Study Suggestion Number 15
- To: study-suggestions@xxxxxxxxxxxxxxxxxxxx
- Subject: Study Suggestion Number 15
- From: study-suggestion-response@xxxxxxxxx
- Date: Fri, 15 Feb 2008 17:13:57 -0800
Submitted By:
[Redacted for privacy reasons]
Topic:
Is there a correlation between the means used to access Whois information (port
43 versus web-based access) and the use of Whois data for facilitating illegal
or undesirable activities (such as spam)?
Hypothesis:
Those using Whois data to facilitate illegal or undesirable activities (such as
spam) depend on port 43 access to Whois to obtain Whois data.
How the hypothesis could be falsified:
Produce data showing that the web is the primary means by which those
facilitating illegal or undesirable activities using Whois data are accessing
the Whois database, and/or that the prevalence of such activities does not
correspond to the means of access available.
Utility:
If much, if not all, use of the Whois database to facilitate illegal or
undesirable activities is traceable to data mining over port 43, perhaps a
proposal that focuses on controlling the means of access to Whois (such as
perhaps by allowing a combination of web-based access, providing alternate
solutions for legitimate current uses of port 43, and authenticated port 43
access), rather than completely removing particular fields of data from
availability, could be effective in controlling data mining, spam, or other
harms, while at the same time preserving substantially unrestricted access for
legitimate uses.
Type of Study Needed:
A quantitative study of abuse of Port 43 versus web-based access to Whois.
Data that needs to be collected:
First, data would need to be collected about the practices of various
registries and registrars with regard to the dissemination of Whois data.
Identify registry/registrar combinations in which different combinations of
security features and access are present. Because of uniform Whois policies in
gTLDs, ccTLDs may be considered. However, as a practical matter there may still
be variability in the services offered by some registrars and their compliance
with gTLD policies. In any event, care should be taken to provide relevant
comparisons. For instance, the .eu ccTLD offers substantially the same Whois
information (except for the combination of the Administrative Contact and the
Registrant) as .com, but allows access only over web-based access from the
registry, while .com requires web and port 43 access from the registrar only.
A sampling of domains in different registries and registrars would be
registered. Contact e-mails used to register the domains would be used for no
other purposes, and monitored to determine the volume of unsolicited
communications received by each. Track differences in spam received at
addresses available over Port 43 versus addresses not available over port 43.
Population to be surveyed:
Empirical data of port 43 versus web-based queries, and/or empirical data of
spam or other illegitimate communications received at addresses available over
port 43 Whois versus addresses available only by web-based access (and/or
access with other security features).
Sample Size:
There is no particular population identified, so there may be few requirements
beyond being numerous for statistical significance. Other aspects of diversity
may be considered, such as samples related to domains registered at a variety
of registrars.
Type of Analysis:
The data produced should readily serve to either prove or disprove the stated
hypothesis, once sorted and characterized by registry, registrar, and their
corresponding Whois access and security practices.