This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
- Previous message (by thread): [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
- Next message (by thread): [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ronald F. Guilmette
rfg at tristatelogic.com
Fri Jan 17 02:09:48 CET 2020
In message <d11c5891-60aa-6581-88c1-35623b8eb2bf at key-systems.net>, Volker Greimann <vgreimann at key-systems.net> wrote: >As the abuse using domains registered through us usually does not happen >on our networks, we have zero ability to detect it in advance, all we >can do is take care of them after the fact, which we do dilligently. We >have a team tasked exclusively with reviewing abuse complaints and >taking appropriate action. You already clarified what your idea of "appropriate action" is, i.e. ratting out the "troublemaker/complainer" to your spammer customer's reseller, so that that company can in turn rat out the "complainer" to the spammer, so that the spammer can then launch a DDoS or other type of attack. (And for the record, I have myself been DDoS'd *twice* in the past 20 years, since I have been working on network abuse issues.) I'm sorry, sir, but this is *not* my idea of "appropriate action". Far from it in fact. >Clearly you have never looked at what normal end users put in the Org >fields. I have *actually* looked at more domain name WHOIS records, and carefully studied them, that you will likely even glance at in your entire lifetime. >In our experience, they put anything in there, not just org names. That is not my problem and it is also not your problem. The fact that some tiny percentage of the world's population are perfect imbecils who are unable to grasp the simple and obvious concept of an "organization" as something other than a natural person is not a fact which either can or should drive global policy as it relates to the overall health and safety of the entire Internet. More to the point, how many natural persons have names that end with ", LLC" or ", Inc." or ", Ltd." or ", S.A.R.L." ? Could your company and your entire industry at least display in public WHOIS records the Organization fields that contain these suffixes? Of course you could! Will you do so? Of course not, because as I have said, you folks who are in the domain registration business are not interested at all in either transparency *or* in the health of the Internet. Your only goals are to helpfully hide the details of your crooked and wicked primary revenue-generating customers, i.e. spammers and phishers, and maximizing your own revenue at the expense of everyone else. Ladies and gentlemen, for those of you who may think that I have just gone off the deep end, and that I am just ranting against the domain name registration industry without any basis, I ask you to just consider this: There exists a domain name registrar company, NameSilo, here in the U.S. and on its web site it proudly displays the details of its bulk discount policies for domain name buyers: https://www.namesilo.com/Support/Discount-Program As you can all see, the discount schedule for bulk purchases maxes out and yields the highest level of discounts for buyers at the level where a single buyer is purchasing FIVE THOUSAND DOMAIN NAMES IN A SINGLE SITTING. So now, everyone, ask yourselves: Who needs to buy FIVE THOUSAND domain names in a single transaction? Who even WANTS to buy FIVE THOUSAND domain unique names in a single transaction? And whoever wants that, would you trust them to hold your wallet? The entire scam that is the modern domain name business is an open secret. The domain name registrars don't even hide what they are up to anymore. They display it right out in the open and on their web sites, almost as if it were something to be proud of, rather than something that they should be ashamed to tell their mothers about. I have talked to a senior official at ICANN about this practice of ICANN's accredited registrars offering discounts for bulk purchases... which are clearly and unambiguously intended to draw in the Internet criminal element... and this ICANN official said to me point blank "Yea, we know. There is nothing we can do about it." Why can't ICANN control this outrageous behavior of the part of its own contractually bound accredited registrars? The answer is as simple as it is obvious: The problem isn't that ICANN actually "can't" do anything about this explicit catering to the criminal element. The real problem is that ICANN has no incentive to put a stop to this, and in fact makes lots of money itself by the perpetuation of this sordid trade, which they and everyone else who has been paying attention all know about. >If you have the perfect method of >differentiating between personal data and non-personal data, you could >do a lot of good by sharing that instead of mouthing off. See above. This isn't rocket science. But you are now displaying, on behalf of your entire crooked industry, your willful and self-serving blindness to the obvious. If the value in the Organization: field ends in "Inc." or "LLC" or "Ltd." or "Limited" or "Co.", or "Company" or "OOO" or "SRL" or "S.R.L." or "SARL" or "S.A.R.L." then guess what? That is NOT the name of a natural person. and therfroe the infomation in that field is clearly NOT covered under or by GDPR. If I thought that it would help any, then I would happily arrange to have the above comment translated for you into braille. >Not all law enforcement is Seargant Plodder. I never said they all were. I said that they don't have the time, resources, training, or even the interest or clear legal authority to persue -any- of the tens of thousands of small-time criminals and spammers who your industry and its overriding greed have saddled the rest of us with. I also said that your whole industry is well and truly aware of this fact, which is well known to anyone and everyone who as dealt with network abuse issues on the Internet at any time within the past ten+ years, and that this is why your industry is so happy to "compromise" on the WHOIS issue by screwing the public, insuring your own near-total unaccountability, and converting the entire WHOIS system from an open and transparent system... as it was from the start of the Internet... into a closed and secret world that can only be viewed by harried, uninterested and untrained law enforcement. This is NOT acceptable. I don't like to blow my own horn too much, but I am forced to ask this question now: Who broke the case and who broke the story of the massive corruption inside AFRINIC? Was that law enforcement? Did *anybody* in law enforcement have even the first clue about *or* even give a crap about what was going on in that case? No. It was a private sector non-law-enforcement researcher who got to the bottom of that case. You and your whole industry are deliberately screwing all private sector security researchers. And why? Just so that you can all keep your whole ponzi scheme of an industry going a little bit longer, and just so that you can all make just a little bit more money by being the paid stooges and front men for the kind of folks who buy five thousand domain names at a single sitting. >And access would be granted to anyone who can demonstrate a legitimate >interest... Yes. I have already discussed your industry's "cover story" for your ongoing campaign to destroy the entire WHOIS system as we know it, and have known it, for more than 30 years. Your plan is to have some paid lacky bureaucrat sitting in some dusty office somewhere with a desk piled high with waiting applications from "legitimate interest" researchers and a huge red rubber stamp that just says "Application Denied". Proove that this is NOT the exact outcome that you and your fellow domain name registrars are hoping for. Prove that this is NOT what you all have all been scheming to achieve, ever since even before GDPR came into effect, thus giving you all a convenient excuse for doing what you had all wanted and planned to do all along, i.e. converting WHOIS from a an open, public, and transparent system into a closed and proprietary one. QUESTION: Do *I* have a "legitimate" interest in seeing WHOIS records? ANSWER: You're goddamn right I do! Can I prove that fact? No, I can't. Can any party who *isn't* litigating, and who *isn't* law enforcement and who *isn't* a trademark holder actually *prove* that they have a "legitimate interest" in looking at otherwise secret WHOIS records? No they can't. You know it, I know it everybody knows it. The truth is that your whole wicked industry just doesn't want to be in any sense accoutable. You want as few people as possible looking over your shoulders and watching what you are doing. And I can assure you that I am *not* the only one who thinks so: http://www.circleid.com/posts/20100728_taking_back_the_dns/ >Actually, when it comes to whois, we mainly care about protecting the >privacy rights of our customers. Not the abusers though. Oh! Right! So you are telling us all, here and now, that Namesilo... one of your bretheren in the domain name industry... has absolutely -zero- direct financial interest in protecting their customers who came to them to register FIVE THOUSAND domain names. And you really expect people to believe this obvious and transparent lie? If so, I think that there are some job openings in the White House press office, here in the U.S., that you might be well suited for. Regards, rfg
- Previous message (by thread): [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
- Next message (by thread): [anti-abuse-wg] @EXT: RE: working in new version of 2019-04 (Validation of "abuse-mailbox")
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]