[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ga] Privacy and Whois databases
On Fri, 15 Oct 1999 21:19:05 -0500 Peter Veeck <veeck@texoma.net>
wrote:
> I use whois to fight spam abuse. Are Spam complaints going
> to be taken over by ICANN or a subset thereof?
(This note is going to be long and a bit technical. I apologize
in advance and anyone who believes that all problems are easy
should just skip it. Additional disclaimer: these are personal
impressions based on a bit of experience and thought --I have no
idea whether anyone else in MCI WorldCom would agree and they
certainly aren't corporate positions.)
Peter,
This case worries me a lot, because I can argue that either
whois is important to it or that it is nearly irrelevant. The
problem also looks different depending on whether you see those
tables as sources of information for fighting spammers (and you
and I do) or as sources of addresses for use by the spammers
(the amount of spam I get as the result of being in those tables
is trivial compared to what shows up from other sources, and
the CDs of millions of addresses for people to bother don't
appear to be significantly populated from Whois).
For background, in my day job, I've ended up with administrative
responsibility for MCI.NET; if you check the Whois tables,
you'll find my name and phone number there. Until 13
months ago, MCI.NET (with a fairly deep hierarchy) was the
management domain for internetMCI: there were never supposed to
be any user/customer mail addresses in the domain, but there
were many routers, mail and web servers, system management
stations, etc. internetMCI was pretty aggressively antispammer,
with a significant full-time staff dedicated to fighting the
activity, and there are a good number of ex-spammers, would-be
spammers, and even a few ex-large-bandwidth customers who can
attest to that. When we sold internetMCI to Cable and
Wireless, most of the spam-fighting apparatus went to them along
with the equipment, customers, etc.
But the spammers --or those who supply them with software and
tools-- either don't know that the sale occurred or don't care,
so MCI.NET has become a popular address for faking into
messageIDs, "From:", fields, bogus server names, etc., and is
used far more in those ways than it was, e.g., two years ago.
That the addresses are being faked is, in almost all cases,
obvious to anyone who has a clue about email and who takes a
minute to examine the trash that they have received.
It is also worth noting that, as for most business activities,
when things get large, they get specialized: even if
information is public, for a large domain, the top-level
contacts in the Whois tables are _exactly_ what the specs say
they are, i.e., administrative, technical, and billing contacts
for _namespace_ management. They may not have much to do with
email systems or, in especially bad cases, may not be more
effective at reaching the email people in their organizations
than an end user might be.
So, let's see what happens today. A user receives spam and
finds it offensive. There are a bunch of neat tools on the
market that either intercept the stuff sight unseen or take a
referral from that user and start sending out complaint messages
-- to postmaster, root, any address in whois, etc., at all of
the apparently-relevant domains. But those tools aren't too
smart, especially in the hands of clueless users (we recently
had the authors of one tell us that being more careful would
slow down the software and be inefficient (!)).
So, these faked addresses produce a large flow of messages (some
of them quite abusive and threatening) to people who aren't
responsible for the spam or its relaying, have little or no
control over organizational mail servers, and, if there are
specific people in the organization whose jobs focus on
spammer-fighting and who have the skills and tools to do so,
they don't get reached. I, and I assume most of us, do forward
those notes to the right places, but some considerable time gets
lost in the process.
And time is important: typically, the real offenders are
originating the junk from short-lived dialup accounts. If they
can be tracked down at all, one has to capture the dialup
address and timestamps from the email header, identify the ISP,
get to _their_ antispam people, and find out which customer was
using that address at that time (that assumes little relaying
and fakery goes on; otherwise the tracing process has to be done
recursively, one site/organization at a time. Now, here, the
whois tables might help us identify a site contact to discuss
things with, but, as in our case, the larger and better-staffed
the ISP is, the less likely it is that the whois path will be
particularly efficient. And many ISPs don't keep those
detailed logs for a very long time: if the spammer can succeed
in evading identification for long enough (in some cases we have
encountered, only 24 hours), it can't be found at all.
Even if we (or someone closer to the user -- we really shouldn't
be involved at all in this part of the process) find the right
ISP, privacy and business considerations often prevent their
identifying the customer to us. If they care (some do more than
others), they must identify the customer and take responsibility
for discouraging the behavior (noting that shutting down the
account of a dialup user is nearly pointless -- it just shows up
somewhere else a few minutes later). But those are other
issues.
Conclusion: the whois data, even if available, aren't an
especially good tool for fighting spam, although they may be
better than anything else right now (see below). And, if they
are needed, replacing them with the smail, inquiries to
registrars, or proofs of why the information is important, just
aren't going to be adequate substitutes because of those
timeout problems.
However, it is often extremely important to be able to use the
Whois data for the reasons for which they (and the rule that
sites running email must support a "postmaster" address) were
originally intended: to get a message to someone about
something, in the name space, on the mail system, or elsewhere
relevant, that the involved system is broken and needs fixing up
from the inside. In the Whois case, relying on a DNS SOA record
(or something similar) to obtain the contact information can be
pointless -- the canonical complaint is "your DNS server is
broken and is causing network damage", and that requires a path
that doesn't depend upon being able to access the DNS server.
Remember that, ultimately, the information in those tables is
about the management of a name space... it is not about who runs
a business, where to find the web master, or who is the chief
poo-bah in charge of cutting off customers who violate network
norms.
Oddly, the trademark issues that keep coming up as examples of
why the data need to be public may be less difficult, just
because obtaining information in strictly real-time may be a bit
less important. I haven't seen anything that feels to me like
the right formula yet (some of the ideas that have been floated
feel distinctly not-right, but I think there may be a reasonable
one somewhere). For example, there may be some possibilities
involving registering or credentialing people who would engage
in legitimate intellectual property searches to get them
different access than random users might have while ensuring
those mechanisms don't create another monopoly or another
"business opportunity" for registries or registrars. And, if
_their_ privacy is important, we could imagine third-party
organizations, keys, and certificates that would provide
credentials while protecting privacy.
That obviously isn't a case for either "should be completely
open" or "should be completely closed" or even for "user
option". It is a strong suggestion that there are more
possibilities if we think creatively about the issues and what
we are trying to accomplish.
And that brings us back to the fighting of the spammers. I
think some creative work is needed. It isn't clear to me that
ICANN is the right place to do the work or to make whatever
guidelines are needed. I think most ISPs, and companies who
receive a lot of spam complaints, would be delighted to publish,
either as part of Whois data that was always exposed or through
some agreed-upon DNS entry, contact information for anyone who
believes spam is originating from their sites and that the odds
of persuading others to go along are pretty good. A "for
alleged spam, contact" address could be published, even for a
domain whose real contact information needed to be hidden from
general view, by pointing to a third party (since many of the
sites requiring anonymity don't run mail servers, they might
find that recruiting someone to accept such mail and return a
brief response, ideally after an automated review, quite easy).
Or we could try to standardize another address like
"postmaster". But we would all need a convention about where
to put the information and how to present it that could be used
by low-clue users and whatever tools they select.
Like it or not, these are complex systems. Everything is
related to everything else. Answers that are developed from
only a single perspective, or with the needs of only a single
user group, in mind, will almost always be wrong because they
will foul up something else of [nearly] equal importance. We
need to figure out how to work together to get all of the issues
and considerations onto the table, to eliminate the fantasies,
and then to construct a solution space and see what can be
created in it.
My impression is that the turmoil of the last few years has made
it hard to think creatively about these problems and to inject
any solutions that might be found into the systems. Too much
else has been going on, and it has been too tempting to identify
any change or suggestion as a plot with one sinister purpose or
another. But maybe this, or right after we get through the
election, is the right time. And maybe the GA would be a good
place to at least initiate the discussion, rather than just
turning into a series of simplistic straw polls on a small
fraction of the options or arguments about which objective is
most important.
john