The Curious Correlation Between .biz Domains, Bad Whois Data, and Spam

Terry Calhoun, IT Trends Commentator
Society for College and University Planning (SCUP)
University of Michigan

J'e's been busy playing detective and he's discovered some interesting loopholes in various procedures related to ICANN policies. I've noticed "bad" whois registration addresses before but never followed through to do anything about them. Maybe now that J'e has laid all of this out for us, more of us can join in to plug these spam holes.

***

J'e St Sauver, Ph.D. (j'e@oregon.uoregon.edu)
Director, User Services and Network Applications
University of Oregon Computing Center

If you take the time to deconstruct the spam you receive, one of the most interesting things to scrutinize is any URL contained in the body of the spam. Notice any pattern to the URLs you see? Ever wonder who's behind those all those different domain names?

Non-network-geeks may not know that every domain has (or at least is *supposed* to have) accurate registrant information available via "whois." For example, if you have access to a unix shell account, the command:

whois -h whois.networksolutions.com syllabus.com

will show you the whois data associated with this Web site's domain." If you'd prefer a Web-based whois, you can try http://www-whois.internic.net/cgi/whois.

The general requirement that domains have accurate registrant information is explicitly defined at Registrar Advisory Concerning Whois Data Accuracy. Later that same year, the ICANN Security and Stability Advisory Committee did a nice job of explaining why accurate whois data is absolutely key to the security and stability of the network.

If you find a .com or .net domain, spamvertised or otherwise, that happens to have inaccurate whois data, you can easily report it using the online form.

Thus, for example, if you see a whois U.S. street address that looks suspicious, you can use any of a variety of online address verification tools (such as USPS) to check at least the superficial validity of that address. (The more profound question of whether or not a valid address is actually the right valid address for a given entity is a more subtle question that we'll set aside for now, along with the issue of doing address verification for non-U.S. addresses where computerized address validation tools may not be available.)

Anyhow, if you should happen to find a street address associated with a .com or .net address that turns out to be wrong, you can report that problem using the Internic's online form. For the most part, .com and .net whois data is generally pretty clean, and when you find a .com or .net domain that has data that isn't right, you can easily get that whois data cleaned up (or the registration data for that domain "registrar locked" or deleted).

But what about .biz? I don't know about you, but I've been seeing an *awful* lot of spam that uses .biz domain names lately, and I think I've begun to understand why that's happening.

Specifically, even though .biz is an top-level domain that's registered via ICANN-accredited registrars (just like .com and .net domains), and .biz domain registrations are theoretically subject to the same whois data accuracy requirements as .com and .net, some things are "done a little differently" in the .biz domain name space.

For example, you can't submit reports about inaccurate .biz whois data via
http://reports.internic.net/cgi/rpt_whois/rpt.cgi - that form simply won't accept complaints about .biz domain names.

If you contact neulevel.biz, the registry operator for .biz, about inaccurate .biz whois data, neulevel.biz shrugs its electronic shoulders, sending you "bug off" boilerplate like the following verbatim text I received from NeuLevel when I tried complaining about a spamvertised .biz domain with bad whois data:

Please note that NeuLevel is a third party provider of registry services to over 100 ICANN-accredited .BIZ registrars. As a registry, we only provide a database in which registrars store their customers' domain name records. Only the respective registrars can delete or block a domain from resolving, if the registrar determines that the domain's registration violates one or more clauses in the terms of use. Therefore, the most appropriate party with whom you should file your complaint is the sponsoring registrar, whose name appears in Line 3 of the domain name's WHOIS record found at
http://www.whois.biz You can get the registrar's contact information by submitting a WHOIS query for "Registrar" instead of domain name.

You can also report domains with inaccurate WHOIS information directly to ICANN by completing the ICANN report form:
http://reports.internic.net/cgi/rpt_whois/rpt.cgi.

If you're having a boring day, and want an interesting little research project as an alternative to working through the New York Times crossword puzzle, check the list of .biz registrars
[http://www.neulevel.biz/partners/registrars.html]. Now try building a page with links to each .biz registrar's bad whois reporting mechanism. Daunting task, isn't it? Do you find some .biz registrars who apparently lack any readily identifiable mechanism for reporting bad whois data? Yep, I sort of thought you might.

Given all that, it is little wonder that sightings of .biz domains in spam have become extremely common.

De facto tolerance of the use of .biz domains in spam, and failure to take steps to police inaccurate .biz whois data will eventually lead to:

· more and more spammers selecting .biz domains for spamvertised URLs, and
· more and more sites using the presence of a .biz URL as a spam filtering criterion.

For example, if you use the default rules distributed with SpamAssasssin, the mere presence of a .biz top-level domain URL in a message is currently worth 0.784 points (toward a total of 3.0 points typically required for a message to get flagged as spam).

ICANN and NeuLevel really need to take affirmative steps to clean up and reclaim .biz before that TLD ends up getting completely written off by material sections of the Internet, to the detriment of legitimate .biz domain name registrants. Auditing all existing .biz whois data for accuracy, and disabling .biz domains demonstrably used in conjunction with spam will be key first steps in that effort.

***

As usual, J'e's made some good points about what he's discovered. According to the ICANN Web site, the NeuLevel public contact for the generic Top Level Domain ".biz" is: Barbara Blackwell, Manager, Public Relations, NeuLevel, +1 202 533 2730, Fax: +1 202 533 2976, http://www.nic.biz. However, although that phone number works, she's no longer there. I wonder who I should report that to?

comments powered by Disqus

Campus Technology News

Sign up for our newsletter.

I agree to this site's Privacy Policy.