Whois Anti-Harvesting Techniques

Whois Anti-Harvesting Techniques are practices that registries or registrars can employ to defend against Whois Misuse. Listed below are some common forms of anti-harvesting practices.

Common Anti-Harvesting Techniques

 * Rate Limiting: this practice prevents bulk searching and data mining of the WHOIS database by limiting how many queries can be submitted within a certain period of time. After reaching the registrar mandated limit, search results are either not returned due to temporary blacklisting or in some cases, only select information is returned. For example, contact information may no longer be returned although other information is still retrieved. According to Carnegie Mellon University's recent Whois Misuse Study, rate limiting is one of the most common anti-harvesting techniques used by registrars. Donuts Inc., NetworkSolutions, and Nominet use rate limiting policies to guard against Whois abuse.
 * Note: if look-up limits are set "aggressively" low, they can create problems for well-intentioned users and ICANN's automatic Whois Monitoring Systems (WMS), resulting in notices from ICANN.
 * Read an example of Nominet's Whois Rate Limiting Policy
 * Privacy or Proxy Services: these services keep the registrant's personal contact data out of the WHOIS database by using the registar's or a third party's contact information instead; some services also screen spam before forwarding any messages received to the registrant. A Security and Stability Advisory Committee (SSAC) report revealed that using a privacy or proxy service decreased the number of spam messages a registrant received and found that it was more effective at reducing spam than using protective methods such as CAPTCHAs or rate limiting. Many popular registrars offer privacy or proxy services. Some provide the service at an additional charge such as Namecheap or refer the registrant to a partner service such as Godaddy. Additionally, some registrars provide privacy services free of charge, such as Public Domain Registry.
 * View a side by side comparison of contact information with or without privacy protection.
 * See an example of a free and simple privacy service used to reduce spam.
 * CAPTCHA or Completely Automated Public Turing Test To Tell Computers and Humans Apart: some registrars make users complete a CAPTCHA challenge before a Whois query can be entered in order to stop "automated collection of domain name records." Donuts Inc. and Namecheap incorporate CAPTCHAs in their Whois searches.
 * Examples and more information about CAPTCHAs can be found here.
 * Blacklisting: this practice permanently or temporarily stops users from searching a registrar's Whois database when using a certain IP address or domain name; permanent blacklisting is usually employed if the user is suspected of frequent Whois misuse.
 * Zone File Publication: according to an SSAC report, not publishing TLD zone files may decrease the risk of Whois abuse. However, ICANN contracts mandate that gTLDs publish their zone files, so this strategy can only be used by certain ccTLDs.

Public Perception
The Whois database has long been suspected of providing registrants' personal information to Internet scammers committing Whois Misuse. Recent studies tend to support this claim. The risk of providing personal information to what people may see as an insecure public database can lead to other types of Whois abuse such as using False Whois. Measures that can be taken by registrars or registries that seek to mitigate Whois abuse are generally supported, although more focused research should be done to see which methods of Whois protection are most effective.

Outcome
Whois anti-harvesting techniques seek to reduce Whois misuse, although their relative effectiveness has yet to be studied in depth except in regard to Spam.

Historical Use
Many registries utilize some type of Whois anti-harvesting technique, as exemplified above. Rate limiting seems to be common among registrars. However, the type of anti-harvesting mechanism used and its own specific parameters are set at the discretion of the registrar not by ICANN policy. So, some registrars' Whois data may be better protected than others. Of additional concern, some registrars that claim to use some form of Whois protection did not show any evidence of it during the recent Carnegie Mellon Whois Misuse Study. The study recognized that there are multiple possible explanations for this behavior.

ICANN Policy

 * 2013 Registry Agreement (RA): the updated RA specifies that registry operators provide "a WHOIS service available via port 43 in accordance with RFC 3912, and a web-­based Directory Service" that aligns with ICANN's specified format. This service should also include registrar who-is queries within the specified format. However, the RA does not specify any form of Whois protection.
 * 2013 Registrar Accreditation Agreement (RAA): the RAA also mandates that accredited registrars provide a Whois look-up service through port 43. It does not explicitly mention any endorsed Whois anti-harvesting techniques, although it does address the information that privacy or proxy services need to provide to satisfy Whois requirements.
 * A GNSO Consensus Policy could address the way registrars and registries combat Whois abuse problems; if such a policy was adopted by ICANN, it would become part of the RA and RAA.
 * An Expert Working Group (EWG) is also working on a proposal to replace the current Whois system with the Registration Directory System (RDS). The RDS may be able to better protect registrant data and could possibly make mining Whois data more difficult by creating a gated-access approach. This gating approach would make certain Whois information available to any query but would only give other more personal identifying information to those with authorization.

Legislation
At this time, there is no U.S. legislation addressing Whois Anti-Harvesting techniques or protection.

DNS Award
Awardees support the use of Whois anti-harvesting practices and other practices that protect registrants' privacy.

Additional Resources

 * Read the Carnegie Mellon Whois Misuse Study
 * View the SSAC's report: Is the WHOIS Service a Source for email Addresses for Spammers?
 * See an example of an ICANN Contractual Compliance Report on Port 43 Whois Access

Related Articles

 * Whois Misuse
 * Spam
 * False Whois