
The Sad State of WHOIS, and Why Criminals Love It

Fergie

I'm not even sure how to begin this post, but let me tell you — my head explodes when I try to contact WHOIS "contacts" about criminal activity — FAIL.

I think ICANN wants to do the right thing here, and has stated on multiple occasions that inaccurate WHOIS data is reason for registrar termination. That's a Good Thing.

I'm assuming that the various RIRs also have a similar policy, but admittedly, I'm not sure (and it's late and I don't feel like looking up each of the RIR policies on it) and experience has proven to me that criminals don't adhere to registrar/RIR policies — they don't care, and we seem to pretty much let them get away with it.

Are we just stupid, and they are smart?

No, we are stupid.

No one in the policy-making bodies seems to have discovered this fact yet, and they continue to allow criminals free rein.

This has got to stop.

I wrote a blog article earlier this evening for my company's blog, singling out Turkey.

Having said that, I didn't necessarily want to single out Turkey, but it just so happens that I spent an unacceptable amount of time trying to find 'someone who cares' in Turkey to mitigate some Eastern European criminal activity that we have observed.

Now, this is not a unique experience, but it is exemplary of the issues that we face — we cannot get the attention of the responsible parties to mitigate criminal activity.

How do we fix this?

Seriously. How do we fix this?

I find this very, very disturbing — and the criminals find comfort.

We have to change this. Immediately.

But first, we have to find people who actually give a damn, and that is proving harder and harder.

Shame.

By Fergie, Advanced Threats Researcher, Emerging Threats & Operational Intelligence. Visit the blog maintained by Fergie here.

Related topics: Cybercrime, ICANN, Internet Governance, Policy & Regulation, Security, Whois


Comments

Bravo! Garth Bruen  –  May 13, 2010 7:02 AM PDT

Bravo!

Verified WHOIS is the solution George Kirikos  –  May 13, 2010 8:19 AM PDT

Verified WHOIS is the solution. I've been advocating this for years, e.g. see most recently our comments in relation to the WHOIS accuracy study. It's a proactive solution, inexpensive to implement, maintains a level-playing field amongst registrars, and eliminates abuse before it even starts. In other words, it reduces overall crime ex-ante, rather than trying to add "more police" or "harsher penalties" ex-post.

Go read the policy-making body workgroups and archives, and it comes up again and again, yet ICANN ignores the obvious solution.

Whois does not matter jeroen  –  May 14, 2010 2:39 AM PDT

It does not matter. For WHOIS there should simply be two options:
1) I am providing proper details as I want to be contacted
2) I don't want to be contacted

This, as setting up fake companies in various countries around the world where the legal system is hard to catch you, as they are in your pocket anyway, is way too easy.

As such, requiring verified whois is not going to help anyway. It will never be accurate, especially for the folks who do not want to be found.

NOT optional Garth Bruen  –  May 14, 2010 6:27 AM PDT

The original intent of WHOIS is to provide contact information for domains, it's not optional.

Original intent meets current reality The Famous Brett Watson  –  May 14, 2010 8:32 AM PDT

That was indeed the original intent. It was also the original intent of the domain name system that it be deep, rather than broad. That hasn't happened either.

It was not anticipated that every man and his dog would have his own domain name. It was not anticipated that criminals and other bad faith actors would be significant players. The original intent behind a number of historical decisions has not meshed well with the reality of how the system is applied in practice.

You claim "original intent" as though it were the very Word of God. It isn't. It was a policy constructed with an expectation that it would be useful given the anticipated uses of the system. When Jeroen says that there should be two options, he is suggesting a new policy based on observation of how the system has actually been used in practice. This may seem radical — heretical, even — but we are allowed to consider new policies based on our experiences. To do so is not blasphemy against Jon Postel.

Even accurate whois is useless .. Suresh Ramasubramanian  –  May 15, 2010 7:38 AM PDT

If you don't read your abuse or whatever mailbox is listed in the whois record.

There's other rubbish that's far wrong - and you do need registrars and registries to step up (there are several that are doing a great job).

Going after them head down and horns hooking isn't the way though, Garth.

Ferg understands - he's engaged constructively with registrars and knows not to tar them all with the same brush.

Back it up Suresh Garth Bruen  –  May 15, 2010 9:42 AM PDT

and knows not to tar them all with the same brush.

You keep saying this but don't provide any proof that I'm doing such a thing.

I'm not really sure what I've done to offend you so much, but your constant comments to me are so over the top, personal, and short on substance.

I lay out clearly the issues I have with certain Registrars. There are around 500 unique domain registration companies, I've talked about 20 at most, the 20 causing the problems and profiting from the illicit traffic. We've got data backing all this up, data that has never been effectively disputed by you or the Registrars. In fact, it's been supported by HostExploit, MyNetWatchman, Spamhaus, StopBadware, and ICANN itself.

As far as arguing why the Registrars are so sainted and infallible, Suresh, you have not provided a fragment supporting the concept.

I contend it is YOU who paints me with a broad brush.

Speak for yourself Garth Bruen  –  May 15, 2010 9:34 AM PDT

It was not anticipated that every man and his dog would have his own domain name. It was not anticipated that criminals and other bad faith actors would be significant players

Speak for yourself, I knew exactly what was going to happen. Policy without policy enforcement is useless policy. What we've had is a list of rules for Registrars and registrants to follow and no one enforcing them. ICANN is now playing catch-up and the crooks are deeply entrenched, now owning their own ISPs and accreditations. This is something I (and many others) predicted long ago. The de facto policy of Registrars policing themselves was a recipe for disaster and has been an abysmal failure.

You claim "original intent" as though it were the very Word of God.

I challenge you to show where I said anything close to that.

It's the policy whether the bad players like it or not, and now that we're trying to enforce we're getting attacked. Big surprise.

Even if you would require that valid jeroen  –  May 16, 2010 6:50 AM PDT

Even if you would require that valid information is present (*) and accurate, setting up a fake company with all the official paperwork is too easy. As such, the cost of verification is too high and impossible anyway.

As such, my proposal: let people either say "I don't want any valid info to be shown" or "these are details which are valid so you can contact me, as I actually care about my network".

* = is "DomainsByProxy" "valid"?

Validated/accurate Whois is an unfunded mandate without economic basis Ram Mohan  –  May 18, 2010 10:07 AM PDT

Validation is very hard. Accuracy in Whois is an unfunded mandate. No one profits from the accuracy. Many profit from obfuscation.

The thin veneer of policy combined with an ineffective implementation mechanism gets overwhelmed by the substantial economics underlying this issue. Until that is resolved, I fear that the fundamentals are unlikely to change.

What does it take to build a validated whois? Alessandro Vesely  –  May 19, 2010 12:39 AM PDT

Jeroen's option 2 is necessary in a number of cases, and involves freedom of speech. In addition, routinely looking up whois data is impractical because of query limits that many servers impose. That's why Abusix makes a DNS copy of (part of) that data. They don't attempt validation, though. DNSWL maintains a whitelist. Both organizations work on data from IP whois databases, maintained by RIRs.

How can one distinguish a good, interoperable domain name? I would guess that a few automatic verifications, e.g. a minimum number of days since registration, some consistency checks w.r.t. DNS data, and cross-checking relevant IPs, would provide a good starting point. Shouldn't that be done independently of ICANN?
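Added example, not code from the comment above or from Abusix/DNSWL: a small Python checker that applies the automatic verifications Alessandro sketches (minimum days since registration, WHOIS-versus-DNS nameserver consistency, and an address cross-check for in-bailiwick nameservers and the contact's mail domain) to a constructed WHOIS record and a constructed offline stand-in for DNS answers. The domain, record fields, 30-day threshold and the DNS stand-in are all assumptions.

```python
from datetime import date

# Constructed WHOIS record for a hypothetical domain (not a real lookup).
SAMPLE_WHOIS = """\
Domain Name: example-shop.test
Creation Date: 2010-05-12
Name Server: ns1.example-shop.test
Name Server: ns2.hoster.test
Registrant Email: contact@example-shop.test
"""

# Constructed stand-in for live DNS answers, so the checks run offline.
SAMPLE_DNS = {
    "example-shop.test": {"NS": ["ns1.example-shop.test", "ns3.other.test"],
                          "A": ["198.51.100.7"]},
    "ns1.example-shop.test": {"A": ["198.51.100.7"]},
}

def parse_whois(text):
    """Fold a 'Key: value' WHOIS dump into a dict of lower-cased value lists."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, val = line.split(":", 1)
            rec.setdefault(key.strip().lower(), []).append(val.strip().lower())
    return rec

def check_record(whois_text, dns, today, min_age_days=30):
    """Apply the three heuristics; returns a list of findings (empty = clean)."""
    rec = parse_whois(whois_text)
    domain = rec["domain name"][0]
    findings = []
    # 1. Minimum number of days since registration (today given as ISO date).
    age = (date.fromisoformat(today) - date.fromisoformat(rec["creation date"][0])).days
    if age < min_age_days:
        findings.append(f"registered only {age} days ago")
    # 2. The NS set in WHOIS must agree with what DNS actually serves.
    whois_ns, dns_ns = set(rec.get("name server", [])), set(dns.get(domain, {}).get("NS", []))
    if whois_ns != dns_ns:
        findings.append(f"nameserver mismatch: whois={sorted(whois_ns)} dns={sorted(dns_ns)}")
    # 3. IP cross-check: in-bailiwick nameservers and the contact's mail domain
    #    must resolve to an address, otherwise the contact cannot be reached anyway.
    hosts = [ns for ns in whois_ns if ns.endswith("." + domain)]
    hosts += [e.split("@", 1)[1] for e in rec.get("registrant email", []) if "@" in e]
    for host in hosts:
        if not dns.get(host, {}).get("A"):
            findings.append(f"{host} has no address record")
    return findings
```

Run against the sample on 2010-05-19 it reports a seven-day-old domain and a nameserver mismatch; the same record checked later against consistent DNS data comes back clean.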

