Re: [gnso-rap-dt] revised WHOIS note

[Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>]

Thanks Jeff,

I'll see about getting some contributions from folks in the community  
on the question.  I want to emphasize that the issue I am pointing out  
here isn't that proxy registrations are being used PRIMARILY by  
criminal spammers (and other sorts of criminals), but rather that  
they're being used by at least some, and that makes life harder for  
just about everyone.  The folks chasing down cybersquatting activity  
probably run into proxy registrations far more often than us going  
after hard-core criminals, but I'll let them speak to that.  We  
certainly see specific groups using this technique as their M.O. - for  
example - and why I felt compelled to reply on this thread - just last  
week we ran into a group that has all of their domains tied into what  
looks like a fictitious privacy service.  There are a couple dozen  
domains in that one, all tied to malware C&C and distribution.  I  
can't share the names at this time - it's an active case, and this is  
a public list.  Is this a major problem in the grand scale of things?   
As Jeff points out, this probably depends on your viewpoint.  I also  
believe the solution lies with having well-defined and enforced  
policies, procedures, and responsibilities for all parties  
investigating and responding to queries about abuse being perpetrated  
using privacy protected domain names.  Is that within scope?  I'd say  
it's at least something we could comment on and perhaps provide some  
information, beyond that - well, that's what all those fun calls are  
for right?  :-)
Best,

Rod Rasmussen
President and CTO
Internet Identity
1 (253) 590-4088

On Jul 21, 2009, at 8:43 PM, Neuman, Jeff wrote:

> I believe getting the data will be important, but as we have seen
> before, once the data comes in, it can be sliced in a large number of
> ways depending on the side you are on.
>
> One key point to note is that whether there is a link or not between
> proxy services and criminal activity, there is certainly a strong
> perception in a number of communities that there is a link and that
> standards should be developed to come up with best practices to guide
> registrars operating proxy or anonymous WHOIS services, especially  
> as it
> relates to revealing the true identity of the registrant when one
> perceives that that registrant has wronged a third party.  They  
> believe
> that so long as there is a predictable, standardized process to  
> retrieve
> that information, so they can pursue the appropriate legal remedy,  
> then
> may be adequate.
>
> I am not commenting on whether this is in the scope of this group or  
> not
> (as I have not recently read the charter), but just stating what  
> others
> have shared with me.
>
> Jeffrey J. Neuman, Esq.: NeuStar, Inc.
> Vice President, Law & Policy
>
>
> The information contained in this e-mail message is intended only for
> the use of the recipient(s) named above and may contain confidential
> and/or privileged information. If you are not the intended recipient  
> you
> have received this e-mail message in error and any review,
> dissemination, distribution, or copying of this message is strictly
> prohibited. If you have received this communication in error, please
> notify us immediately and delete the original message.
>
>
>
> -----Original Message-----
> From: owner-gnso-rap-dt@xxxxxxxxx [mailto:owner-gnso-rap-dt@xxxxxxxxx]
> On Behalf Of eckhaus jeff
> Sent: Tuesday, July 21, 2009 7:13 PM
> To: 'Rod Rasmussen'; James M. Bladel
> Cc: Roland Perry; gnso-rap-dt@xxxxxxxxx
> Subject: RE: [gnso-rap-dt] revised WHOIS note
>
>
> Rod,
>
> Could you provide the data and the findings to the group that you
> reference regarding the studies by "Spamhaus, SURBL, Knujon, and  
> several
> academic anti-spam and ant-crime researchers" along with the  
> methodology
> used.
>
> I think the Working Group would like to see the quantifiable data  
> and as
> a registrar I would love to see the findings and details so that we  
> can
> help the community if there is a need here.
>
>
>
> Thanks
>
> Jeff
>
>
>
>
>
> -----Original Message-----
> From: owner-gnso-rap-dt@xxxxxxxxx [mailto:owner-gnso-rap-dt@xxxxxxxxx]
> On Behalf Of Rod Rasmussen
> Sent: Tuesday, July 21, 2009 3:37 PM
> To: James M. Bladel
> Cc: Roland Perry; gnso-rap-dt@xxxxxxxxx
> Subject: Re: [gnso-rap-dt] revised WHOIS note
>
>
> James,
>
> Spamhaus, SURBL, Knujon, and several academic anti-spam and ant-crime
> researchers have tied use of proxy registrations to criminal domain
> usage - especially in the case of pharma and other high-volume spam.
> The privacy services are also victimized in these cases, as the
> criminals do not (conveniently) provide their real details.  By using
> the privacy service though, they can avoid having to come up with
> randomized patterns for their fake whois, as their criminal
> registration details are hidden in with legitimate ones as far as the
> public can tell.  This has a negative impact on those privacy
> registration services, as their reputation is impinged by criminal
> behavior, so there is a natural incentive for those types of services
> to do a better job screening applicants (I would point to GoDaddy as a
> provider that does a good job keeping such actors out in general by
> the way).  The question is (and this is asked and speculated on widely
> within the security community) is whether there are some "fake",
> "complicit", or "clueless" privacy services out there that facilitate
> such activities.  I'm not sure about the status of that research -
> I'll ping some of my friends in the anti-spam biz on that.
>
> Rod
>
> Rod Rasmussen
> President and CTO
> Internet Identity
> 1 (253) 590-4088
>
> On Jul 21, 2009, at 3:16 PM, James M. Bladel wrote:
>
> > But does this not present the paradox of a criminal entering
> > fraudulent
> > WHOIS data, and then purchasing (or stealing) Proxy Services to
> > obscure
> > that fraudulent data?
> >
> > Or, does this scenario presume that a (not very bright) criminal will
> > operate a fraudulent website, but enter their -valid- contact
> > information behind a Proxy service?  This is analogous to someone
> > burglarizing an darkened home, but leaving their wallet behind.
> >
> > My point in all of this is simply that I am not aware of any
> > quantifiable data that establishes a clear and conclusive link
> > implicating proxy / privacy services and criminal behaviors.  In  
> > fact,
> > the recent SSAC report seems to indicate that these services provide
> > some security benefits for registrants versus hijacking / compromised
> > accounts.
> >
> > Thanks--
> >
> >
> > J.
> >
> >
> >  -------- Original Message --------
> > Subject: Re: [gnso-rap-dt] revised WHOIS note
> > From: Roland Perry <roland@xxxxxxxxxxxxxxxxxxxxxxxx>
> > Date: Tue, July 21, 2009 2:16 pm
> > To: gnso-rap-dt@xxxxxxxxx
> >
> >
> > In message
> <20090721111333.9c1b16d3983f34082b49b9baf8cec04a.870be0e1f5.wbe@xxxxxxxx
> c
> > ureserver.net>, at 11:13:33 on Tue, 21 Jul 2009, James M. Bladel
> > <jbladel@xxxxxxxxxxx> writes
> >
> > > I guess I'm not clear on what is meant by "Abuse of WHOIS proxy
> > > services." Do you mean bad actors using fraudulent / stolen data to
> > > open these accounts, or compromised accounts?
> > earlier Mike said:
> >
> > #particularly when registrars are providing the service and do not
> > #divulge underlying WHOIS info upon reasonable evidence of abuse, as
> > #clearly required by the RAA.
> >
> > Meanwhile, as someone who tries to help victims of e-crime, I find  
> > the
> > proxy-WHOIS is very often used to obscure the fraudster's details.  
> > I'm
> > aware that they might just be hiding false details, but shouldn't
> > registrars be doing more checks on such things? For example, where a
> > domain is paid for by a Credit Card, making available as default the
> > address details used to verify that payment.
> > --
> > Roland Perry