ICANN Email List Archives

[gnso-acc-sgb]



RE: Fw: [gnso-acc-sgb] Report for today

  • Subject: RE: Fw: [gnso-acc-sgb] Report for today
  • From: <mortenla@xxxxxxxxxxxxxx>
  • Date: Fri, 25 May 2007 12:58:30 -0500

I'd wager that it's not even the correct domain name reviewed through
WHOIS.  Most of these phishers spoof the domain in the "From" field.
Since the headers weren't provided, we can't really tell where the email
came from.  It would be very difficult for Bank of America to "police
their domain" as suggested, without access to the WHOIS record.
 
I wouldn't be opposed to the idea of some type of "pre-screening"
process for private companies to be able to access the protected data
for anti-fraud efforts, but this would need to be done on a one-time
basis or maybe on some type of bi-annual renewal basis instead of every
time the company has to investigate a fraud.  Many of these large
companies like Bank of America are the target of a phishing attack
multiple times each day.  It's not unusual for them to be working 25-50
separate and distinct fraudulent sites in a given day.  If they needed
to go through a "screening" process each time, it would be extremely
detrimental to the anti-fraud efforts.



-----Original Message-----
From: owner-gnso-acc-sgb@xxxxxxxxx [mailto:owner-gnso-acc-sgb@xxxxxxxxx]
On Behalf Of Margie Milam
Sent: Friday, May 25, 2007 10:48 AM
To: ross@xxxxxxxxxx
Cc: gnso-acc-sgb@xxxxxxxxx
Subject: RE: Fw: [gnso-acc-sgb] Report for today

That's correct.  

I disagree with Ross that this is out of scope since we are talking
about whether registrars currently deploy some technological limitations
on Port 43, and whether such limitations could be useful in developing a
tiered access approach to WHOIS.  

I believe that the registrar's current practices, including
blacklisting/whitelisting IP addresses, rate limits per IP addresses,
and truncated records per IP address, may be some of the limitations
that could be evaluated in our work.  As a registrar, I agree with Ross
that any changes to WHOIS access need to be implementable and not cost
prohibitive.   

Margie 


-----Original Message-----
From: Ross Rader [mailto:ross@xxxxxxxxxx]
Sent: Friday, May 25, 2007 11:23 AM
To: Margie Milam
Cc: gnso-acc-sgb@xxxxxxxxx
Subject: Re: Fw: [gnso-acc-sgb] Report for today

Completeness is a service specific notion. In this case, the whois query
was conducted through the non-authoritative registry whois which has
different collection and publication requirements. Authoritative
registrar whois requirements are slightly different, leading to the
payload as illustrated in the example below. There is a second type of
non-authoritative whois data, also known as "referral whois data" which
are those whois services provided by third party services who are simply
reproducing the data found at the authoritative whois service offered by
the registrar. Depending on the method of query, there are policy
issues, probably out of scope for this working group, related to the
methods of acquisition and publication of this type of data by these
third parties.

Tucows does not employ rate limiting in its whois services, however we
do employ query limiting and blacklisting (blacklisting is a form of
rate limiting I suppose, if the rate limit is always assumed to be
zero).

So yes, the earlier whois data that was published was complete, as is
the record Margie reproduced below - the difference between the two is
only the source of the data, in this case Verisign registry and Tucows
registrar.

Margie Milam wrote:
> Is this information from the registry WHOIS or the registrar WHOIS 
> published through Port 43?
> 
> The reason for my question is that I understand that some registrars
> will apply rate-limits on Port 43 with respect to certain blacklisted IP
> addresses, and will only publish a truncated WHOIS record (similar to
> this) when they receive inquiries from an IP address that they believe
> is abusing Port 43.   I don't know if Tucows uses this method with
> respect to Port 43 (perhaps Ross can clarify).
>
> This could be relevant to our analysis as we explore, per Ross'
> suggestion, the technical possibilities related to Port 43, that could be
> utilized in a tiered access approach.
> 
> I note that if I go to the Tucows website and do a WHOIS lookup on 
> bankofamerica.com, I get the complete WHOIS record (see below).
> 
> 
> Margie
> 
> ___________________________________________
> 
> Whois info for, bankofamerica.com:
> 
> Registrant:
>  Bank of America
>  1201 Main St.
>  TX1-609-12-15
>  Dallas, TX 75202
>  US
> 
>  Domain name: BANKOFAMERICA.COM
> 
>  Administrative Contact:
>     Administrator, Domain  Domain.Administrator@xxxxxxxxxxxxxxxxx
>     1201 Main Street, 12th Floor
>     M/S TX1-609-12-15
>     Dallas, TX 75202
>     US
>     214-508-7868
>  Technical Contact:
>     HostMaster, The  hostmaster@xxxxxxxxxxxxxxxxx
>     2000 Clayton Road
>     M/S CA4-704-04-21
>     Concord, CA 94520-2425
>     US
>     +1.9256928812
> 
> 
>  Registrar of Record: TUCOWS, INC.
>  Record last updated on 16-Mar-2007.
>  Record expires on 28-Dec-2010.
>  Record created on 28-Dec-1998.
> 
>  Domain servers in listed order:
>     NS4.BANKOFAMERICA.COM   171.159.192.15
>     NS3.BANKOFAMERICA.COM   171.161.160.15
>     NS1.BANKOFAMERICA.COM   171.159.64.15
> 
> 
>  Domain status: clientTransferProhibited
>                 clientUpdateProhibited Margie
> 
> -----Original Message-----
> From: Ross Rader [mailto:ross@xxxxxxxxxx]
> Sent: Friday, May 25, 2007 9:39 AM
> To: Margie Milam
> Cc: gnso-acc-sgb@xxxxxxxxx
> Subject: Re: Fw: [gnso-acc-sgb] Report for today
> 
> Margie Milam wrote:
>> Where is the rest of the WHOIS information?  If this is the
>> complete record, a lot of currently required information is missing.
>> The email address is missing from this, as well as the phone number of
>> the various contacts.   It would be very difficult to contact Bank of
>> America or send them an email if there were issues related to the domain
>> name.
> 
> There is nothing missing from this record.
> 
> -ross
> 
> 
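
The Port 43 controls named in this thread (whitelisting and blacklisting of IP addresses, per-IP query limits, truncated records) can be modelled as one policy in which a blacklisted source has a limit of zero and a pre-screened source has none. This is an added example, not part of the original messages and not any registrar's implementation; the class name, field names, limit value and sample record are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample record using documentation values, not real registration data.
FULL_RECORD = {
    "domain": "EXAMPLE.COM",
    "registrar": "EXAMPLE REGISTRAR, INC.",
    "nameservers": ["NS1.EXAMPLE.COM", "NS2.EXAMPLE.COM"],
    "status": ["clientTransferProhibited"],
    "registrant": "Example Corp, 1 Example St, Springfield, US",
    "admin_email": "domain.admin@example.com",
    "admin_phone": "+1.5555550100",
}
# Assumption: a truncated answer keeps only these non-contact fields.
TRUNCATED_FIELDS = ("domain", "registrar", "nameservers", "status")


@dataclass
class Port43Policy:
    whitelist: set = field(default_factory=set)  # pre-screened sources
    blacklist: set = field(default_factory=set)  # sources judged abusive
    query_limit: int = 3                         # hypothetical per-window limit
    counts: dict = field(default_factory=dict)   # queries seen per source IP

    def limit_for(self, ip):
        """Blacklisting is a limit of zero; whitelisting is no limit (None)."""
        if ip in self.blacklist:
            return 0
        if ip in self.whitelist:
            return None
        return self.query_limit

    def answer(self, ip, record):
        """Return (tier, payload) for one query and count it against the IP."""
        limit = self.limit_for(ip)
        used = self.counts.get(ip, 0)
        self.counts[ip] = used + 1
        if limit is None or used < limit:
            return "full", dict(record)
        return "truncated", {k: record[k] for k in TRUNCATED_FIELDS}

    def reset_window(self):
        """Call at the start of each counting window (e.g. daily)."""
        self.counts.clear()


if __name__ == "__main__":
    policy = Port43Policy(whitelist={"192.0.2.10"}, blacklist={"198.51.100.7"})
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        tier, payload = policy.answer(ip, FULL_RECORD)
        print(ip, tier, sorted(payload))
```
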







