Home / Blogs

What’s Driving Spam and Domain Fraud? Illicit Drug Traffic

Spam is not about who sent it, it’s about who benefits from it. For a moment forget everything you know about filters, zombie PCs, firewalls, spoofing, viruses, beisyan algorithms, header forgery, botnets, or blacklists. These are all methods for sending spam or preventing spam delivery. None of these explain why spam is sent and for far too long all the attention has been paid to the effects and not the driving force. Under the endless onslaught of junk mail it is easy to feel that the goal of the game is send spam and annoy us all. But this isn’t the goal. The goal of spam is a transaction. Motivation not method.

A transaction in this sense could be many things. It can refer to the traditional meaning of the word: someone voluntarily exchanging some kind of money for a product or service, like buying illicit products from shady. In terms of cybercrime it can also refer to the involuntary exchange of information, like the reveal of a password, credit card, or bank account information. It could mean that a virus was installed on your pc that opens it up to abuse. An email recipient could follow a link charges and advertising account, click-fraud. Or, a transaction could simply be that the recipient of the spam comes to believe that something is true and then acts on it. Examples of this being stock spam and urban legends. A consumer believes that a stock price will increase so they buy some. An email user believes a chain-hoax to be true so they forward it to more people. Sending spam is not a transaction, it’s just an advertisement. The transaction only occurs when the spam recipient takes action or provides money, information, or access.

There are two broad categories of spam emails: ones that advertise a URL and ones that do not. Stock spam, degree mills, and advance fee scams (so-called 419 or Nigerian scams). For the purposes of this discussion we’re focusing on the URL-based spam.

Transactions for products and services occur at websites. There is certainly a diversity of products advertised in spam but far and away the number one item: Drugs. Not heroin, cocaine or marijuana but illicit pharmaceuticals. This should not come as a surprise to anyone as Viagra has become synonymous with spam and vice-versa. But it’s not just lifestyle drugs. Painkillers, psychotropics, anti-depressants, diabetics, and pretty much any drug that requires a prescription are being sold on domains sponsored by ICANN Accredited Registrars. The only problem here is that these drugs are being sold without a prescription. No, the drugs do not come from Canada. Even though “Canada” is a favorite term for these websites the pills come from Turkey, Serbia, Moldova, and India. The medicine may be real or it may not be, but anyone consuming them is risking their health as well as giving money to organized crime.

Spam offers everything from septic tanks to prostitution, but illicit prescriptions are most of the problem. Rogue pharmacy is now at least at $100 Billion illicit industry and the Internet is driving its growth with absolute impunity.

Criminals hire spammers to promote websites where drugs are sold illegally. Because spammed websites are quickly discovered and complained about they are often taken down soon after a spam campaign. To deal with this problem drug traffickers use multiple layers of linked and redirected domains that are not spammed, stay intact and endure. Spammers may in fact be the Registrars best customers. Whereas the ordinary business may buy one or two domain names, spammers buy thousands and then dump them. The Registrar can then resell the defunct domain names, so they get paid twice for the same item.

Some reading this may think that Registrars are the fall guy here as it is impossible to track the activity of the thousands of domain names they sponsor. Problem is, they have been specifically informed of which domains are conducting illegal activities multiple times. Some might wonder then who is KnujOn to tell a Registrar about fake pharmacy domains? Actually, our reports have been endorsed by the National Association of Boards of Pharmacy(NABP), The National Center on Addiction and Substance Abuse at Columbia University (CASA), The American Pharmacists Association (APhA), and the Partnership for Safe Medicines.

Regardless of our endorsements, if a Registrar receives information of an illicit pharmacy site sponsored by them from any consumer and does not investigate and terminate, that Registrar is now aiding criminals. If a Registrar continues to accept payment from the domain owner after being notified, they are then receiving money from organized crime.

Bottom line is that the Registrars have the authority and technical ability to terminate a domain, even though many claim they do not. Registrars have the power to stop rogue pharmacy domains. The illicit networks rely on stable domains just like any other business. However, until the Registrars are told to stop sponsoring illicit drug traffic they will continue to do so. It is a ridiculous dance that cannot go on much longer. This farce is going to come to an end. No more pointing fingers at the ISPs only, terminating a domain breaks the spam link and closes the transaction platform.

By Garth Bruen, Internet Fraud Analyst and Policy Developer

Filed Under


It varies Suresh Ramasubramanian  –  Nov 20, 2009 7:14 AM

Pills yesterday, fake rolexes some other day .. malware URLs that broadcast trojans some other day.  It varies.

Yes, we want to make pill traffic Garth Bruen  –  Nov 20, 2009 2:55 PM

Yes, we want to make pill traffic yesterday’s problem so we can tackle fake rolexes tomorrow. Thanks for making that point.

Registrars have the power to stop rogue Th. Kühne  –  Nov 20, 2009 9:37 PM

Registrars have the power to stop rogue pharmacy domains.

That sounds like an invitation for successful lawsuits against the registrars(as well as registries) on two fronts:

* the finding if some operation is a “rogue pharmacy” is usually reserved to courts of law and similar institutions
* what happens if a registry establishes a no-rouge-pharmacy policy and fails to enforce it against a registered domain(e.g. the registry wasn’t aware)

That said, registries and registrars should of course enforce their TOS: valid name/address/means of payment.

@Th. Kühne Garth Bruen  –  Nov 20, 2009 9:45 PM

the finding if some operation is a rogue pharmacy is usually reserved to courts of law and similar institutions

Nope, the licensing is done at the local level by board certification

what happens if a registry establishes a no-rouge-pharmacy policy and fails to enforce it against a registered domain(e.g. the registry wasn’t aware)

If they’re not aware they can’t enforce. The problem begins when they are informed and do nothing.

That said, registries and registrars should of course enforce their TOS: valid name/address/means of payment.

The typical TOS also includes “no illegal activities” clause (as does the UDRP) as well as clauses that forbid activities that may harm the public or result in a lawsuit against the provider.

I've done a cursory look at the Th. Kühne  –  Nov 20, 2009 10:26 PM

I've done a cursory look at the TOSs of Go Daddy, Enom, Tucows and Networksolutions. While all of them contain rules against illegal use, the wording seems only to apply to value added services like DNS hosting, email forwarding etc. and not the domain registration itself. The UDPR does contain (2.c and 2.d) wording against illegal use but also requires an UDPR proceeding(or order of court) to establish the illegal use and decide applicable actions. Unless I'm missing anything, the registrars would have to request an UDPR decision to cancel domains registered with them.

I suppose cybercrime is a myth and Garth Bruen  –  Nov 23, 2009 3:37 AM

You make a number of statements about “organized crime” “felonies” “subverted the entire DNS” and “raking in billions” that you would have extreme difficulty proving in a court.

I suppose cybercrime is a myth and the Registrars have no responsibility to anyone, that’s one theory.

But if that were true Interpol and 24 governments wouldn’t be conducting massive sweeps of fake Internet pharmacies: http://www.interpol.int/Public/ICPO/PressReleases/PR2009/PR2009111.asp

The FDA, Customs, DEA and Postal Inspectors wouldn’t be taking down illicit pharma operations and including Registrars and ISPs as part of that: http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm191330.htm

And I suppose MarkMonitor’s excellent report on the rapid growth of pharma brandjacking is also an exaggeration: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220300056

This is a dark, dangerous illicit market that cares little for public safety as they prey on consumer fears and market fake flu medicine online: http://blogs.wsj.com/digits/2009/11/18/cybercrime-capitalizes-on-swine-flu-fears/

The Registrars have a choice. They can help end the illicit use of their products or they will soon find themselves more heavily regulated. The heavy regulations will surely lead to the increases in pricing you fear.

The guidelines are quite clear. The crime Garth Bruen  –  Nov 23, 2009 4:28 AM

My point is that registrars do not have the knowledge or ability to determine what is a “crime” and should not have the ability to go around shutting down domains for whatever reason they want.

The guidelines are quite clear. The crime is quite clear. We’re not talking about “shutting down domains for whatever reason they want”, we’re talking about a very specific set of circumstances. Registrars are providing an easy portal for international drug traffickers to meet victims in ways they could not dream of 20 years ago. The amount of money flowing through this portal is unprecedented and actually quantifiable. The Internet has erased the protective layers of doctors, pharmacists, regulatory inspections, and industry standards. The role of the Registrar in this dramatic shift has not gone unnoticed and will continue to be the focus of regular scrutiny.

As predicted, it's coming around Garth Bruen  –  Dec 15, 2010 2:57 PM

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign