
On Thu, Apr 19, 2018 at 05:57:48PM -0400, bzs@theworld.com wrote:
> One of the memes driving this WHOIS change is the old idea of "starving the beast".
>
> People involved in policy discussions complain that "spammers" -- many only marginally fit that term other than by the strictest interpretation -- use the public WHOIS data to contact domain owners.
>
> I've countered that 20+ years experience trying to "starve the beast" by trying to deny them access to email and other casual contact info has proven the approach to be useless.

I've been trying to kill this same meme for years, and it just won't die. It's related to the equally-silly meme that says that email/newsgroup archives should have the addresses of participants obfuscated, and it's just as wrong. Let me make yet one more likely-futile effort:

1. WHOIS data is a poor source of email addresses. It always has been. Much richer ones exist and new ones show up all day, every day. The same can be said for mailing list/newsgroup archives. Moreover, many of those people are poor choices as victims.

2. Those much richer sources include (and this is far from exhaustive):

	- subscribing to mailing lists
	- acquiring Usenet news feeds
	- querying mail servers
	- acquiring corporate email directories
	- insecure LDAP servers
	- insecure AD servers
	- use of backscatter/outscatter
	- use of auto-responders
	- use of mailing list mechanisms
	- use of abusive "callback" mechanisms
	- dictionary attacks
	- construction of plausible addresses (e.g. "firstname.lastname")
	- purchase of addresses in bulk on the open market.
	- purchase of addresses from vendors, web sites, etc.
	- purchase of addresses from registrars, ISPs, web hosts, etc.
	- domain registration (some registrars ARE spammers)
	- misplaced/lost/sold media
	- harvesting of the mail, address books and any other files present on any of the hundreds of millions of compromised systems

	annnnnnd

	- the security breach/dataloss incident of the day

3. The bottom line is that, starting about 15 years ago, it became effectively impossible to keep any email address *that is actually used* away from spammers. [1] Simultaneously, it became a best practice to assume this up front and design defenses accordingly.

4. You know who is best-protected by restrictions on WHOIS and obfuscated domain registration? Spammers, phishers, typosquatters, and other abusers. It's not a coincidence that the number of malicious domains has skyrocketed as these practices have spread. (And "skyrocket" is not an exaggeration. I've been studying abuser domains for 15+ years and I have no hesitation saying that easily 90% of all domains are malicious. And that's likely a serious understatement. Why? Because whereas you and I and other NANOG-ish people register one here, one there, whether for professional or personal or other use, abusers are registering them by the tens of thousands and more. Much more.)

---rsk

[1] Yes, there are edge cases. I *know*.