
Identify anonymous domains with anonwhois.org


Check out this neat new project at anonwhois.org: It's domain data, published in a format similar to a URI DNSBL or RHSBL (right-hand side BL). Meaning, in short, it's a DNS-based list that you can check domains against. What does it tell you? Whether or not a domain is registered anonymously; that is to say, whether or not a domain is registered behind a "privacy protect"-like service. Like many other spam fighters, I've long considered it a bad idea to hide ownership of your domain in this manner. And now, if you, like me, think it's a bad idea, you could use the ANONWHOIS data to help score or otherwise identify messages that come from such domains or use such domains in images or links.

Project creator Blaine Fleming is quick to caution that this is not a blacklist and wasn't meant to be used for outright rejection of mail. If you use it for that purpose, you're likely to encounter false positives, as a non-zero amount of non-spam mail certainly comes from anonymized domains.

Blaine mines the DNS query data to look for domains that require querying and categorization. I think that means that there could be a scenario wherein the first time somebody queries about a given domain, there may be no data, but if you come back later, ANONWHOIS may have figured out by then that the domain ownership info is obscured and that therefore, it merits listing. I'm sure that they need to ration and space out WHOIS lookup requests; they don't want to get blocked for running thousands of WHOIS lookups in batch.
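An added example (not code from ANONWHOIS or from this post) of the RHSBL-style lookup and the scoring use described above. The zone name, point weight and cache lifetimes are assumptions, since the post gives none; the short negative cache lets a domain that gets categorized after its first query be picked up later.

```python
import re
import socket
import time

ZONE = "anonwhois.example"  # placeholder: the post does not name the query zone
ANON_POINTS = 1.0           # assumed weight: a scoring hint, never a rejection
NEG_TTL = 3600              # assumed: re-ask soon, a listing may appear later
POS_TTL = 86400             # assumed lifetime for a positive answer
CACHE = {}                  # domain -> (verdict, expiry time)

def dns_listed(name):
    """True if name resolves, False if it does not, None on a temporary failure."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror as exc:
        temporary = exc.errno == getattr(socket, "EAI_AGAIN", object())
        return None if temporary else False
    except UnicodeError:    # label too long or otherwise not encodable
        return False

def is_anonymous(domain, resolver=dns_listed, now=time.time):
    """RHSBL-style check: query <domain>.<zone>; any answer means listed."""
    domain = domain.rstrip(".").lower()
    hit = CACHE.get(domain)
    if hit and hit[1] > now():
        return hit[0]
    verdict = resolver(f"{domain}.{ZONE}")
    if verdict is not None:  # resolver trouble is not cached as "unlisted"
        CACHE[domain] = (verdict, now() + (POS_TTL if verdict else NEG_TTL))
    return bool(verdict)

def message_domains(sender, body):
    """Sender domain plus the hosts of http(s) links and image URLs.

    sender is assumed to be a bare address; hosts are queried as written,
    reduction to the registered domain is left out of this example.
    """
    found = {sender.rsplit("@", 1)[-1].rstrip(".").lower()}
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    found.update(h.rstrip(".").lower() for h in hosts)
    return found

def anon_score(sender, body, resolver=dns_listed, now=time.time):
    """Points to add to a spam score, and the domains that earned them."""
    listed = sorted(d for d in message_domains(sender, body)
                    if is_anonymous(d, resolver, now))
    return ANON_POINTS * len(listed), listed
```

The returned points are meant to be added to whatever other evidence a filter already weighs, in line with the caution that the data is not a blacklist.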

With the recent court ruling that masking domain ownership constitutes material falsification under CAN-SPAM, using this data to vet marketers and other mail-sending entities strikes me as an exceptionally good idea. It wouldn't surprise me to find blacklists declining to remove entities from domain or IP address-based blacklists if the domains being used don't have transparent ownership information attached to them in WHOIS.

Visit the ANONWHOIS website at anonwhois.org for more information.

Update: What do spamfighters think of anonymous whois? I asked a few, and here's what they told me.

Update: Before commenting, read my follow-up post here, where I answer some commonly raised questions.

15 Comments

Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.

  1. I'm the owner of an anonymous hosting company, InvisiHosting.com, and I'd like to comment briefly on your distaste for anonymous domain registration.

    1.) ICANN regulations require the listing of accurate data in a WHOIS record, with a threat of revocation if inaccurate data is not corrected. That means that anyone who has a domain name, who doesn't have a company to register it under, has to have their real name, address, email and phone number listed in the WHOIS record. While most registrars are pretty lax in enforcing this, it still leaves normal, good people faced with having to put information that they wouldn't necessarily want public. Anonymous registration makes this unnecessary.

    2.) Many people have very very good reasons for not wanting to be associated with a website. Whistleblowers, pranksters, bloggers, etc, all could face serious legal or social repercussions if the data they make public is attached back to them. Many of my non-American customers would be arrested or sued for exercising nothing more than the freedom of speech that the rest of us are accustomed to.

    3.) If this idea really takes hold, and ANONWHOIS lists are actually used to spam score email, real spammers will just find a registrar that doesn't enforce ICANN policy too strictly (Joker, GoDaddy, etc...), throw up fake data, and the list would be left penalizing honest people who simply don't want their name attached to their domain.

  2. I don't want to do business with (or possibly even accept mail from) people who want to hide who they are.

    Honest people are not being penalized, here or elsewhere. Somehow I've managed to own multiple personal domains, for years, with legitimate contact information, without having to put my home address on them. Your business model is far from the only solution.

  3. 1.) Why not? I can think of plenty of interactions where the identity of either party is completely irrelevant to the transaction. And what about people who expose themselves to serious real-world repercussions if they put their real name/contact info on the domain? What's necessarily untrustworthy about them?

    2.) The only way honest people wouldn't be penalized is if there are no honest people that take advantage of anonymous domain registration.

    3.) You have multiple valid addresses you can use, and a spare phone number. Not everyone does. Also, you still have to put your name on the domains.

    4.) Anonymous domain registration isn't the only solution, but it is the most universally accessible solution for people who want/need to have websites, but either don't want, or absolutely can't, have their identities associated with their domains.

    5.) What is it about anonymity that you find so problematic?

  4. In anti-spam and online security, transparency and reliable identity are important bits of data to tell good mail from bad mail and good guys from bad guys. Look closer at the cited legal issue in the original post.

    You've made your point, Matthew. If you keep commenting, I'll just start nuking your comments. Don't confuse this with a democracy.

  5. My problem with anonymity is that the domain privacy folks let spammers and abusers sit on their network and do nothing to stop the abuse. If the domain privacy services were to actually stop people from abusing their service, or use their service to hide their involvement in the abuse, I'd have a lot less issue with it.

    Spammers are abusing domain privacy services and those companies are protecting them from the consequences of that abuse. So, people who are tired of the abuse are creating a way they don't have to continue dealing with the abuse.

    I am all for a list showing what domains are hiding behind privacy protection services. And I say that as someone who handles privacy protection for multiple domains, including one that is the target of lawsuit threats. I understand why people are angry when they can't find anyone to take responsibility for actions of a domain.

    This could have been stopped a long time ago if the privacy protection companies were more responsible for their customers. But they weren't, and in fact some of those privacy protection companies were started by spammers specifically to protect themselves and their customers and peers.

  6. I can accept the manner in which CIRA has handled this in Canada: Individuals can have an anonymous domain, businesses cannot.

    I have heard the rationale along the lines of what Matthew Schiros has laid out many times, but have yet to hear of a plausible reason why activists and whistleblowers NEED an anonymous domain, when it is so simple to set up an anonymous blogger account, for example. And before you say it, a court injunction against Blogger (google) to disclose would be as quickly accepted by a company offering proxy services, if they know what is good for them. People who want to remain truly anonymous need far more than a mere domain name block to do so; IP anonymization being primary, I would think.

    The problem with anonymous domains, as Laura and Al have more than adequately explained, is that they do not garner trust on the part of the person who consults them, something that speaks to the domain owner's online reputation. Worse, if the owner is using the domain in email, or the associated website for commerce, it garners mistrust.

    Furthermore, (speaking with my CAUCE.org hat on) domain registrations allow for a 'big picture' view of an entity to be drawn together, for the purposes of online investigations. Requiring cops to get court orders to remove them is laborious, costly and time-consuming; and prevents the majority of the investigative work done by grassroots anti-malware/spam organizations to do their work in their entirety, since they have no access to the legal tools to remove these inane blocks.

    At my workplace, Return Path's Certification services, we disallow proxy services in their entirety. If someone isn't willing to be 100% transparent as to who they are when sending mail, we aren't interested in certifying that email.

    Neil Schwartzman
    Director, Certification Security & Standards
    Return Path Inc.

  7. Matthew Schiros says, "spammers will just find a registrar that doesn't enforce ICANN policy too strictly (Joker, GoDaddy, etc.)" Ironically, that's where he registered his domain:

    $ whois InvisiHosting.com
    [Querying whois.verisign-grs.com]
    [Redirected to whois.godaddy.com]
    [Querying whois.godaddy.com]
    [whois.godaddy.com]
    Registrant:
    InvisiHosting LLC

    YMMV but I find that GoDaddy does not allow spammer domains or false whois info. It was the first registrar to deny anonymity to spammers. So while it's an odd statement, I'm pretty sure that Matthew is no spammer.

    There are already spammer-oriented registrars. I strongly suspect that their customers experience significantly lower overall delivery rates than those of non-spammy registrars, and that the difference will become increasingly apparent over time.

    Aside, Joker hosts spam-engine domain send-safe.com, which in turn hosts its A RRs on fast-flux bot IPs, just as a data point.

    Obviously I appreciate anonymity but I don't need an anonymized domain to exercise it. I prefer not to receive any bulk e-mail from anonymized domains. My mailbox, my rules.

  8. siteprotect.com is bad. While not all are bad, I made provisions to ban all email from that domain after passing SPF checks, and also its IP addresses.

    Certain registrars are also (a father that goes someplace) is also a bad pointer.

  9. So what should honest people be using for personal domains where they prefer not to advertise their home address?

  10. I'll second ElNija's last comment. I own a personal domain--as a one-man hobbyist programming operation, I use it for my personal website. I send mail from it, too. The thing is that mail's not even coming from the domain, but it's using the domain as an alias. I think that that's a reasonable scenario--I don't want my public address, snail-mail /or/ e-mail, on my public WHOIS record, even if it needs to be on the official WHOIS documentation. While I agree that spammers are a very large group that would never want to expose themselves, why should I want to expose myself like that, either?

  11. I have several domains registered for personal purposes. I do not want my home address and phone number in them, nor do I want to pay for a PO Box or create a holding company (for lack of a better term) to register them under. It actually bothers me that I cannot register .us domains via a proxy service. In any case, how am I supposed to not give my home address and phone (home or cell) if I don't use a proxy service or one of the tactics I already mentioned?

  12. Nobody told you that you are now forbidden from registering a domain with privacy protect. What this is telling you is that if you use such services, not everybody is going to be happy with you doing so. It's your choice to do this or not. Similarly, it's their choice if they want to denote that mail comes from an anonymous domain or if they want to treat your mail differently or maybe not even reject it. That's the beauty of the internet -- it's all about choices. Nobody is forced to do anything they don't want to do.

  13. No, no one told me I could continue that practice. Nor did I mean to imply that I thought the service should not exist. My concern is that someone I know will end up with an email address hosted by one of these people that thinks all anonymous registrations are bad, and then either outright rejects messages or puts a high modifier on the messages causing my message to be lost in the ether. Regardless of whether it was intended to be a blacklist or not, some hardliner will ultimately end up using it as such. I already have the occasional issue getting mail to certain ISPs because of their draconian spam filtering rules. One place I used to host my email with dropped a lot of list traffic for the same reason. This is just one more thing to make sure that email becomes useless. I see a possible future where no one will be able to send mail to anyone unless their servers have established a "trust".

  14. That genie has already been long let out of the bottle. People already routinely reject mail from sites that have a neutral-to-negative reputation, aka how well they trust that mail from a site is desired by the recipient, safe, and legally compliant.
