Slashdot Mirror


ICANN Cracks Down on Invalid WHOIS Data

DotNM writes "Internet News reports that ICANN, the Internet Corporation for Assigned Names and Numbers, is beginning a crackdown on invalid data in the WHOIS database. In ICANN's annual report, they found that nearly 5000 of the 24148 complaints were due to inaccurate WHOIS information. Some of the domain names in question had the address information of known spammers in the database. Registrars, the companies you register your domains with, are under contractual obligations to ensure this information is correct and accurate. Do you believe this is a step in the right direction? Why?"

31 of 358 comments

  1. It's a rule, play by it. by LostCluster · · Score: 4, Interesting

    Just because a rule has gone unenforced for years doesn't make it an invalid rule. I think the Internet would become a much better place if everybody with bad WHOIS information lost their domains until they corrected it.

    1. Re:It's a rule, play by it. by Troed · · Score: 2, Interesting

      ... it would be a lot more useful if they cracked down on domain-owners not having valid postmaster@ and webmaster@-accounts.

    2. Re:It's a rule, play by it. by nomadic · · Score: 2, Interesting

      I disagree. Let's say I have my own little domain for my homepage. I don't really want everyone on the planet able to access my personal phone number and address.

  2. Lots of useless data in there by Space+cowboy · · Score: 4, Interesting


    I looked at using the whois db for my IP to city project, but rejected it because (a) it's forbidden [which was the most important reason, honest :-)], and (b) the correlation between locations I did know and what was in the whois DB was pretty poor.

    So I just depend on good folks like yourselves to fill in the data. I think that gets around the various patents that Quova etc. have got on populating a city/ip database as well :-)

    Frankly I'd give it about 50% accuracy, and I'm approaching that without using it at all...

    Simon

    --
    Physicists get Hadrons!
  3. Ironic by shirai · · Score: 5, Interesting

    I remember I got this email from NetworkSolutions promising to hide your contact information so I looked it up in my email archive. It costs an extra 5 bucks and promises to protect you from spammers and telemarketers.

    Something about this is ironic.

    Someone needs to speak to NetSol about the ICANN report. :)

    -----
    Protect Your Privacy
    from Spammers and Telemarketers

    When you register a domain name, your address, e-mail, and phone number are published in the public WHOIS database. ICANN requires this personal information to be available for anybody to view on the web. With Private Registration you can deter spammers, telemarketers, identity thieves, harassers, stalkers and others who access this database.

    Private Registration provides you with alternate contact information for your domain name registrations. The contact information you want to keep private is kept out of the public WHOIS database.

    For a limited time you can add Private Registration to each of your existing domain name registrations for the introductory price of just $5 a year. Terms and conditions are included in our Service Agreement.

    To add Private Registration
    1) Log into your Network Solutions Account
    2) From the Account Details page, click on one of your domain names
    3) In Domain Details, click "Make this a private registration"
    4) Check the domain name registration(s) you want to make private and click continue

    Introductory Offer Only $5 a year

    --
    Sunny

    Be my Friend

  4. We can do it. We have the technology. by LostCluster · · Score: 3, Interesting

    The US Postal Service, along with most of its counterpart postal authorities around the world, sells a master database of all "deliverable" addresses to vendors so that they can create services that will easily detect incorrect addresses such as streets that don't exist in the given town, or a number that doesn't exist on a real street. In short, if you have this software, you can reliably predict if the postal service would bounce a piece of mail as an invalid address and know why.

    It'd be interesting to see what would result if WHOIS is washed against such a list...

  5. I love my hosting dudes by Nicholas+Evans · · Score: 3, Interesting

    The guys I bought hosting from also registered the domain for me, and put in their info for the whois. This way I don't get any lamers using it to spam me.

  6. ramblings... by koody · · Score: 4, Interesting

    I can see why the authorities would want (need?) to have information about who owns a domain, the whois database as it currently exists is a simple and fast way for spammers to get email addresses.

    Some whois databases already put the e-mail address in an image so that spiders can't harvest them, most do not. This means that a first timer will quickly find his/her e-mail address useless because of the sheer amount of spam the address gets.

    Then there is the question of privacy and personal safety. Let's say I believe that some cult exists only for the sole purpose of ripping people off, and I put up a web site warning other people and telling them of my personal experiences. The cult members that feel outraged by my blasphemy might look up who I am by the database, and I would be risking life and limb by putting opinions on the web.

    Now someone is bound to ask "Hey, what about kiddy pr0n". Well, that's why I think the authorities should have access to that information, just as they have some other rights not bestowed upon us regular joes.

    The next argument will then prolly be
    Those who would sacrifice a little freedom for temporal safety deserve neither to be safe or free.
    - Benjamin Franklin

    I think this is hypocrisy and not even quite realistic. It's easy to quote famous people from behind a keyboard, but I just wonder how many of the slashdot crowd would actually put the money where their mouth is. After all, living together is but a series of compromises. No one can live their lives as they wish. Chance and other people will prevent this.
    And as someone said

    No man is an island,
    Entire of itself.
    Each is a piece of the continent,
    A part of the main.

    But I digress...

    1. Re:ramblings... by Nutt · · Score: 2, Interesting

      The key word in Ben Franklin's quote was temporal. If we could give up a little freedom for permanent safety I doubt he would disagree. However, giving up freedoms that, in the long run, won't make us any safer is just foolish.

      I don't think that this scenario can be aptly described by Ben's quote. This is a decision that may increase people's freedom to not be harassed by spammers. Granted, there will need to be policies to keep personal information intact. Perhaps they should make all information that can place a person at physical risk (address, phone number, etc) only accessible to police and other law enforcement and provide non-risky methods of contact via email or instant messaging. They could even run as an intermediary where people write to the registrar and the registrar forwards the information to the domain holder thereby ensuring that no personal information is passed around. Heck, now that I write that, I think it's a great idea.

    2. Re:ramblings... by Fastolfe · · Score: 2, Interesting

      This isn't about making ownership and contact information available to "the authorities". It's about being a good Internet entity and making yourself reachable when problems on your network arise. These could be connectivity problems, configuration problems (maybe your mail server is rejecting all mail) or abuse problems, where a DDoS drone on your network is causing problems elsewhere.

      The rest of us hurt when your DNS domain information is bad. It's not about turning the domain owner in for kiddie porn found on his Interweb site, it's about being responsible. If you want to register a second-level .com, you need to provide contact information like every other .com. That doesn't have to be you, but it has to be someone that can take ownership of the problem (and call you privately if necessary).

  7. Wrong. by morelife · · Score: 2, Interesting

    The registrar should be required to verify, not only at purchase time, but on a regular basis, the billing address for the domain registrant. The whois information should not be required to be public - since it contains addresses, phone numbers and email addresses. Yes, you could get this information somehow if you looked - but this information should not be made public in the context of a simple directory listing.

    Above all it's stupid. Anyone putting correct information in there is not breaking the law anyway.

  8. Re:This policy sucks. by Cipster · · Score: 2, Interesting

    Also what if I hosted a website that said unpopular things about the Government or the Church of Scientology etc. Do I really want to be able to be harassed/tracked down?

  9. A WHOIS horror story by madopal · · Score: 4, Interesting

    I've had my domain since about 1997. At some point during the 'Net boom, some idiot company harvested a BUNCH of WHOIS info. At the time I had the correct information in there (INCLUDING phone number).

    Well...I got on every telemarketing phone call list imaginable...AS A BUSINESS. You think it's hard stopping residential telemarketing? Wait until you start getting phone calls at your house asking you to buy Pitney Bowes postage equipment, insurance for your employees, etc, etc.

    It was a NIGHTMARE. All I could do was ask the individuals to a) place me on their do not call list, and b) ask where they bought my information from (information that, not a SINGLE COMPANY was able to provide).

    So, since then, I've used a P.O. Box for mail, and I FLAT REFUSE to give a phone number.

    I'll start providing valid information when I know that it isn't going to be harvested by any slimy company out there.

  10. Re:Good for spammers by merdark · · Score: 3, Interesting

    I couldn't give two flying fucks about your "privacy" issues. If you're so paranoid you won't put your info into the WHOIS, then just DON'T BUY A DOMAIN NAME.

    Well, I don't give two flying fucks about your "valid WHOIS" issues. I have a private site. It's not for you, it's not for others, it's for me. It receives MY mail, and provides services to select friends. That's all it does.

    I should not need to give out all my contact information to the world just so I can locate my damn server on the internet easily.

  11. Email in WHOIS by transient · · Score: 3, Interesting
    It's important to have a valid email address in WHOIS that goes to a real person. As someone mentioned above, the Internet is cooperative and it's hard to cooperate when you can't communicate. But it's also important to keep spammers from finding your email address.

    Here's a suggestion. I've only been doing this for about a week but it's been effective so far. In WHOIS, list your email address as dns-admin@yourdomain.blah. Configure your mail server to accept email to this address but then send a bounce with "5.1.1 User has moved; please try dnsadmin@yourdomain.blah" message (note the lack of hyphen). Configure dnsadmin@yourdomain.blah to go to your real mailbox.

    This works because no spammer ever uses their real email address, so they'll think their message was accepted and they'll never see the bounce. Meanwhile, a real human being who actually needs to communicate with you will get the bounce with your real address.

    As for physical contact information, the best I've come up with so far is a PO box. But that costs money.

    --

    irb(main):001:0>
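
The decoy-address scheme from the comment above, sketched as an added example (not the commenter's code and not any mail server's own configuration). The domain, the mailbox names and both function names are assumptions made for illustration; the null-sender check is an addition that follows SMTP's rule that a bounce is never answered with another bounce.

```python
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# All names below are assumptions for this sketch (the comment uses yourdomain.blah).
DOMAIN = "yourdomain.example"
DECOY = f"dns-admin@{DOMAIN}"      # address published in WHOIS
ALIAS = f"dnsadmin@{DOMAIN}"       # unlisted address, revealed only in the bounce
REAL_MAILBOX = f"owner@{DOMAIN}"   # hypothetical real mailbox
HINT = f"5.1.1 User has moved; please try {ALIAS}"


def build_bounce(envelope_from):
    """Build an RFC 3464 delivery status notification that points at ALIAS."""
    # Part 1: human-readable explanation carrying the hint from the comment.
    human = MIMEText(f"Your message to {DECOY} could not be delivered.\n{HINT}\n")

    # Part 2: machine-readable status, one per-message and one per-recipient block.
    per_message = Message()
    per_message["Reporting-MTA"] = f"dns; mail.{DOMAIN}"
    per_recipient = Message()
    per_recipient["Final-Recipient"] = f"rfc822; {DECOY}"
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.1.1"
    per_recipient["Diagnostic-Code"] = f"smtp; 550 {HINT}"
    status = MIMEBase("message", "delivery-status")
    status.set_payload([per_message, per_recipient])

    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = f"MAILER-DAEMON@{DOMAIN}"
    dsn["To"] = envelope_from
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn["Auto-Submitted"] = "auto-replied"   # marks the message as automatic
    dsn.attach(human)
    dsn.attach(status)
    return dsn


def handle_message(rcpt_to, mail_from):
    """Decide what to do with one already-accepted message.

    Returns ("deliver", mailbox), ("bounce", dsn), ("discard", None)
    or ("reject", smtp_reply).
    """
    rcpt = rcpt_to.strip("<> ").lower()
    sender = mail_from.strip("<> ")
    if rcpt == ALIAS:
        # Only people who read the bounce know this address.
        return ("deliver", REAL_MAILBOX)
    if rcpt == DECOY:
        if not sender:
            # Null reverse-path (MAIL FROM:<>) means this is itself a bounce.
            return ("discard", None)
        return ("bounce", build_bounce(sender))
    return ("reject", "550 5.1.1 unknown user")


if __name__ == "__main__":
    # Constructed sample: a human writes to the address found in WHOIS.
    action, dsn = handle_message(DECOY, "<alice@example.org>")
    print(action)
    print(dsn.as_string())
```

The bounce goes to whatever envelope sender the message claimed, so when that address is forged its real owner receives the notification.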
  12. Spammers and other questions... by John+Seminal · · Score: 3, Interesting
    Why would a spammer need to register a website to send out their spam? How is this going to help eliminate spam? The reason I want a valid WHOIS database is so I can find contact information if there is a problem.

    Second question. Why not have some small fee in order to access the WHOIS database. Make it a dollar charge, that has to be charged to a credit card with correct contact information (for example, they fax you the data). If someone abuses the database, then they get cut off.

    Third question, and the most important. How the hell can we make a better system where the 98% of us who do not abuse resources do not get screwed by a few bad apples who will do anything for a buck. Do we make it a charge, so there can not be an easy profit? Do we have a system where a few trusted people are allowed to forward requests, and block those they know are from the bad apples? How do we identify the bad apples?

    This all pisses me off. I hate it how one person can force the rest of us to NEED locks for doors. It would be better if they did not exist.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  13. Screw ICANN by Anonymous Coward · · Score: 2, Interesting

    There is no reason why this information needs to be publicly available. The correct information could be stored privately with ICANN and available through the proper channels (For example: a warrant).

    The one time I used all of my correct information I ended up getting a) prank phone calls, b) calls from people who disagreed with some of the site's messages (think free choice vs. life, not PORN :P).

    The people who are too lazy to call end up mailing you. Sure you can setup an account that just collects all of the email and then dumps it, but what about that 1 legitimate email every year or so?

    I was constantly emailed by other domain firms to con me out of more money through false renewal claims (Your domain is about to expire: NetSol).

    If ICANN were really serious about your information being correct it would have done something years ago. These half-ass attempts to enforce a questionable policy don't convince me that they really care.

    I've tried being nice and having all of my information public. Now I'm happy to live on 123 Freedom Lane, Chimichanga New Mexico. :)

  14. Never again. by Anonymous Coward · · Score: 3, Interesting

    I've owned my domain since the late 90's, and for the first couple years I had legit info in the .whois dbase.

    I used to write a lot about moronic white supremacist groups around the country.

    One day I saw my home phone and address being passed around on skinhead message boards, and the real-life threats began.

    I'll never provide legit info again, ever. I'd rather lose my domain than have someone come to my door and threaten to kill my "nigger loving" family, again.

  15. How can they prove it? by boobsea · · Score: 2, Interesting

    I, for one, refuse to let my personal information become public.

    What if I were the operator of a website that contained opinions that were very controversial? One example I can think of is the abortion debate. There are extremists on both sides who will spend every waking moment trying to ruin the lives of people on the other side of the debate.

    Do I want to invite people to my house to vandalize my property or burglarize me if I can help it? Certainly not.

    I have always used fake information, except for my phone and email contact (I figure that it's pretty immune to what I'm worried about, I can filter spam, etc) which I leave in case my registrar accidentally forgets who my domain belongs to.

    How do they know I do not live at this address? Are they going to send someone out? What if it's just a drop box for mail?

  16. Why require accurate contact info? by Bob9113 · · Score: 2, Interesting

    Do you believe this is a step in the right direction? Why?

    Just firing from the hip here, but corporations and real estate have to have accurate contact information too. I'm guessing this has to do with preventing squatting, and with resolving legal issues which involve the owner of the property in question. Both of these issues have corollaries in domain name space.

  17. Re:Good for spammers by cscx · · Score: 2, Interesting

    WRONG. If you have a "private site" all you are entitled to is giving out your IP address.

    It's not for you, it's not for others, it's for me.

    That's too bad because the DNS is a PUBLIC database. The Internet is PUBLIC. You don't make the rules; ICANN does. If you don't like it -- tell your friends to set up their own DNS servers with pointers to your IP.

    I should not need to give out all my contact information to the world just so I can locate my damn server on the internet easily.

    Again, that's your opinion, but you don't make the rules, bud. If you want to "locate your damn server on the Internet easily" then why don't you try writing your IP down and keeping it in your wallet. Otherwise, stop whining, and play by the rules.

    Do you also think you shouldn't have to register your car, or get emissions testing, because you're better or your privacy is more important than anyone else?

    Do you fill out your Tax Return as "John Doe, 123 Fake St., Anytown USA 12345?"

  18. It's a crappy rule; change it. by wurp · · Score: 4, Interesting

    Three years ago some jackass from /. thought it would be funny to call up my home phone and leave a nasty drunken message because I disagree with him about the current SUV craze. The reason he was able to do this was because (stupid me) I kept accurate whois information for my domain names. Had I pissed him off enough, there was nothing keeping him from coming to my home.

    Requiring public, accurate whois information is idiotic. I think a requirement for accurate information held in confidence by ICANN is a good idea (to be available to the police with a warrant). Before you run out there cheering for accurate public information, think about how you would feel if every email and every web posting you made had your home phone & address on it. If everyone were sane and reasonable, it would be good. Since everyone's not, and someone can anonymously e.g. burn your house down, it's bad.

    Spammers are just going to get phones with junk info and PO boxes. This can only hurt, not help.

    I'm surprised to see the responses I'm seeing on a site where most people ostensibly argue for free speech and anonymity.

  19. Even government abuses WHOIS by Anonymous Coward · · Score: 1, Interesting

    A few years ago California set up a website regarding a gun confiscation program (taking registered guns from lawful owners). I discovered that the WHOIS information revealed the website was owned/operated by someone in Beijing, China and hosted in Australia - facts severely inappropriate for the purpose of the website & gov't program. When this information was made public, the WHOIS data quickly changed several times, apparently to cover up a political problem. Would have been nice to demand the coverup info be restored to the correct original & politically revealing WHOIS data.

  20. Will this limit freedom of expression? by thesaur · · Score: 4, Interesting

    The proposal to force all domains to use valid WHOIS data would be a boon to law-enforcement efforts. But that leads to another potential concern.

    In the US, it's not a problem to express yourself. You can say whatever you like about the government and get away with it. OK, not quite anything. In other countries, however, including western countries like Germany and France, freedom of expression is nonexistent -- you may only say what the government allows you to say. In the two countries I've mentioned, it's not much of a problem, because they've basically only banned racist expressions. But there are more than enough other countries (China, anyone?) that actively work to suppress their citizens from expressing themselves freely. For dissidents in such countries, false WHOIS data may be necessary for freedom of expression. Is ICANN trying to help such governments crack down on their citizens?

    If ICANN wishes to enforce this rule, I agree with the procedure outlined in the parent post, but disagree that spammers' domains should be treated separately.

    The problem is, how do you recognize a spammer's domain? If you simply look at the "to" address, it will result in a lot of legitimate sites getting spammed, because a real spammer will fake the from address. If you look at the originating sender, I've had enough (virus) spam that apparently originated at my mail server. The header information was modified -- the IP did not belong to my mail server. But you can't backtrace to find the domain if the IP is in a dynamically allocated range. Once again, 1:0 for the spammers.

    The few honest souls who are dumb enough to use valid information will get caught anyway. Now if we are talking about domains that are linked in spam, that's a little easier to deal with, but there is still a large potential for abuse. So a spammer doesn't like a site. Voila, take them down. In fact, anyone could effectively disrupt any website they like.

    Of course, spammers should be prosecuted, provided they are within the jurisdiction of a state that cares (e.g., the US). But intelligent spammers work offshore anyway, which puts them beyond the reach of any western regulatory body except ICANN. We can go after their domains, but there's no easy solution to determine which domains are pure spam.

  21. Re:ICANN't by Fastolfe · · Score: 2, Interesting

    What happens when a host or a user on your network starts spewing forth harmful data (say, a DDoS attack)?

    If it takes me a week to wind my way through the legal system because you chose to make it difficult for me to contact you, you can bet that I'm holding you partially responsible for the damages that extra week caused.

    WHOIS contact information isn't about documenting your name and address for Big Brother, it's about being a responsible Internet organization. No one is twisting your arm and saying you have to have an Interweb presence with a .com DNS domain, but if you feel that it's necessary to have a presence that high in the DNS tree, someone needs to be reachable in the event you have a problem. The only one higher in the DNS hierarchy is the "com" domain, and I doubt ICANN or a gTLD registrar is going to take my calls about one of your users.

    If nothing else, at least use the contact information of an agent (lawyer) or a proxy service (like Domains By Proxy), so that at least we have some path to get ahold of you if we need to.

  22. I don't feel like publishing my personal data by drwho · · Score: 4, Interesting

    I own my domains, not some company. I am not going to publish my phone number, and get more junk calls like the postal spam I get due to the fact I used my legitimate address (at the time) for registering my domain(s) years ago.

    What's next, publishing my SSN and birthday in whois data?

    I know some other countries (France, for example) are very strict and will only issue domains to a company with a tax ID and right to the name. Well, go right ahead France, but I think the generic domains (com/net/org) should remain open to all without prying eyes.

    If we wanted such open access to domain owner data, how about a .inc TLD, with data linked to corporate registration number and state and country of inc.? and leave the rest of us alone!

  23. Re:Forget the spammers... it's the stalkers! by Anonymous Coward · · Score: 1, Interesting

    A-FUCKING-MEN! My domain points at my old address for exactly this reason. My registrar can contact me via e-mail if they need to. That goes for everyone else too. When you start getting stalkers calling your house at 3 in the morning saying they're going to kill you (and you have reason to suspect they have the resources to get a passport and a plane ticket to do so), you don't fuck around. That's also why I keep a loaded gun on the premises over my fiance's objections. And don't give me that shit about contacting the cops. The local police were too clueless, even though I did the investigation for them (providing chat logs, recordings on the answering machine, whatnot), and the feds didn't give a damn (went as far as to say that it wasn't illegal to make death threats over the phone). Phone couldn't (wouldn't) block the calls so I had to change the number. Bullshit if you ask me. Thank you, for opening my eyes to the world.

  24. Re:Forget the spammers... it's the stalkers! by Anonymous Coward · · Score: 4, Interesting

    I recently used the network solutions "private listing" feature. For $5/year they put their address/phone number and a constantly changing email address in the WHOIS DB. They answer calls, forward certified mail, and forward email to my private contact info. I maintain full control of the registration.

  25. Re:Forget the spammers... it's the stalkers! by silas_moeckel · · Score: 2, Interesting

    I think the point was domains were supposed to be for businesses and organizations ie places that have headquarters. The only real thing I could see was allowing one contact to be minimal name and email but requiring one valid and complete technical contact. But if you didn't like the rules when you signed up you should have not acquired a domain. It would be nice if every incomplete entry was purged for noncompliance.

    --
    No sir I dont like it.
  26. It's about time. by heybo · · Score: 2, Interesting

    Personally I am so glad to hear this. About 100 or so of those complaints came from our company. The biggest tool spammers use to cover their tracks is bad whois info. How can you serve papers on someone if you don't have an address? Even the wimpy CanSpam law can't be enforced without an address. Without one it's not worth the disk space it takes up.

    This information is also needed for admin work between networks. This information is used by Systems Admins to contact each other when things get weird between networks not just for catching spammers. It's a great time saver when a sick server on a network is hitting ours to be able to type "whois" and find an email address and a phone number for the person you need to talk with to fix the problem. These are helpful calls between networks to keep it all working. It's not so much contacting the owner as much as contacting the SysAdmin.

    I do see the problem with personal sites and whois info that contains personal information. What we do for the sites we host that aren't corporate sites is we carry the Technical Zone Contact Address and phone number as the address and phone number for the site. This way the site can be contacted and the owners can be indirectly contacted without their home addresses or phone numbers exposed to the strange. This way if some weirdo calls they get to talk to us. Most hosting companies will do this. If they don't move your site to one that does.

    You can't complain about having to have updated information on your whois. You agreed to it when you bought your domain. It was in the EULA.

    Besides how can you enjoy the smell of burning mail servers if you don't know where to build the fire?

    Not that I would ever do anything like that ;)
  27. Require nonexistent information? by Anonymous Coward · · Score: 1, Interesting

    I used to have a domain regged with NSI, mainly thru inertia - I had registered it back before the competitive registration stuff.. (In fact, before you had to pay - GASP!)

    Originally I had a phone in my name, and I had it listed. Eventually, I moved, and I did not obtain a phone. I currently have no phone number to provide. I eventually changed the old obsolete phone number, and put 000-0000 in its place.

    Then one day (back when the whole 'valid whois thing started') NSI sent me an email telling me I better get my correct info listed or they were gonna turn me off.

    The cycle went more or less as follows:

    "You must list your phone number"

    "I don't *HAVE* a phone number"

    "You must provide correct contact info"

    "Ok, the correct info is 'I don't *have* a phone number', how do I list that, correctly?"

    "I'm sorry, you must list your phone number"

    (ad nauseam)

    After about half a dozen rounds of that, I moved the registration elsewhere and haven't had a problem since. It still has 000-0000 listed. My name, email address, and mailing address are all properly and correctly listed.
    (The mail address is a PO box I maintain anyway so as to keep my mail separate from where I physically live, mainly because it's a rural area and the local punks like to play mailbox baseball. $20/yr for a small box is a cheap price to pay to know my mail is safe and secure behind a little locked door, in a building that's kept *very* secure)

    I'm curious what anyone else might have to say about that. Is having a phone number a prerequisite for registering a domain name? If not, then how should someone who does not have a phone indicate that, so that the record *is* in fact accurate? I feel that making up a real-appearing, but false, phone number would be more inaccurate and wrong than listing something which makes it obvious it isn't a valid number.