The most simplest, quickest, and easiest fix for this would be for ARIN to strip or mark as unusuable the email address of any contact in their database with an expired domain. Technically this is not so easy. The only way to implement it for sure is to get whois dump from verisign-grs and this they do not allow. A way around is getting .com, .net, .org zone files and look for any domains
that are deleted or changed to list no dns servers (this happens before being deleted), but some registrars do not do this (i.e. delete dns servers from domain) and may even retain the domain for themselve putting it on special buy list for their other customers. I'll try to do this myself as described above for domains that are possibly being deleted in .com, .net, .org and that have any associated arin whois contacts as sidetrack of larger project, you'll probably hear about it in 6 months. I'll also try a different way by just doing individual whois checks for all arin contacts for old blocks and then periodically checking on those domains with whois (this I maybe able to implement sooner actually). I'm not sure what to do with this data though (i.e. when I found contacts with deleted domains). I doubt if ARIN would accept or do anything about it it even if I send it to them. But this is part of larger issue and leaves too many open doors - i.e. how would you deal about domains that change hands and not through being "expired"? Or about non .com/.net/.org domains? BTW: For those who do not know - ARIN is planning to do more about authentication, first will come S/MIME X.509 email authentication, other types of authentication are also planned. I'v no idea when they will get it done, but I doubt it authentication would be seriously 2 years from now, so this is generally for very long-term future. -- William Leibzon Elan Communications Inc. william@elan.net