ICANN ICANN Email List Archives

[raa-consultation]


<<< Chronological Index >>>    <<< Thread Index >>>

Prior verification of whois data via postal verification codes

  • To: <raa-consultation@xxxxxxxxx>
  • Subject: Prior verification of whois data via postal verification codes
  • From: "Mark Samson" <Mark_Samson@xxxxxxxxxxxxxx>
  • Date: Sun, 12 Aug 2007 19:40:44 +0100

Fake whois data is not checked in reasonable time
=================================================

Parts of the Internet are monitoring 95% of email as spam. Many spam groups
are easily registering hundreds of spam advertised sites a day that redirect
to phishing, illegal pharmacy and piracy software sites. Anyone
investigating the registrant details of these domains has 0% confidence in
the accuracy of the registrant contact information as it is easily falsified
with no checks in an appropriate time period.

Under the current Accreditation agreement and ICANN policies, it seems up to
the world to prove that registrant details are false, rather than for the
registrant to verify that the details are true when first registering a
domain. Only when challenged a registrant has 15 days to respond to
inquiries by the Registrar concerning the accuracy of contact details. The
ICANN Whois Data Problem Report System (WDPRS) takes 45 days. Many criminal
activities concerning domain names only require the domain to be active in
the period for which a victim is likely to read and access the domain via
the spam email. How often do you read your email ?. A spam email campaign
only needs domains to be active for a few days for the great majority of
responses. Many spam groups send new spams advertising new domains every 3
to 7 days. Clearly the system greatly favours fake registrant details and
criminal activity.


Prior verification of whois data via postal verification codes
==============================================================

ICANN can greatly improve matters by changing the Accreditation agreement so
that first time registrants have to verify their contact details before the
Registrar enables them to access and use their domains. This might work as
follows:

1) The first time Registrant buys the domain name, but it is temporarily
held by the Registrar and cannot be used by the Registrant.

2) The Registrar sends a verification code by normal postal mail ("snail
mail") to the Registrant using the Registrant's contact information that
will be used for the whois data for the domain.

3) If the contact information is correct, the Registrant receives the posted
verification code and enters the code on the Registrar's website, enabling
access to the domain and registration of the contact details in the whois
data for that domain.

4) The Registrant only has to go through this process once and can registrar
further domains, using the verified contact details without requiring
verification codes to be posted to them.


Pros and Cons
=============

There is a minor cost of postage of the verification code to the first time
registrant and a delay before they can access their first registered domain.
The registrant would most likely pay this cost and any Registrar worthy of
accreditation should easily be able to manage this process.

Registrants involved in criminal activity, will find it complicated to
register multiple domains around the world with different fake contact
addresses, as they will need to receive the verification code for each
contact address. Even if they manage to have an accomplice at an address to
receive the code, it will be easier for authorities to investigate a
recipient at a real address.

ICANN will have an easier job in improving the integrity of whois data, as
"Mickey Mouse" fake contact address details can no longer be used and
authorities will know that a registrant address has been checked at
registration.











<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy