nanog mailing list archives

Re: Is WHOIS going to go away?


From: Rich Kulawiec <rsk () gsp org>
Date: Wed, 25 Apr 2018 09:04:15 -0400

On Thu, Apr 19, 2018 at 05:57:48PM -0400, bzs () theworld com wrote:
> One of the memes driving this WHOIS change is the old idea of
> "starving the beast".
>
> People involved in policy discussions complain that "spammers" -- many
> only marginally fit that term other than by the strictest
> interpretation -- use the public WHOIS data to contact domain owners.
>
> I've countered that 20+ years' experience trying to "starve the beast"
> by trying to deny them access to email and other casual contact info
> has proven the approach to be useless.

I've been trying to kill this same meme for years, and it just won't die.
It's related to the equally-silly meme that says that email/newsgroup
archives should have the addresses of participants obfuscated, and it's
just as wrong.  Let me make yet one more likely-futile effort:

1. WHOIS data is a poor source of email addresses.  It always has been.
Much richer ones exist and new ones show up all day, every day.  The
same can be said for mailing list/newsgroup archives.  Moreover, many
of those people are poor choices as victims.

2. Those much richer sources include (and this is far from exhaustive):

        - subscribing to mailing lists
        - acquiring Usenet news feeds
        - querying mail servers
        - acquiring corporate email directories
        - insecure LDAP servers
        - insecure AD servers
        - use of backscatter/outscatter
        - use of auto-responders
        - use of mailing list mechanisms
        - use of abusive "callback" mechanisms
        - dictionary attacks
        - construction of plausible addresses (e.g. "firstname.lastname")
        - purchase of addresses in bulk on the open market.
        - purchase of addresses from vendors, web sites, etc.
        - purchase of addresses from registrars, ISPs, web hosts, etc.
        - domain registration (some registrars ARE spammers)
        - misplaced/lost/sold media
        - harvesting of the mail, address books and any other files
                present on any of the hundreds of millions of
                compromised systems

annnnnnd

        - the security breach/dataloss incident of the day

3. The bottom line is that, starting about 15 years ago, it became
effectively impossible to keep any email address *that is actually
used* away from spammers.  [1]  Simultaneously, it became a best practice
to assume this up front and design defenses accordingly.

4. You know who is best-protected by restrictions on WHOIS and obfuscated
domain registration?  Spammers, phishers, typosquatters, and other abusers.
It's not a coincidence that the number of malicious domains has skyrocketed
as these practices have spread.  (And "skyrocket" is not an exaggeration.
I've been studying abuser domains for 15+ years and I have no hesitation
saying that easily 90% of all domains are malicious.  And that's likely
a serious understatement.  Why?  Because whereas you and I and other
NANOG-ish people register one here, one there, whether for professional
or personal or other use, abusers are registering them by the tens of
thousands and more.  Much more.)

---rsk

[1] Yes, there are edge cases.  I *know*.

