The Curious Correlation Between .biz Domains, Bad Whois Data, and Spam
Terry Calhoun, IT Trends Commentator
Society for College and University Planning (SCUP)
University of Michigan
J'e's been busy playing detective and he's discovered some interesting loopholes
in various procedures related to ICANN policies. I've noticed "bad"
whois registration addresses before but never followed through to do anything
about them. Maybe now that J'e has laid all of this out for us, more of us can
join in to plug these spam holes.
***
J'e St Sauver, Ph.D. (j'[email protected])
Director, User Services and Network Applications
University of Oregon Computing Center
If you take the time to deconstruct the spam you receive, one of the most interesting
things to scrutinize is any URL contained in the body of the spam. Notice any
pattern to the URLs you see? Ever wonder who's behind those all those different
domain names?
Non-network-geeks may not know that every domain has (or at least is *supposed*
to have) accurate registrant information available via "whois." For
example, if you have access to a unix shell account, the command:
whois -h whois.networksolutions.com syllabus.com
will show you the whois data associated with this Web site's domain." If you'd
prefer a Web-based whois, you can try http://www-whois.internic.net/cgi/whois.
The general requirement that domains have accurate registrant information is
explicitly defined at Registrar
Advisory Concerning Whois Data Accuracy. Later that same year, the ICANN
Security and Stability Advisory Committee did a nice job of explaining
why accurate whois data is absolutely key to the security and stability of the
network.
If you find a .com or .net domain, spamvertised or otherwise, that happens
to have inaccurate whois data, you can easily report it using the online
form.
Thus, for example, if you see a whois U.S. street address that looks suspicious,
you can use any of a variety of online address verification tools (such as USPS)
to check at least the superficial validity of that address. (The more profound
question of whether or not a valid address is actually the right valid
address for a given entity is a more subtle question that we'll set aside for
now, along with the issue of doing address verification for non-U.S. addresses
where computerized address validation tools may not be available.)
Anyhow, if you should happen to find a street address associated with a .com
or .net address that turns out to be wrong, you can report that problem using
the Internic's online form. For the most part, .com and .net whois data is generally
pretty clean, and when you find a .com or .net domain that has data that isn't
right, you can easily get that whois data cleaned up (or the registration data
for that domain "registrar locked" or deleted).
But what about .biz? I don't know about you, but I've been seeing an *awful*
lot of spam that uses .biz domain names lately, and I think I've begun to understand
why that's happening.
Specifically, even though .biz is an top-level domain that's registered via
ICANN-accredited registrars (just like .com and .net domains), and .biz domain
registrations are theoretically subject to the same whois data accuracy requirements
as .com and .net, some things are "done a little differently" in the
.biz domain name space.
For example, you can't submit reports about inaccurate .biz whois data via
http://reports.internic.net/cgi/rpt_whois/rpt.cgi
- that form simply won't accept complaints about .biz domain names.
If you contact neulevel.biz, the registry operator for .biz, about inaccurate
.biz whois data, neulevel.biz shrugs its electronic shoulders, sending you "bug
off" boilerplate like the following verbatim text I received from NeuLevel
when I tried complaining about a spamvertised .biz domain with bad whois data:
Please note that NeuLevel is a third party provider of registry services
to over 100 ICANN-accredited .BIZ registrars. As a registry, we only provide
a database in which registrars store their customers' domain name records.
Only the respective registrars can delete or block a domain from resolving,
if the registrar determines that the domain's registration violates one
or more clauses in the terms of use. Therefore, the most appropriate party
with whom you should file your complaint is the sponsoring registrar,
whose name appears in Line 3 of the domain name's WHOIS record found at
http://www.whois.biz
You can get the registrar's contact information by submitting a WHOIS
query for "Registrar" instead of domain name.
You can also report domains with inaccurate WHOIS information directly
to ICANN by completing the ICANN report form:
http://reports.internic.net/cgi/rpt_whois/rpt.cgi.
If you're having a boring day, and want an interesting little research project
as an alternative to working through the New York Times crossword puzzle, check
the list of .biz registrars
[http://www.neulevel.biz/partners/registrars.html].
Now try building a page with links to each .biz registrar's bad whois reporting
mechanism. Daunting task, isn't it? Do you find some .biz registrars who apparently
lack any readily identifiable mechanism for reporting bad whois data?
Yep, I sort of thought you might.
Given all that, it is little wonder that sightings of .biz domains in spam
have become extremely common.
De facto tolerance of the use of .biz domains in spam, and failure to take
steps to police inaccurate .biz whois data will eventually lead to:
· more and more spammers selecting .biz domains for spamvertised URLs,
and
· more and more sites using the presence of a .biz URL as a spam filtering
criterion.
For example, if you use the default rules distributed with SpamAssasssin,
the mere presence of a .biz top-level domain URL in a message is currently worth
0.784 points (toward a total of 3.0 points typically required for a message
to get flagged as spam).
ICANN and NeuLevel really need to take affirmative steps to clean up and reclaim
.biz before that TLD ends up getting completely written off by material sections
of the Internet, to the detriment of legitimate .biz domain name registrants.
Auditing all existing .biz whois data for accuracy, and disabling .biz domains
demonstrably used in conjunction with spam will be key first steps in that effort.
***
As usual, J'e's made some good points about what he's discovered. According
to the ICANN Web site, the NeuLevel public contact for the generic Top Level
Domain ".biz" is: Barbara Blackwell, Manager, Public Relations, NeuLevel,
+1 202 533 2730, Fax: +1 202 533 2976, http://www.nic.biz.
However, although that phone number works, she's no longer there. I wonder who
I should report that to?
