A system that allows anti-spam activists to report entities that bulk-register domain names using false or misleading identity data is about to gain a much-needed new privacy feature: The option for activists not to expose their identities to the very spammers they’re trying to report.
The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the Internet’s domain name system, runs a program called the WHOIS Data Problem Reporting System (WDPRS). It’s designed to allow Internet community members to alert registrars about customers that list incomplete or inaccurate contact records for domain registrations.
The policy of requiring registrars to make WHOIS data publicly searchable is no doubt a contentious one, but the reality is that spammers and scammers frequently bulk register large numbers of domains in one go, and tend to take their business to registrars that don’t ask too many questions. Indeed, some domain registrars have built a business out of catering to spammers and scammers.
In many cases, spammers will mass-register domains using completely bogus contact information, or — as appears to have been the case with hundreds of domains that were used recently in an attack against KrebsOnSecurity.com — with the contact information belonging to people whose stolen credit cards were used to fraudulently register the spammy domains.
Some anti-spam activists have pursued bulk registrants with false WHOIS data because, under ICANN’s rules, registrars are supposed to investigate and eventually suspend domains whose owners fail to respond to requests to verify or correct false WHOIS data. And in direct response to a massive influx of reporting on these domains by such activists, ICANN built the WDPRS.
But at some point, ICANN began sharing the names and email addresses of people who were reporting the erroneous WHOIS information with the registrars for each offending domain, exposing the identities of any anti-spam activists who used their real contact information in reporting the issues to ICANN.
Ronald Guilmette, an anti-spam activist and a frequent user of the WDPRS, said ICANN’s decision to share reporter information with registrars puts reporters in the awkward and ironic position of having to spoof their identity to report domain registrants who are spoofing their identities.
“It should not be news to ICANN that some of these registrars are not lily white,” Guilmette said. “The effect of forwarding reporter information is a chilling one, and ICANN is in effect going to be discouraging people from even filing these reports because of fear of retaliation.”
I reached out to ICANN on this issue, and heard from Stacy Burnette, the organization’s director of contractor compliance. Burnette said ICANN had heard the concerns of the community and would be making changes to the system as a result.
“We’ve received some comments about our current WDPR system, and how it identifies reporter information, so we are making an adjustment whereby a reporter can elect to have identity information revealed or not,” Burnette said. “If they elect to not have that information revealed, we will not send the reporter’s name and email address.”
Burnette declined to offer a date by which the changes would be made. “We’re working to make sure this happens shortly,” she said.
The overriding concern is not so much for privacy as the general obscurity of the WDPR process, especially when escalation is required. As a case in point, one of our client’s “competitors” has been operating what amounts to a scam for several years now from several sites backed by provably false registrant info. Our reports have been duly filed with ICANN, the defects in the registration pointed out, etc., yet no progress against the registrant or registrar ever seems to get made.
There is a need for more disclosure by ICANN to show a list of steps taken following a report, the waiting and response periods in the process and a more clear list of “next steps” which may be taken once a report has not been acted upon by the registrant and registrar.
I’ve heard this same complaint about ICANN for over 10 years…i.e. slow to respond, slow to act, toward legitimate complaints. Many people feel they are part of the problem in trying to make the Internet a safer place. Is it intentional or unintentional neglect and slowness?
Perhaps we need a new leading body that is more responsive to the people it supposedly protects??
ICANN’s budget depends on receiving a few cents from every domain name registration.
Spammers and other scammers register massive numbers of domains, since they can’t be used long before spam filters block any email that mentions them. It’s hard to imagine a legitimate business that would need or want several hundred identical websites using different domain names simultaneously, yet that’s standard procedure for spamvertised domains. The number of spammer-registered domains is very large compared to the number of spammers.
So, what percentage of ICANN’s budget would evaporate if the problem of fraudulent domain registrations were suddenly solved?
Does anyone think it’s ironic that complainants want their contact info to be private, however the complaints they are submitting are regarding accurate contact info for domains?
Whatever happened to being able to know your accuser?