
WIPO – World Intellectual Property Organization(wipo.int), a body that resolves trademark disputes

KnujOn.com, LLC
Updated: 6/20/2010 Page 8
Table of Contents

Section I: Registrar Accreditation Agreement Compliance………………………………………Page 12

Introduction by Beau Brendler
A. Public WHOIS, Website and Port 43 Access (RAA 3.3.1)
Registrar Web-based WHOIS Access
Registrar Port 43 WHOIS Access
B. Bulk WHOIS Access for $10K per year (RAA 3.3.6)
C. Registrars, Laws and Regulations (RAA 3.7.2)
eNom Becomes Accessory to Ongoing Criminal Activity
D. Issues of inaccurate WHOIS (RAA 3.7.5.3, 3.7.7.7, and 3.7.9)
15 day fix for bad WI
WI complaints
eNom and qualitydrugs.org
BIZCN and cyberrxsavers.com
E. Registrar must display fees and display deletion policies (RAA 3.7.5.6/3.7.5.5)
F. UDRP Compliance and speculation holding (RAA 3.8 and 3.7.8)
NameCheap as “WhoisGuard”
Oversee as “Moniker Privacy”
eNom as “Whois Privacy Protection Service Inc.”
OnLineNIC, INC. as “ABSOLUTEE CORP. LTD.”
G. Reseller obligations (RAA 3.12)
Acquire This Name inc
H. Disclosure of Registrar Address (RAA 3.16)
2009 RAA Registrars Not Displaying Address
Non-2009 RAA Registrars Not Displaying Address
De-accredited Registrars Not Displaying Address
Unclear Status Registrars Not Displaying Address
Serious Issues
OnlineNIC
A Technology Company, Inc. (namesystem.com)
I. Material Falsification in Registrar Application (RAA 5.3.1)
Business Registrations Not Found
J. Legal issues with Registrar (RAA 5.3.2)
Abacus America, Inc. d/b/a Names4ever
K. Registrar Officer Legal Issues (RAA 5.3.3)
Web Werks India Pvt. Ltd, AKA D For Domains, AKA wwindia.net, AKA SUVIP INC.
L. Acting in a manner that endangers stability (RAA 5.3.6)
M. Miscellaneous: Registrars without a functioning website
N. Recommendations for these issues

Section II: WHOIS Issues………………………………………………………………………...Page 53

A. Registrar WHOIS Validity
Registrars with False WHOIS
Parava and OnlineNIC
A Technology Company, Inc. (namesystem.com)
B. Nameserver WHOIS Validity and Legitimacy
Bad Nameserver WHOIS: Contact Emails
.NAME NameServers
Soviet Union (.SU) NameServers
C. The Next Phase of WHOIS validation
D. Material falsification of WI privacy/proxy
U.S. v. Kilbride
secureordercheckout.info and GKG
E. Invalid Privacy Services
WhoisGuard (NameCheap)
PrivacyProtect
INTERNET.BS CORP. “Private Whois Service”
From Bad WHOIS to Bad Privacy

Section III: Illicit Activity in gTLD Space………………………………………………………Page 70

Introduction By John Horton
A. NameServers problems
B. Trademark and Illicit Product Traffic Issues
Verizon v. DirectNIC

KnujOn.com, LLC
Updated: 6/20/2010 Page 9
 Viagra project
C. The Spam/Pharma/Domain Abuse/Rogue Registrar Connection
Introduction by Neil Schwartzman
eNom, spam and GlavMed
D. Registrar Support of Illicit Pharmacy Networks
Introduction by Jart Armin
Real Time Register BV and Rx-Partners Illicit Pharmacy Network
E. BBB Complaints, AG consumer complaints
F. Five Registrars Dominate the Market, is it Anti-trust?
G. Breach Notices
H. Defunct Registrars
Terminated Registrars still selling gTLD and/or claiming ICANN accreditation
Defunct Registrars with unclear status
Clearly Defunct Registrars
Terminated Registrars with inoperable websites
I. Soviet Union (.SU) Policy and Status Unclear
J. Moot Issues

Closing Recommendations

KnujOn.com, LLC
Updated: 6/20/2010 Page 10
KnujOn.com, LLC
Updated: 6/20/2010 Page 11
Section I: Registrar Accreditation Agreement Compliance

“These failure numbers should be much, much lower. And there should be no ICANN-accredited registrars
among them. ICANN's compliance department needs to act swiftly and decisively, as it is obligated to do.
Unfortunately, we have some bad actors who, given the nature of the technology, can completely compromise
consumer trust in the Internet no matter what the good actors do. All it takes is one
www.bsasafetydownload.com and a company like Innovative Marketing can bilk consumers worldwide out of
$100 million.”

-Beau Brendler, managing editor, AOL Money and Finance's Consumer Ally and a
longtime investigative reporter

All Generic Top-Level Domain (gTLD) Registrars must enter into an agreement with ICANN
called the Registrar Accreditation Agreement (RAA). This contract outlines the formal relationship
between ICANN and a Registrar, including contractual obligations of the Registrar and by
extension the registrant. There are currently two versions of the RAA in use, a 2001 and a 2009
version. All Registrars still contracted under the 2001 version must certify under the 2009 version
when their existing contract period ends, and they must comply with the 2001 version before
being allowed to sign-on to the 2009 version. With the exception of some amendments,
discussed here where appropriate, the two contracts are more similar than different.

What follows is an evaluation of Registrar compliance with sections of the RAA that are
observable from outside ICANN and the Registrar community. Where appropriate, we examine a
Registrar’s compliance failure as it relates to illicit activity occurring within the Registrar’s space. It
is our contention is that poor policy enforcement creates an environment of permissiveness and
opens the door to criminality.

Reference

Registrar Accreditation Agreement, 17 May 2001:

http://www.icann.org/en/registrars/ra-agreement-17may01.htm

Registrar Accreditation Agreement, 21 May 2009:

http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm

Uniform Domain Name Dispute Resolution Policy:

http://www.icann.org/en/udrp/udrp.htm
http://www.icann.org/en/dndr/udrp/policy.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 12
A. 3.3.1 Public WHOIS, Website and Port 43 Access

“3.3.1 At its expense, Registrar shall provide an interactive web page and a port 43 Whois service providing free
public query-based access to up-to-date (i.e., updated at least daily) data concerning all active Registered
Names sponsored by Registrar for each TLD in which it is accredited.”

Registrars are in a position of trust and they are supposed to be leading by example. They willingly agreed to
uphold the RAA.

What faith can we have in a registrar that deliberately blocks port 43 DNS lookups. Not only does this deny the
ordinary user the right to look at whois details and decide if he wishes to have any dealings with a domain
owner or not, it also breaks various mechanisms in the WDPRS system. We saw this happen recently with
Alantron where despite gross domain registration abuse, no WDPRS complaints could be lodged for a period of
time.

Alantron abused their privileged position and deliberately jeopardized the ordinary internet user. Even still
today, despite a breach notice, Alantron's online whois look facility is lacking as it does not display complete
whois records for domains they sponsor and deliberately hides information.

We must not confuse privacy with anonymity and unaccountability, the latter is enemy to the first.

-Derek Smythe, Artists Against 419

Registrar Web-based WHOIS Access

Most Registrars have a clearly-marked WHOIS link or form on their homepage. The following
Registrars have no obvious path to a WHOIS interface and a reasonable attempt to find the
WHOIS interface did not prove successful. In several of these cases we solicited the help of
ordinary Internet users to try and find the web-based WHOIS engine and then verified their
findings.

VocalSpace LLC dba DesktopDomainer.com – “Login Screen” Only

Alfena, LLC (alfena.com) – WHOIS link goes to eNom. Registration agreement does not
mention relationship with eNom or Demand Media.

UltraRPM, Inc. dba metapredict.com – WHOIS on homepage but does not function properly

EnetRegistry, Inc. (enetregistry.net) - “Login Screen” Only

AusRegistry Group Pty Ltd (ausregistry.com) - Domain search only, directs user to port 43

Advanced Internet Technologies, Inc. (aitdomains.com) - Domain search only, access to

whois.aitdomains.com requires registration and password login.

NetRegistry Pty Ltd. (netregistry.com) – Refers visitors to http://www.geektools.com/whois.php

Autica Domain Services Inc. (autica.com) - WHOIS link redirects browser to us2.net which
does not supply full WHOIS

KnujOn.com, LLC
Updated: 6/20/2010 Page 13
The Following Registrars have a “Domain Lookup” which is not the same as a WHOIS

This is also a violation of RAA Sections 3.3.1.1 - 3.3.1.8

Zog Media, Inc. DBA Zog Names (zognames.com)

Hosting.com, Inc.
Add2Net Inc. (lunarpages.com)
Bottle Domains, Inc. (bottledomains.com.au)`
Cheapies.com Inc. (cheapies.com)
Domainz Limited (domainz.com)
Nominalia Internet S.L. (nominalia.com)
Sedo.com LLC (sedo.com)
DomainSpa LLC (domainspa.com)
Register4Less, Inc. (Register4Less.com)
Verelink, Inc. (verelink.com)

The Following Registrars either have no apparent web-based WHOIS

USA Webhost, Inc. (usawebhost.com)

Verza Domain Depot BV (verzadomains.com)
Premium Registrations Sweden AB (premiumregistrations.com)
VentureDomains, Inc. (upc360.com)
The Planet Internet Services, Inc. (theplanet.com)
Digitrad France (digitrad.com)
New Great Domains, Inc. (newgreatdomains.com)
Porting Access B.V. (portingxs.com)

KnujOn.com, LLC
Updated: 6/20/2010 Page 14
Registrar Port 43 WHOIS Access

For a period 71 days KnujOn tested the Port 43 WHOIS accessibility of each unique Registrar,
we did not test multiple accreditations held by the same companies and only tested once per day
to avoid being blacklisted. Our findings were disappointing - with 27 Registrars having major or
regular Port 43 outages. Port 43 is a command-line query location set up for WHOIS queries. The
typical call would be:

Whois –h whois.registrar.com somedomain.com

Some operating systems have WHOIS built-in; others require a utility to be installed but the
functionality is usually the same. “-h” indicates the host to be used for the session, this is followed
by the WHOIS address and then domain record being queried.

More troubling were the 57 Registrars who would not disclose their Port 43 location. In most
cases the Port 43 is logically located at WHOIS.[REGISTRARDOMAIN].[TLD], for example
“whois.networksolutions.com” for NetworkSolutions. Sometimes it is located at a different domain
as in the case of Xin Net, the Port 43 is hosted at whois.paycenter.com.cn. In most cases we
were able to find alternate Registrar WHOIS locations easily but for scores of them we had to ask
the Registrar. A handful quickly responded with the correct location, but most never responded,
and in a few cases our email was rejected from the ICANN-listed Registrar contact email. A small
minority wanted to know why we were asking, but we logged this as non-response since the RAA
does allow for Registrar discrimination in the access to WHOIS. Registrars who only failed once
during the study period were treated the same as ones that never failed since minor interruptions
in service are to be expected, the focus of this study is to determine if Registrars have frequent or
persistent Port 43 issues.

Marcaria.com International, Inc. was the worst, their Port 43 WHOIS worked at beginning of the
test period and stopped responding on March 30 for a total of 14 successful days out of 71. That
Darn Name, Inc., which became intrustdomains.com during the test period, had serious regular
outages only responding a total of 38 days, slightly more than a 50% success rate. South
America Domains Ltd. dba namefrog.com also started off ok but ceased responding after 46 days
on May 10 (South America Domains was terminated, but status is unclear).

OnlineNIC had the worst record in terms of consistency, failing 25 times, intermittently during the
study period making their reliability about 65%. OnLineNic was in fact worse during the study
period than Alantron, which received a breach notice for failing to consistently provide Port 43
service (http://www.icann.org/correspondence/burnette-to-acir-16apr10-en.pdf) as recorded by
KnujOn for at least 12 days during the study period. In addition to OnlineNIC being worse than
Alantron during this period, World Biz Domains had the exact same Port 43 record responding
only 79% of the time. The following is a chart of all Registrars who had regular failures or less
than perfect performance.

KnujOn.com, LLC
Updated: 6/20/2010 Page 15
Registrar Percent of
failures success
Marcaria.com International, Inc. 57 20%
That Darn Name, Inc. 33 54%
South America Domains Ltd. dba namefrog.com* 25 65%
Onlinenic Inc 25 65%
Alantron 15 79%
World Biz Domains, LLC 15 79%
Netfirms, Inc. 12 83%
Freeparking Domain Registrars, Inc. 9 87%
Good Luck Internet Services PVT, LTD. 8 89%
Hebei Guoji Maoyi LTD dba HebeiDomains.com 8 89%
Jetpack Domains, Inc. 8 89%
United Domain Registry, Inc. 8 89%
NetraCorp LLC dba Global Internet 7 90%
2030138 Ontario Inc. dba NamesBeyond.com 7 90%
Web Commerce Communications Limited dba
WebNic.cc 7 90%
GKG.NET, INC. 4 94%
Netpia.com, Inc. 4 94%
Paknic (Private) Limited 3 96%
Advanced Internet Technologies, Inc. (AIT) 2 97%
Galcomm, Inc. 2 97%
Guangzhou Ming Yang Information Technology Co.,
Ltd 2 97%
Internet Invest, Ltd. dba Imena.ua 2 97%
Moniker 2 97%
Nordreg AB 2 97%
Visesh Infotecnics Ltd. d/b/a Signdomains.com 2 97%
SiteName Ltd. 2 97%
Regtime Ltd. 2 97%

*Registrar de-accredited

KnujOn.com, LLC
Updated: 6/20/2010 Page 16
The following 55 Registrars did not respond to our inquiry about their Port 43 WHOIS. In
all cases the contact email presented on the InterNIC directory was used:

21Company, Inc. dba 21-domain.com

Abansys & Hostytec, S.L.(abansys.com)
1st Antagus Internet GmbH (antagus.de)
AOL LLC (aol.com)
Aruba SpA(aruba.it)
Aust Domains International Pty Ltd dba Aust Domains, Inc.(austdomains.com)
Brights Consulting Inc.(brights.jp)
Service Development Center of the Service Bureau(chinagov.cn)
China Springboard, Inc.(chinaspringboard.com/namerich.cn)
Cronon AG Berlin, Niederlassung Regensburg(cronon.org)
AllGlobalNames, S.A. dba Cyberegistro.com
VocalSpace LLC dba DesktopDomainer.com
Digitrad France (digitrad.com)
Samjung Data Service Co., Ltd (direct.co.kr)
Netdorm, Inc. dba DnsExit.com
French Connexion dba Domaine.fr
Domain Jamboree, LLC (domainjamboree.com)
The Registry at Info Avenue dba Spirit Telecom (spiritdomains.com)
Domain Monkeys, LLC domainmonkeys.com
Webagentur.at Internet Services GmbH dba domainname.at
DomainRegistry.com Inc.
DomainSpa LLC (domainspa.com)
Ledl.net GmbH dba: Domaintechnik.at
DotArai Co., Ltd. (dotarai.co.th)
Gee Whiz Domains, Inc. (geewhizdomains.com)
Hetzner Online AG (hetzner.de)
Digirati Informatica Servicos e Telecomunicacoes LTDA dba Hostnet.com
Hostway Services, Inc. (hostway.com)
ID Genesis, LLC (idgenesis.com)
Instra Corporation Pty Ltd. (instra.com)
Interdomain S.A. (interdomain.es)
Intermedia.NET, Inc. (intermedia.net)
InterNetworX Ltd. & Co. KG (inwx.de)
Internet Solutions (Pty) Ltd. (is.co.za)
FBS Inc. (isimtescil.com)
iWelt AG (iwelt.de)
Key-Systems GmbH (key-systems.net)
Launchpad, Inc. (launchpad.com)
Advantage Interactive Ltd.(LCN.com)
Add2Net Inc. (lunarpages.com)
Planete Marseille SARL dba MailClub (mailclub.fr)
M. G. Infocom Pvt. Ltd. DBA MindGenies (mindgenies.com)
Nameshield (nameshield.net)
New Great Domains, Inc. (newgreatdomains.com)
Porting Access B.V. (portingxs.com)
AB RIKTAD (riktad.com)
Sedo.com LLC
Simply Named Inc. dba SimplyNamed.com
Domain Services Rotterdam BV (tellus.com)

KnujOn.com, LLC
Updated: 6/20/2010 Page 17
UK2 Group Ltd. (uk2group.com)
HooYoo (US) Inc. (us.hooyoo.com)
Verelink, Inc. (verelink.com)
Web Business, LLC (webbusiness.biz)
Xiamen ChinaSource Internet Service Co., Ltd (zzy.cn)

Additional Issues with the following Registrar contacts

Internet Group do Brasil S.A. (http://www.internic.org/registrars/registrar-1380.html) – Email

sent to their Internic/ICANN listed contact address was rejected. Internet Group was also issued a
breach notice for failing to provide Port 43 access
(http://www.icann.org/correspondence/burnette-to-malinardi-02apr10-en.pdf)

Black Ice Domains, Inc. (http://www.internic.org/registrars/registrar-1017.html) - Email sent to

their Internic/ICANN listed contact address was rejected.

Domainfactory GmbH (http://www.internic.org/registrars/registrar-1401.html) – Responded that

they are NOT an ICANN accredited Registrar and not required to have a public WHOIS. However
they are listed as an accredited Registrar by ICANN and sell gTLD domains on their website. We
have asked ICANN for clarification.

Humeia Corporation (http://www.internic.org/registrars/registrar-951.html) - Instead of answering

our question, Humeia directed us to the InterNIC website to use their WHOIS look up.

Secura GmbH (http://www.internic.org/registrars/registrar-111.html) - Wanted to know why we

were asking.

Hu Yi Global Information Resources (Holding) Company -

(http://www.internic.net/registrars/registrar-1402.html) - Wanted to know why we were asking.

KnujOn.com, LLC
Updated: 6/20/2010 Page 18
C. Bulk Access for $10,000 US Per Year or Less (RAA 3.3.6)

“3.3.6 In addition, Registrar shall provide third-party bulk access to the data subject to public access under
Subsection 3.3.1 under the following terms and conditions:
...
3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one (1) time per week for
download by third parties who have entered into a bulk access agreement with Registrar.
...
3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.”

We asked some of the biggest Registrars two simple questions: 1. How much would you charge
for bulk access? And, 2. How frequently can we download? These are their responses.

NameScout:

“Unfortunately we don't offer this service.”

Network Solutions:

“Network Solutions does not sell bulk access to the Whois.”

eNom: No response

Dotster: No response

Moniker/Oversee: No response

This lack of adherence to the RAA in terms of WHOIS service delivery represents an overall
failure of the Registrar community to supply the basic technical products required in their
contracts. If the Registrars cannot perform simple contract functions, the stability of the remainder
of the operations is also in question. Even worse, these Registrars could simply be obfuscating a
service they wish not to provide.

KnujOn.com, LLC
Updated: 6/20/2010 Page 19
D. Registrars, Laws and Regulations (RAA 3.7.2)

“3.7.2 Registrar shall abide by applicable laws and governmental regulations.”

It is an obligation of the Registrar to adhere to law and regulation as condition of their contract
with ICANN. While Registrars claim they need court orders to suspend a domain, this is simply
untrue in the case of domains used for criminal activity. If a Registrar fails to respond to a court
order, they are then also in violation, but the contractual obligation of section 3.7.2 requires
adherence to the law and regulation regardless of any official government action.

eNom Becomes Accessory to Ongoing Criminal Activity

Since December, 2009 eNom has transitioned from being a passive service provider to become
an active facilitator of illicit criminal traffic, and possibly a knowing accessory, under the common
definitions:

“Facilitation...renders one guilty when he engages in conduct which assists [another

person] in obtaining the means or opportunity to commit the crime and in fact his conduct
does aid the person to so commit it” 2

“Accessory, one who aids or contributes in a secondary way or assists in or contributes to

a crime as a subordinate.” 3

eNom did receive instructions from the National Association of Boards of Pharmacy (NABP) on
December 23, 2009 requesting they cooperate with LegitScript and respond to consumer
complaints about rogue Internet pharmacies sponsored by eNom
(http://legitscript.com/download/NABP-Letter-to-eNom.pdf). The letter clearly indicated what
constitutes a rogue Internet pharmacy and summarized eNom’s involvement in this activity. For
those unacquainted with U.S. pharmacy regulation, the local pharmacies boards, working under
the umbrella of the NABP are the primary regulatory bodies for pharmacy. LegitScript is a private
company authorized by the NABP to advise on these issues. On December 1, 2009 eNom
received a letter from LegitScript indicating which eNom-sponsored pharmacy domains were in
violation of the law. Throughout December of 2009 and January of 2010, eNom received letters
from the pharmacy boards of Manitoba, Minnesota, Ontario, Quebec, and Texas indicating that
the “pharmacy licenses” posted by domains sponsored by eNom were all forgeries. eNom did not
respond to any of these notices and did not remove any of the domains in question. There is no
doubt that eNom is aware of the criminal nature of their customers’ domains. eNom was also
alerted to the fact that investigators were able to by drugs without a prescription from the eNom-
sponsored domain “canadianhealthcaremall.net.” 4 As of this writing,
canadianhealthcaremall.net remains online.

2
Barron’s Law Dictionary, Steven H. Gifis 1991 p179
3
Barron’s Law Dictionary, Steven H. Gifis 1991 p5
4
Rogues and Registrars, http://www.legitscript.com/blog/120

KnujOn.com, LLC
Updated: 6/20/2010 Page 20
There is a difference legally between a company that unknowingly facilitates violation of a
criminal statute, and one that does so knowingly. Registrars should not be expected to monitor
every website, and often, Registrars should not be expected to know what is legal and what is
not. But it is also well-established that third parties cannot turn a blind eye to their own facilitation
of criminal activity by others: the knowing facilitation of criminal activity by a third party can
subject that third party to criminal penalties, for example, as an accessory.

Below are the statutes we believe eNom is facilitating violation of:

21 USC 353(b)(1). This is one of the two main federal statutes that makes the sale of any
prescription drugs without a prescription is a criminal offense. It states:

...(a) drug intended for use by man which...is not safe for use except under
the supervision of a practitioner licensed by law to administer such drug; or (b) is limited
by an approved application under section 355 of this title to use under the professional
supervision of a practitioner licensed by law to administer such drug; shall be dispensed
only (i) upon a written prescription of a practitioner licensed by law to administer such
drug, or (ii) upon an oral prescription of such practitioner which is reduced promptly
to writing and filed by the pharmacist, or (iii) by refilling any such written or oral
prescription if such refilling is authorized by the prescriber either in the original
prescription or by oral order which is reduced promptly to writing and filed by the
pharmacist. The act of dispensing a drug contrary to the provisions of this
paragraph shall be deemed to be an act which results in the drug being
5
misbranded while held for sale.

The last sentence above refers to the “drug being misbranded.” This means that selling a
prescription drug without a prescription violates the federal misbranding statute, which prohibits
"...the introduction or delivery for introduction into interstate commerce of any food, drug, device,
or cosmetic that is adulterated or misbranded." 6

Misbranding is defined as a criminal offense by 21 USC 333 (http://frwebgate.access.gpo.gov/cgi-

bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+21USC333).

5
Title 21 United States Code (USC) Controlled Substances Act,
http://www.justice.gov/usao/eousa/foia_reading_room/usam/title4/civ00113.htm
6
Title 21 United States Code (USC) Controlled Substances Act,
http://www.fda.gov/RegulatoryInformation/Legislation/FederalFoodDrugandCosmeticActFDCAct/FDCActChapterIIIProhibit
edActsandPenalties/ucm086300.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 21
 21 USC 841. Sale of controlled substances without a prescription is a criminal
offense. 7

Certain prescription drugs are called controlled substances, and are designated as such by the
DEA. The sale of these products without a valid prescription is a criminal offense under both 21
USC 353(b)(1) and 21 USC 331(a), as well as 21 USC 841
(http://www.justice.gov/usao/eousa/foia_reading_room/usam/title4/civ00113.htm).

21 USC §331(aa) also prohibits the importation of prescription drugs, prohibiting "(t)he
importation of a prescription drug in violation of section 384 of this title...." 8

Although there has been some intentional obfuscation of this issue (websites sometimes
untruthfully state that importing prescription drugs is legal). The bottom line is that importing a
prescription drug directly to the patient from outside of the US (e.g., from India, etc.) is not legal
under this statute

We will not cite all 50 state laws here, but two areas are pertinent: 1. depending on the state, it is
either a criminal or regulatory violation to ship prescription drugs into the state without a
pharmacy license in that state, and 2. it is generally a criminal offense to pretend to be a
pharmacy without being licensed as one. We cite Washington State law here because eNom is
located there. Revised Code of Washington (RCW) 18.64.250 provides:

“(1) Any person not a licensed pharmacist and not having continuously and regularly in
his employ a duly licensed pharmacist within the full meaning of this chapter, who shall
practice pharmacy; or (2) Any person who shall permit the compounding and dispensing
of prescriptions, or vending of drugs, medicine…” and

“(6) Any person who shall take or use or exhibit in or upon any place of business… or by
electronic media, or in any other manner, the title of pharmacist, pharmacy intern,
pharmacy assistant, druggist, pharmacy, drug store, medicine store, drug department,
drugs, drug sundries, or any title or name of like description or import, or display or permit
to be displayed upon said place of business the characteristic pharmacy symbols, bottles
or globes, either colored or filled with colored liquids, without having continuously and
regularly employed in his or her shop, store, or place of business, during business hours
of the pharmacy, a pharmacist duly licensed under this chapter; shall be guilty of a
misdemeanor, and each and every day that such prohibited practice continues shall be
deemed a separate offense.” 9

The “electronic media” in this case is the domain name under the control of eNom, and as a
knowing accessory they are liable for every day the domains remain operable. Similar language
exists in all states.
eNom is of particular concern because they sponsor more illicit pharmacy than the next "top five"
pharmacy-sponsoring Registrars combined. It is not reasonable to conclude that this is an area of
the law where eNom can claim to not be aware of the illegal behavior because they have been
provided with screenshots of hundreds of websites with names like
“noprescriptionpharmacy.biz” which clearly state they are selling prescription drugs without a
prescription in addition to the letters from received from the NABP identifying them as a sponsor
of Internet pharmacy crime and asking that they address the problem.

7
Title 21 United States Code (USC) Controlled Substances Act, http://www.deadiversion.usdoj.gov/21cfr/21usc/841.htm
8
Title 21 United States Code (USC) Controlled Substances Act,
http://www.fda.gov/RegulatoryInformation/Legislation/FederalFoodDrugandCosmeticActFDCAct/FDCActChapterIIIProhibit
edActsandPenalties/ucm086300.htm
9
Revised Code of Washington, http://apps.leg.wa.gov/rcw/default.aspx?cite=18.64.250

KnujOn.com, LLC
Updated: 6/20/2010 Page 22
It is also important to note also that the Communications Decency Act
(http://www.fcc.gov/Reports/tcom1996.txt) only immunizes defendants from non-intellectual
property claims and non-criminal complaints. Illicit drug sales is both a criminal act as well as an
intellectual property violation since most websites deal in counterfeit or unauthorized sales
of trademarked drugs.

“(1) NO EFFECT ON CRIMINAL LAW- Nothing in this section shall be construed to

impair the enforcement of section 223 of this Act, chapter 71 (relating to obscenity) or
110 (relating to sexual exploitation of children) of title 18, United States Code, or any
other Federal criminal statute.
(2) NO EFFECT ON INTELLECTUAL PROPERTY LAW- Nothing in this section shall be
construed to limit or expand any law pertaining to intellectual property.” 10

These are therefore the facts. There are roughly 4,000 rogue Internet pharmacies violating the
criminal laws specified above that are utilizing eNom's registration services, more than any other
Registrar by a factor of seven. eNom is aware of the illegal nature of these domains. eNom has
been notified by the organization that represents pharmacy regulatory authorities about this
problem, and has been requested to work with LegitScript, as other U.S.-based Registrars do,
and non-U.S. Registrars who do business in the United States, to identify clearly illegal websites
and suspend them in accordance with the RAA, UDRP and their own Terms and
Conditions. eNom has failed to act.

The facts support a conclusion that eNom has become an accessory to violation of the criminal
statutes listed above, by virtue of knowingly continuing to permit registration of these sites, and
refusing to suspend the domains once being put on notice. An accessory being a party who
assists in the commission of a crime, but who does not actually participate in the commission of
the crime as a joint principal. No one is suggesting that eNom is a principal in these cases.
However, without their sponsorship of domains, like canadianhealthcaremall.net, the illicit activity
would not exist. So it follows that eNom is facilitating crimes committed by the owners of
canadianhealthcaremall.net because eNom knowingly provides them with the means and
opportunity to commit a crime. We have already established eNom has full knowledge of the
crimes documented and from that day their inaction helps the criminals commit additional crimes
and even evade detection through privacy services.

The eNom domains have violated the law; their continued existence is only possible with eNom’s
knowing cooperation. This makes eNom party to the crime. Whether actively or ignorantly
involved, there is no question that eNom has become an arm of illicit international drug traffic, a
resource modern organized crime cannot exist without.

10
The Telecommunications Act of 1996, http://www.fcc.gov/Reports/tcom1996.txt

KnujOn.com, LLC
Updated: 6/20/2010 Page 23
E. Issues of inaccurate WHOIS in Illicit Drug Domains (RAA 3.7.5.3, 3.7.7.2, and 3.7.8)

“3.7.5.3 In the absence of extenuating circumstances (as defined in Section 3.7.5.1 above), a domain name
must be deleted within 45 days of either the registrar or the registrant terminating a registration agreement.”

“3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure
promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days
to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name
Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be
a basis for cancellation of the Registered Name registration.”

3.7.8 Registrar shall abide by any specifications or policies established according to Section 4 requiring
reasonable and commercially practicable (a) verification, at the time of registration, of contact information
associated with a Registered Name sponsored by Registrar or (b) periodic re-verification of such information.
Registrar shall, upon notification by any person of an inaccuracy in the contact information associated with a
Registered Name sponsored by Registrar, take reasonable steps to investigate that claimed inaccuracy. In the
event Registrar learns of inaccurate contact information associated with a Registered Name it sponsors, it shall
take reasonable steps to correct that inaccuracy.

As we will see below Registrars are bending the rules in favor of illicit pharmacies. In all cases we
reported the inaccurate WHOIS to ICANN and the registrant did not update the information after
45 days. We confirmed with ICANN that the information was still inaccurate at the end of the 45
day period. At that point the registrant was allowed to update the information and the Registrar
did not delete the domain. In these cases the Registrar skirted the RAA provisions in favor of an
illicit pharmacy past the mandated time limit. While we cannot know if the Registrar took
“reasonable steps to investigate” we assume they did not because no action was taken until long
after the 45 day period and only after KnujOn’s second notification.

eNom, RE: qualitydrugs.org

Original WHOIS:
Registrant Street1:Krasnoznamennaya str. 11/47
Registrant City:San Francisco
Registrant State/Province:
Registrant Postal Code:--
Registrant Country:US
Registrant Phone:+1.48546776

KnujOn.com, LLC
Updated: 6/20/2010 Page 24
The city and street are incompatible, the phone number is incomplete. Inaccuracy report by
KnujOn April 19, 2010, inaccuracy still existed on June 4, 2010 and the domain had not been
deleted. We reported such but the domain remained online. The WHOIS record was updated
June 12, 2010, and additional eight days after the 45-day period.

Tucows, RE: ON-LINEPHARMACYUK.COM

Original WHOIS:
Technical Contact:
Pharma, UK hpraymond@hotmail.com
46 Gordon St South Shield
Great, NULL
GB
9991111999

This ON-LINEPHARMACYUK.COM WHOIS record had a bogus phone number. KnujOn filed a
complaint with ICANN on April 19, 2010 and the WHOIS was unchanged after 45 days. Even
though we affirmed with ICANN that this complaint was unresolved after 45 days, the registrant
was allowed to update the record and the Registrar has kept the domain online.

INTERNET.BS CORP., RE: pharm2day.com, ordercure.com, and tadalafilindia.com

These domains use INTERNET.BS’ invalid privacy service (see Section II Part F) which declares
“*******PLEASE DO NOT SEND LETTERS******” and claims to be in the

KnujOn.com, LLC
Updated: 6/20/2010 Page 25
Bahamas but uses a Hong Kong phone number. These domains remain online with
unchanged WHOIS with this invalid privacy service.

BIZCN.COM, RE: cyberrxsavers.com

The WHOIS for this BIZCN-sponsored domain originally had no address or phone number
information. We filed a complaint with ICANN on May 17, 2010. After the 45 day period the
WHOIS remained unchanged and the domain was still active. We complained to ICANN a second
time and the domain was suspended, for 3 days. The domain was allowed to come back online
with new WHOIS in violation of ICANN rules.

These cases suggest that some Registrars are engaging in a pattern of protection for illicit
pharmacy domains. This activity may be considered collusion 11 by some which is beyond the
facilitation discussed in Section I Part D. This also suggests that ICANN compliance is allowing
Registrars to bend the rules in terms of WHOIS inaccuracy. While Registrars often claim they are
unaware of how a domain is being used and what other fraudulent activity is occurring. However,
the reinstatement or continuity of a domain in violation of ICANN rules may be the “smoking gun”
that indicates how important these illegal domains are to their business. Otherwise, why would a
Registrar bother to maintain them after they have been given a completely valid reason to delete
the domain? When illicit pharmacy domains are reported to Registrars they often claim they
cannot suspend them, but false WHOIS gives Registrars the contractual authority and obligation
to suspend the domains. One might assume that Registrars would be happy to have an excuse to
cut off troublesome domains, but they are instead taking extra measures to ensure their
preservation.

11
“Collusion: secret agreement or cooperation especially for an illegal or deceitful purpose”, http://www.merriam-
webster.com/dictionary/collusion

KnujOn.com, LLC
Updated: 6/20/2010 Page 26
F. Registrar Must Display Fees and Deletion Policies (RAA 3.7.5.6/3.7.5.5)

“3.7.5.5 If Registrar operates a website for domain name registration or renewal, details of Registrar's deletion
and auto-renewal policies must be clearly displayed on the website.”

“3.7.5.6 If Registrar operates a website for domain registration or renewal, it should state, both at the time of
registration and in a clear place on its website, any fee charged for the recovery of a domain name during the
Redemption Grace Period.”

This is an issue of consumer trust. The domain customer is entitled to know how much the
products cost and what the terms of service are over a period of years. Some Registrars have not
disclosed or buried their most crucial customer information.

VentureDomains, Inc. (upc360.com) – Policies not posted

Broadspire Inc. (broadspire.com) – Policies not posted

Mobiline USA, Inc. dba domainbonus.com - Policies not posted

Premium Registrations Sweden AB (premiumregistrations.com) - Policies not posted,

“member login”

Internet Group do Brasil S.A. (igempresas.com) – Site does not load

M. G. Infocom Pvt. Ltd. (mindgenies.com) - Policies not posted

Cheapies.com Inc. - Policies not posted

Domain Services Rotterdam BV (tellus.com) – Only reseller information available

Internet Solutions (Pty) Ltd. (is.co.za) - Policies not posted

iWelt AG (iwelt.de) - Policies not posted

Key-Systems GmbH (key-systems.net) – Reporter commented that fee policies were not clear

KomPlex.Net GmbH - Policies not posted

1st Antagus Internet GmbH (antagus.de) – Unable to locate renewal policies

1API GmbH (1apI.de) – Fee policies unclear

Xiamen eName Network Technology Corp (ename.com) – Unable to locate renewal policies

Alantron (alantron.com) – Unable to locate fee policy

Own Identity, Inc. (ownidentity.com) - No conspicuous terms link

Pacnames Ltd (pacnames.com) - No conspicuous terms link

UltraRPM, Inc. dba metapredict.com - No conspicuous terms link

USA Webhost, Inc. (usawebhost.com) - Site Loads default Drupal installation page

KnujOn.com, LLC
Updated: 6/20/2010 Page 27
Ynot Domains Corp. (ynotdomains.myorderbox.com) - Site Loads password-protected
control panel

1 More Name, LLC (1morename.myorderbox.com) – Site Loads password-protected control

panel

KnujOn.com, LLC
Updated: 6/20/2010 Page 28
G. UDRP Compliance and Domain Name Speculation Holding (RAA 3.8 and 3.7.8)

“3.8 Domain-Name Dispute Resolution. During the Term of this Agreement, Registrar shall have in place a
policy and procedures for resolution of disputes concerning Registered Names. Until different policies and
procedures are established by ICANN under Section 4, Registrar shall comply with the Uniform Domain Name
Dispute Resolution Policy identified on ICANN's website (www.icann.org/general/consensus-policies.htm).”

“All registrars must follow the the[sic] Uniform Domain-Name Dispute-Resolution

Policy(http://www.icann.org/en/udrp/udrp.htm)”

Typically, this policy concerns the relationship between the Registrar and the registrant. However,
when the Registrar technically is the registrant and fails to respond to a UDRP proceeding, the
question becomes more complex. In the following cases the Registrar’s WHOIS privacy service
was employed, which makes the Registrar responsible for all communication and ultimately
responsible for the domain name, and the Registrar did not respond to the UDRP.

NameCheap as “WhoisGuard”

The following cases represent some of the most troubling illicit activity in terms domain name
abuse and misuse of privacy services. The registrants have apparently gone to great lengths to
conceal their identities and avoid any responsibility; however the role of this accredited Registrar
cannot be overlooked and must be thoroughly investigated. The bulk of the domains in question
use trademarked drug names which prompted the UDRP claims. The domains themselves were
used as unlicensed online pharmacies. While eNom served as Registrar for these domains they
were mostly registered through NameCheap. While a Registrar in their own right, NameCheap
acted as a reseller for eNom in the case of these domains, and concealed ownership through
NameCheap’s WhoisGuard service. In a normal UDRP the Registrar would disclose the
ownership of a domain name to a complainant. However, eNom merely issued the WhoisGuard-
protected record and the actual ownership was not disclosed by NameCheap. In attempting to
contact “WhoisGuard”, which at this point is actually NameCheap, the respondent (NameCheap)
failed to respond to the UDRP. While domain owners are not obligated to respond the UDPR,
Registrars are. But through careful planning a scheme has been created in which the domain
owner is completely anonymous and unaccountable. In these cases the Registrar (eNom) did
technically comply, but the third-party (WhoisGuard) defaulted the Registrar of record is
technically blameless. WhoisGuard itself is a phantom - neither person nor legal entity in
California. In Section II Part F we explain why WhoisGuard is an invalid privacy service and may
have committed mail fraud. However, it is obvious that WhoisGuard is the privacy protection
service offered by NameCheap. This scheme, by which NameCheap avoids accountability for
domains registered in bad faith and used illicitly, is unacceptable. Their dual role as independent
Registrar and reseller for eNom is highly questionable.

Below we have summarized the trademark violation and NameCheap’s (as WhoisGuard)
response. WIPO documents may be obtained at http://wipo.int by referring to the document
name listed in the table.

KnujOn.com, LLC
Updated: 6/20/2010 Page 29
Site Substance/TradeMark NameCheap Response WIPO Document
buycheapcialis.biz Cialis The Respondent did not reply 2005_d2005-0478
to the Complainant’s
contentions
ambien-zolpidem.info Ambien/Zolpidem The Respondent did not reply 2005_d2005-1267
to the Complainant’s
contentions
tamiflu.net Tamiflu Respondent has failed to 2005_d2005-1288
respond to the Complaint and
has not otherwise actively
participated in these
proceedings.
pfizerhelpfulanswer.com Pfizer The Respondent did not reply 2006_d2006-0911
to the Complainant’s
contentions.
lillywomenshealth.com Lilly The Respondent did not reply 2007_d2007-0162
to the Complainant’s
contentions.
ambien-pills.com Ambien The Respondent did not reply 2007_d2007-1013
to the Complainant’s
contentions.
lexapro-drugs.com, order- Lexapro The Respondent did not reply 2008_d2008-0005
lexapro.com to the Complainant’s
contentions.
valium1.com Valium The Respondent did not reply 2008_d2008-0916
to the Complainant’s
contentions.
xenical-prices.com Xenical Respondent did not reply to 2008_d2008-1552
Complainant’s contentions.
accutaneprices.com Accutane The Respondent did not reply 2008_d2008-1681
to the Complainant’s
contentions.
xenicalweightloss.info Xenical The Respondent did not reply 2009_d2009-1128
to the Complainant’s
contentions.
cvspharmacyonline.org CVS The Respondent did not reply 2009_d2009-1604
to the Complainant’s
contentions.
ambien-next-day.info Ambien The Respondent did not reply 2009_d2009-1671
to the Complainant’s
contentions.
accutaneacnetreatment.info Accutane The Respondent did not reply 2010_d2010-0176
to the Complainant’s
contentions.
swineflutamiflu.info Tamiflu The Respondent did not reply 2010_d2010-0193
to the Complainant’s
contentions.
accutanebuy.com Accutane The Respondent did not reply 2010_d2010-0224
to the Complainant’s
contentions.

KnujOn.com, LLC
Updated: 6/20/2010 Page 30
Case No. D2005-1288 (Hoffmann-La Roche Inc. v. WhoisGuard) is in fact frequently cited in
WIPO decisions as precedent for transferring trademark infringing domains to the complainant.
These cases represent a pattern of bad behavior tacitly supported and possibly assisted by
NameCheap. The casual onlooker might get the impression that NameCheap is negatively
affected by these WIPO decisions and as a result their policies might change. This is far from the
truth. KnujOn has observed on a nearly daily basis, NameCheap registering pharmaceutical
trademarks through eNom on behalf of persons unknown. None of the UDRPs seem to have
slowed NameCheap’s business dealings with trademark hijackers and international drug
traffickers. On inspection there is no reason to expect that they would. As many have
commented, the UDRP is a “toothless” process as the respondent is not compelled to comply and
suffers only the potential penalty of losing the challenged domain name. That domain name
becomes worthless the moment it is transferred to the complainant. Meanwhile, the complainant
must expend a significant amount of time and money to resolve the issue. In these cases,
NameCheap, has averted any seeming connection or responsibility. The loss of one, or even 100,
infringing domain names is meaningless to the respondent since they have access to a
bottomless pit of variations at all gTLDs. The emergence of domains using “Tamiflu” are
additionally troubling at time when public anxiety over swine flu was riding high.

Oversee as “Moniker Privacy”

There are dozens of WIPO decisions against “Moniker Privacy” where they did not respond to the
UDRP. As with NameCheap, drug names are the frequent target as in the case of WIPO
2009_d2009-1348 concerning “acompliageneric.com” a trademark of Sanofi-Aventis, but also
involve other IP like the “jaylenoshow.com” ( 2009_d2009-0571), “delottetouche.com”
(2008_d2008-1489), and “nationalfootballleague.com” (2007_d2007-1839).

eNom as “Whois Privacy Protection Service Inc.”

Like above, eNom’s privacy service is abused for trademark hijacking. Like the above examples,
eNom refuses to respond to the UDRP. The language used in one WIPO decision is as follows:

“The Respondent is only a tool proposed by eNom to permit ill-intentioned owners to

mask their true identity. This fact constitutes evidence of bad faith.” 12

This quote sums up the perception of the use of privacy services in these cases and parallels
language used in U.S. v. Kilbride:

“Based on the plain meaning ... private registration for the purpose of concealing
the actual registrant’s identity would constitute ‘material falsification.’” 13

The point being that, under the guise of protecting domain consumer privacy, WHOIS privacy
services have been perverted into a weapon of criminal anonymity and Registrar irresponsibility.

12
WIPO 2005_d2005-0133, TAG HEUER v. Whois Privacy Protection Service, Inc.
13
http://www.ca9.uscourts.gov/datastore/opinions/2009/10/28/07-10528.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 31
OnLineNIC, INC. as “ABSOLUTEE CORP. LTD.”

Absolutee Corp Ltd is OnlineNIC’s privacy protection service and it is doubtful that OnlineNIC and
Abolutee are distinct entities. Furthermore, the Registrars China-Channel, 35.com and USA Intra
Corp. are all likely part of the same organization. On April 19, 2010 the Malletier group, which
owns Louis Vuitton, was issued a default judgment of $960,000.00 against Absolutee for
“knockoff” sales through OnlineNIC sponsored domains by by California Northern District Court
Judge Maxine M. Chesney (http://docs.justia.com/cases/federal/district-
courts/california/candce/3:2009cv05612/222027/27/). The Honorable Maxine Chesney also
issued an injunction against Absolutee preventing them from any further violation of these
trademarks (http://docs.justia.com/cases/federal/district-
courts/california/candce/3:2009cv05612/222027/26/).

This is same Absolutee that WIPO decided against for registering “tiffanyline.com” (WIPO
2009_d2009-0430) and “buickopen.com” (WIPO 2007_d2007-0279). As seen in the above
examples “The Respondent did not reply to the Complainant’s contentions.”

It would be useful at this point to provide some background on Absolutee:

• Absolutee has been flagged as supporting the Russian Business Network 14

• Absolutee has been linked to a payment processing system for child pornography called
Avalonpay 15
• Absolutee was linked to a fake Fidelity Investments phishing site 16
• Absolutee was linked to malware distribution 17
• The site “absolutee.com” has been known to appear as a download location in virus scan
logs 18

Like eNom's Whois Privacy Protection Service, Absolutee is tool proposed by OnlineNIC to
permit ill-intentioned owners to mask their true identity, which constitutes evidence of bad faith.
Without dragging the point out, we contend that Absolutee solely exists to mask illicit activity that
OnlineNIC benefits from.

Registrars will contend that the registrants are behind these illicit domains and the Registrar
should not have to take responsibility for the associated problems. However, OnlineNIC recently
settled for tens of millions of dollars with Verizon, Microsoft and Yahoo
(http://arstechnica.com/old/content/2008/12/court-awards-verizon-33-million-in-cybersquatting-
squabble.ars). In these cases the complainants alleged OnlineNIC employees registered the
domains under false identities. The courts agreed. These cases may point to a trend of brand-
holders bypassing the UDRP in order to collect monetary damages from Registrars who operate
as or protect cybersquatters. This issue is discussed specifically in section III part B.

In conclusion, the lines between registrants and Registrars have become seriously blurred in
cases of cybersquatting. Evidence precludes Registrar denial of involvement when they supply
special tools that encourage it, mask ownership of the domains, and ignore the UDRP when
caught.

14
http://www.wired.com/images_blogs/dangerroom/files/iDefense_RBNUpdated_20080303.doc
15
http://www.matchent.com/wpress/?q=node/369
16
http://www.ecommerce-journal.com/node/1195
17
http://www.dslreports.com/forum/remark,16686792
18
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t111606.html

KnujOn.com, LLC
Updated: 6/20/2010 Page 32
H. Reseller Obligations (RAA 3.12)

“3.12 Obligations of Third-Party Resellers. If Registrar enters into an agreement with a reseller of Registrar
Services to provide Registrar Services”

The issue of reseller compliance is so large that it calls for a separate report. However we feel the
need to discuss a case where the lines between reseller and Registrar have become extremely
blurred. This Report explores true ownership of a domain reseller. We believe that this purported
reseller is actually owned and controlled by eNom.

Acquire This Name, INC.

The apparent domain name reseller Acquire This Name, INC. (acquirethisname.com) posts no
clear ownership or location on its site except a post office box: PO BOX 6097, Bellevue, WA
98008

In the “About Us” they provide the following information:

“Q: Do you own the domains you sell?

A: No, we represent the domain owner and facilitate the sale of the domain.

Q: Is AcquireThisName a domain registrar?

A: No, AcquireThisName is a brokerage firm, representing domain owners. We are
not a registrar and do not offer registration services.”

KnujOn.com, LLC
Updated: 6/20/2010 Page 33
(http://www.acquirethisname.com/about-us.aspx)
Their FAQ states the following:

“Our reseller relationship with eNom helps make purchasing…”

(http://www.acquirethisname.com/frequently-asked-questions.aspx)

At this point Acquire This Name, INC. has made it clear they are NOT a Registrar but actually a
reseller or “brokerage.” They have also stated that Acquire This Name, INC. is a reseller of eNom
and directs customers to create an account at eNom to manage the domain name.

As for payment, Acquire This Name, INC. states:

“Our preferred method of payment is by wire to our affiliate, eNom…”

(http://www.acquirethisname.com/frequently-asked-questions.aspx)

Statement: eNom is an affiliate of Acquire This Name; Acquire This Name is a reseller of eNom.
We attempted to locate the business registration of Acquire This Name, INC. and found it in
Nevada’s Secretary of State Business Registration database. However all of the officer names for
Acquire This Name, INC. had been scrubbed or deleted through “resignations” on April 8, 2009.

KnujOn.com, LLC
Updated: 6/20/2010 Page 34
Acquire This Name currently has no officers listed with the Nevada SOS and has actually passed
the deadline for supplying this information.

However, we were able to determine that the resigned officers were SARAH AKHTAR COOPER
and MICHAEL BLEND. We also found two WIPO decisions where Acquire This Name, Inc. was
ordered to surrender a domain name for trademark reasons. The respondent in one of these
cases was Matt Overman.

(http://www.wipo.int/amc/en/domains/decisions/html/2009/d2009-0411.html,
http://www.wipo.int/amc/en/domains/decisions/html/2008/d2008-1162.html)

Sarah Akhtar Cooper is the General Counsel of eNom

Michael Blend is the Senior Vice President of Demand Media (eNom)
Matt Overman Director of Domain Sales at Demand Media (eNom)

Additionally, acquirethisname.com is hosted and sponsored by eNom.

From the list of officers and the cited payment structure, it does not appear that Acquire This
Name is really a reseller or even a separate entity.

KnujOn.com, LLC
Updated: 6/20/2010 Page 35
While Acquire This Name stated they do not own the domain names they sell, rather: “we
represent the domain owner and facilitate the sale of the domain.” It is impossible to verify as the
registrant’s details are concealed through Whois Privacy Protection Service Inc., which is eNom’s
privacy service. However, equateconsonant.com is indeed sponsored and hosted by eNom.

In conclusion it is clear that this entity was created by eNom staff for the benefit of eNom while
seeming to not be eNom. This is a serious violation of consumer trust.

KnujOn.com, LLC
Updated: 6/20/2010 Page 36
I. Registrar Contact Address Must Be Available on Website (RAA 3.16)

“3.16 Registrar shall provide on its web site its accurate contact details including a valid email and mailing
address (http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm).”

This section was added to the 2009 revised RAA after a series of incidents indicated Registrars
had not disclosed their business addresses. Research conducted by KnujOn 19 found that 70
Registrars had no address posted in the InterNIC Registrar directory. It was also found that
several Registrars had falsified their business address or were using “mail-drop” addresses in
different countries from where the business was actually located. Subsequently it was found that
Registrar Parava Networks has falsified their address 20 . KnujOn campaigned hard for a change to
the RAA 21 , but Registrars are still flouting this new rule. We also have serious concerns about
Registrars using Post Office Boxes as their primary business address, but this is still a subject of
debate 22 .

These Registrars have signed on to the 2009 RAA, which requires that they display their
address, but they have not yet done so.

Arsys Internet, S.L. dba NICLINE.COM

DSTR Acquisition PA I, LLC dba DomainBank.com
IREGISTRY CORP. /iregistry.com
$$$ Private Label Internet Service Kiosk, Inc. (dba "PLISK.com")
21Company, Inc. dba 21-domain.com/21-domain.com
ITPAN.COM INC./itpan.com
Active Registrar, Inc./activeregistrar.com
COMPANA LLC/budgetnames.com
Directi Internet Solutions Pvt. /publicdomainregistry.com
DOTALLIANCE INC/dotalliance.com
EVERYONES INTERNET LTD./resellone.net
FRANCE TELECOM/francetelecom.com
CSL Computer Service Langenbach GmbH d/b/a joker.com
NET 4 INDIA LIMITED/net4.in
NICCO LTD. /nicco.com
REGISTER.COM INC./register.com
RESELLER SERVICES INC./ResellServ.com
UK2 GROUP LTD. /uk2group.com
VOLUSION, INC./volusion.com
Webagentur.at Internet Services GmbH d/b/a domainname.at
YNOT DOMAINS CORP/myorderbox.com
VIVID DOMAINS INC/vividdomains.com*

*Merely gives "Miami" as the address, no street location

19
http://www.knujon.com/news2008.html#06102008
20
http://www.knujon.com/news2008.html#07222008
21
http://www.knujon.com/news2008.html#11022008
22
http://www.circleid.com/posts/should_a_domain_name_registrar_run_from_a_po_box/

KnujOn.com, LLC
Updated: 6/20/2010 Page 37
These Registrars have not signed on to the 2009 RAA, but should be required to post their
address before being eligible to renew their contract.

INTERNET GROUP DO BRASIL/igempresas.com

MANGO MOODS INC./Marcaria.com International, Inc
DNS:NET Internet Service GmbH/dns-net.de
PREMIUM REGISTRATIONS SWEDEN/premiumregistrations.com
AB CONNECT /hosteur.com
A TECHNOLOGY COMPANY INC/namesystem.com
C I HOST INC./cihost.com
EXPERINOM INC./experinom.com
FUNPEAS MEDIA VENTURES, LLC DBA DOMAINPROCESSOR.COM/DomainProcessor.com
GEE WHIZ DOMAINS INC/geewhizdomains.com
Globedom Datenkommunikations GmbH, d/b/a Globedom/globedom.com
DomainContext, Inc./isregistrar.com
JETPACK DOMAINS INC/jetpackdomains.com
NEW GREAT DOMAINS /newgreatdomains.com
ONLINENIC INC./onlinenic.com
OPEN SYSTEM LTD. /turbosite.com.br
OWN IDENTITY INC/ownidentity.com
PACNAMES LTD /pacnames.com
QUANTUMPAGES TECHNOLOGIES/ownregistrar.com
TURNCOMMERCE, INC. DBA NAMEBRIGHT.COM/NameBright.com
ULTRARPM INC./metapredict.com
UNITED DOMAIN REGISTRY, INC./uniteddomainregistry.com
WEBAIR INTERNET DEVELOPMENT/webair.com
ZOG MEDIA, INC. DBA ZOG NAMES/zognames.com
HOSTING.COM, INC./Hosting.com
MOOZOOY MEDIA INC. /wiredwebsite.com
NAMEHOUSE, INC./namehouse.net

USA WEBHOST/usawebhost.com*

*Home page declares: "You have to log in to contact us"

The following Registrars do not display their address but were de-accredited during the
study period.

MOBILINE USA INC./domainbonus.com

TAHOE DOMAINS INC./tahoedomains.com
WESTERN UNITED DOMAINS /wudomains.com
AFTERGEN, INC. DBA JUMPINGDOT/jumpingdot.com
OOO RUSSIAN REGISTRAR/ruregistrar.com

The following Registrars do not display their address but are of unclear status.

ENETREGISTRY INC/enetregistry.net
VERZA DOMAIN DEPOT BV/verzadomains.com

KnujOn.com, LLC
Updated: 6/20/2010 Page 38
Serious Issues

A Technology Company, Inc. (namesystem.com) does not disclose its business address on its
primary website and additionally is blocking access to its own WHOIS record (see Section II Part
A).

OnlineNIC, Inc. (onlinenic.com) is allegedly located in the Oakland area of California but
various investigations reveal it is actually in China and its U.S. locations are fraudulent. Most of
this became apparent during trademark lawsuits against OnlineNIC by Microsoft and Verizon
(http://www.theregister.co.uk/2009/08/27/onlinenic_verizon_ruling_upheld/;
http://www.thedomains.com/2009/03/12/onlinenic-settles-with-microsoft-appeals-verizon-
decision/). OnlineNIC sponsors thousands of unlicensed pharmacy domains in violation of U.S.
and California law. They have been notified multiple times about these sites. OnlineNIC actually
has several alleged addresses. The address given in the InterNIC directory and in their WHOIS
record is 351 Embarcadero E. Oakland CA 94606. This address was revealed to be an empty lot
in an article by Andrew Naylor called “Visiting OnlineNIC’s Non-Office” 23 over a year ago. We
have filed inaccuracy complaints about this address but Onlinenic.com endures. Their second
address, 2315 26th Avenue, San Francisco, CA, is related to a California business registration
that has been suspended by the Secretary of State.

Their third address is a residential address which we will not reveal here because there is no
evidence that the location is associated with OnlineNIC. The fourth address, 909 marina village
pkwy #236 Alameda CA 94501, is a UPS mail box.

23
http://dotsnews.com/domain-name-news/184

KnujOn.com, LLC
Updated: 6/20/2010 Page 39
Since the lawsuits their CA business has been re-registered by their U.S. lawyer, Perry J.
Narancic. 24 Narancic represented them against MS and Verizon and negotiated the multi-million
dollar settlement. OnlineNIC’s real address is likely 7F International Trade Building, 388 South
Hubin Road, Xiamen China that exists even in ICANN documents. 25 It is time for this charade to
end.

24
http://www.nk-pc.com/index.php?option=com_content&view=article&id=47&Itemid=54
25
http://www.icann.org/en/tlds/pro1/pdf/rop_exhibit_a5.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 40
J. Material Falsification in Registrar Application (RAA 5.3.1)

“5.3.1 There was a material misrepresentation, material inaccuracy, or materially misleading statement in
Registrar's application for accreditation or any material accompanying the application.
(http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm).”

Since we cannot see the original applications we can only estimate what was in the application
based on currently available business records. A Registrar must be a business entity, must
disclose the type of legal entity and attest that “the information contained in this application, and
all supporting documents included with this application, are true and accurate to the best of
Applicant's knowledge” 26 . Obviously, it is expected that entity be a legitimate and verifiable one.
However, we have found a fairly sizable number who apparently do not exist.

eNom has the largest number of unverified business entities. We attempted to locate them in
Washington State, where eNom is located; in California, where Demand Media is located; as well
as in Delaware, Florida, and Nevada. These issues can be easily resolved if eNom and others
reveal their business registrations with evidence they existed prior to accreditation. Otherwise, all
of these accreditations are in breach of section 5.3.1.

Business Registrations Not Found

eNom(DemandMedia) Accreditations
Afterdark Domains, Enom Corporate,
Incorporated (eNom) Inc. eNom666, Inc.
Arab Internet Names, Enom GMP
Incorporated (eNom) Services, Inc. eNom672, Inc.
Big House Services, Inc. enom413,
(eNom) Incorporated Enoma1, Inc.
Blisternet, Incorporated enom415,
(eNom) Incorporated EnomAte, Inc.
Dagnabit, Incorporated enom417,
(eNom) Incorporated EnomAU, Inc.
Domainnovations, enom419,
Incorporated (eNom) Incorporated eNombre Corporation
enom421,
Domain Rouge, Inc. (eNom) Incorporated EnomEU, Inc.
Dropoutlet, Incorporated enom423,
(eNom) Incorporated Enomfor, Inc.
enom389, Incorporated enom425,
(eNom) Incorporated EnomMX, Inc.
enom427,
eNom, Inc. (eNom) Incorporated Enomnz, Inc.
enom429,
Enom1, Inc. Incorporated eNomsky, Inc.
enom431,
eNom1008, Inc. Incorporated EnomTen, Inc.
enom433,
eNom1009, Inc. Incorporated EnomToo, Inc.
enom435,
eNom1010, Inc. Incorporated EnomV, Inc.
eNom1012, Inc. enom437, FastDomain Inc. (eNom)

26
http://www.icann.org/en/registrars/accreditation-application.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 41
 Incorporated
enom439,
eNom1013, Inc. Incorporated Fenominal, Inc. (eNom)
enom441,
eNom1014, Inc. Incorporated Fushi Tarazu, Incorporated (eNom)
enom443,
eNom1033, Inc. Incorporated Gunga Galunga, Incorporated (eNom)
enom445,
eNom1034, Inc. Incorporated Indirection Identity Corporation (eNom)
enom447, Internet Internal Affairs Corporation
eNom1035, Inc. Incorporated (eNom)
enom449,
eNom1036, Inc. Incorporated Kingdomains, Incorporated (eNom)
enom451,
eNom1037, Inc. Incorporated Mark Barker, Incorporated (eNom)
enom453,
eNom1038, Inc. Incorporated Mobile Name Services, Inc. (eNom)
enom455,
Enom2, Inc. Incorporated Name Nelly Corporation (eNom)
enom457,
Enom3, Inc. Incorporated Name Thread Corporation (eNom)
enom459,
enom371, Incorporated Incorporated Nerd Names Corporation (eNom)
enom461,
enom373, Incorporated Incorporated Nom Infinitum, Incorporated (eNom)
enom463,
enom375, Incorporated Incorporated One Putt, Inc. (eNom)
enom465.com,
enom377, Incorporated Incorporated PostalDomains, Incorporated (eNom)
enom467,
enom379, Incorporated Incorporated Private Domains, Incorporated (eNom)
enom469,
enom381, Incorporated Incorporated Retail Domains, Inc. (eNom)
enom383, Incorporated Enom5, Inc. SBSNames, Incorporated (eNom)
enom385, Incorporated eNom623, Inc. Searchnresq, Inc. (eNom)
enom387, Incorporated eNom635, Inc. SicherRegister, Incorporated (eNom)
enom391, Incorporated eNom646, Inc. Sipence, Inc. (eNom)
Small Business Names and Certs,
enom393, Incorporated eNom647, Inc. Incorporated (eNom)
enom395, Incorporated eNom650, Inc. Sssasss, Incorporated (eNom)
enom397, Incorporated eNom652, Inc. Traffic Names, Incorporated (eNom)
enom399, Incorporated eNom654, Inc. TravelDomains, Incorporated (eNom)
Enom4, Inc. eNom655, Inc. Vedacore.com, Inc. (eNom)
Whiteglove Domains, Incorporated
enom403, Incorporated eNom656, Inc. (eNom)
enom405, Incorporated eNom659, Inc.
enom407, Incorporated eNom661, Inc.
enom409, Incorporated eNom662, Inc.
enom411, Incorporated eNom663, Inc.

KnujOn.com, LLC
Updated: 6/20/2010 Page 42
OVERSEE/MONIKER/SNAPNAMES Accreditations
Ace of Domains, Inc.
CoolHandle Hosting, LLC
DomainSystems, Inc. dba DomainsSystems.com

DOTSTER Accreditations
Deschutesdomains.com LLC
Domain-A-Go-Go, LLC
Domaininthehole.com LLC

Apparently Unaffiliated
#1 Internet Services International, Inc. dba 1ISI
1 More Name, LLC
Annulet Incorporated
Azdomainz, LLC
Azprivatez, LLC
Atozdomainsmarket, LLC
Belgiumdomains, LLC
Capitoldomains, LLC
Domaindoorman, LLC
Domainbullies,LLC DBA DomainClub.com
Domain-It!, Inc.
Domain Jamboree, LLC
eBrandSecure, LLC
Namehouse, Inc.
NetTuner Corp. dba Webmasters.com
Vivid Domains, Inc.
Ynot Domains Corp.

KnujOn.com, LLC
Updated: 6/20/2010 Page 43
K. Legal Issues with a Registrar (RAA 5.3.2)

“5.3.2.1 is convicted by a court of competent jurisdiction of a felony or other serious offense related to financial
activities, or is judged by a court of competent jurisdiction to have committed fraud or breach of fiduciary duty,
or is the subject of a judicial determination that ICANN reasonably deems as the substantive equivalent of those
offenses; or 5.3.2.2 is disciplined by the government of its domicile for conduct involving dishonesty or misuse
of funds of others.”

Registrar Abacus America, Inc. d/b/a Names4ever in Corporate Delinquency

State of Kansas definition of Corporate Delinquency:

“Delinquent: The business entity has not filed its annual report and fee by the due date.
The business entity will remain in Delinquent status until it files its annual report, or until
the business entity forfeits for failure to timely file the annual report and fee.” 27

Abacus America was cited in 2008 28 by LegitScript and KnujOn for sponsoring an illicit,
unlicensed steroid-dealing site called MULTIHGROUP.COM
(http://www.knujon.com/schedule3/Steroid%20Report%20Knujon%20and%20LegitScript%20july
%202008.pdf) which sells schedule 3 (http://www.justice.gov/dea/pubs/scheduling.html)
substances without prescription, drugs that are shipped from Turkey into the United States. To
date, Abacus America has not responded to our inquiry and the site is still online, registered
through Abacus America.

27
http://www.accesskansas.org/corp_search/status_window.html
28
http://query.nytimes.com/gst/fullpage.html?res=9E07E4D91739F935A15754C0A96E9C8B63

KnujOn.com, LLC
Updated: 6/20/2010 Page 44
We have reported the corporate delinquency to ICANN’s compliance department and they have
informed us that since Abacus America is principally registered in California this issue does not
constitute a breach of their contract. However, we still believe this a poor reflection the
responsibility of the Registrar to the Internet community. Additionally, as an issue of disclosure it
should be noted that Abacus America purports to be in Florida, not California. We are also
concerned that a Registrar with multiple and possibly invalid locations is continuing to sponsor
illicit pharmacies with no response to the concerned public.

KnujOn.com, LLC
Updated: 6/20/2010 Page 45
L. Registrar Officer Legal Issues (RAA 5.3.3)

“5.3.3 Any officer or director of Registrar is convicted of a felony or of a misdemeanor related to financial
activities, or is judged by a court to have committed fraud or breach of fiduciary duty, or is the subject of a
judicial determination that ICANN deems as the substantive equivalent of any of these; provided, such officer or
director is not removed in such circumstances. Upon the execution of this agreement, Registrar shall provide
ICANN with a list of the names of Registrar's directors and officers...”

It is possible that an officer of Registrar Web Werks India Pvt. Ltd (AKA D For Domains, AKA
wwindia.net, AKA SUVIP INC) violated “federal securities laws by engaging in a fraudulent, tax-
motivated wash sales trading scheme.” 29 This information has been sent to ICANN compliance.

While Web Werks gives its address as 124 Prabhadevi Unique Industrial Estate off V.S. Marg
Prabhadevi Mumbai Maharashtra (India), the WHOIS address disclosed for their operational
domain, dfordomains.com, is 984 North Broadway Suite 314 Yonkers New York 10701. The
dfordomains.com/Web Werks informational site claims India and U.S. offices.

KnujOn staff attempted to verify the U.S. address in person and discovered that 984 North
Broadway is in fact a medical building. Listed in the directory at Suite 314 was an ophthalmology
and nephrology office operated by physicians Dwarka P. Rathi and Seema Rathi.

The officer contact for Web Werks India is Nishant Rathi who may be related to Dwarka P. Rathi
and Seema Rathi but we cannot confirm this at this time.

A subsequent search of businesses claiming to be located at 984 North Broadway Suite 314
produced a company called “Suvip Consultancy Services” or “SUVIP INC.” The address is used
on their website http://www.suvipgroup.com/Home.aspx which describes their business as “a
worldwide information and technology solutions and consulting services firm with a proven track
record in providing turnkey solutions to integrate businesses, workflows and Technology.”

The website also discloses their involvement in an automated stock trading interface:

“Suvip Technologies adopts ExtJS 2.0 as a client UI Framework for BrokerSwift

...
Suvip and AksaTech India Pvt Ltd collaborate to implement technology solutions for Broker
Dealers”

29
Securities Exchange Act of 1934 Release No. 48261, http://www.sec.gov/litigation/admin/34-48261.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 46
The New York state business filing for SUVIP INC. has the address 984 NORTH BROADWAY,
STE. 314 YONKERS, NEW YORK, 10701. There are no officers listed in the public filing.

In a 2003 filing the Securities and Exchange Commission alleges that Dwarka P. Rathi, described
as a “self-employed New York physician” 30 , “engaged in 132 wash sales involving 28 different
stocks from November 23, 1999 through December 23, 1999. Rathi executed 130 of these sales
in the after-hours market.” 31 Through this scheme “Rathi created losses of $221,698 in his
taxable accounts and gains of $245,174 in his tax-sheltered accounts.” 32 The SEC ruled that
Rathi violated Section 10(b) of the Exchange Act and Rule 10b-5. The SEC instituted settled
cease-and-desist proceedings, and filed a settled federal court action against Rathi.

30
Securities Exchange Act of 1934 Release No. 48261, http://www.sec.gov/litigation/admin/34-48261.htm
31
Securities Exchange Act of 1934 Release No. 48261, http://www.sec.gov/litigation/admin/34-48261.htm
32
Securities and Exchange Commission v. Dwarka P. Rathi, http://www.sec.gov/litigation/litreleases/lr18266.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 47
If Dwarka P. Rathi is an officer of Web Werks India/dfordomains.com and the same Dwarka P.
Rathi charged in the SEC filing, then Web Werks India is in breach of sections 5.3.2 and 5.3.3 of
the Registrar Accreditation Agreement. This matter should be fully investigated.

KnujOn.com, LLC
Updated: 6/20/2010 Page 48
N. Registrar Acting in a Manner that Endangers Stability (RAA 5.3.6)

“5.3.6 Registrar continues acting in a manner that ICANN has reasonably determined endangers the stability or
operational integrity of the Internet after receiving three (3) days notice of that determination.”

As we have seen, and will continue to see in this report, eNom is threatening the overall stability
of the DNS. Because of its size and share of the market a potential criminal charge and or de-
accreditation of eNom would throw the world of ICANN, online-business, and domain consumer
into chaos. The number of domains that would need to be transferred would far outnumber any
previous transfer. While a criminal charge against eNom has not occurred yet, it is inevitable
under their current policies or harboring illicit drug networks and failing to address the problem.

KnujOn.com, LLC
Updated: 6/20/2010 Page 49
L. Miscellaneous: Registrars without a functioning website

It is implied by the nature of this industry and the requirements of the RAA that a Registrar have a
functioning website. The following Registrars do not have a functioning or locatable website.

Bharti Airtel Services Limited - bhartiairtelservices.in redirects to bhartiresources.com, which

merely loads a password interface.

1 More Name, LLC – “1morename.myorderbox.com” is constantly down for maintenance

#1 Accredited Registrar - 1accredited.com does not load

1dotmobiregistrar.com – Parking page, now “Desert Devil, Inc”?

A Rite Tern, LLC (aritetern.com) – Access “Forbidden”

Basic Fusion, Inc. (basicfusion.net) - Not found

Best Bulk Register, Inc. (bestbulkregister.com) - Not found

DropHub.com, Inc. (DropHub.com) – Now “Intrust-Domains”?

FBS Inc. (isimtescil.com) - Not found

Launchpad, Inc. (launchpad.com) – No content

Mister Name (mistername.com) - Not found

ATXDOMAINS Inc. (atxdomains.com) - Not found

Nameescape.com LLC (Nameescape.com) – Parking Page

Names Bond, Inc. (namesbond.net) - Not found

Pointag Technologies, Inc. (pointag.com) – Not found

SiteName Ltd. (sitename.com) – “The page isn't redirecting properly”

KnujOn.com, LLC
Updated: 6/20/2010 Page 50
O. Recommendations for these issues

Most of these problems can be resolved by proper and regular auditing.

• Registrars who have not signed on to the 2009 RAA should not be allowed to until they
have posted their business address on their main web page.
• ICANN Needs to decide if eNom has failed to comply with government regulations and
thus is in violation of the RAA
• ICANN Compliance should issue breach notices to all Registrars who have failed to
provide a working Port 43 WHOIS address
• The InterNIC/ICANN Registrar Directories need to be updated on more regular basis
• The full lifecycle of Registrar breach, termination, transfer and sale should be available
• ICANN Needs to fully investigate eNom’s involvement with Acquire This Name, INC.

KnujOn.com, LLC
Updated: 6/20/2010 Page 51
KnujOn.com, LLC
Updated: 6/20/2010 Page 52
Section II: WHOIS Issues

"As the DNS is currently structured, registrants are under only an honor system to
provide accurate Whois data. Meanwhile, it makes no economic sense for
registrars to enforce Whois accuracy. The result is that in terms of accuracy,
when compared with other compilations of public data (such as driver's licenses
33
and trademark registrations), the Whois database is substantially fiction."

-Benjamin Edelman, as Fellow at the Berkman Center for Internet & Society

This quote comes from 2005 Congressional testimony before the Committee on the Judiciary
Subcommittee on Courts, the Internet, and Intellectual Property. In the half decade since, the
situation has gotten substantially worse with large drug trafficking networks settling into the DNS
comfortably with little to fear in terms of law or policy. At this hearing Professor Edelman’s
suggested the following process improvements:
1. Reduction in the lenience of opportunity to “cure” intentionally invalid data

2. Registrants with multiple domain names with intentionally invalid data, should forfeit of all domains with the
same invalid data

3. Statistically valid surveys of registrars’ WHOIS accuracy, with public reporting of each Registrar’s accuracy
should be published by ICANN

4. Public reporting by ICANN of WHOIS accuracy complaints and their outcome

5. Financial and other penalties to Registrars with poor WHOIS accuracy records

None of these recommendations have been enacted, or from our observations, seriously
considered by ICANN and the supporting bodies. The idea that Internet abuse handlers, such as
KnujOn, are anti-privacy because we support full WHOIS disclosure is a red herring. We have
proposed a simple solution to this problem – a hard line between commercial and informational
domains. This is a system adopted in some ccTLDs. Domains used for commercial activity must
have public WHOIS just as their brick-and-mortar components require public disclosure.
Pharmacies, banks, consumer goods stores and the like cannot have secret ownership in any
country. Products offered by these companies require government approval globally through
licensure, inspection and audit. In a very brief period the Internet has managed to subvert
generations of accountability created to protect the consumer from harm and the illicit players
hide with impunity under the banner of “privacy” with support and encouragement from the
Registrars. The domains of Girl Scout troops, dog-lover clubs, and political activists are not the
domains that generate heated public concern over WHOIS inaccuracy. Domains selling controlled
substances, imaginary loans, pirated software, and dangerous knockoff goods are of concern.
Domains lifting someone else’s intellectual property or selling images of child exploitation are of
concern. It is shameful to argue privacy rights for these parties.

There have been three major reviews of WHOIS in the last 10 years prior to the recent NORC 34
study: 2002 – “Large-Scale Intentional Invalid WHOIS Data” 35 ; 2003 – “US House Committee on
the Internet, and Intellectual Property” 36 ; and 2005 – “Prevalence of False Contact Information for
Registered Domain Names.” 37 Each report has told us more or less the same thing, that WHOIS
is largely falsified. The time for studies has passed, it is time for proactive correction and policy
enforcement.

33 cyber.law.harvard.edu/people/edelman/pubs/judiciary-090403.pdf
34 http://www.theregister.co.uk/2010/02/17/domain_name_problems/
35 http://cyber.law.harvard.edu/archived_content/people/edelman/invalid-whois/
36 http://cyber.law.harvard.edu/archived_content/people/edelman/pubs/Judiciary-090403.pdf
37 http://www.gao.gov/new.items/d06165.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 53
A. Registrar WHOIS Validity

If domain registrants are expected to supply valid contact information for the WHOIS record,
Registrars should be held to, at the very least, the same standard. We would argue that it
behooves the Registrar to set an example for the registrant by complying with the RAA conditions
for accurate WHOIS. However, we have found that many Registrars do not have accurate
WHOIS for their own operational sites and some are apparently deliberately obfuscating their
WHOIS record. At a minimum, the Registrar’s WHOIS record should match the contract address
required on their website by 2009 RAA section 3.16, and match the address displayed in the
ICANN/InterNIC Registrar directories. Recent cases of obfuscation by Parava Networks, now de-
accredited, and OnlineNIC represent serious violations of consumer trust. The first section below
shows which Registrars have bad WHOIS records. WDPRS complaints were filed where
appropriate.

1-877NameBid.com LLC (1-877NameBid.com) – Missing Phone

Administrative Contact:
R. Lee Chambers Company LLC
Richard chambers@rlcco.com
Post Office Box Ten
Ooltewah
TN 37363-0010
US
Tel. 000.0000000
Technical Contact:
R. Lee Chambers Company LLC
Richard chambers@rlcco.com
Post Office Box Ten
Ooltewah
TN 37363-0010
US
Tel. 000.0000000

Affordable Computer Solutions, Inc. DBA Afforda.com – Missing Phone, Address is a “Pak
Mail” mail drop service

Admin Contact Information :

Afforda.com
ritch@afforda.com
1280 W. Fifth Ave Suite 127
Columbus
43212
999 5555555555
999 5555555555

Bharti Airtel Services Limited (bhartiairtelservices.in) – Street Address Incomplete

Admin ID:DI_7411910
Admin Name:anubha
Admin Organization:bharti airtel limited
Admin Street1:qutub
Admin Street2:
Admin Street3:
Admin City:delhi
Admin State/Province:Delhi
Admin Postal Code:110030

KnujOn.com, LLC
Updated: 6/20/2010 Page 54
 Admin Country:IN
Admin Phone:+011.27883304
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:domains.admin@bharti.in

CoolHandle Hosting, LLC (coolhandle.com) – Bad Name, Street and City Address

Registrant [1729364]:
Private Reg info@coolhandle.com
0000 Street
California
CA
90001
US

The record was recently updated to put in a street location, but the registrant was apparently
unable to put “Los Angeles” in the City field and there is still no person listed as registrant.

Administrative Contact [2588228]:

Cool Handle Manager domain@coolhandle.com
700 W. 6th Street
California
CA
90017
US
Phone: 1.8662002828

Mobiline USA, Inc. dba domainbonus.com – No Phone Number

Administrative Contact
Mobiline USA Inc.
DomainBonus.com Mobiline dba contact@domainbonus.com
1204 Ave. U
11229 Brooklyn NY
United States
Tel: 1.1111111

Domus Enterprises LLC dba domus-llc.com – No name, no email address

Tech. Contact
Org. Name:
First Name: Manager
Last Name: General
City: Wilmington
Address1: 3422 Old Capitol Trail
Address2: PMB 439
State: DE
Country: US
Postal Code: 19808-6192
Phone: 1.8883970996
Fax:
Email:

KnujOn.com, LLC
Updated: 6/20/2010 Page 55
HANGANG Systems, Inc. dba Doregi.com – No name, no street address

Technical Contact:
Domain Master
domain@hangang.com
82-2-3284-2500

I.D.R Internet Domain Registry LTD. (idregister.com) – No phone

Tech ID: DI_1069961

Tech Name: IDR Internet Domain Registry ltd
Tech Organization: Company Require
Tech Street1: 12 Ha'Sharon
Tech Street2: P.O.Box 1057
Tech Street3:
Tech City: Kefar Sava
Tech State/Province:
Tech Postal Code: 44110
Tech Country: IL
Tech Phone: 000.0000000
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: samkat@idregister.com

Marcaria.com International, Inc. – No Street Address

Administrative Contact:
MARCARIA.COM CORP.
MARCARIA.COM CORP. info@marcaria.com
1.3054348621
Fax: 1.3056752956
Suite 914-992143
Miami FL 33172
miami FL 33172
US

KnujOn.com, LLC
Updated: 6/20/2010 Page 56
A Technology Company, Inc. (namesystem.com) – Blocking access to its WHOIS Record

WHOIS does not exist for their primary domain (namesystem.com), for which they are the
Registrar.

KnujOn.com, LLC
Updated: 6/20/2010 Page 57
Red Register, Inc. (redregister.com) – No name, bad address, no phone number. Registrar is
de-accredited.

Administrative Contact:
customer, private rahul.redregister@yahoo.com
IMU K
Kiev, TX 41111
US
123.45678
Fax:123.45678

Simply Named Inc. dba SimplyNamed.com – No Phone Number

Admin ID: COCO-9994208

Admin Name: Cynthia L. Pearcy CEO
Admin Organization: Simply Named Inc.
Admin Street: 1829 US Highway 64
Admin Street: -
Admin City: Marion
Admin State/Province: AR
Admin Postal Code: 72364
Admin Country: US
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:

Registrar Domains Using Invalid Privacy Services

Gee Whiz Domains, Inc. (geewhizdomains.com) – “Private Whois Service”

Administrative Contact
Private Whois Service
Private Whois Service sp4hlne4bf6af1a516bf@n3omkv94bf61e901fd6c.privatewhois.net
*******PLEASE DO NOT SEND LETTERS******
****Contact the owner by email only****
c/o geewhizdomains.com
N4892 Nassau
Bahamas
Tel: +852.81720004

KnujOn.com, LLC
Updated: 6/20/2010 Page 58
B. Nameserver WHOIS Validity and Legitimacy

In March at the last ICANN meeting ICANN CEO Rod Beckstrom announced to shocked
audience that the Domain Name System “can stop any time” and “is under attack today as it has
never been before” 38 . While many in the ICANN supporting groups took extreme exception to his
statement everything in our research points to this being an indisputable fact. The structure of the
Internet is under constant threat, its oversight is weak, its resources are unaccountable, and its
records are forged. Criminals have become Registrars, Resellers, ISPs and hosting companies.
Nameservers are dedicated to illicit traffic in ways that specifically confound investigators and law
enforcement jurisdiction. The role of a domain name becomes infinitely more important when it
also functions as a NameServer. While domain name WHOIS records are held to a certain,
unchecked and un-enforced, standard it should be argued that NameServer domain records must
be even more subject to due diligence and verification.

Issues with DOTNAME Domains as NameServers

There a currently 553 .NAME NameServers serving gTLD domains. This presents a special
problem because .NAME is intended for personal use only and as a result does not have public
thick WHOIS 39 . The use of .NAME for personal names only is stipulated in the Registration
agreement as “the Personal Name…of the Registrant or a component of the Personal Name of
the Registrant” 40 . However, this has been violated on a massive scale as documented by Ryan
Single in “Dot-Name Becomes Cybercrime Haven” 41 . In the example below we see one domain
“cialis.name” which is an illicit pharmacy and a trademark violation.

cialis.name

Since the WHOIS does not provide direct contact information for the registrant, we sent the
complaint to the Registrar, Spot Domain LLC dba Domainsite.com at the address
support@domainsite.com and the email was rejected because “cialis.name” is apparently
blacklisted which makes communication with a Registrar about their domains difficult. We finally
reached a contact at Spot/Name who told us to contact the “web host provider” to deal with this.
This kind of Registrar obfuscation and misdirection is unacceptable.

38
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsId=19349
39
http://www.icann.org/en/tlds/agreements/name/appendix-05-15aug07.htm
40
http://www.icann.org/en/tlds/agreements/name/appendix-11-15aug07.htm
41
http://www.wired.com/politics/security/news/2007/09/dot_name

KnujOn.com, LLC
Updated: 6/20/2010 Page 59
However, in this section we are focused on the doubly serious issue of .NAME domains as
NameServers to illicit pharmacy domains. The problem here is that .NAME is intended to be
personal, but here it has become commercial, and illicitly so. Example, illicit pharmacy site meds-
freerx.com is served from KABINETT.NAME.

The .NAME agreement requires that “Standard Whois queries… provide more information,
including: registrar ID” 42 through http://whois.nic.name (hosted by Verisign). Use of this interface
is not simple. A search of KABINETT.NAME as a domain will result in “NOT FOUND”. The user
must know that this is also a NameServer and enter the full path of the NameServer as
“NS1.KABINETT.NAME”.

Name Server ID: 1231079HOST-NAME

Name Server Name: NS1.KABINETT.NAME
Name Server Registrar ID: 59REGISTRAR-NAME
Name Server Registrar: Network Solutions, LLC
Name Server Status: ok
IP Address Associated: 202.247.115.1
Created On: 2006-07-21T02:57:19Z
Updated On: 2006-07-21T02:57:19Z

mendrugs.com is served from ns2.dmdns.name, another example:

42
http://www.icann.org/en/tlds/agreements/name/appendix-05-15aug07.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 60
Soviet Union (.SU) NameServer Issue

There are 5743 gTLD domains being served from 336 .SU NameServers. The complexity of this
issue is described in detail in Section III Part J. While the legitimacy of .SU is a separate
argument, the question here is whether or not gTLD domains should be served from a ccTLD with
an unknown status and a lack of accountability.

Illicit pharmacy viagramed.com is served from ns1.exhost.su which lists “Private Person” as the
owner in WHOIS.

ns1.goldhosting.su serves a number of name-brand automobile part sites, legitimacy unknown

ns1.erotica.su serves a number of MP3 Download Sites

primary.su and secondary.su serve a number of fake “facebook”, “Flickr”, “Craigslist”, “Blogger”,
“Microsoft”, and “Wikipedia” typo domains.

KnujOn.com, LLC
Updated: 6/20/2010 Page 61
Sampling of gTLD NameServer WHOIS bad email contacts

xiam@menteslibres.org.nospam
contacto@jwebs.com.arr
the_registrant_can_NOT_be_reached@this.email.address
AlSoftw@re
00000@00000.0000
x@x.x
hotmail.xom
admin@eastendhosting.vom
nomail@noabuses.tld
whois-protect@nexgear.services
pasdemail@pasdemail.pari
guti_secretaria@ceddet.orguti
tnicholson@jamesriver.orgrg
email@is.off
ui@moi.oaz
null@null.null
nospam@nospam.none
sexe@sexe.none
nobody@nobody.nobody
maximov@bgcell.nert
notavailable@not.mail
domainadministration@avg.con
info@ntrhosting.con
Ayda008@gmail.como
info@gmail.common
dhall@hemispheresolutions.comau
futomaki@fukui.anal
Please_contact_via_Web_page_@Do-not-use-this-email.address
aa@aa.aa
info@edico-si
domainmaster@magic-box

In addition to the obviously impossible contact emails above we found 679 NameServer
registrations with contact emails at non-existent domains.

The following is an example of an eNom NameServer WHOIS record we found:

Tech Name:--- ---

Tech Street1:---
Tech Street2:---
Tech Street3:
Tech City:---
Tech State/Province:---
Tech Postal Code:00000
Tech Country:AT
Tech Phone:+43.0000000000
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:00000@00000.0000

KnujOn.com, LLC
Updated: 6/20/2010 Page 62
C. The Next Phase of WHOIS validation

On 09 April 2010 KnujOn issued an official response 43 to the NORC WHOIS Inaccuracy Study 44 .
Subsequently, KnujOn helped draft part 45 of the ALAC response to the study 46 which the ALAC
board voted to support in a near unanimous poll 47 . KnujOn has voiced reservations about this
study before it even began 48 .

We fundamentally believe that it is possible to validate the entire WHOIS record for the gTLD
space, even if the number of domains were to double in the next year. The continued assertion
that the "there are too many records" to validate flies in the face of reality. KnujOn has built, and
continues to expand, a system capable of processing and detecting illicit sites and rapidly
validating the WHOIS record. So there is no confusion, this is not simply an observation but we
plan to change the status quo and find all WHOIS inaccuracies for reporting. This system has
been in testing for some time and soon will be activated.

43
http://forum.icann.org/lists/whois-accuracy-study/msg00008.html
44
www.norc.org/projects/whois+data+accuracy+study.htm
45
http://www.atlarge.icann.org/correspondence/correspondence-2-11may10-en.htm
46
https://st.icann.org/gnso-liaison/index.cgi?alac_statement_on_recent_whois_reports
47
https://www.bigpulse.com/pollresults?code=A5KYRPm8FdwEz4hQaZZm
48
http://forum.icann.org/lists/whois-accuracy-study/pdfdeWnDwRQ17.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 63
D. Material Falsification of WHOIS Through Privacy/Proxy

In a recent U.S. court decision (U.S. v. Kilbride, No. 07-10528, D.C. No. CR-05-00870 DGC-2
and No. 07-10534, D.C. No. CR-05-00870-DGC-3) use of privacy and proxy WHOIS registrations
was declared “material falsification” 49 , meaning it is process used to deliberately alter, conceal, or
impair a record. It is understandable why a lawful private citizen would not want a public WHOIS
record, but all the cases discussed here concern domain names that are strictly commercial in
nature and exclusively used for illicit transactions. Critics have dismissed the decision claiming it
does not make privacy registrations illegal and only affects the 9th circuit in the U.S. However, this
case sets a precedent for dealing with obfuscation of records relating to illicit online traffic.
Furthermore, eNom, Snapnames(Oversee/Moniker), Godaddy, NameCheap, Dotster, and other
major Registrars are all located in the 9th Circuit.

secureordercheckout.info is a transaction processing platform, support site, and package

tracking interface for the illicit GlavMed network sponsored by GKG.net. The domain also uses
the GKG.NET Domain Proxy Service to conceal its actual ownership and location. As an
example we asked GKG about this and they did not respond.

As we continue to examine the relationship between illicit domains and abuse of privacy services
as it pertains to the law, this issue will gain more attention.

49
http://www.ca9.uscourts.gov/datastore/opinions/2009/10/28/07-10528.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 64
E. Invalid Privacy Services

KnujOn actually believes strongly in the privacy of the Internet user. However, we do not believe
this privilege should be extended to commercial entities, especially ones clearly involved in illicit
traffic. At this point it is not privacy, but obfuscation and anonymity. While the debate rages over
private WHOIS registrations there is an issue within this issue, the one of invalid privacy services.
Not all proxy/privacy services are made equal. While some a responsive, legitimate companies,
others are phantoms that exist to conceal.

WhoisGuard (NameCheap)

Registrar NameCheap’s privacy service is called WhoisGuard, and its use may violate ICANN
policy. The WHOIS contact information for WhoisGuard is as follows.

The address used for WhoisGuard is actually a UPS store.

In order to open a UPS box and accept regular mail to the box, an applicant must complete
United State Postal Service form 1583 50 which indicates that if the applicant is a corporation or
firm it must be affirmed and the business registration information be provided.

50
http://www.usps.com/forms/_pdf/ps1583.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 65
We have been unable to find business registrations for “WhoisGuard” in California or Delaware
(where NameCheap is registered). Without any other information available we must assume that
“WhoisGuard” is not a real entity. This situation posses policy and legal problems for
NameCheap. The policy problem, with ICANN, is that since WHOIS records require either a
person or legal entity to register a domain, all of the “WhoisGuard” registered domains have
invalid WHOIS records unless NameCheap can produce a business title registration that existed
previous to any domain registration. The potential legal problem is that NameCheap may have
committed mail fraud or submitted false information on the application. There are around 6000
gTLD NameServers that use WhoisGuard.

NameCheap is also offering privacy protection to .US domains (illicit pharmacy domains), which
is a violation of .US policy.

americandrugstore.us
Administrative Contact Organization: NameCheap.com
Administrative Contact Address1: 8939 S. Sepulveda Blvd. #110 - 732
Administrative Contact City: Westchester
Administrative Contact State/Province: CA
Administrative Contact Postal Code: 90045
Administrative Contact Country: United States
Administrative Contact Country Code: US

KnujOn.com, LLC
Updated: 6/20/2010 Page 66
INTERNET.BS CORP. “Private Whois Service”

This service offered by Registrar Internet.BS Corp clear indicates that the mailing address is
invalid. The registrant cannot instruct an Internet user to not send letters, the mailing address
must be valid as a condition of registration.

Private Whois Service

*******PLEASE DO NOT SEND LETTERS******
****Contact the owner by email only****

From Bad WHOIS to Bad Privacy

KnujOn has been following a trend after reporting inaccurate WHOIS for illicit domains. Instead of
the domain being deleted by the Registrar or the record corrected, the registrant immediately
makes use of a privacy service and often an invalid privacy service. To illustrate we have
provided the following example. Previously, the illicit pharmacy domain pillsforall.com had this
completely bogus WHOIS data:

pillsforall.com
Registrant:
Auscron Corp contact@auscroncorp.com

non have
non have NONE non have
CY
non have
Domain Name: pillsforall.com
Administrative Technical Billing Contact:
Auscron Corp contact@auscroncorp.com
non have
non have NONE non have
CY
non have

Apparently, after a complaint they changed Registrars and concealed their WHOIS with “Katz
Global Privacy”
Administrative Contact:
Katz Global Domain Name Trust
Privacy Protected Domain Name Domain Proxy Center (domaintrust@katzglobal.com)
32 Maxwell Road #03-07 c/o
SG, SG, sg 069115
P: +65.67228356 F: +0.0

KnujOn.com, LLC
Updated: 6/20/2010 Page 67
We attempted to cal the number in the WHOIS and it is not a real working phone number.
According to the Katz website, this is the phone number used for all of their private WHOIS, an
Singapore number while Katz is located in the United States. Katz sells domain names on their
site, but they are not an accredited Registrar so we asked them who they are reselling for. Under
the RAA 3.12.3 “Reseller shall identify the sponsoring registrar upon inquiry from the
customer” 51 However, they did not respond. We filed a complaint against this domain.

51
http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 68
KnujOn.com, LLC
Updated: 6/20/2010 Page 69
Section III: Illicit Activity in gTLD Space

The Internet is sometimes said to be the “Wild West” a place without any rules. The sentiment is
understandable, but incorrect: the Internet does have rules. These rules are supposed to ensure the growth of
the Internet in a way that fosters legitimate personal and commercial activity, but prevents an out-of-control
explosion of fraud and crime.

The Internet rule is straightforward. Domain Name Registrars are required by ICANN to prohibit domain owners
from using their domains for unlawful purposes. Without exception, this rule is also reflected in each Registrar’s
Terms and Conditions, thus formalizing and protecting the company’s contractual right to suspend domain
names for unlawful activity. Once a Registrar becomes aware that a website is engaged in criminal activity, the
company has the legal authority and technical ability to suspend the domain name, rendering the illegal and
fraudulent content inaccessible. This self-policing is meant to balance freedom of speech with safety and
legitimacy as the Internet continues to evolve. But all too often, Registrars simply turn a blind eye to criminal
activity.

-John Horton, President LegitScript.com

Some Registrars are aware of this issue and have taken proactive steps to handle it. Godaddy,
Directi and DomainContext have adopted policies concerning illegal pharmacy domains. By
adding a few lines to their customer agreements Godaddy has effectively changed the world of
the illicit pharmacy domainer as they will immediately suspend any doman that: “Violates the
Ryan Haight Online Pharmacy Consumer Protection Act of 2008 or similar legislation, or
promotes, encourages or engages in the sale or distribution of prescription medication without a
valid prescription” and “Infringes on the intellectual property rights of another User or any other
person or entity.” 52 The policy covers the two major points of this problem: pharmacy regulation
compliance and trademarks. Without access to transaction platforms that allow the sale of
trademarked drugs they cannot run their illicit business. This policy has been effective to the point
that Internet drug-dealers are complaining about the loss of business. 53 We encourage all
Registrars and ISPs to adopt a similar policy as it follows the law, avoids UDRP issues, and gives
the Registrar immunity.

52
http://www.godaddy.com/Legal-Agreements.aspx
53
http://www.1-script.com/forums/Godaddy-they-change-their-policy-and-take-your-domains-wit-article55902--1.htm

KnujOn.com, LLC
Updated: 6/20/2010 Page 70
A. Illicit NameServers

There are thousands of NameServer domains that are also illicit pharmacy sites (or illicit
pharmacy sites that are also NameServers). The reason for this is clear, control. A domain cannot
be dropped if the owner also runs the hosting. At this point the Registrar is the only party who can
remove the domain. Continuity is critical to running an illicit service. The following list shows
counts of gTLD NameServer domains are also illicit Rx sites by Registrar (top 20).

Enom 587 (e.g. buy-oxycodone-cheap.info)

Godaddy* 460 (e.g. rxn247.com)
Directi* 204 (e.g. bestpharmacy-us.net)
Oversee 135 (e.g. buyfluoxetineonline.com)
Uk2group 63 (e.g. 2pills.com)
Spotdomains 61 (e.g. 33-drugs.com)
Tucowsinc 53 (e.g. rx-options.com)
Bizcncominc 53 (e.g. muscle-relaxers-drugs.com)
Networksolutions 52 (e.g. the-best-pharmacy.net)
Dynadot 50 (e.g. buy--viagra.net)
Beijinginnovativelink 48 (e.g. yesrxrefill.com)
Joker 44 (e.g. buycheapviagra.net)
Webcommerce 38 (e.g. canadianonlined.com)
Directnic 32 (e.g. discountdrugs24.com)
Internetserviceregistrari 31 (e.g. buywithoutrx.com)
Internetbscorp 30 (e.g. buygenericviagra.net)
Registercominc 24 (e.g. orderqualitypills.com)
Dotster 21 (e.g. medicationsbuyworld.com)
Realtimeregbv 19 (e.g. 11pharm.com)
Regtime 15 (e.g. cvs-pharmacy.biz)

*Godaddy and Directi have been cooperative with these investigations and have adopted policies
concerning illicit drug domains.

KnujOn.com, LLC
Updated: 6/20/2010 Page 71
Problem Examples

orderviagra.us – While this is not a gTLD domain, it is serving as a gTLD NameServer and thus
presents a number of problems. The domain itself is an illicit pharmacy.

.US domains must be registered by a U.S. citizen or someone with a firm connection in the U.S.,
a “nexus.” Orderviagra.us is cheating this rule. The domain is registered to “Soft-com.biz Inc”
which is a non-existent New York business. The address of “244 Fifth Ave New York, NY.” Is a
mailbox rental company (nymail.com) and the phone number is actually a number in England.
The domain links to DRUGMEDONLINE[DOT]COM which is part of the “Rx-Partners” criminal
network and is apparently run our of the Ukraine. Orderviagra.us serves buyfinasteride.com,
buyonlineviagra.com, and cheapzoloft.com. All rogue pharmacies. This information was
forwarded to Neustar, the sponsor of .US.

KnujOn.com, LLC
Updated: 6/20/2010 Page 72
Count of recently detected and active illicit Rx domains in the gTLD sorted by NameServer
(top 20) listed by NameServer owner

domaincontrol.com 9094
dsredirection.com 1232
worldnic.com 812
1and1.com 804
fabulous.com 696
hostgator.com 462
yahoo.com 434
domainservice.com 408
dreamhost.com 400
above.com 376
33drugs.com* 349
websitewelcome.com 328
smartname.com 320
trafficz.com 318
hitfarm.com 317
fastpark.net 310
name.com 302
hostingnet.com 300
mydomain.com 296
dnszeta.com 294

Nameservers exclusively serving illicit pharmacy domains

*33drugs.com can be seen above a major NameServer for illicit drug domains. However, unlike
the rest of the NameServers on the list “33Drugs” is not a Registrar or Internet Service Provider
with other types of domains served from it.

33Drugs is a “boutique” NameServer that exists specifically to provide services to drug traffickers.
The 33Drugs network is made up of websites that do not require a prescription for prescription
drugs and the drugs may be counterfeit or adulterated. 33Drugs.com is sponsored by
JOKER.COM, but the domains served from 33Drugs.com are largely at DynaDot. DynaDot in
most cases has some kind of obfuscated WHOIS for the 33Drugs sites, most either not listing a
name or entity, in some cases the DynaDot-server record obfuscates the NameServers.
Complaints have been filed where appropriate.

KnujOn.com, LLC
Updated: 6/20/2010 Page 73
B. Trademark and Illicit Product Traffic Issues

On March 19, 2010 telecom company Verizon filed a cybersquatting suit against Registrar
DirectNIC, AKA Media Group/Intercosmos/DomainContender 54 . As with other cases documented
here, it is alleged that the Registrar acquired trademark infringing names through a variety of shell
companies and false identities. What is different is that they did not use the ICANN UDRP and did
not pursue the registrant. This is likely the future of domain name litigation, as we explained in
Section I Part G., since the UDRP is fairly fruitless for the mark-holder. As more businesses
realize this, the ICANN UDRP will be completely bypassed.

Cybersquatting and online traffic in counterfeited products are increasing at a rate that current
ICANN compliance and UDRP are unable handle. It is simply to easy to register, abuse and
abandon a trademark-violating domain name with impunity. The scale of potential illicit profits in
comparison to the risk of capture make this trade too tempting for the modern criminal. The fact
that there are nearly no consequences for Registrars who sponsor and profit from the activity
opens the door to silent criminal partners.

The Viagra Project

Unfortunately for drug-maker Pfizer, the name Viagra has become synonymous with spam. The
erectile dysfunction (“ED”) drug and its rival, Cialis are the most stolen and illicitly trafficked drugs
on the Internet. For several months KnujOn tracked registrations of domain names with “viagra” in
the name. Most of the registrations were through eNom.

Beyond the conditions already described here, of eNom

seeming generally friendly to sponsoring illicit
pharmacy domains, we attempted to understand what
may encourage use of eNom’s services by criminal
parties. In looking at eNom’s registration page they
offer a suggestion tool. Entering “viagra” in the interface
will produce a list of recommended domains with links
to register immediately. Many Registrars offer this kind
of service, but the eNom version has some additional
features that may be beneficial to illicit pharmacy
traffickers. In addition to supplying a list of varying
“viagra” names, the eNom tool also suggested
“vasomaxwithoutrx.com.” Vasomax is an alleged Viagra
alternative. This tells us that the eNom tool has built-in
intelligence that does more than create URLs with the
customer’s chosen word, it understands the theme or
type of product the customer wants. If eNom can build
this in they can block trademarks as well.

We attempted the same search through Moniker (Oversee), a Registrar also with a number of
“viagra” registrations and discovered even more curious results. Not only were “viagra” domain
names returned but also a list of “cialis” names. Cialis is a competitor product of Viagra. This

54
http://domainnamenews.com/pdfs/verizonVdirectnic.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 74
suggests that Moniker is well aware of what a “viagra” domain customer is looking for and is
comfortable selling known trademarks in bulk.

In general, Registrars can blame registrants for buying trademark infringing domain names but
not when using this type of interface. A trademark holder suing a Registrar would be wise to
demand statistics of registrations made from these interfaces during discovery. At this point the
Registrar has become an accessory to cybersquatting.

In reviewing these cases one must wonder how much Registrar income is derived illicit online
pharmacy domains. This is a question that begs for investigation, and considering the size and
seriousness should be an ICANN-funded study. Until the question is answered and the problem
addressed, the basic integrity of the Internet is in question.

KnujOn.com, LLC
Updated: 6/20/2010 Page 75
C. The Spam/Pharma/Domain Abuse/Rogue Registrar Connection

“Ever since I was asked to contribute to the KnujOn Security Report, I've stared at my spam folder in despair. It
seems so obvious to someone who has been in the fight against online abuse for as many years as I have
where the problem lies. Back in the day, as anachronistically as it sounds, we blocked individual addresses that
sent spam. Naturally enough, because it was difficult for the average bear to get a new address. Then that
became easier. So, we began to block entire domains, because domains were difficult to acquire, and
expensive. That changed. Now, a domain can be had for pennies. In this day and age, it isn't a strained
analogy, to my eyes, to see a doomsday clock ticking, signaling the potential collapse of something that is
beyond a mere network - the Internet has become a place where we live, love, laugh, cry, mourn, do business,
work, study, and are entertained. That is what the bad guys threaten to rent asunder. One aspect of their vile
activities is one we have all seen: the sale of pharmaceuticals. One would think that the Internet would actually
be an ideal place where legitimate doctors could safely and securely issue a prescription to a legitimate
pharmacy of one’s choosing and the patient would get the medicines they need at a discounted price, delivered
quickly safely and cheaply. The reality is anything but this Valhalla. Rogue doctors are bribed into writing
prescriptions for patients they have never examined, on behalf of front companies who have tens of thousands
of throw-away domains hosted on equally transient name-servers. These companies, many claiming to be from
my home and native land of Canada, often actually reside in Eastern Europe, may or may not send the
medicines, which may or may not be what they claim to be. Some drugs seized by law enforcement have been
nothing but inert substances, others, the correct drug but the wrong dosage. Now, many of you may be
grinning, because many of the spammed ads are for puerile things like erectile dysfunction drugs. However, the
criminals do not merely offer Cialis. They also sell pain killers, cholesterol medication, and yes, even insulin.
Imagine the dire consequences of adulteration of these latter medicines.
The criminal gangs operating almost without constraint have effectively taken a wonderful online opportunity
and killed it off for patients. They have wiped out consumer confidence in the entire industry sector. As with all
other thing they get their hands on, they have effectively poisoned the village well. Thanks, guys, for moving us
a minute closer to midnight...”

-Neil Schwartzman, Senior Director Security Strategy, Return Path

Spam is about who benefits from it, not who sent it. Spam is the crowbar, not the burglary. The
ecology and etiology of Spam reveals a paradox for the spammer. The spammer, at the same
time, wants maximum exposure, wants his transaction platform to be stable, and also wants to
remain anonymous and untraceable. In order to accomplish this feat they have presented us with
a Gordian Knot of misdirection and obfuscation that can ultimately only be stopped by the
Registrar. In previous years Registrars wouldn’t budge to remove a spammed domain, but
because of public pressure they have adopted policy to address this problem. It is ironically now
easier to get a Registrar to remove a spammed domain than a domain selling controlled
substances. Sites used in a spam campaign are often terminated and or blacklisted in a matter of
hours; narrowing the window an illicit network can attract a new customer. The spammers have
responded to this by creating a layered system of advertising, shop, and transaction that persists
beyond the spam campaign and gives collaborating Registrars plausible deniability. The illicit
drug traffickers use an array of domains and websites at different providers to intentionally
confound investigation and accountability. The graphic below shows the top-level, often malware-
driven, advertising campaigns. The domains used in spam and hijacks are merely link or redirect
to another layer of “throwaway” sites at different providers which in-turn lead to comprehensive
shopping sites where specific products can be selected. These domains are much more resilient
because they “have not been spammed.” The Registrar who sponsors them has no cause to
remove them for spam and will direct the complainant to the other Registrar or ISP responsible
for the spammed sites.

KnujOn.com, LLC
Updated: 6/20/2010 Page 76
Even further behind and more invisible are the transaction domains or “anchor” sites where
information and money are exchanged. Propping up the transaction domain is a complex
structure of support domains that would be indistinguishable from that of a legitimate online
business: NameServers, template and content servers, affiliate click-through payment
processing, customer service, and anything else required for a virtual company. There are in fact
illicit Internet provider organizations that do not sell drugs but merely target services to people
who do. Many of these illicit ISPs are more organized and professional than legitimate online
businesses.

KnujOn.com, LLC
Updated: 6/20/2010 Page 77
Case Study: eNom and GlavMed

GlavMed is an: “affiliate program which sponsors spammers to promote what are generally
known to be illegal pharmacy websites. It appears to be a cover for the real sponsor organization
behind all of these sites: Spamit.” 55 This is one of the groups behind so-called “Canadian
Pharmacies” which are not Canadian in any way. The networks are controlled from Russia and
the drugs come from Turkey and Thailand. 56 GlavMed is one of the largest illegal Internet drug
trafficking networks in the world and their back-end is propped up by eNom.

Here, we follow a Spam back to eNom. The initially spammed site in this case is BEIJING
INNOVATIVE-sponsored rocamwun.com.

55
http://spamtrackers.eu/wiki/index.php/Glavmed
56
http://www.intellisec.com/blog/2009/10/11/if-fake-anti-virus-software-doesnt-get-you-something-else-will/

KnujOn.com, LLC
Updated: 6/20/2010 Page 78
Going to rocamwun.com reveals a very plain website with one link to bestpillfinest.com

bestpillfinest.com is a full-service illicit pharmacy sponsored by ChinaSpringBoard

(NameRich.cn).

However, the domain where payment occurs is rx-securemerchant.com, which is sponsored by

eNom and has been for over a year. The domain is also served from “REGISTRAR-
SERVERS.COM” which is one of eNom’s primary NameServers.

KnujOn.com, LLC
Updated: 6/20/2010 Page 79
In summary, the spammed site can easily be removed, but the backend transaction domain,
sponsored by eNom endures throughout multiple spam campaigns.

Is the above example an anomaly? No. We can perform the same routine with a spam for
“cookgalore.ru” which leads to “pharmacyonlinerow.com” and again finally to eNom-sponsored rx-
securemerchant.com.

KnujOn.com, LLC
Updated: 6/20/2010 Page 80
The multi-site, multi-provider scheme allows eNom to remain relatively invisible and avoid
responsibility for supporting spam-advertised networks of illicit pharmacies.

We have requested an explanation from eNom on this issue but they have not responded. As
long as eNom continues to sponsor these back-end sites the ordinary Internet user will continue
getting spam that eventually leads back to eNom.

eNom is also the favorite service of the “front-line” spam domain. They are consistently the #1
Registrar for spammed domains at URIBL.COM (URI “Blacklist”). In Section III Part B we offer
one possible reason for this situation.

(From URIBL.COM)

KnujOn has frequently been accused of “picking on” certain Registrars, but data from other
sources confirms the accuracy of our Registrar reports.

KnujOn.com, LLC
Updated: 6/20/2010 Page 81
D. Registrar Support for Criminal Illicit Traffic Networks

“Rampant criminality operates on the Internet because we provide the

vehicles for it to exist and flourish.

It is self evident any Internet badness requires vehicles such as;

routing, transit, payment systems, hosts, ISPs, and the Registrars.
All of this is invariably provided not by criminal enterprises but by
commercial enterprises, where for some, security or privacy for the
consumer is a very low or non-existent priority.

We are at a crossroads for the development and growth of a freely

available and self-regulating Internet. ICANN in collaboration with
the community should pro-actively implement existing requirements. An
added priority should be to focus its considerable energies towards
such efforts as the WHOIS black hole or the reduction of DNS
vulnerabilities. The clear alternative will be individual governments
providing security, essentially via censorship, for their consumers in
a piecemeal fashion.

Commercial enterprises such as the registrars, ISPs, and hosts operate

the Internet on behalf of the community and consumers not as a RIGHT
but as a PRIVILEGE. Their obligation is to protect consumers from
unwarranted intrusions such as spam, scams, and exploitation, and if
they DO NOT, then ICANN should remove that privilege in an expedited
manner.”

-Jart Armin - Editor HostExploit.com

Here we provide a concrete example of a Registrar sponsoring the entire architecture of an illicit
pharmacy network. From the NameServers to drug shopping domains to payment processing,
nearly all the domains in the chart below are sponsored by REALTIME REGISTER BV
(realtimeregister.com) and part of the “Rx-Partners” illicit drug trafficking network. What is
interesting about this case is that this entire structure was previously at DIRECTNIC LTD. At
some point recently the backbone of this network was transferred in its entirety to another
Registrar.

KnujOn.com, LLC
Updated: 6/20/2010 Page 82
KnujOn.com, LLC
Updated: 6/20/2010 Page 83
Only the “command and control” site, RX-PARTNERS.BIZ, is at a different Registrar: ASCIO
TECHNOLOGIES INC. (ascio.com). The casual onlooker may believe that illicit domains are
singular events that exist like a swarm flies, impossible for Registrar to control or discern, but the
complex and large nature of these online networks begs for a better explanation. We assume
DirectNIC removed the Rx-Partners backbone because of a complaint, because it violated their
polices or its presence just made them nervous. But in transferring the network, as is, to a new
provider they may have aided in its preservation. As for Realtime Register B.V., we have asked
them about this network and their policies relating to it. We received some promise of
investigation and will confirm this later.

The Rx-Partners network is run by the imaginary “Jessica Eagloff” at the location 145-157 St
John Street 2nd Floor, London. 145-157 St. John Street is a "Brass Plate" company location.
There are no real businesses there except Westbury, a company that sells virtual offices and
incorporations. The phone number simply rings for a long time and then connects to a standard
automated voicemail and no one ever calls back. KnujOn is going to challenge this bogus
scheme.

KnujOn.com, LLC
Updated: 6/20/2010 Page 84
E. BBB Consumer Complaints

BRANDON GRAY INTERNET SERVICES INC. (dba "NameJuice.com") – 2 consumer

complaints, No Response to either according to BBB.

In2net Network Inc. (in2net.com) – F rating from BBB, 5 unanswered consumer complaints, 7
unanswered billing-related complaints, 4 unanswered service-related complaints, and 1
unanswered refund complaint.

SiberName.com, Inc. – F rating from BBB, “Company failed to respond to BBB to resolve or
address the complaint issues.”

Tucows Inc. (tucows.com) – F rating from BBB, Unauthorized credit card charges, Failure to
honor a contract or agreement, Sales presentation used dishonest sales practices, 2 Failures to
provide promised assistance or support for products or services, 6 Failures to respond to phone
calls or written requests for assistance or support, 4 complaints of Improper or inferior service.

A Technology Company, Inc. (namesystem.com) – F rating from BBB, “Company cannot be

located” (See Section I Part I for more details).

C I Host, Inc. (cihost.com) – F rating from BBB, 5 Unanswered consumer complaints.

OnlineNIC, Inc. (OnlineNIC.com) – F rating from BBB, “Improper or inferior service”, 1 Invalid or
false contract, 5 Failures to respond to phone calls or written requests for assistance or support,
10 failures to respond to BBB to resolve or address the consumer complaint issues.

Oversee Domain Management(Moniker/Snapnames) – D rating from BBB, 1 unanswered

consumer complaint.

KnujOn.com, LLC
Updated: 6/20/2010 Page 85
F. Five Registrars Drift to Oligopoly

On paper there are over nine hundred Registrars, but the true number is much smaller. Most
accreditations are redundancies held by five companies.

eNom (Demand Media): 138 Accreditations

Oversee (Moniker/SnapNames): 128 Accreditations

NameScout (Momentus): 108 Accreditations

Directi (PDR/Answerable): 72 Accreditations

DOTSTER: 53 Accreditations

More than half of the active Registrars are really one of these five entities in the form of a shell
company, and as seen in Section I Part X, not all are registered companies. This does not
engender open and free market competition. We are aware of the accreditations of smaller
Registrars being sold to these five mega-Registrars outside of public review. The situation is
drifting to a cartel and may violate anti-trust laws as the Clayon Act defines in part anti-trust as
“mergers or acquisitions trending substantially to lessen competition.” 57

The annual accreditation fee is $4000 US. This means ENom pays $544,000 - over one half
million dollars per year to ICANN, for what advantage? Surely no company voluntarily pays
excessive fees. Companies only expend funds if they can make it back three or fourfold. In
addition to eNom, Oversee (Moniker) would pay ICANN $512,000 per year, NameScout $432,000
US, $288,000, and DotSter $212,000. In total, these five companies are paying ICANN
$1,996,000 annually for no obvious reason. These funds are in addition to and separate from the
fees associated with purchasing domain names. In essence, these five companies are supplying
ICANN with 3% of its budget beyond the money that comes from domain sales.

Some argue that these additional accreditations give the Registrars additional power in the
domain aftermarket in auctions of expired domains. However, this power would diminish once a
Registrar a certain number of accreditations. A serious question here concerns the influence this
grants with ICANN among the Registrars. This level of funding may have created an unknown
power class within the Internet with inappropriate access and permission.

57
Barron’s Law Dictionary, Steven H. Gifis 1991 P 75

KnujOn.com, LLC
Updated: 6/20/2010 Page 86
G. Breach Notices

ICANN has issued breach notices to the following Registrars in the last 12 months. We applaud
ICANN efforts to enforce the rules and publicize the information with a few caveats. First, the
lifecycle of these efforts is not available. Unless a termination is issued the outcome of a breach
notice is not posted in the compliance area. Second, it is clear from KnujOn’s report that many
other Registrars are in breach for a variety of reasons that are more inline with the Internet
consumer experience and less about the main causes of breach like failure to escrow or pay fees.
The breach notices issued so far concern ICANN’s direct relationship with Registrars in areas
only ICANN would be aware of. It would improve consumer trust if breach notices were issued for
many of the problems described in this report as they impact the Internet community on a broader
scale.

Registrar Issue Status Notice

Lead Networks Domains Pvt. Ltd. Failure to comply In receivership, but http://www.icann.org/corresp
with UDRP, not status unclear. See ondence/burnette-to-malik-
supplying Section III, Part I 10jun09.pdf
WHOIS data

CodyCorp Failure to escrow Terminated, status http://www.icann.org/corresp

Western United Domains, Inc
and provide unclear. See ondence/burnette-to-
WHOIS access Section III, PartI bahlitzanakis-08oct09-
en.pdf
Failure to escrow Terminated but http://www.icann.org/corresp
WHOIS status unclear. See ondence/burnette-to-moll-
Section III Part I 15apr10-en.pdf

Mobiline USA, Inc Failure to escrow Terminated http://www.icann.org/corresp

ondence/burnette-to-tesler-
15apr10-en.pdf
DropNation.com, Inc. Failure to escrow Unknown http://www.icann.org/corresp
ondence/burnette-to-strong-
15apr10-en.pdf
Alantron BLTD Port 43 Access Unknown. See http://www.icann.org/corresp
Section I Part A ondence/burnette-to-acir-
16apr10-en.pdf

Internet Group do Brasil, SA Port 43 Access Unknown. See http://www.icann.org/corresp

Section I Part A ondence/burnette-to-
malinardi-02apr10-en.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 87
H. Issues of Defunct Registrars

Terminated Registrars Still Selling gTLD Domains and/or Claiming Accreditation

Hosting365 Inc. (hosting365.ie) was terminated by ICANN January 10, 2010

(http://www.icann.org/correspondence/burnette-to-mccarron-25nov09-en.pdf) but still offers gTLD
as “register365.com” which is not an accredited Registrar either.

Hu Yi Global Information Resources Holding Company (8hy.hk) was terminated by ICANN

June 10, 2009 (http://www.icann.org/correspondence/burnette-to-ho-10jun09.pdf) still claims
ICANN accreditation, displays ICANN Registrar icon, and sells gTLDs.

DotSpeedy LLC dba dotspeedy.com (dotspeedy.com) was terminated by ICANN March 29,
2010 (http://www.icann.org/correspondence/burnette-to-alexandrine-12mar10-en.pdf) but still
sells gTLD and is soliciting resellers.

Mobiline USA, Inc. dba domainbonus.com (domainbonus.com) was terminated by ICANN

June 7, 2010 (http://www.icann.org/correspondence/burnette-to-tesler-14may10-en.pdf) but still
sells gTLD.

AfterGen, Inc. dba JumpingDot (jumpingdot.com) was terminated by ICANN June 10, 2009
(http://www.icann.org/correspondence/burnette-to-bourov-10jun09.pdf) but is still claiming ICANN
accreditation. We could not determine if they actually sell gTLDs.

KnujOn.com, LLC
Updated: 6/20/2010 Page 88
Naugus Limited LLC (naugus.com) – Issued letter of non-renewal October 9, 2009
(http://www.icann.org/correspondence/burnette-to-goodwin-09oct09-en.pdf). Still claims to be a
Registrar under the name “DomainWar.net” which also claims ICANN accreditation, but from the
description sounds more like an eNom reseller.

Simply Named Inc. (simplynamed.com) – Issued letter of Non-Renewal on July 30, 2009
(http://www.icann.org/correspondence/burnette-to-pearcy-30jul09-en.pdf) for failure to escrow
WHOIS. Simply Named no longer appears in the ICANN/Internic directories but is still selling
gTLD domains and goes by the name “BestRegistrar.com” which is not an accredited company
either. Simplynamed.com does not claim ICANN accreditation but displays the individual seals for
.ORG, .BIZ, and .INFO (see below).

Lead Networks Domains Pvt. Ltd. (leadnetworks.com) was issued a letter of Non-Renewal
(http://www.icann.org/correspondence/burnette-to-malik-14jul09-en.pdf) on July 14, 2009 after a
series of controversies (Breach notice: http://www.icann.org/correspondence/burnette-to-malik-

KnujOn.com, LLC
Updated: 6/20/2010 Page 89
10jun09.pdf, Lead Networks “undermines the efficacy of the UDRP”:
http://www.wipo.int/export/sites/www/amc/en/docs/icann090409.pdf). Lead Networks is still listed
in the ICANN/Internic directories. What we have not understood is that Lead Networks listed itself
previously as being in the United States but all ICANN correspondence was sent to India. The
directory now points to this page: http://leadnetworksreceiver.net which indicates the Registrar is
in receivership following a lawsuit filed be Verizon. However, the original site (leadnetworks.com)
is still active, claiming ICANN accreditation and selling gTLDs. It is unclear if this site is being
operated by the court-appointed receiver.

Western United Domains, Inc. (wudomains.com) was terminated by ICANN June 7, 2010
(http://www.icann.org/correspondence/burnette-to-moll-14may10-en.pdf). Status is unknown
since site only ever displayed a log-in interface.

Broadspire Inc. (broadspire.com) has not been listed in the directory for some time and while
there is no termination document there is a note on an ICANN page that Broadspire is “NO
LONGER ACCREDITED” 58 . However, this company still sells gTLD and claims ICANN
accreditation.

58
www.iana.org/assignments/registrar-ids/

KnujOn.com, LLC
Updated: 6/20/2010 Page 90
Defunct Registrars with unclear status

VentureDomains, Inc. (upc360.com) sells gTLD, status and accreditation are unclear.

WEB INTERNET LLC/Web Site Source, Inc. – Status unclear

DomainCannon.com LLC, Termination sent January 26 2010

(http://www.icann.org/correspondence/burnette-to-daste-26jan10-en.pdf). Status unclear, site
directs to Hover.com (Tucows).

OOO Russian Registrar (ruregistrar.com) November 25 2009 ICANN Sends Notice of

Termination (http://www.icann.org/correspondence/burnette-to-petrov-25nov09-en.pdf). Site
appears re-registered to different party, no Registrations.

CodyCorp.com Inc. (codycorp.com) terminated by ICANN January 25, 2010

(http://www.icann.org/correspondence/burnette-to-bahlitzanakis-24dec09.htm.pdf). Site has
strange content requesting "Please turn cookies on to continue" and that the user drop certain
security and privacy settings.

BP HOLDINGS GROUP INC. (is.com) issued non-renewal letter October 9, 2009

(http://www.icann.org/correspondence/burnette-to-bahlitzanakis-09oct09-en.pdf) but site is active,
requires password log-in.

Terminated Registrars with inoperable websites

redregister.com
maximinternet.com
Sundance Group, Inc. (sundancegrp.com)
Clertech.com Inc. (clertech.com)
Desto! Inc. (desto.com)
DROPLIMITED.COM
DNGLOBE LLC (dnglobe.com)
R.B. Data Net LTD (datanet2004.com)
DOMAIN JINGLES INC. (powerwindows.com)
South American Domains (namefrog.com)

Defunct Registrars that are clearly defunct

Tahoe Domains, Inc. (tahoedomains.com) issued non-renewal letter July 30 2009

(http://www.icann.org/correspondence/burnette-to-ball-30jul09-en.pdf) and directs customers to
Answerable.

Mouzz Interactive, Inc. issued non-renewal letter October 9,

2009(http://www.icann.org/correspondence/burnette-to-faziani-09oct09-en.pdf). Directs visitors to
http://www.sibername.co.uk for registering new domains

KnujOn.com, LLC
Updated: 6/20/2010 Page 91
Registrars No Longer Listed in ICANN/InterNIC Directory – Status Unclear

! $ ! Bid It Win It, Inc. DOMAINPROCESSOR.COM REGISTER FOX INC.

!!! BB Bulk, Inc. dba My Name Now DOTFORCE CORP. D/B/A DOTF Rerun Domains, Inc.
# 1 DotMobi Registrar DOUBLE NETWORK INC. RJG Ventures, LLC
#1 Accredited Registrar DSTR ACQUISITION II LLC DB Slaphappy Domains, Inc.
1 DOMAIN NAMES INTERNATIO DSTR ACQUISITION VII LLC SmartyHost Pty Ltd.
1 HOST AMERICA INC. DSTR ACQUISITION. I LLC DB Snowflake Domains, Inc.
1 HOST RUSSIA INC Emily Names Domains, Inc. SOLID HUB INC.
12 REGISTER BV ENAME INC STARGATE HOLDINGS CORP.
8068 Registrar, Inc. ESOFTWIZ INC. SUGGEST NAMES INC
89AM Web Services, Inc. FarStar Domains, Inc. THE NAME IT CORPORATION
89Dian Registrar, Inc. FIRST INSTANT INC. TITANIC HOSTING INC.
A Mountain Domains, Inc. Flatme Networks, Inc. TOTALREGISTRATIONS
A Rite Tern, LLC FORTUNE INTERNET INC. TRANSPAC
A. W. B. Trading, Inc. FOX EDGE INC Triple.com, Inc.
AAAQ.COM INC. GET CHEAPEST DOMAINS INC
ABR PRODUCTS DBA MISK.CO Get SLD, Inc. Uniport Net Services, Inc.
ABSTRACT NAMES INC. GETDOMAINSIWANT.CA INant.ca URBAN VOLCANO INC.
ACTIVE INSIDER INC GO ITALY DOMAINS INC. Valley Apples, Inc.
AFTERNIC INC Gr8T Names, inc. VENUS DOMAINS INC.
ALL WEST COMMUNICATIONS I iCrossing, Inc. VIBRANT NETWORKS INC
AMERICA ONLINE INC. DBA AO INFINITE STORE INC. Walela Brook, Inc.
AO Domains, Incorporated INITIAL ONLINE LIMITED WANT DOMAIN NAMES INC
APEX REGISTRY INC. INNERWISE INC. D/B/A ITSYOU Web.com Holding Company, Inc.
ATCOM TECHNOLOGY LLC Inter China Network Software (Beijing) Co. Website Source, Inc.
BEST REGISTRATION SERVICES Intercosmos Media Group, Inc. WGB Registry, Inc.
Bindrop LLC Lazy Dog Domains, Inc. White Socks Domains, Inc.
BLOG.COM - DIGITAL COMMUN Le Grand Nom, Inc. WIRED WEBSITE INC
Blueweb, Inc. Level 10 Z-Core, Inc.
BRAZIL CONNECTION LTD. DBA Lime Spot, LLC Zipa, L.L.C.
CAPITAL NETWORKS PTY LTD
Colorado Names Domains, Inc. MODERN GRID INC.
Colossal Names MojoNIC, L.L.C. dba MojoNIC.com
COMMUNIGAL COMMUNICATI NAME TWISTER INC.
COTTON WATER INC Names Bond
DBMS, Incorporated NAMESBEYOND.COM DBA GO
DESERT DEVIL INC. NAMESDIRECT.COM INC.
Deviation, LLC, d/b/a Domoden Naming Web, Inc.
DevStart, Inc. NEEN.IT INC. DBA NAMESPRI
Domain Contender, LLC NETBENEFIT PLC AKA NETNA
DOMAIN GUN INC. Nihao Communications, Inc.
DOMAIN MODE INC. Nitin Corporation dba Misk.com
DOMAIN MONARCH INC. NUCLEAR NAMES INC.
DOMAIN NAME SALES CORP. Oil Change Domains, Inc.
DOMAIN SYSTEMS INC. PAIRNIC
DOMAINDISCOVER Pitchback Domains, Inc.

KnujOn.com, LLC
Updated: 6/20/2010 Page 92
I. Soviet Union ccTLD (.SU) Policy and Status Unclear

This is still an issue of debate and arguments can be made for the cultural and historical
preservation, but the focus of this report, in terms of .SU, is on accountability of a ccTLD and
whether new registrations of .SU should be allowed and permitted for parties who had no
connection to the Soviet Union. Currently, there are 336 .SU NameServers serving gTLD
domains. In attempting to research this issue we first checked the ICANN directory of ccTLD
agreements (http://www.icann.org/en/cctlds/agreements.html). The .SU management agreement
is curiously absent from ICANN’s list of ccTLD agreements and is the only active one not listed.
The first time we asked ICANN about this discrepancy, we received an anonymous and irrelevant
reply:

“ICANN does not accredit registrars for ccTLDs or set registration policy for
ccTLDs. For details about ccTLD registration policy, you should contact the
designated country code manager.”

However, our question was about the listing of the policy. Every other ccTLD agreement is clearly
posted on the ICANN website. Additionally, the answer is not completely accurate since all
agreements are issued by ICANN and signed by the ICANN CEO as well as the sovereign
representative. We followed up by re-asking the question to ICANN staff who did not respond to
the request for clarification. Why ICANN staff is helping obfuscate this issue is an open question.

Here is what we do know. According to IANA documents 59 , .SU is ostensibly sponsored by The
Russian Institute for Development of Public Networks (ROSNIIROS). The Soviet Union officially
ceased being a sovereign nation December 8, 1991 when it was dissolved and replaced by the
Commonwealth of Independent States. This was further affirmed on December 12 when Russia
official seceded from the union and denounced the original 1922 treaty that created the Soviet
Union. It has been 19 years, but .SU endures. According to some sources .SU is “marked for
retirement” 60 but has so far evaded closure. Starting in December 2006 there was an open
comment period at ICANN concerning the sunsettting 61 of .SU. The response was largely from
.SU users who did not want it retired. 62 The “SU” designation was removed from the ISO
standards (ISO 3166-1) and ICANN rules dictate this be the source for ccTLD codes. In 2007 the
directors of the Russian information centers(RIPN and FID) sent a letter to ICANN president Paul
Twoomey pleading that the .SU community not be disrupted. 63 The issue was again discussed
briefly last June at ICANN Sydney but not seriously addressed. 64

This is complex but not unique. Compare to the policies concerning:

.DD for "DDR", Deutsche Demokratische Republik (German Democratic Republic), AKA East
Germany, now consolidated politically with Deutschland (Germany) and with their ccTLD .DE.
.DD was retired in 1990

.CS for Československo (Czechoslovakia) was retired in 1995 as the country split into the Czech
Republic and Slovakia which are now represented by .CZ and .SK.

59
http://www.iana.org/domains/root/db/su.html
60
http://blog.icann.org/2007/09/the-lives-of-country-code-domains/
61
http://www.icann.org/en/announcements/announcement-2-05dec06.htm
62
forum.icann.org/lists/cctld-sunset-comments/
63
http://www.icann.org/correspondence/soldatov-to-twomey-24jun07.pdf
64
https://st.icann.org/data/workspaces/alac/attachments/sydney_meeting_reports_tuesday:20090710231344-0-
11573/original/Transcription%20ALAC%20Policy%20Meeting%2023%20June%202009.pdf

KnujOn.com, LLC
Updated: 6/20/2010 Page 93
Finally, Yugoslavia's ccTLD, .YU, was retired March 30, 2010 and mostly replaced by .RS for
Republika Srbija (Republic of Serbia), but also potentially by one of the other Balkan nations
Croatia (.HR), Montenegro (.ME), Slovenia (.SI), Macedonia (.MK), or Bosnia and Herzegovina
(.BA).

.SU remains an anomaly in a politically and geographically updated Internet. However, our
concerns are not political. We are primarily concerned with the accountability of a ccTLD that has
no sovereign government and one that is being sold by a U.S.-based Registrar (101domain.com)
to people who have no connection to the Soviet Union.

The policy discussion for .SU needs to be brought out of the shadows. It is possible this TLD
extension could be preserved as a new gTLD, but to allow it to linger as a phantom ccTLD
indefinitely does not engender openness, transparency, and accountability.

KnujOn.com, LLC
Updated: 6/20/2010 Page 94
J. Moot Issues

Data was collected for this report over several months and situations changed during this period.
We documented several situations that would otherwise be worthy of reporting had the Registrar
involved not been terminated or purchased during the study or the issue was corrected.

Cool Ocean, Inc. (coolocean.com)

Cool Ocean’s ICANN listed address was until recently 15 West 47th Street New York, NY 10036
which is an odd address. For those unfamiliar this section of Manhattan is called “Diamond Row”
and is almost exclusively populated with jewelry stores. It seemed a curious location to us so we
attempted to verify Cool Ocean. 15 West 47th is a complex of jewelry stores. We spoke to a
building manager who had worked there for years and he had never heard of Cool Ocean Inc.
However the address and apparent ownership has since changed and the website does not sell
gTLDs.

Kontent GmbH (komplex.net) - For a time not listed at ICANN any more, but still offering gTLD
domains and displays ICANN seal. Accreditation was just recently renewed.

Invalid Corporations Most states in the U.S. prohibit using a public mailbox, “U.S. post office
box” in a Business Registration. Because any leasing of a delivery box at UPS, Mailboxes Etc,
and other such services require the customer to enter into an agreement with the U.S. Postal
Service, those deliver boxes are also considered U.S. Postal Boxes.

GMO Internet, Inc. dba Discount-Domain.com and Onamae.com contacted us on June 13, 2010
to disclose that their WHOIS is located at whois.discount-domain.com.

Melbourne IT DBS, Inc. (MelbourneITDBS.com) contacted us June 15, 2010 to disclose that
their WHOIS is located at whois.melbourneit.com.au

KnujOn.com, LLC
Updated: 6/20/2010 Page 95
Closing Recommendations

First and foremost, a comprehensive audit of all Registrars is called for. Most of these problems
concern such basic services of the Registrar that it is quite possible other unseen violations are
occurring.

In terms of dealing with illicit pharmacy domains a detailed review of the impact this traffic has on
the Internet and Registrars is called form.

• ICANN or supporting groups should create a working group to specifically address the
issue of illicit online pharmacy
• ICANN or supporting groups should initiate a study to determine how much Registrar
income is derived from pharmacy-type domain registrations
• ICANN or supporting groups should survey Registrars to determine how complaints of
illicit pharmacy are handled and what the typical outcome is
• ICANN or supporting groups solicit the input of international pharmacy and health
organizations to develop policy concerning pharmacy domains
• ICANN should encourage Registrars to voluntarily adopt policy similar to Godaddy’s
• ICANN should adopt a Pharmacy disclosure policy on new and renewed registrations, a
check box which reads: “This registration is for a duly licensed pharmacist,
pharmaceutical professional, certified medical professional, or related pharmaceutical
business in the jurisdiction in which the domain is registered” or “This domain will be used
for the lawful dispensing of pharmaceuticals” or language found to be appropriate. The
Registrar need not determine that the registrant is a duly licensed pharmacist, , only
collect their affirmation that they are or are not. Registrants who affirm they are not
licensed pharmacists and are found to be selling pharmaceuticals would receive an
immediate domain suspension. If a registrant has affirmed that they are a licensed
pharmacist but has refused to provide proof upon request would receive an immediate
domain suspension. To resolve disputes that may arise from these terminations, a
transparent process should be developed that holds the Registrar blameless for proactive
terminations of this kind.
• Adopt the Law Enforcement amendments of the RAA
• Katz Global should have its reseller license suspended
• ICANN needs to be more open about multi-accreditation Registrars and inter-Registrar
accreditation sales
• Reconsider the WHOIS recommendations from Ben Edelman
• KnujOn will be performing its own audit of the entire gTLD WHOIS record set. Outside
assistance would be accepted but it is not required.
• Registrars should be compelled to resolve any outstanding consumer issues
• Registrar Privacy Service-related UDRP failures need careful review

KnujOn.com, LLC
Updated: 6/20/2010 Page 96