
What it does

WHOIS ("who is...?") is a basic network service that is currently used for two important purposes: (1) to look up who controls a particular IP address (more precisely, the block of addresses it belongs to) on the public network, and (2) to look up the registration record for a particular internet domain name. Both capabilities are useful for spam investigation: the first tells you which network a piece of spam came from, the second who stands behind the domains advertised in it.

Originally, WHOIS was designed for much wider service, as a sort of general-purpose lookup tool for a variety of technical and personal information on the internet. Many of these uses have been supplanted by more advanced protocols (such as the web), while many more (like e-mail address queries) have simply evaporated in the face of abuse by spammers and others.

How to get it

If you use a Unix-like system (such as Linux, BSD, Solaris, Apple Mac OS X / Darwin, etc.), you more than likely already have a WHOIS client available on your system. You need only open a terminal window (or otherwise get access to command-line operation) and then type the command as shown below. Use the Unix whereis command (i.e., "whereis whois") to find whois if it isn't on your normal paths.

If you are using some other operating system on your computer (in particular, Mac OS 9 and earlier, and nearly all versions of Microsoft Windows), you may not have whois installed. In this case, you can either find a port of the whois command for your particular system, or else (if you don't like command lines) use one of the GUI-based or web-based alternatives described at the bottom of this page.

How to use it

On this page, we'll deal with the command-line version of whois; web-based and GUI versions should also work in a similar fashion (they should, in particular, follow referrals to other whois databases and should allow you to specify a particular whois host if you need to do this).

The type of lookup (IP or domain) done by whois depends upon what you supply as an argument. If you give a domain name, you'll get domain-whois; if you give an IP address, you get IP-whois. The command you type is the same for both; only the argument differs, as the examples below show.

The whois command has a number of options, but only one of them is frequently useful for our purposes: the -h option, which lets you specify which whois server you want to query. Under the hood, whois does very little: it opens a TCP connection to port 43 on a server, sends your query as a line of text, and prints whatever the server sends back. The only intelligence in the client is choosing which server to ask first and (in most clients) following the referrals one server gives to another. The -h option comes in very handy when whois doesn't follow a referral as it should and you have to query a particular database directly. We'll see how this works below.


Domain-whois queries a set of whois servers responsible for storing information about internet domains. The companies that sell domains (the "registrars") are responsible for seeing to it that all of this information is collected in the whois databases that they maintain. Using domain-whois, you can generally get information like the following about a domain of interest:

Basic domain-whois lookups

In its basic form, a whois command for domain-registry lookup looks like:

whois [domain]

Here, [domain] is a domain name (e.g., rickconner.net), and not a host name or alias (e.g., orca.rickconner.net) or an IP address. If you supply a host name, a URL, or some other argument, you will probably get no useful answer.

Based on the value given for [domain], whois will attempt to guess which of the many whois servers around the world it will use to get the answer. With luck, this basic call should get your answer right away. For example, here's a simple whois lookup for my current hosting provider prismnet.com:

[G4733:~] rconner% whois prismnet.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Updated Date: 27-jan-2005
Creation Date: 04-may-1995
Expiration Date: 05-may-2008

>>> Last update of whois database: Thu, 13 Oct 2005 14:12:27 EDT <<<

Lengthy NetSol legal boilerplate deleted...

Data from whois.networksolutions.com follows...

PrismNet, Inc.
11500 Metric Blvd Suite 280
Austin, TX 78758


Administrative Contact, Technical Contact:
PrismNet, Inc. support@PRISMNET.COM
PrismNet, Inc.
11500 Metric Blvd
Austin, TX 78758
(512)821-2991 fax: (512)821-2995

Record expires on 05-May-2008.
Record created on 04-May-1995.
Database last updated on 13-Oct-2005 17:05:11 EDT.

Domain servers in listed order:


In this case, Network Solutions was the registrar; whois found the referral to the Network Solutions server (the Whois Server line near the top of the output) and followed it, so everything after "Data from whois.networksolutions.com follows..." came from that second server and completes the report.

You may have to wade through a lot of legal disclaimers and warnings in the whois output (I deleted them here for clarity), but if you manage to get a block of info looking something like the latter half of this session, then you are probably done. Note that this information includes both administrative and technical contacts (giving the company name, postal and e-mail addresses, and telephone and fax numbers), as well as data on the age and expiration of the record (PrismNet has held this domain since May 1995, and will have to renew it by May, 2008 in order to keep it). The domain's authoritative name servers (i.e., the DNS hosts that know where everything is in this domain) are given at the end of the message.

The example above shows how my whois query was immediately and automatically redirected to the appropriate whois server (at Network Solutions, in this case) that held the records I wanted. This redirection seems to work better these days than in years past, but the chances are still pretty fair that you won't get the data you seek with a single basic whois lookup, particularly if the domain doesn't belong to the perennially popular .com, .net, and .org top-level domains, or if the domain is very new (as is often the case with spam domains). This is because there are now many private companies that provide domain registration services, their whois databases aren't always synchronized and linked together as effectively as one might want, and country-code registries (such as Nominet for .uk) run their own whois services under their own rules. Frequently, a basic whois lookup will give you nothing more than some sketchy information and may not even give you a referral to another whois server. For example, here's a lookup on a ".co.uk" domain:

[G4733:~] rconner% whois rover.co.uk

Domain Name:
rover.co.uk

Registrant:
MG Rover Group Limited

Registrant's Agent:
Namesco Limited [Tag = NAMESCO]
URL: http://www.names.co.uk

Relevant Dates:
Last updated: 07-Sep-2005

Name servers listed in order:

WHOIS database last updated at 22:20:00 13-Oct-2005

(c) Nominet UK 1996 - 2005

For further information and terms of use please see http://www.nic.uk/whois
Nominet reserves the right to withhold access to this service at any time.

This is a pretty poor response compared to what you typically get for a .com domain. We didn't get any real contact info for Rover, and we didn't even get a pointer to another whois host! Even when I went to the website of the "agent" (the registrar, identified in Nominet's output by its tag) at http://www.names.co.uk/ and thence to the .uk registry http://www.nominet.org.uk/, I still could not get any more detailed info on the domain. If you were being abused by spam connected with this domain (unlikely, in this case), you'd have little choice other than to find and pester a contact at names.co.uk (Nominet is the registry for .uk, not a registrar in the normal sense, and may not handle abuse complaints about individual domains).

Querying specific domain registrars for whois data

If you happen to know which registrar sold the domain you want to track down (e.g., the default whois lookup provided this info but didn't pursue it fully for some reason), you can query that registrar's whois server directly by using the -h (host) option with whois:

whois -h [whois-server] [domain]

Here, the -h option tells whois to go straight to the host (the whois server) you specify. Note that there must be a space after the -h and after the whois server name.

For example, here's a basic lookup on one of the more consequential websites of our times:

[G4733:~] rconner% whois gwenstefani.com

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Whois Server: whois.corporatedomains.com
Referral URL: http://www.corporatedomains.com
Updated Date: 19-apr-2005
Creation Date: 17-may-2003
Expiration Date: 17-may-2006

>>> Last update of whois database: Thu, 13 Oct 2005 14:12:27 EDT <<<

We don't have much detailed information here, but we do have a referral to another whois server (whois.corporatedomains.com) where full info can be found. If, for some reason, we did not get automatically redirected to this whois server, we can query it directly with another whois command:

[G4733:~] rconner% whois -h whois.corporatedomains.com gwenstefani.com
CSC Corporate Domains, Inc. - Domain Name Management for Corporations, Law Firms and IP Professionals

For Global Domain Consolidation, Brand Protection and Digital Certificates, go to: www.corporatedomains.com

The Data in CSC Corporate Domains, Inc.'s WHOIS database is provided by CSC Corporate Domains, Inc. for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. CSC Corporate Domains, Inc. does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to CSC Corporate Domains, Inc.(or its systems).

CSC Corporate Domains, Inc. reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Goldring, Hertz & Lichtenstein, L.L.P.
450 North Roxbury Drive, 8th Floor
Beverly Hills

Domain Name: gwenstefani.com

Registrar Name: CorporateDomains.com
Registrar Whois: whois.corporatedomains.com
Registrar Homepage: http://www.corporatedomains.com

Administrative Contact:
Seth Lichtenstein
Goldring, Hertz & Lichtenstein, L.L.P.
450 North Roxbury Drive, 8th Floor
Beverly Hills
Fax- +1.3102768310
Technical Contact, Zone Contact:
New Media Development
Interscope Geffen A&M Records
2220 Colorado Ave.
Santa Monica
Fax- +1.3108651000

Created on..............: 2003-May-17.
Expires on..............: 2006-May-17.
Record last updated on..: 2005-Jul-20 20:05:21.

Domain servers in listed order:


Now, we have more complete contact info, including the name of the registrant (not Gwen herself, alas, but a law firm probably retained for this purpose by her record company).

"Magic" and web-based proxy whois lookups
for domain info

Although the effectiveness of basic whois lookups seems to be improving of late, they still may not always work. And if you can't find out which registrar sold the domain, you can't query its whois server directly with whois -h.

Dead end? Maybe not. A few folks have taken the time and effort to develop "smart" whois tools that can find and query large numbers of whois databases with a single command. These tools are better able to navigate the dozens of registrars' whois databases to track down the domain. If the domain info can be found, they'll find it. All of these tools have web-based front ends, so you don't have to figure out how to use command lines in order to query them. You'll find a list of these services at the bottom of the page.

Problems with domain-whois information

OK, so you've persevered and gotten the complete registration data for a spam domain. Now you're ready to nuke the bastards, right? Well, no.

Before you go off half-cocked, I should point out some of the current problems that plague domain-whois lookups. Over the last decade or so, with the expansion of the internet and the "privatization" of the domain registration process, the domain whois service has become much more unwieldy and tolerant of abuse at its margins. Here are three of the bigger problems you may run into when using whois for looking up domain info.

Limited access to whois service

The most valuable information in whois databases, at least to would-be spammers, is the collection of e-mail addresses given as administrative, technical, or abuse contacts. Because repeated whois lookups can be used by spammers to generate spam mailing lists (i.e., you can get lots of valid e-mail addresses simply by banging away at whois and fishing the addresses out of the output), registrars have tried to protect their whois databases from such harvesting. You may, for example, not be able to get full whois data with a command-line query; you might have to go to the registrar's website and complete a simple challenge-response exercise (a CAPTCHA) in order to get the full records.

Also, registrars often deny access to their whois databases from IP addresses that have shown excessive use; this stops the harvesting, but can also cripple well-meaning proxy whois servers (such as those described below), since they tend to be high-volume users of whois services. This "blacklisting" shouldn't affect you as an individual, occasional user of whois from your own computer via a command line lookup or a "private" GUI-based application.

Hidden or proxy whois data

Many people want to register internet domains for themselves, but are justifiably afraid of exposing their identities to the public via the whois databases. Such people will often use agents or attorneys (as in the Rover and Gwen Stefani examples above). In these cases, according to ICANN policy, the agent actually undertakes responsibility for the domain (even though he is only lending his identity and does not literally control the domain), so the agent is theoretically the correct target for reports of abuse involving the domain.

Less-well-heeled registrants who cannot afford to hire attorneys or other go-betweens will use their registrars' proxy registration services, or will contract with independent outfits (such as DomainsByProxy) that provide "stand-in" whois data, so that the user's own information is not exposed for harvesting. Of course, these services also provide an excellent way for spammers to hide their identities as well (at least for as long as the proxy service will tolerate the abuse).

If you're tracking down a spam domain and hit one of these proxy services, you may not be able to get the true registrant data even if you go to the proxy provider's website. On the other hand, you can report suspected abuse of a domain to an abuse contact for this service (but not to the "stand-in" e-mail address provided by whois, since it may be connected directly to the spammer). Most proxy registrants have a no-spam policy, and will withdraw their services from abusive domains.

Faked whois data

All parties who register domains are required by ICANN to provide valid contact information (name, postal address, e-mail, phone, fax, etc.) for inclusion in the public whois service. This is necessary, according to the ICANN FAQs, "...to allow rapid resolution of technical problems and to permit enforcement of consumer protection, trademark, and other laws."

The registrar companies are similarly required by their agreements with ICANN to ensure that this whois info is indeed valid for every domain they sell. Unfortunately, the registrars are not always proactive in verifying such information, and you will very frequently find that the whois entry for a spam domain is demonstrably incomplete or even bogus (e.g., a city that doesn't exist in the particular state, a zip code that doesn't match the city, a fishy phone number). If you run across such a whois entry, you can file a report with the registrar asking them to investigate, although this takes more work and might be something you'd want to do only in the case of very stubborn or long-lived spammers.

Even if the domain's whois contact info appears to be valid, it is very risky (given rule #1) to act upon the registrant contact information provided by whois for a suspected spam domain (since that information was probably planted by the spammers). I myself would not use such data for anything other than circumstantial evidence (possibly to link the domain to other spam operations), and I certainly would not send any e-mails or postal mails (or worse) based on such information (rule #3).

Looking up abuse contacts for domains at whois.abuse.net

One specialized domain-whois server is worthy of further discussion here: the folks at abuse.net run a whois server (at whois.abuse.net) that returns not the usual whois information, but a list of e-mail addresses that can be used to report abuse pertaining to the argument you supply. In this case, "abuse" might include anything from spam websites and e-mail addresses to malware, port scans, and cracker attacks. Also, unlike normal domain-whois, you can actually use the abuse.net server to look up contacts for fully-qualified host names and even e-mail addresses.

To run an abuse.net query, you type:

whois -h whois.abuse.net [domain, host name, or e-mail address]

Note that listing domains with whois.abuse.net is strictly voluntary, so you may not always get back useful information from a whois.abuse.net inquiry. When you use this server, you should make sure that you get "real" addresses rather than the "default, no info" addresses that will be supplied if whois.abuse.net doesn't have any entries for the domain. You may not want to report to such default addresses, so as not to reveal your e-mail address to people who shouldn't see it.
You would use whois.abuse.net

For example, here's a lookup for a domain that has entered info into the abuse.net database:

[G4733:~] rconner% whois -h whois.abuse.net hotmail.com
abuse@hotmail.com (for hotmail.com)

...and here's a domain that hasn't (oops!):

[G4733:~] rconner% whois -h whois.abuse.net rickconner.net
postmaster@rickconner.net (default, no info)

For a company to file contact info with abuse.net doesn't necessarily mean that every valid complaint sent to these addresses will be promptly and completely resolved. However, appearing in abuse.net does at least indicate some good faith on a company's part in taking responsibility for potential abuse of its services by its employees or customers (or even interlopers).


Another use of the whois command helps us to fill in some important details in a spam hunt: which entity "owns" (or, more properly, "controls the use and allocation of") a given IP address. This is commonly known as IP-whois. Although the command is the same, we're actually talking to a completely different set of whois databases, those of the regional internet registries, that know about IP numbers (but not about domains).

You can use the default whois command to do IP-whois:

whois [ip-address]

Here, [ip-address] is an IP address written as four dotted decimal numbers, and not a domain name, host name, or alias. (If you give whois a host name, it will be treated as a domain lookup, so resolve the name to an address first, e.g., with host or dig.)

Like domain-whois, IP-whois starts its search at a top-level server and then (usually) follows any referrals to other whois servers until you have the answer you need. Older clients always ask ARIN first; newer ones either pick the RIR responsible for the address from a built-in table or start at whois.iana.org and follow its refer: line. If the whois system is feeling well, then you may get your answer right away. Here's an example using the IP address of a US-based mail host from which I used to get a lot of spam (not so much now, thanks):

[G4733:~] rconner% whois

OrgName: Compass Communications, Inc.
Address: 2001 6th Avenue
Address: Suite 3205
City: Seattle
StateProv: WA
PostalCode: 98121
Country: US

ReferralServer: rwhois://rwhoisd.ccom.net:4321

NetRange: -
NetName: NETBLK-CCOM-1998
NetHandle: NET-216-145-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.CCOM.NET
NameServer: NS2.CCOM.NET
RegDate: 1998-12-10
Updated: 2002-08-07

TechHandle: IC122-ARIN
TechPhone: +1-206-777-9988
TechEmail: hostmaster@ccom.net

OrgTechHandle: IC122-ARIN
OrgTechPhone: +1-206-777-9988
OrgTechEmail: hostmaster@ccom.net

# ARIN WHOIS database, last updated 2005-10-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Here, we have complete contact info for this address, including phone numbers, postal addresses, and e-mail addresses. Note the ReferralServer line: it points to the ISP's own rwhois server (on port 4321 rather than 43), which may hold finer-grained records showing which customer the address was assigned to. Many whois clients will follow such a referral on their own; if yours doesn't, most accept a -p option to set the port when you query the rwhois server with -h.

When basic IP-whois fails:
querying regional internet registries
for IP-whois data

Although basic IP-whois now seems to do a better job of following referrals to the relevant whois server, this may not always happen. In such cases, you'll need to know how to find the correct whois server in order to get your answer.

First, let's back up a bit and look at how IP-whois works. There are exactly 2^32 (about 4,295 million) possible addresses in the current IPv4 scheme (many of these aren't usable on the public internet, but that doesn't concern us at the moment). The allocation of these addresses is controlled by a group of regional internet registries (RIRs), each operating in a particular region of the globe. The RIRs allocate blocks of IP addresses to government agencies, universities, private wholesale ISPs, and other institutions in their region that can use such large "net blocks." Each RIR maintains a database that can be queried via IP-whois to provide the name and contact info of the business or institution to which an IP address has been allocated.

Here's a list showing the RIRs that are currently in operation, along with their website URLs and the names of their whois servers:

Region                                              RIR (website)                                                                                whois server
Asia, Pacific Rim                                   Asia-Pacific Network Information Centre (APNIC) (http://www.apnic.net/)                      whois.apnic.net
USA, Canada, Caribbean (partial), Africa (partial)  American Registry for Internet Numbers (ARIN) (http://www.arin.net/)                         whois.arin.net
Europe, Middle East, Central Asia                   Réseaux IP Européens Network Coordination Centre (RIPE NCC) (http://www.ripe.net/)           whois.ripe.net
Latin America, Caribbean (partial)                  Latin American and Caribbean Internet Addresses Registry (LACNIC) (http://www.lacnic.net/)   whois.lacnic.net
Africa                                              African Network Information Centre (AfriNIC) (http://www.afrinic.net/)                      whois.afrinic.net

When you do a basic IP-whois lookup with an older client, whois first tries the whois server at ARIN (yes, US-centric, I know); newer clients carry a table of which RIR holds which address ranges and go to the right one directly. If the address is within one of the blocks that ARIN administers (i.e., it belongs to an operation in ARIN's region), then you'll get your answer right away (as we did in the example above). Otherwise, ARIN's reply carries a ReferralServer line naming the responsible RIR; some clients follow it automatically, some don't. Either way, ARIN tells you who the appropriate RIR is, so you can query that RIR's whois server directly using whois -h.
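The referral chain that the transcripts on this page follow by hand (the "Whois Server:" line in a .com/.net lookup, the "ReferralServer:" line in ARIN's replies, which may point at an rwhois server on a non-standard port) is easy to automate, because the whois protocol is nothing more than a query sent to TCP port 43 and a blob of text read back. The client below is an added example, not the page author's code: it implements that exchange, extracts the referral from each reply, and re-queries until a reply carries no further referral or loops back to a server already asked. It starts at whois.iana.org, which answers both domain and address queries with a "refer:" line naming the responsible registry (an assumption of this example; the page does not discuss IANA's server). The DEMO_REPLIES table is constructed from the shape of real output so the referral logic can be run and checked without network access.

```python
#!/usr/bin/env python3
"""Minimal whois client that follows referrals (added example; not the page
author's code).

What the whois command does on the wire (RFC 3912): open TCP port 43 on the
chosen server, send the query followed by CRLF, read until the server closes
the connection.  "whois -h SERVER QUERY" merely picks the server.

Referral lines recognised (all appear in real whois output):
  Whois Server: whois.networksolutions.com         .com/.net thin registry
  ReferralServer: whois://whois.apnic.net          ARIN -> another RIR
  ReferralServer: rwhois://rwhoisd.ccom.net:4321   ARIN -> an ISP's rwhois server
  refer: whois.verisign-grs.com                    whois.iana.org (start point)
"""
import re
import socket
import sys

IANA = "whois.iana.org"   # answers domain and IP queries with a "refer:" line
TIMEOUT = 10.0

def whois_query(server, query, port=43):
    """One RFC 3912 exchange: send query + CRLF, return everything sent back."""
    with socket.create_connection((server, port), timeout=TIMEOUT) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")   # IDNs must be punycode
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:          # server closed the connection: reply complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

_REFERRAL = re.compile(
    r"^\s*(?:(?:Registrar )?Whois Server|ReferralServer|refer)\s*:\s*"
    r"(?:(?P<scheme>r?whois)://)?(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def find_referral(text):
    """(host, port) of the first referral line in a whois reply, or None.
    rwhois:// URLs carry their own port; everything else is port 43."""
    m = _REFERRAL.search(text)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else 43
    return m.group("host").lower(), port

def whois_lookup(query, server=IANA, max_hops=4, fetch=whois_query):
    """Query `server`, then follow referrals until a reply carries none,
    points back at a server already visited, or max_hops is reached.
    Returns [(server, reply_text), ...] in the order visited.  `fetch` is
    injectable so the referral logic can be exercised without a network."""
    hops, seen = [], set()
    host, port = server, 43
    while (host, port) not in seen and len(hops) < max_hops:
        seen.add((host, port))
        text = fetch(host, query, port)
        hops.append((host, text))
        nxt = find_referral(text)
        if nxt is None:
            break
        host, port = nxt
    return hops

# Constructed replies, abbreviated from the shape of real output, so the
# referral chain for a .com domain can be run offline (no network needed).
DEMO_REPLIES = {
    ("whois.iana.org", 43):
        "domain:       COM\nrefer:        whois.verisign-grs.com\n",
    ("whois.verisign-grs.com", 43):
        "   Domain Name: PRISMNET.COM\n"
        "   Whois Server: whois.networksolutions.com\n"
        "   Referral URL: http://www.networksolutions.com\n",
    ("whois.networksolutions.com", 43):
        "Registrant:\nPrismNet, Inc.\nAustin, TX 78758\n",
}

def demo_fetch(server, query, port=43):
    return DEMO_REPLIES[(server, port)]

def demo_chain():
    """Servers visited for prismnet.com using the constructed replies."""
    return [server for server, _ in whois_lookup("prismnet.com", fetch=demo_fetch)]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "prismnet.com"
    for server, text in whois_lookup(target):      # live lookup over TCP/43
        print(f"=== {server} ===\n{text}")
```

Run it with a domain or an IP address as the argument for a live lookup, or call demo_chain() for the offline check. Keep the visited-set test and the hop limit: a registrar's reply that names its own server on a "Registrar WHOIS Server" line would otherwise loop forever, and rwhois servers on ports other than 43 are reached the same way a whois client's -p option reaches them.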

For example, here's a basic lookup on a spam mail host:

[G4733:~] rconner% whois

OrgName: Asia Pacific Network Information Centre
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: -
NetName: APNIC-60
NetHandle: NET-60-0-0-0-1
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2003-04-06
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2005-10-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

As it happens, ARIN did go on to transfer me to the correct whois server, but if it hadn't, this is probably all I would have gotten from them. There's no real contact info here; however it does contain a referral to the correct RIR for the address (APNIC). I can simply query APNIC's whois server with another command:

[G4733:~] rconner% whois -h whois.apnic.net
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: -
descr: Telekom Malaysia Berhad
descr: Network Strategy
descr: Wisma Telekom
descr: Jalan Pantai Baru
descr: 50672 Kuala Lumpur
country: MY
admin-c: DA5-AP
tech-c: NA16-AP
mnt-by: APNIC-HM
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20040607
source: APNIC

person: Darmataksiah Abai
nic-hdl: DA5-AP
e-mail: darma@telekom.com.my
address: Telekom Malaysia Berhad
address: Network Strategy
address: 5th Floor, North Wing
address: Menara Telekom
address: Jalan Pantai Baru
address: 50672 Kuala Lumpur
phone: +603-2240-7307
fax-no: +603-7958-2034
country: MY
changed: hm-changed@apnic.net 20031112
source: APNIC

person: Napizah Alang Jaafar
nic-hdl: NA16-AP
e-mail: napizah@telekom.com.my
address: Telekom Malaysia Berhad
address: Network Strategy
address: 5th Floor, North Wing
address: Menara Telekom
address: Jalan Pantai Baru
address: 50672 Kuala Lumpur
phone: +603-2240-7327
fax-no: +603-7958-2034
country: MY
changed: hm-changed@apnic.net 20031112
source: APNIC

Now, I have all the info I need to file a spam report with the ISP (Telekom Malaysia) that controls this spewing address (which seems to be part of a DSL subscriber pool).
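Getting from the inetnum object above to the two e-mail addresses meant reading the admin-c and tech-c handles and finding the person objects further down the reply; the same reply shape (attribute: value lines, objects separated by blank lines) is used by ARIN's output earlier on this page, just with different attribute names. The Python below is an added example, not the page author's code: it parses either style, resolves the contact handles, prefers an explicit abuse attribute when a registry supplies one, and drops the "(default, no info)" placeholders that whois.abuse.net returns for unlisted domains (described earlier). The RPSL sample is constructed with documentation addresses (192.0.2.0/24, example.net); the ARIN fragment is abbreviated from the Compass Communications reply above; the attribute names abuse-mailbox, abuse-c and OrgAbuseEmail are assumptions about current registry output and do not appear on this page.

```python
"""Turn whois output into the addresses to send an abuse report to.  Added
example, not the page author's code.  Both record styles shown on this page
share one syntax, "attribute: value" lines in blank-line-separated objects:
ARIN key/value blocks (TechEmail:, OrgAbuseEmail:) and RPSL objects from
APNIC/RIPE/LACNIC/AfriNIC, where the inetnum names contact handles (admin-c:,
tech-c:, abuse-c:) resolved against person/role objects in the same reply."""
import re

ATTR = re.compile(r"^([A-Za-z][A-Za-z0-9 _\-]*?)\s*:\s*(.*)$")
HANDLE_KEYS = ("admin-c", "tech-c", "abuse-c")
ABUSE_KEYS = ("abuse-mailbox", "orgabuseemail", "abuseemail")  # assumed names
EMAIL_KEYS = ABUSE_KEYS + ("e-mail", "techemail", "orgtechemail")

def parse_objects(text):
    """List of objects: dict of lower-cased attribute -> list of values (descr:,
    address: repeat).  '#'/'%' comments and non "key: value" prose are skipped."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current object
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("#", "%")):   # server banners, copyright notices
            continue
        m = ATTR.match(line)
        if m:                             # legal boilerplate has no key: value
            current.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    if current:
        objects.append(current)
    return objects

def report_contacts(text):
    """Report addresses, most specific first: explicit abuse attributes, then the
    e-mail of each object a contact handle points at, then any other e-mail."""
    objects = parse_objects(text)
    by_handle = {h.upper(): o for o in objects for h in o.get("nic-hdl", [])}
    cands = []
    for obj in objects:                   # 1. abuse-mailbox / OrgAbuseEmail
        cands += [v for key in ABUSE_KEYS for v in obj.get(key, [])]
    for obj in objects:                   # 2. admin-c/tech-c -> person e-mail
        for handle in (h for key in HANDLE_KEYS for h in obj.get(key, [])):
            cands += by_handle.get(handle.upper(), {}).get("e-mail", [])
    for obj in objects:                   # 3. any other e-mail attribute
        cands += [v for key in EMAIL_KEYS for v in obj.get(key, [])]
    return list(dict.fromkeys(v.lower() for v in cands))   # dedupe, keep order

def abuse_net_contacts(text):
    """whois.abuse.net answers 'address (reason)' per line; drop its
    'postmaster@... (default, no info)' guesses, which may reach the spammer."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+@\S+)\s*\((.*)\)\s*$", line)
        if m and "default, no info" not in m.group(2).lower():
            out.append(m.group(1).lower())
    return out

# Abbreviated from the ARIN reply for Compass Communications shown on this page.
ARIN_SAMPLE = """\
OrgName:    Compass Communications, Inc.

TechHandle: IC122-ARIN
TechEmail:  hostmaster@ccom.net

OrgTechHandle: IC122-ARIN
OrgTechEmail:  hostmaster@ccom.net
"""

# Constructed RPSL-style reply (documentation range, example.net addresses).
RPSL_SAMPLE = """\
% [whois.example.net node-1]

inetnum:      192.0.2.0 - 192.0.2.255
descr:        Example Telco
descr:        Network Strategy
admin-c:      EA1-AP
tech-c:       ET2-AP
changed:      hm-changed@apnic.net 20040607
source:       APNIC

person:       Example Admin
nic-hdl:      EA1-AP
e-mail:       Admin@example.net
source:       APNIC

person:       Example Tech
nic-hdl:      ET2-AP
e-mail:       noc@example.net
source:       APNIC
"""

ABUSE_NET_SAMPLE = ("abuse@hotmail.com (for hotmail.com)\n"
                    "postmaster@rickconner.net (default, no info)\n")

if __name__ == "__main__":
    print("ARIN:", report_contacts(ARIN_SAMPLE), "RPSL:", report_contacts(RPSL_SAMPLE))
    print("abuse.net:", abuse_net_contacts(ABUSE_NET_SAMPLE))
```

Feed it the text you get back from whois -h and use the returned list as the recipients of your report. The address inside a changed: attribute is deliberately not harvested: it records who last edited the object, not whom to complain to.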

Alternatives to command-line whois

If you don't have the whois command available on your system, or don't want to use it, you still have several alternatives. There are at least two websites that will be useful:

Since these sites see heavy usage, they are periodically denied access by some of the RIRs (who are trying to stop suspected spambot harvesting). If this happens when you're trying to trace an address, you might instead use the web-based IP-whois lookups offered by the RIR websites listed above.

You can also find "GUI" software for your system that will do IP-whois lookups. Check out Sam Spade for Windows, a very useful (and free) general purpose tool; Mac OS X has a built-in application (in the Utilities subfolder of the Applications folder) called, appropriately enough, "Network Utility." To use either of these, you will have to pick or type in the name of the whois server you want to use (whois.completewhois.com would be a good choice). You should refer to the instructions above if you're using one of these "semi-automated" whois tools.


(c) 2003-2008, Richard C. Conner ( )


Updated: Wed, 11 Jun 2008