[anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")

In message <d11c5891-60aa-6581-88c1-35623b8eb2bf at key-systems.net>, 
Volker Greimann <vgreimann at key-systems.net> wrote:

>As the abuse using domains registered through us usually does not happen 
>on our networks, we have zero ability to detect it in advance, all we 
>can do is take care of them after the fact, which we do dilligently. We 
>have a team tasked exclusively with reviewing abuse complaints and 
>taking appropriate action.

You already clarified what your idea of "appropriate action" is, i.e.
ratting out the "troublemaker/complainer" to your spammer customer's
reseller, so that that company can in turn rat out the "complainer"
to the spammer, so that the spammer can then launch a DDoS or other
type of attack.  (And for the record, I have myself been DDoS'd
*twice* in the past 20 years, since I have been working on network
abuse issues.)

I'm sorry, sir, but this is *not* my idea of "appropriate action".  Far
from it in fact.

>Clearly you have never looked at what normal end users put in the Org 
>fields.

I have *actually* looked at more domain name WHOIS records, and carefully
studied them, that you will likely even glance at in your entire lifetime.

>In our experience, they put anything in there, not just org names.

That is not my problem and it is also not your problem.

The fact that some tiny percentage of the world's population are perfect
imbecils who are unable to grasp the simple and obvious concept of an
"organization" as something other than a natural person is not a fact
which either can or should drive global policy as it relates to the
overall health and safety of the entire Internet.

More to the point, how many natural persons have names that end with
", LLC" or ", Inc." or ", Ltd." or ", S.A.R.L." ?  Could your company
and your entire industry at least display in public WHOIS records the
Organization fields that contain these suffixes?  Of course you could!
Will you do so?  Of course not, because as I have said, you folks who
are in the domain registration business are not interested at all in
either transparency *or* in the health of the Internet.  Your only goals
are to helpfully hide the details of your crooked and wicked primary
revenue-generating customers, i.e. spammers and phishers, and maximizing
your own revenue at the expense of everyone else.

Ladies and gentlemen, for those of you who may think that I have just gone
off the deep end, and that I am just ranting against the domain name
registration industry without any basis, I ask you to just consider this:

There exists a domain name registrar company, NameSilo, here in the U.S.
and on its web site it proudly displays the details of its bulk discount
policies for domain name buyers:

    https://www.namesilo.com/Support/Discount-Program

As you can all see, the discount schedule for bulk purchases maxes out
and yields the highest level of discounts for buyers at the level where a
single buyer is purchasing FIVE THOUSAND DOMAIN NAMES IN A SINGLE SITTING.

So now, everyone, ask yourselves:  Who needs to buy FIVE THOUSAND domain
names in a single transaction?  Who even WANTS to buy FIVE THOUSAND domain
unique names in a single transaction?  And whoever wants that, would you
trust them to hold your wallet?

The entire scam that is the modern domain name business is an open secret.
The domain name registrars don't even hide what they are up to anymore.
They display it right out in the open and on their web sites, almost as
if it were something to be proud of, rather than something that they should
be ashamed to tell their mothers about.

I have talked to a senior official at ICANN about this practice of ICANN's
accredited registrars offering discounts for bulk purchases... which are
clearly and unambiguously intended to draw in the Internet criminal
element... and this ICANN official said to me point blank "Yea, we know.
There is nothing we can do about it."

Why can't ICANN control this outrageous behavior of the part of its own
contractually bound accredited registrars?  The answer is as simple as
it is obvious:  The problem isn't that ICANN actually "can't" do anything
about this explicit catering to the criminal element.  The real problem is
that ICANN has no incentive to put a stop to this, and in fact makes lots
of money itself by the perpetuation of this sordid trade, which they and
everyone else who has been paying attention all know about.

>If you have the perfect method of 
>differentiating between personal data and non-personal data, you could 
>do a lot of good by sharing that instead of mouthing off.

See above.  This isn't rocket science.  But you are now displaying, on
behalf of your entire crooked industry, your willful and self-serving
blindness to the obvious.

If the value in the Organization: field ends in "Inc." or "LLC" or "Ltd."
or "Limited" or "Co.", or "Company" or  "OOO" or "SRL" or "S.R.L." or
"SARL" or "S.A.R.L." then guess what?  That is NOT the name of a natural
person.  and therfroe the infomation in that field is clearly NOT covered
under or by GDPR.

If I thought that it would help any, then I would happily arrange to have
the above comment translated for you into braille.

>Not all law enforcement is Seargant Plodder.

I never said they all were.

I said that they don't have the time, resources, training, or even the
interest or clear legal authority to persue -any- of the tens of thousands
of small-time criminals and spammers who your industry and its overriding
greed have saddled the rest of us with.

I also said that your whole industry is well and truly aware of this fact,
which is well known to anyone and everyone who as dealt with network abuse
issues on the Internet at any time within the past ten+ years, and that
this is why your industry is so happy to "compromise" on the WHOIS issue
by screwing the public, insuring your own near-total unaccountability,
and converting the entire WHOIS system from an open and transparent system...
as it was from the start of the Internet... into a closed and secret world
that can only be viewed by harried, uninterested and untrained law enforcement.

This is NOT acceptable.

I don't like to blow my own horn too much, but I am forced to ask this
question now:  Who broke the case and who broke the story of the massive
corruption inside AFRINIC?  Was that law enforcement?  Did *anybody* in
law enforcement have even the first clue about *or* even give a crap
about what was going on in that case?  No.  It was a private sector
non-law-enforcement researcher who got to the bottom of that case.

You and your whole industry are deliberately screwing all private sector
security researchers.  And why?  Just so that you can all keep your whole
ponzi scheme of an industry going a little bit longer, and just so that
you can all make just a little bit more money by being the paid stooges
and front men for the kind of folks who buy five thousand domain names at
a single sitting.

>And access would be granted to anyone who can demonstrate a legitimate 
>interest...

Yes.  I have already discussed your industry's "cover story" for your
ongoing campaign to destroy the entire WHOIS system as we know it, and
have known it, for more than 30 years.

Your plan is to have some paid lacky bureaucrat sitting in some dusty
office somewhere with a desk piled high with waiting applications from
"legitimate interest" researchers and a huge red rubber stamp that just
says "Application Denied".

Proove that this is NOT the exact outcome that you and your fellow domain
name registrars are hoping for.  Prove that this is NOT what you all have
all been scheming to achieve, ever since even before GDPR came into effect,
thus giving you all a convenient excuse for doing what you had all wanted
and planned to do all along, i.e. converting WHOIS from a an open, public,
and transparent system into a closed and proprietary one.

QUESTION:  Do *I* have a "legitimate" interest in seeing WHOIS records?

ANSWER: You're goddamn right I do!  Can I prove that fact?  No, I can't.
Can any party who *isn't* litigating, and who *isn't* law enforcement
and who *isn't* a trademark holder actually *prove* that they have a
"legitimate interest" in looking at otherwise secret WHOIS records?
No they can't.  You know it, I know it everybody knows it.

The truth is that your whole wicked industry just doesn't want to be in
any sense accoutable.  You want as few people as possible looking over
your shoulders and watching what you are doing.

And I can assure you that I am *not* the only one who thinks so:

http://www.circleid.com/posts/20100728_taking_back_the_dns/

>Actually, when it comes to whois, we mainly care about protecting the 
>privacy rights of our customers. Not the abusers though.

Oh!  Right!  So you are telling us all, here and now, that Namesilo...
one of your bretheren in the domain name industry... has absolutely
-zero- direct financial interest in protecting their customers who
came to them to register FIVE THOUSAND domain names.

And you really expect people to believe this obvious and transparent lie?

If so, I think that there are some job openings in the White House press
office, here in the U.S., that you might be well suited for.


Regards,
rfg