A system that allows anti-spam activists to report entities that bulk-register domain names using false or misleading identity data is about to gain a much-needed new privacy feature: The option for activists not to expose their identities to the very spammers they’re trying to report.
The Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the Internet’s domain name system, runs a program called the WHOIS Data Problem Reporting System (WDPRS). It’s designed to allow Internet community members to alert registrars about customers that list incomplete or inaccurate contact records for domain registrations.
The policy of requiring registrars to make WHOIS data publicly searchable is no doubt a contentious one, but the reality is that spammers and scammers frequently bulk register large numbers of domains in one go, and tend to take their business to registrars that don’t ask too many questions. Indeed, some domain registrars have built a business out of catering to spammers and scammers.
In many cases, spammers will mass-register domains using completely bogus contact information, or — as appears to have been the case with hundreds of domains that were used recently in an attack against KrebsOnSecurity.com — with the contact information belonging to people whose stolen credit cards were used to fraudulently register the spammy domains.
Some anti-spam activists have pursued bulk registrants with false WHOIS data because, under ICANN’s rules, registrars are supposed to investigate and eventually suspend domains whose owners fail to respond to requests to verify or correct false WHOIS data. And in direct response to a massive influx of reporting on these domains by such activists, ICANN built the WDPRS.
But at some point, ICANN began sharing the names and email addresses of people who were reporting the erroneous WHOIS information with the registrars for each offending domain, exposing the identities of any anti-spam activists who used their real contact information in reporting the issues to ICANN.
Ronald Guilmette, an anti-spam activist and a frequent user of the WDPRS, said ICANN’s decision to share reporter information with registrars puts reporters in the awkward and ironic position of having to spoof their identity to report domain registrants who are spoofing their identities.
“It should not be news to ICANN that some of these registrars are not lily white,” Guilmette said. “The effect of forwarding reporter information is a chilling one, and ICANN is in effect going to be discouraging people from even filing these reports because of fear of retaliation.”
I reached out to ICANN on this issue, and heard from Stacy Burnette, the organization’s director of contractor compliance. Burnette said ICANN had heard the concerns of the community and would be making changes to the system as a result.
“We’ve received some comments about our current WDPR system, and how it identifies reporter information, so we are making an adjustment whereby a reporter can elect to have identity information revealed or not,” Burnette said. “If they elect to not have that information revealed, we will not send the reporter’s name and email address.”
Burnette declined to offer a date by which the changes would be made. “We’re working to make sure this happens shortly,” she said.