If you’re being bombarded with a steady stream of spam that advertises a particular domain, and reports to ISPs and hosting providers haven’t helped, you may have one more trick up your sleeve: reporting abuse to the domain registrar that sold the domain. This is not something you’d want to do in every case, since the domain registrars’ responsibilities are somewhat limited when it comes to spam.
By “spam domain,” I mean mainly a domain name that is used in a spam operation. Typically, such domains are used only for websites set up by the spammer. On the other hand, if a given spam message refers to e-mail addresses in a domain that seems to have been set up just for the spam, or if such a domain is used for a mail host that sent the spam (and the host name doesn’t seem to be forged), then these, too, can be treated as “spam domains.”
We’ll look at how to find a domain registrar abuse contact later on, but first here’s some background info to help you decide on which occasions such reporting might (or might not) be a good idea.
A domain registrar is a company that has been accredited by ICANN (the Internet Corporation for Assigned Names and Numbers) to register unique domain names for use on the internet. In other words, a registrar is the firm that helps you stake your claim on “ratcakes.org,” “pluto-is-still-a-planet.net,” “decreptitu.de,” or other names you might want to use for your internet presence.
A “domain name” is the text string (like yahoo.com, whitehouse.gov, telegraph.co.uk, etc.) that serves as a sort of family name for a group of internet hosts and services. Domain names are very useful and important because they not only provide handy nicknames for internet businesses and sites (much punchier and more memorable than raw IP addresses), but they also allow the domains to be set up, maintained, and promoted without reference to the underlying IP network. That is, even if you change the IP addresses of your servers several times a year (e.g., if you change network providers), your visitors will be able to keep up with your wanderings by using your domain name.
Everyone who wants to set up a domain name on the internet (from google.com down to yours truly at rickconner.net) must register this name with a domain registrar, in order to establish ownership of the name, and to have information about the domain entered into the proper internet databases (i.e., whois and DNS) so that the domain can be used.
Normally, the domain registrar’s duties are limited to (1) collecting info from you (as a domain registrant) to put into whois and DNS, and (2) seeing that these data (particularly the DNS data) get entered properly so that you (and more importantly others) can use your domain. After that, you may never hear from your registrar again until it’s time to renew your registration, or to confirm or update your whois information.
Some registrars may also sell web hosting or other net services on the side (to provide “turnkey” domain services), but these are really distinct from their services as registrars.
Not much, in most cases; it simply isn't their job. As I said, their basic task is just to register domain names; it’s debatable whether they should also be held responsible for what their customers choose to do with their new domains. Unlike ISPs (whose profitability and connectivity can be directly threatened by uncontrolled spammers in their midst), domain registrars really don’t have a horse in the spam-suppression race.
If they can be convinced to act, however, the registrars do have a very powerful means to deal with a spamming customer: they can suspend or cancel his domain registration. This would entail removing the domain from the DNS, which would have the effect of removing the domain from the internet.
There are at least four cases in which a domain registrar might choose to investigate, suspend, or cancel a spam domain:
Let’s look at these in a bit more detail.
Domain registrars are not police. As I noted, their responsibility pretty much starts and ends with setting up domains, and many of them no doubt feel that adding anti-spam enforcement to their burden would simply be volunteering for trouble.
For this reason, some registrars (like Network Solutions, to name a prominent example) don’t really mention customer spamming in their service agreements, while others (like Joker.com) actively disclaim any responsibility for policing routine spamming behavior by their customers. On the other hand, there are now many “white hat” registrars that have adopted comprehensive no-spam policies for the domains they sell (for example, there’s gkg.net, the registrar for the rickconner.net domain).
Once you’ve found out who was the registrar for a particular spam domain (using the techniques described below), you can visit that registrar’s website and inspect its service agreements; if the registrar has posted a blanket no-spam policy, then you have grounds to report the spam to them. Whether or how they choose to enforce these policies is beyond your control, but by posting such policies, they’ve invited reports of their violation.
Many registrars offer “cloaked” or “proxy” registration services to their customers. Still other businesses (such as Domains By Proxy), or sometimes attorneys, will stand between the true domain owner and the registrar to act as agents or “proxy registrants” for folks who do not want their personal info exposed to the world in whois databases. Under ICANN policies, these proxies are treated as the actual registrants even though they are only acting on behalf of others.
You can spot such proxy registrations because they will contain the address and contact info for the registrar or proxy service itself, and not those of the actual registrant. Any communications directed to these numbers and addresses may or may not be forwarded to the true registrant depending upon the nature of the contact and the policies of the proxy service.
Because the proxy services are really putting their own reputations on the line when they agree to hold a proxy registration, they usually impose strict requirements on their customers’ behavior; these usually include pretty comprehensive prohibitions regarding spamming.
Should you find such a proxy registration in the whois data for a spam domain, you should check with the specific proxy provider or registrar to see if they have an anti-spam policy; if so, then you should report spam to the service directly (and not through the e-mail address given in the registrant data, which may lead directly to the spammer).
Many registrars offer hosting, e-commerce setups, web design, and other services to supplement their revenue and to provide “one-stop shopping” for internet aspirants. Even if the registrar keeps a laissez-faire policy with regard to domain registrations, its policies with regard to these net-access services are probably a good deal stricter, and likely prohibit spamming.
In such cases, since you’re already reporting the abuse of web or mail services, you probably don’t need to double-dip and report the spam domain to the same outfit, although you should note in your report that they provided the domain name as well as the network support.
Registrars’ agreements with ICANN require them to ensure that they collect “accurate and reliable contact details” for inclusion in the whois database. ICANN gives the registrar grounds for cancelling any registration in case of “...willful provision of inaccurate or unreliable information” by the registrant. The registrar therefore passes this requirement for accurate whois data on to its customers by means of its standard service agreement.
Therefore, whenever you run across whois information for a spam domain that appears to be inaccurate or unreliable, you can send a report to this effect to the registrar that sold the domain, pointing out that it appears to violate their service agreement and their responsibilities to ICANN. Even if the registrar otherwise doesn’t care what its customers do, this is one case in which they had better respond to your report.
The trick, however, lies in proving that the whois information is inaccurate or unreliable; just claiming that the info is wrong is not enough. Generally, you have three kinds of information to look at in any given domain registration record: e-mail addresses, telephone (and fax) numbers, and postal addresses. If these all seem to be valid (i.e., it looks like you could call the phone number, or send to the e-mail or postal address), you’ll have a hard time proving that they aren’t actually correct contacts for the registrant. If, however, you can prove that the contact data are not valid (i.e., they are non-existent or cannot be used to contact anyone), you will have the basis for a report to the registrar. Let’s look now at how we might prove the non-validity of whois contact info.
It is pretty nearly impossible these days to determine authoritatively who (if anyone) is the user of an e-mail address, or even that the address works and is monitored. It is, however, a great deal easier to determine that it would be impossible to send mail to the address. We can do this by looking up the mail exchanger (MX) hosts for the contact e-mail address using a dig mx command. If there’s no MX, then the address is undeliverable, and it is therefore “inaccurate and unreliable.”
For example, suppose we’re being pestered by lots of spam promoting a website in the domain captaincrunch.tv (which I have made up for purposes of illustration). We use domain-whois to look up the registrant data and get something like this (ignore all of the fake info for the moment except for the e-mail address at the bottom of the readout):
alu-g4pb:~ rconner$ whois captaincrunch.tv
Somebody's Whois Server Version 1.3
Phony Baloney productions
123 Main Street
Anytown, USA 12345
firstname.lastname@example.org << is this a deliverable address?
Now, we want to find out whether email@example.com is a deliverable address, so we look up the MX for the nucleargum.info domain using dig mx:
alu-g4pb:~ rconner$ dig mx nucleargum.info
; <<>> DiG 9.2.2 <<>> mx nucleargum.info
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27571
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;nucleargum.info. IN MX
;; AUTHORITY SECTION:
info. 7200 IN SOA tld1.ultradns.net. domadmin.ultradns.net. 2006051185 3600 1800 604800 3600
;; Query time: 72 msec
;; SERVER: 188.8.131.52#53(184.108.40.206)
;; WHEN: Fri Feb 17 20:15:20 2006
;; MSG SIZE rcvd: 95
Here, there’s no “ANSWER SECTION” in the dig output, which means that there’s no MX server for the domain nucleargum.info (in fact, the domain doesn’t even exist, as shown by “status: NXDOMAIN” in the header of the dig output). In other words, we could not send any e-mail to any address in this domain even if we wanted to, because there is no MX host to receive it. Clearly, this is not “accurate and reliable” information about the registrant.
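As an added example (not part of the original article), here is a small Python parser for the dig mx output shown above that turns the status header and ANSWER SECTION into a verdict you can cite in a report. It assumes dig’s text output format; the sample outputs are constructed (the mx1/mx2.example.net hosts are hypothetical). One caveat built into the verdicts: NXDOMAIN proves the domain does not exist, but a domain that exists without an MX record can still receive mail through an A record fallback (RFC 5321), so that case is flagged separately rather than called undeliverable.

```python
import re
from dataclasses import dataclass, field
@dataclass
class MxCheck:
    domain: str
    status: str                 # dig status field: NOERROR, NXDOMAIN, SERVFAIL, ...
    mx_hosts: list = field(default_factory=list)  # (preference, host) pairs, sorted
    def verdict(self) -> str:
        # Classify the contact domain the way a whois-accuracy report needs it.
        if self.status == "NXDOMAIN":
            return "NXDOMAIN"       # domain does not exist: nothing can be delivered there
        if self.status != "NOERROR":
            return "LOOKUP_FAILED"  # e.g. SERVFAIL: retry before claiming anything
        if not self.mx_hosts:
            return "NO_MX"          # no MX published; senders may still fall back to an A record (RFC 5321)
        return "HAS_MX"

def parse_dig_mx(output: str) -> MxCheck:
    # Parse the text output of `dig mx <domain>` (header, question and answer sections).
    status = re.search(r"status:\s*([A-Z]+)", output)
    question = re.search(r"^;([^\s;]+)\.\s+IN\s+MX", output, re.MULTILINE)
    check = MxCheck(domain=question.group(1) if question else "",
                    status=status.group(1) if status else "UNKNOWN")
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False       # any other ";;" header ends the answer section
        elif in_answer:
            parts = line.split()    # "name. TTL IN MX <preference> <host>."
            if len(parts) >= 6 and parts[3] == "MX":
                check.mx_hosts.append((int(parts[4]), parts[5].rstrip(".")))
    check.mx_hosts.sort()           # lowest preference value is tried first
    return check
# Constructed sample: the NXDOMAIN case from the article, cut down to the relevant lines.
NXDOMAIN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27571
;; QUESTION SECTION:
;nucleargum.info.   IN MX
"""
# Constructed sample: a domain that does publish mail exchangers (hypothetical hosts).
MX_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; QUESTION SECTION:
;example.net.   IN MX
;; ANSWER SECTION:
example.net. 3600 IN MX 20 mx2.example.net.
example.net. 3600 IN MX 10 mx1.example.net.
"""
```

To use it on a live lookup, pipe the output of dig mx into parse_dig_mx and quote the verdict and the raw dig output in the report.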
One obvious way to check on a phone number is to use a reverse phone lookup tool, which can give us the name and address associated with a phone number (the “reverse” of the usual task of looking up a phone number given the name and address). You can find many such web-based services using a Google lookup. Unfortunately, you won’t always get an answer from these tools, particularly if the number is unlisted, unassigned, or belongs to a cell phone. Also, few of these services provide detailed information for free; you are usually pestered to pay a premium for a more comprehensive report (which may or may not contain the information you want). Even if you do get a result, you can’t really prove (without further investigation) that the phone number isn’t a correct contact number for the domain, even if it appears to be in the wrong part of the world or to belong to the wrong parties.
As in the case of e-mail addresses, we may have an easier time simply figuring out that a phone number is invalid, rather than proving it doesn’t belong to the spammer. To do this, we must parse the phone number to see whether it is one that can actually be dialed (i.e., it is in the “numbering plan” for the particular phone carrier in the given country).
In most countries, a telephone number consists of a country code (e.g., +1 for the U.S. and Canada, +506 for Costa Rica), followed by an area code, followed by a subscriber number (which may consist of an exchange number plus some additional digits to identify the specific line). The country codes, area codes, and (frequently) exchange numbers used around the world are published on the web, and are available for checking the phone numbers you find in whois queries.
For example, the phone number +12029546263 can be parsed as follows: +1 (country code for US & Canada), 202 (area code for Washington, D.C.), 954 (exchange number) and 6263 (line number). This seems to be a valid number, because it follows the numbering plan for the U.S., although we don’t know right now to whom (if anyone) it belongs.
Let’s look at some other possible phone numbers:
Parsing phone numbers may take a bit of extra work, but if you find that the phone number given in the whois entry for a spam domain is invalid (cannot be assigned or called), you can report this to the registrar.
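As an added example (not part of the original article), the following Python function carries out the parsing step described above for numbers in the +1 numbering plan: it splits a whois phone string into country code, area code, exchange and line, and applies the structural rules of the North American Numbering Plan that make a number unassignable. The country-code table contains only the codes mentioned in the article; numbers outside +1 get their country code identified but no further checks, which is an assumption of this example rather than a limitation of the technique.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Country codes that appear in the article; only +1 (the NANP) gets structural checks here.
COUNTRY_CODES = {"1": "US & Canada", "49": "Germany", "506": "Costa Rica"}

@dataclass
class ParsedNumber:
    country_code: str
    country: str
    area_code: Optional[str]
    exchange: Optional[str]
    line: Optional[str]
    problems: list          # empty list means nothing rules the number out

    @property
    def dialable(self) -> bool:
        return not self.problems

def parse_phone(raw: str) -> ParsedNumber:
    # Normalise a whois phone string ("+1 (202) 954-6263", "+12029546263") and check it.
    digits = re.sub(r"[^\d+]", "", raw)         # drop spaces, dashes, dots, parentheses
    if not digits.startswith("+"):
        raise ValueError("expected an international number starting with '+'")
    digits = digits[1:]
    # Longest match first: country codes are 1 to 3 digits and prefix-free.
    cc = next((digits[:n] for n in (3, 2, 1) if digits[:n] in COUNTRY_CODES), None)
    if cc is None:
        return ParsedNumber(digits[:3], "unknown", None, None, None, ["unknown country code"])
    rest = digits[len(cc):]
    if cc != "1":
        # Other national plans are not modelled in this example; only the country code is checked.
        return ParsedNumber(cc, COUNTRY_CODES[cc], None, None, rest, [])
    if len(rest) != 10:
        return ParsedNumber(cc, COUNTRY_CODES[cc], None, None, rest,
                            ["NANP numbers have exactly 10 digits after +1"])
    area, exch, line = rest[:3], rest[3:6], rest[6:]
    problems = []
    # NANP rules: area code and exchange are NXX (N = 2-9); N11 codes are reserved service
    # codes (411, 911, ...); area codes N9X are reserved for expansion; 555-01XX is fictional.
    for label, code in (("area code", area), ("exchange", exch)):
        if code[0] in "01":
            problems.append(f"{label} {code} cannot start with 0 or 1")
        if code[1:] == "11":
            problems.append(f"{label} {code} is a reserved N11 service code")
    if area[1] == "9":
        problems.append(f"area code {area} is reserved for future expansion")
    if exch == "555" and line.startswith("01"):
        problems.append("555-01XX numbers are reserved for fictional use")
    return ParsedNumber(cc, COUNTRY_CODES[cc], area, exch, line, problems)
```

A number that passes these checks is merely dialable in principle; whether it is assigned, and to whom, still needs the reverse-lookup step described earlier.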
As with the e-mail addresses and telephone numbers, our objective with a postal address would be to prove that the address does not (and cannot) exist. While we do have some tools at our disposal for working with postal addresses, it may be more difficult to determine their (in)validity than for e-mail addresses and phone numbers.
The first thing to try might be a simple map search with Mapquest, Yahoo! Maps or similar; if the street can’t be found within the city (or perhaps even the city within the state/province or country), then you may be looking at an invalid postal address.
Postal codes, which are used by most countries, can also often be verified online. For U.S. addresses, you can use the USPS’s Zip Code lookup tool to determine whether the zip code reported by USPS for the street address actually matches the one given in the whois data; if they don’t match, you may be looking at an invalid postal address. In the case of other countries, you may find some help at the website for the post offices in those countries.
Here’s a “live” example of the whois data from an actual spam domain; it contains an obviously bogus postal address:
alu-g4pb:~ rconner$ whois tabutfk.com
Whois Server Version 1.3
[ snipped... ]
Domain Name : tabutfk.com (TABUTF2-BMN-DOM)
Registrar : BookMyName
Whois Server : whois.bookmyname.com
Referral URL : https://www.bookmyname.com
Registrant / Admin Contact :
Nick SILBERSTEIN (SILBER7-BMN-PE)
phone : (49)203-379-3543
e-mail : firstname.lastname@example.org
[ snipped... ]
In this case, we see that the address is identified as being in the “UNITED STATES,” but has a German postal code (D-40878 for the city of Ratingen in northwest Germany). The telephone number +492033793543 appears to be valid for this area according to FoneFinder. The registrar (www.bookmyname.com, in Paris) does have a policy prohibiting the use of spam, and their website lists a contact address of email@example.com. We could contact this address to report domain registration service agreement violations on two counts (i.e., postal address falsification and spamming).
Fortunately, perhaps, tracking down registrar contacts is usually easier than figuring out whether or not to report to them. For this, you just need to do a whois lookup on the domain to identify the registrar, and then figure out how that registrar wants to have reports submitted. For example, here’s a lookup on the (non-spammy) domain io.com (which belongs to the provider that hosts this site):
alu-g4pb:~ rconner$ whois io.com
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: IO.COM
Registrar: GKG.NET, INC.
Whois Server: whois.gkg.net
Referral URL: http://www.gkg.net
Name Server: NS2.PRISMNET.COM
Name Server: NS1.PRISMNET.COM
Updated Date: 16-oct-2004
Creation Date: 17-aug-1993
Expiration Date: 16-aug-2010
[ rest of output snipped... ]
Here, we see that we could direct any inquiries (or spam reports) about this domain to the registrar GKG.net.
It is important to use the registrar's preferred method of reporting so that your report will be properly treated. The best way to find the specific reporting procedure is to visit the registrar’s website; in the case of gkg.net, we see in their service agreement that they provide one webmail form for reporting spam, and another for reporting invalid whois data. We should use these webmail forms, even though they aren't always the ideal means for sending detailed reporting info.