Re: [ga] Privacy and Whois databases
Very well put; I only wish I could do as well.
Peter Veeck
John C Klensin wrote:
> On Fri, 15 Oct 1999 21:19:05 -0500 Peter Veeck <veeck@texoma.net>
> wrote:
>
> > I use whois to fight spam abuse. Are Spam complaints going
> > to be taken over by ICANN or a subset thereof?
>
> (This note is going to be long and a bit technical. I apologize
> in advance and anyone who believes that all problems are easy
> should just skip it. Additional disclaimer: these are personal
> impressions based on a bit of experience and thought --I have no
> idea whether anyone else in MCI WorldCom would agree and they
> certainly aren't corporate positions.)
>
> Peter,
>
> This case worries me a lot, because I can argue that either
> whois is important to it or that it is nearly irrelevant. The
> problem also looks different depending on whether you see those
> tables as sources of information for fighting spammers (and you
> and I do) or as sources of addresses for use by the spammers
> (the amount of spam I get as the result of being in those tables
> is trivial compared to what shows up from other sources, and
> the CDs of millions of addresses for people to bother don't
> appear to be significantly populated from Whois).
>
> For background, in my day job, I've ended up with administrative
> responsibility for MCI.NET; if you check the Whois tables,
> you'll find my name and phone number there. Until 13
> months ago, MCI.NET (with a fairly deep hierarchy) was the
> management domain for internetMCI: there were never supposed to
> be any user/customer mail addresses in the domain, but there
> were many routers, mail and web servers, system management
> stations, etc. internetMCI was pretty aggressively antispammer,
> with a significant full-time staff dedicated to fighting the
> activity, and there are a good number of ex-spammers, would-be
> spammers, and even a few ex-large-bandwidth customers who can
> attest to that. When we sold internetMCI to Cable and
> Wireless, most of the spam-fighting apparatus went to them along
> with the equipment, customers, etc.
>
> But the spammers --or those who supply them with software and
> tools-- either don't know that the sale occurred or don't care,
> so MCI.NET has become a popular address for faking into
> messageIDs, "From:" fields, bogus server names, etc., and is
> used far more in those ways than it was, e.g., two years ago.
> That the addresses are being faked is, in almost all cases,
> obvious to anyone who has a clue about email and who takes a
> minute to examine the trash that they have received.
>
> It is also worth noting that, as for most business activities,
> when things get large, they get specialized: even if
> information is public, for a large domain, the top-level
> contacts in the Whois tables are _exactly_ what the specs say
> they are, i.e., administrative, technical, and billing contacts
> for _namespace_ management. They may not have much to do with
> email systems or, in especially bad cases, may not be more
> effective at reaching the email people in their organizations
> than an end user might be.
>
> So, let's see what happens today. A user receives spam and
> finds it offensive. There are a bunch of neat tools on the
> market that either intercept the stuff sight unseen or take a
> referral from that user and start sending out complaint messages
> -- to postmaster, root, any address in whois, etc., at all of
> the apparently-relevant domains. But those tools aren't too
> smart, especially in the hands of clueless users (we recently
> had the authors of one tell us that being more careful would
> slow down the software and be inefficient (!)).
>
> So, these faked addresses produce a large flow of messages (some
> of them quite abusive and threatening) to people who aren't
> responsible for the spam or its relaying, have little or no
> control over organizational mail servers, and, if there are
> specific people in the organization whose jobs focus on
> spammer-fighting and who have the skills and tools to do so,
> they don't get reached. I, and I assume most of us, do forward
> those notes to the right places, but some considerable time gets
> lost in the process.
>
> And time is important: typically, the real offenders are
> originating the junk from short-lived dialup accounts. If they
> can be tracked down at all, one has to capture the dialup
> address and timestamps from the email header, identify the ISP,
> get to _their_ antispam people, and find out which customer was
> using that address at that time (that assumes little relaying
> and fakery goes on; otherwise the tracing process has to be done
> recursively, one site/organization at a time). Now, here, the
> whois tables might help us identify a site contact to discuss
> things with, but, as in our case, the larger and better-staffed
> the ISP is, the less likely it is that the whois path will be
> particularly efficient. And many ISPs don't keep those
> detailed logs for a very long time: if the spammer can succeed
> in evading identification for long enough (in some cases we have
> encountered, only 24 hours), it can't be found at all.
>
> Even if we (or someone closer to the user -- we really shouldn't
> be involved at all in this part of the process) find the right
> ISP, privacy and business considerations often prevent their
> identifying the customer to us. If they care (some do more than
> others), they must identify the customer and take responsibility
> for discouraging the behavior (noting that shutting down the
> account of a dialup user is nearly pointless -- it just shows up
> somewhere else a few minutes later). But those are other
> issues.
>
> Conclusion: the whois data, even if available, aren't an
> especially good tool for fighting spam, although they may be
> better than anything else right now (see below). And, if they
> are needed, replacing them with the smail, inquiries to
> registrars, or proofs of why the information is important, just
> aren't going to be adequate substitutes because of those
> timeout problems.
>
> However, it is often extremely important to be able to use the
> Whois data for the reasons for which they (and the rule that
> sites running email must support a "postmaster" address) were
> originally intended: to get a message to someone about
> something, in the name space, on the mail system, or elsewhere
> relevant, that the involved system is broken and needs fixing up
> from the inside. In the Whois case, relying on a DNS SOA record
> (or something similar) to obtain the contact information can be
> pointless -- the canonical complaint is "your DNS server is
> broken and is causing network damage", and that requires a path
> that doesn't depend upon being able to access the DNS server.
> Remember that, ultimately, the information in those tables is
> about the management of a name space... it is not about who runs
> a business, where to find the web master, or who is the chief
> poo-bah in charge of cutting off customers who violate network
> norms.
>
> Oddly, the trademark issues that keep coming up as examples of
> why the data need to be public may be less difficult, just
> because obtaining information in strictly real-time may be a bit
> less important. I haven't seen anything that feels to me like
> the right formula yet (some of the ideas that have been floated
> feel distinctly not-right, but I think there may be a reasonable
> one somewhere). For example, there may be some possibilities
> involving registering or credentialing people who would engage
> in legitimate intellectual property searches to get them
> different access than random users might have while ensuring
> those mechanisms don't create another monopoly or another
> "business opportunity" for registries or registrars. And, if
> _their_ privacy is important, we could imagine third-party
> organizations, keys, and certificates that would provide
> credentials while protecting privacy.
>
> That obviously isn't a case for either "should be completely
> open" or "should be completely closed" or even for "user
> option". It is a strong suggestion that there are more
> possibilities if we think creatively about the issues and what
> we are trying to accomplish.
>
> And that brings us back to the fighting of the spammers. I
> think some creative work is needed. It isn't clear to me that
> ICANN is the right place to do the work or to make whatever
> guidelines are needed. I think most ISPs, and companies who
> receive a lot of spam complaints, would be delighted to publish,
> either as part of Whois data that was always exposed or through
> some agreed-upon DNS entry, contact information for anyone who
> believes spam is originating from their sites and that the odds
> of persuading others to go along are pretty good. A "for
> alleged spam, contact" address could be published, even for a
> domain whose real contact information needed to be hidden from
> general view, by pointing to a third party (since many of the
> sites requiring anonymity don't run mail servers, they might
> find that recruiting someone to accept such mail and return a
> brief response, ideally after an automated review, quite easy).
> Or we could try to standardize another address like
> "postmaster". But we would all need a convention about where
> to put the information and how to present it that could be used
> by low-clue users and whatever tools they select.
>
> Like it or not, these are complex systems. Everything is
> related to everything else. Answers that are developed from
> only a single perspective, or with the needs of only a single
> user group in mind, will almost always be wrong because they
> will foul up something else of [nearly] equal importance. We
> need to figure out how to work together to get all of the issues
> and considerations onto the table, to eliminate the fantasies,
> and then to construct a solution space and see what can be
> created in it.
>
> My impression is that the turmoil of the last few years has made
> it hard to think creatively about these problems and to inject
> any solutions that might be found into the systems. Too much
> else has been going on, and it has been too tempting to identify
> any change or suggestion as a plot with one sinister purpose or
> another. But maybe this, or right after we get through the
> election, is the right time. And maybe the GA would be a good
> place to at least initiate the discussion, rather than just
> turning into a series of simplistic straw polls on a small
> fraction of the options or arguments about which objective is
> most important.
>
> john
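The tracing procedure John describes (walk the Received: chain back to the injecting dialup address and timestamp, identify the network that owns it, and move before that ISP's logs age out) is something an abuse desk can script. The block below is an added illustration, not code from this thread or from either correspondent. The message is constructed: mci.net appears only because the thread names it as a commonly forged domain, the addresses are RFC 5737 documentation ranges, and example-isp.net, example.org, the hostnames and the 24-hour retention window are all assumptions. The domain_of() helper is a crude two-label heuristic, adequate for the sample but not for every TLD.

```python
"""Walk a message's Received: chain back to its injection point (added example)."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message): From: and Message-ID claim mci.net,
# but the earliest Received: line shows injection from a dialup pool at a
# different, hypothetical ISP.  Header fields are folded as real mail is.
SAMPLE = """\
Received: from relay.example-isp.net (relay.example-isp.net [192.0.2.10])
    by mx.example.org with ESMTP id abc123
    for <victim@example.org>; Sat, 16 Oct 1999 03:12:44 -0500
Received: from mail.mci.net (dialup-77.pool.example-isp.net [198.51.100.77])
    by relay.example-isp.net with SMTP id xyz789;
    Sat, 16 Oct 1999 03:11:58 -0500
From: sales@mci.net
Message-ID: <19991016031100.1234@mci.net>
To: victim@example.org
Subject: make money fast

body
"""

# Assumed "now" for the retention calculation: the evening of the same day.
REFERENCE_NOW = datetime(1999, 10, 16, 20, 0, tzinfo=timezone(timedelta(hours=-5)))

# HELO name, optional "(reverse-dns [ip])" clause, and the receiving host.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\)]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def parse_received(value):
    """Extract HELO name, reverse DNS, IP, receiving host and timestamp from one header."""
    flat = " ".join(value.split())              # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
    return {**m.groupdict(), "time": parsedate_to_datetime(stamp) if stamp else None}


def trace(raw):
    """Hops in chronological order: index 0 is where the mail entered the network."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()                                # each relay prepends, so the bottom line is earliest
    return hops


def origin(raw):
    hops = trace(raw)
    return hops[0] if hops else None


def domain_of(host):
    """Last two labels of a hostname, lower-cased (heuristic, fine for the sample)."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]).lower() if len(parts) >= 2 else host.lower()


def forgery_indicators(raw):
    """Reasons the visible sender identity should not be where complaints go."""
    msg = message_from_string(raw)
    first = origin(raw)
    if first is None:
        return ["no Received: headers; nothing to trace"]
    net = domain_of(first["rdns"]) if first["rdns"] else None
    notes = []
    if net and domain_of(first["helo"]) != net:
        notes.append(f"HELO {first['helo']} does not match reverse DNS {first['rdns']}")
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    if net and from_dom != net:
        notes.append(f"From: domain {from_dom} is not the injecting network {net}")
    mid = msg.get("Message-ID", "")
    if net and "@" in mid and domain_of(mid.split("@")[-1].strip("<> ")) != net:
        notes.append("Message-ID domain differs from injecting network")
    return notes


def hours_left(raw, now, retention_hours=24):
    """Hours before the injecting ISP's dialup logs may age out, given a retention window."""
    first = origin(raw)
    if first is None or first["time"] is None:
        return None
    deadline = first["time"] + timedelta(hours=retention_hours)
    return (deadline - now).total_seconds() / 3600.0


if __name__ == "__main__":
    for hop in trace(SAMPLE):
        print(hop["time"], hop["ip"], "HELO", hop["helo"], "->", hop["by"])
    for note in forgery_indicators(SAMPLE):
        print("indicator:", note)
    print(f"{hours_left(SAMPLE, REFERENCE_NOW):.1f} hours left to ask the ISP for logs")
```

The contact to approach is the owner of the earliest hop's IP (198.51.100.77 here, i.e. the assumed example-isp.net), not anyone at mci.net; the three indicators are exactly the mismatches the thread describes, a forged HELO, a forged From:, and a forged Message-ID domain. When the chain contains further relays, the same walk is repeated from each ISP's own logs, which is the recursion the message warns about.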