Last week I noted a problem reporting a phishing email to eBay. I'm pleased to report that the phishing website -- ebaychristmas.net -- is now down. However, I'm not pleased to report how long it took. The detail behind the delay is instructive...
From first report to takedown took 13 days (November 25 to December 7), which is simply unacceptable. However, despite the hilarious response from their "Trust and Safety Department," you should note that eBay wasn't the main factor in this delay. Indeed, the company claims that it first started takedown proceedings on November 8.
The main issue was that the phishing webserver was hosted on a botnet of virus-compromised PCs. The DNS entry for the web site served up a sequence of IP addresses, so that requests for the webpage could go to one of many machines. In other words, taking down "the website" wasn't an option.
Removing the DNS entry was the only practical takedown option. However, the DNS registrar for the domain -- Joker.com, a small company based in Switzerland -- was completely unresponsive to all requests to investigate. Finally, it seems Verisign -- the controller of the .net top-level domain stepped in and removed authority for ebaychristmas.net away from Joker.com. Now requests for the web site come back "no such host."
This sorry saga illustrates the fact that it's important for domain registrars to act quickly and responsibly when abuses such as phishing are brought to their attention. Authorities upstream of the registrar need to be able to exercise some sort of leverage if they don't act.
Tags: spam, phishing, eBay.