NordVPN Promotion

Home / Blogs

The Sad State of WHOIS, and Why Criminals Love It

I’m not even sure how to begin this post, but let me tell you—my head explodes when I try to contact WHOIS “contacts” about criminal activity—FAIL.

I think ICANN wants to do the right thing here, and has stated on multiple occasions that inaccurate WHOIS data is reason for registrar termination. That’s a Good Thing.

I’m assuming that the various RIRs also have a similar policy, but admittedly, I’m not sure (and it’s late and I don’t feel like looking up each of the RIR policies on it) and experience has proven to me that criminals don’t adhere to registrar/RIR policies—they don’t care, and we seem to pretty much let them get away with it.

Are we just stupid, and they are smart?

No, we are stupid.

No one in the policy-making bodies has seemed to have discovered this fact yet, and continue to allow criminals free reign.

This has got to stop.

I wrote a blog article earlier this evening for my company’s blog, singling out Turkey.

Having said that, I didn’t necessarily want to single out Turkey, but it just so happens that I spent an unacceptable amount of time trying to find ‘someone who cares’ in Turkey to mitigate some Eastern European criminal activity that we have observed.

Now, this is not a unique experience, but it is exemplary of the issues that we face—we cannot get the attention of the rsonsile parties to mitigate criminal activity.

How do we fix this?

Seriously. How do we fix this?

I find this very, very disturbing—and the criminals find comfort.

We have to change this. Immediately.

But first, we have to find people who actually give a damn, and that is proving harder and harder.

Shame.

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Fergie, Director of Threat Intelligence

Filed Under

Comments

Bravo! Garth Bruen  –  May 13, 2010 2:02 PM

Bravo!

Verified WHOIS is the solution George Kirikos  –  May 13, 2010 3:19 PM

Verified WHOIS is the solution. I’ve been advocating this for years, e.g. see most recently our comments in relation to the WHOIS accuracy study. It’s a proactive solution, inexpensive to implement, maintains a level-playing field amongst registrars, and eliminates abuse before it even starts. In other words, it reduces overall crime ex-ante, rather than trying to add “more police” or “harsher penalties” ex-post.

Go read the policy-making body workgroups and archives, and it comes up again and again, yet ICANN ignores the obvious solution.

Whois does not matter jeroen  –  May 14, 2010 9:39 AM

It does not matter. For WHOIS there should simply be two option:
1) I am providing proper details as I want to be contacted
2) I don’t want to be contacted

This, as setting up fake companies in various countries around the world where the legal system is hard to catch you, as they are in your pocket anyway, is way too easy.

As such, requiring verified whois is not going to help anyway. It will never be accurate, especially for the folks who do not want to be found.

NOT optional Garth Bruen  –  May 14, 2010 1:27 PM

The original intent of WHOIS is to provide contact information for domains, it's not optional.

Original intent meets current reality The Famous Brett Watson  –  May 14, 2010 3:32 PM

That was indeed the original intent. It was also the original intent of the domain name system that it be deep, rather than broad. That hasn't happened either. It was not anticipated that every man and his dog would have his own domain name. It was not anticipated that criminals and other bad faith actors would be significant players. The original intent behind a number of historical decisions has not meshed well with the reality of how the system is applied in practice. You claim "original intent" as though it were the very Word of God. It isn't. It was a policy constructed with an expectation that it would be useful given the anticipated uses of the system. When Jeroen says that there should be two options, he is suggesting a new policy based on observation of how the system has actually been used in practice. This may seem radical -- heretical, even -- but we are allowed to consider new policies based on our experiences. To do so is not blasphemy against Jon Postel.

Even accurate whois is useless .. Suresh Ramasubramanian  –  May 15, 2010 2:38 PM

If you dont read your abuse or whatever mailbox is listed in the whois record. There's other rubbish that's far wrong - and you do need registrars and registries to step up (there are several that are doing a great job). Going after them head down and horns hooking isnt the way though, Garth. Ferg understands - he's engaged constructively with registrars and knows not to tar them all with the same brush.

Back it up Suresh Garth Bruen  –  May 15, 2010 4:42 PM

and knows not to tar them all with the same brush.
You keep saying this but don't provide any proof that I'm doing such a thing. I'm not really sure what I've done to offend you so much, but your constant comments to me are so over the top, personal, and short on substance. I lay out clearly the issues I have with certain Registrars. There are around 500 unique domain registration companies, I've talked about 20 at most, the 20 causing the problems and profiting from the illicit traffic. We've got data backing all this up, data that has never been effectively disputed by you or the Registrars. In fact, it's been supported by HostExploit, MyNetWatchman, Spamhaus, StopBaware, and ICANN itself. As far as arguing why the Registrars are so sainted and infallible, Suresh, you have not provided a fragment supporting the concept. I contend it is YOU who paints me with a broad brush.

Speak for yourself Garth Bruen  –  May 15, 2010 4:34 PM

It was not anticipated that every man and his dog would have his own domain name. It was not anticipated that criminals and other bad faith actors would be significant players
Speak for yourself, I knew exactly what was going to happen. Policy without policy enforcement is useless policy. What we've had is a list of rules for Registrars and registrants to follow and no one enforcing them. ICANN is now playing catch-up and the crooks are deeply entrenched, now owning their own ISPs and accreditations. This is something I(and many others) predicted long ago. The de facto policy of Registrars policing themselves was a recipe for disaster and has been an abysmal failure.
You claim "original intent" as though it were the very Word of God.
I challenge you to show where I said anything close to that. It's the policy whether the bad players like it or not, and now that we're trying to enforce we're getting attacked. Big surprise.

Even if you would require that valid jeroen  –  May 16, 2010 1:50 PM

Even if you would require that valid information is present(*) and accurate, setting up a fake company with all the official paperwork is too easy. As such, the cost of verification is too high and impossible anyway. As such thus my proposal: let people to either say "I don't want any valid info to be shown" or "these are details which are valid so you can contact me, as I actually care about my network". * = is "DomainsByProxy" "valid"?

Validated/accurate Whois is an unfunded mandate without economic basis Ram Mohan  –  May 18, 2010 5:07 PM

Validation is very hard. Accuracy in Whois is an unfunded mandate. No one profits from the accuracy. Many profit from obfuscation.

The thin veneer of policy combined with an ineffective implementation mechanism gets overwhelmed by the substantial economics underlying this issue. Until that is resolved, I fear that the fundamentals are unlikely to change.

What does it take to build a validated whois? Alessandro Vesely  –  May 19, 2010 7:39 AM

Jeroen’s option 2 is necessary in a number of cases, and involves freedom of speech. In addition, routinely looking up whois data is impractical because of query limits that many servers impose. That’s why Abusix makes a DNS copy of (part) of that data. They don’t attempt validation, though. DNSWL maintains a whitelist. Both organizations work on data from IP whois databases, maintained by RIRs.

How can one distinguish a good, interoperable domain name? I would guess that a few automatic verifications, e.g. a minimum number of days since registration, some consistency checks w.r.t. DNS data, and cross-checking relevant IPs, would provide a good starting point. Shouldn’t that be done independently of ICANN?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

NordVPN Promotion