Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Public Comment: Draft Report on WHOIS Accuracy

February 16th 2010 in Uncategorized

Details here:


In short, if all three accuracy criteria are strictly applied, i.e.:

  1. the address must be deliverable
  2. an independent linkage between name and address must be found; and
  3. the respondent must acknowledge ownership, AND confirm that all details are current and correct,

then only 23% of WHOIS records can be considered fully accurate.

With a slight relaxation of the criteria to:

  1. the address must be deliverable
  2. an independent linkage between name and address exists, or the WHOIS information enables us to track down the respondent, even if it was not possible to otherwise confirm a link between name and address
  3. the respondent must acknowledge ownership,

then the proportion of WHOIS records which are accurate more than doubles, to 46%, and only 6% fail on all three.

A sample of only 1419 records was drawn from the top five generic top level domains (gTLDs, covering .com, .org, .net. .info and .biz).  Because there are many subtleties and provisos within the document, such as acknowledging the fact that getting a respondent to acknowledge ownership can be difficult when the respondent has an aversion to answering any questions for a survey (and how many of us have expressed a dislike of such phone calls), I recommend that if you are interested in WHOIS accuracy you should read the report in its entirety, rather than focus purely on the “23% of WHOIS records can be considered to be fully accurate”.

I think it is appropriate to quote the penultimate paragraph of the conclusion:

“There is no question that there are people who register domains without disclosing their full or real identity. While we didn’t find any cases where an identity had been stolen (that is, among the persons we contacted who had domains registered in their name, none denied having registered the domain), it would seem that, given the latitude that people have in choosing what information to provide when registering a domain name, identity theft may not be necessary; it is all too easy to enter any or no name, along with an unreliable or undeliverable address.”

Comments are closed.

But some of us haven’t forgotten the past… "Spyware cybersigns point to Begg-Smith": http://www.smh.com.au/articles/2006/03/03/1141191842651.html   The SMH article links to stopscum.com which has some interesting information: http://www.stopscum.com/dale-begg-smith-adscpm-a-spyware-low-life-criminal-distributor-wins-an-olympic-gold-medal-for-australia/   Fox Sports notes that “Begg-Smith has made a small fortune from internet advertising, but he rarely talks […]

Previous Entry

Source: http://www.icann.org/en/announcements/announcement-12feb10-en.htm This is another document worth reading (even if it is 107 pages long) for those of us interested in ‘security’ for users of the internet as a whole.  I consider it an important document because Chapter 6 discusses “malicious use of domain names” and what ICANN can do about it, […]

Next Entry