WhoIs Privacy and Proxy Service Abuse

ICANN has a draft study that looks at abuse of the Whois database.

This study, conducted by the National Physical Laboratory (NPL) in the United Kingdom, analyzes gTLD domain names to measure whether the percentage of privacy/proxy use among domains engaged in illegal or harmful Internet activities is significantly greater than among domain names used for lawful Internet activities. Furthermore, this study compares these privacy/proxy percentages to other methods used to obscure identity ­ notably, Whois phone numbers that are invalid.

Richard Clayton, the primary author of the report, has a blog post:

However, it’s more interesting to ask whether this percentage is somewhat higher than the usage of privacy or proxy services for entirely lawful and harmless Internet activities? This turned out NOT to be the case ­ for example banks use privacy and proxy services almost as often as the registrants of domains used in the hosting of child sexual abuse images; and the registrants of domains used to host (legal) adult pornography use privacy and proxy services more often than most (but not all) of the different types of malicious activity that we studied.

Richard has been telling me about this work for a while. It's nice to see it finally published.

Posted on October 1, 2013 at 9:09 AM • 13 Comments

Comments

Brian M.October 1, 2013 10:37 AM

There's lots of abuse of the WHOIS database, and a lot of companies can't care less about cleaning things up. I've hunted 419 fraudsters, and false entries are typical. Many registrars just don't care, for whatever reason.

RSaundersOctober 1, 2013 10:54 AM

A great contribution to the dialog. As Brian mentioned, registrars don't care what their customers do after they pay their fees. This report measures the scale of the problem, and shows how huge it is. Incremental measures may cut down the rate of growth, but a fundamental architectural change will be needed to address an issue that has grown this large. Sad facts, but at least we have some facts.

Not really anonymousOctober 1, 2013 10:59 AM

Not all of the TLDs provide contact information. For example tonic only provides the name server names.
That's how it should be. These days you mostly want to contact the ISP instead of the domain name holder about abuse issues anyway. People that have hosted websites and the like, generally don't make good technical contacts for resolving problems (like things were 15 years ago) and forcing them to include contact information is more likely to facilitate abuse (particularly for websites covering controversial topics and media lawyers running protection rackets) than facilitating resolving of technical issues.

decentralOctober 1, 2013 11:12 AM

My last registrar was a namecoin domain. No info needed, no possible way for oppressive regimes like the US to seize it.

MikeBOctober 1, 2013 4:26 PM


After reading Clayton's blog excerpt, it already looks like the study is suspect. By putting banks into the "entirely lawful and harmless" category, I'm afraid that they badly skewed their results.

Clive RobinsonOctober 1, 2013 4:40 PM

@ MikeB,

With regards the bankers, the irony was not lost on me either.

It also reminded me of the line in Hitchickers where after 15years of field research Ford Prefect doubles the entry in the guid on earth from "harmless" to "mostly harmless".

rbarclayOctober 2, 2013 1:31 AM

@Not really anonymous

I work somewhere that sends out a lot of abuse reports, and for certain types (Defacements/Fake Pharmacy redirectors etc., basically anything that involves the site in question not actively spreading malware or phishing) it's more effective to contact the domain owner than the ISP.

Especially if it's a mass-hoster with tight profit margins - quite some of those won't do anything and won't even forward reports to their customers. They think that if their customer notices something has come up, they'll just move someplace else - or generate (expensive) support calls.

I think a way to contact the domain owner is necessary - though I don't care if it's just a mail-forwarder, the domain owner can be as anonymous as s/he wants, as long as I can be reasonably sure abuse reports will reach someone who actually cares.

WmOctober 2, 2013 7:37 AM

I have a fake telephone number in my registration - 123-456-7890. I don't think that there is any law requiring a valid phone number in the U.S. The last thing I need is to give out my phone number to everyone. In fact, a phone number is not required, as far as I know to get a domain mane and some people, believe it or not, don't have a phone. I also put in a generic, but valid, address - General Delivery, town, state, gendel-zip. Like I also really want to tell the world where I live. Very private people like myself are not going to expose themselves to the world.

Not really anonymousOctober 2, 2013 8:47 AM

@rbarclay: There are standard email addresses that can be used to contact domain owners which are documented in rfc 2142. This includes webmaster@, postmaster@, hostmaster@ and abuse@ amoung others.

Mike the goatOctober 2, 2013 10:08 AM

wm: I agree. I have a valid postmaster@ and abuse@ alias if people really want to contact me regarding my domain. I use a whois obfuscation proxy on my business domain and ehh, slightly misleading data on my private domain. I have seen organizational structure and info leaked on WHOIS before. I do not wish to expose more than I have to.

SMOctober 2, 2013 1:01 PM

As a security auditor, WHOIS information that contains identifying information that isn't entirely generic is written up as a low finding, and we always recommend to use anon/proxy information when possible. This is a common security practice.

TomOctober 2, 2013 6:23 PM

Ok. Now we know that banks and child pornographers tend to use whois proxies - but what about honest people?

Dirk PraetOctober 2, 2013 8:10 PM

@ SM

As a security auditor, WHOIS information that contains identifying information that isn't entirely generic is written up as a low finding, and we always recommend to use anon/proxy information when possible.

I agree. Anything but generic information can be used for social engineering, phishing and the like. Not to mention being spammed on a continuous basis by scammers and other morons trying to trick you into registring [your_name].cn , .hk and other exotic extensions you have no use whatsoever for. Having those handled by a 3rd party that knows what it's doing is a convenient way to shield you from such issues. As well as obstructing LE when you're up to no good, of course.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..