<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [nc-whois] WHOIS and SPAM - survey show no connection
Title: Message
Marilyn,
Thanks. I've penciled in next Tuesday
at 11:00. Since the rest of the Security and Stability Advisory Committee
is included in this note, let me hereby encourage others on the committee to
accept Marilyn's invitation to join their next conference call
Tuesday.
That said, I think it will
be helpful to sketch the main issues in advance of the call so we can make as
much progress as possible. Between the opinion we posted formally and my
last note, I think we've pretty much had our say on this
matter.
Let me know the details of
the call and I'll join in. I assume it's scheduled for an hour. I
have appointments in the afternoon and will have to scoot no later than
noon.
Steve
-----Original
Message----- From: Cade,Marilyn S - LGA [mailto:mcade@att.com]
Sent: Wednesday, January 15, 2003 12:41 PM To: Steve
Crocker; dnssac-comment@icann.org Cc: nc-whois@dnso.org; Louis Touton
(E-mail); Ram Mohan; Tony Holmes (E-mail) Subject: RE: [nc-whois]
WHOIS and SPAM - survey show no connection
Steve, The WHOIS TF today agreed that they
were very interested in inviting you and fellow members of the Advisory
Committee to our next call, which is next Tuesday, at 11:00 a.m. EST. We
are anxious to dialogue with the Advisory Committee and appreciate receiving
your final report when it was posted to the Names Council by Louie Touton.
The TF is
interested in a more extensive dialogue than can be provided by one member,
and we are anxious to ensure that there are several Advisory Committee members
available to discuss their views and findings with us. If it turns out
that Tuesday at 11:00 am. EST is not possible, can you contact me off list,
please, and we'll work together on a different time/date. However, we want to
make it next week, given our time lines.
We appreciate receiving
your response and your responsiveness.
Best regards, Marilyn
Cade and Tony Harris, co-chairs
-----Original
Message----- From: Steve Crocker
[mailto:steve@stevecrocker.com] Sent: Wednesday, January 15, 2003
12:33 PM To: Cade,Marilyn S - LGA;
dnssac-comment@icann.org Cc: nc-whois@dnso.org; 'Louis Touton
(E-mail)'; 'Ram Mohan' Subject: RE: [nc-whois] WHOIS and SPAM -
survey show no connection
Marilyn,
Good to hear from you. We'll be
glad to interact with the TF. Ram Mohan is also a member of both the
TF and our committee, and he's volunteered to be a bridge as well.
(I've cc'd him explicitly on this message, which presumably means he'll get
three copies!)
In addition to Philip Sheppard's note
citing the FTC that indicates the whois database is not a primary source of
email addresses for spammers, we're also getting email from others
indicating the opposite. This obviously bears further study. My
own experience suggests email addresses are indeed collected from the whois
database. I get a fair amount of mail addressed to
hostmaster@<domainname> for one of my domains, and there is absolutely
*no* instance of that email address being used in any other
context.
To press the point a bit further, it
seems to me there are two parts to this puzzle, one based in fact and one
based in policy. The factual question is whether the whois database
does, in fact, get used for gather email addresses for spam. As I
said, we're getting a range of opinions on this, but I expect we'll be able
to get a reasonably good handle on this after a while. The policy
question is whether the whois database is required to be publicly accessible
as a whole. I consider it a separate question as to whether individual
entries should be accessible and to whom. The issue for this
discussion is whether an entire whois database should be made
available. If so, that's an exposure that needs to be understood and
made known to everyone who places an entry into the database.
Let me also note that a related issue
has come up with respect to the DNS database, and that some have raised a
concern that the combination of the DNS database and the whois database
results in a considerable amount of information which can be exploited for
commercial purposes.
Thanks,
Steve
Steve, on behalf of Tony Harris and
myself as co-chairs, we will discuss an invitation to the committee to
talk with the TF. In the meantime, perhaps we could all be thinking about
how best to ensure cross communication between the Advisory Committee and
the TF as you receive comments.
Regards, Marilyn Cade
Steve, interesting to read the Security and
Stability Advisory Committee recommendation on Whois. In relation to
privacy you state: "it is widely believed that Whois data is a
source of e-mail addresses for the distribution of spam". This may
be a wide belief but empirical evidence from the US Federal Trade
Commission tells us otherwise. See the last sentence of the note below
in particular.
Philip
------------------
To find out which
fields spammers consider most fertile for harvesting, investigators
"seeded" 175 different locations on the Internet with 250 new,
undercover email addresses. The locations included web pages,
newsgroups, chat rooms, message boards, and online directories for web
pages, instant message users, domain names, resumes, and dating
services. During the six weeks after the postings, the accounts received
3,349 spam emails. The investigators found that:
- 86 percent of the addresses posted to web pages
received spam. It didn't matter where the addresses were posted on the
page: if the address had the "@" sign in it, it drew spam.
- 86 percent of the addresses posted to newsgroups
received spam.
- Chat rooms are virtual magnets for harvesting
software. One address posted in a chat room received spam nine minutes
after it first was used.
Addresses posted in other areas on the Internet
received less spam, the investigators found. Half the addresses posted
on free personal web page services received spam, as did 27 percent of
addresses posted to message boards and nine percent of addresses listed
in email service directories. Addresses posted in instant message
service user profiles, "Whois" domain name
registries, online resume services, and online dating services did not
receive any spam during the six weeks of the
investigation.
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|