<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [nc-whois] WHOIS and SPAM - survey show no connection
Title: Message
We will put you guys/gals up first. We have
much other work to do, so our call will go on for a second hour, probably. BUT,
you can have the 11:00 a.m. time slot. :-)
I included Tony Holmes, on the previous
email, because of the comment about the linkage between the DNS and WHOIS,
merely as an FYI. He is doing some work in ENUM, as am I, and although ENUM is
technically NOT an ICANN issue, certainly the issue of linking other services to
the WHOIS, or DNS, is related and of concern.
Best, and "you're on!" Hope to see several
Advisory Committee members as well. Please do rsvp to me, privately, so I can
get enough ports. Thanks. Marilyn
Marilyn,
Thanks. I've penciled in next
Tuesday at 11:00. Since the rest of the Security and Stability Advisory
Committee is included in this note, let me hereby encourage others on the
committee to accept Marilyn's invitation to join their next conference call
Tuesday.
That said, I think it
will be helpful to sketch the main issues in advance of the call so we can
make as much progress as possible. Between the opinion we posted
formally and my last note, I think we've pretty much had our say on this
matter.
Let me know the details
of the call and I'll join in. I assume it's scheduled for an hour.
I have appointments in the afternoon and will have to scoot no later than
noon.
Steve
-----Original
Message----- From: Cade,Marilyn S - LGA [mailto:mcade@att.com]
Sent: Wednesday, January 15, 2003 12:41 PM To: Steve
Crocker; dnssac-comment@icann.org Cc: nc-whois@dnso.org; Louis
Touton (E-mail); Ram Mohan; Tony Holmes (E-mail) Subject: RE:
[nc-whois] WHOIS and SPAM - survey show no connection
Steve, The WHOIS TF today agreed that
they were very interested in inviting you and fellow members of the Advisory
Committee to our next call, which is next Tuesday, at 11:00 a.m. EST.
We are anxious to dialogue with the Advisory Committee and appreciate
receiving your final report when it was posted to the Names Council by Louie
Touton.
The TF is
interested in a more extensive dialogue than can be provided by one member,
and we are anxious to ensure that there are several Advisory Committee
members available to discuss their views and findings with us. If it
turns out that Tuesday at 11:00 am. EST is not possible, can you contact me
off list, please, and we'll work together on a different time/date. However,
we want to make it next week, given our time lines.
We appreciate
receiving your response and your responsiveness.
Best regards, Marilyn
Cade and Tony Harris, co-chairs
-----Original
Message----- From: Steve Crocker
[mailto:steve@stevecrocker.com] Sent: Wednesday, January 15, 2003
12:33 PM To: Cade,Marilyn S - LGA;
dnssac-comment@icann.org Cc: nc-whois@dnso.org; 'Louis Touton
(E-mail)'; 'Ram Mohan' Subject: RE: [nc-whois] WHOIS and SPAM -
survey show no connection
Marilyn,
Good to hear from you. We'll be
glad to interact with the TF. Ram Mohan is also a member of both the
TF and our committee, and he's volunteered to be a bridge as well.
(I've cc'd him explicitly on this message, which presumably means he'll
get three copies!)
In addition to Philip Sheppard's note
citing the FTC that indicates the whois database is not a primary source
of email addresses for spammers, we're also getting email from others
indicating the opposite. This obviously bears further study.
My own experience suggests email addresses are indeed collected from the
whois database. I get a fair amount of mail addressed to
hostmaster@<domainname> for one of my domains, and there is
absolutely *no* instance of that email address being used in any other
context.
To press the point a bit further, it
seems to me there are two parts to this puzzle, one based in fact and one
based in policy. The factual question is whether the whois database
does, in fact, get used for gather email addresses for spam. As I
said, we're getting a range of opinions on this, but I expect we'll be
able to get a reasonably good handle on this after a while. The
policy question is whether the whois database is required to be publicly
accessible as a whole. I consider it a separate question as to
whether individual entries should be accessible and to whom. The
issue for this discussion is whether an entire whois database should be
made available. If so, that's an exposure that needs to be
understood and made known to everyone who places an entry into the
database.
Let me also note that a related issue
has come up with respect to the DNS database, and that some have raised a
concern that the combination of the DNS database and the whois database
results in a considerable amount of information which can be exploited for
commercial purposes.
Thanks,
Steve
Steve, on behalf of Tony Harris and
myself as co-chairs, we will discuss an invitation to the committee to
talk with the TF. In the meantime, perhaps we could all be thinking
about how best to ensure cross communication between the Advisory
Committee and the TF as you receive comments.
Regards, Marilyn Cade
Steve, interesting to read the Security and
Stability Advisory Committee recommendation on Whois. In relation to
privacy you state: "it is widely believed that Whois data is a
source of e-mail addresses for the distribution of spam". This
may be a wide belief but empirical evidence from the US Federal
Trade Commission tells us otherwise. See the last sentence of the note
below in particular.
Philip
------------------
To find out which
fields spammers consider most fertile for harvesting, investigators
"seeded" 175 different locations on the Internet with 250 new,
undercover email addresses. The locations included web pages,
newsgroups, chat rooms, message boards, and online directories for web
pages, instant message users, domain names, resumes, and dating
services. During the six weeks after the postings, the accounts
received 3,349 spam emails. The investigators found that:
- 86 percent of the addresses posted to web pages
received spam. It didn't matter where the addresses were posted on
the page: if the address had the "@" sign in it, it drew spam.
- 86 percent of the addresses posted to
newsgroups received spam.
- Chat rooms are virtual magnets for harvesting
software. One address posted in a chat room received spam nine
minutes after it first was used.
Addresses posted in other areas on the Internet
received less spam, the investigators found. Half the addresses posted
on free personal web page services received spam, as did 27 percent of
addresses posted to message boards and nine percent of addresses
listed in email service directories. Addresses posted in instant
message service user profiles, "Whois" domain name
registries, online resume services, and online dating services did not
receive any spam during the six weeks of the
investigation.
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|