Domain Registrars Must Respond Quickly to Phishing Abuse

Last week we noted a problem reporting a phishing email to eBay. I'm pleased to report that the phishing Web site -- ebaychristmas.net -- is now down. However, I'm not pleased to report how long it took. The detail behind the delay is instructive.

It took 13 days from the first report to takedown (November 25 to December 7), which is unacceptable. eBay wasn't the main factor in this delay (indeed, the company claims that it first started takedown proceedings on November 8). The main issue was that the phishing Web server was hosted on a botnet of virus-compromised PCs. The DNS entry for the Web site served up a sequence of IP addresses, so that requests for the Web page could go to one of many machines. In other words, taking down "the Web site" wasn't an option.

Removing the DNS entry was the only practical takedown option. However, the DNS registrar for the domain -- Joker.com, a small company based in Switzerland -- was completely unresponsive to all requests to investigate. Finally, it seems the controller of the .net top-level domain stepped in and took authority for ebaychristmas.net away from Joker.com. Now requests for the Web site come back "no such host."
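For anyone triaging a report like this one, the rotating DNS answers described above can be recognized from a handful of repeated lookups, which tells you early that the report belongs with the registrar rather than a hosting provider. The sketch below is an added example, not part of the original post; the domain names, addresses (RFC 5737 documentation ranges), thresholds and function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (lookup number, queried name, A records returned).
# Names are placeholders; addresses come from the RFC 5737 documentation ranges.
LOOKUPS = [
    (1, "rotating.example", ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    (2, "rotating.example", ["198.51.100.91", "203.0.113.5", "192.0.2.200"]),
    (3, "rotating.example", ["203.0.113.77", "192.0.2.61", "198.51.100.18"]),
    (1, "stable.example", ["192.0.2.80"]),
    (2, "stable.example", ["192.0.2.80"]),
    (3, "stable.example", ["192.0.2.80"]),
]

def profile(lookups):
    """Summarise, per name, how the A records change across repeated lookups."""
    seen = defaultdict(lambda: {"lookups": 0, "ips": set(), "nets": set(),
                                "answers": set()})
    for _, name, addrs in lookups:
        entry = seen[name]
        entry["lookups"] += 1
        entry["answers"].add(frozenset(addrs))
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            entry["ips"].add(ip)
            # A /24 is a rough stand-in for "a different network" (assumption).
            entry["nets"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return {name: {"lookups": e["lookups"],
                   "distinct_ips": len(e["ips"]),
                   "distinct_nets": len(e["nets"]),
                   "distinct_answers": len(e["answers"])}
            for name, e in seen.items()}

def escalation_target(stats, min_ips=5, min_nets=3):
    """Decide where the abuse report should go. Thresholds are illustrative."""
    rotating = stats["distinct_answers"] > 1
    if (rotating and stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets):
        return "registrar"         # many machines: no single host to take down
    return "hosting provider"      # one stable server: report to its network

if __name__ == "__main__":
    for name, stats in profile(LOOKUPS).items():
        print(name, stats, "->", escalation_target(stats))
```

In practice the lookups would come from your own resolver logs or passive DNS data, collected over a longer window than three queries.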

This sorry saga illustrates how important it is for domain registrars to act quickly and responsibly when abuses such as phishing are brought to their attention. Authorities upstream of the registrar need to be able to exercise some sort of leverage if the registrar doesn't act.

... Richi Jennings
