[gnso-ff-pdp-may08] Whois through DNS - The Details
- To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] Whois through DNS - The Details
- From: Marc Perkel <marc@xxxxxxxxxx>
- Date: Fri, 18 Jul 2008 11:01:33 -0700
Continuing with my line of thinking .....
WHY HAVE A DNS VERSION FOR WHOIS
The reason to have a DNS based version of Whois is for high speed
distributed access to whois data for real time queries of whois
information. As someone in the spam filtering business I'm looking at it
from that perspective. There are other perspectives as well and others
should join in.
What I do is front end spam filtering. The customers point their MX to
our servers, we filter it, and forward the good email on to the
customer's existing server. This is done in real time so that the email
users don't see any noticeable delays.
In the spam filtering world we use DNS to post all kinds of data, much
of which is unrelated to the original purpose of DNS. We are essentially
using DNS as a high speed database and we, in the spam filtering world,
have very solid and widely used tools for doing this. So I'm talking
about using existing and well accepted technology. No new technology or
untested technology is being suggested here.
The existing Whois infrastructure isn't suitable to handle the speed or
load levels required. DNS however is suitable and it is an established
method used in the spam filtering industry. Thus the idea here that I'm
suggesting is to take parts of the public information that already
exists in whois and make that same information available to the world
through a different high speed protocol.
WHAT WHOIS INFORMATION NEEDS TO BE AVAILABLE THROUGH DNS?
Generally the registrant is of little use in detecting spam. However the
registrant might be useful in detecting good email. Many spam filtering
companies not only focus on actively detecting spam. Many of us focus on
detecting good email to avoid false positives. It is more important to
not block good email than it is to block junk email. So in the spam
filtering world we might create a registrant reputation database that
would be useful in classifying good registrants.
As to fast flux, if the registrars were to publish DNS nameserver change
information through DNS, that could be useful. This is not part of the
current Whois protocol, but it is public information in that if I were
to monitor all domains I could construct this information myself,
although it would be massively inefficient. So this wouldn't reveal
anything that wasn't already technically public.
I would also be interested in the age of the domain. Or alternatively
the starting date, or perhaps the expiration date. Much fraud is done by
new domains which I might subject to a higher level of scrutiny.
However, if the domain is paid up several years in advance then that
indicates permanence which can be used as a white rule.
Another key piece of information would be the registrar of the domain.
There may be some registrars that are very exclusive and very expensive
that spammers would never use (with the exception of free mail domains
like Google, Yahoo, Hotmail). But more importantly - if I know the
registrar and I detect an issue then I know where to report the problem.
For example, if someone impersonating Wells Fargo Bank registers
wellsfargo.cn and sends fraud spam, and I know that they registered with
godaddy.com, then I could send an automated email to them that a domain
under their control is being used for fraud.
Additionally the email address of the technical contact is also useful
for reporting problems.
I believe much spam, fraud, and abuse can be stopped through fast
automated reporting of problems. If this information were published
through DNS then we in the spam filtering community can work with the
registrars to quickly report and shut down domains being used for fraud.
WHY AN INFORMATION BASED SOLUTION IS BETTER THAN A RESTRICTION BASED
SOLUTION
The quick answer is response speed and precision. Policy is slow and
imprecise. I can't think of any way through policy that we can
distinguish good fast flux from bad fast flux. If we restrict free
speech then it might take years to undo the damage. And those in the
fraud world will just change methods and move on.
In the spam filtering world if I see a new scam I might be able to write
a new rule in minutes and block that scam. If my rule also takes out
some free speech I can modify my rule to fix that quickly. The more
information I have to work with the more accurately I can distinguish
between free speech and fraud. Thus the free speech is passed and the
fraud is blocked and reported.
THE NATURE OF SPAM AND FRAUD
A little education about spam and fraud. In order for a fraud to work
there has to be a plan that includes advertising the scam to victims,
getting victims to respond, and getting the victims money. If any part
of the process is disrupted then that scam fails and we win.
Spam always wants to do something. They want you to click on this
link. They want you to reply to an email address. They want you to call
some phone number. And one of the easiest ways of detecting spam and
fraud is to focus on what the message wants you to do.
Most spam wants you to click on a link and go to a web site. These links
either have an IP address or a domain name as part of the link. IP
addresses are more easily shut down. However a domain name using fast
flux is not.
When I get an email I scan it for links to domains that are blacklisted
in URIBL lists. These lists use DNS as a database (as I am suggesting
here) to list domains that are web sites used by spammers to get your
money and defraud you. These lists are built cooperatively by spam
filtering companies coming together and building them. Thus if we see a
domain name being used for fraud spam then we can blacklist it and stop
all email that links to that domain. This disrupts one part of the
process and makes the fast fluxing useless.
If we can detect that a domain is fast fluxing that isn't yet listed, we
can determine if the domain should be listed, taking into account whois
information and combining it with other information we know. This will
allow us in the real time world to respond faster and stop fraud using
the information provided. And the faster we can make an accurate
determination the faster we can stop the fraud.
DETECTING SPAM BY BEHAVIOR
Most of the spam that I block is based on the behavior of the spammer
rather than the content of the message. There are tricks that only
spammers do and if that trick can be detected it can be blocked based on
the spammer using the trick. Sometimes it's a combination of factors
where if the message is doing A, B and C then only spammers do that. Thus
fast fluxing in itself might not be spam. But fast fluxing AND wanting
you to give up a password would be.
I have some interesting tricks to detect spambots and I can detect spam
bots with near 100% accuracy on the first attempt to send spam. One
thing I do is post fake high numbered MX records pointing to IP
addresses on the same machine that hosts the lowest numbered MX record.
I also have a middle ring of fallback servers so in theory these high MX
records should never see traffic. However spammers often try to go in
the back door thinking the backup servers have less spam filtering than
the main server. So they try the high numbered MX records first. Thus
hosts hitting the high MX records are noted and I return a 451 temporary
error telling them to come back later. This by itself doesn't get them
blacklisted.
Spam bots, however, after being rejected or delivering spam, don't close
the connection with a QUIT command, as their spam is delivered and being
polite just uses up processor and bandwidth that can be used to spam
someone else. So I also watch for the no quit and note that as well. So
if I see the combination of high numbered MX hits AND no quit and there
is any one of other sins I track (bogus HELO, etc.) I can instantly ID
the IP as a spam bot and can get them into the blacklist within 2
minutes of the attempted spam. And anyone using my blacklist can then
block spam on their system based on my listing of the virus infected IP.
This is just an example of what we do and others in the spam filtering
industry do. We look at a lot of information and make automated
decisions. The Whois information would help us do a better job. So the
solution to fast flux might not be in ICANN doing something to stop it,
but helping others through information to stop it.
CONTACT INFORMATION FOR REPORTING IS IMPORTANT
Often filtering companies detect a problem that could be stopped at the
source if we could just alert the source that there is a problem. In the
case of spambots, the source is the ISP who provides access to the
internet to the virus infected victim. If the ISPs knew of problems then
they could take action like temporary port 25 blocks or calling their
customer to let them know their computer has been hacked so they can fix
it. Thus I suggest that through WHOIS and policy we create a
problem reporting infrastructure so that those of us who detect a
problem can communicate that to those who need to know about the
problem. And we need high speed DNS based whois so that we can use
automation to do this.
CONCLUSION
I believe that the world's spam bots can be completely (or 99%+) defeated
through information, communication, ISP tools, and publishing best
practices and this can be done without restricting free speech or civil
liberties. This war is winnable and if we are careful and think it
through we can have a nearly fraud free, spam free world. Quite frankly,
I'd like to win this spam war and put myself out of business. I have
other things I want to do with my life and although I make a good living
at this I have better things to do.
Hopefully I have given you all something to think about. Feel free to
jump in and expand or tell me why I'm wrong.
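The behaviour-based spambot rule described under DETECTING SPAM BY BEHAVIOR (decoy high-numbered MX hit, no QUIT, plus one further sin such as a bogus HELO), written out as an added example in Python; this is not Marc Perkel's code. The MX priorities, the HELO sanity check and the session records are assumptions and constructed data.

```python
import re
from dataclasses import dataclass

# Assumption: MX priority 10 is the real front end; 50 and 100 are decoy
# high-numbered MX records that a well-behaved sender should never reach.
LOWEST_MX = 10

@dataclass
class Session:
    ip: str
    mx_priority: int   # priority of the MX record the client connected to
    helo: str          # name presented in HELO/EHLO
    sent_quit: bool    # did the client end the session with QUIT?

HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def bogus_helo(helo: str) -> bool:
    """HELO is bogus if it is not hostname-shaped or is a bare IPv4 literal."""
    return not HOSTNAME_RE.match(helo) or bool(IPV4_RE.match(helo))

def sins(s: Session) -> set[str]:
    """The tracked behaviours from the post: decoy MX hit, no QUIT, bogus HELO."""
    checks = {"high_mx": s.mx_priority > LOWEST_MX,
              "no_quit": not s.sent_quit,
              "bogus_helo": bogus_helo(s.helo)}
    return {name for name, hit in checks.items() if hit}

def smtp_response(s: Session) -> str:
    """A decoy-MX hit only earns a 451 temporary error; it is not a listing by itself."""
    return "451 4.7.1 Try again later" if s.mx_priority > LOWEST_MX else "250 OK"

def is_spambot(s: Session) -> bool:
    """Post's rule: high-MX hit AND no QUIT AND at least one other tracked sin."""
    f = sins(s)
    return {"high_mx", "no_quit"} <= f and bool(f - {"high_mx", "no_quit"})

def blacklist(sessions) -> list[str]:
    return sorted({s.ip for s in sessions if is_spambot(s)})

# Constructed sessions (not real traffic) covering each branch of the rule.
SESSIONS = [
    Session("192.0.2.10", 10, "mail.example.org", True),    # normal MTA
    Session("192.0.2.20", 100, "mail.example.net", True),   # decoy MX, but polite: deferred only
    Session("192.0.2.30", 100, "localhost", False),         # decoy MX + no QUIT + bogus HELO
    Session("192.0.2.40", 50, "203.0.113.5", False),        # decoy MX + no QUIT + bare-IP HELO
    Session("192.0.2.50", 10, "pc", False),                 # no QUIT + bogus HELO, real MX: not listed
]
```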
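An added example (not the author's code) of the DNS-as-database idea from the post: link domains in a message are checked against a URIBL-style zone, and unlisted ones are scored from a hypothetical whois-over-DNS TXT record carrying registrar, creation date, expiry and recent nameserver-change count. The `uribl.example` and `whois.example` zones, the TXT layout, the thresholds and the in-memory answers are all assumptions; the date is pinned to the post's date.

```python
import re
from datetime import date

# Constructed stand-in for DNS answers (no network). The uribl.example zone
# mimics a URIBL; whois.example and its TXT layout are assumptions, not a real
# zone or format. NOW is pinned to the post's date so ages are reproducible.
NOW = date(2008, 7, 18)
DNS = {
    "wellsfargo.cn.uribl.example": "127.0.0.2",   # listed domain
    "newscam.example.whois.example":
        "registrar=registrar-a.example;created=2008-07-10;expires=2009-07-10;nschanges30d=12",
    "oldbank.example.whois.example":
        "registrar=registrar-b.example;created=2001-03-01;expires=2013-03-01;nschanges30d=0",
}

def dns_lookup(name: str):
    return DNS.get(name.lower())

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def link_domains(body: str) -> list[str]:
    """Domains the message wants the reader to visit (the 'what it wants you to do')."""
    return sorted({m.lower() for m in URL_RE.findall(body)})

def parse_whois_txt(txt: str) -> dict:
    fields = dict(kv.split("=", 1) for kv in txt.split(";"))
    return {
        "registrar": fields["registrar"],
        "age_days": (NOW - date.fromisoformat(fields["created"])).days,
        "paid_days": (date.fromisoformat(fields["expires"]) - NOW).days,
        "nschanges30d": int(fields["nschanges30d"]),
    }

def classify_domain(domain: str) -> tuple[str, dict]:
    if dns_lookup(f"{domain}.uribl.example"):
        return "listed", {}               # already blacklisted: block the mail
    txt = dns_lookup(f"{domain}.whois.example")
    if txt is None:
        return "unknown", {}
    info = parse_whois_txt(txt)
    if info["age_days"] < 30 and info["nschanges30d"] >= 5:
        return "suspect", info            # new AND fast-fluxing: candidate for listing, report to registrar
    if info["paid_days"] > 2 * 365:
        return "established", info        # paid years ahead: the post's "white rule"
    return "neutral", info

def scan_message(body: str) -> dict:
    return {d: classify_domain(d)[0] for d in link_domains(body)}
```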