
Privacy Advocates Bemoan the Problems With WHOIS

An anonymous reader writes "The Globe and Mail is reporting that net privacy advocates are spurring ICANN into scrapping WHOIS. The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters, and compare the problems to those being experienced on a broader scale by email users. 'WHOIS, much like e-mail, is an age-old Internet relic that comes from a time when the Internet was almost considered a network of trustworthy users. E-mail has, quite clearly, some massive problems coping in the modern age, but it's still here. It stands to reason, then, that WHOIS won't be going anywhere any time soon. Just like e-mail, it's prone to abuse. But again, just like e-mail, it's too useful to axe.'"
  • Whois is useful? (Score:5, Insightful)

    by morgan_greywolf ( 835522 ) on Tuesday October 30, 2007 @10:32AM (#21171401) Homepage Journal
    For what? These days, everybody is registering private domains through people like DomainsByProxy. Whois is becoming more and more useless. Might as well chuck it.
    • by mwvdlee ( 775178 ) on Tuesday October 30, 2007 @10:37AM (#21171475) Homepage
      And what kind of method is DomainsByProxy using to check domain name availability?
      • Whatever, they can make a new "WHOIS" that doesn't give out your address, phone number, email address, and basically all your private contact information - on the internet. Before someone can get whois information, they should be questioned to make sure they have a legitimate claim - and then the questioner should forward that complaint/information to the site owner, and allow the site owner to decide whether to divulge their information to that person or not. Basically, it's what a lot of domain services a
        • I think giving out the owner name to anyone that asks is very important. Other than that I agree - the contact info should be private.

          Sites are already supposed to monitor a handful of well-known email addresses like abuse@ and whatever else. That should be enough.
          • There are two reasons you'd want the owner's name - you're trying to contact them because of content on their website / email, or you're trying to sue them because you think you should own their domain name due to trademark law. If you want to contact them, use the contact info on their website; if it's not valid, then the whois owner information probably isn't either.

            The trademark ownership issue has been a major driver since before ICANN - the IETF Ad-Hoc Committee that was trying to expand the number of

          • They are *supposed* to but few people do.
        • Having some kind of contact methods for the administrative, technical, and billing users is valuable, but there's no need for it to be a personal email address - especially for a domain that belongs to a business, where that information is likely to change or be handled by a group of people. You might as well have generic addresses like domreg_admin@yourdomain.com. Spammers are still going to try to abuse it, but if nothing else you can put an auto-responder that tells the sender to use a web form.

          The tec

      • by wfberg ( 24378 )
        The SRS.

        If you've ever tried WHOIS'ing a domain in the process of being registered, transferred or dropped it should be quite obvious WHOIS isn't used.

        Besides, the availability database doesn't contain (nor does it need to) registrant's (private) information. In the case of com/net/org, that information is kept at the registrar, rather than at the registry. Some newfangled registries do keep those details centrally, but an API for checking availability wouldn't need to return it.
        • .org is "thick" -- meaning the registry stores WHOIS information. .com and .net are "thin" -- meaning registrars store WHOIS information.

          And yes, whois should NEVER be used for availability (and no registrar uses it for availability) -- they use the Domain Check command to see if a domain is available.

          However, registrars do use WHOIS for Transfers.
    • Re: (Score:2, Interesting)

      by ztransform ( 929641 )
      I have to agree.

      I've tried to privately register every single one of my domains, and end up paying more for what is effectively "not listing my number in the telephone book", just because I don't want SPAM.

      I say scrap whois. But still make registration of e-mail mandatory so the registrar can still contact domain owners.

      I would guess the real-world equivalent is car registration (number) plates. In most countries the name and address of the registration plate owner is not publicly available presumably to de
    • for plenty of us (Score:4, Insightful)

      by CarpetShark ( 865376 ) on Tuesday October 30, 2007 @10:55AM (#21171771)
      Speak for yourself. I use whois every day. It's invaluable.
      • Speak for yourself. I use whois every day. It's invaluable.

        Are you a spammer?

        There would be no other reason to use whois since it is unreliable. If people want to give out their information to the entire World Wide Web then they should do it on their own Web sites. People should not have to pay extra money, or risk losing their domain names (because they are breaking ICANN rules), or possibly risk going to jail (in at least some countries I would presume) for not wanting spammers, stalkers, paparazzi, or law enforcement officials to know where they live (police a

        • Re:for plenty of us (Score:5, Interesting)

          by CarpetShark ( 865376 ) on Tuesday October 30, 2007 @12:00PM (#21172839)

          Are you a spammer?

          There would be no other reason to use whois since it is unreliable.


          Then why are you asking a question you think you know the answer to, if not that you think you're wrong? As it happens, you're VERY wrong. It's not the be-all-and-end-all of domain details, no, but it's very useful; for quickly finding out the status of a potential customer's domain, for finding out who owns an IP address that's exhibiting abuse, etc.
      • by hackstraw ( 262471 ) on Tuesday October 30, 2007 @11:52AM (#21172717)
        Speak for yourself. I use whois every day. It's invaluable.

        Really? Can someone elaborate on its usefulness? I gave up on it years ago. (also, I simply don't need to know this info anymore)

        When I was a SPAM vigilante, I would do whois lookups, and usually the information was clearly bogus. Often, if the info was not bogus, it was outdated. And I've heard from many people that are legitimate people doing legitimate things with their hostnames that would never give real information for whois lookups because they simply don't want to be the target of SPAMers or whatever else could come from having any personal information laying around for some random person to have fun with.

        I would never put accurate or relevant info into a whois lookup, and I don't expect anyone else to do so either. Nothing good can come from it, unless maybe you hold the killer domain and you hope someone will try to buy it from you.

        I also lie about any personal info to protect my privacy, unless there is something explicitly beneficial for me for someone else to have relevant info. I also tell all of the door to door sales people trying to sell me some crap for my house that I rent. They immediately say "Oh", and walk away. I also pay extra to have my phone number unlisted.

        I'm still on some lists, but not that many. And the fewer the better.

        • Really? Can someone elaborate on its usefulness? I gave up on it years ago. (also, I simply don't need to know this info anymore)

          When I was a SPAM vigilante, I would do whois lookups, and usually the information was clearly bogus. Often, if the info was not bogus, it was outdated.

          Well, there are lots of TLDs out there, each with different standards, and lots of different types of domains to lookup. What you get when you look up a site likely to be targeted by spammers isn't necessarily what you'll get whe

        • Re: (Score:3, Interesting)

          by davebooth ( 101350 )
          Really? Can someone elaborate on its usefulness? I gave up on it years ago.

          The whois database has one MAJOR use.. Most firewalls don't bother to look up DNS before they filter packets - too much overhead, in most cases. That means when you're creating firewall rules you're working purely in numeric addresses. So, if I determine that a bunch of cracked machines or scriptkiddies is making a nuisance of themselves, how do I blackhole an entire ISP's dynamic allocation block without being able to look up that I

          • by nuzak ( 959558 )
            Even if ICANN kills whois (which is itself doubtful) IP whois isn't likely to go away. The annoying personal info requirement is only a "feature" of domain name whois.

            BGP4 data is pretty good when you want to find ip ranges to block. RouteViews, Team Cymru, and The CIDR Report are all pretty good resources there. It's usually a bit more coarse-grained than IP whois, but it doesn't rely on the ISPs updating SWIPS records that may go out of date or never get added in the first place.
        • by caluml ( 551744 )

          Can someone elaborate on its usefulness?
          I don't find it as useful for domain names. But you can look up ASes, Handles, and IP addresses among two other things.

          dig news.bbc.co.uk
          whois 212.58.226.33
          whois AS2818
          whois BBC-RIPE
    • In response to customer inquiries about why such-and-such a domain isn't resolving, I do hundreds of checks a month to verify that domains actually exist, since a sizable percentage have non-functioning DNS. I also query to see if domains we are about to drop from our authoritative DNS service are actually gone.

      Not to say the whole whois scheme is a mess, but some sort of non-DNS, free service needs to exist to verify that a certain domain either exists or doesn't.

      The other thing that irritates people the m
      • Re: (Score:3, Informative)

        by nuzak ( 959558 )
        You don't need whois to check for the existence of a domain. Just look up its NS glue record.

        What WHOIS is really good for is getting the registration date of a domain, which is a nice indicator of whether a domain is actually a throwaway spam domain or an established site. It'd be nice if the dates actually came back in a consistent format, but at least it's usually human-readable. IP whois is also nice when you're looking at an ISP that actually bothers to fill out SWIPS records for allocations. I've
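The comment above uses a domain's registration date as a throwaway-domain indicator and notes that WHOIS dates do not come back in one format. A sketch of that check, added here as an example and not part of the original thread: the field labels, date layouts, 30-day threshold and sample records are all constructed assumptions, and an unparseable date is reported as unknown rather than guessed.

```python
from datetime import datetime, timezone

# Labels that introduce the registration date. Assumed, non-exhaustive list:
# registries and registrars each pick their own wording.
CREATED_LABELS = {"creation date", "created on", "created",
                  "registered on", "registration date"}

# Non-ISO layouts tried after ISO 8601 parsing fails (also an assumed list).
FALLBACK_FORMATS = ("%d-%b-%Y", "%d-%b-%Y %H:%M:%S UTC", "%Y.%m.%d", "%Y/%m/%d")


def parse_date(value):
    """Parse one date string into an aware UTC datetime, or None."""
    value = value.strip()
    # Older Python versions reject a trailing "Z" in fromisoformat().
    iso = value[:-1] + "+00:00" if value.endswith("Z") else value
    dt = None
    try:
        dt = datetime.fromisoformat(iso)
    except ValueError:
        for fmt in FALLBACK_FORMATS:
            try:
                dt = datetime.strptime(value, fmt)
                break
            except ValueError:
                continue
    if dt is None:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive values are UTC
    return dt.astimezone(timezone.utc)


def parse_created(whois_text):
    """Earliest parseable registration date in a WHOIS response, or None."""
    found = []
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().lower() in CREATED_LABELS:
            dt = parse_date(value)
            if dt is not None:
                found.append(dt)
    return min(found) if found else None


def domain_age_days(whois_text, now):
    """Whole days since registration, or None when no date could be parsed."""
    created = parse_created(whois_text)
    return None if created is None else (now - created).days


def classify(whois_text, now, young_days=30):
    """'young', 'established' or 'unknown'; the threshold is an assumption."""
    age = domain_age_days(whois_text, now)
    if age is None or age < 0:
        return "unknown"
    return "young" if age < young_days else "established"


# Fixed reference time so the demo is reproducible.
NOW = datetime(2007, 11, 15, tzinfo=timezone.utc)

# Constructed WHOIS fragments, one per date style.
SAMPLE_THIN = "Domain Name: EXAMPLE.COM\n   Creation Date: 2007-10-30T10:32:00Z\n"
SAMPLE_OLD = "Domain Name: EXAMPLE.ORG\nCreated On: 02-Jan-1998 05:00:00 UTC\n"
SAMPLE_DOTTED = "domain: example.net\ncreated: 2007.11.01\n"
SAMPLE_VAGUE = ("Domain name:\n    example.co.uk\n"
                "Relevant dates:\n    Registered on: before Aug-1996\n")

if __name__ == "__main__":
    for name, text in [("thin", SAMPLE_THIN), ("old", SAMPLE_OLD),
                       ("dotted", SAMPLE_DOTTED), ("vague", SAMPLE_VAGUE)]:
        print(name, parse_created(text), classify(text, NOW))
```

Domain age is only one signal; a young domain is not proof of abuse, and an old one can be compromised or resold.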
        • Not all domains have NS glue records, however.
          • by Otto ( 17870 )

            Not all domains have NS glue records, however.
            True, but he's talking about checking the existence of a domain, in which case making a query to the root servers will return the nameserver for that domain, if it exists. Okay, so it may not need glue records in particular, but it must have nameserver records in the root, because that is what defines the domain's very existence.
            • Re: (Score:3, Informative)

              by jani ( 4530 )
              Name server records are not what "defines the domain's very existence", it only defines whether the domain exists in DNS.

              There are cases where e.g. name server changes or domain name transfers result in a loss of name server data in the root servers. The domain still exists, but it is or will quickly be in an unusable state.

              So, to reiterate:

              DNS shows you whether the domain works.
              WHOIS currently shows you whether the domain exists, as well as domain ownership information.

              If ICANN wants to get rid of whois f
  • by Kelson ( 129150 ) * on Tuesday October 30, 2007 @10:35AM (#21171453) Homepage Journal
    In one episode last season, Ando showed up at Niki's house, having been able to find her because she listed her home address on the WHOIS record for her website.

    (The unspoken moral: use a PO Box, or some guy from halfway around the world will drop in on you unexpectedly.)
    • Re: (Score:2, Interesting)

      by maitai ( 46370 )
      Back around 1996 or so I had someone show up at my house after retrieving my address from my domain's WHOIS record.

      They'd received some bounced emails from an email address they didn't recognize (mine), assumed their emails were being 'hijacked' (as they put it). They then looked up the WHOIS information for my domain (which included the same email address in the record), realized it was local and drove out to my house.

      Of course, I was the system admin for their upstream provider... and they already knew me
    • I really appreciated that, because it showed that, like most of Hollywood, these writers only know enough to be dangerous -- but unlike most of Hollywood, they're stopping with what they know.

      This after losing all respect for Law & Order: "He's using an encrypted IP address, so I can't trace him directly, but I can put up a trace program, so that the next time he goes online, visits a website, we'll see the same encrypted IP address, and be able to trace him." (This is almost certainly filtered through
    • by Xyrus ( 755017 )
      Simultaneously, I've used whois information to help keep people from getting scammed.

      Like any tool, it has good and bad uses.

      ~X~
  • What is the problem? (Score:2, Interesting)

    by Anonymous Coward
    The advocates complain that the system doesn't do enough to protect domain owner information from spammers and fraudsters

    Every major domain registrar lets you do a "private domain registration" for a few bucks extra. They replace the WHOIS data with generic info plus a uniqueID, which lets you contact the domain owner through the registrar.

    Pretty simple - not rocket science.

    I am sure that the registrars will happily hand over the actual domain registration info to duly authorized law enforcement with a cour
    • Every major domain registrar lets you do a "private domain registration" for a few bucks extra

      Actually, some cc-tlds forbid it. They don't give out the owner on the whois request, but they do on their website after entering a captcha. The captcha itself however hasn't stopped persistent spammers and even domain name scammers.

      A few years ago a certain registrar started sending out lots of snailmail warning people that their domain name was about to expire. Many customers immediately responded by signing

      • We had an even more amusing one. Some company (Domain Names LLC or something equally stupid) registered a random domain name and changed the WHOIS details to match a domain we legitimately owned. Once that was done, they then fired off an invoice to us requesting payment for that domain. Needless to say, they got nothing.
  • by InitZero ( 14837 ) on Tuesday October 30, 2007 @10:41AM (#21171541) Homepage
    It used to be when I had to contact someone, the whois information was accurate, complete and, when I dialed the number, I got a live human being that actually was able to address my issue. And, life was good.

    Now, it seems even reputable domains are hiding behind private registrations or have outdated or deliberately incorrect information. Bleh. Problems that used to be able to be solved with a pleasant phone call now require hours of my time if the task is even possible.

    So, my first choice would be that whois domain information take a giant step backward to the days when it was useful information. If that isn't an option (and going back in time rarely is possible), get rid of it altogether.
    • "hello?"

      "hi, this is some random yahoo you don't know who is looking at your website. i have my own agenda about what needs to be 'fixed' on your website. whenever i go to your website it doesn't do x, and i want that done"

      "oh, ok sir, we'll get right on that, give me a few hours"

      when was that ever a valid scenario for you

      i hope you're talking about fighting email spam or worms from rogue domains
      • by InitZero ( 14837 )
        I know that interpersonal voice communications conducted over an old fashion telephone line between peers is the antithesis of all that is the tech world and Slashdot. Still, it can be rather effective at times.

        True story...

        I was the IT Director for a mergers and acquisitions company. We were a couple days away from closing on a mid-sized ($72 million) transaction. Money had already been wired into escrow. We are in the United States but the company's owner was vacationing in South Africa. The company we we
        • Yet phone was still your last resort AND while WHOIS was certainly convenient in this particular case, it most likely would have still been possible to get their phone number from somewhere else.

          Oh AND AND AND ... you're talking about a business.

          What about guys who set up a small web site out of their homes and are leaving themselves open to spammers and such by having their home address and phone # in their WHOIS info ? They can either get a PO (although in that case they're still fscked for the phone #) o
          • by InitZero ( 14837 )
            > What about guys who set up a small web site out of their homes

            Ummmmm... You mean people such as myself? I have owned my domain since 1997, have always hosted it myself (though never in my house) and have always used real contact information that actually comes right to me. In, geez, ten years, I have only received two phone calls and both were calls I was glad to receive.

            Yes, I'm sure spammers target me based on the whois information but with an email address of firstname@domain.tld, I doubt most of my
      • "hello?"

        "Hi Sir, this is Jack from DomainsRus. We want to warn you that your domain will expire 'real soon now' (9 months) and that you better register your domain IMMEDIATELY or you will lose your website. Registration only costs $159.99! Can I have your credit card number?"

        -- or --

        "Hi Sir, this is Jack from DomainScam.com. I want to BUY your domain!"

        -- or --

        "Hi. I was calling for ... ... Steee-faaan. Stee-faan, I found your resume online and I think I have a job opportunity you might be interested in. Do
  • by gsfprez ( 27403 ) on Tuesday October 30, 2007 @10:43AM (#21171583)
    i sold an old Mac laptop with system 7.5 to a girl for $200 with a printer about 7 years ago. She had little money, and for what she needed - a way to type homework in her dormroom and print it - $200 seemed reasonable - it did what she told me she wanted it to do, and she tested it at my place and everything worked just fine (2 cheers for Word 5.1 on system 7!). I made it clear that this was *not* an internet workhorse, and that if she wanted that, she needed to go to the bookstore and buy a new computer. "No no, i just want to type papers and print them in my dorm room".

    So, of course, the first thing she did was attempt to install a bunch of new internet software (browsers, school's First Class server client) on it which of course didn't work. Then she took it to the school helpdesk, and they (rightly) had no idea what to do, so instead of telling her to get jammed, they screwed it up completely. So, she calls and says she wants to return it because it doesn't work. I'm like - yeah, what the hell do i want with a fscked up powerbook and printer? I don't want to buy it - i just sold it to you like two weeks ago.

    time passes... and i start getting threatening emails from some guy on a yahoo account with ($myname)fucker@yahoo.com. Then he starts saying that he's going to come after my wife and he's watching her car when she comes home at night. That was fscking it. It's the girl's mental patient boyfriend.

    Long story short - he was actually stalking whoever in the hell was in my old apartment - it was pure coincidence that the new tenants also owned a Honda Civic too.

    Where, do you think, he got the address? Of course, from my whois entry when i didn't have any money to buy a PO Box.

    Yeah, if you think i'll ever give out my information to my actual home or office location - ever - you've gone daisy, my son. ICANN and everyone else can demand all they want that my info be correct - but i don't answer to them, so they can kiss my ass.

    In fact, because of this, a guy who started, then stole, the website of a non-profit (they've set the donations address to their address, but the actual non-profit is in Africa, so it's hard for them to fight the problem) is going to be getting a legal foot up its ass because i know where he is and where he lives and his work address - all because he's broadcasted it in whois and on his webpage.

    ICANN can't make me do anything.
    • by LiquidCoooled ( 634315 ) on Tuesday October 30, 2007 @10:58AM (#21171831) Homepage Journal
      Wouldn't it be more likely that the stalker got your address from his girlfriend?
      After all you just said she came to your house to check out the computer.

      • by gsfprez ( 27403 )
        my place - i meant my office.

        Also, "boyfriend" may have been a strong term... they were "sorta" dating... he was trying to impress her by getting her money back from me... but she wouldn't have anything to do with him when this whole thing started.

        She was actually not a bad person - and she felt bad about the whole thing. She was just being unreasonable about the computer... i offered to re-clean up the machine and put it back the way it was when i sold it to her for $25 (for my time - probably $5 an hour
    • Re: (Score:3, Insightful)

      by InitZero ( 14837 )
      > if you think i'll ever give out my information to my actual home or office location

      Don't confuse privacy (or safety) with anonymity.

      Just because you don't give out your address doesn't mean you're safe. A false sense of security is often worse than a real sense of caution or even fear.

      What's the goofy slogan bantered around Slashdot so often? Security through obscurity and all...

      Matt
      • by nuzak ( 959558 )
        Information that isn't there AT ALL isn't "obscure". It's INACCESSIBLE.

        Here's how you tell the difference:

        My real name is "puneyrf h. sneyrl", but that's encrypted in a really secret way that I won't tell you (and no it's not REALLY my name).

        My home address is out there on the net somewhere. Go tell me what it is.

    • by tftp ( 111690 )
      Well, this is exactly why I do my best to never sell anything privately, especially such a complicated thing as a computer. In the gsfprez's case it's obvious that the sale was not very profitable. The sale was legal and all that, but some people just don't understand what they are buying, and even if they do they like to think that the sale contract can be changed at will, at any time, as long as one side wants it bad enough. Do you think this girl's boyfriend would be stalking the local Fry's manager, for
    • The lesson I take away from your story is to never ever sell someone a computer that won't do what they want it to do, even if they tell you they don't want to do it. Plus, Macs without OSX are worth less than nothing, charging anything for them should be a felony.
      • by barzok ( 26681 )
        Read his post again. He sold it to her seven years ago. OS X may not have even been out yet (depending upon when in 2000 it was).
    • by Sloppy ( 14984 )

      Your problem isn't whois. Your problem is that there are crazy people in the world.

      If I'm psycho, I can drive up Jeopardy Lane, randomly pick the house at address 9764, and start harassing them.

    • by jotok ( 728554 )
      ICANN, in fact, can write policy to which member nations agree that would cause you to lose all of your domains unless you arrange some method by which you can be contacted.

      Say your domain is found to be hosting the malware-du-jour. Tons of people are complaining, but you don't know about it, because you put fake info into your registration. The first you find out about it is when your ISP pulls the plug. Does this sound like a good idea to you?
  • It does me no good to try to contact someone through WHOIS with their nonexistent email address, their disconnected phone number, and their fake shell company. In those instances where I can work out a networking problem with a legitimate company, university, or ISP based on accurate WHOIS info, it makes life much easier than calling a techno-peasant receptionist and explaining who it might be in what possible department that might handle the kind of thing I need to talk to someone about, only to find out
  • The internet is a venue for free speech, and any discussion of privacy concerns needs to keep that in mind. From the American perspective, free speech is sacrosanct, and one guarantor of free speech is anonymity. WHOIS (in theory) removes the ability to publish anonymous content via a self-owned website.

    Most of the people clamoring for WHOIS to remain are those who have intellectual property to protect (especially trademarks). Without getting into a debate about whether trademarks should exist (please! t
    • It's also a matter of liability. If someone is putting up illegal content (libel, slander, kiddie porn, warez) it would be nice to know who owns the domain [and presumably the servers it points to].

      And as I'll point out for the 20th time on Slashdot ... "freedom of speech" is FROM THE GOVERNMENT, not private citizens. If AT&T doesn't want to host your website anymore, that's up to them, not you. At most it's a breach of contract not a violation of the 1st amendment.

      Tom
      • . "freedom of speech" is FROM THE GOVERNMENT, not private citizens. If AT&T doesn't want to host your website anymore, that's up to them, not you.

        I would contend that all corporations, but especially ones granted a government monopoly, are not private citizens. In fact, to some (but an insufficient) degree, the government is making them act more like the government than a private citizen. To wit, IBM cannot have a policy of not hiring [insert racial epithet here]. I think the federal government shou

        • When they become a monopoly one could argue they're a common carrier at that point, that for the greater good of society they charge a fair price and do not restrict the content (much like airlines and the like).

          However, I don't think ISPs fall under that.

          The problem with taking away liability [e.g. ability to police content] from the telcos is you leave a void. If I can't find the owner of a website, and I can't force the telco [or isp] to remove illegal content, then we have anarchy. You'd be free to sa
          • The problem with taking away liability [e.g. ability to police content] from the telcos is you leave a void. If I can't find the owner of a website, and I can't force the telco [or isp] to remove illegal content, then we have anarchy.

            I agree that this is a problem. If someone invents a way where the courts can be used to give such a directive, I doubt I would fight it. But I have a very large problem with telcos filling that void. I think it is properly a government function and that it should not be o

      • That is true, but in the case of a company (Farmers) threatening you with lawsuits because of your website's assessment of their service, the first amendment prevents the legal system from enforcing their wishes to take down your site...
        -nB
        • Exactly. The point is, the 1st amendment stops the government (on behalf of the people or selected complainants) from abridging speech. Get the same bs when people complain about being searched at Best Buy. The protection against unlawful search and seizure is simply from agents of the state. When a security guard searches you without first asking permission or performing a lawful citizen's arrest, they're committing an assault. Different laws.

          But all too often people trump out "their rights," it'd be n
  • Anyone who has had to deal with the Domain Registry of America will understand this.

    Soon after one of our clients registers a domain with us, these lovely people will send a very convincing snail-mail to the customer based on their whois data with a payslip attached, saying words to the effect of "Your domain will expire unless you register with us!"

    In the UK, the Office of Fair Trading seem to have turned a blind eye to this despite numerous complaints.

    -daedalusblond
  • So when are we going to replace email with Internet Mail 2000?
  • by sherriw ( 794536 ) on Tuesday October 30, 2007 @11:07AM (#21171973)
    I own a number of domains and I completely agree that the WHOIS system needs a major overhaul. For one or two domains I actually purchase extra whois privacy from GoDaddy, but for the most part this is just added cost for me to patch a broken system. Why can't I pick and choose what info to show?

    On top of it, if I own a .ca domain, I'm forced to use my real name not my company name and my .ca registrar does not offer domain privacy on .ca domains.

    I get a ton of spam to the email address I use for my domains, so this address has its anti-spam set WAY up. I even get occasional phone calls about my domains- usually scams, but recently it was a good thing because I sold one of my domains for $5K (though why the person couldn't just use the contact info on the actual website is beyond me).

    But, basically I think you should be able to opt for privacy at no cost. Seems like a no-brainer to have a privacy flag as part of the database. Or maybe provide a url of a contact page where you can determine what to show or just provide a contact form box.
    • GoDaddy is usually about $8 for a domain, and another $8 for privacy service (this goes up and down all the time, I know, based on sales, quantity, and whatnot). I got tired of not knowing if my domain would cost me $5 one year, $18 the next, and so on, since I manage multiple domains with different TLDs. Then, if you ever have to contact their tech support, well... let's just say I hate phone trees. I'm not trying to advocate any one company, but I did my research and found a registrar that charges a flat $
  • by www.sorehands.com ( 142825 ) on Tuesday October 30, 2007 @11:08AM (#21171989) Homepage
    I am suing (http://www.barbieslapp.com/spam/e360/timeline.htm) Moniker for providing anonymous whois to David Linhardt (http://www.spamhaus.org/organization/statement.lasso?ref=3).

    Moniker has been providing Linhardt/e360Insight, with hundreds of anonymous domain names. This makes it difficult, if not impossible, to determine which domains are his. With anonymous registration you cannot tell if the 1000 of spam you received today are from 1000 different companies that may have mistakenly added you to their list or from one hardcore spammer.

    Legitimate businesses have no reason to hide their identity.
  • Fix it or flush it (Score:3, Insightful)

    by Opportunist ( 166417 ) on Tuesday October 30, 2007 @11:08AM (#21171991)
    What is it useful for? To contact a domain owner and inform him about abuse or fraud, or identify someone who is using a domain for criminal activity. So far the theory.

    In practice, you can rest assured that not a single domain used for things like ID theft has ever been registered to a real name. Earlier, they registered with registrars who didn't check information (so you had funny entries like some guy whose information was already grabbed in an earlier phish registering a domain for a server in Malaysia), and when registrars felt the pressure, they simply use registrars now that allow you to put their name in instead. Complaining with those registrars results in a "we're looking into it" until the domain is no longer used by the ID thief, so the problem solves itself.

    So either require people to put in truthful information and remove registrars that don't comply, or get rid of it altogether. In its current state it serves no useful purpose. The current system only aids criminals, on both ends.
    • What is it useful for? To contact a domain owner and inform him about abuse or fraud, or identify someone who is using a domain for criminal activity. So far the theory.


      Getting rid of whois on that basis would be "throwing the baby out with the bathwater", as they say. There's nothing wrong with the tool -- just with the tools who allow incorrect data to be entered.
    • by geekoid ( 135745 )
      Too bad, so sad, you're wrong.

      The information in WHOIS has been used in criminal cases, and in fact sometimes bad information has given indicators that have helped. Like someone using the same information with just a minor change.

      You're smart, you wouldn't do it, but you're also not a criminal.
      Criminals tend to be stupid, overconfident, and leave a trail of similarity through their lives.

      There have been many times when people have used it to find out who is behind websites so they can determine a bias behind a m
  • WHOIS is rather lame because of fake data, and most who fake data usually do so because they don't want to give worthwhile contact details to the whole world. However, a lame WHOIS is better than no WHOIS in my opinion. I think it's valuable to have at least a registrant name provided in WHOIS, at the very least to serve as some record of who originally registered a given domain name in the unlikely but not unheard of issue of hijacking. I think perhaps ICANN should build and maintain a private contact d
  • I would say the best use of WHOIS is when you need to contact the owner of a business domain. Like many others I've seen boatloads of complaints from people here about their own private domains and how badly they hate WHOIS.

    To those private owners, I could care less if their home information is available through WHOIS, as long as they aren't selling illegal merchandise through said domain and pumping spam for it all over the world.

    However, when international criminals register domains to sell pirated software / bogus pills / etc ... I do believe WHOIS is still useful. When you can obtain the WHOIS information for the criminal domain, it gives you someone to contact about that activity. People who care enough to do this have managed to progressively change the policies of registrars who were frequently used by spammers for nefarious purposes.

    And further investigation into WHOIS data can lead someone to even more critical information, as well. Being as the WHOIS record contains information on the DNS servers that are resolving the domain, a person who wants to really dig deep can find where those were sold as well. A little hint: the spammers often use only a short list of DNS servers for a large number of their domains.

    So in summary, before people rally around ICANN with pitchforks and torches to demand the demise of WHOIS, I ask you please consider a solution for the applications where WHOIS is still useful before insisting that it goes away completely.
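The hint in the comment above, that many domains resolve through a short list of DNS servers, can be checked by grouping WHOIS records by their name server fields. This is an added example, not part of the original thread; the records, domain names and the `min_domains` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed WHOIS records in three common field spellings (.test placeholders).
RECORDS = [
    "Domain Name: PILLS-ONE.TEST\nRegistrant Name: Proxy Service\n"
    "Name Server: NS1.BULKDNS.TEST\nName Server: NS2.BULKDNS.TEST\n",
    "domain: pills-two.test\nnserver: ns1.bulkdns.test. 192.0.2.53\n"
    "nserver: ns2.bulkdns.test.\n",
    "Domain Name: warez-three.test\nNameserver: ns1.bulkdns.test\n",
    "Domain Name: bakery.test\nName Server: ns1.smallhost.test\n",
]

DOMAIN_RE = re.compile(r"^[ \t]*domain(?: name)?:[ \t]*(\S+)", re.I | re.M)
NS_RE = re.compile(r"^[ \t]*(?:name ?server|nserver):[ \t]*(\S+)", re.I | re.M)


def parse_record(text):
    """Return (domain, frozenset of name servers), or None if no domain field."""
    m = DOMAIN_RE.search(text)
    if m is None:
        return None
    # Normalise case and the trailing root dot so spellings compare equal.
    domain = m.group(1).lower().rstrip(".")
    servers = frozenset(ns.lower().rstrip(".") for ns in NS_RE.findall(text))
    return domain, servers


def shared_nameservers(records, min_domains=3):
    """Map each name server to its domains, keeping servers with >= min_domains."""
    by_ns = defaultdict(set)
    for text in records:
        parsed = parse_record(text)
        if parsed is None:
            continue  # unparseable reply: skip rather than guess
        domain, servers = parsed
        for ns in servers:
            by_ns[ns].add(domain)
    return {ns: sorted(d) for ns, d in by_ns.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for ns, domains in shared_nameservers(RECORDS).items():
        print(ns, "->", ", ".join(domains))
```

Registrant fields hidden behind a proxy do not affect this grouping, because the name server lines are published either way.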
  • I think that WHOIS should be required to keep an accurate, legit database of domain registrants. Registrants of domains should be required to have at the least a verified mailing address and phone number, and logically an email address as well so they can communicate with the registrar.

    Compare having a domain to purchasing real estate. You would never get anywhere trying to rent or purchase a retail location with a bogus name, address, phone number, email address, etc. I think domain registrants should h
  • I believe there should be NO PROXIES for domain name info. I think having such feeds into SPAMMERS. I'd rather be able to go to a WHOIS and find out who the heck is SPAMMING me and get them to stop. (I've done this on a couple of occasions.)

    - Saj
  • by guruevi ( 827432 ) on Tuesday October 30, 2007 @11:53AM (#21172727)
    I use whois every day to check domains and IPs from command line. The simplest way to get an IP range is just "whois xxx.xxx.xxx.xxx" and then block/allow the whole range depending on your needs.

    It's an invaluable network tool and just like DNS, you can't just scrap it. That there is abuse is always going to be a problem and that can be done with any list you put your data on. Ever wondered why you get so many credit card offers in your mailbox? Yes, it's because your name and address are somewhere on a list and most likely you have put yourself on it by using your address with either a banking institute or a vendor. You can't stop abuse by taking away services just like you can't say that you are going to solve those credit card offers in your mailbox by removing the postal services. If you do, the abuse is just going to shift from whois to your webhosters' site or DNS just like the credit card offers will be carried out by FedEx or UPS.
  • by Animats ( 122034 ) on Tuesday October 30, 2007 @12:19PM (#21173175) Homepage

    The actual ICANN report [icann.org] shows they're deadlocked, all right. See this timeline. [ncdnhc.org]

    Most of the privacy advocates are referring to the European Directive on Privacy. That only applies to individuals not engaged in business. For businesses, the European Electronic Commerce Directive (2000/31/EC) [sitetruth.com] applies. And it's very clear. Any "natural or legal person providing an information society service" must disclose name, real-world address, and E-mail address. No exceptions.

    California has a similar law. It's more narrowly drawn, only applying to sites that take credit cards, but it's a criminal law - six months in jail for not disclosing the "actual name and address" of the business.

    WHOIS policy should take that into account. There's a legal obligation to disclose name and address information for businesses. It's not optional.

    Our SiteTruth [sitetruth.com] system is based on these laws. If a web site is selling or advertising something, and we can't find a business name and address for it, its rating is toast. We scan each site for human-readable postal addresses (some people would call this "semantic web" technology). We check commercial business databases. We check SSL certificates. We look at Open Directory. If we can't find a business name and address after doing all that, the site's rating is a red "do not enter" sign, and we kick them down to the bottom of search results. Once we have a business name and address, we have something to look up in business databases, corporation records, business license records, credit ratings, criminal records, etc. Plenty of data is available about businesses once you have a name and address. No more "on the Internet, no one knows if you're a dog". We know.

    We haven't found WHOIS data very useful in doing this. WHOIS data quality is awful. Many entries are phony. Mailing addresses on the web site itself tend to be more accurate. Using a phony business address is felony fraud in most jurisdictions, so that's relatively rare, and mostly shows up on phishing sites. So we cross-check with anti-phishing databases to kick those sites out.

    It's quite possible to use this approach to check WHOIS information in bulk. If ICANN actually cared about WHOIS data quality, they'd check the data against postal databases and business databases. They don't.

  • ...at my last job I would use it a lot to look up the full range of netblocks for mail servers that did not behave well with greylisting. Mail farms with greylisting when the other end treats 4xx's like 5xx's is annoying.

    It's also the method I used to stop abusive networks (usually in China) from hitting ours. You know one address, you can find the full range assigned to them using whois.
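The workflow in this comment and in guruevi's comment above (one `whois` lookup on an address, then a rule for the whole range) turns on converting the returned range into CIDR blocks. The following is an added example, not part of the original thread; the sample replies use documentation address space, and the `min_prefix` guard is an assumption for IPv4 that rejects replies describing a parent allocation far larger than the offending network.

```python
import ipaddress
import re

# Constructed sample replies (documentation address space, not registry data).
ARIN_STYLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
OrgAbuseEmail:  abuse@example.net
"""
RIPE_STYLE = """\
inetnum:        198.51.100.64 - 198.51.100.191
netname:        EXAMPLE-NET
"""

RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):[ \t]*(\S+)[ \t]*-[ \t]*(\S+)[ \t]*$", re.I | re.M)
CIDR_RE = re.compile(r"^CIDR:[ \t]*(.+)$", re.I | re.M)


def netblocks(whois_text):
    """Return the allocation named in a WHOIS reply as ip_network objects."""
    nets = []
    for first, last in RANGE_RE.findall(whois_text):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # A range off a power-of-two boundary needs more than one CIDR.
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    if not nets:  # no range line: fall back to explicit CIDR lines
        for line in CIDR_RE.findall(whois_text):
            nets.extend(ipaddress.ip_network(c.strip()) for c in line.split(","))
    return list(ipaddress.collapse_addresses(nets))


def blocklist(whois_text, queried_ip, min_prefix=16):
    """CIDR strings for the block holding queried_ip, or [] if the reply is unrelated."""
    ip = ipaddress.ip_address(queried_ip)
    nets = netblocks(whois_text)
    if not any(ip.version == n.version and ip in n for n in nets):
        return []  # reply is about some other block; do not act on it
    for net in nets:
        if net.prefixlen < min_prefix:
            raise ValueError(f"{net} is broader than /{min_prefix}: parent allocation?")
    return [str(n) for n in nets]


if __name__ == "__main__":
    print(blocklist(ARIN_STYLE, "192.0.2.77"))
    print(blocklist(RIPE_STYLE, "198.51.100.130"))
```

The RIPE-style range is not aligned to a single prefix, so it comes back as two /26 blocks rather than one rule.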

  • I remember years back when I first got DSL and, for a lark, ran a whois lookup on my IP address. I nearly shit my pants when my private customer info with SBC appeared. So much for anonymity on the internet, I thought.

    For anyone who does have DSL, or otherwise is spending their time pretending to be a 16yo girl on usenet, this link [dslreports.com] might be helpful to get yourself a more appropriate "Private Customer" designation. I'm sure cable users have a similar option available to them.

    The lesson I took away for the
  • by Tolvor ( 579446 ) on Tuesday October 30, 2007 @12:47PM (#21173649)

    I have had a long dislike of whois.

    For one it gives people a major way to steal domain names. People look up the domain name that they want in the public record, find the email address, and try to crack the email. If they can get the access to the email then more than likely the domain can be stolen. Then us poor techs get a call several months later from the true customer wondering what happened to their domain. Whois reveals too much information.

    Secondly it isn't accurate. People see their name in whois and think that means they get to make decisions on the account/domain. Just because your name appears in whois does not mean you are listed on the account itself. But try explaining that to their ex-(terminated)-webmaster.

    And lastly WhoIs is a major pain to explain. Try telling a paranoid customer that all domains appear in whois, and that you can't remove a domain itself from whois. My sup can't remove it from whois. The president of MegaDomainRegistrar can't remove it. Sorry, no, I don't have a phone number for ICANN. We can hide the info, but we can't make it disappear.

    But then to be fair, I can't think of an alternative system to keep the domains and websites fair and accountable. Complaining to a registrar/webhoster about a domain/site is next to useless unless it is unquestionably illegal or definitely a trademark issue. Most cases get shunted to the legal department, which gives the unhappy complainant a copy of the AcceptableUsePolicy and asks them to submit proof of infraction (yeah, good luck). Usually it takes a dedicated lawyer to get things done in these cases. So for now, whois stays.

    • by geekoid ( 135745 )
      "...nd try to crack the email."
      Because there is no other way to get the email address?

      "But try explaining that to their ex-(terminated)-webmaster."
      Why? He's an idiot. Any webmaster that does this deserves to be unemployed. How hard is it to say "No, it is none of your concern" then hang the hell up. If he calls back notify the company that he is trying to gain illegal access to their site. That will end it.

      "And lastly WhoIs is a major pain to explain. "

      Whaat? are you from the short bus of IT staffing?
      I have
  • I think this is crazy. The whole point of having a domain name is so that people can look you up and contact you. If you don't like that some of them do contact you, or that some of them contact you for purposes other than what you intended (they send you a Viagra ad instead of an HTTP request) then get over it. Or tell people to use your IP address instead of a name, or live within someone else's domain (there isn't really anything wrong with your personal web page being at http://someisp.com/~yourname [someisp.com])
    • by llefler ( 184847 )
      (there isn't really anything wrong with your personal web page being at http://someisp.com/~yourname [someisp.com]).

      Well, unless you want to run your own server so that you can use whatever software you like. Of course, your ISP could assign yourname.someisp.com to your IP, but they aren't willing to do that. If they were, there would be no market for dyndns.

      The whole point of any contact info is so that YOU can determine how you want to be contacted. Personally, I think an accurate whois would be useful. I use it from t
  • The Canadian Internet Registration Authority (CIRA) will implement [www.cira.ca] a new WHOIS policy in March to comply with Canadian privacy laws (particularly PIPEDA [wikipedia.org]).
  • I have owned domains for around 8 years now, and have used WHOIS even longer. Sure there is fake information out there, but legitimate domains will have working contact information 99.99% of the time. These days, I've mainly been looking up information for abuse contacts at large e-mail provider domains, but generally it's been useful just to find some sort of live contact for website problems, or any other failed or crippled service.

    Back in '99, I planned ahead before I registered my domains. I rented a P.
  • Anyone who wants to scrap whois servers just for domain ownership privacy reasons obviously doesn't know about its usefulness for getting assignee of record for IP blocks. That's much more useful when dealing with spam or security issues. Instead of getting the domain name owner, you're getting the info for the people who actually use that specific block, as well as the info for whoever assigned them that block. Very important in case you're getting hit by someone who won't respond to your complaints, becau
  • Privacy? Abuse? (Score:3, Interesting)

    by PPH ( 736903 ) on Tuesday October 30, 2007 @07:31PM (#21178517)
    I've owned a domain name for a number of years now. Other than using a P.O. Box for the contact info, I've never had any problems with fraud or abuse. I get the occasional offer to buy it (it's a somewhat popular name) but nothing I'd consider to be a nuisance.

    I think hiding the ownership of a domain (or IP address information) opens up opportunities for more fraud and, balancing that against privacy, I'd rather know who I'm communicating with.

    If someone needs privacy, there are ways to get it.
