Re: [gnso-rap-dt] revised WHOIS note

[Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>]

James,

Spamhaus, SURBL, Knujon, and several academic anti-spam and ant-crime  
researchers have tied use of proxy registrations to criminal domain  
usage - especially in the case of pharma and other high-volume spam.   
The privacy services are also victimized in these cases, as the  
criminals do not (conveniently) provide their real details.  By using  
the privacy service though, they can avoid having to come up with  
randomized patterns for their fake whois, as their criminal  
registration details are hidden in with legitimate ones as far as the  
public can tell.  This has a negative impact on those privacy  
registration services, as their reputation is impinged by criminal  
behavior, so there is a natural incentive for those types of services  
to do a better job screening applicants (I would point to GoDaddy as a  
provider that does a good job keeping such actors out in general by  
the way).  The question is (and this is asked and speculated on widely  
within the security community) is whether there are some "fake",  
"complicit", or "clueless" privacy services out there that facilitate  
such activities.  I'm not sure about the status of that research -  
I'll ping some of my friends in the anti-spam biz on that.
Rod

Rod Rasmussen
President and CTO
Internet Identity
1 (253) 590-4088

On Jul 21, 2009, at 3:16 PM, James M. Bladel wrote:

> But does this not present the paradox of a criminal entering  
> fraudulent
> WHOIS data, and then purchasing (or stealing) Proxy Services to  
> obscure
> that fraudulent data?
>
> Or, does this scenario presume that a (not very bright) criminal will
> operate a fraudulent website, but enter their -valid- contact
> information behind a Proxy service?  This is analogous to someone
> burglarizing an darkened home, but leaving their wallet behind.
>
> My point in all of this is simply that I am not aware of any
> quantifiable data that establishes a clear and conclusive link
> implicating proxy / privacy services and criminal behaviors.  In fact,
> the recent SSAC report seems to indicate that these services provide
> some security benefits for registrants versus hijacking / compromised
> accounts.
>
> Thanks--
>
>
> J.
>
>
>   -------- Original Message --------
> Subject: Re: [gnso-rap-dt] revised WHOIS note
> From: Roland Perry <roland@xxxxxxxxxxxxxxxxxxxxxxxx>
> Date: Tue, July 21, 2009 2:16 pm
> To: gnso-rap-dt@xxxxxxxxx
>
>
> In message
> <20090721111333.9c1b16d3983f34082b49b9baf8cec04a.870be0e1f5.wbe@xxxxxxxxx
> ureserver.net>, at 11:13:33 on Tue, 21 Jul 2009, James M. Bladel
> <jbladel@xxxxxxxxxxx> writes
>
> > I guess I'm not clear on what is meant by "Abuse of WHOIS proxy
> > services." Do you mean bad actors using fraudulent / stolen data to
> > open these accounts, or compromised accounts?
> earlier Mike said:
>
> #particularly when registrars are providing the service and do not
> #divulge underlying WHOIS info upon reasonable evidence of abuse, as
> #clearly required by the RAA.
>
> Meanwhile, as someone who tries to help victims of e-crime, I find the
> proxy-WHOIS is very often used to obscure the fraudster's details. I'm
> aware that they might just be hiding false details, but shouldn't
> registrars be doing more checks on such things? For example, where a
> domain is paid for by a Credit Card, making available as default the
> address details used to verify that payment.
> --
> Roland Perry