In reading one of the many stories about Jotform.com the site whose domain was seized and then returned by the Government for reasons still unexplained and therefore unknown reasons last week.

I came across the servers SPAM-AND-ABUSE.COM on which the domain name Jotform.com was placed on a few days ago and then removed from on Friday.

According to DailyChanges.com, There are currently over 225,000 domain names on the servers SPAM-AND-ABUSE.COM (you might also see the servers listed as ns1.suspended-for.spam-and-abuse.com)

The domain name SPAM-AND-ABUSE.COM is owned by Godaddy.com

The domain name SPAM-AND-ABUSE.COM does not resolve, so if a domain name is moved to the servers the domain and site will no longer resolve and of course any email directed to the domain will bounce.

Out of the 225,000 domain names placed on these servers, 212K are .info domains or about 90%.

It looks just by those numbers that a substantial  portion of the domains placed on these servers are there for a good reason.

I reached out to Godaddy.com and asked about these servers; how domains get moved to the servers and how a domain holder can gets it domain name moved off these servers back to its normal servers and make their site and email operational again.

I also asked if the domain name once moved to these servers where locked at the registrar level or could be transferred to another registrar.

To the great credit of Godaddy and while I certainly didn’t expect a response during a holiday weekend I got one.

Actually I got several.

Ben Butler,  Director of Network Abuse for Godaddy explained the process as follows:

“”You probably know Go Daddy has a long history of addressing abusive practices on its network.”

” While we don’t “police” or “monitor” our systems for these activities (nor could we due to the prohibitively large scope of such an effort), we do receive many thousands of complaints every month on a variety of abusive practices such as spam, phishing, malware installers, and so on.”

“We investigate each complaint that comes in.”

“Those investigations sometimes demonstrate a need to re-direct the DNS of an abusive domain name in order to prevent further harm.  (For example, an extra hour of up-time for a phisher can result in thousands of identities being stolen, so time is of the essence in many cases.) ”

“Domains pointed at the name servers you listed will not resolve unless and until the underlying issue is addressed by the registrant.  Redirection of the DNS can also sometimes be combined with a “hold” status that would remain in effect until the customer can address the problem with our 24×7 Abuse Response Team.”

“There are many types of harmful and illegal activity that can result in a domain being suspended and directed to these servers. ”

“The majority of domains that continue to be pointed at these servers, even after we encourage the registrant to cure the problem, are “throw-away” domains involved in snowshoe spam operations, identity theft, malware and botnet controls, and illegal pharmacies. ”

“It is not unusual for one snow-shoe spammer to register 10,000 domain names, knowing full well that those names will soon be redirected for violation of our TOS.  The reason there is such a large number of names pointing to those servers on an ongoing basis is that most of the bad actors behind these domains are not interested in resolving the situation.  They just go register a new set of names and continue their spam runs.  The result is a large number of malicious domains left resolving to the Abuse name servers.””

“””There can be any number of variables in this proces”

“As far as getting a domain that has been suspended (and thus pointed to the Abuse name servers), all the customer needs to do is contact our Abuse team who are available by email and phone 24 x 7 x 365 and address the underlying abuse issue.”

” Since there are many forms of abuse, what is involved to resolve the issue can vary, but as a general rule, as soon as the customer commits to stopping the abusive activity and abiding by our Terms of Service in the future, the domain can be re-activated.”

“It wouldn’t be fair to say that every domain resolving to the Abuse servers is on a Registrar lock, but in many cases that would be true.”

“In most cases, the “lock” would prevent the customer from simply changing the name servers back. ”

“The point being that if there is an abusive activity happening that warrants suspension, we need to be able to ensure that the issue is being resolved before we turn it back on.”

“In cases where the activity can cause real harm to the internet users, we would also prevent a transfer until the customer communicates with us.”

“This involves customer education efforts by our Abuse staff to help the customers understand the policies, requirements, and best practices that will help them avoid further issues. ”

“At that point, in most cases, the customer can choose to re-activate and remain a Go Daddy customer, or to transfer to another provider. ”

“The intentional bad-actors are responsible for most of the suspended domain volume, but the majority of customers that have a domain suspended as part of this process gladly remain customers and never have any more abuse issues.”

“As you noticed, the overwhelming majority of domains that are currently pointed to the Abuse servers are .INFO domains that were suspended as part of a snow shoe spam operation or similar “distributed” forms of domain abuse.  The changes you saw this week were the fruits of some long investigations dealing with of the worst known spam and malware organizations.””

While the Forbes article and some others in the blogosphere seem to want to make Godaddy responsible for the take down of Jotform.com I’m going to defend Godaddy.

I have attended several ICANN meetings where the registrars ask law enforcement to keep them in the loop and notify them if there is an issue with a domain since ultimately its their customer that is effected and the registrar is the one that gets the call from the customer to see what happened to their domain, site and email.

If law enforcement goes directly to the registry, like Verisign which they have done many times to seize a domain, the registrant will call their registrar to find out what happened.

The registrar is generally out of the loop when law enforcement goes directly to the registry, therefore the registrar will have no answers for their customer of what happened to the customers domain, often they don’t even know about law enforcement’s action when their customer calls them.

Its a horrible position for a registrar to be in.

If as in this case the Secret Service comes knocking telling you as a registrar to take down a domain a website and you refuse,  they won’t be too happy with you.

Remember the government can always and frequently goes to the registry directly bypassing the registrar asking them to seize the domain.

Next time when another issue arises the Government won’t both asking the registrar, they will go directly to the registry.

If the registrars want the Government to contact them first as to issues involving domains so they can deal with their customers directly then they pretty much have to comply.  Its pretty tough to tell the Secret Service to screw off, knowing that all they have to do is going to the registry and get the domain.

On the other hand if the do comply they open themselves up for endless criticism all for $10 a year.

At the end of the day its the Government’s responsibility to check, double check and actually it would be nice if they were required to get a court order before getting a domain pulled down to eliminate errors.

On the other hand as we saw with Megaupload there are some real abuses out there and notifying the domain holders/site owners may put law enforcement at a real disadvantage.