no whois info ?

While doing a quick sample of my spam to see where spamvertized web sites were hosted and registered, I came across the domain vestigial3had.com

shell1% whois vestigial3had.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "VESTIGIAL3HAD.COM".

yet,
shell1% host -tns vestigial3had.com
vestigial3had.com name server ns1.kronuna.biz
vestigial3had.com name server ns2.kronuna.biz
shell1%

What gives ? How can there be no whois info anywhere ?

         ---Mike

While doing a quick sample of my spam to see where spamvertized web sites
were hosted and registered, I came across the domain vestigial3had.com

shell1% whois vestigial3had.com

...

No match for "VESTIGIAL3HAD.COM".
What gives ? How can there be no whois info anywhere ?

Read NANOG archives - Verisign now allows immediate (well, within about 10
minutes) updates of .com/.net zones (also same for .biz) while whois data
is still updated once or twice a day. That means if a spammer registers a new
domain he'll be able to use it immediately and it'll not yet show up in
whois (and so not be immediately identifiable to spam reporting tools) -
and spammers are in fact using this "feature" more and more!

Now it so happens that I long ago added internal DNS resolver code
into the completewhois engine to find the list of nameservers (because
whois for some ccTLDs was not showing it and sometimes even for Internic
it was wrong), and now this is done by default on ALL domains (no matter
if they show up in whois or not); if nameservers from whois are
available they are compared to the list of the nameservers reported
from DNS and both are shown. For your domain I see the following
(which nicely explains it to those who are surprised about not
seeing real whois):

$ whois -h whois.completewhois.com vestigial3had.com
[whois.completewhois.com]
Elan Completewhois.Com Whois Server, Version 0.91a16, compiled on Dec 7, 2004
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only
if you follow our policies at http://www.completewhois.com/policies.htm

[DOMAIN whois information for VESTIGIAL3HAD.COM ]
   Domain Name: VESTIGIAL3HAD.COM
   Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org
   TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm
   Registry: VeriSign, Inc. - http://www.verisign-grs.com
   Registrar: Whois data parsing problem, no registrar information found
   Whois Server: rs.internic.net
   Name Server[from dns, dns ip]: NS2.KRONUNA.BIZ 219.154.96.29
   Name Server[from dns, dns ip]: NS1.KRONUNA.BIZ 200.124.75.9

Domain VESTIGIAL3HAD.COM not found in registry whois server.
But this domain appears to be deligated in dns. This is either an error
with registrar whois database or it is possible this domain was recently
registered and whois data is not yet available. Completewhois domain
information above should list current nameservers as has been found in
dns, for more information regarding this domain, please do whois lookup on
these nameservers or ips

P.S. If you're going to do whois on nameserver ips next, then you can
do the following combined lookup:
$ whois -h whois.completewhois.com "nsips vestigial3had.com"

But so you don't all overwhelm the engine with the same query, I saved you the
results, you can retrieve them with "whois -h completewhois.com R#75944680" or at
http://www.completewhois.com/cgi-bin/whois.cgi?query=75944680&options=retrieve

Read NANOG archives - Verisign now allows immediate (well, within about 10
minutes) updates of .com/.net zones (also same for .biz)

Yes, I was aware of that.

while whois data
is still updated once or twice a day.

I (wrongly) assumed that the initial whois data would be immediately there to be seen at registration time....

That means if a spammer registers a new
domain he'll be able to use it immediately and it'll not yet show up in
whois (and so not be immediately identifiable to spam reporting tools) -
and spammers are in fact using this "feature" more and more!

What a lovely well thought out feature....

         ---Mike

shell1% whois vestigial3had.com

...

No match for "VESTIGIAL3HAD.COM".
What gives ? How can there be no whois info anywhere ?

Read NANOG archives - Verisign now allows immediate (well, within about 10
minutes) updates of .com/.net zones (also same for .biz) while whois data
is still updated once or twice a day. That means if a spammer registers a new
domain he'll be able to use it immediately and it'll not yet show up in
whois (and so not be immediately identifiable to spam reporting tools) -
and spammers are in fact using this "feature" more and more!

You can also make whois information private, usually for an additional fee.

I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet. It would be nice to somehow incorporate this into a SpamAssassin check.

         ---Mike

shell1% whois vestigial3had.com

...

No match for "VESTIGIAL3HAD.COM".
What gives ? How can there be no whois info anywhere ?

You can also make whois information private, usually for an additional fee.

I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet.

I would doubt that.

We have started hiding the information for clients who request it for a simple reason: use of WHOIS data for marketing.

Anyone want to guess how many credit cards have been offered to "Host Master" and "Master Host" addressed to our Technical contact address?

We have clients complaining about the junk email, junk faxes and junk postal mail that results from these listings.

Then there's the folks who send out offers to "renew" domains, but in the very fine print say "this is not a bill" and are really an attempt to transfer the domain name to another provider. We've had customers fall for these, thinking the invoices were from us, and in cases where the customer didn't have their domain locked against transfers, have their web sites go dark.

It would be nice to somehow incorporate this into a SpamAssassin check.

Your basic assumption is faulty.

The WHOIS data is there to ensure there's someone to contact. As long as the data listed can be used to reach the domain holder for legitimate purposes (technical problems, etc.), why should you care if the listed address is a Care Of address, the email address goes through a redirect or is handled by an agent trusted by the domain holder?

Yes, I understand the concern that spammers might use the mechanism to hide. I'm concerned about that too, but not enough to override my concern about the marketing use of the data, often in campaigns that border on scams.

Yes, I agree. I am talking about not having *ANY* whois info. I don't see how any of your arguments justify

% whois vestigial3had.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "VESTIGIAL3HAD.COM".

Hopefully this is just a case of the whois info not catching up with the registration.... There should always be some way to contact the domain holder, or registrar. Right now, there is none for this domain which is wrong IMO.

         ---Mike

Jeff Rosowski wrote:

shell1% whois vestigial3had.com

...

No match for "VESTIGIAL3HAD.COM".
What gives ? How can there be no whois info anywhere ?

How about the following... (note that just because someone is using someone as their authoritative name server doesn't mean that the other people (in this case kronuna.biz) have anything to do with it...)

[peterh@localhost ~]$ dig ns vestigial3had.com
<snip>
;; ANSWER SECTION:
vestigial3had.com. 172800 IN NS ns1.kronuna.biz.
vestigial3had.com. 172800 IN NS ns2.kronuna.biz.

[peterh@localhost ~]$ whois kronuna.biz
[Querying whois.neulevel.biz]
[whois.neulevel.biz]
Domain Name: KRONUNA.BIZ
Domain ID: D8290016-BIZ
Sponsoring Registrar: TUCOWS INC.
Sponsoring Registrar IANA ID: 69
Domain Status: ok
Registrant ID: TU9XLFHXRK2QTZCE
Registrant Name: domain administrator
Registrant Organization: Tehillimzeiger Pushkaya
Registrant Address1: Suite M-242, Christamar 43-B
Registrant Address2: Avda. De las Naciones Unidas
Registrant City: Puerto Banus - Marbella
Registrant State/Province: Malaga
Registrant Postal Code: 29660
Registrant Country: Spain
Registrant Country Code: ES
Registrant Phone Number: +371.7338359
Registrant Email: dljans@pisem.net

<snip>

Hi!

[peterh@localhost ~]$ dig ns vestigial3had.com
<snip>
;; ANSWER SECTION:
vestigial3had.com. 172800 IN NS ns1.kronuna.biz.
vestigial3had.com. 172800 IN NS ns2.kronuna.biz.

[peterh@localhost ~]$ whois kronuna.biz
[Querying whois.neulevel.biz]
[whois.neulevel.biz]
Domain Name: KRONUNA.BIZ
Domain ID: D8290016-BIZ
Sponsoring Registrar: TUCOWS INC.
Sponsoring Registrar IANA ID: 69

There are like a gazillion spam sites on that server. It's a spamnest.
Nameserver(s) are inside SBL also.

Bye,
Raymond.

I don't follow ? It seems to me they do answer for the domain.
granite# dig vestigial3had.com
;; ANSWER SECTION:
vestigial3had.com. 1M IN A 200.124.75.12

;; AUTHORITY SECTION:
vestigial3had.com. 1M IN NS ns1.kronuna.biz.
vestigial3had.com. 1M IN NS ns2.kronuna.biz.

;; ADDITIONAL SECTION:
ns1.kronuna.biz. 27S IN A 200.124.75.9
ns2.kronuna.biz. 27S IN A 219.154.96.29

granite# dig axfr vestigial3had.com @200.124.75.9

; <<>> DiG 8.3 <<>> axfr vestigial3had.com @200.124.75.9
; (1 server found)
$ORIGIN vestigial3had.com.
@ 1M IN SOA @ root (
                                         240420115 ; serial
                                         8H ; refresh
                                         1M ; retry
                                         1W ; expiry
                                         1H ) ; minimum

                         1M IN NS ns1.kronuna.biz.
                         1M IN NS ns2.kronuna.biz.
                         1M IN MX 10 www
                         1M IN A 200.124.75.12
* 1M IN A 200.124.75.12
a 1M IN A 221.5.250.122
*.a 1M IN A 221.5.250.122
a6 1M IN A 221.5.250.122
*.a6 1M IN A 221.5.250.122
e 1M IN A 221.5.250.122
*.e 1M IN A 221.5.250.122
g 1M IN A 221.5.250.122
*.g 1M IN A 221.5.250.122
i 1M IN A 221.5.250.122
*.i 1M IN A 221.5.250.122
m 1M IN A 221.5.250.122
*.m 1M IN A 221.5.250.122
mail 1M IN CNAME @
www 1M IN CNAME @
@ 1M IN SOA @ root (
                                         240420115 ; serial
                                         8H ; refresh
                                         1M ; retry
                                         1W ; expiry
                                         1H ) ; minimum

;; Received 1 answer (21 records).
;; FROM: granite.sentex.ca to SERVER: 200.124.75.9
;; WHEN: Thu Dec 9 20:00:30 2004

More fun...

Mike Tancsa wrote:

                        1M IN MX 10 www
                        1M IN A 200.124.75.12

[peterh@localhost ~]$ whois 200.124.75.12
inetnum: 200.124.64/19
responsible: GoldToe International Inc.
address: 60 Market Square, 0, 0
address: 0 - Belize - 0
country: BZ

nic-hdl: PDL
person: GoldToe International Inc.
e-mail: eemsregent@YAHOO.COM
address: Box CB13039, 1956,
address: 11946 - Nassau -
country: BS

a 1M IN A 221.5.250.122

[peterh@localhost ~]$ gwhois 221.5.250.122
[Querying geektools.com]
[geektools.com]
GeekTools Whois Proxy v5.0.4 Ready.
Checking access for 207.171.180.101... ok.
Final results obtained from whois.apnic.net.
inetnum: 221.5.128.0 - 221.5.255.255
netname: CNCGROUP-CQ
descr: CNC Group Chongqing province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN

I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet. It would be nice to somehow incorporate this into a SpamAssassin check.

Please don't, there are legitimate reasons to have private domain names. One of the main reasons my domains are private is I got tired of the spam and direct snail mail I got to the contact addresses. Also, some people, like incest survivors, feel better not having their name out there as an owner of a related support site.

Taking away the usefulness of private registrations won't stop the spammers. It will just impact the privacy of the regular folks.

I wonder what % of domains that have their whois info hidden or "private" are throwaway spam domains... Some number approaching 100% I would bet. It would be nice to somehow incorporate this into a SpamAssassin check.

Please don't, there are legitimate reasons to have private domain names. One of the main reasons my domains are private is I got tired of the spam and direct snail mail I got to the contact addresses.

The internet is a public space. If your domain is being abused / misused, how are people supposed to contact the domain holder or registrar if there is no whois record for the domain OR the registrar ? Remember, I am talking about domains that whois servers say do not exist, but whose DNS is active in the root name servers. In this case, I was talking about the domain vestigial3had.com which was registered this AM, and by the time it shows up in the whois records 24hrs later, is thrown away by the spammer after blasting out their spam....

Anyways, it's there now

    Domain Name: VESTIGIAL3HAD.COM
    Registrar: BIZCN.COM, INC.
    Whois Server: whois.bizcn.com
    Referral URL: http://www.bizcn.com
    Name Server: NS1.KRONUNA.BIZ
    Name Server: NS2.KRONUNA.BIZ
    Status: REGISTRAR-LOCK
    Updated Date: 09-dec-2004
    Creation Date: 09-dec-2004
    Expiration Date: 09-dec-2005

Registrant Contact:
    Uno More
    haun nito huannni@mail333.com
    371-6352202 fax: 371-6352202
    Briezha 5-6
    Riga Riga LV 1021
    lv

.... Yeah, one more throwaway spam domain....

Also, some people, like incest survivors, feel better not having their name out there as an owner of a related support site.

... Role account/PO Box....

         ---Mike

[...]

Read NANOG archives - Verisign now allows immediate (well, within
about 10 minutes) updates of .com/.net zones (also same for .biz)
while whois data is still updated once or twice a day. That means if
a spammer registers a new domain he'll be able to use it immediately and
it'll not yet show up in whois (and so not be immediately
identifiable to spam reporting tools) - and spammers are in fact
using this "feature" more and more!

This tempts me to hack something into Exim that does a whois on
previously-unseen sender domains, and give a deferral if the whois
denies existence of the domain. Is this likely to have any meaningful
effect?

abuse@cabal.org.uk (Peter Corlett) wrote:

[...]
> Read NANOG archives - Verisign now allows immediate (well, within
> about 10 minutes) updates of .com/.net zones (also same for .biz)
> while whois data is still updated once or twice a day. That means if
> a spammer registers a new domain he'll be able to use it immediately and
> it'll not yet show up in whois (and so not be immediately
> identifiable to spam reporting tools) - and spammers are in fact
> using this "feature" more and more!

This tempts me to hack something into Exim that does a whois on
previously-unseen sender domains, and give a deferral if the whois
denies existence of the domain. Is this likely to have any meaningful
effect?

No. It depends too much on

  (a) the registry and registrar for the domain
  (b) overall whois availability to that TLD (not everybody uses whois)
  (c) your connectivity to the whois servers involved (possibly more than one)

Yours,
  Elmar.

Captain's Log, stardate Thu, 09 Dec 2004 15:10:14 -0500, from the fingers of Daniel Senie came the words:
<snip>

> We have clients complaining about the junk email, junk faxes and
> junk postal mail that results from these listings.

<snip>

I agree,

Even the .ie domain registry doesn't add personal information by default. For example, one of the domains I've registered has only the registrant name and the DNS host's name. This is our full .ie whois info:

domain: blah
descr: BLAH
descr: Body Corporate (Ltd,PLC,Company)
descr: Registered Business Name
admin-c: ABA822-IEDR
tech-c: IBH1-IEDR
nserver: AUTH-NS1.IRISHBROADBAND.IE
nserver: AUTH-NS2.IRISHBROADBAND.IE
source: IEDR

person: Ken Gilmour
nic-hdl: ABA822-IEDR
source: IEDR

person: Irish Broadband Hostmaster
nic-hdl: IBH1-IEDR
source: IEDR

I disagree, I think this may be ok, but it's specifically because it's
for .com/.net whois (not ok for general TLD). Reasons are:
1. Internic.net / CRSNIC whois has no limit set on number of queries
    client from particular ip can make before queries are denied (or
    it may have limit but its set very high) and its data is almost
    always available and quite fast (but there were some outages).
2. Internic.net data is very brief listing only when domain was
    registered and which registrar and status
3. If there is a problem getting whois data at the moment, SMTP
    connection would not be denied but only deferred

I think what should be done based on data is:
1. Check creation date and if the domain is very new (not even in
    whois or in whois but registration date is today or yesterday)
    then defer it for 48 hours but count the connection and report
    to some central system. If after one day from that new domain
    came way too many attempts to send email, then it may be assumed
    fairly safely the domain is being set up by a spammer. Additionally
    if there are spam reports that came about the domain then a
    responsible registrar (like godaddy) would put it on hold and this
    would be reflected in the domain status. I'll also note that
    registrar has 72 hours in which they can delete newly registered
    domain if they believe the registration was fraudulent (i.e. stolen
    credit card) and not have to pay registrar for it - in fact that is
    quite often what happens to spammer used domains.
2. You probably should not accept email from domains that have any kind
    of HOLD status (this is the same as domain not delegated in dns) but
    again this should not be outright denial but deferral (in case it's
    just that somebody forgot to pay registration fee).
3. By checking Internic whois you get a name of the registrar (i.e.
    opensrs, enom, etc) and can decide that if the registrar is too
    "dirty" you do not want to accept email from domain. If enough
    people do it, this may cause registrar to become more responsible
    towards who they let register domains.

It may be quite good if several of us come together and create a project
to create such whois filtering library for SMTP. This library can then
be called from extensions for Sendmail, Postfix, Exim and other popular
mailers. I certainly will be willing to help with my whois programming
skills but I have no experience (yet) writing extensions for MTAs.
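The deferral idea in this sub-thread (Peter's Exim hack, the three checks William outlines just above) together with the DNS-versus-whois comparison completewhois does, sketched as working Python. This is an added example, not code from the thread or from completewhois. The whois answer and the DNS NS list are handed in by the caller, so it runs offline and the caller decides how to fetch and cache lookups (which is where Suresh's rate-limit warning later in the thread applies); the record layouts are the thin CRSNIC/Internic .com/.net ones quoted in the thread; the 48-hour window follows William's post; the registrar denylist is a hypothetical local policy input, since the thread names no registrar as "dirty".

```python
"""Whois-based sender-domain policy for an MTA (added example, not code from
the thread or completewhois). Whois text and DNS NS list are supplied by the
caller; layouts are the thin CRSNIC/Internic .com/.net answers quoted above.
"""
import re
from datetime import datetime, timedelta

NEW_DOMAIN_WINDOW = timedelta(hours=48)  # deferral window for fresh registrations

def parse_crsnic(text):
    """Parse a thin CRSNIC answer: None for 'No match for', else a field dict."""
    if re.search(r'^\s*No match for ', text, re.MULTILINE):
        return None
    rec = {'registrar': None, 'created': None, 'status': [], 'name_servers': []}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z][A-Za-z ]*):\s*(\S.*)$', line)
        if not m:
            continue
        key, val = m.group(1).strip().lower(), m.group(2).strip()
        if key == 'registrar':
            rec['registrar'] = val
        elif key == 'status':
            rec['status'].append(val.upper())
        elif key == 'name server':
            rec['name_servers'].append(val.lower().rstrip('.'))
        elif key == 'creation date':
            # CRSNIC prints e.g. 09-dec-2004; strptime's %b is case-insensitive
            rec['created'] = datetime.strptime(val, '%d-%b-%Y')
    return rec

def sender_domain_verdict(whois_text, dns_ns, now, dirty_registrars=frozenset()):
    """Return (verdict, reasons) for an SMTP sender domain: ACCEPT, DEFER or REJECT.

    dns_ns: NS names currently delegated in DNS ([] if none); now: time of the
    check, passed in so the decision is reproducible; dirty_registrars: a
    hypothetical local denylist (the thread names no registrar as "dirty").
    """
    dns_ns = {n.lower().rstrip('.') for n in dns_ns}
    rec = parse_crsnic(whois_text)
    if rec is None:
        if dns_ns:
            # The vestigial3had.com case: zone is live, whois has not caught up
            return 'DEFER', ['delegated in DNS but no whois record yet']
        return 'REJECT', ['domain exists neither in whois nor in DNS']
    if rec['registrar'] and rec['registrar'].upper() in {r.upper() for r in dirty_registrars}:
        return 'REJECT', ['registrar on local denylist: ' + rec['registrar']]
    reasons = []
    if any('HOLD' in s for s in rec['status']):
        reasons.append('domain status ' + '/'.join(rec['status']))
    if rec['created'] and now - rec['created'] < NEW_DOMAIN_WINDOW:
        reasons.append('registered %s, inside the 48h window' % rec['created'].date())
    whois_ns = set(rec['name_servers'])
    if whois_ns and dns_ns and whois_ns != dns_ns:
        reasons.append('whois NS %s differ from DNS NS %s' % (sorted(whois_ns), sorted(dns_ns)))
    return ('DEFER', reasons) if reasons else ('ACCEPT', reasons)

# Sample answers, constructed from the two lookups quoted in the thread.
NO_MATCH = '''Whois Server Version 1.3

No match for "VESTIGIAL3HAD.COM".
'''
REGISTERED = '''
   Domain Name: VESTIGIAL3HAD.COM
   Registrar: BIZCN.COM, INC.
   Whois Server: whois.bizcn.com
   Referral URL: http://www.bizcn.com
   Name Server: NS1.KRONUNA.BIZ
   Name Server: NS2.KRONUNA.BIZ
   Status: REGISTRAR-LOCK
   Updated Date: 09-dec-2004
   Creation Date: 09-dec-2004
   Expiration Date: 09-dec-2005
'''
KRONUNA_NS = ['ns1.kronuna.biz.', 'ns2.kronuna.biz.']

def demo():
    """Run the thread's domain through the policy at several points in time."""
    t0 = datetime(2004, 12, 9, 15)  # the afternoon the thread started
    later = t0 + timedelta(days=80)
    hold = REGISTERED.replace('REGISTRAR-LOCK', 'CLIENT-HOLD')
    return {
        'no_match_delegated': sender_domain_verdict(NO_MATCH, KRONUNA_NS, t0)[0],
        'no_match_undelegated': sender_domain_verdict(NO_MATCH, [], t0)[0],
        'fresh': sender_domain_verdict(REGISTERED, KRONUNA_NS, t0 + timedelta(hours=18))[0],
        'aged': sender_domain_verdict(REGISTERED, KRONUNA_NS, later)[0],
        'hold': sender_domain_verdict(hold, KRONUNA_NS, later)[0],
        'dirty': sender_domain_verdict(REGISTERED, KRONUNA_NS, later, {'BIZCN.COM, INC.'})[0],
    }

if __name__ == '__main__':
    for case, verdict in demo().items():
        print('%-22s %s' % (case, verdict))
```

The first demo case is exactly the situation Mike hit: dig says the zone is delegated, CRSNIC says "No match", and the policy defers rather than rejects, since the same symptom can be a plain whois lag. Only a dead domain (no whois, no delegation) or a registrar the local operator has chosen to block gets an outright rejection; HOLD status and a sub-48-hour creation date are deferrals, as William suggests.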

[...]

This tempts me to hack something into Exim that does a whois on
previously-unseen sender domains, and give a deferral if the whois
denies existence of the domain. Is this likely to have any
meaningful effect?

No. It depends too much on
(a) the registry and registrar for the domain
(b) overall whois availability to that TLD (not everybody uses whois)
(c) your connectivity to the whois servers involved (possibly more
than one)

You have a point if I were attempting to do this for all TLDs, but at
least for a first cut, I'm only interested in .com/.net. A single
query of whois.crsnic.net (and not bothering to follow referrals)
would be sufficient to determine the existence of the domain in whois.

There's some awful tinpot domain registrars out there where you have
to wonder if their whois server is on the end of a dialup link, but
fortunately I'm not attempting to access those. Connectivity from here
to the CRSNIC server is good and no worse than to any other server I
may wish to query for purposes of black- or greylisting.

Peter Corlett wrote:

There's some awful tinpot domain registrars out there where you have
to wonder if their whois server is on the end of a dialup link, but
fortunately I'm not attempting to access those. Connectivity from here
to the CRSNIC server is good and no worse than to any other server I
may wish to query for purposes of black- or greylisting.

Doing live queries of domain names like that, on the fly - even if you cache lookup data - will lead to your IP getting rate limited or even blocked by most whois servers, unless you register your IP with them for doing bulk whois lookups.

  srs

I don't want to turn this into a domain policy discussion, but
here are a few comments (in some semblance of order) which relate
to the operational aspects.

1. Anyone controlling an operational resource (such as a domain) can't
be anonymous. This _in no way_ prevents anyone from doing things
anonymously on the Internet: it just means that they can't control an
operational resource, because that way lies madness.

2. If someone wants to remain anonymous -- say, as in the example Janet
cited, of sexual abuse victims -- then one of the very LAST things they
should do is register a domain. Doing so creates a record (in the
registrar's billing department if nowhere else) that clearly traces
back to them. Further, an anonymously-registered domain isn't much
good without services such as DNS and web hosting: and those, of course,
represent still more potential information leaks.

Anyone who thinks their "anonymous" registration is truly anonymous
is in for a rude awakening: if the data isn't already in the wild,
it will be as soon as the spammers find it useful to make it so.

It's much better, if anonymity is the goal, not to begin by causing
this data to exist.

3. Anonymous domain registration, like free email services, is an
abuse magnet. [Almost] nobody offering either has yet demonstrated the
ability to properly deal with the ensuing abuse: they've simply forced
the costs of doing so onto the entire rest of the Internet.

It's thus not surprising that a pretty good working hypothesis is to
presume that any domain which either (a) has anonymous registration or
(b) has contact addresses at freemail providers is owned by people
intent on abusing the Internet. No, it's not always true, but as a
first-cut approximation it works quite well. Doubly so if the domain
is in a TLD known to be spammer-infested (e.g., ".biz") and triply so
if the domain name itself screams "spam" (e.g. "cheap-phentermine-online.biz"). [1]

4. Spammers have a myriad of ways of "harvesting" mail addresses that
yield the same data but without requiring WHOIS output. For example, some
of the malware they've released prowls through all the sent/received mail
on infected systems...which means that if anyone using their brand-new
anonymously-registered domain happens to send a single message to someone
else -- who is already or subsequently infected -- then the address in
question will shortly be in the wild, bought and sold and used by spammers.

Note that some of the infected systems are mail servers, so even if the
sender and recipient are secure from infection, the address in question
may still be acquired. And no doubt some of them are inside registrars
and DNS hosts and web hosts, just like they're [nearly] everywhere else.

And this is just one way that addresses are harvested.

5. Spam is about far more than merely SMTP these days. SPIM (IM
spam) and SPIT (VOIP spam) and adware and all kinds of other things
are being used -- and by _the same people_, e.g. Spamford, to do exactly
the same thing: put content in front of eyeballs. Even if we could throw
a switch and cut off all SMTP spam, the respite would only be temporary.
So just trying to hide from SMTP spam, although it might provide the
comfortable illusion of accomplishing something in the short term,
is useless in the long term.

6. Spam is a problem for everyone, and so it's everyone's responsibility
to fight it. Those who want the privilege of controlling operational
resources must also accept the responsibility of doing their part.

---Rsk

[1] To save you the trouble of looking it up:

Domain Name: CHEAP-PHENTERMINE-ONLINE.BIZ
Domain ID: D3193600-BIZ
Sponsoring Registrar: DOTSTER
Domain Status: ok
Registrant ID: DOTS-1025016423
Registrant Name: N K
Registrant Organization:
Registrant Address1: -
Registrant Address2: n/a
Registrant City: -
Registrant State/Province: -
Registrant Postal Code: -
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.3155551212
Registrant Facsimile Number: +1.3155551212
Registrant Email: info2000go@yahoo.com

and so on. A 200-foot-high billboard would only be slightly more obvious.
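Rsk's point 3 is offered as a "first-cut approximation", so here is one way to turn it into something a mail filter could actually run: score a thick whois record for the signals he lists (anonymous or placeholder contact data, a freemail contact address, a suspect TLD, a domain name that "screams spam"). This is an added example, not code from the thread. The record layout is the NeuLevel .biz one quoted twice in the thread; the freemail list, the keyword list and the suspect-TLD set are hypothetical local policy inputs (the post names .biz as its example, and the 555-1212 check rests on that being the well-known directory-assistance number, not on anything the thread establishes).

```python
"""Score a thick whois record against the first-cut heuristics above.
Added example, not code from the thread; word/TLD/freemail lists are
hypothetical local policy, the record layout is NeuLevel's .biz format.
"""
import re

FREEMAIL_DOMAINS = {'yahoo.com', 'hotmail.com'}            # local policy
SUSPECT_TLDS = {'biz'}                                     # local policy
SPAM_WORDS = ('phentermine', 'viagra', 'cheap', 'online')  # local policy
PLACEHOLDERS = {'-', 'n/a', 'na', 'none', 'xxx', '0'}

def parse_thick(text):
    """Map 'Field Name: value' lines to a lowercase-keyed dict (empty values kept)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z][A-Za-z0-9/ ]*):\s*(.*)$', line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def score_record(text):
    """Return (score, hits): one point per heuristic the record trips."""
    f = parse_thick(text)
    domain = f.get('domain name', '').lower()
    label, _, tld = domain.rpartition('.')
    hits = []
    email = f.get('registrant email', '').lower()
    if email.rpartition('@')[2] in FREEMAIL_DOMAINS:
        hits.append('freemail contact address ' + email)
    addr = [f.get(k, '').lower() for k in ('registrant address1', 'registrant city',
                                          'registrant state/province', 'registrant postal code')]
    if sum(a in PLACEHOLDERS for a in addr) >= 2:
        hits.append('placeholder postal address')
    if re.sub(r'\D', '', f.get('registrant phone number', '')).endswith('5551212'):
        hits.append('555-1212 directory-assistance phone number')
    if tld in SUSPECT_TLDS:
        hits.append('registered in .' + tld)
    words = [w for w in SPAM_WORDS if w in label]
    if words:
        hits.append('spam keywords in name: ' + ', '.join(words))
    return len(hits), hits

# Sample records, constructed from the two .biz lookups quoted in the thread.
PHENTERMINE = '''Domain Name: CHEAP-PHENTERMINE-ONLINE.BIZ
Domain ID: D3193600-BIZ
Sponsoring Registrar: DOTSTER
Domain Status: ok
Registrant Name: N K
Registrant Organization:
Registrant Address1: -
Registrant Address2: n/a
Registrant City: -
Registrant State/Province: -
Registrant Postal Code: -
Registrant Country: United States
Registrant Phone Number: +1.3155551212
Registrant Email: info2000go@yahoo.com
'''
KRONUNA = '''Domain Name: KRONUNA.BIZ
Domain ID: D8290016-BIZ
Sponsoring Registrar: TUCOWS INC.
Registrant Name: domain administrator
Registrant Organization: Tehillimzeiger Pushkaya
Registrant Address1: Suite M-242, Christamar 43-B
Registrant City: Puerto Banus - Marbella
Registrant State/Province: Malaga
Registrant Postal Code: 29660
Registrant Country Code: ES
Registrant Phone Number: +371.7338359
Registrant Email: dljans@pisem.net
'''

if __name__ == '__main__':
    for name, rec in (('CHEAP-PHENTERMINE-ONLINE.BIZ', PHENTERMINE), ('KRONUNA.BIZ', KRONUNA)):
        score, hits = score_record(rec)
        print(name, score, hits)
```

The footnote's record trips every heuristic; kronuna.biz, which Raymond says sits in the SBL, trips only the TLD one, which is the caveat on any such scoring: a real-looking postal address and a non-freemail contact cost a spammer nothing, so this sorts the lazy ones from the rest rather than spam from non-spam, and the placeholder check is deliberately not triggered by fields that are simply absent from a thinner record.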