<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [nc-whois] WHOIS and SPAM - survey show no connection
Title: Message
Steve, The WHOIS TF today agreed that they
were very interested in inviting you and fellow members of the Advisory
Committee to our next call, which is next Tuesday, at 11:00 a.m. EST. We
are anxious to dialogue with the Advisory Committee and appreciate receiving
your final report when it was posted to the Names Council by Louie Touton.
The TF is interested
in a more extensive dialogue than can be provided by one member, and we are
anxious to ensure that there are several Advisory Committee members available to
discuss their views and findings with us. If it turns out that Tuesday at
11:00 am. EST is not possible, can you contact me off list, please, and we'll
work together on a different time/date. However, we want to make it next week,
given our time lines.
We appreciate receiving
your response and your responsiveness.
Best regards, Marilyn
Cade and Tony Harris, co-chairs
-----Original
Message----- From: Steve Crocker
[mailto:steve@stevecrocker.com] Sent: Wednesday, January 15, 2003
12:33 PM To: Cade,Marilyn S - LGA;
dnssac-comment@icann.org Cc: nc-whois@dnso.org; 'Louis Touton
(E-mail)'; 'Ram Mohan' Subject: RE: [nc-whois] WHOIS and SPAM - survey
show no connection
Marilyn,
Good to hear from you. We'll be glad
to interact with the TF. Ram Mohan is also a member of both the TF and
our committee, and he's volunteered to be a bridge as well. (I've cc'd
him explicitly on this message, which presumably means he'll get three
copies!)
In addition to Philip Sheppard's note
citing the FTC that indicates the whois database is not a primary source of
email addresses for spammers, we're also getting email from others indicating
the opposite. This obviously bears further study. My own
experience suggests email addresses are indeed collected from the whois
database. I get a fair amount of mail addressed to
hostmaster@<domainname> for one of my domains, and there is absolutely
*no* instance of that email address being used in any other
context.
To press the point a bit further, it seems
to me there are two parts to this puzzle, one based in fact and one based in
policy. The factual question is whether the whois database does, in
fact, get used for gather email addresses for spam. As I said, we're
getting a range of opinions on this, but I expect we'll be able to get a
reasonably good handle on this after a while. The policy question is
whether the whois database is required to be publicly accessible as a
whole. I consider it a separate question as to whether individual
entries should be accessible and to whom. The issue for this discussion
is whether an entire whois database should be made available. If so,
that's an exposure that needs to be understood and made known to everyone who
places an entry into the database.
Let me also note that a related issue has
come up with respect to the DNS database, and that some have raised a concern
that the combination of the DNS database and the whois database results in a
considerable amount of information which can be exploited for commercial
purposes.
Thanks,
Steve
Steve, on behalf of Tony Harris and
myself as co-chairs, we will discuss an invitation to the committee to talk
with the TF. In the meantime, perhaps we could all be thinking about how
best to ensure cross communication between the Advisory Committee and the TF
as you receive comments.
Regards, Marilyn Cade
Steve, interesting to read the Security and
Stability Advisory Committee recommendation on Whois. In relation to
privacy you state: "it is widely believed that Whois data is a source
of e-mail addresses for the distribution of spam". This may be a
wide belief but empirical evidence from the US Federal Trade
Commission tells us otherwise. See the last sentence of the note below in
particular.
Philip
------------------
To find out which
fields spammers consider most fertile for harvesting, investigators
"seeded" 175 different locations on the Internet with 250 new, undercover
email addresses. The locations included web pages, newsgroups, chat rooms,
message boards, and online directories for web pages, instant message
users, domain names, resumes, and dating services. During the six weeks
after the postings, the accounts received 3,349 spam emails. The
investigators found that:
- 86 percent of the addresses posted to web pages
received spam. It didn't matter where the addresses were posted on the
page: if the address had the "@" sign in it, it drew spam.
- 86 percent of the addresses posted to newsgroups
received spam.
- Chat rooms are virtual magnets for harvesting
software. One address posted in a chat room received spam nine minutes
after it first was used.
Addresses posted in other areas on the Internet
received less spam, the investigators found. Half the addresses posted on
free personal web page services received spam, as did 27 percent of
addresses posted to message boards and nine percent of addresses listed in
email service directories. Addresses posted in instant message service
user profiles, "Whois" domain name registries, online
resume services, and online dating services did not receive any spam
during the six weeks of the investigation.
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|