matts Posted January 23, 2007

Well, you start out by allowing anyone to register as many domains as they please, without ever bothering to even check their contact details (e.g. admin or tech mail, phone number). Then when the complaints start coming in, just pretend it's not your fault the details are bogus, or that you failed to exercise due diligence when the complaints were received. When that doesn't work, try thinly veiled "slander" or "libel" threats, and see if that scares the complainants off. Then finally, when all else fails, tell the complainants that you can't freeze the domains "just for spam". If they should be so audacious as to send you select passages from the CAN-SPAM Act outlining "knowingly facilitating", just stop responding completely.

That's the directnic and enom way, as with others (some just skip to the last few steps).

And then we wonder why putting these guys out of business is like herding kittens? When the ISPs take such a hit and miss approach as many do, and the registrars refuse to clamp down on these rolling, bogus spam domains, and when the money involved is enough to offset even the bad PR, why not just keep shifting along? What are the odds some ISP or registrar will actually turn your billing details over to law enforcement, let alone "flag" you to prevent future abuse?

Meanwhile, my little county mail system catches (thanks to greylisting, SA, amavisd, ImageInfo AND Symantec SMSSMTP in combination) about 90%, now numbering over a thousand per day! Ah well, what's a little bandwidth here and there? Oh wait, it's TAXPAYERS' bandwidth. Guess I'll have to keep pounding on them so the citizens don't lynch me, huh?

Matt Sullivan
Senior IT Security Analyst
Manatee County Government
turetzsr Posted January 23, 2007

<snip> Ah well, what's a little bandwidth here and there? Oh wait, it's TAXPAYERS' bandwidth. Guess I'll have to keep pounding on them so the citizens don't lynch me, huh? Matt Sullivan Senior IT Security Analyst Manatee County Government

Hi, Matt! ...Maybe you and some like-minded county and municipal government staff and citizens can convince enough of those taxpayers to direct their law enforcement and lawmaking representatives to take action....
bobbear Posted January 23, 2007

Tell me about it - it's something I, (and many others), have been banging on about for years. I stick to trying to get out and out criminal fraudsters put out of business by direct approaches to registrars as 'ordinary' spammers are even more impossible to get suspended. I've not personally had experience of directnic but as far as I am concerned registrars such as Enom, Joker and even top level domain registrars such as HKDNR are no better than the criminals that they aid and abet by refusing to take action on evidential criminal abuse reports that even Inspector Clouseau would be able to follow. Just try to get HKDNR to suspend the domain of norden.hk - a notorious money laundering criminal fraudster, (Norden United), & prolific spammer allied to 'phishing' gangs who uses a zombie botnet herded by an Apache webserver on an Enom registered nameserver domain, (bg-arati.com), - I've found it impossible.

It's about time the 'criminal friendly' registrars such as the above were reined in and forced to realise that they are not 'special' in any way by their position, nor are they above the law and there is no reason whatsoever why they should not be compelled to make judgements about their clients as every other member of the chain is expected to do.

How could this be achieved? I don't know - I'm no expert - just a user who's sick of blackhat registrars, but it strikes me that ICANN could play more of a part, perhaps by insisting that all accredited registrars have a common AUP that would not only empower them to take action but require them to & perhaps under the accreditation agreement all aspects of the whois data must be 'check/ response' verified before the domain is activated & thereafter at prescribed intervals - no webmail addresses should be accepted, (that would halve Yahoo's client base for a start....), no PO boxes, and definitely no anonymizer services.
Think of the difference it could make if spamcop reports on criminal & spamvertised domains were routed to the registrars who were obliged to treat them seriously, make valued judgements & immediately suspend the offending domains.
rooster Posted January 24, 2007

Tell me about it - it's something I, (and many others), have been banging on about for years. <SNIP> It's about time the 'criminal friendly' registrars such as the above were reined in and forced to realise that they are not 'special' in any way by their position, nor are they above the law and there is no reason whatsoever why they should not be compelled to make judgements about their clients as every other member of the chain is expected to do. How could this be achieved? I don't know - I'm no expert - just a user who's sick of blackhat registrars, but it strikes me that ICANN could play more of a part, perhaps by insisting that all accredited registrars have a common AUP that would not only empower them to take action but require them to & perhaps under the accreditation agreement all aspects of the whois data must be 'check/ response' verified before the domain is activated & thereafter at prescribed intervals - no webmail addresses should be accepted, (that would halve Yahoo's client base for a start....), no PO boxes, and definitely no anonymizer services. <SNIP>

bobear;

I hope this reproduces OK. I just switched from Windows to Linux this afternoon, and things work differently.

At risk of being impertinent (so what else is new?) I'd like to intrude a cross reference to http://forum.spamcop.net/forums/index.php?showtopic=6756; another SC thread that expresses my frustration with the state of affairs in Canada; specifically, proposed changes to CIRA Registration Policy that would provide the option of anonymity to new domain registrants. CIRA (Canadian Internet Registration Authority) is legislatively mandated to set policy for, and operate, the dot-ca domain.
Farelf Posted January 24, 2007

... the state of affairs in Canada; specifically, proposed changes to CIRA Registration Policy that would provide the option of anonymity to new domain registrants.

The proposals extend the spirit of Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) to domain registrants - presumably this thinking is on the assumption they (registrants) are innocent until proven guilty and the inconvenience to a rabid minority who are questing anti-spammers is as nothing compared to the potential and unwarranted harm to the individuals who are registrants. Frankly I don't understand the CIRA stand on that (if I have encapsuled it correctly) - general internet presence is about as public as can be, those who want to be faceless in front of such presence must intend the rest of us, if not harm then surely no good. But as a (desultorily) questing anti-spammer I may be over-simplifying somewhere in balance of the pro/anti proposal argument.
bobbear Posted January 24, 2007

bobear; <snip> At risk of being impertinent (so what else is new?) I'd like to intrude a cross reference to http://forum.spamcop.net/forums/index.php?showtopic=6756; another SC thread that expresses my frustration with the state of affairs in Canada; specifically, proposed changes to CIRA Registration Policy that would provide the option of anonymity to new domain registrants. CIRA (Canadian Internet Registration Authority) is legislatively mandated to set policy for, and operate, the dot-ca domain.

Feel free - as one of the "many others" your contributions are always valuable & welcome. The fuller the debate on this issue the better IMHO. The registrars have had an easy, accountability free ride for far too long & it strikes me that the proposed CIRA changes would give them an even easier ride by making more difficult the only existing option of challenge under the ICANN accreditation agreement, (false whois data), that all registrars are supposed to respond to, albeit in a time frame that makes the challenge almost pointless.

I read about the changes with interest and more than a little apprehension as FOI restrictions under so-called privacy arguments always concern me and generally should, IMHO, be resisted unless there are powerful arguments to the contrary. Most if not all of the information that appears in the whois fields is basic public domain information and I can see little justification in restricting the data as it seems to me to have little or no impact on an individual's privacy - i.e. the 'privacy' argument seems to be a spurious one. However, what I don't have a grasp for is how much the present system is abused to genuinely impact privacy and how that has affected the genuine registrant.
dra007 Posted January 24, 2007

It is ironic that any other institution requires far more rigid proof of address before issuing a registration. Notwithstanding, stolen identities are at the fingertips of fraudulent spammers anyway. At least, using that instead of bogus addresses, one would hope would make them even more liable. As I understand, US still has no laws against identity theft.
rooster Posted January 24, 2007

Steve;

The proposals extend the spirit of Canada's The Personal Information Protection and Electronic Documents Act (PIPEDA) to domain registrants -

Tru dat. The CIRA proposal cites the PIPEDA a number of times. What is missing is rationale for applying it to the CIRA Domain Registration process. It is standard business practice to protect registrant credit and financial information that CIRA might gather when obtaining registration fees. But, as you so aptly say;

- general internet presence is about as public as can be, those who want to be faceless in front of such presence must intend the rest of us, if not harm then surely no good.

...which seems to extend the policy so that the principal, or a contractually obligated agent, of a .ca domain is removed from public purview and accountability, then I submit the PIPEDA is not an appropriate source/case document to cite. My sense is, if the CIRA policy ever gets challenged in court, an informed and prudent judge would deem it unjustified and not in the public interest.

This is the point where I come a cropper. Canada does not have federal legislation appropriate to the internet as it is today. For a variety of reasons, Bill C-37 (circa 2005) is tabled, gathering dust, and already outdated. It is difficult to argue against the CIRA proposed policy change when appropriate source documents, nominated authorities, and support literature either don't exist, or involves resources beyond the marshalling of the one opposing it; ...like me.

In plain language, this issue needs serious input from persons with a comprehensive overview, and credentials. I have to say, I was disappointed when no other members of CIRA ventured to respond to my OP on this issue. Either "they" do not deign to audit this Forum... which would explain a lot about how such an ill-conceived policy could get past the committee stage, or they chose to ignore it.
Either way, I am confident their vaunted attestation that there was extensive consultation [1] is specious and suspect. To add insult to irony, the only invitation I received from CIRA for input was:

Membership Consultation
January 8 - February 5, 2007
Your Voice Counts
As a dot-ca domain Registrant and CIRA Member, you can participate in the policies and decisions that shape the Internet in Canada. CIRA is consulting our members about the proposed Board of Directors compensation package via an online survey. The survey is being conducted on behalf of CIRA by an impartial third-party and your opinions and comments will remain confidential.

It's probably more waggish than apt, but the CIRA policy strikes me as making about as much sense as telling the 411 operator your house is on fire, but you can't tell her the address because it's your policy to never give out that information over the phone. To which the op might enjoin; "But how are the firemen supposed to get to your house?" Exciting the bemused retort; "Well duhhh! In a big red truck!"

bobear;

The registrars have had an easy, accountability free ride for far too long & it strikes me that the proposed CIRA changes would give them an even easier ride by making more difficult the only existing option of challenge under the ICANN accreditation agreement, (false whois data), that all registrars are supposed to respond to, albeit in a time frame that makes the challenge almost pointless.

This raises a number of significant points worth consideration. Taking just the first one that comes to mind: complacency and complicity by domain registrars is arguably the most significant contributor to the pandemy of StDs (Spamvertized Domains). This characteristic neglect is also, arguably, the one vulnerability in the DNR system that advances spammers' objectives because it makes finding opportunities for internet self-regulation an increasingly discouraging undertaking.
This facilitation accounts for the burgeoning presence of spammers, allowing them to 'create' domains (the 'raison d'être' for SMTP spam) that are nothing more than ephemera.

If CIRA sees as part of its mandate the preserving of accountability in the .ca DNR, then who is going to be tasked with responding to abuse complaints on a timely basis? And what mechanisms are to be instituted? If CIRA sees itself as the arbiter of last resort, then there is going to have to be a bureaucracy and investment of capital of some size created and under its aegis. Seen in this light, recent CIRA policy could be interpreted to signal a mission of empire building and career furtherance. Like politics.

- i.e. the 'privacy' argument seems to be a spurious one. However, what I don't have a grasp for is how much the present system is abused to genuinely impact privacy and how that has affected the genuine registrant.

Spurious indeed. As at Oct.26, 2006, there were only 750,000 “.ca” registrations [2]. The limited information I have suggests there is only a handful of registration contests in a given year. Dealing with them would be a part-time job easily handled by a clerk whose job description would budget for about 7 hours a week over the year, plus 1 (one) hour/wk budgeted for titled supervisor/officer/executive time. This, of course, doesn’t factor in (catered) executive committee meetings, conferences, Professional Development Courses and Seminars and (expensed) breakfast meetings, transportation compensation, flight, limo and hotel allocations, 4 weeks paid vacation, 70 hours paid sick leave, and free parking. The clerk, on the other hand, would be an unpaid comp/sci intern entitled to free coffee, and donuts on Fridays provided he/she goes out and gets them and can keep the crumbs and jelly drips from out the keyboard.
[1] <http://www.cira.ca/en/Whois/whois-backgrounder.html>
“CIRA’s new approved WHOIS policy was developed following extensive and far-reaching public consultations with numerous CIRA and WHOIS stakeholders such as:
• Registrants;
• Certified Registrars;
• A random sample of 1000 Canadians;
• Leading organizations and experts in the areas of:
  o Law enforcement
  o Internet use
  o Intellectual property
  o Privacy, and;
• Members of the CIRA Board of Directors.”

[2] <http://www.cira.ca/news-releases/191.html>
turetzsr Posted January 24, 2007

<snip> As I understand, US still has no laws against identity theft.

...Happily, your understanding is incorrect: there are state laws against identity theft; there are also related federal laws dealing with consumer credit, criminal identity theft and privacy/information security. <g>