RE: [nc-whois] WHOIS and SPAM - survey show no connection

["Steve Crocker" <steve@stevecrocker.com>]

Title: Message

Marilyn,

 

Good to hear from you.  We'll be glad to interact with the TF.  Ram Mohan is also a member of both the TF and our committee, and he's volunteered to be a bridge as well.  (I've cc'd him explicitly on this message, which presumably means he'll get three copies!)

 

In addition to Philip Sheppard's note citing the FTC that indicates the whois database is not a primary source of email addresses for spammers, we're also getting email from others indicating the opposite.  This obviously bears further study.  My own experience suggests email addresses are indeed collected from the whois database.  I get a fair amount of mail addressed to hostmaster@<domainname> for one of my domains, and there is absolutely *no* instance of that email address being used in any other context.

 

To press the point a bit further, it seems to me there are two parts to this puzzle, one based in fact and one based in policy.  The factual question is whether the whois database does, in fact, get used for gather email addresses for spam.  As I said, we're getting a range of opinions on this, but I expect we'll be able to get a reasonably good handle on this after a while.  The policy question is whether the whois database is required to be publicly accessible as a whole.  I consider it a separate question as to whether individual entries should be accessible and to whom.  The issue for this discussion is whether an entire whois database should be made available.  If so, that's an exposure that needs to be understood and made known to everyone who places an entry into the database.

 

Let me also note that a related issue has come up with respect to the DNS database, and that some have raised a concern that the combination of the DNS database and the whois database results in a considerable amount of information which can be exploited for commercial purposes.

 

Thanks,

 

Steve

-----Original Message-----
From: Cade,Marilyn S - LGA [mailto:mcade@att.com]
Sent: Wednesday, January 15, 2003 7:52 AM
To: steve@stevecrocker.com; dnssac-comment@icann.org
Cc: nc-whois@dnso.org; Louis Touton (E-mail)
Subject: RE: [nc-whois] WHOIS and SPAM - survey show no connection

Steve, on behalf of Tony Harris and myself as co-chairs, we will discuss an invitation to the committee to talk with the TF. In the meantime, perhaps we could all be thinking about how best to ensure cross communication between the Advisory Committee and the TF as you receive comments.

 

Regards, Marilyn Cade

-----Original Message-----
From: Philip Sheppard [mailto:philip.sheppard@aim.be]
Sent: Wednesday, January 15, 2003 4:43 AM
To: steve@stevecrocker.com; dnssac-comment@icann.org
Cc: nc-whois@dnso.org; NC (list); Louis Touton ICANN
Subject: [nc-whois] WHOIS and SPAM - survey show no connection

Steve, interesting to read the Security and Stability Advisory Committee recommendation on Whois. In relation to privacy you state: "it is widely believed that Whois data is a source of e-mail addresses for the distribution of spam".  This may be a wide belief but empirical evidence from the US Federal Trade Commission tells us otherwise. See the last sentence of the note below in particular.

Philip

------------------

http://www.ftc.gov/bcp/conline/pubs/alerts/spamalrt.htm. 

To find out which fields spammers consider most fertile for harvesting, investigators "seeded" 175 different locations on the Internet with 250 new, undercover email addresses. The locations included web pages, newsgroups, chat rooms, message boards, and online directories for web pages, instant message users, domain names, resumes, and dating services. During the six weeks after the postings, the accounts received 3,349 spam emails. The investigators found that:

• 86 percent of the addresses posted to web pages received spam. It didn't matter where the addresses were posted on the page: if the address had the "@" sign in it, it drew spam.
   
• 86 percent of the addresses posted to newsgroups received spam.
   
• Chat rooms are virtual magnets for harvesting software. One address posted in a chat room received spam nine minutes after it first was used.

Addresses posted in other areas on the Internet received less spam, the investigators found. Half the addresses posted on free personal web page services received spam, as did 27 percent of addresses posted to message boards and nine percent of addresses listed in email service directories. Addresses posted in instant message service user profiles, "Whois" domain name registries, online resume services, and online dating services did not receive any spam during the six weeks of the investigation.