[zone transfers, a spammer's dream?]

It doesn't matter: that toothpaste came out of the tube a long time
ago. Spammers have been buying and selling domain registration
information for years, and anyone with cash-in-hand can buy as much
of it as they want: either by TLD or by country or by category.

Here's just a tiny tip-of-the-iceberg sample of the hundreds (?) of
buyers, sellers, and brokers for WHOIS data and tools to manipulate it:

        http://www.bestextractor.com/
        http://www.massmailsoftware.com/whois/
        http://lists.freebsd.org/pipermail/freebsd-chat/2004-January/001942.html
        http://gnso.icann.org/mailing-lists/archives/dow1-2tf/msg00121.html
        http://www.sherpastore.com/store/page.cfm/2003

You can find as many more as you wish by using your favorite search
engine to look for various combinations of

        extractor whois contact domain fresh leads market target email url

and then just following the links back to their sites. (If the sites
are down, don't worry: they'll be back soon, maybe with a new domain,
maybe on a new web host.)

How are they getting it? I don't know. Maybe they have deals with
registrars; maybe they have deals with registrar employees; maybe they
just breached registrar security. Or maybe something else entirely.

However they're getting it, they're getting updates: in fact, updated
information carries higher market value. And anyone who is so foolish
as to believe that their "private" (obfuscated, cloaked, whatever) domain
registration information is *really* private is in for a rude awakening.

The irony of all this is that spammers already have all this information
-- yet registrars have gone out of their way to make it as difficult as
possible for everyone else to get it (rate-limiting queries and so on).

---Rsk

They clearly don't "already have" this information, or they wouldn't be
a) offering to pay people for it
b) continuing to try to obtain it by data mining.

Your argument is roughly equivalent to "The irony of this is that drug
dealers already have drugs -- yet governments have gone out of their
way to make it as difficult as possible for everyone else to get them".
Or "Credit card fraudsters already have credit card numbers - yet
credit card companies have gone out of their way to make it as
difficult as possible for everyone else to get them".

IE sure, there's a lot of leaked information out there (often including
personal data), that doesn't mean responsible registries should add
to it.

Note also that responsible registries do provide query access (automatable
where necessary) to registration data in a variety of different ways;
not all make it "as hard as possible" for others to access it.

I will leave it to the reader's judgment to work out which registries
come under the category "responsible".

Alex

agreed. also of note is that at least from here, the .ca folks have fixed
the issue.

-p

Alex Bligh wrote:

>> The irony of all this is that spammers already have all this information
>> -- yet registrars have gone out of their way to make it as difficult as
>> possible for everyone else to get it (rate-limiting queries and so on).
>
> They clearly don't "already have" this information, or they wouldn't be
> a) offering to pay people for it
> b) continuing to try to obtain it by data mining.

There are lots of small-time spammers. Rest assured that the big fish already have access to most major zonefiles.

> Your argument is roughly equivalent to "The irony of this is that drug
> dealers already have drugs -- yet governments have gone out of their
> way to make it as difficult as possible for everyone else to get them".
> Or "Credit card fraudsters already have credit card numbers - yet
> credit card companies have gone out of their way to make it as
> difficult as possible for everyone else to get them".

Drugs are bad. Domains aren't. For a certain value of aren't.
Credit card numbers are all you need to commit fraud. Domains aren't. For a certain value of aren't.

> IE sure, there's a lot of leaked information out there (often including
> personal data), that doesn't mean responsible registries should add
> to it.

Such as... selling access to the data to anyone who pays? No, responsible registries should of course not do this.

- Kandra

Indeed. I wasn't suggesting they should.

Alex

It all depends on the registry's moral and ethical stance, and whether
it feels more responsibility to the public trust, or responsibility to
"maximize shareholder value". A large enough payment does wonders for
shareholder value, and an incredible number of companies don't seem to
feel any great need to benefit the public trust if not forced to do so.

And of course, even a not-large payment often suffices, especially if it
involves a suitcase and maximizing an underpaid employee's value... ;)

> They clearly don't "already have" this information, or they wouldn't be
> a) offering to pay people for it
> b) continuing to try to obtain it by data mining.

Sure, some of "them" quite clearly don't. And so they're buying it
from those who do, or acquiring it themselves. But lots of "them"
have it, and have means to acquire updates to it when it suits them.

This can't be surprising to anybody, given the amount of money
being thrown around, the technical sophistication that's been
displayed, and the usual assortment of security issues.

> Your argument [...]

It's not an argument. I'm just reporting the news. Well, okay,
I suppose I'm also arguing that there's no point in maintaining the
pretense that registrars are keeping it all tucked away safe from
[automated] prying eyes because it's obvious to everyone that *if*
that was ever true, it stopped being true a long time ago.

It's done. It's over. It's history. Any debate about how it
_should_ have been kept tucked safe away has been rendered moot,
and while it might still hold some philosophical interest, its
practical value is nil.

> Note also that responsible registries do provide query access (automatable
> where necessary) to registration data in a variety of different ways;
> not all make it "as hard as possible" for others to access it.

<shrug> I think it's time to abandon the charade and simply publish
all of it -- one static web page per domain, refreshed when the
backing info changes. That would at least level the playing field,
and pull the rug out from under those who are selling it.

---Rsk

Or he's decided not to proceed for whatever reason. Perhaps he read:
http://tinyurl.com/6datz
http://tinyurl.com/6p9pt
http://tinyurl.com/6sv4p
http://tinyurl.com/5r9nu
etc. and decided not to bother.

Alex

a message of 174 lines which said:

     171 uk.zone

Everything is in subdomains like co.uk, so there is no point in
blocking zone transfers for the TLD.

For the same reason, it is perfectly normal to

$ dig @<LETTER>.root-servers.net. . axfr