Tuesday, October 28, 2008

Ding Dong The Witch Is Dead! ( ICANN Pulls the Plug on ESTDomains )

Today is certainly a great day! The first day of NBA season had me feeling good (although I'd rather be watching the Pistons than Cavs-Celtics or Portland-Lakers), but the latest news has me dancing in the living room! (Which is scaring the parakeet, and making the water in the fishtank jiggle alarmingly.)

ICANN's Director of Contractual Compliance, Stacy Burnette, has officially begun termination proceedings to eliminate EST Domains as a registrar.

Anyone who has worked in Internet Security for any amount of time will be familiar with the fact that EST Domains is the registrar of choice for most Eastern European cyber criminals. EST should have realized their time was limited when investigative cyber reporter Brian Krebs shined his searchlights into their dark corner of the Internet with his two part series, that began with A Superlative Spam and Scam Site Registrar and continued with EST Domains: A Sordid History and a Storied CEO.

It was Krebs' second column that started certain parties in the ICANN community to begin the process of finding Estonian court documents that would prove conclusively (and locally) that what Krebs allged in his column was true -- that a known criminal was running an ICANN Registrar.

The hand-writing has been on the wall since Krebs' column, which has lead to an increase in criminal domains being registered on Chinese-based registrars, but historically if a domain was involved in crime or malware, there was a great chance it was going to be registered at EST Domains. (Some of the "Chinese" registrars actually have "subcontractor" arrangements in St. Petersburg and Moscow to allow Russian criminals to register their own domains, but make them appear to be registered in China.)

The ICANN letter opens with:

Dear Mr. Tsastsin:

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction. This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008.

Since Estonian Court records indicate the conviction occurred on 6 February 2008, and EstDomains made no attempt to remove Tsastsin from office because of these convictions, the terms of the RAA allow such a termination.

EstDomains 281,000 domain names under management will be transfered using the ICANN "De-accredited Registrar Transition Procedure" on or before 6 November 2008. An announcement requesting parties interested in taking over the management of these domains was posted on the ICANN website this evening at:


The letter quoted above is also available on the ICANN website, at:


Brian Krebs and all the folks at ICANN, and all the researchers who contributed to bringing this event to pass - Well Done!

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.