[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Is WHOIS going to go away?

On Thu, Apr 19, 2018 at 05:57:48PM -0400, bzs at theworld.com wrote:
> One of the memes driving this WHOIS change is the old idea of
> "starving the beast".
> People involved in policy discussions complain that "spammers" -- many
> only marginally fit that term other than by the strictest
> interpretation -- use the public WHOIS data to contact domain owners.
> I've countered that 20+ years experience trying to "starve the beast"
> by trying to deny them access to email and other casual contact info
> has proven the approach to be useless.

I've been trying to kill this same meme for years, and it just won't die.
It's related to the equally-silly meme that says that email/newsgroup
archives should have the addresses of participant obfuscated, and it's
just as wrong.  Let me make yet one more likely-futile effort:

1. WHOIS data is a poor source of email addresses.  It always has been.
Much richer ones exist and new ones show up all day, every day.  The
same can be said for mailing list/newsgroup archives.  Moreover, many
of those people are poor choices as victims.

2. Those much richer sources include (and this is far from exhaustive):

	- subscribing to mailing lists
	- acquiring Usenet news feeds
	- querying mail servers
	- acquiring corporate email directories
	- insecure LDAP servers
	- insecure AD servers
	- use of backscatter/outscatter
	- use of auto-responders
	- use of mailing list mechanisms
	- use of abusive "callback" mechanisms
	- dictionary attacks
	- construction of plausible addresses (e.g. "firstname.lastname")
	- purchase of addresses in bulk on the open market.
	- purchase of addresses from vendors, web sites, etc.
	- purchase of addresses from registrars, ISPs, web hosts, etc.
	- domain registration (some registrars ARE spammers)
	- misplaced/lost/sold media
	- harvesting of the mail, address books and any other files
		present on any of the hundreds of millions of
		compromised systems


	- the security breach/dataloss incident of the day

3. The bottom line is that, starting about 15 years ago, it became
effectively impossible to keep any email address *that is actually
used* away from spammers.  [1]  Simultaneously, it became a best practice
to assume this up front and design defenses accordingly.

4. You know who is best-protected by restrictions on WHOIS and obfuscated
domain registration?  Spammers, phishers, typosquatters, and other abusers.
It's not a coincidence that the number of malicious domains has skyrocketed
as these practices have spread.  (And "skyrocket" is not an exaggeration.
I've been studying abuser domains for 15+ years and I have no hesitation
saying that easily 90% of all domains are malicious.  And that's likely
a serious understatement.  Why?  Because whereas you and I and other
NANOG-ish people register one here, one there, whether for professional
or personal or other use, abusers are registering them by the tens of
thousands and more.  Much more.)


[1] Yes, there are edge cases.  I *know*.