Updated: It's still easy to try to steal an identity with false whois information. There are rules against it and ICANN pretends to enforce them, but I personally know that it doesn't really happen.
[Editor's note: On Jan. 26, ICANN and Enom finally followed through and resolved the issues described in this column. For details, see this entry in my blog Cheap Hack.]
How would you react if you found out that someone was trying to impersonate
you in order to defraud, and the authorities ignored your complaints about it?
I've been in this position; the authorities are varied and numerous, and they
include ICANN, the Internet Corporation for Assigned Names and Numbers. All of
them, including ICANN, let me down.
ICANN has fixed some problems in domain name abuse in recent months. It
couldn't have been easy to put the huge dent in domain tasting that ICANN has
put. No doubt VeriSign was unhappy with this, having made zillions on tasting,
although it couldn't protest too publicly. And ICANN could and should have gone
farther against tasting, but it went pretty far. But other policy lapses by
ICANN have not been addressed.
I have been the owner, for many years now, of the domain larryseltzer.com.
Go check the whois on this domain and what you see there is me.
In May of 2007, some person registered larryseltzer.net in order to
impersonate me. The person basically didn't get away with it, but that's not
what matters. I think I know who this person is, but that doesn't really matter
either, because nobody in a position to help is interested in doing so.
Check the whois for larryseltzer.net. Looks a lot like mine. The name is
slightly different (instead of "Larry Seltzer" it's "Larry Seltzer
Astroturfing LLC" - ho ho). And the e-mail for the contacts is different.
The mailing addresses and phone numbers are the same, and this is an important
point.
My identity thief made two uses of this domain to my knowledge. He posted
some e-mails to mailing lists, including this one on Full Disclosure. He also
contacted eWEEK and tried to get control of the log-on credentials for my blog
and to have my Ziff Davis e-mail forwarded to larry@larryseltzer.net. eWEEK
didn't fall for it. As far as I can tell, the impersonation efforts ended
around then.
I filed formal complaints with his domain registrar, ruskyhost.ru, an eNom
reseller, and with eNom itself. I got no response, not that I expected any
(honestly, "ruskyhost"!). I also complained to his hosting service,
DreamHost, which also didn't give a damn.
I then suggested to eWEEK Corporate Counsel that a threatening letter or two
might be in order. They never followed up. Thanks, guys. (At the time eWEEK was
owned by Ziff Davis Media; it now is owned by Ziff Davis Enterprise, a
different company.)
Finally, I also complained to ICANN through a formal process called the
WDPR or Whois Data Problem Reporting system.
ICANN rules, specifically the Registrar Accreditation Agreement, state that
whois information must be accurate and that registrars are obligated to take
action when informed of false whois information. The WDPR is a one-stop
complaint site for this. Since I don't own larryseltzer.net
and the whois for it has my address and phone number, that information is
inaccurate. When I made the complaint back in the Spring of 2007 I got an
acknowledgement e-mail for the complaint, and that was the end of it. ICANN
ignored me too.
Then on Dec. 19, 2008, ICANN announced that the WDPR system had been revamped
and improved and I figured that it was time to give it another shot. Guess
what? I got the same
acknowledgement e-mail, but weeks later still had received no information about
the problem. And in fact the rules for the WDPR state that I won't necessarily
get any contact.
The confirmation e-mail I received when I submitted the complaint says the
complaint will be forwarded to the sponsoring registrar of the domain, which
will be told to investigate.
"If you have reason to believe that the sponsoring
registrar may not be fulfilling its obligations, please forward your copy of
this e-mail, along with any other relevant information, to ICANN's Registrar
Liaison Contractual Compliance department at
registrar-infocompliance@icann.org. ICANN will review your submission and work
with the registrar to ensure compliance."
So I forwarded the complaint on to that address and said I
hadn't heard back. The e-mail was kicked back with an unspecific message about
the e-mail being undeliverable. I'd just about had enough.
Finally, I decided to go through normal press channels to see if anything
more would be done. The ICANN press person, who really is a nice guy and
helpful, promptly passed it on to someone who worked in that area and said they
would get back to me. Two weeks later and guess what? Nobody got back to me.
My wild guess is that the confirmation, if there really is any at all, goes
no further than e-mailing the e-mail addresses on the whois contact, and those
do not belong to me. Obviously nobody calls the phone numbers or mails the
mailing addresses because I would know about that.
I'll keep trying to do something about this particular problem, but I won't
go nuts about it. I won't make the mistake of assuming that there is justice to
be had on the Internet. That way lies madness.
Security Center Editor Larry Seltzer has worked in and written about the
computer industry since 1983.