ARIN WHOIS for leads
Jimmy Hess
mysidia at gmail.com
Fri Jul 26 23:34:28 UTC 2013
On 7/26/13, John Curran <jcurran at arin.net> wrote:
> ARIN will run the Whois database however you folks collectively want it run.
> Write up the change you seek (should be fairly easy), show rough consensus
> in the community for the change (slightly more difficult task), and then,

I personally think there is too little evidence at this point of
widespread abuse to merit restricting access to WHOIS. Assuming you
don't consider sending DMCA-like request letters to technical or
abuse contacts an abuse of WHOIS. I can see how such things
might be construed as spam in high volume, for large networks
that provide only IP connectivity services that aren't subject
to DMCA letter provisions and don't have a policy of turning off
IP transit/telco services for Trademark/Copyvio without a court
order.

My very strong recommendation would be:

* Conduct a study on the subject of WHOIS "marketing spam" type abuse.

Am I correct in suggesting that the ARIN staff would have authority
to create temporary "dummy" IP address and ASN allocations of various
sizes for short periods of time, using multiple e-mail To domains,
and announcing them among the new allocations, and finding some
ISP to bring up some of the prefixes, for the purpose of studying
if these contacts (that could have been learned only through WHOIS)
receive e-mail?

I would be interested in...
* Is whether there is an AS allocated, IP address allocated, ORG
allocated, or just POC handle created, or BGP announcement for a
certain prefix correlated with the probability that a contact is
spammed?
* Who did the spam come from?
* What IP addresses requested WHOIS on "dummy allocations" or
"dummy org" records that shouldn't have shown up on the internet,
e.g. so "legitimate" WHOIS queries should be minimal?
---
If someone studies that and finds there is a correlation to spam based
on WHOIS listing alone,
then perhaps....
there must be a solution for this.... on occasion; allocate one or
two new AS numbers and a /24 on a temporary basis (6 to 12 months)
solely for "spammer detection" purposes, in other words
"intentional erroneous allocations" that the RIR would publish as if
a real allocation.

If spam is received... research into what IP addresses performed
WHOIS requests for those, and publish for the world to see,
every email message received, plus any followups into
search-for-the-guilty to clear up the pattern of network contact
abuse.

In other words: for starters, assume the number of "bad actors" is
small, and let the community pressure them and their peers to
retaliate, before diminishing the average usefulness of WHOIS
to everyone (which restricting access to a small number of users
does).

> My guess is someone is using your mass whois database, looking
> at the most recently issued/created AS numbers, and cold calling.
> --------------------------------------------
> I'd be interested in knowing who it is, so I can be sure to
> never buy from them.
>
> scott

--
-JH
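
Added example, not part of the original message: one way the correlation step of the study proposed above could be scripted, attributing mail that arrives at dummy-record contacts to the WHOIS clients that looked those records up beforehand, and reporting the hit rate per record kind. The handles, addresses, IPs and log layouts are constructed placeholders, not ARIN data or formats.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data. Each dummy record publishes a contact address
# that appears nowhere except WHOIS, so any mail to it was learned there.
CANARIES = {  # contact address -> (record handle, record kind)
    "noc-a1@canary1.example": ("AS-DUMMY-1", "asn"),
    "noc-b2@canary2.example": ("NET-DUMMY-2", "net"),
    "noc-c3@canary3.example": ("POC-DUMMY-3", "poc"),
}
WHOIS_LOG = [  # (time, source IP, handle queried)
    ("2013-07-01T10:00", "192.0.2.10", "AS-DUMMY-1"),
    ("2013-07-01T10:05", "198.51.100.7", "AS-DUMMY-1"),
    ("2013-07-02T09:00", "192.0.2.10", "NET-DUMMY-2"),
    ("2013-07-09T12:00", "203.0.113.5", "NET-DUMMY-2"),  # after the mail below
    ("2013-07-03T08:00", "198.51.100.7", "POC-DUMMY-3"),
]
MAIL_LOG = [  # (time, envelope sender, recipient)
    ("2013-07-04T14:00", "sales@vendor.example", "noc-a1@canary1.example"),
    ("2013-07-05T11:00", "sales@vendor.example", "noc-b2@canary2.example"),
]

def ts(s):
    return datetime.fromisoformat(s)

def correlate(canaries, whois_log, mail_log):
    """Return (suspect IP counts, sender counts, hit rate per record kind)."""
    queries = defaultdict(list)  # handle -> [(time, ip)]
    for when, ip, handle in whois_log:
        queries[handle].append((ts(when), ip))
    suspects, senders, hit = Counter(), Counter(), set()
    for when, sender, rcpt in mail_log:
        if rcpt not in canaries:
            continue  # ordinary mailbox, not part of the study
        handle, _ = canaries[rcpt]
        hit.add(handle)
        senders[sender] += 1
        # Only lookups made before the mail arrived can explain it.
        for ip in {ip for t, ip in queries[handle] if t < ts(when)}:
            suspects[ip] += 1
    kinds = defaultdict(lambda: [0, 0])  # kind -> [spammed, total]
    for handle, kind in canaries.values():
        kinds[kind][1] += 1
        kinds[kind][0] += handle in hit
    rates = {k: s / n for k, (s, n) in kinds.items()}
    return suspects, senders, rates

if __name__ == "__main__":
    print(*correlate(CANARIES, WHOIS_LOG, MAIL_LOG), sep="\n")
```

An IP that queried several spammed dummy records before the mail arrived ranks highest; a single overlap is weak evidence, since more than one client may have looked up the same record.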