Slashdot Mirror
Many Domains Registered With False Data
bakotaco writes "According to research carried out by the US Government Accountability Office (GAO) many domain owners are hiding their true identity. The findings could mean that many websites are fronts for spammers, phishing gangs and other net criminals. The report also found that measures to improve information about domain owners were not proving effective." From the article: "The GAO took 300 random domain names from each of the .com, .org and .net registries and looked up the centrally held information about their owners. Any user can look up this data via one of the many whois sites on the net. The report found that owner data for 5.14% of the domains it looked at was clearly fake as it used phone numbers such as (999) 999-9999; listed nonsense addresses such as 'asdasdasd' or used invalid zip codes such as 'XXXXX'. In a further 3.65% of domain owner records data was missing or incomplete in one or more fields."
I work at an ISP. We've had customers in the past whose domain names expired because they didn't update their address and phone number with their registrar, the person whose email address was on the record left the company, and they didn't get the renewal notice.
It doesn't happen as often now as it used to. Either businesses are getting better at remembering that their domain names need to be updated along with everything else, or the registrars are better at finding other ways to notify them of renewals.
But I ran into one case (with Network Solutions, IIRC -- it was a few years ago) where I personally updated the contact information associated with a role account and discovered, a year or two later, that the registrar had somehow resurrected the old, deleted contact info.
Including the spammer who was trying to forge email from my domain a few years ago. Registered his domain with a non-existent yahoomail account, amongst other false data. Backed off when I lit up the yahoo account and seized control of his domain.
God forbid that anyone would do that to simply protect their private information.
It has been found that a/s/l data is not always truthful.
It does not allways have to be with criminal intent.. can also be simply not wanting the assocaiated spam.
Maybe some people just want to be Anonymous Cowards.
Or that a great many domain owners see no reason to post their personal data up on the web where it is available to spammers, phishers or other net criminals. Not to mention random psychos who have some beef with the site's contents.
I have a domain, and I use false information. What to know why? Because when I had my email and real address on my domain name, I got junk mail to my house, and spam to my email address! Until they can hide the contact info from the general public, I will keep falsifying my public information.
Perhaps these domain owners are just concerned with their privacy. One of my domains is an absolute ghost town, with zero visitors besides me, and absolutely no chance of someone linking to it. However, I receive regular spam, simply because I provided an accurate email address that can be fetched by any number of WHOIS lookups on the Web. Next time, I'm putting up fake data.
body massage!
When you KNOW spammers "harvest" mailing addresses, telephone numbers and email addresses from WHOIS databases, would you give your information out if the registrar says they will share this information with anyone?
I will never use registrars who do not implement some form of anti-spam measures..
Just my $0.02...
Karma: Bad (but who really cares anyway?)
What about us regular folk who have a domain? I don't want the world knowing where I live, especially if I'm somebody who runs a blog with unpopular political views.
Check out my podcast: DreamStation.cc Video Game Show
I happen to be at the home of (999)999-9999 on asdasdasd street in XXXXX area code and I get so much junk mail/telemarketing calls you would not believe it.
300 sites times 5.14 % = 15.42 sites.
How is 0.42 of a domain clearly fake?
Maybe, just maybe, domain owners are sick of being spammed at their listed contact info. I know I am. It comes in all forms, too - email, snail-mail, telemarketers.
Pardon my English, but that sucks rocks.
Fortunately, some registrars offer privacy proxy services allowing you to list the registrar as the contact in the whois info. Unfortunately, not all registrars offer this service.
It may also be the case that people using obviously fake whois info do so for the legitimate purpose of free speech to avoid repressive governments or private institutions. The implication that all anonymous speech is fraudulent is unwarranted.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
If I were a smart spammer I would register it in someone elses name. Someone hillbilly who lives in the middle of nowhere. Maybe in the mountains. Odds fo getting caught, low. Looks real good to registrar, sure. Those won't show up in this search.
Evolution or ID?
"The findings could mean that many websites are fronts for spammers, phishing gangs and other net criminals."
or they could mean that many people - who dont run comercial businesses - do not want all of their personal contact information available to anyone on the internet. Just because you have a domain does not mean that you want everyone around the world to have your personal address and phone number.
You'd be a fool to put that much info in the public domain.
I'll just use my special getting high powers one more time...
If noone is enforcing these domain registration rules, then apparently you are allowed to put in anything you like. I guess that will be changing soon.
Also, why does everyone need to know that information? Is there a privacy concern here?
He who knows best knows how little he knows. - Thomas Jefferson
I use a WHOIS guard service for all my domains, for a fee the company I registered my domains at lists their email/phone/address instead of mine, and forwards whatever they receive to me.
This way my domains have valid info but at the same time not everyone out there can get my address or phone number.
The IT section color scheme sucks.
I have been threatened and harassed from people who do a "whois" on my web site address and then come find me. When you've got a family and children you become a little touchy about that kind of stuff. Not that finding me is really that difficult but I see no reason to make it any easier. So my domain registration info is garbage.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Personally I would rather let the terrorists (cyber or otherwise) win than give up my privacy. Domain owners are justified in wanting anonymity.
"many domain owners are hiding their true identity [and could be] fronts for spammers, phishing gangs and other net criminals."
I hide my mailing address and use a rarely-checked email address to reduce the SPAM and physical junk mail I have to deal with. The scammers/SPAMmers don't want me to know who they are...I want to limit the information they have about me. Go figure.
Why is the GAO - Government Accountability Office, scanning the Internet for invalid phone numbers on domain names? Did they get too much money one year? We'll need a GAO Accountability Office to find out...
I frequently use fake contact information for domains that are for personal use. If I don't wish my name, address, and phone number to be publicly available why should I have to? The registrar knows who I am (I had to pay with a valid credit card), so it's not like Uncle Sam couldn't get the info on me if they need it, I just don't see the reason to put it out in the world and encourage unwanted solicitors and/or spam.
"The crows seemed to be calling his name, thought Caw."
Comment removed based on user account deletion
This is why the GAO is doing what it's doing. This has no (0) benefits for consumers.
sulli
RTFJ.
I'm still waiting for my extradition notices.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Instead of using your name, they put their company info in the whois of your domain. Some registrars provide the service for free, while others charge (mine charges 2.99$ per year).
Dvorak on Doomtech
Admittedly, I'm one of these people that owns domains with false info. When I registerred my first domain, I wrote down 'Supreme Commander of the Universe' as my name. Before long, I started recieving mail addressed to 'Mr. Supreme Commander of th'. Not sure I wanna put my real address down.
"Derp de derp."
I agree completely with not having the information publicly available.
My site has photos of lots of quite expensive art that I own. I am not particularly happy that anyone who sees it can simply look up my name and address and find out where I live.
There needs to be something better.
Biggus Dickus?
If brevity is the soul of wit, then how does one explain Twitter?
Perhaps a lot of those names with bogus contact info are being used in the domain parking business - that's where people register thousands of names and monitor the traffic for a couple of days to deside which ones are getting hits and which are not. The good ones might then be paid-for and updated with better contact info while the poor ones are released without payment.
But there is a bigger issue: Why should those of use who buy domain names be forced to reveal our contact information to the world?
The reason is that the intellectual property industry, which dominates ICANN, forced this down our throats.
It is an ICANN rule that is in violation of the privacy laws of many countries.
Some lazy law enforcement types claim that they need an open "whois" to enforce the law. That is not true. Law enforcement types have tools (subpoenas) to open closed databases, and, moreover, allowing access to law enforcment does not require that the public be granted the same access 24x7x365.
There is a claim that "whois" data for DNS has operational value, yes it has some, but it is of much lower value operationally than the value of the whois data for IP addresses, a separate and disinct database.
The other week I met an attorney for a large company (very large) who routinly registers domain names anonymously - so as to avoid giving notice of the company's actions. Yet at the same time he watches new registrations and has a tool that automatically sends out cease and desist letters to names that offend his regular expression. Fair? Not really. An exercise in economic bullying? Yes.
I have a number of domain names registered. I have received a total of 3 pieces of junk mail in the 5 years I've held the domains. Oddly one for for a corprate credit card. I have a separate email acount for the domains and it gets almost no spam.
I feel the benifits of having someone contact me due to forgoten registration/ problems and other reasons outweigh the anonymous aproach.
Note that complete and accurate whois information is a prerequisite for maintaining a domain registration.
If you're in the U.S., register the domain(s) with a P.O. box for the address and a cellular phone number. I've been doing that for years, and have had exactly zero problems with people harassing me in any way. Of course, it means that you have to periodically go to the P.O. box to pick up any domain-related mail, but I already was having a fair bit of mail delivered to the box anyway.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
I actually had someone use the data from my domain registration to stalk me and my wife...
thank God i set the address to an old address where i used to live. How do i know that he used that data?
in his emails to us, he talked about how he was watching our apartment and described the old apartment i used to work at perfectly.
so - get fscked if you think i'll ever use my real personal data for my domains.
guns kill people like spoons make Rosie O'Donnell fat.
... a new study finds that 99% of anonymous FTP users give out 'foo@bar.org' as their email address.
You waited 30 seconds to post that?
You are all a bunch of idots.
A) why does my private information need to become public just because I register a domain? I most certainly should not be required to provide a home address and telephone number let alone my real name just because I like to have a domain.
B) why should the registrar or ISP get to make additional money on top of the already outrageous costs associated with registering a domain name just to protect my information that shouldn't be required anyway?
C) My domain information is fake. Fuck em.
Check out my sci-fi/humor trilogy at PatriotsBooks.
In my case, I take advantage of the registrar's confidentiality for my personal domain because I had started getting snail mail, email, and phone calls that resulted from the info presented in the domain registration record. I get enough of that crap without handing my info to those scum on a silver platter.
I was getting ready to rant and say well, of course individuals use fake information because, as the article already points out -- Any user can look up this data via one of the many whois sites on the net - and most users don't actually want to be looked-up.
I was getting ready to talk about the difference between 'personal use' domains, where the ability to contact the owner is almost immaterial to the correct operation of the personal use, and how the reverse is true for corporate domain users where you'd bloody well have valid dns, technical, and ABUSE contact information clearly laid out.
And then I did something I almost never do - I RTFA and whoaaaa, isn't this a bit outside of the GAO jurisdiction? To wit, from their own website (URL:http://www.gao.gov/about/what.html) Congress asks GAO to study the programs and expenditures of the federal government. GAO, commonly called the investigative arm of Congress or the congressional watchdog, is independent and nonpartisan. It studies how the federal government spends taxpayer dollars. GAO advises Congress and the heads of executive agencies (such as Environmental Protection Agency, EPA, Department of Defense, DOD, and Health and Human Services, HHS) about ways to make government more effective and responsive. GAO evaluates federal programs, audits federal expenditures, and issues legal opinions. When GAO reports its findings to Congress, it recommends actions. Its work leads to laws and acts that improve government operations, and save billions of dollars.
So, where is the direct federal impact, ability to make government more efficient (oh, unless you meant the Patriot Act enforcement agencies...), and study of taxpayer dollars related to GAO's research?
And what the heck is the GAO doing colluding with ICANN, other than to more tightly couple its operations with that of the US government?
PS: Why not look at .gov names? Oh wait, perhaps you cannot because (http://slashdot.org/article.pl?sid=02/09/21/12592 11&tid=95) "Verisign stopped providing access to information about the .gov internet domain, which is restricted to US government bodies, over concerns the data could be used in planning internet attacks."
Please define, in advance and universally, who the "people who legitimately need this information" are. If I get a phishing expedition message that uses a compromised website as a hiding place, how does a registrar differentiate between my wanting to contact that person to inform them of the compromise, and Bob The Spammer's desire to send that person spam? And, as a domain owner, which would weigh heaviest in your mind - preventing spam from Bob, or not finding out for days or weeks that your server has been used for criminal activities, and a prosecuter in Chicago now wants to speak with your attorney about negotiatiating your plea?
This is why the default is to publish the information. Using proxy registrations must have provisions for passing such notifications through to the responsible parties, or it violates the spirit and letter of the regulations that require responsible party contact information in the first place. I don't know many people who are going to provide such as service for free.
Perhaps a compromise would be that you could chose one public contact method... Some way that you can be reached for domain- or server-related notifications. And, of course, there is no requirement that what you publish be your "personal contact info", because it is simple to set up an email address for a specific purpose.
I've gotten tons of junkmail. From registrar of america alone I probably get 1 piece of mail per domain per month trying to con me into switching.
I did find a solution I used temporarily that put a stop to all the junkmail.
In your Address Line 2 use: "THIS MAIL PROBABLY CONTAINS ANTHRAX"
I stopped doing that after a while because I wasn't sure if that was legal but it was effective either way.
I find it more likely that these are people trying to AVOID the spammers (both internet, and other) that strip e-mail address, phone numbers, addresses, etc from whois and send them all kinds of crap.
- AMW
That said, there should be strict laws against knowingly sending unsolicited commercial email of any sort using a private domain, and the first violation should result not only in jail time, but also in a ten year ban on the individual and/or company being allowed to register ANY domain name.
And which country would pass (and enforce) these laws?
The large majority of the spam I receive isn't from my country... and, I really don't give a rat's ass about another country's laws.
I suspect people in other countries feel the same about laws made by my country.
--Phillip
Can you say BIRTH TAX
I heard a rumor that someone is inventing a data processing machine that will analyze information. I think they are nicknaming it 'computer'.
"Your having a bad day when the voices in your head put you on hold"
I agree that the ISP should have correct contact information on file. It makes good business sense as long as they don't abuse it. I just don't think it needs to be published in the whois directory. Buying a private domain listing is exactly like buying an unlisted landline from the phone company. People have been using the names of their pets for decades to avoid paying the fee to be unlisted.
If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
What I can't figure out is how they looked at 900 domains total and found that 46.26 of them had bad information.
If you are not allowed to question your government then the government has answered your question.
Yes, I mean to emphasize "ME" because I'm one of the millions of domain owners that uses fake information to keep from being spammed to death (electronically or physically) on either my role email account or mailing address. Yes, I'm well briefed in the ways of various registrars privacy options. I even utilize GoDaddy's on a couple of my domains. Why would I want to pay another $10/yr for privacy options? It's just not worth it. I'd rather let people contact me through my websites where I can prevent the use of spiders than freely hand out my details via WHOIS.
Simple, when it's a personal domain, the tech contact and domain owner are, oddly enough, the same person.
At present, I have the choice, fill in bogus information, or provide my personal information (which I do).
Small/personal site owners don't necessarily want their private info out. And the amount of crap spam I get which is clearly trolled from my whois record is annoying.
Lost at C:>. Found at C.
If they aren't on the east coast how do you explain the navy episode where a boat sailed from Springfield harbor to NYC in a very short time?