Archive for the “whois” Category

.ca Whois Harvesting

The .ca domains are run by an organization in Canada at   Their whois access terms of service are shown below.  They prohibit things like “unauthorised aggregation or collection of information from the WHOIS database.”  It has been well known for years that has been harvesting this information and selling the historical data in whois history reports.  This practice may circumvent the whois privacy system put in place by CIRA and may be in conflict with Canadian privacy laws that state that historic data should be made anonymous or be deleted.

When CIRA received complaints about this they would not answer for months.  The Privacy Commissioner of Canada was notified and they recommended contacting  When that was done filed a bogus lawsuit in US federal court thousands of miles from the person complaining.  When CIRA was asked about this their response was:

“Domain Tools is not packaging and selling private information, but rather, is consolidating and making available (typically old) publicly available information found on our public WHOIS service … CIRA has written directly to Domain Tools in this regard to try and address this.”

The issue is not “private information” but rather the “personal information” that was contained in the public whois database in the past but is no longer public.  When CIRA was asked to release the letter to CIRA’s attorney said it would not be released publicly and if a member of the public wanted to see CIRA’s letter to they would need to take legal action against CIRA!  (More information about who operates is here)

A request was made to the CIRA Board to release the letter as it involves matters of public policy and affects the .ca registrants.  CIRA has also been asked to comply with the Alberta Privacy Breach Notification Law and notify .ca registrants of the status of the historic whois data and describe what steps are being taken to reduce the risk of harm and notify the registrants.  This would include, of course, releasing the letter sent to

.ca WHOIS terms of service:

You shall use the WHOIS database on the Website solely for the following purposes:

  1. to query the availability of a domain name;
  2. to identify the holder of a domain name; and/or
  3. to contact the holder of a domain name in regard to the domain name or the respective website.

You may not use the WHOIS information for any other purpose.  Prohibited uses include, but are not limited to:

  • unauthorised aggregation or collection of information from the WHOIS database;
  • access or use of the WHOIS database to send unsolicited communications of any kind, other than those reasonably required in the course of fulfilling the purposes set out above; and
  • access or use of the WHOIS database for commercial, advertising, market research, solicitation, or any other purposes which may be reasonably viewed as intrusive to a reasonable domain name holder.

You may not use automated processes that send multiple queries or data to the WHOIS database, except as reasonably necessary to register domain names or modify existing  registrations. By submitting any query to the WHOIS, you agree to abide by and comply with the WHOIS Terms and Legal Notice.

Port 43 WHOIS Service

ICANN requires registrars to provide whois on “port 43” in addition to web-based queries.  This is a specific protocol to request records.  These servers are notoriously unreliable.  Some registrars, such as GoDaddy, give out truncated data and others scramble the fields to try to prevent harvesting.

ICANN periodically audits whois port 43 compliance but they are often slow to do anything about it.

ICANN’s 2010 – 2011 port 43 whois audit

ICANN’s 2006 port 43 whois audit

WHOIS Servers Security

Many web-based and port 43 servers have controls that try to enforce their banner notices and prevent harvesting of the data.  These security mechanisms include those annoying CAPTCHA boxes and IP address limits.  However, most harvesters have long since learned how to circumvent these protections by doing things such as using many IP addresses to hide who they are.   Some registrars also “scramble” the fields so the output is not a set format to try to prevent harvesting but this is also easy to circumvent with some simple programming.

As a result, the “security” mechanisms only make it more time consuming and difficult for legitimate users to use the system.  Even though many groups have looked at the issue, a full legal analysis of the legal authority behind how the whois system is operated never gets done.  Most of the rules are just legacy procedures from back when the Internet was used by a few hundred people.

Thick and Thin Registries

The .com and .net are called “Thin” registries.  This is because the registry does not keep the entire whois record.  They just keep the registrar and the name servers.  The registrars are responsible for keeping the entire whois record.  This was done in the late 1990’s because Network Solutions had a monopoly and when competition was introduced the concern was that they would use their market position to take business from the new registrars.  Even though this is not relevant anymore the system has never been changed.

Other registries are “Thick” registries and they maintain the entire whois record.
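The thin/thick distinction shows up directly in what a registry's reply contains. The following is an added example, not code from the original page: it classifies a reply and, for a thin one, reports which registrar server holds the full record. Both replies are constructed, and the field labels follow the common "Key: Value" layout, which is an assumption rather than a fixed standard.

```python
# Constructed reply from a "thin" registry: registrar and name servers only.
THIN_REPLY = """\
   Domain Name: EXAMPLE.TEST
   Registrar: Example Registrar, Inc.
   Registrar WHOIS Server: whois.registrar.example
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
>>> Last update of whois database: (constructed) <<<
"""

# Constructed reply from a "thick" registry: contact data is held centrally.
THICK_REPLY = """\
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrant Name: Example Holder
Registrant Email: holder@example.test
Name Server: NS1.EXAMPLE.TEST
"""


def parse_reply(text):
    """Collect 'Key: Value' lines into {lower-cased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        # Skip lines without a key/value pair and the trailing status line.
        if not sep or not key or not value or key.startswith(">>>"):
            continue
        fields.setdefault(key, []).append(value)
    return fields


def summarize(text):
    """Classify a reply as thin or thick and name the next server to ask."""
    fields = parse_reply(text)
    has_contacts = any(key.startswith("registrant") for key in fields)
    referral = fields.get("registrar whois server", [None])[0]
    return {
        "kind": "thick" if has_contacts else "thin",
        "registrar": fields.get("registrar", [None])[0],
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        # A thin reply is incomplete: the registrar holds the full record.
        "next_server": None if has_contacts else referral,
    }


if __name__ == "__main__":
    for label, reply in (("thin", THIN_REPLY), ("thick", THICK_REPLY)):
        print(label, summarize(reply))
```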

ICANN WHOIS Policy Development

ICANN has an endless stream of groups looking at whois policies.  This has gone on for at least 10 years and most people have dropped out of the process because not much happens.  There are commenting procedures for most of these reports.

2012 WHOIS report | Comments

ICANN Board correspondence related to whois

WHOIS Survey Working Group

ICANN WHOIS Policy Review

ICANN CEO found using fake whois data

Rights and Responsibilities When Registering a Domain Name

ICANN has set forth a list of Rights and Responsibilities for the registrant and registrar of domain names.  When you register a domain you are required to do things such as agree to post your valid contact information publicly and agree to the trademark dispute policy.  ICANN requires accurate information but the rules are so vague and imprecise there are no actual requirements to do anything:

“Under the approach of the Registrar Accreditation Agreement, the registrar is given discretion to act as appropriate in light of the particular circumstances of each case.” 

In other words, registrars do what they want so ICANN does not have to enforce anything related to whois accuracy but they do maintain a reporting system.

The Domain Dispute policies are similar to the UDRP policy covering .com/.net/.org, etc:

a. Applicable Disputes. You are required to submit to a mandatory administrative proceeding in the event that a third party (a “complainant”) asserts to the applicable Provider, in compliance with the Rules of Procedure, that

(i) your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and

(ii) you have no rights or legitimate interests in respect of the domain name; and

(iii) your domain name has been registered and is being used in bad faith.

In the administrative proceeding, the complainant must prove that each of these three elements are present.

b. Evidence of Registration and Use in Bad Faith. For the purposes of Paragraph 4(a)(iii), the following circumstances, in particular but without limitation, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith:

(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the complainant’s mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location.

WHOIS Banner Notices

The whois outputs from the various registrars and IP address outputs almost all have a nearly identical banner such as the .org banner:

Access to .ORG WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient’s own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

According to an attorney on the board of Domain Tools these notices are not binding because the data is mandated to be public.  In fact if you ask the operators of the whois databases for the legal authority to place these restrictions on the data you will not get much of a response.   However, the Registrar Accreditation Agreement with ICANN does have provisions for bulk access to the whois databases for a fee:

3.3.6 In addition, Registrar shall provide third-party bulk access to the data subject to public access under Subsection 3.3.1 under the following terms and conditions: Registrar shall make a complete electronic copy of the data available at least one (1) time per week for download by third parties who have entered into a bulk access agreement with Registrar. Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data. Registrar’s access agreement shall require the third party to agree not to use the data to allow, enable, or otherwise support any marketing activities, regardless of the medium used. Such media include but are not limited to e-mail, telephone, facsimile, postal mail, SMS, and wireless alerts. Registrar’s access agreement shall require the third party to agree not to use the data to enable high-volume, automated, electronic processes that send queries or data to the systems of any Registry Operator or ICANN-Accredited registrar, except as reasonably necessary to register domain names or modify existing registrations. Registrar’s access agreement must require the third party to agree not to sell or redistribute the data except insofar as it has been incorporated by the third party into a value-added product or service that does not permit the extraction of a substantial portion of the bulk data from the value-added product or service for use by other parties.

IP Address Whois

IP addresses are also registered via the so-called Regional Internet Registries or RIRs.  A list is at  The IP addresses could be registered to the web site’s hosting company or to the company directly.  The information is sometimes incomplete or outdated.

This information may be useful in some situations.  For instance, if a web site or e-mail claims to be a local bank but their IP is registered in some other country it could be the sign of a scam.

The IP address information can be used to file abuse complaints or copyright “takedown notices” under the Digital Millennium Copyright Act (DMCA).

Europeans Restrict IP Address Whois Data

The European IP address registry (RIPE) has started locking out those making whois queries to their web site under some vague claim that European privacy laws would be broken if unrestricted access is given.  After complaints were made another vague statement was published that claimed to be a “legal framework.”  This document does not identify any specific laws, case decisions, official rulings, or anything that would make it a “legal framework” for restricting the data to worldwide Internet users.  It does not even address the fact that the users agreed to make the information public when they registered for IP addresses which is the central legal issue.

Their argument is that the contact data of ISP’s and hosting companies is “personal data” and needs protection.  However, since the data was placed in the database with the express purpose of making it public it is actually exempt from the data protection laws.  In addition, RIPE claims that they will segregate the abuse contacts from the other contacts in the future so the abuse contacts will not be restricted.  However, RIPE will not explain why an abuse contact is different than other ISP contacts under EU privacy laws.  Nor will they explain how blocking access based on IP address will do anything other than prevent legitimate users from using the system (spammers/harvesters routinely use many IP’s to circumvent the restrictions).

The truth is that a few anti-spam zealots convinced RIPE to restrict the database because they thought nobody would complain.  Even though very little spam is attributed to IP address whois harvesting, the zealots were successful in disrupting a security service used by thousands of Internet users around the world.  Sites such as can no longer combine data from domain and IP address whois outputs to present users with a combined output.  The result is reduced security for Internet users because a few RIPE insiders got a few unwanted e-mails.  If anyone complains about the policy they are immediately branded as a spammer/harvester regardless of the actual use.  Actually, most of the people that want the data want it to complain about spammers.

This type of autonomous action for whois data is commonplace.  In the case of IP addresses the data is owned by the US government under the IANA contract.  This fact is disregarded and entities such as RIPE haphazardly place restrictions on the data because nobody stops them.  For instance the North American registry states: “You may not use, allow to use, or otherwise facilitate the use of ARIN WHOIS data for advertising, direct marketing, marketing research, or similar purposes.”  However, there is no law against these activities and the US government has not mandated these restrictions on the data so it looks like ARIN simply created the restrictions themselves without authority.  (Actually they copied the same banner from other whois servers because “that is the thing to do” which is why there is no actual documentation as to the reasons for the restrictions.)


Unauthorized Name Server Use

Currently there is no system in place to prevent unauthorized use of your name servers.  In other words anyone can put “” as a DNS server for their domain.

This situation can lead to large amounts of traffic to a DNS server.  The traffic appears like a “dictionary attack” looking for different host names and much of the traffic came from Google’s network from domain .  Google would not respond to inquiries as to why all this traffic was coming from them.  The traffic was about 75% of the total DNS traffic.

Then came the problems of getting the unwanted entries removed.  The entries were from many years ago and are associated with domains not under my control.  They are scattered throughout different domain TLD’s such as .com, .org, .info, etc.  The proper complaint process in a situation like this is to follow the various contractual relationships.  The registrant contacts their registrar who, in turn, contacts the various registries such as .org, .com, .info, etc.  Since this is a coordination issue between different TLD’s, ICANN should have a policy in place to deal with it.

In practice nobody knows what to do and everybody wants someone else to handle it.  In some cases the entries were deleted within a day or two.  In the case of GoDaddy/Wild West Domains they had the issue for 17 days and finally “fixed” the problem.  However, instead of just changing the nameservers they replaced it with “Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM.”   It is amazing how it takes them 17 days to do something stupid such as incorrectly accusing their own customer of Spamming AND Abuse when that is not the case.

At first ICANN stated they would ensure GoDaddy/Wild West Domains complied with the request.  But once that didn’t happen ICANN staff refused to help and just sent me to the general registrar complaint box at  So far ICANN won’t provide any type of policy for registrars to follow in these situations so nobody knows what to do even though this security flaw has existed for many years.  At least 50 e-mails have been sent to various parties to try to get these entries removed.  Eventually GoDaddy updated the records.

The worst response is the Afilias registry who refuses to do anything.  Their chief technology officer, Ram Mohan, has so many complaints his voice mail is full.  Afilias is even refusing to give me a list of domains using my nameserver even though they claim they have the list.  Most of the time they won’t respond but I can see they get the messages because they visit this web page for updates.  They claim Melbourne IT registered the unauthorized nameserver with them.  Of course they won’t answer any inquiries.

The ICANN Registrar Accreditation Agreement (RAA) section 3.2.2 requires the registrar to notify the registry of changes within 5 business days (ICANN staff has tried to claim this only fits under the inaccurate whois section 3.7.7 which does not require the registrars, or ICANN, to do anything.  As usual, ICANN is searching for reasons not to do anything rather than correct the problem).

With unauthorized nameservers domains could mistakenly be attributed to an innocent party.  For instance, criminals could use a domain for illegal activity and then point the domain to innocent parties to throw law enforcement off the track.  An unscrupulous trademark owner could register well known trademarks using whois privacy and use your nameservers then claim you are involved in a pattern of such conduct.
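A name server operator can measure this problem from its own query log, without waiting for a registry to supply a list. The following is an added example, not code from the original page: it counts queries for names outside the zones the server actually serves and groups them by domain. The log lines are constructed (loosely in the style of a BIND query log), and the zone name, domains and addresses are placeholders.

```python
import re
from collections import Counter

# Zones this server really serves (assumed configuration for the example).
SERVED_ZONES = {"example.test"}

# Constructed query-log lines, loosely in the style of a BIND query log.
SAMPLE_LOG = """\
client 198.51.100.7#40112 (www.example.test): query: www.example.test IN A -E (192.0.2.53)
client 203.0.113.9#51820 (mail.stale-one.test): query: mail.stale-one.test IN A -E (192.0.2.53)
client 203.0.113.9#51821 (ftp.stale-one.test): query: ftp.stale-one.test IN A -E (192.0.2.53)
client 203.0.113.12#40001 (admin.stale-one.test): query: admin.stale-one.test IN A -E (192.0.2.53)
client 203.0.113.12#40002 (www.stale-two.test): query: www.stale-two.test IN A -E (192.0.2.53)
client 198.51.100.7#40113 (example.test): query: example.test IN MX -E (192.0.2.53)
client 203.0.113.9#51822 (shop.stale-two.test): query: shop.stale-two.test IN A -E (192.0.2.53)
client 203.0.113.12#40003 (vpn.stale-one.test): query: vpn.stale-one.test IN A -E (192.0.2.53)
"""

QUERY_RE = re.compile(r"client (\S+?)#\d+ .*?query: (\S+) IN (\S+)")


def owning_zone(qname, zones):
    """Return the served zone that contains qname, or None if there is none."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def audit(log_text, zones):
    """Count queries for names outside every served zone, grouped by domain."""
    total = 0
    foreign = Counter()
    sources = {}
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue
        total += 1
        client, qname, _qtype = match.groups()
        if owning_zone(qname, zones) is None:
            # Crude grouping by the last two labels; a production tool
            # would use the Public Suffix List instead.
            domain = ".".join(qname.rstrip(".").lower().split(".")[-2:])
            foreign[domain] += 1
            sources.setdefault(domain, set()).add(client)
    share = sum(foreign.values()) / total if total else 0.0
    return {"total": total, "foreign_share": share,
            "foreign": foreign, "sources": sources}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, SERVED_ZONES)
    print(f"{report['foreign_share']:.0%} of {report['total']} queries are for zones not served here")
    for domain, count in report["foreign"].most_common():
        print(domain, count, sorted(report["sources"][domain]))
```

The per-domain list is the evidence to attach to a complaint: each domain can be looked up in whois to find the registrar responsible for removing the stale name server entry.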