A proposal to let Internet service providers conceal the contact information for their business customers is drawing fire from a number of experts in the security community, who say the change will make it harder to mitigate the threat from spam and malicious software.
The American Registry for Internet Numbers (ARIN), one of five regional registries worldwide that are responsible for allocating blocks of Internet addresses, later this month will consider a proposal to ease rules that require ISPs to publish address and phone number information for their business customers.
The idea has support from several ISPs that claim the current policy forces ISPs to effectively publish their customer lists.
“I operate in a very competitive business, and there are instances where I can show that my competitors have gone out and harvested customers’ contact information and used that to try to take those customers away,” said Aaron Wendel, chief technical officer at Kansas City-based Wholesale Internet Inc., and the author of the proposal. “I have yet to find another private industry that is not government-related that requires you to make your customer lists publicly available on the Internet.”
Critics of the plan say it will only lead to litigation and confusion, while aiding spammers and other shady actors who obtain blocks of addresses by posing as legitimate businesses.
Jeff Chan, who maintains Surbl.org, a list of Web sites that have appeared in spam e-mails, said in written comments on the proposal that it would effectively require a court order to compel ARIN to disclose the business user of an Internet address, because the proposal doesn’t contemplate a process by which ISPs would be required to disclose the information.
“Such restrictions could severely hamper private operations that significantly help to secure the Internet, such as security research, botnet and malware mitigation, notification about cracked servers and networks, etc,” Chan wrote. “By slowing down access to contact information, indeed severely restricting access to it, routine actions which today help protect the Internet community could be severely obstructed to the point of preventing them from happening in many cases.”
Security experts from PayPal commented that ARIN should be considering ways to make the ownership of address blocks more transparent, not less, citing research published by KrebsOnSecurity.com that examined the ISPs most commonly identified on the Top Ten Worst ISP lists from ten different organizations that measure ISP reputation.
“The concerns we raise above aren’t purely hypothetical either. Just this week we’ve seen the publishing of data about possibly malicious ISPs that paints with a fairly broad brush because of how registration data is represented to the outside world,” wrote Andy Steingruebel and Jon Orbeton, members of PayPal’s security team. “Without better visibility into the actual bad actors the community is forced to view certain large ISPs with more suspicion than they may be due. More accurate records … can help to prevent this situation.”
Chief among the concerns voiced by those in the security industry is that the policy change would make it easier to hide the tracks of so-called snowshoe spammers. According to Spamhaus.org, these are spammers who use “many fictitious business names, fake names and identities, and frequently changing postal dropboxes and voicemail drops. Conversely, legitimate mailers try hard to build brand reputation based on a real business address, a known domain and a small permanent range of sending Internet addresses. Snowshoers often use anonymized or unidentifiable WHOIS records, whereas legitimate senders are proud to provide their bona fide identity.”
Indeed, Spamhaus has identified a fairly large number of snowshoe spammers apparently operating out of Wholesale Internet.
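The Spamhaus description above is, in effect, a set of features a reviewer can look for in published reassignment records: contact fields that are withheld, and one postal drop and phone number fronting many distinct "business names". The following script is an added example, not tooling from ARIN, Spamhaus, Surbl or any ISP named in this article; the records, names, thresholds and `.invalid` mail addresses are all constructed (RFC 5737 documentation prefixes), and the heuristics are illustrative only. It shows the kind of triage that depends on the contact data the proposal would let ISPs withhold.

```python
"""Heuristic review of address-block contact records (constructed example).

Scores each reassigned block for two traits Spamhaus attributes to snowshoe
operations: anonymized/unidentifiable contact data, and many distinct
organization names registered to one postal drop and phone number.
Every record below is invented; prefixes come from RFC 5737 documentation space.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class BlockRecord:
    cidr: str         # reassigned prefix as the ISP would publish it
    org_name: str     # customer name in the public record
    street: str       # postal address (possibly a mail drop)
    phone: str
    abuse_email: str


# Field values that carry no usable identity information.
ANON_MARKERS = {"", "n/a", "private", "redacted", "withheld", "not disclosed"}


def is_anonymized(value: str) -> bool:
    """True when a contact field is withheld or a placeholder."""
    return value.strip().lower() in ANON_MARKERS


def anonymized_field_count(rec: BlockRecord) -> int:
    """Number of the four contact fields that are withheld or empty."""
    fields = (rec.org_name, rec.street, rec.phone, rec.abuse_email)
    return sum(is_anonymized(f) for f in fields)


def orgs_per_dropbox(records):
    """Group records by (street, phone) and collect the distinct org names
    behind each; one drop fronting many names is the 'many fictitious
    business names' pattern."""
    groups = {}
    for rec in records:
        key = (rec.street.strip().lower(), rec.phone.strip())
        groups.setdefault(key, set()).add(rec.org_name)
    return groups


def flag_candidates(records, max_anon=1, min_orgs=3):
    """Return {cidr: [reasons]} for blocks that deserve a closer look.
    The thresholds are arbitrary defaults chosen for this example."""
    groups = orgs_per_dropbox(records)
    flagged = {}
    for rec in records:
        reasons = []
        anon = anonymized_field_count(rec)
        if anon > max_anon:
            reasons.append(f"{anon} of 4 contact fields anonymized")
        key = (rec.street.strip().lower(), rec.phone.strip())
        names = groups[key]
        # Only count shared drops when the address itself is identifiable.
        if not is_anonymized(rec.street) and len(names) >= min_orgs:
            reasons.append(f"{len(names)} distinct org names share this address/phone")
        if reasons:
            flagged[rec.cidr] = reasons
    return flagged


# Constructed sample reassignments (invented names, documentation prefixes).
SAMPLE_RECORDS = [
    BlockRecord("192.0.2.0/29", "Example Widgets LLC", "100 Main St, Springfield",
                "+1-555-0100", "abuse@example-widgets.invalid"),
    BlockRecord("198.51.100.0/29", "Sunrise Mailing Co", "PO Box 9001, Anytown",
                "+1-555-0199", "abuse@sunrise.invalid"),
    BlockRecord("198.51.100.8/29", "Blue Sky Offers", "PO Box 9001, Anytown",
                "+1-555-0199", "abuse@bluesky.invalid"),
    BlockRecord("198.51.100.16/29", "Prime Deals Group", "PO Box 9001, Anytown",
                "+1-555-0199", "abuse@primedeals.invalid"),
    BlockRecord("203.0.113.0/29", "Private", "Withheld",
                "N/A", "abuse@isp.invalid"),
]

if __name__ == "__main__":
    for cidr, reasons in flag_candidates(SAMPLE_RECORDS).items():
        print(cidr, "->", "; ".join(reasons))
```

On the sample data the block with a full, consistent record passes, the three blocks sharing one post office box and phone number are flagged together, and the block with three withheld fields is flagged on its own. Note that the second heuristic is only possible because the street and phone fields are published at all; with those fields withheld, the shared-dropbox signal disappears along with the anonymization count.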
Wendel said his company has a full-time employee who handles abuse complaints and disconnects customers who generate spam abuse complaints.
“Unfortunately, spammers are attracted to us because [our service is] cheap and their liability [for losing servers to abuse complaints] is much lower. That’s just the nature of the business, unfortunately.”
Still, Wendel said he was somewhat unprepared for the public reaction to his proposal.
“Before I floated this [proposal], I got a lot of people saying, ‘Good luck, and keep your head down.’ I knew I’d catch some flak for it, but it’s generated a bit more flak than I expected.”
ARIN is expected to decide on the proposal later this month at its meeting in Toronto.