ICANN Cracks Down on Invalid WHOIS Data

DotNM writes "Internet News reports that ICANN, the Internet Corporation for Assigned Names and Numbers, is beginning a crackdown on invalid data in the WHOIS database. In ICANN's annual report, they found that nearly 5000 of the 24148 complaints were due to inaccurate WHOIS information. Some of the domain names in question had the address information of known spammers in the database. Registrars, the companies you register your domains with, are under contractual obligations to ensure this information is correct and accurate. Do you believe this is a step in the right direction? Why?"

I wholeheartedly agree.

[Silent+Plummet]

Absolutely, this is a step in the right direction. A contractual agreement is a contractual agreement, and there is no "right to a domain name", last time I checked. Forcing content providers (i.e. spammers) to remain personally identifiable can only help.

Good for spammers

[anti11es]

I don't know about the rest of you, but I have mostly correct information, only because I don't want to lose my domain over something like this. What I really hate about having all this information public is I get a lot of spam (both email and snail mail). Email isn't a problem with good filters, but there isn't much you can do to "filter" out the snail mail, you at least still have to throw it away. Spammers must love the whois database, and they'll love it even more when all the data is valid.

Re:Good for spammers

[Animaether]

There's always dyndns if you want your server easily accessible, whilst not wanting your information too public.
I kno www.SomeNameHere.com looks cooler, but since it's really a private little thing, I'm not sure that should be an argument.

Change of the rules

[Leffe]

I strongly think that there should be a correct address avaible for each and every domain name out there. But! I don't think letting it out to the public is a very good idea. I can think of numerous incidents where evil people obtained the addresses of targets from their domain names. It would not be good to hide this information from the police as they can surely obtain some valuable information from a registry like this :)

So, change the rules to only let the magic people that operate the internet and the law see it.

Re:Change of the rules

[Fastolfe]

I don't think this is very practical. How do you define who the "good guys" are? How do you keep the information away from the "bad guys"?

Every Joe in the country does not need his own second-level DNS domain. For those that believe they have a solid reason to have their DNS domain parented that far up the DNS hierarchy, they need to be aware that public registration is a requirement for that.

I don't really see a problem with that, especially for domains like ".com", which are meant to be commercial.

Now, for the new TLDs like ".name", I might see a case where DNS registration might not need to be accompanied with a publicly-visible registration, but for the rest, why not? It helps everyone identify who's responsible for a domain so that problem and abuse reports get handled in an efficient manner.

If we pull domain contact information from the public, someone still needs to be an effective first line for abuse and problem reports. If someone has a misconfiguration or malicious user that's impacting my network, I'd better damn well have a number I can call to get that issue resolved. If I can't get that in the WHOIS database, I'd better be able to call someone who can obtain it on my behalf.

I guess for me, it boils down to having responsible contact information available for every netblock and DNS domain that's registered. This doesn't necessarily need to be the end user (and in the case of third-level DNS domains or a customer's small netblock, it isn't even today), but if users are going to register assets high enough in the "tree" (second-level DNS domains and large IP netblocks), they need to accept the responsibility of keeping valid contact information available to the public, because nobody else is going to do it for them. You're free to sub-delegate those resources (third and fourth-level DNS domains or smaller blocks of IP addresses, for example), making you the contact for those end users, or if you choose to require their contact information be publicly available, they would be. It's just gotta be someone. The gTLD registrars I don't think are staffed to be that someone.

My two cents.

First, ICANN should crack down

On the people abusing the WHOIS data for spamming. If I didn't get so much damn spam (not just email, but regular mail!), I wouldn't be so included to falsify my data just enough to avoid it. If they call me on it, whoops, typo! Sorry!

I second that motion

[broothal]

Yes I believe this is a step in the right direction. As a matter of fact, I believe it's about fscking time they cleaned up their act. I don't know what percentage of those with fake info are spammers, but I do know, that 99% of the spammers has fake whois information. This makes it pretty hard to track them down, and hit them where it hurts - on their pouch. Spammers couldn't care less about losing an account or two - there's only one thing that can hurt them - that's going after them and their money. Fake whois information was an effective shield against that.

This policy sucks.

Spammers are a problem, but this is a terrible way to deal with it.

What if I want to be able to host a website realtively anonymously, so that people don't know that I am running the website?

For example, what if I were gay, and wanted to host a website about gays, but I didn't want my employers to be able to do a search and find out that I am gay so they can discriminate against me?

Also, spammers and other marketers harvest the info from the registration datatbase. Back when the Internet was all educational facilitities, requiring people to register who they are made sense. Now it does not.

Hopefully this policy will not affect services that act as proxies to register names under their name rather than the name of te acual server owner.

Re:No, I don't believe it is...

[LostCluster]

You've never had a right to privacy as a domain owner. If that bothers you, don't use DNS and just publish your web server's IP number.

Nobody cares about mining data from WHOIS

You know that huge, 5+ paragraph bit of text you get with any WHOIS query that's really damn annoying?

An employer who shall remain nameless used the WHOIS database to get sales leads. When they got blocked for too many queries per day, they simply set up more systems- they were blocked by specific IP, not range.

The most amusing part was the nonchalant reaction when said employer called Verisign and asked if they could pay for more access, the answer was no, but when Verisign was told "we'll be accessing the data anyway", the answer was "okay". You'd think it would be more along the lines of "you do that, and you'll be violating our terms of use and we'll sue the crap out of you".

Do you really think Verisign gives a crap about the privacy of info in the whois database?

I think it's good

[Himring]

I recently received a letter indicating that the email address I had listed in the whois for my domain was invalid and that if I didn't update it I could lose my domain. I promptly did so. I both did not want to lose my domain, and was glad to see they are keeping that information accurate.

For intents and purposes, we're dealing with addressing, and just like each physical address the post office deals with needs to be as accurate as possible for mail to be delivered effeciently, so do the cyber addresses that exist need to be in order for things to work correctly and effeciently.

I work at a corporation where a former engineer setup several hundred remote domains with all servers having the exact same host name. This meant for years we could only utilize the network on an IP level (e.g., all scripts and so forth not being able to use hosts names, but instead using the differing IP addresses of each server). Now, I know there are ways around this, but logistically, we had to wait to "fix it right" and have now done so, but the point is, fore-thought into proper addressing, accurate information, etc., when dealing with networking -- or the postal system -- is essential. Keeping things up-to-date is also essential.

We bitch about mail being slow, but how many of us haved moved and then taken the time to inform each addressy of that move especially when the postal system lets us know to do so by still delivering the mail to us with the little yellow "inform sender of address change" sticker?

I'm glad to see the enforcement of accurate information take place....

Re:It's a rule, play by it.

[Frater+219]

Absolutely.

The purpose of WHOIS contact information is to allow users and operators of other Internet sites to get in touch with you if your site is causing a problem. The Internet is cooperative, recall -- it could not exist at all without the thousands of sites and networks agreeing to carry each other's traffic. This cooperation requires that operators be able to contact one another in case of a problem. The alternative is that if I see anything even remotely resembling an attack coming from your network, I block your entire network -- regardless of whether you yourself are responsible, or some idiot who signed up as your customer.

If you want cooperation from the rest of the network -- in the form of allowing your traffic rather than blocking it -- you have to be reachable in case of problems. You don't get to operate an Internet site and not be accountable for it, because your site's behavior impacts everyone else on the network.

Your obligation to be reachable to other Internet operators does not go away just because spammers can abuse it -- just as a business's obligation to file incorporation papers (including a physical address) with the state doesn't go away just because the Mafia can search incorporation papers for your business's address and come around to demand protection money. The problem there is the Mafia, not the incorporation papers.

If you are concerned about spammers taking your WHOIS contact information and spamming you, you have reason to be -- spammers will take email addresses from anywhere and abuse them. However, you should recognize that this is the fault of spammers, not WHOIS: put the spammers in jail for computer crime, and the problem goes away.

Excellent move! Make domain owners responsible.

[bigberk]

I think this is an excellent move. As an anti-spam activist, I frequently report blatantly invalid WHOIS contact info to both the registrar and to ICANN -- and never hear back from anyone. It's amazing when you see spammers' domains with fake cities (in the wrong country), blatantly invalid email addresses, etc.

I can understand that some people have reservations about posting their private information in public databases, but options such as PO Boxes are available (I use a PO Box myself). Also think of it in context: if someone knows your name and wants to find your address, they can easily do so anyway. You can also give a cell phone number instead of a home phone, of course.

ICANN't

[TheUnFounded]

believe their gonna force me post my personal information on a global public database. I have very good reasons for NOT posting it.

1) I don't have a correct email address listed, so I don't get spam.
2) I don't have a correct snail mail address listed, so I don't get junk mail
3) I don't have a correct phone number listed, so I don't get telemarketers.

Seems to me like this will be a huge benefit to any company who's ever solicited me in a way I hate. Score: Businesses, 1; Users, 0

Re:We can do it. We have the technology.

[SuperBanana]

The US Postal Service, along with most of its counterpart postal authorties around the world, sells a master database of all "deliverable" addresses to vendors so that they can create services that will easily detect incorrect addresses such as streets that don't exist in the given town, or a number that doesn't exist on a real street. In short, if you have this software, you can reliably predict if the postal serivce would bounce a piece of mail as an invalid address and know why.

Most people, in fact all breathing people around the world, realize that almost any town bigger than 50 people has a "Main Street". In short, if you put "25 Main Street" and then the name of any city or town in the entire US, you can reliably predict that it will pass the deliverable address database checks with flying colors.

My experience

[macdaddy]

There was an unused domain I wanted to purchase a year or so ago. They guy paid in 10 years in advance for the domain. All of the WHOIS information was bogus. The address pointed to a a chip manufacturer, I forget which though. The domain have no DNS records. It was just a dead domain. Basically there was no way to track down the owner of this unused domain to make an offer to buy the domain. The registrar wouldn't help. They wouldn't even contact their own customer to ask that they fix their WHOIS information. Maybe I should have made a complaint to ICANN and gotten the domain revoked. To this day the domain still hasn't been used and still has no valid WHOIS or DNS records. What a waste.

Thats risky.

[sheetsda]

Do you suppose they'll let you take the domain if you want to switch hosting services? They registered it, it has their info on it, and (I'm guessing) they paid for it (out of money you gave them of course).

Um no

[Seven001]

I own a few domains and I never put the right phone number in. I also have an email address strictly set aside for domains only - which catches TONS of spam, and I tend to catch a little bit of snail mail spam as well - usually from the same company that tries to trick people into switching to them and paying $25+ a year. I hate the way that whois info is public though, and you have to pay (usually more than the price of the domain where I register domains) to make it private. It should be automatically private, at no cost. Someone above mentioned something about the reason that is there is for complaints and such - well I just happen to have an idea that could fix that problem easily. Make any complaints or inquiries go through the registrar. Kind of like a registrar private messaging system. It might seem like a lot, but I think it is little to ask to help stop the whois info harvesting and millions of spam emails that get sent as a result of it. ICANN already has a ton of requirements that registrars have to meet, why not one more.

Re:It's a rule, play by it.

[JPriest]

I have registered a total of 4 domains, after using valid information on the first one I refuse to make the same mistake again. My first domain expired in 2001 and I still get credit card offers from it. Like it or not, it is still a public database containing personal information. I can't really blame people for using incorrect information.

Forget the spammers... it's the stalkers!

How many personal domains are out there? And how many freaks are there online who'd wet themselves over the chance to stalk people whose website the dislike or whose website turns them on or whatever the hell it is that they get off on?

My websites all point to my former address. I moved because some freak was harassing me and I was worried he was going to show up on my doorstep some day. I didn't update the listing and won't for at least another year, unless I get a PO box, and I'm sure as hell not going to spend the money on that when I'm getting zero benefit on it.

My registrar has my real contact info. That's all that matters. If someone has a complaint about one of my sites that can't be resolved by emailing me, they can write to my hosting provider or my registrar.

Re:Forget the spammers... it's the stalkers!

[Fastolfe]

Why do you feel it's necessary to register a DNS domain under a gTLD? That's your decision, and with that decision comes an obligation to provide contact information for activity that occurs under that DNS domain. Just because you're on the Interweb and not the Internet like the rest of us doesn't exempt you from the rules.

Your registrar isn't going to accept calls in the middle of the night because your PC is infected with a virus or DDoS agent and is saturating my network with traffic. That's not their job. Either publish contact information or get your DNS domain and/or network addresses from a provider that will publish their own information on your behalf.

Re:Forget the spammers... it's the stalkers!

[Avihson]

I never even considered stalkers, I chose anonymity for convenience.
My registrar emails me too frequently with "special offers" and I get site related junkmail even though my whois data does not point to my address. I can only surmise that the registrar is making a few bucks on the side selling data.

If there was a valid reason for the FBI or the IP-Police to kick down my door, they can do a dig on me, go to the switch up the road, and pull the line. When I pop out of the door to look at the wires, they can rush me with all their SWAT gear.

For everyone else - It's the internet, use it to contact me, or lookup the netblock owner, they get a check from me every month. If the law enforcement officers can't do that, they should be kicked back to parking meter duty.

I have an unlisted phone number for a reason, I'm sure not going to post it in the whois database!

It's the wrong way to go

[Catbeller]

1. The internet was not designed to be a telephone system or a post office. Anonymity and openness are what made it what it is today. Want a secure communications system? Build one. IP was not designed for businesses and their needs. Closed systems existed before busineses stampeded on to the internet. If they want registered users and trusted boxes, then they should build an alternative network that does not connect to the internet itself. Leave what is, alone.

2. Spoofing whois is essential for people who wish to use the internet to get messages across that powerful people want suppressed. Or at the very least, powerful people will retaliate.

For instance:

mediawhoresonline.com -- the people behind the Horse (out to pasture at the moment) were afraid of retaliation in their personal and private lives. They have some justification for this, for Bush and his people have grown famous for their ruthless vengeance against anyone who crosses them - Valerie Plame, Wilson, Richard Clark, the owners of that restaurant in Texas tht called the cops on the Bush Girls (business shut down for "code violations"), the Funeralgate affair (nailed the whistleblower AND her department). And innumerable others whom we don't hear about because, well, reporters don't want to cross the Bush family either.

Buzzflash.com also hides their identies for the same reason, I think.

Now, on to the cultbusters. During the late '90's, a lot of ex-Scientologists went online, mainly on the Usenet on alt.religion.scientology, but also branched out into the web as well. They had to hide their identities: the utter certainty of the destruction of their lives if they ever were outed was paramount. The viciousness of the attacking Sea Org (secret agents oh my) is legendary, and you can check it out at xenu.net, as well as any number of other sites.

Just don't use the WayBack machine: they purged the history of the internet of all the critical sites with any teeth at the behest of the Hubbardites.

Now there are others: the Moonies, the nutballs in Japan, any number of small, evil little cults all over the U.S. If you want to expose them, anonymity is key. And anonymity was long held constitutional in the U.S. under the 1st amendment as necessary to demand redress of wrongs without fear of retaliation.

I fake my whois info, and always will.

3. Registering users will not stop the spam. Oh please. People who send billions of messages and make millions of dollars aren't scared of fines or jail time. They're rich; they won't see real jail. This registration crackdown is happening because the control freaks in law enforcement can't stand seeing anonymous communications. It's like nails on chalkboard to them. I think Pratchett said it best when he wrote that cops, if they had their way, would make everyone sit at home, at their tables, with their hands on top of the table where the cops can see them.

It's not like we haven't seen this coming. The jail doors are clanging shut, and they won't let us bang on any pipes in Morse code without the ability to listen in any time they'd like.

Companies and individuals are different

[gorbachev]

I will never, ever register any of my personal domains with valid registration information. There's absolutely no way.

I will not have all the people who don't like what I publish on my websites harrass me at my home address, which is the only "valid" address I currently have to use in my whois records. I will not give that information out in public for any reason. There are way too many net.kooks out there for me to volunteer my home address.

I will also not pay to get a p.o. box to avoid being harrassed. Why should I pay to be left alone?

For businesses, however, I do agree, the whois records should be valid and uptodate. This includes the spamming parasites, who've made it an art form to forge every single record of theirs they possibly can.

Hell no!

[Snaller]

All registrats who don't care should lose their ability to register names! So many times i've complained about faulty information to some registra, and their reply was "there is nothing we can do about" - well if not you who the fuck else! Idiots.

Re:It's a rule, play by it.

[blutrot]

Another thing that should be mentioned is it is very easy to forge an email address. I am able to run my own SMTP server and send forged emails to whomever I want (I don't, so don't flame me for that).

Having the WHOIS access, as mentioned on the parent, allows spammers to grab our contact information and use their forged email systems to send out spam. I have heard of cases where an SMTP server will bounce a message back saying to resend in three hours. If the mail is resent in 3 hours, the mail is allowed back through. Similar systems exists that do similar mail authentication. However, I should not have to go through the trouble of going through all these security measures just to keep a person from sending me an email I do not want.

Back to the original context, I believe that WHOIS information should be kept accurate and private. This will allow me, as a user, to run a website on a controvertial topic if I chose to, allows me to be and feel safer from disgruntles readers, and allow authorities to crack down on websites with illegal content.

Re:Lots of useless data in there

[Space+cowboy]

Well, if there's no data to be had, there's nothing anyone can do. I do think that's a pretty statistically insignificant proportion of IP addresses though, even with AOL doing it...

Some NAT firewalls send extra headers (X-NAT-PROPOGATED-FOR') similar to proxies ('HTTP_FORWARDED_FOR' and similar), and I try to pick up on those where I can, but at the end of the day, any system has to have *something* to work with.

The fraction of IP addresses that oscillate or change city a lot is very small (1%). The vast majority of the located addresses that I have don't change at all.

As for relevance, well as I've mentioned before it's an experiment. If it turns out to be useful, excellent; if not, well I have some interesting data to play with :-) So far it looks promising, but it's very early days.

Simon.

Re:It's a rule, play by it.

[Richard_at_work]

Actually, you can have a restraining order restricting the person from having any CONTACT with you, which includes email, phone, physical conversation. You are asking the court to restrain the other party from contacting you. I should know, Ive used one :)

Re:It's a rule, play by it.

[cubicledrone]

If you want to make a dent in spamming, just take away their property(including house and car, in fact the food out of the fridge and their clothes too) and empty their bank accounts.

If you want to make a dent in spamming, just violate the first, fourth, fifth, sixth and eighth amendments. Simple!

Re:Get a Lawyer

[acceleriter]

Great idea. Free speech for those who can afford to pay an attorney to act as an agent.

Re:It's a rule, play by it.

[tyldis]

First off: I'm a poor student and live in Norway. I have a few hobby domains, mostly so I can run my own email configuration.

I haven't recieved any snailmail spam, most likely because I'm not American, but one evening I got a [lovely] call from China. A female (yes, I was shocked myself, first time a girl calls me!) said something about representing some huge business.
Her english was bad so I couldn't really hear what she was saying, but I finally figured out that they had heard about 'my large and great company' and that I was known worldwide for my splendid leadership and nose for business.

I kinda freaked out, hung up and went for my tinfoil hat. I changed the contact info, but when my registrar complained that my address 'BOFH Avenue 666' was bouncing I had to change it back.

Bottom line, I would very much appreciate some kind of mechanism that would protect your privacy a little bit better. The problem is that the Internet is global and legislation is very different around the globe so the solution would have to be technical.

Re:It's a crappy rule; change it.

[AaronD12]

I agree... that information should be private.

I just registered a domain using my correct information (my registrar would not allow an "invalid" e-mail address), and voila... I've gotten over 500 spam a day on that e-mail address. Previous to the registration, I was getting about 1/10th of that, which is still far too many.

As long as we follow the rules and fill out valid information, there will be bastards that won't follow the rules and will take advantage of us.

False Entitlements

[firewood]

The system has been abused for year. So, I'm sure there are those who feel entitled to the privacy and anonynimity they've been able to get for free so far.

I liken them to homeowners and small businesses who are dumping their pollution directly into the river, and then complaining when told that the same new environmental laws which apply to mega-toxic-corp upsteam also apply to them. However, just like the river, which may supply drinking water to people living downstream, DNS is a public service hosted on other peoples servers, not your own. If you want to use a public service (as opposed to running your own private DNS server for your buddies, etc.) you may have to abide by public rules.

The beginnings of a clean-up mechnism are simple. Notify people to clean up their DNS records and then randomly snail mail letters to a percentage of domain owners. Lock domains for owners who do not respond.

If you want your privacy and anonynimity, which was not implicit in the original rules for DNS service, pay for a proxy service (electronic equivalent of a PO box, answering service, subsidiary in the Bahama's, etc.). But don't depend on being entitled to a mechanism which makes you look exactly like joe toxic spammer at zero cost, and which leads to a Tragedy of the Commons.

Because I want a persistent address

[phr1]

If I have a lower level domain under some ISP, then I'm trapped with them. If my ISP's service goes down the tubes, or if they go out of business altogether, or if they jack up their prices or whatever, I can't switch ISP's without losing email or web contact with anyone I gave my address or URL to. I move around a lot; my physical addresses and phone numbers change all the time. My internet domain is the most stable point of contact that I have.

I had a stable email address with an ISP for about ten years, but the ISP discontinued my service plan and said I'd have to change addresses if I wanted to stay with them, so that's why I registered a domain, so I have a permanent net address that I can give out to friends and acquaintances. That doesn't mean I want it advertised to the public. It's like an unlisted phone number. I'm ok with the registrar having my contact info in case law enforcement needs to find me, but I see absolutely no reason they have to publish it in WHOIS.

Re:It's a rule, play by it.

[Bagheera]

If you want to make a dent in spamming, just violate the first, fourth, fifth, sixth and eighth amendments. Simple!

1st Amendment: Spam is not protected free speech. Commercial speech, which the vast majority of spam is, isn't covered here. We are talking about people who are selling you herbal viagra and the like. Unless you somehow want to include SPAM in a religious context?

4th Amendment: While I certainly don't support pressing the fourth amendment, the government has already set numerous precedents with the (failed) War on Drugs when it comes to seizing property. Ask any boat owner who lost their boat because one of the crew snuck a joint on board, and they got pegged with the Coastie's Zero Tolerance policy. Personally, I find drug dealers less offensive than spammers. People GO TO drug dealers for their product. Spammers force themselves into your in-box and around your filters.

Note that the government can say it's OK to seize spammer's assets - like they did with drug dealers, and the seizure then becomes lawful in any case.

5th Amendment: How are you applying it here? The 4th amendment covers search and siezure. The 5th would only apply if we assumed no process.

6th Amendment: Doesn't appear to apply here. The original comment about seizing spammer's

8th Amendment: Define "excessive" in this context? Is it somehow OK for a spamemr to send out 5 million bulk emails to people who didn't want them, using machiens that were compromised, on someone elses network? Would, say, ten cents per spam for bail be adequate?

I seem to remember the precept that "Illegally acquired" assets are forfiet. Since spam is, in many cases (and we would assume that we are not going after "legit" marketers here) illegal under one law or another, it's a safe bet that the spammer's assets would count as "illegaly acquired."

The constitution is a great document, and it's already suffering a lot of abuse at the hands of the (past, present and future) administration. But siezing a spammer's assets doesn't count as abusing the spammer's constitutional rights. It counts as letting the punishment fit the crime, and serving justice in the public interest.