While doing a quick sample of my spam to see where spamvertized web sites were hosted and registered, I came across the domain vestigial3had.com

shell1% whois vestigial3had.com
Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

No match for "VESTIGIAL3HAD.COM".

yet,

shell1% host -tns vestigial3had.com
vestigial3had.com name server ns1.kronuna.biz
vestigial3had.com name server ns2.kronuna.biz
shell1%

What gives? How can there be no whois info anywhere?

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
On Thu, 9 Dec 2004, Mike Tancsa wrote:
While doing a quick sample of my spam to see where spamvertized web sites were hosted and registered, I came across the domain vestigial3had.com
shell1% whois vestigial3had.com ... No match for "VESTIGIAL3HAD.COM". What gives? How can there be no whois info anywhere?
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers new domain he'll be able to use it immediately and it'll not yet show up in whois (and so not be immediately identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!

Now it so happens that I've long ago added internal dns resolver code into completewhois engine to find list of nameservers (because whois for some CCtld was not showing it and sometimes even for internic it was wrong) and now this is done by default on ALL domains (no matter if they show up in whois or not) and if nameservers from whois are available they are compared to the list of the nameservers reported from dns and both are shown. For your domain I see the following (which nicely explains it to those who are surprised about not seeing real whois):

$ whois -h whois.completewhois.com vestigial3had.com
[whois.completewhois.com]
Elan Completewhois.Com Whois Server, Version 0.91a16, compiled on Dec 7, 2004
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only if you follow our policies at http://www.completewhois.com/policies.htm

[DOMAIN whois information for VESTIGIAL3HAD.COM ]
Domain Name: VESTIGIAL3HAD.COM
Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org
TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm
Registry: VeriSign, Inc. - http://www.verisign-grs.com
Registrar: Whois data parsing problem, no registrar information found
Whois Server: rs.internic.net
Name Server[from dns, dns ip]: NS2.KRONUNA.BIZ 219.154.96.29
Name Server[from dns, dns ip]: NS1.KRONUNA.BIZ 200.124.75.9

Domain VESTIGIAL3HAD.COM not found in registry whois server. But this domain appears to be deligated in dns. This is either an error with registrar whois database or it is possible this domain was recently registered and whois data is not yet available. Completewhois domain information above should list current nameservers as has been found in dns, for more information regarding this domain, please do whois lookup on these nameservers or ips

P.S. If you're going to do whois on nameserver ips next, then you can do the following combined lookup:

$ whois -h whois.completewhois.com "nsips vestigial3had.com"

But so you don't all overwhelm the engine with same query, I saved you the results, you can retrieve with "whois -h completewhois.com R#75944680" or at http://www.completewhois.com/cgi-bin/whois.cgi?query=75944680&options=retrieve

---
William Leibzon
Elan Networks
william@elan.net
At 11:17 AM 09/12/2004, william(at)elan.net wrote:
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz)
Yes, I was aware of that.
while whois data is still updated once or twice a day.
I (wrongly) assumed that the initial whois data would be immediately there to be seen at registration time....
That means if spammer registers new domain he'll be able to use it immediately and it'll not yet show up in whois (and so not be immediately identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!
What a lovely well-thought-out feature.... ---Mike
shell1% whois vestigial3had.com ... No match for "VESTIGIAL3HAD.COM". What gives? How can there be no whois info anywhere?
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers new domain he'll be able to use it immediately and it'll not yet show up in whois (and so not be immediately identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!
You can also make whois information private, usually for an additional fee.
At 01:50 PM 09/12/2004, Jeff Rosowski wrote:
shell1% whois vestigial3had.com ... No match for "VESTIGIAL3HAD.COM". What gives ? How can there be no whois info anywhere ?
You can also make whois information private, usually for an additional fee.
I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet. It would be nice to somehow incorporate this into a SpamAssassin check somehow. ---Mike
At 02:33 PM 12/9/2004, Mike Tancsa wrote:
At 01:50 PM 09/12/2004, Jeff Rosowski wrote:
shell1% whois vestigial3had.com ... No match for "VESTIGIAL3HAD.COM". What gives ? How can there be no whois info anywhere ?
You can also make whois information private, usually for an additional fee.
I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet.
I would doubt that. We have started hiding the information for clients who request it for a simple reason: use of WHOIS data for marketing. Anyone want to guess how many credit cards have been offered to "Host Master" and "Master Host" addressed to our Technical contact address? We have clients complaining about the junk email, junk faxes and junk postal mail that results from these listings. Then there's the folks who send out offers to "renew" domains, but in the very fine print say "this is not a bill" and are really an attempt to transfer the domain name to another provider. We've had customers fall for these, thinking the invoices were from us, and in cases where the customer didn't have their domain locked against transfers, have their web sites go dark.
It would be nice to somehow incorporate this into a SpamAssassin check somehow.
Your basic assumption is faulty. The WHOIS data is there to ensure there's someone to contact. As long as the data listed can be used to reach the domain holder for legitimate purposes (technical problems, etc.), why should you care if the listed address is a Care Of address, the email address goes through a redirect or is handled by an agent trusted by the domain holder? Yes, I understand the concern that spammers might use the mechanism to hide. I'm concerned about that too, but not enough to override my concern about the marketing use of the data, often in campaigns that border on scams.
At 03:10 PM 09/12/2004, Daniel Senie wrote:
The WHOIS data is there to ensure there's someone to contact. As long as the data listed can be used to reach the domain holder for legitimate purposes (technical problems, etc.), why should you care if the listed address is a Care Of address, the email address goes through a redirect or is handled by an agent trusted by the domain holder?
Yes, I agree. I am talking about not having *ANY* whois info. I don't see how any of your arguments justify

% whois vestigial3had.com
Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

No match for "VESTIGIAL3HAD.COM".

Hopefully this is just a case of the whois info not catching up with the registration.... There should always be some way to contact the domain holder, or registrar. Right now, there is none for this domain which is wrong IMO.

---Mike
Captain's Log, stardate Thu, 09 Dec 2004 15:10:14 -0500, from the fingers of Daniel Senie came the words: <snip>
We have clients complaining about the junk email, junk faxes and junk postal mail that results from these listings. <snip>
I agree. Even the .ie domain registry doesn't add personal information by default. For example, one of the domains I've registered has only the registrant name and the DNS host's name. This is our full .ie whois info:

domain: blah
descr: BLAH
descr: Body Corporate (Ltd,PLC,Company)
descr: Registered Business Name
admin-c: ABA822-IEDR
tech-c: IBH1-IEDR
nserver: AUTH-NS1.IRISHBROADBAND.IE
nserver: AUTH-NS2.IRISHBROADBAND.IE
source: IEDR

person: Ken Gilmour
nic-hdl: ABA822-IEDR
source: IEDR

person: Irish Broadband Hostmaster
nic-hdl: IBH1-IEDR
source: IEDR
I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet. It would be nice to somehow incorporate this into a SpamAssassin check somehow.
Please don't, there are legitimate reasons to have private domain names. One of the main reasons my domains are private is I got tired of the spam and direct snail mail I got to the contact addresses. Also, some people, like incest survivors, feel better not having their name out there as an owner of a related support site. Taking away the usefulness of private registrations won't stop the spammers. It will just impact the privacy of the regular folks.
At 10:32 PM 09/12/2004, Janet Sullivan wrote:
I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet. It would be nice to somehow incorporate this into a SpamAssassin check somehow.
Please don't, there are legitimate reasons to have private domain names. One of the main reasons my domains are private is I got tired of the spam and direct snail mail I got to the contact addresses.
The internet is a public space. If your domain is being abused / misused, how are people supposed to contact the domain holder or registrar if there is no whois record for the domain OR the registrar? Remember, I am talking about domains that whois servers say do not exist, but whose DNS is active in the root name servers. In this case, I was talking about the domain vestigial3had.com which was registered this AM, and by the time it shows up in the whois records 24hrs later, is thrown away by the spammer after blasting out their spam.... Anyways, it's there now:

Domain Name: VESTIGIAL3HAD.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.KRONUNA.BIZ
Name Server: NS2.KRONUNA.BIZ
Status: REGISTRAR-LOCK
Updated Date: 09-dec-2004
Creation Date: 09-dec-2004
Expiration Date: 09-dec-2005

Registrant Contact:
Uno More
haun nito huannni@mail333.com
371-6352202 fax: 371-6352202
Briezha 5-6
Riga
Riga LV 1021
lv
....

Yeah, one more throwaway spam domain....
Also, some people, like incest survivors, feel better not having their name out there as an owner of a related support site.
... Roll account/PO Box.... ---Mike
I don't want to turn this into a domain policy discussion, but here are a few comments (in some semblance of order) which relate to the operational aspects.

1. Anyone controlling an operational resource (such as a domain) can't be anonymous. This _in no way_ prevents anyone from doing things anonymously on the Internet: it just means that they can't control an operational resource, because that way lies madness.

2. If someone wants to remain anonymous -- say, as in the example Janet cited, of sexual abuse victims -- then one of the very LAST things they should do is register a domain. Doing so creates a record (in the registrar's billing department if nowhere else) that clearly traces back to them. Further, an anonymously-registered domain isn't much good without services such as DNS and web hosting: and those, of course, represent still more potential information leaks. Anyone who thinks their "anonymous" registration is truly anonymous is in for a rude awakening: if the data isn't already in the wild, it will be as soon as the spammers find it useful to make it so. It's much better, if anonymity is the goal, not to begin by causing this data to exist.

3. Anonymous domain registration, like free email services, is an abuse magnet. [Almost] nobody offering either has yet demonstrated the ability to properly deal with the ensuing abuse: they've simply forced the costs of doing so onto the entire rest of the Internet. It's thus not surprising that a pretty good working hypothesis is to presume that any domain which either (a) has anonymous registration or (b) has contact addresses at freemail providers is owned by people intent on abusing the Internet. No, it's not always true, but as a first-cut approximation it works quite well. Doubly so if the domain is in a TLD known to be spammer-infested (e.g., ".biz") and triply so if the domain name itself screams "spam" (e.g. "cheap-phentermine-online.biz"). [1]

4. Spammers have a myriad of ways of "harvesting" mail addresses that yield the same data but without requiring WHOIS output. For example, some of the malware they've released prowls through all the sent/received mail on infected systems...which means that if anyone using their brand-new anonymously-registered domain happens to send a single message to someone else -- who is already or subsequently infected -- then the address in question will shortly be in the wild, bought and sold and used by spammers. Note that some of the infected systems are mail servers, so even if the sender and recipient are secure from infection, the address in question may still be acquired. And no doubt some of them are inside registrars and DNS hosts and web hosts, just like they're [nearly] everywhere else. And this is just one way that addresses are harvested.

5. Spam is about far more than merely SMTP these days. SPIM (IM spam) and SPIT (VOIP spam) and adware and all kinds of other things are being used -- and by _the same people_, e.g. Spamford, to do exactly the same thing: put content in front of eyeballs. Even if we could throw a switch and cut off all SMTP spam, the respite would only be temporary. So just trying to hide from SMTP spam, although it might provide the comfortable illusion of accomplishing something in the short term, is useless in the long term.

6. Spam is a problem for everyone, and so it's everyone's responsibility to fight it. Those who want the privilege of controlling operational resources must also accept the responsibility of doing their part.

---Rsk

[1] To save you the trouble of looking it up:

Domain Name: CHEAP-PHENTERMINE-ONLINE.BIZ
Domain ID: D3193600-BIZ
Sponsoring Registrar: DOTSTER
Domain Status: ok
Registrant ID: DOTS-1025016423
Registrant Name: N K
Registrant Organization:
Registrant Address1: -
Registrant Address2: n/a
Registrant City: -
Registrant State/Province: -
Registrant Postal Code: -
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.3155551212
Registrant Facsimile Number: +1.3155551212
Registrant Email: info2000go@yahoo.com

and so on. A 200-foot-high billboard would only be slightly more obvious.
Rich Kulawiec wrote:
1. Anyone controlling an operational resource (such as a domain) can't be anonymous. This _in no way_ prevents anyone from doing things anonymously on the Internet: it just means that they can't control an operational resource, because that way lies madness.
As long as that person is contactable, why should it matter if they are anonymous? If you get a quick response to abuse@some_anonymous_domain.net, does it REALLY matter to you if the person's name is Tom, John, or Susan? There seem to be two definitions of "anonymous" floating around here. One seems to equal "no working contact information", and one seems to equal "private registration ala domainsbyproxy.net". I can understand why people might want to take non-existent whois records into account, but I just don't see the argument against anonymous records. Killing anonymous records won't stop spammers. It can however harm a vulnerable section of the Internet.
2. If someone wants to remain anonymous -- say, as in the example Janet cited, of sexual abuse victims -- then one of the very LAST things they should do is register a domain. Doing so creates a record (in the registrar's billing department if nowhere else) that clearly traces back to them. Further, an anonymously-registered domain isn't much good without services such as DNS and web hosting: and those, of course, represent still more potential information leaks.
There are layers of privacy. Let's say a person has a restraining order against an ex-husband, ex-girlfriend, etc. That person has moved and doesn't want to be easily found. Now, which will be easier for the ex - typing in whois, or somehow getting the billing records from the registrar? As for DNS & web hosting - there are sites out there that offer anonymous hosting & DNS to groups like abuse survivors, etc.
It's much better, if anonymity is the goal, not to begin by causing this data to exist.
Great! So, if you are a vulnerable minority, don't use the internet. Don't have political free speech in your country? Don't talk. You have an abusive ex? Sorry, can't help you. Whistle blower? The hell with you. Pissed off a drug dealer by turning them in? Good for you! Sorry, we have to take away your internet access now. 100% Anonymity is not possible, true. Neither is 100% security. But does that mean you give up running any kind of firewall?
3. Anonymous domain registration, like free email services, is an abuse magnet. [Almost] nobody offering either has yet demonstrated the ability to properly deal with the ensuing abuse: they've simply forced the costs of doing so onto the entire rest of the Internet.
OK, how many anonymous domains (ala domainsbyproxy) have you been unable to contact? Real numbers, please. I'm not talking about missing or false whois records.
It's thus not surprising that a pretty good working hypothesis is to presume that any domain which either (a) has anonymous registration or (b) has contact addresses at freemail providers is owned by people intent on abusing the Internet. No, it's not always true, but as a first-cut approximation it works quite well.
I'm sorry, I guess I'm still one of those "innocent until proven guilty" folks. Yes, it means first run spammers get me. That's a price I'm willing to pay. If, as an end user, you want more aggressive filtering, that should be up to you. I have no problem with that. If decisions start impacting innocents on the Internet at large, THAT's a problem.
4. Spammers have a myriad of ways of "harvesting" mail addresses that yield the same data but without requiring WHOIS output.
Yes, they do. But, I get less spam, and MUCH less snail mail, with anonymous registrations.
6. Spam is a problem for everyone, and so it's everyone's responsibility to fight it. Those who want the privilege of controlling operational resources must also accept the responsibility of doing their part.
I agree. But why should it matter if you know the name of the person controlling an operational resource if they are responsible net citizens?
On Sat, 11 Dec 2004, Janet Sullivan wrote:
Rich Kulawiec wrote:
1. Anyone controlling an operational resource (such as a domain) can't be anonymous. This _in no way_ prevents anyone from doing things anonymously on the Internet: it just means that they can't control an operational resource, because that way lies madness.
As long as that person is contactable, why should it matter if they are anonymous? If you get a quick response to abuse@some_anonymous_domain.net, does it REALLY matter to you if the person's name is Tom, John, or Susan?
There seem to be two definitions of "anonymous" floating around here. One seems to equal "no working contact information", and one seems to equal "private registration ala domainsbyproxy.net". I can understand why people might want to take non-existent whois records into account, but I just don't see the argument against anonymous records.
It matters if we're talking about Tom, John or Susan working for some commercial company and contacting me as part of the activity of that entity, in that case I'd like to know about the domain and don't want to see its whois data hidden. Same goes for ip block data used by commercial companies - I do not agree with having this data be hidden or not listing use/allocation of the ip block to some company. So my view of it is the same as current practice and laws (at least in US) which require business (including DBA) registrations in county/state registrar and requiring and making public corporate records, including address of the company and list of its officers.

--
William Leibzon
Elan Networks
william@elan.net
william(at)elan.net wrote:
It matters if we're talking about Tom, John or Susan working for some commercial company and contacting me as part of the activity of that entity, in that case I'd like to know about the domain and don't want to see its whois data hidden.
I find it somewhat amusing that the whois record for elan.net refers to a hostmaster role account and a P.O. Box. ;-) I do agree that a "one size fits all" rule rarely fits all situations. Do I support anonymous registrations for non-commercial sites as long as they can still be contacted? Yes. Do I support them for large corporations? Not necessarily. Do I support the right of end users to filter their mail any way they choose? Sure. Do I support the right of a provider to filter their user's mail any way they choose? Not necessarily. Unfortunately, there isn't a perfect way to tell if a site is commercial or not by its domain name. To me, a false positive is worse than spam getting through. I realize other people have other opinions. I just don't want to see widespread filtering of mail from anonymous (ala domainsbyproxy) whois records. I feel it damages an important part of the internet with little long term benefit.
On Sun, 12 Dec 2004, Janet Sullivan wrote:
william(at)elan.net wrote:
It matters if we're talking about Tom, John or Susan working for some commercial company and contacting me as part of the activity of that entity, in that case I'd like to know about the domain and don't want to see its whois data hidden.
I find it somewhat amusing that the whois record for elan.net refers to a hostmaster role account and a P.O. Box. ;-)
That PO Box is registered to the company and as such you can request from USPS a copy of the registration and will find current office address and contact name. Note that if PO Box is used by individual then the address and name are kept confidential unless that individual indicated he's going to use PO Box for business activities. The rules about privacy of information on PO Boxes pretty much support what I wrote, so thank you for giving me a chance to show our own practical example :)
I do agree that a "one size fits all" rule rarely fits all situations. Do I support anonymous registrations for non-commercial sites as long as they can still be contacted? Yes. Do I support them for large corporations? Not necessarily. Do I support the right of end users to filter their mail any way they choose? Sure. Do I support the right of a provider to filter their user's mail any way they choose? Not necessarily.
The last one is same as previous one - you have chosen your provider and as such there is a contractual relationship for getting these services; if you do not believe the services meet your needs, you find another provider. So it's all the same and is basically the right of the user to choose how his/her email would be filtered, and that may be a direct choice of exactly which mail filters are to be used, or it may be a choice of which company would filter the email, or all of that may be outsourced to ISP.
Unfortunately, there isn't a perfect way to tell if a site is commercial or not by its domain name.
If somebody sends me an email with mortgage offer, I consider it to be a commercial email and expect it to come from registered mortgage broker with publicly known address. Same for almost all other offers you receive by unsolicited email.
To me, a false positive is worse than spam getting through. I realize other people have other opinions. I just don't want to see wide spread filtering of mail from anonymous (ala domainsbyproxy) whois records.
I note that I did not suggest that nor do I see any easy way to implement it (because godaddy has one of the most strict rules about limiting access to whois by automated means). My current project goal is to only use internic whois data (which means no registrant's or contact names or addresses) and only use it to stop use of domains where registrar has put a hold status on it or where the domain registration is too new to be in whois (and email would not be denied but simply postponed until more information is known about the registrant and registrar had a chance to decide if their new domain and its use are in violation of their policies or not). The goal is to combat throw-away domains and force spammers to use well known names that can be traced to them and their business activities. Then legal and other pressure can be applied to those known business entities to stop their abuse of email infrastructure.

--
William Leibzon
Elan Networks
william@elan.net
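A defender-side check that ties together William's two points above (the completewhois comparison of whois nameservers against live DNS delegation, and the idea of postponing mail from domains that are on hold or too new to be in whois), written as an added example for this thread and not code from completewhois or from any of the posters. It runs offline on constructed copies of the two registry replies quoted in the thread; the hold-status names, the 7-day age threshold and the accept/defer/reject mapping are assumptions, and a live deployment would fill the inputs from a whois query and an NS lookup.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Registry status values meaning the registrar/registry has pulled the domain.
# Assumed list: the thread only shows REGISTRAR-LOCK, which is a transfer
# lock rather than a hold and must not trip this rule.
HOLD_STATUSES = {"REGISTRAR-HOLD", "REGISTRY-HOLD", "CLIENTHOLD", "SERVERHOLD"}
MIN_AGE_DAYS = 7  # assumed: younger domains are "too new to judge"

# Constructed copies of the two registry replies quoted in the thread
NO_MATCH_REPLY = """\
Whois Server Version 1.3

No match for "VESTIGIAL3HAD.COM".
"""
LATER_REPLY = """\
   Domain Name: VESTIGIAL3HAD.COM
   Registrar: BIZCN.COM, INC.
   Whois Server: whois.bizcn.com
   Referral URL: http://www.bizcn.com
   Name Server: NS1.KRONUNA.BIZ
   Name Server: NS2.KRONUNA.BIZ
   Status: REGISTRAR-LOCK
   Updated Date: 09-dec-2004
   Creation Date: 09-dec-2004
   Expiration Date: 09-dec-2005
"""
# What `host -t ns` returned while whois still said "No match"
DNS_NS = ["ns1.kronuna.biz", "ns2.kronuna.biz"]


@dataclass
class RegistryRecord:
    found: bool
    name_servers: List[str] = field(default_factory=list)
    statuses: Set[str] = field(default_factory=set)
    created: Optional[date] = None


def parse_registry_whois(text: str) -> RegistryRecord:
    """Parse a thin-registry (internic-style) whois reply."""
    if re.search(r"^\s*No match for", text, re.MULTILINE):
        return RegistryRecord(found=False)
    rec = RegistryRecord(found=True)
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key == "name server":
            rec.name_servers.append(value.lower().rstrip("."))
        elif key == "status":
            rec.statuses.add(value.upper())
        elif key == "creation date":
            try:  # registry date format seen in the thread: 09-dec-2004
                rec.created = datetime.strptime(value.title(), "%d-%b-%Y").date()
            except ValueError:
                rec.created = None
    return rec


def classify(rec: RegistryRecord, dns_ns: List[str], today: date) -> str:
    """Combine the whois record with the live NS delegation, highest risk first."""
    live = {n.lower().rstrip(".") for n in dns_ns}
    if not rec.found:
        # The thread's case: already live in the zone, invisible in whois
        return "delegated-not-in-whois" if live else "unregistered"
    if rec.statuses & HOLD_STATUSES:
        return "hold"
    if rec.created is not None and (today - rec.created).days < MIN_AGE_DAYS:
        return "too-new"
    if live and set(rec.name_servers) != live:
        return "ns-mismatch"  # the discrepancy completewhois prints both sides of
    return "ok"


# SMTP-time policy per verdict (assumed mapping; "defer" = temporary 4xx)
ACTIONS: Dict[str, str] = {
    "unregistered": "reject", "hold": "reject",
    "delegated-not-in-whois": "defer", "too-new": "defer",
    "ns-mismatch": "accept", "ok": "accept",
}


def verdict(whois_text: str, dns_ns: List[str], today_iso: str) -> str:
    """Verdict for a sender domain from its whois reply, NS set and today's date (ISO)."""
    return classify(parse_registry_whois(whois_text), dns_ns, date.fromisoformat(today_iso))


def action(whois_text: str, dns_ns: List[str], today_iso: str) -> str:
    """accept / defer / reject for the sender domain."""
    return ACTIONS[verdict(whois_text, dns_ns, today_iso)]
```

On the morning of 9 Dec the constructed inputs give "delegated-not-in-whois" (defer); a day later the same domain is "too-new" (defer), and a month on it is "ok".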
So my view of it is the same as current practice and laws (at least in US) which require business (including DBA) registrations in county/state registrar and requiring and making public corporate records, including address of the company and list of its officers.
Interesting how many companies are "parked" at a lawyer's office, i.e. the official address of the company is that of its legal firm. One wonders why an abuse organization would not use this same tactic and register a legal firm as the administrative contact. This is entirely separate from the operational issue of who controls the nameservice for the domain and who controls the routers and servers referenced by A records in the domain. That is not something that a registry can help with. Granted, it would be good to have a real technical contact for every domain that gets you to the same people who control nameservice etc. However, that will always be secondary information. The network itself is the primary contact information for a domain. Every nameserver has an IP address whose connectivity can be tracked through the network. Same thing for mail servers and anything else with an A record. This means that operationally it is far more important for the RIR whois directory to have working technical contacts. Fortunately, the RIRs do regularly put some effort into keeping their whois listings up to date. If more people would speak up coherently on this issue then perhaps we will see the day when only accurate contact info exists in the RIR whois directories. As for domain name registries, they are not terribly relevant for operations, just for serving legal documents. --Michael Dillon
Michael.Dillon@radianz.com writes:
Interesting how many companies are "parked" at a lawyer's office, i.e. the official address of the company is that of its legal firm. One wonders why an abuse organization would not use this same tactic and register a legal firm as the administrative contact.
How much do you suppose the law firm would charge you for handling the email influx if you got joe-jobbed? Sysadmin time is cheaper than lawyer time, last I checked. ---Rob
Michael.Dillon@radianz.com wrote:
The network itself is the primary contact information for a domain. Every nameserver has an IP address whose connectivity can be tracked through the network. Same thing for mail servers and anything else with an A record. This means that operationally it is far more important for the RIR whois directory to have working technical contacts.
A few weeks ago, we had a customer contact us regarding issues communicating with a domain. Investigation revealed that the domain handled its own primary DNS server and the secondary DNS was pointed to another provider which had restricted outside queries to that particular server (and wasn't authoritative for the domain in the first place). The problem was that the TTLs on the NS RRs were different by 2 days and the remaining NS in cache was refusing queries. IP addresses weren't registered to the responsible party. Domain wasn't registered to responsible party. We had to relay the information in a "best effort" approach through three different organizations in the hopes that the responsible person would get informed and fix the problem. This is not the ideal method of contact and wasted man-hours in multiple organizations due to inaccurate information. The primary use of whois is still valid and anonymous/inaccurate records waste time and money for legitimate purposes. -Jack
I'm going to try to keep this short, hence it's incomplete/choppy. Maybe we should take it to off-list mail with those interested. On Sat, Dec 11, 2004 at 10:06:10PM -0700, Janet Sullivan wrote:
Great! So, if you are a vulnerable minority, don't use the internet.
I said precisely the opposite. This _in no way_ prevents anyone from doing things anonymously on the Internet: it just means that they can't control an operational resource, because that way lies madness. And anyone who *is* a vulnerable minority should avoid doing this (that is, deliberately exposing themselves by controlling an operational resource) at all costs, because it self-identifies and instantly compromises the very privacy they seek/need/want. This doesn't stop anybody from doing anything they want online -- *except* controlling those resources, which is, like I said earlier, is one of the very last things they should want to do if they're truly concerned about their privacy. And the other side of it is: I don't think an Internet with anonymous people controlling operational resources is workable.
OK, how many anonymous domains (ala domainsbyproxy) have you been unable to contact?
I *never* attempt to contact the owners of a domain which appears to be the source of abuse, anonymous or otherwise. It's a complete waste of time. I use the means at my disposal to ascertain whether it's really them (which, 99% of the time, is blindingly obvious) and then act accordingly. In the remaining 1% of the cases, where substantial doubt remains, I note it and await further developments. Sometimes those further developments include reports/claims of joe-jobs; sometimes they include clinching proof (either way) that eluded me; sometimes they're not forthcoming for a very long time. <shrug> So be it. But I learned long ago that (modulo some very rare cases) the only thing that can come out of contacting said domain owners is possible disclosure of the means by which the abuse was detected, and the fact that it _has_ been detected, and that's not a good thing.
But, I get less spam, and MUCH less snail mail, with anonymous registrations.
Today, perhaps. Do you really think it's going to stay that way? Surely you must know that eventually the spammers WILL get their hands on your "private" domain registration data, WILL use it to spam -- and oh-by-the-way will also make a tidy profit doing a side business in selling it to anyone with cash-in-hand? C'mon, these are people with bags of money to spend. Do you *really* think that the underpaid clerk at J. Random Registrar is going to turn down $50K in tax-free income in exchange for a freshly-burned CD? And of course, once the data's in the wild, it's not like those who are selling it will balk at providing it to customers who have serious axes to grind. Or if you want to believe in the fiction of 100% trustworthy registrars, what happens when one of their [key] systems is zombie'd? Or when someone figures out how to hijack one of the data feeds and snarf all the brand-new domain data as soon as it's created? There is a market for this data. Therefore it will be acquired and sold. And attempts to maintain the pretense that it's otherwise -- while no doubt inflating the profits of those peddling "anonymous" registration -- are disingenuous, and in the long run, potentially very damaging, with the extent of the damage perhaps proportional to the degree to which people rely on it. (More bluntly: some people are going to be burned very badly by this. And the subsequent inevitable litigation won't undo it.)
I agree. But why should it matter if you know the name of the person controlling an operational resource if they are responsible net citizens?
Maybe, but I think where we differ is that I strongly believe that responsibility (for operational resources) _requires_ public identification. [ Oh: please note: content is not an operational resource. F'instance, I have no problem, for instance, with someone running a blog anonymously. I have a serious problem with someone running a network anonymously. ] ---Rsk
Rich,

<registrar_hat_current="on"> <epp_coauthor_hat="on"> <registry_hat_expired="on">

You have an opinion, but I'm unable to detect a basis for that opinion. Allocations of string-space do not give rise to control over any resource other than (conditionally) the string. Publication of association(s) between strings and addresses, as well as the formation of an association subject to a publication policy, involves zero or more parties other than a "registrant", and there are several orders of magnitude fewer entities other than "registrants" that participate in address association and association publication.

</registrar_hat_current> </epp_coauthor_hat> </registry_hat_expired>

<p3p_spec_coauthor_hat="on">

It wouldn't hurt you to read our spec, if only for the nomenclature. If you read some EU data directives, so much the better.

</p3p_spec_coauthor_hat>

<nanog_er_weenie_hat="on">

You may want to look at the whois policies of the RIRs and some of the ccTLD operators.

</nanog_er_weenie_hat>

<ietf_whoisfix_bof_cochair="on">

See also http://www.imc.org/ietf-whois/mail-archive/msg00218.html and rfc3912

</ietf_whoisfix_bof_cochair>

Eric
Rich Kulawiec wrote:
And the other side of it is: I don't think an Internet with anonymous people controlling operational resources is workable.
OK, how many anonymous domains (ala domainsbyproxy) have you been unable to contact?
I *never* attempt to contact the owners of a domain which appears to be the source of abuse, anonymous or otherwise.
I'm confused. You never try to contact the owners of a domain which appears to be the source of abuse, but insist that domains can't be anonymous?
On Sun, 12 Dec 2004, Janet Sullivan wrote:
I'm confused. You never try to contact the owners of a domain which appears to be the source of abuse, but insist that domains can't be anonymous?
All rhetoric aside, this appears to be a question of what it means to have a domain. Once upon a time, domain names were (somewhat) hard to get, and were given to organizations important enough to merit Internet connectivity (which was also somewhat hard to get). If you saw abuse coming from somewhere, you could look at the host the abuse was coming from, find the contact information for their domain, and contact their employer's or university's IT department to complain. To make matters even easier, the Internet was small enough at that point that dealing with such complaints wasn't all that overwhelming.

That was ten or fifteen years ago. Now, domain names can be gotten by anybody with a few dollars, and having your own domain name is required if you want to be able to take your e-mail address with you when switching e-mail providers. Since lots of people want their e-mail addresses to be portable, there are lots of domains out there. I don't have actual stats on this, but I'm guessing that the percentage of domains that have hosts in them, and are therefore capable of being the source of abuse, is probably pretty small. A domain name is therefore now more like a phone number. Perhaps this is a mistake. Perhaps domain names are far too important to be wasted on individual convenience. But if so, we're several years too late for that argument to be very useful.

At this point, IP addresses tend to be a much better identifier of the party responsible for a network user than their domain name. If you're looking for a useful contact to talk to about a network problem, rather than some poor end user to harass, you're probably much better off contacting the ISP or organization and that contact information is far more likely to be associated with the IP address than the domain name.

Of course, there's also the question about whether the listed contact information on a static IP address should be the ISP's or the end user's, but that's much better discussed on the ARIN public policy mailing list and its equivalents than here.

My question at this point is whether contact information for domains (or at least, for domains which aren't themselves critical infrastructure) has any useful purpose at all. Domains without hosts in them aren't going to have technical problems (unless the lack of hosts is itself a technical problem) or abuse problems (except in terms of forgeries, which are really somebody else's problem). Domains with only an MX record strike me as the responsibility of whoever is providing the MX or DNS service. Domains with actual hosts in them are probably the most similar to the domains of a decade ago, but even there the IP addresses involved may be a better indicator of who to talk to about things.

-Steve
--On 11 December 2004 12:07 -0500 Rich Kulawiec <rsk@gsp.org> wrote:
I don't want to turn this into a domain policy discussion,
Ditto. I'd add one thing though: allowing anonymous registration is not necessarily the same thing as allowing all details of registration to be publicly queryable under all circumstances. In any case (whether happily or sadly) local laws can often get in the way of total openness. The operational aspect of this I think is as follows: if an operator had a problem with a network endpoint in 1995, then there was a good chance whois <domainname> would reach someone clueful, as the majority of network endpoints were clueful (for some reading thereof); hence whois <domainname> was useful for network debugging. In 2004, I'd suggest the wider penetration of the internet means whois <domainname> on its own is not a useful operational tool any more. Even whois -h rir <inetnum> is becoming less useful, and to an extent whois <asnumber>. The argument for people not wanting to put personal information up on domain name registrations is I'd have to say a little similar to the reason some providers don't like having their (true) NOC number on whois <provider.net>; i.e. they don't want junk calls. Which leaves you in essence with hop-by-hop debugging according to peering agreements. Or "is anyone here from $provider" messages. Alex
Jeff Rosowski wrote:
shell1% whois vestigial3had.com
...
No match for "VESTIGIAL3HAD.COM". What gives? How can there be no whois info anywhere?
How about the following... (note that just because someone is using someone as their authoritative name server doesn't mean that the other people (in this case kronuna.biz) have anything to do with it...

[peterh@localhost ~]$ dig ns vestigial3had.com
<snip>
;; ANSWER SECTION:
vestigial3had.com. 172800 IN NS ns1.kronuna.biz.
vestigial3had.com. 172800 IN NS ns2.kronuna.biz.

[peterh@localhost ~]$ whois kronuna.biz
[Querying whois.neulevel.biz]
[whois.neulevel.biz]
Domain Name: KRONUNA.BIZ
Domain ID: D8290016-BIZ
Sponsoring Registrar: TUCOWS INC.
Sponsoring Registrar IANA ID: 69
Domain Status: ok
Registrant ID: TU9XLFHXRK2QTZCE
Registrant Name: domain administrator
Registrant Organization: Tehillimzeiger Pushkaya
Registrant Address1: Suite M-242, Christamar 43-B
Registrant Address2: Avda. De las Naciones Unidas
Registrant City: Puerto Banus - Marbella
Registrant State/Province: Malaga
Registrant Postal Code: 29660
Registrant Country: Spain
Registrant Country Code: ES
Registrant Phone Number: +371.7338359
Registrant Email: dljans@pisem.net
<snip>
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers new domain he'll be able to use it immediately and it'll not yet show up in whois (and so not be immediately identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!
You can also make whois information private, usually for an additional fee.
Hi!
[peterh@localhost ~]$ dig ns vestigial3had.com
<snip>
;; ANSWER SECTION:
vestigial3had.com. 172800 IN NS ns1.kronuna.biz.
vestigial3had.com. 172800 IN NS ns2.kronuna.biz.
[peterh@localhost ~]$ whois kronuna.biz
[Querying whois.neulevel.biz]
[whois.neulevel.biz]
Domain Name: KRONUNA.BIZ
Domain ID: D8290016-BIZ
Sponsoring Registrar: TUCOWS INC.
Sponsoring Registrar IANA ID: 69
There are like a gazillion spam sites on that server. It's a spamnest. Nameserver(s) are inside SBL also. Bye, Raymond.
At 07:49 PM 09/12/2004, Peter John Hill wrote:
Jeff Rosowski wrote:
shell1% whois vestigial3had.com
...
No match for "VESTIGIAL3HAD.COM". What gives? How can there be no whois info anywhere?
How about the following... (note that just because someone is using someone as their authoritative name server doesn't mean that the other people (in this case kronuna.biz) have anything to do with it...
[peterh@localhost ~]$ dig ns vestigial3had.com
<snip>
;; ANSWER SECTION:
vestigial3had.com. 172800 IN NS ns1.kronuna.biz.
vestigial3had.com. 172800 IN NS ns2.kronuna.biz.
I don't follow? It seems to me they do answer for the domain.

granite# dig vestigial3had.com
;; ANSWER SECTION:
vestigial3had.com. 1M IN A 200.124.75.12
;; AUTHORITY SECTION:
vestigial3had.com. 1M IN NS ns1.kronuna.biz.
vestigial3had.com. 1M IN NS ns2.kronuna.biz.
;; ADDITIONAL SECTION:
ns1.kronuna.biz. 27S IN A 200.124.75.9
ns2.kronuna.biz. 27S IN A 219.154.96.29

granite# dig axfr vestigial3had.com @200.124.75.9
; <<>> DiG 8.3 <<>> axfr vestigial3had.com @200.124.75.9
; (1 server found)
$ORIGIN vestigial3had.com.
@ 1M IN SOA @ root (
240420115 ; serial
8H ; refresh
1M ; retry
1W ; expiry
1H ) ; minimum
1M IN NS ns1.kronuna.biz.
1M IN NS ns2.kronuna.biz.
1M IN MX 10 www
1M IN A 200.124.75.12
* 1M IN A 200.124.75.12
a 1M IN A 221.5.250.122
*.a 1M IN A 221.5.250.122
a6 1M IN A 221.5.250.122
*.a6 1M IN A 221.5.250.122
e 1M IN A 221.5.250.122
*.e 1M IN A 221.5.250.122
g 1M IN A 221.5.250.122
*.g 1M IN A 221.5.250.122
i 1M IN A 221.5.250.122
*.i 1M IN A 221.5.250.122
m 1M IN A 221.5.250.122
*.m 1M IN A 221.5.250.122
mail 1M IN CNAME @
www 1M IN CNAME @
@ 1M IN SOA @ root (
240420115 ; serial
8H ; refresh
1M ; retry
1W ; expiry
1H ) ; minimum
;; Received 1 answer (21 records).
;; FROM: granite.sentex.ca to SERVER: 200.124.75.9
;; WHEN: Thu Dec 9 20:00:30 2004
More fun... Mike Tancsa wrote:
1M IN MX 10 www
1M IN A 200.124.75.12
a 1M IN A 221.5.250.122

[peterh@localhost ~]$ gwhois 221.5.250.122
[Querying geektools.com]
[geektools.com]
GeekTools Whois Proxy v5.0.4 Ready.
Checking access for 207.171.180.101... ok.
Final results obtained from whois.apnic.net.
[peterh@localhost ~]$ whois 200.124.75.12
inetnum: 200.124.64/19
responsible: GoldToe International Inc.
address: 60 Market Square, 0, 0
address: 0 - Belize - 0
country: BZ 02
nic-hdl: PDL
person: GoldToe International Inc.
e-mail: eemsregent@YAHOO.COM
address: Box CB13039, 1956,
address: 11946 - Nassau -
country: BS

inetnum: 221.5.128.0 - 221.5.255.255
netname: CNCGROUP-CQ
descr: CNC Group Chongqing province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
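The pivot Mike and Peter walk through above (zone contents, then the A-record targets, then RIR whois for each address) as an added Python example; this is not code from the thread or from any tool mentioned in it. It parses a dig-style zone listing, groups A records by target address and flags wildcard owners, reads the RIR "key: value" text, and checks that the quoted inetnum block actually covers the address before attributing it. The zone records and whois lines are the ones quoted in the two messages above, abridged; the function names and the address-to-whois dictionary are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Zone records quoted from Mike Tancsa's AXFR, abridged (dig commentary, the MX/mail entries and the closing SOA dropped).
ZONE_LISTING = """\
$ORIGIN vestigial3had.com.
@ 1M IN SOA @ root (
240420115 ; serial
8H ; refresh
1M ; retry
1W ; expiry
1H ) ; minimum
1M IN NS ns1.kronuna.biz.
1M IN NS ns2.kronuna.biz.
1M IN A 200.124.75.12
* 1M IN A 200.124.75.12
a 1M IN A 221.5.250.122
*.a 1M IN A 221.5.250.122
www 1M IN CNAME @
"""

# RIR whois lines quoted in Peter John Hill's follow-up, keyed by the address
# they answer for (the dict itself is this example's construction).
WHOIS_BY_ADDRESS = {
    "200.124.75.12": "inetnum: 200.124.64/19\nresponsible: GoldToe International Inc.\ncountry: BZ\n",
    "221.5.250.122": "inetnum: 221.5.128.0 - 221.5.255.255\nnetname: CNCGROUP-CQ\n"
                     "descr: CNC Group Chongqing province network\ncountry: CN\n",
}

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)

def parse_zone(listing):
    """(owner, ttl, type, rdata) from a dig-style listing: drops ';' comments, skips the
    parenthesised SOA continuation, and gives owner-less lines the previous owner."""
    records, owner, in_paren = [], None, False
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        if in_paren:                       # inside "( ... )" SOA data
            in_paren = ")" not in line
            continue
        tokens = line.split()
        if TTL_RE.match(tokens[0]):
            fields = tokens                # owner omitted: inherit previous
        else:
            owner, fields = tokens[0], tokens[1:]
        if "IN" not in fields:
            continue
        i = fields.index("IN")
        records.append((owner, fields[i - 1] if i else None, fields[i + 1], fields[i + 2:]))
        in_paren = "(" in line and ")" not in line
    return records

def summarize_addresses(records):
    """Group A-record targets by address; wildcard owners mean any hostname lands there."""
    by_addr = defaultdict(lambda: {"names": [], "wildcards": []})
    for owner, _ttl, rtype, rdata in records:
        if rtype == "A":
            by_addr[rdata[0]]["names"].append(owner)
            if owner.startswith("*"):
                by_addr[rdata[0]]["wildcards"].append(owner)
    return dict(by_addr)

def parse_rir_whois(text):
    """'key: value' lines into a dict of lists (RIR records repeat keys such as descr)."""
    rec = defaultdict(list)
    for line in text.splitlines():
        if ":" in line and not line.startswith(("%", "#")):
            key, value = line.split(":", 1)
            rec[key.strip()].append(value.strip())
    return dict(rec)

def inetnum_contains(inetnum, addr):
    """True if an inetnum ('lo - hi' range or CIDR, including the short form
    with trailing octets omitted, e.g. 200.124.64/19) covers addr."""
    ip = ipaddress.ip_address(addr)
    if "-" in inetnum:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-", 1))
        return lo <= ip <= hi
    net, _, plen = inetnum.partition("/")
    octets = net.split(".") + ["0"] * (3 - net.count("."))
    return ip in ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def attribute_zone(listing, whois_by_addr):
    """Pivot from hostnames to the address block and organisation answering for them."""
    out = {}
    for addr, info in summarize_addresses(parse_zone(listing)).items():
        rec = parse_rir_whois(whois_by_addr.get(addr, ""))
        inetnum = rec.get("inetnum", [""])[0]
        out[addr] = {
            "names": info["names"], "wildcards": info["wildcards"], "block": inetnum,
            "org": (rec.get("netname") or rec.get("responsible") or ["unknown"])[0],
            "country": rec.get("country", ["unknown"])[0],
            "covered": bool(inetnum) and inetnum_contains(inetnum, addr),
        }
    return out
```

The "covered" check is the part worth keeping when you do this by hand: a whois proxy or a stale cache can hand back a block for a different address, and a report sent to the wrong netblock contact is wasted. With a real zone transfer or a resolver in front of it, the function gives you the small set of addresses and organisations that actually answer for a domain, which is what Steve's point about IP addresses being the better identifier comes down to in practice.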
william(at)elan.net <william@elan.net> wrote: [...]
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers new domain he'll be able to use it immediately and it'll not yet show up in whois (and so not be immediately identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!
This tempts me to hack something into Exim that does a whois on previously-unseen sender domains, and give a deferral if the whois denies existence of the domain. Is this likely to have any meaningful effect? -- Just last week, someone called every morning to speak to President Gore. By Friday, the operator was flustered, and finally snapped, "You call every day asking that, and every day I tell you that Mr. Gore lost the election. Why?" "I just like hearing that. It's a great start for the day!"
abuse@cabal.org.uk (Peter Corlett) wrote:
william(at)elan.net <william@elan.net> wrote: [...]
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers new domain he'll be able to use it immediately and it'll not yet show up in whois (and so not be immediately identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!
This tempts me to hack something into Exim that does a whois on previously-unseen sender domains, and give a deferral if the whois denies existence of the domain. Is this likely to have any meaningful effect?
No. It depends too much on

(a) the registry and registrar for the domain
(b) overall whois availability to that TLD (not everybody uses whois)
(c) your connectivity to the whois servers involved (possibly more than one)

Yours, Elmar.

-- "Just don't make the mistake of substituting expertise for opinion." (PLemken, <bu6o7e$e6v0p$2@ID-31.news.uni-berlin.de>) --------------------------------------------------------------[ ELMI-RIPE ]---
On Fri, 10 Dec 2004, Elmar K. Bins wrote:
william(at)elan.net <william@elan.net> wrote: [...]
Read NANOG archives - Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers new domain he'll be able to use it immediately and it'll not yet show up in whois (and so not be immediately identifiable to spam reporting tools) - and spammers are in fact using this "feature" more and more!
This tempts me to hack something into Exim that does a whois on previously-unseen sender domains, and give a deferral if the whois denies existence of the domain. Is this likely to have any meaningful effect?
No. It depends too much on
(a) the registry and registrar for the domain
(b) overall whois availability to that TLD (not everybody uses whois)
(c) your connectivity to the whois servers involved (possibly more than one)
I disagree, I think this may be ok, but it's specifically because it's for .com/.net whois (not ok for general TLD). Reasons are:

1. Internic.net / CRSNIC whois has no limit set on number of queries client from particular ip can make before queries are denied (or it may have limit but it's set very high) and its data is almost always available and quite fast (but there were some outages).
2. Internic.net data is very brief listing only when domain was registered and which registrar and status
3. If there is a problem getting whois data at the moment, SMTP connection would not be denied but only deferred

I think what should be done based on data is:

1. Check creation date and if the domain is very new (not even in whois or in whois but registration date is today or yesterday) then defer it for 48 hours but count the connection and report to some central system. If after one day from that new domain came way too many attempts to send email, then it may be assumed fairly safely the domain is being set up by spammer. Additionally if there are spam reports that came about the domain then a responsible registrar (like godaddy) would put it on hold and this would be reflected in the domain status. I'll also note that registrar has 72 hours in which they can delete newly registered domain if they believe the registration was fraudulent (i.e. stolen credit card) and not have to pay registrar for it - in fact that is quite often what happens to spammer used domains.
2. You probably should not accept email from domains that have any kind of HOLD status (this is the same as domain not delegated in dns) but again this should not be outright denial but deferral (in case it's just that somebody forgot to pay registration fee).
3. By checking Internic whois you get a name of the registrar (i.e. opensrs, enom, etc) and can decide that if the registrar is too "dirty" you do not want to accept email from domain.

If enough people do it, this may cause registrar to become more responsible towards who they let register domains.

It may be quite good if several of us come together and create a project to create such whois filtering library for SMTP. This library can then be called from extensions for Sendmail, Postfix, Exim and other popular mailers. I certainly will be willing to help with my whois programming skills but I have no experience (yet) writing extensions for MTAs.

-- William Leibzon Elan Networks william@elan.net
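William's three checks above as an added Python example; this is my own illustration, not code from the thread, from Elan's whois engine or from any MTA. It has a parser for the thin-registry (CRSNIC-style) answer shape, a policy object that maps the answer to the SMTP-time verdict (defer on unknown, brand-new or HOLD domains and on lookup failure, reject only for a registrar on a local deny list), and a per-domain attempt counter standing in for the "count the connection and report" step. The sample whois answers, the domain and registrar names, the 48-hour window and the alarm threshold are all constructed placeholders.

```python
import re
from collections import Counter
from datetime import date, datetime

ACCEPT, DEFER, REJECT = "accept", "defer", "reject"

# Constructed samples in the shape of a thin-registry (whois.crsnic.net) answer;
# not captured output. Domain and registrar names are placeholders.
NO_MATCH = 'No match for "NEWDOMAIN-EXAMPLE.COM".\n'
FRESH = """\
   Domain Name: FRESH-EXAMPLE.COM
   Registrar: EXAMPLE REGISTRAR, INC.
   Name Server: NS1.FRESH-EXAMPLE.COM
   Status: ACTIVE
   Creation Date: 09-dec-2004
   Expiration Date: 09-dec-2005
"""
ON_HOLD = FRESH.replace("Status: ACTIVE", "Status: REGISTRAR-HOLD").replace("09-dec-2004", "01-jun-2004")
ESTABLISHED = FRESH.replace("09-dec-2004", "14-mar-1999")
DIRTY = ESTABLISHED.replace("EXAMPLE REGISTRAR, INC.", "DIRTY REGISTRAR LLC")

def parse_thin_whois(text):
    """None when the registry has no record; otherwise registrar, status list, creation date."""
    if re.search(r"^\s*No match for", text, re.M):
        return None
    rec = {"registrar": None, "status": [], "created": None}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Registrar":
            rec["registrar"] = value.upper()
        elif key == "Status":
            rec["status"].append(value.upper())
        elif key == "Creation Date":
            rec["created"] = datetime.strptime(value, "%d-%b-%Y").date()
    return rec

class SenderDomainPolicy:
    """Applies the three checks, in the order given above, to a thin-whois answer.

    A failed lookup, a domain not yet in whois, a domain registered inside the
    new-domain window, and any HOLD status all yield DEFER (a 4xx at SMTP time),
    so a whois outage or an unpaid renewal never becomes a permanent bounce.
    Only a registrar on the local deny list yields REJECT.
    """

    def __init__(self, bad_registrars=(), new_domain_days=2, attempts_alarm=50):
        self.bad_registrars = {r.upper() for r in bad_registrars}
        self.new_domain_days = new_domain_days     # "defer it for 48 hours"
        self.attempts_alarm = attempts_alarm       # "way too many attempts"
        self.attempts = Counter()                  # deferred connections per new domain

    def decide(self, domain, whois_text, today=None):
        """Return (verdict, reason, alarm); alarm is True once a new domain keeps hammering us."""
        today = today or date.today()
        domain = domain.lower()
        if whois_text is None:
            return DEFER, "whois lookup failed; try again later", False
        rec = parse_thin_whois(whois_text)
        is_new = rec is None or (rec["created"] is not None
                                 and (today - rec["created"]).days < self.new_domain_days)
        if is_new:
            self.attempts[domain] += 1
            why = "not yet in registry whois" if rec is None else "registered within 48h"
            return DEFER, why, self.attempts[domain] >= self.attempts_alarm
        if any("HOLD" in s for s in rec["status"]):
            return DEFER, "domain status " + ",".join(rec["status"]), False
        if rec["registrar"] in self.bad_registrars:
            return REJECT, "registrar on local deny list: " + rec["registrar"], False
        return ACCEPT, "ok", False
```

Wire `decide()` into the MTA's sender-domain hook with the raw whois answer (or `None` on timeout), and cache the verdict per domain for the rest of the day so each domain costs one query against the registry, which is the same thing the deferral window already implies. The point of the structure is that nothing derived from missing or transient data can ever produce a 5xx; only a positive signal you chose to act on (the registrar name) does.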
Elmar K. Bins <elmi@4ever.de> wrote:
abuse@cabal.org.uk (Peter Corlett) wrote: [...]
This tempts me to hack something into Exim that does a whois on previously-unseen sender domains, and give a deferral if the whois denies existence of the domain. Is this likely to have any meaningful effect?
No. It depends too much on (a) the registry and registrar for the domain (b) overall whois availability to that TLD (not everybody uses whois) (c) your connectivity to the whois servers involved (possibly more than one)
You have a point if I were attempting to do this for all TLDs, but at least for a first cut, I'm only interested in .com/.net. A single query of whois.crsnic.net (and not bothering to follow referrals) would be sufficient to determine the existence of the domain in whois. There's some awful tinpot domain registrars out there where you have to wonder if their whois server is on the end of a dialup link, but fortunately I'm not attempting to access those. Connectivity from here to the CRSNIC server is good and no worse than to any other server I may wish to query for purposes of black- or greylisting. -- The advice given me about Maglites is to hold it out sideways from yourself but at shoulder height, this makes the opponent think you are standing 3 foot to one side of reality. - Rob Adams in the Monastery
In an earlier episode I pointed out to the list-resident VGRS person that the dynamic properties introduced for one marketing purpose would have a consequence in another problem domain, but no point revisiting that issue. abuse@cabal.org.uk (Peter Corlett) wrote:
There's some awful tinpot domain registrars out there where you have to wonder if their whois server is on the end of a dialup link, but fortunately I'm not attempting to access those.
The ICANN Registrar agreement has no transactional temporal property for :43 queries. In fact, quite a few registrars associated with one of several outsource business models, e.g., the Tucows HRS customers (complete), the Pool thead customers (partial addr allocation), etc., use common :43 servers. I've tried to work this problem, but it appears to require cooperation between isps and registrars, and that's just not happening, and agreement that persistent (hours or longer) name-to-address associations factor into the prevalent economic spam business models, and that's just not happening either as spam-presentation (to the user or the interposing device) is the problem of choice. Schemes to exhaust the dotted quad space, or exhaust the dotted string space (*lists generally) just don't help identify one asset economic spam schemes appear to require to extract value from the spam-presentation instances -- a return path that works. So, call the small registrars names as long as you want, and as long as you don't want to pay for a service, and spend your money elsewhere on something that works better, for some value of better. Cheers, Eric <{registry,registrar,isp}_hat = "off">
Peter Corlett wrote:
There's some awful tinpot domain registrars out there where you have to wonder if their whois server is on the end of a dialup link, but fortunately I'm not attempting to access those. Connectivity from here to the CRSNIC server is good and no worse than to any other server I may wish to query for purposes of black- or greylisting.
Doing live queries of domain names like that, on the fly - even if you cache lookup data - will lead to your IP getting rate limited or even blocked by most whois servers, unless you register your IP with them for doing bulk whois lookups. srs
participants (18): abuse@cabal.org.uk, Alex Bligh, Daniel Senie, Elmar K. Bins, Eric Brunner-Williams in Portland Maine, Jack Bates, Janet Sullivan, Jeff Rosowski, Ken Gilmour, Michael.Dillon@radianz.com, Mike Tancsa, Peter John Hill, Raymond Dijkxhoorn, Rich Kulawiec, Robert E.Seastrom, Steve Gibbard, Suresh Ramasubramanian, william(at)elan.net