'Whois protection service'
Hi folks.

Don't post a lot here but I'm figuring you folks will know more about this than my local NOG...

When investigating a host that spammed me today, I noted that when I whois'd the domain that the mailserver involved has forward/reverse dns pair for, the domain whois information comes up as follows:

    Found crsnic referral to whois.enom.com.

    Registration Service Provided By: Registerfly.com
    Contact: support@registerflysupport.com
    Visit: http://www.RegisterFly.com

    Domain name: xmux.com

    Registrant Contact:
       RegisterFly.com - Ref# 14155933
       Whois Protection Service - ProtectFly.com (14155933.fly@spamfly.com)

I'm unsure how appropriate it is to post anything more specific in the open forum, but I've never seen this before. What's the deal with hiding a domain name owner's true identity? Is this not simply yet another protect-the-spammers mechanism?

I followed up the chain - the authoritative DNS servers for the domain in question are hosts within a different domain, and this also has the same protection engaged....

Is this old hat or something new? Is this still conformant to standard .com/net registrant rules and regs? (here in .nz, the registry information is required to be current and valid, and I've never seen a Registrar pass itself off as the owner of a domain before (at least in any legitimate situation))

Thanks in advance,
Mark.
On Thu, 27 Jan 2005 16:26:00 +1300 (NZDT), Mark Foster <blakjak@blakjak.net> wrote:
> Hi folks.

Hello Mark,

> Don't post a lot here but I'm figuring you folks will know more about this than my local NOG...

Glad to have you on NANOG.

> When investigating a host that spammed me today, I noted that when I whois'd the domain that the mailserver involved has forward/reverse dns pair for, the domain whois information comes up as follows:
>
>     Found crsnic referral to whois.enom.com.
>
>     Registration Service Provided By: Registerfly.com
>     Contact: support@registerflysupport.com
>     Visit: http://www.RegisterFly.com
>
>     Domain name: xmux.com
>
>     Registrant Contact:
>        RegisterFly.com - Ref# 14155933
>        Whois Protection Service - ProtectFly.com (14155933.fly@spamfly.com)
>
> I'm unsure how appropriate it is to post anything more specific in the open forum, but I've never seen this before. What's the deal with hiding a domain name owner's true identity? Is this not simply yet another protect-the-spammers mechanism?

It will probably be called off-topic, flamed and dragged through the mud, yet to answer your question. It is fully legit, yet it does have its bad sides. I use it personally to keep prank callers from calling me directly.

    [soms@posche /]$ whois somsworld.com
    [Querying whois.internic.net]
    [Redirected to whois.godaddy.com]
    [Querying whois.godaddy.com]
    [whois.godaddy.com]
    Registrant:
       Domains by Proxy, Inc.
       15111 N Hayden Rd., Suite 160 PMB353
       Scottsdale, Arizona 85260
       United States

    Registered through: GoDaddy.com
    Domain Name: SOMSWORLD.COM
       Created on: 25-Aug-04
       Expires on: 25-Aug-05
       Last Updated on: 18-Jan-05

    Administrative Contact:
       Private, Registration SOMSWORLD.COM@domainsbyproxy.com
       Domains by Proxy, Inc.
       15111 N Hayden Rd., Suite 160 PMB353
       Scottsdale, Arizona 85260
       United States
       (480) 624-2599 Fax --

    Technical Contact:
       Private, Registration SOMSWORLD.COM@domainsbyproxy.com
       Domains by Proxy, Inc.
       15111 N Hayden Rd., Suite 160 PMB353
       Scottsdale, Arizona 85260
       United States
       (480) 624-2599 Fax --

    Domain servers in listed order:
       NS1.HITMANIT.COM
       NS2.HITMANIT.COM

> I followed up the chain - the authoritative DNS servers for the domain in question are hosts within a different domain, and this also has the same protection engaged....
>
> Is this old hat or something new? Is this still conformant to standard .com/net registrant rules and regs? (here in .nz, the registry information is required to be current and valid, and I've never seen a Registrar pass itself off as the owner of a domain before (at least in any legitimate situation))

It is all current information, and valid. I have gotten letters passed through to me from GoDaddy. It's a perfectly legit situation. Yet in your case it may not be, and it may be used to hide the person.

> Thanks in advance,
> Mark.
-- Joshua Brady
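
An added example, not part of any poster's message: a small triage helper that reads whois output like the two records quoted above, flags a privacy/proxy registrant, and separates the provider's relay address from the registrar whois server an abuse report would go through. The marker list and sample text are taken from this thread; the function name and substring matching are assumptions of the example.

```python
import re

# Privacy/proxy markers copied from the two whois records quoted in this thread.
# Other providers use other wording and would need to be added (assumption:
# a case-insensitive substring match is good enough for triage).
PROXY_MARKERS = ("whois protection service", "protectfly.com",
                 "domains by proxy", "domainsbyproxy.com")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed samples: abridged from the whois output quoted in the thread.
ENOM_SAMPLE = """\
Found crsnic referral to whois.enom.com.
Registration Service Provided By: Registerfly.com
Contact: support@registerflysupport.com
Domain name: xmux.com
Registrant Contact:
   RegisterFly.com - Ref# 14155933
   Whois Protection Service - ProtectFly.com (14155933.fly@spamfly.com)
"""
GODADDY_SAMPLE = """\
[Redirected to whois.godaddy.com]
Registrant:
   Domains by Proxy, Inc.
Registered through: GoDaddy.com
Domain Name: SOMSWORLD.COM
Administrative Contact:
   Private, Registration SOMSWORLD.COM@domainsbyproxy.com
"""

def triage_whois(text):
    """Summarise a whois record: domain, registrar whois server, proxy status."""
    domain = re.search(r"(?im)^\s*domain name:\s*(\S+)", text)
    server = re.search(r"(?i)(?:referral|redirected) to (whois\.[a-z0-9.-]*[a-z])", text)
    relays, markers = [], set()
    for line in text.splitlines():
        found = [m for m in PROXY_MARKERS if m in line.lower()]
        if found:
            markers.update(found)
            relays.extend(EMAIL.findall(line))  # provider relay, not the owner
    return {
        "domain": domain.group(1).lower() if domain else None,
        "registrar_whois": server.group(1).lower() if server else None,
        "proxied": bool(markers),
        "relay_addresses": relays,
    }

if __name__ == "__main__":
    for sample in (ENOM_SAMPLE, GODADDY_SAMPLE):
        print(triage_whois(sample))
```

When "proxied" is true, the registrant fields say nothing about the owner, so attribution has to continue from the sending IPs and the name servers, which is the route the original poster ends up taking.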
On Thu, 27 Jan 2005 16:26:00 +1300, Mark Foster said:
> I'm unsure how appropriate it is to post anything more specific in the open forum, but I've never seen this before. What's the deal with hiding a domain name owner's true identity?

Happens all the time..

> Is this not simply yet another protect-the-spammers mechanism?

Bingo. Be glad you found any info - some spammers have been taking advantage of the fact that some registries update the DNS every 5 minutes and the whois info every 12 hours, so with proper timing you can have the DNS go live, and have 11 hours and 50 minutes of carefree spamming before the Whois goes live and they figure out who you are and complain...

> Is this old hat or something new? Is this still conformant to standard .com/net registrant rules and regs? (here in .nz, the registry information is required to be current and valid, and I've never seen a Registrar pass itself off as the owner of a domain before (at least in any legitimate situation))

Remember that registrars *like* spammers who burn through 200 domains/week, because they can collect $9 for each one. Every week. ;) And there's even a few registrars that are basically just spammer shell corporations, so they can burn through 200 domains a week *without* having to pay $9 per (or more correctly, they pay themselves). What? 200+ registrars or whatever we're up to, and you thought they were *all* clean?? ;)

(They're not *all* bad, evil and black-hat - as far as I can tell, GoDaddy provides a similar service - but if you end up calling them because there's a problem, they're not at all amused - and take their ire out on the problem user)

Further discussion is probably better done on spam-l@peach.ease.lsoft.com
On Wed, 26 Jan 2005 Valdis.Kletnieks@vt.edu wrote:
> On Thu, 27 Jan 2005 16:26:00 +1300, Mark Foster said:
> > I'm unsure how appropriate it is to post anything more specific in the open forum, but I've never seen this before. What's the deal with hiding a domain name owner's true identity?
>
> Happens all the time..

*snip*

> (They're not *all* bad, evil and black-hat - as far as I can tell, GoDaddy provides a similar service - but if you end up calling them because there's a problem, they're not at all amused - and take their ire out on the problem user)
>
> Further discussion is probably better done on spam-l@peach.ease.lsoft.com

Thanks to those who've responded both on and off list - it seems the rules are different on your side of the world. I'll go the other way (as I usually do) and chase the IPs involved (I usually pursue both out of curiosity, but had not seen the aforementioned whois output before).

My thanks - can close this thread now before I get moderated. :)

Mark.
participants (3)
- Joshua Brady
- Mark Foster
- Valdis.Kletnieks@vt.edu