no whois info ?

Rich Kulawiec wrote:

  > 1. Anyone controlling an operational resource (such as a domain) can't

be anonymous. This _in no way_ prevents anyone from doing things
anonymously on the Internet: it just means that they can't control an
operational resource, because that way lies madness.

As long as that person is contactable, why should it matter if they are anonymous? If you get a quick response to abuse@some_anonymous_domain.net, does it REALLY matter to you if the person's name is Tom, John, or Susan?

There seem to be two definitions of "anonymous" floating around here. One seems to equal "no working contact information", and one seems to equal "private registration ala domainsbyproxy.net". I can understand why people might want to take non-existent whois records into account, but I just don't see the argument against anonymous records.

Killing anonymous records won't stop spammers. It can however harm a vulnerable section of the Internet.

2. If someone wants to remain anonymous -- say, as in the example Janet
cited, of sexual abuse victims -- then one of the very LAST things they
should do is register a domain. Doing so creates a record (in the
registrar's billing department if nowhere else) that clearly traces
back to them. Further, an anonymously-registered domain isn't much
good without services such as DNS and web hosting: and those, of course,
represent still more potential information leaks.

There are layers of privacy. Let's say a person has a restraining order against an ex-husband, ex-girlfriend, etc. That person has moved and doesn't want to be easily found. Now, which will be easier for the ex - typing in whois, or somehow getting the billing records from the registrar?

As for DNS & web hosting - there are sites out there that offer anonymous hosting & DNS to groups like abuse survivors, etc.

It's much better, if anonymity is the goal, not to begin by causing
this data to exist.

Great! So, if you are a vulnerable minority, don't use the internet. Don't have political free speech in your country? Don't talk. You have an abusive ex? Sorry, can't help you. Whistle blower? The hell with you. Pissed off a drug dealer by turning them in? Good for you! Sorry, we have to take away your internet access now.

100% Anonymity is not possible, true. Neither is 100% security. But does that mean you give up running any kind of firewall?

3. Anonymous domain registration, like free email services, is an
abuse magnet. [Almost] nobody offering either has yet demonstrated the
ability to properly deal with the ensuing abuse: they've simply forced
the costs of doing so onto the entire rest of the Internet.

OK, how many anonymous domains (ala domainsbyproxy) have you been unable to contact? Real numbers, please. I'm not talking about missing or false whois records.

It's thus not surprising that a pretty good working hypothesis is to
presume that any domain which either (a) has anonymous registration or
(b) has contact addresses at freemail providers is owned by people
intent on abusing the Internet. No, it's not always true, but as a
first-cut approximation it works quite well.

I'm sorry, I guess I'm still one of those "innocent until proven guilty" folks. Yes, it means first run spammers get me. That's a price I'm willing to pay. If, as an end user, you want more aggressive filtering, that should be up to you. I have no problem with that.

If decisions start impacting innocents on the Internet at large, THAT's a problem.

4. Spammers have a myriad of ways of "harvesting" mail addresses that
yield the same data but without requiring WHOIS output.

Yes, they do. But, I get less spam, and MUCH less snail mail, with anonymous registrations.

6. Spam is a problem for everyone, and so it's everyone's responsibility
to fight it. Those who want the privilege of controlling operational
resources must also accept the responsibility of doing their part.

I agree. But why should it matter if you know the name of the person controlling an operational resource if they are responsible net citizens?

It matters if we're talking about Tom, John or Susan working for some
commercial company and contacting me as part of the activity of that
entity, in that case I'd like to know about the domain and don't want
to see its whois data hidden. Same goes for ip block data used by
commercial companies - I do not agree with having this data be hidden
or not listing use/allocation of the ip block to some company.

So my view of it is the same as current practice and laws (at least in US)
which require business (including DBA) registrations in county/state
registrar and requirying and making public corporate records, including
address of the company and list of its officers.

william(at)elan.net wrote:

It matters if we're talking about Tom, John or Susan working for some commercial company and contacting me as part of the activity of that
entity, in that case I'd like to know about the domain and don't want
to see its whois data hidden.

I find it somewhat amusing that the whois record for elan.net refers to a hostmaster role account and a P.O. Box.

I do agree that a "one size fits all" rule rarely fits all situations. Do I support anonymous registrations for non-commercial sites as long as they can still be contacted? Yes. Do I support them for large corporations? Not necessarily. Do I support the right of end users to filter their mail any way they choose? Sure. Do I support the right of a provider to filter their user's mail any way they choose? Not necessarily.

Unfortunately, there isn't a perfect way to tell if a site is commercial or not by it's domain name. To me, a false positive is worse than spam getting through. I realize other people have other opinions. I just don't want to see wide spread filtering of mail from anonymous (ala domainsbyproxy) whois records. I feel it damages an important part of the internet with little long term benefit.

william(at)elan.net wrote:

> It matters if we're talking about Tom, John or Susan working for some
> commercial company and contacting me as part of the activity of that
> entity, in that case I'd like to know about the domain and don't want
> to see its whois data hidden.

I find it somewhat amusing that the whois record for elan.net refers to
a hostmaster role account and a P.O. Box.

That PO Box is registered to the company and as such you can request
from USPS a copy of the registration and will find current office address
and contact name. Note that if PO Box is used by individual than the
address and name are kept confidential unless that individual indicated
he's going to use PO Box for business activities. The rules about privacy
of information on PO Boxes pretty much supports what I wrote, so thank
you for giving me a chance to show our own practical example

I do agree that a "one size fits all" rule rarely fits all situations.
Do I support anonymous registrations for non-commercial sites as long as
they can still be contacted? Yes. Do I support them for large
corporations? Not necessarily. Do I support the right of end users to
filter their mail any way they choose? Sure. Do I support the right of
a provider to filter their user's mail any way they choose? Not
necessarily.

The last one is same as previous one - you have chosen your provider and
as such there is a contractual relationship for getting these services
if you do not believe the services meet your needs, you find another
provider, So its all the same and is basicly the right of the user to
choose how his/hers email would be filters and that maybe direct choice
of exactly which mail filters are to be used or it maybe a choice of which
company would filter the email or all of that maybe outsourced to ISP.

Unfortunately, there isn't a perfect way to tell if a site is commercial
or not by it's domain name.

If somebody sends me an email with morgage offer, I consider it to be
a commercial email and expect to come registered mrtgage broker with
publickly known address. Same for almost all other offers you receive
by unsolicited email.

To me, a false positive is worse than spam getting through. I realize
other people have other opinions. I just don't want to see wide spread
filtering of mail from anonymous (ala domainsbyproxy) whois records.

I note that I did not suggest that nor do I see any easy way to implement
it (because godaddy has one of the most stict rules about limiting access
to whois by automated means).

My current project goal is to only use use internic whois data (which
means no registrant's or contact names or addresses) and only use it to
stop use of domains where registrar has put a hold status on it or where
the domain registrations it too new to be in whois (and email would not
be denied but simply postponed until more information is known about the
registrant and registrar had a chance to decide if their new domain and
its use are in violation of their policies or not). The goal is to combat
through-away domains and force spammers to use well known names that can
be traced to them and their business activities. Then legal and other
pressure can be applied to those known business entities to stop their
abuse of email infrastructure.

Ditto. I'd add one thing though: allowing anonymous registration is not
necessarily the same thing as allowing all details of registration to be
publicly queryable under all circumstances. In any case (whether happily or
sadly) local laws can often get in the way of total openness.

The operational aspect of this I think is as follows: if an operator had a
problem with a network endpoint in 1995, then there was a good chance whois
<domainname> would reach someone clueful, as the majority of network
endpoints were clueful (for some reading thereof); hence whois <domainname>
was useful for network debugging. In 2004, I'd suggest the wider
penetration of the internet means whois <domainname> on its own is not a
useful operational tool any more. Even whois -h rir <inetnum> is becoming
less useful, and to an extent whois <asnumber>. The argument for people not
wanting to put personal information up on domain name registrations is I'd
have to say a little similar to the reason some providers don't like having
their (true) NOC number on whois <provider.net>; i.e. they don't want junk
calls. Which leaves you in essence with hop-by-hop debugging according to
peering agreements. Or "is anyone here from $provider" messages.

Alex

I'm going to try to keep this short, hence it's incomplete/choppy. Maybe
we should take it to off-list mail with those interested.

Great! So, if you are a vulnerable minority, don't use the internet.

I said precisely the opposite.

  This _in no way_ prevents anyone from doing things
  anonymously on the Internet: it just means that they can't
  control an operational resource, because that way lies madness.

And anyone who *is* a vulnerable minority should avoid doing this (that
is, deliberately exposing themselves by controlling an operational
resource) at all costs, because it self-identifies and instantly
compromises the very privacy they seek/need/want.

This doesn't stop anybody from doing anything they want online --
*except* controlling those resources, which is, like I said earlier,
is one of the very last things they should want to do if they're truly
concerned about their privacy.

And the other side of it is: I don't think an Internet with anonymous people
controlling operational resources is workable.

OK, how many anonymous domains (ala domainsbyproxy) have you been unable
to contact?

I *never* attempt to contact the owners of a domain which appears to be the
source of abuse, anonymous or otherwise. It's a complete waste of time.
I use the means at my disposal to ascertain whether it's really them (which,
99% of the time, is blindingly obvious) and then act accordingly. In the
remaining 1% of the cases, where substantial doubt remains, I note it and
await further developments. Sometimes those further developments include
reports/claims of joe-jobs; sometimes they include clinching proof (either
way) that eluded me; sometimes they're not forthcoming for a very long time.

<shrug> So be it. But I learned long ago that (modulo some very rare cases)
the only thing that can come out of contacting said domain owners is possible
disclosure of the means by which the abuse was detected, and the fact that
it _has_ been detected, and that's not a good thing.

But, I get less spam, and MUCH less snail mail, with anonymous registrations.

Today, perhaps. Do you really think it's going to stay that way? Surely
you must know that eventually the spammers WILL get their hands on your
"private" domain registration data, WILL use it to spam -- and oh-by-the-way
will also make a tidy profit doing a side business in selling it to anyone
with cash-in-hand?

C'mon, these are people with bags of money to spend. Do you *really* think
that the underpaid clerk at J. Random Registrar is going to turn down $50K
in tax-free income in exchange for a freshly-burned CD? And of course, once
the data's in the wild, it's not like those who are selling it will balk at
providing it to customers who have serious axes to grind.

Or if you want to believe in the fiction of 100% trustworthy registrars,
what happens when one of their [key] systems is zombie'd? Or when somone
figures out how to hijack one of the data feeds and snarf all the brand-new
domain data as soon as it's created?

There is a market for this data. Therefore it will be acquired and sold.

And attempts to maintain the pretense that it's otherwise -- while no doubt
inflating the profits of those peddling "anonymous" registration -- are
disengenuous, and in the long run, potentially very damaging, with the extent
of the damage perhaps proportional to the degree on which people rely on it.
(More bluntly: some people are going to be burned very badly by this. And
the subsequent inevitable litigation won't undo it.)

I agree. But why should it matter if you know the name of the person
controlling an operational resource if they are responsible net citizens?

Maybe, but I think where we differ is that I strongly believe that responsibility
(for operational resources) _requires_ public identification.

[ Oh: please note: content is not an operational resource. F'instance, I have
no problem, for instance, with someone running a blog anonymously. I have a
serious problem with someone running a network anonymously. ]

---Rsk

Rich Kulawiec wrote:

And the other side of it is: I don't think an Internet with anonymous people
controlling operational resources is workable.

OK, how many anonymous domains (ala domainsbyproxy) have you been unable to contact?

I *never* attempt to contact the owners of a domain which appears to be the
source of abuse, anonymous or otherwise.

I'm confused. You never try to contact the owners of a domain which appears to be the source of abuse, but insist that domains can't be anonymous?

All rhetoric aside, this appears to be a question of what it means to have
a domain.

Once upon a time, domain names were (somewhat) hard to get, and were given
to organizations important enough to merit Internet connectivity (which
was also somewhat hard to get). If you saw abuse coming from somewhere,
you could look at the host the abuse was coming from, find the contact
information for their domain, and contact their employer's or university's
IT department to complain. To make matters even easier, the Internet was
small enough at that point that dealing with such complaints wasn't all
that overwhelming.

That was ten or fifteen years ago. Now, domain names can be gotten by
anybody with a few dollars, and having your own domain name is required if
you want to be able to take your e-mail address with you when switching
e-mail providers. Since lots of people want their e-mail addresses to be
portable, there are lots of domains out there. I don't have actual stats
on this, but I'm guessing that the percentage of domains that have hosts
in them, and are therefore capable of being the source of abuse, is
probably pretty small. A domain name is therefore now more like a phone
number. Perhaps this is a mistake. Perhaps domain names are far too
important to be wasted on individual conveninece. But if so, we're
several years too late for that argument to be very useful.

At this point, IP addresses tend to be a much better identifier of the
party responsible for a network user than their domain name. If you're
looking for a useful contact to talk to about a network problem, rather
than some poor end user to harrass, you're probably much better off
contacting the ISP or organization and that contact information is far
more likely to be associated with the IP address than the domain name.
Of course, there's also the question about whether the listed contact
information on a static IP address should be the ISP's or the end user's,
but that's much better discussed on the ARIN public policy mailing list
and its equivalents than here.

My question at this point is whether contact information for domains (or
at least, for domains which aren't themselves criticial infrastructure)
has any useful purpose at all. Domains without hosts in them aren't going
to have technical problems (unless the lack of hosts is itself a technical
problem) or abuse problems (except in terms of forgeries, which are really
somebody else's problem). Domains with only an MX record strike me as the
responsibility of whoever is providing the MX or DNS service. Domains
with actual hosts in them are probably the most similar to the domains of
a decade ago, but even there the IP addresses involved may be a better
indicator of who to talk to about things.

-Steve

So my view of it is the same as current practice and laws (at least in

US)

which require business (including DBA) registrations in county/state
registrar and requirying and making public corporate records, including
address of the company and list of its officers.

Interesting how many companies are "parked" at a lawyers
office, i.e. the official address of the company
is that of it's legal firm. One wonders why an abuse
organization would not use this same tactic and
register a legal firm as the administrative contact.

This is entirely separate from the operational issue
of who controls the nameservice for the domain and
who controls the routers and servers referenced
by A records in the domain. That is not something
that a registry can help with. Granted, it would
be good to have a real technical contact for every
domain that gets you to the same people who control
nameservice etc. However, that will always be
secondary information.

The network itself is the primary contact information
for a domain. Every nameserver has an IP address
whose connectivity can be tracked through the network.
Same thing for mail servers and anything else with
an A record. This means that operationally it is
far more important for the RIR whois directory to
have working technical contacts.

Fortunately, the RIRs do regularly put some effort
into keeping their whois listings up to date. If more
people would speak up coherently on this issue then
perhaps we will see the day when only accurate
contact info exists in the RIR whois directories.
As for domain name registries, they are not
terribly relevant for operations, just for serving
legal documents.

--Michael Dillon

Michael.Dillon@radianz.com writes:

Interesting how many companies are "parked" at a lawyers office,
i.e. the official address of the company is that of it's legal
firm. One wonders why an abuse organization would not use this same
tactic and register a legal firm as the administrative contact.

How much do you suppose the law firm would charge you for handling the
email influx if you got joe-jobbed? Sysadmin time is cheaper than
lawyer time, last I checked.

                                        ---Rob

A few weeks ago, we had a customer contact us regarding issues communicating with a domain. Investigation revealed that the domain handled it's own primary DNS server and the secondary DNS was pointed to another provider which had restricted outside queries to that particular server (and wasn't authoritative for the domain in the first place). The problem was that the TTL's on the NS RRs were different by 2 days and the remaining NS in cache was refusing queries.

IP addresses weren't registered to the responsible party. Domain wasn't registered to responsible party. We had to relay the information in a "best effort" approach through three different organizations in the hopes that the responsible person would get informed and fix the problem. This is not the ideal method of contact and wasted man hours in multiple organizations due to inaccurate information. The primary use of whois is still valid and anonymous/inaccurate records waste time and money for legitimate purposes.

-Jack