Whois Field Trip Investigations
By Ryan on Saturday 1 September 2007, 09:40 - Permalink
The most interesting part of investigating any abuse claim is looking at the Whois information. While registrars can suspend domains that are used for spamming, botnets, etc., there is of course the stage where the registrant details are examined for accuracy. Sometimes the information is random, sometimes hilarious, but other times it is stolen from real people, or made to look genuine (see the wiki about this). When this is the case, it is often best to contact someone in the area and have them investigate, or go there yourself. Here is a story sent to Spamtrackers by Gandi.net's Abuse Department:

I take great pleasure in investigating whois information when it appears to be correct, because other than being a challenge, it means that there is also the possibility of involving law enforcement.
Sometimes it so happens that a spammer uses an address in France, which to Gandi's abuse department means one thing: field trip!
Going to the registrant address as listed in the whois to verify its validity is always interesting, because you are never sure just what the story will be at the end of the day. Riding the public transportation on the way to the listed address, we talk about ordinary things: "what is better, plasma or LCD?", "...I used to get off at this stop for practice", etc. Invariably though, as we near the final stop, someone takes out the file and flips through the printouts, reading out loud the incredible aspects of the spam.
After arriving at the registrant's destination, there are only two things that can happen: the address is fake, or stolen. A criminal never gives his real address, because he would be arrested before our whois team arrived.
Once, we arrived at the address and called the number from a public pay phone just outside the front door. In that case, the person had used his parents' address! It was oh so very tempting to tell his folks just what activities their nice little son was involved with these days....
But usually, the address is simply false - like the recent case of Reliable Pharmacy - which does not exist. In such instances, I make it a point of interviewing local residents to see what they have to say about the case, or to confirm that the address and registrant are indeed incorrect. It is not only a way to assure that the whois information is deliberately false, but also a nice way to meet new people in a neighbourhood that I would otherwise never visit, and to hear people's stories...
Going out on field investigations like this is a nice experience for abuse teams, as it puts a real face on the problem of spam. Actually meeting someone who has been listed as the registrant of a pharmacy spam domain because their information was stolen, or seeing that the address listed for a pharmacy is actually a take-out pizza joint, is the best way to keep it real for the team.
Spam is not just a technical problem - there is a real human behind the operation, and real people are involved. I recommend that all abuse departments go on Whois field trips as often as possible - it helps remind us that behind the cat-and-mouse game between spammers and registrars is real criminal activity, in the real world, involving real people - not just IP addresses.
You might even solve the problem of LCD versus plasma... ;)
Comments
I know what you are going through when you go on these field trips to nowhere. I too have been there, and it can sometimes be interesting. If we only had more people around the world go out and verify these names and addresses, so that the whois info can be properly updated, then the spammers would be out of biz. In my area there is not much that can be verified; I haven't found a spam domain yet that I can easily travel to, unless I want to go more than 1000 km. Anyways, keep up the great work you are doing. Perhaps, maybe we can collaborate on info.
Michael