ARIN WHOIS for leads

Jimmy Hess mysidia at
Fri Jul 26 23:34:28 UTC 2013

On 7/26/13, John Curran <jcurran at> wrote:
> ARIN will run the Whois database however you folks collectively want it run.
> Write up the change you seek (should be fairly easy), show rough consensus
> in the community for the change (slightly more difficult task), and then,

I personally think  there is too little evidence at this point of
widespread abuse to merit restricting access to WHOIS.    Assuming you
don't consider   sending DMCA-like request letters  to  technical or
abuse contacts an abuse of WHOIS.       I can see how such things
might be construed as spam in high volume,  for large networks
that     provide only  IP  connectivity services that aren't subject
to DMCA letter provisions    and don't have a policy of  turning off
 IP transit/telco services   for   Trademark/Copyvio   without a court

My very strong recommendation would be:
     * Conduct a study on the subject of WHOIS  "marketing spam" type abuse.

Am I correct in suggesting,  that  the ARIN staff would have authority
to create temporary "dummy" IP address and ASN allocations of various
sizes for short periods of time, using multiple   e-mail To domains,
 and announcing them among the  new allocations,   and finding  some
ISP to  bring up some of the prefixes,  for the purpose of  studying,
 if these contacts   (that could have been learned only through WHOIS)
receive e-mail?

I would be interested in...
   * Is whether there is an AS allocated,   IP address allocated,  ORG
allocated, or just POC handle created,   or  BGP announcement for a
certain prefix    correlated   with the probability that a contact is
   * Who did the spam come from?
   * What IP addresses requested WHOIS on  "dummy allocations" or
"dummy org"  records   that shouldn't have shown up on the internet,
e.g.  so  "legitimate"  WHOIS queries  should be minimal?

If someone studies that and finds there is a correlation to spam based
on WHOIS listing alone,
then perhaps....

there must be a solution for this....   on occasion;   allocate one or
two new AS numbers and a /24 on a temporary basis  (6 to 12 months)
solely for "spammer detection"  purposes,  in other words
"intentional erroneous allocations"  that the RIR would publish as if
a real allocation.

If spam is received...  research into what IP addresses  performed
WHOIS requests for those,    and publish   for the world to see,
every email message received,   plus any followups into
search-for-the-guilty to clear up  the pattern of network contact

In other words:   for starters,  assume the number of  "bad actors" is
small,  and   let the community  pressure them  and their peers to
retaliate,      before    diminishing the average usefulness of WHOIS
to everyone,   (which restricting access to a small number of users

> My guess is someone is using your mass whois database, looking
> at the most recently issued/created AS numbers, and cold calling.
> --------------------------------------------
> I'd be interested in knowing who it is, so I can be sure to
> never buy from them.
> scott

More information about the NANOG mailing list