Whois Stealing My Whois

By Larry Seltzer  |  Posted 2006-07-19 Print this article Print

?"> At this point, its worth saying a little about the process of checking a domain. There is a protocol and software called Whois, which is used for querying the databases of domain names, ultimately maintained for each top-level domain (or TLD, such as .com, .org, etc.) by the "registry" for that TLD. Verisign maintains the registry for the .com and .net TLDs.

Whois used to be exclusively a UNIX-based command-line affair, but these days most people get their whois information from web-based interfaces which perform the whois query on the back-end. My favorite service is Completewhois. When hosting services like web.com tell you that a domain is or is not available they first perform a whois query in order to determine if it is.

"Domain Tasting" is the hot new business for domain abusers. Click here to read more.

Theres a lot wrong with whois. For example, anyone can set up a whois server, theres no master list of them, and different servers return data in different formats. And when a hosting service, APLus.net for example, performs a back-end whois, its impossible to tell exactly what they are doing and to whom they are talking.

Anyway, my next step in testing was to go to the four hosting services meta-searched by CNet and search them directly with new domain names also picked out of thin air. Two days later they havent been taken.

At this point I have to say I dont know exactly whats happening, but something fishy is going on. With a whole lot more testing, I think I could figure out the source of Chestertons domain name feed, but I decided it was time to get the story out first.

The reader who brought all this to my attention called aplus.net, which told her that Chesterton Holdings monitors whois requests, and thats how they learn which domains to register. This would be a great explanation if it were possible, as a general matter. But its not generally possible to monitor whois requests.

Here is whats possible, based on what I know:
  • CNet, or someone at CNet, could be passing the requests on to Chesterton. I dont believe this for a second.
  • One of the hosting services that CNet is checking with (and there could be more than they indicate) could be passing data on to Chesterton. This seems unlikely to me.
  • Chesterton could have compromised one of the servers involved in the process, for instance the whois server used by one of the hosting services. This seems possible to me. There are a number of other hacking techniques, DNS cache poisoning for example, that could indirectly give Chesterton access to data from these queries.
  • Verisign could be passing the data on to Chesterton. I dont believe this, either.
Ive been in touch with CNet about this matter as I have investigated it. They dont really have an explanation, nor would I expect them to if their meta-search was doing what it was supposed to do. I also attempted to contact Chesterton, without success.

Even though Ive speculated on possibilities that are more or less likely than others, I dont think Im close to a definitive explanation. All I really know is that theres no legitimate way to do what Chesterton Holdings is doing, and I hope they finally get called for it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel