On Thu, Apr 19, 2018 at 05:57:48PM -0400, b...@theworld.com wrote:
> One of the memes driving this WHOIS change is the old idea of
> "starving the beast".
>
> People involved in policy discussions complain that "spammers" -- many
> only marginally fit that term other than by the strictest
> interpretation -- use the public WHOIS data to contact domain owners.
>
> I've countered that 20+ years experience trying to "starve the beast"
> by trying to deny them access to email and other casual contact info
> has proven the approach to be useless.

I've been trying to kill this same meme for years, and it just won't
die. It's related to the equally-silly meme that says that
email/newsgroup archives should have the addresses of participants
obfuscated, and it's just as wrong.

Let me make yet one more likely-futile effort:

1. WHOIS data is a poor source of email addresses. It always has been.
Much richer ones exist and new ones show up all day, every day. The
same can be said for mailing list/newsgroup archives. Moreover, many
of those people are poor choices as victims.

2. Those much richer sources include (and this is far from exhaustive):

	- subscribing to mailing lists
	- acquiring Usenet news feeds
	- querying mail servers
	- acquiring corporate email directories
	- insecure LDAP servers
	- insecure AD servers
	- use of backscatter/outscatter
	- use of auto-responders
	- use of mailing list mechanisms
	- use of abusive "callback" mechanisms
	- dictionary attacks
	- construction of plausible addresses (e.g. "firstname.lastname")
	- purchase of addresses in bulk on the open market.
	- purchase of addresses from vendors, web sites, etc.
	- purchase of addresses from registrars, ISPs, web hosts, etc.
	- domain registration (some registrars ARE spammers)
	- misplaced/lost/sold media
	- harvesting of the mail, address books and any other files
	  present on any of the hundreds of millions of compromised
	  systems

	annnnnnd

	- the security breach/dataloss incident of the day

3. The bottom line is that, starting about 15 years ago, it became
effectively impossible to keep any email address *that is actually used*
away from spammers. [1] Simultaneously, it became a best practice to
assume this up front and design defenses accordingly.

4. You know who is best-protected by restrictions on WHOIS and
obfuscated domain registration? Spammers, phishers, typosquatters,
and other abusers. It's not a coincidence that the number of malicious
domains has skyrocketed as these practices have spread. (And
"skyrocket" is not an exaggeration. I've been studying abuser domains
for 15+ years and I have no hesitation saying that easily 90% of all
domains are malicious. And that's likely a serious understatement.
Why? Because whereas you and I and other NANOG-ish people register one
here, one there, whether for professional or personal or other use,
abusers are registering them by the tens of thousands and more. Much
more.)

---rsk

[1] Yes, there are edge cases. I *know*.