
The Sad State of WHOIS, and Why Criminals Love It


I'm not even sure how to begin this post, but let me tell you — my head explodes when I try to contact WHOIS "contacts" about criminal activity — FAIL.

I think ICANN wants to do the right thing here, and has stated on multiple occasions that inaccurate WHOIS data is reason for registrar termination. That's a Good Thing.

I'm assuming that the various RIRs also have a similar policy, but admittedly, I'm not sure (and it's late and I don't feel like looking up each of the RIR policies on it) and experience has proven to me that criminals don't adhere to registrar/RIR policies — they don't care, and we seem to pretty much let them get away with it.

Are we just stupid, and they are smart?

No, we are stupid.

No one in the policy-making bodies seems to have discovered this fact yet, and they continue to allow criminals free rein.

This has got to stop.

I wrote a blog article earlier this evening for my company's blog, singling out Turkey.

Having said that, I didn't necessarily want to single out Turkey, but it just so happens that I spent an unacceptable amount of time trying to find 'someone who cares' in Turkey to mitigate some Eastern European criminal activity that we have observed.

Now, this is not a unique experience, but it is exemplary of the issues that we face — we cannot get the attention of the responsible parties to mitigate criminal activity.

How do we fix this?

Seriously. How do we fix this?

I find this very, very disturbing — and the criminals find comfort.

We have to change this. Immediately.

But first, we have to find people who actually give a damn, and that is proving harder and harder.


By Fergie, Director of Threat Intelligence

Related topics: Cybercrime, Cybersecurity, ICANN, Internet Governance, Policy & Regulation, Whois




Bravo! Garth Bruen  –  May 13, 2010 7:02 AM PDT


Verified WHOIS is the solution George Kirikos  –  May 13, 2010 8:19 AM PDT

Verified WHOIS is the solution. I've been advocating this for years, e.g. see most recently our comments in relation to the WHOIS accuracy study. It's a proactive solution, inexpensive to implement, maintains a level-playing field amongst registrars, and eliminates abuse before it even starts. In other words, it reduces overall crime ex-ante, rather than trying to add "more police" or "harsher penalties" ex-post.

Go read the policy-making body workgroups and archives, and it comes up again and again, yet ICANN ignores the obvious solution.

Whois does not matter jeroen  –  May 14, 2010 2:39 AM PDT

It does not matter. For WHOIS there should simply be two options:
1) I am providing proper details as I want to be contacted
2) I don't want to be contacted

This, as setting up fake companies in various countries around the world where the legal system is hard to catch you, as they are in your pocket anyway, is way too easy.

As such, requiring verified whois is not going to help anyway. It will never be accurate, especially for the folks who do not want to be found.

NOT optional Garth Bruen  –  May 14, 2010 6:27 AM PDT

The original intent of WHOIS is to provide contact information for domains, it's not optional.

Original intent meets current reality The Famous Brett Watson  –  May 14, 2010 8:32 AM PDT

That was indeed the original intent. It was also the original intent of the domain name system that it be deep, rather than broad. That hasn't happened either.

It was not anticipated that every man and his dog would have his own domain name. It was not anticipated that criminals and other bad faith actors would be significant players. The original intent behind a number of historical decisions has not meshed well with the reality of how the system is applied in practice.

You claim "original intent" as though it were the very Word of God. It isn't. It was a policy constructed with an expectation that it would be useful given the anticipated uses of the system. When Jeroen says that there should be two options, he is suggesting a new policy based on observation of how the system has actually been used in practice. This may seem radical — heretical, even — but we are allowed to consider new policies based on our experiences. To do so is not blasphemy against Jon Postel.

Even accurate whois is useless .. Suresh Ramasubramanian  –  May 15, 2010 7:38 AM PDT

If you don't read your abuse or whatever mailbox is listed in the whois record.

There's other rubbish that's far wrong - and you do need registrars and registries to step up (there are several that are doing a great job).

Going after them head down and horns hooking isn't the way though, Garth.

Ferg understands - he's engaged constructively with registrars and knows not to tar them all with the same brush.

Back it up Suresh Garth Bruen  –  May 15, 2010 9:42 AM PDT

and knows not to tar them all with the same brush.

You keep saying this but don't provide any proof that I'm doing such a thing.

I'm not really sure what I've done to offend you so much, but your constant comments to me are so over the top, personal, and short on substance.

I lay out clearly the issues I have with certain Registrars. There are around 500 unique domain registration companies, I've talked about 20 at most, the 20 causing the problems and profiting from the illicit traffic. We've got data backing all this up, data that has never been effectively disputed by you or the Registrars. In fact, it's been supported by HostExploit, MyNetWatchman, Spamhaus, StopBadware, and ICANN itself.

As far as arguing why the Registrars are so sainted and infallible, Suresh, you have not provided a fragment supporting the concept.

I contend it is YOU who paints me with a broad brush.

Speak for yourself Garth Bruen  –  May 15, 2010 9:34 AM PDT

It was not anticipated that every man and his dog would have his own domain name. It was not anticipated that criminals and other bad faith actors would be significant players

Speak for yourself, I knew exactly what was going to happen. Policy without policy enforcement is useless policy. What we've had is a list of rules for Registrars and registrants to follow and no one enforcing them. ICANN is now playing catch-up and the crooks are deeply entrenched, now owning their own ISPs and accreditations. This is something I (and many others) predicted long ago. The de facto policy of Registrars policing themselves was a recipe for disaster and has been an abysmal failure.

You claim "original intent" as though it were the very Word of God.

I challenge you to show where I said anything close to that.

It's the policy whether the bad players like it or not, and now that we're trying to enforce we're getting attacked. Big surprise.

Even if you would require that valid jeroen  –  May 16, 2010 6:50 AM PDT

Even if you would require that valid information is present (*) and accurate, setting up a fake company with all the official paperwork is too easy. As such, the cost of verification is too high and impossible anyway.

As such, my proposal: let people either say "I don't want any valid info to be shown" or "these are details which are valid so you can contact me, as I actually care about my network".

* = is "DomainsByProxy" "valid"?

Validated/accurate Whois is an unfunded mandate without economic basis Ram Mohan  –  May 18, 2010 10:07 AM PDT

Validation is very hard. Accuracy in Whois is an unfunded mandate. No one profits from the accuracy. Many profit from obfuscation.

The thin veneer of policy combined with an ineffective implementation mechanism gets overwhelmed by the substantial economics underlying this issue. Until that is resolved, I fear that the fundamentals are unlikely to change.

What does it take to build a validated whois? Alessandro Vesely  –  May 19, 2010 12:39 AM PDT

Jeroen's option 2 is necessary in a number of cases, and involves freedom of speech. In addition, routinely looking up whois data is impractical because of query limits that many servers impose. That's why Abusix makes a DNS copy of (part of) that data. They don't attempt validation, though. DNSWL maintains a whitelist. Both organizations work on data from IP whois databases, maintained by RIRs.

How can one distinguish a good, interoperable domain name? I would guess that a few automatic verifications, e.g. a minimum number of days since registration, some consistency checks w.r.t. DNS data, and cross-checking relevant IPs, would provide a good starting point. Shouldn't that be done independently of ICANN?
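The three automatic checks Alessandro sketches above (minimum registration age, consistency between WHOIS and DNS, and a cross-check of the domain's IPs against RIR data), worked through as an added example that is not part of the original post or of any comment. Everything it consumes is constructed inline: the WHOIS record, the DNS answers, the netblocks (RFC 5737 documentation prefixes) and the abuse contacts are made up, the `.test` names are reserved, and the 30-day age threshold is an arbitrary assumption. It runs offline, so it sidesteps the query limits the comment mentions, but a real deployment would feed it cached WHOIS/DNS data instead.

```python
from datetime import date
import ipaddress
import re

# Constructed domain-WHOIS record in the usual "Key: value" layout.
# Names, dates and servers are invented for this example.
WHOIS_RECORD = """\
Domain Name: example-shop.test
Creation Date: 2010-05-10
Name Server: ns1.example-host.test
Name Server: ns2.example-host.test
Registrant Email: admin@example-shop.test
"""

# Constructed DNS view of the same domain (what a resolver would return).
DNS_VIEW = {
    "NS": ["ns1.example-host.test", "ns2.example-host.test"],
    "A": ["192.0.2.10", "198.51.100.20"],
}

# Constructed IP-WHOIS (RIR-style) data: netblock -> published abuse contact.
IP_WHOIS = {
    "192.0.2.0/24": "abuse@example-host.test",
    "198.51.100.0/24": None,  # assumption: this block publishes no abuse contact
}


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (e.g. Name Server) collect into a list."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record


def domain_age_days(record, today):
    """Days since the Creation Date, or None if it is missing or unparseable."""
    created = record.get("creation date", [None])[0]
    try:
        return (today - date.fromisoformat(created)).days if created else None
    except ValueError:
        return None


def nameservers_consistent(record, dns_view):
    """The name servers WHOIS lists must equal the NS set the DNS actually serves."""
    whois_ns = {ns.lower().rstrip(".") for ns in record.get("name server", [])}
    dns_ns = {ns.lower().rstrip(".") for ns in dns_view.get("NS", [])}
    return bool(whois_ns) and whois_ns == dns_ns


def abuse_contacts_for(addresses, ip_whois):
    """Map each address to the abuse contact of the netblock covering it (None if absent)."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next(
            (abuse for block, abuse in ip_whois.items()
             if ip in ipaddress.ip_network(block)),
            None,
        )
    return result


def assess(whois_text, dns_view, ip_whois, today, min_age_days=30):
    """Run the three checks; an empty 'flags' list means the domain passed all of them."""
    record = parse_whois(whois_text)
    flags = []
    age = domain_age_days(record, today=date.fromisoformat(today))
    if age is None:
        flags.append("no parseable creation date")
    elif age < min_age_days:
        flags.append(f"registered {age} days ago (< {min_age_days})")
    if not nameservers_consistent(record, dns_view):
        flags.append("WHOIS name servers differ from DNS NS set")
    contacts = abuse_contacts_for(dns_view.get("A", []), ip_whois)
    for addr, contact in contacts.items():
        if contact is None:
            flags.append(f"{addr}: no abuse contact in IP WHOIS")
    return {"age_days": age, "abuse_contacts": contacts, "flags": flags}


if __name__ == "__main__":
    # Evaluate as of a date shortly after the constructed registration date.
    print(assess(WHOIS_RECORD, DNS_VIEW, IP_WHOIS, today="2010-05-19"))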

