| Web site domain name registrars are increasingly finding themselves at the forefront of the never-ending slog against online con artists and phishers. But there is little consensus on how far registrars should go to police their pool of names for fraudulent activity, and the performance of registrars in decommissioning domain names connected to fraud scams is all over the map. Such was one of the many findings in a "brandjacking" report released last month by brand security firm MarkMonitor. November's report, which detailed online fraud trends for Q3 of 2007, was the first to include a list of the top 10 best and worst lists of registrar performance in revoking domain names connected to phishing scams.  Domain name registrars can play a crucial role in getting phishing sites shut down, as most phishing sites use some kind of Web site name in their scam. According to the latest stats from the Anti-Phishing Working Group, 84 percent of scam sites spotted in August used a registered Web site name (the other 16 percent of phishing sites were advertised in spam as numeric Internet addresses - http://123.143.13.256, for example). Most readers are unlikely to recognize any of the registrars in the list of the registrars that lead the industry in fighting phishing. But among the bottom performers, according to MarkMonitor, is Register.com, which took an average of 313 hours - or more than 13 days - to revoke Web site names that were used in phishing scams in the third quarter of 2007. That's more than four times the normal life of a phishing site: The APWG says the average scam site lives online for just over three days. Laura Mather, senior scientist at MarkMonitor, said to be fair, the company is not certain whether the registrars were notified of each phishing site used in computing the takedown times in the report. But she added that many registrars don't see phish fighting as part of their job. "The registrars could be very powerful in phish site mitigation," Mather said. "Until recently, a lot of the registrars have taken the view that it's not their responsibility, and they worry about what problems would be caused if they take action against a domain that isn't actually a phishing domain."  Roni Jacobson, Register.com's executive vice president of product management, called the takedown averages "completely off the mark." Jacobsen said the company takes phishing "incredibly seriously," and that it has a 24/7 abuse line wherein phishing complaints involving any domains in its stable are given top priority. But she acknowledged that the company's efforts on phish fighting haven't always been what they are today. "Over the last quarter, we have made significant improvements to be even more vigilant," Jacobson said. "Thirteen days for something like this is an extremely long time and we generally handle these things in minutes." The APWG is currently drafting a proposal to give registrars and registries (such as Verisign and Afilias) a procedure for taking action against domains used solely for phishing, Mather said. The group could take its proposal to the Internet Corporation for Assigned Names and Numbers (ICANN), which oversees domain policy. But that process can be lengthy and uncertain, so the APWG is trying to get the registries and registrars to implement it themselves. "We're talking to a couple of registries that are very close to being willing to adopt this." 责任编辑:米尊 |