'Whois protection service'

Hi folks.
Don't post a lot here but I'm figuring you folks will know more about this
than my local NOG...

When investigating a host that spammed me today, I noted that when I
whois'd the domain that the mailserver involved has forward/reverse dns
pair for, the domain whois information comes up as follows:

Found crsnic referral to whois.enom.com.

Registration Service Provided By: Registerfly.com
Contact: support@registerflysupport.com
Visit: http://www.RegisterFly.com

Domain name: xmux.com

Registrant Contact:
   RegisterFly.com - Ref# 14155933
   Whois Protection Service - ProtectFly.com (14155933.fly@spamfly.com)

I'm unsure how appropriate it is to post anything more specific in the
open forum, but I've never seen this before. What's the deal with hiding a
domain name owner's true identity?
Is this not simply yet another protect-the-spammers mechanism?

I followed up the chain - the authoritative DNS servers for the domain in
question are hosts within a different domain, and this also has the same
protection engaged....

Is this old hat or something new? Is this still conformant to standard
.com/net registrant rules and regs? (here in .nz, the registry information
is required to be current and valid, and I've never seen a Registrar pass
itself off as the owner of a domain before (at least in any legitimate
situation))

Thanks in advance,
Mark.

> Hi folks.

Hello Mark,

> Don't post a lot here but I'm figuring you folks will know more about this
> than my local NOG...

Glad to have you on NANOG.

> When investigating a host that spammed me today, I noted that when I
> whois'd the domain that the mailserver involved has forward/reverse dns
> pair for, the domain whois information comes up as follows:
>
> Found crsnic referral to whois.enom.com.
>
> Registration Service Provided By: Registerfly.com
> Contact: support@registerflysupport.com
> Visit: http://www.RegisterFly.com
>
> Domain name: xmux.com
>
> Registrant Contact:
>    RegisterFly.com - Ref# 14155933
>    Whois Protection Service - ProtectFly.com (14155933.fly@spamfly.com)
>
> I'm unsure how appropriate it is to post anything more specific in the
> open forum, but I've never seen this before. What's the deal with hiding a
> domain name owner's true identity?
> Is this not simply yet another protect-the-spammers mechanism?

It will probably be called off-topic, flamed and dragged through the
mud, yet to answer your question. It is fully legit, yet it does have
its bad sides. I use it personally to keep prank callers from calling
me directly.

[soms@posche /]$ whois somsworld.com
[Querying whois.internic.net]
[Redirected to whois.godaddy.com]
[Querying whois.godaddy.com]
[whois.godaddy.com]

Registrant:
   Domains by Proxy, Inc.
   15111 N Hayden Rd., Suite 160
   PMB353
   Scottsdale, Arizona 85260
   United States

   Registered through: GoDaddy.com
   Domain Name: SOMSWORLD.COM
      Created on: 25-Aug-04
      Expires on: 25-Aug-05
      Last Updated on: 18-Jan-05

   Administrative Contact:
      Private, Registration SOMSWORLD.COM@domainsbyproxy.com
      Domains by Proxy, Inc.
      15111 N Hayden Rd., Suite 160
      PMB353
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599 Fax --
   Technical Contact:
      Private, Registration SOMSWORLD.COM@domainsbyproxy.com
      Domains by Proxy, Inc.
      15111 N Hayden Rd., Suite 160
      PMB353
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599 Fax --

   Domain servers in listed order:
      NS1.HITMANIT.COM
      NS2.HITMANIT.COM

> I followed up the chain - the authoritative DNS servers for the domain in
> question are hosts within a different domain, and this also has the same
> protection engaged....
>
> Is this old hat or something new? Is this still conformant to standard
> .com/net registrant rules and regs? (here in .nz, the registry information
> is required to be current and valid, and I've never seen a Registrar pass
> itself off as the owner of a domain before (at least in any legitimate
> situation))

It is all current information, and valid. I have gotten letters passed
through to me from godaddy. It's a perfectly legit situation. Yet in
your case it may not be, and it may be used to hide the person.

> I'm unsure how appropriate it is to post anything more specific in the
> open forum, but I've never seen this before. What's the deal with hiding a
> domain name owner's true identity?

Happens all the time..

> Is this not simply yet another protect-the-spammers mechanism?

Bingo. Be glad you found any info - some spammers have been taking advantage
of the fact that some registries update the DNS every 5 minutes and the whois
info every 12 hours, so with proper timing you can have the DNS go live, and
have 11 hours and 50 minutes of carefree spamming before the Whois goes live
and they figure out who you are and complain...

> Is this old hat or something new? Is this still conformant to standard
> .com/net registrant rules and regs? (here in .nz, the registry information
> is required to be current and valid, and I've never seen a Registrar pass
> itself off as the owner of a domain before (at least in any legitimate
> situation))

Remember that registrars *like* spammers who burn through 200 domains/week,
because they can collect $9 for each one. Every week. ;)

And there's even a few registrars that are basically just spammer shell
corporations, so they can burn through 200 domains a week *without* having
to pay $9 per (or more correctly, they pay themselves). What? 200+ registrars
or whatever we're up to, and you thought they were *all* clean?? ;)

(They're not *all* bad, evil and black-hat - as far as I can tell, GoDaddy
provides a similar service - but if you end up calling them because there's a
problem, they're not at all amused - and take their ire out on the problem user)

Further discussion is probably better done on spam-l@peach.ease.lsoft.com

> > I'm unsure how appropriate it is to post anything more specific in the
> > open forum, but I've never seen this before. What's the deal with hiding a
> > domain name owner's true identity?
>
> Happens all the time..

*snip*

> (They're not *all* bad, evil and black-hat - as far as I can tell, GoDaddy
> provides a similar service - but if you end up calling them because there's a
> problem, they're not at all amused - and take their ire out on the problem user)
>
> Further discussion is probably better done on spam-l@peach.ease.lsoft.com

Thanks to those who've responded both on and off list - it seems the rules
are different on your side of the world. I'll go the other way (as I
usually do) and chase the IPs involved (I usually pursue both out of
curiosity, but had not seen the aforementioned whois output before).

My thanks - can close this thread now before I get moderated. :)

Mark.
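
Added example, not part of any post in the thread: a small triage of the two WHOIS responses quoted above, flagging a proxy/privacy registrant and pulling out the name servers to chase next. The sample strings are trimmed copies of the thread's output; `block_after`, `triage` and the `PROXY_HINTS` phrase list are hypothetical names and assumptions made for this sketch.

```python
import re

# Constructed samples: trimmed copies of the two WHOIS responses in the thread.
SAMPLE_ENOM = """\
Registration Service Provided By: Registerfly.com
Domain name: xmux.com

Registrant Contact:
   RegisterFly.com - Ref# 14155933
   Whois Protection Service - ProtectFly.com (14155933.fly@spamfly.com)
"""
SAMPLE_GODADDY = """\
Registrant:
   Domains by Proxy, Inc.
   15111 N Hayden Rd., Suite 160

   Registered through: GoDaddy.com
   Domain Name: SOMSWORLD.COM

   Domain servers in listed order:
      NS1.HITMANIT.COM
      NS2.HITMANIT.COM
"""

# Assumption: hand-picked phrases; proxy services word this differently.
PROXY_HINTS = re.compile(r"whois protection|by proxy|privacy", re.I)

def block_after(text, header):
    """Return the non-blank lines that directly follow a header line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower().startswith(header.lower()):
            out = []
            for nxt in lines[i + 1:]:
                if not nxt.strip():
                    break
                out.append(nxt.strip())
            return out
    return []

def triage(text):
    """Summarise one WHOIS response for abuse follow-up."""
    domain = re.search(r"domain name:\s*(\S+)", text, re.I)
    registrant = block_after(text, "Registrant")
    return {
        "domain": domain.group(1).lower() if domain else None,
        "proxied": any(PROXY_HINTS.search(l) for l in registrant),
        "nameservers": [n.lower() for n in block_after(text, "Domain servers")],
    }
```

When `proxied` is true the registrant block identifies only the proxy service, so the name servers and the sending IP's own allocation record are the remaining leads.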