[ppml] Draft for proposal for Whois AUP (fwd)

william at elan.net william at elan.net
Tue Mar 4 14:27:49 EST 2003


I've received permission from the author of this email to post it on the mailing
list. He has important comments regarding the proposal which I think must 
be mentioned on ppml. I'll forward my response in the next email.

---------- Forwarded message ----------
Date: Mon, 03 Mar 2003 11:49:48 -0700
From: spammaster <spammaster at spamx.com>
To: william at elan.net
Subject: Re: [ppml] Draft for proposal for Whois AUP

Please see comments below...
--
Jeff
SpamX support 
support at spamx.com 

{
  NoList(); 
  NoSPAM();
}


> From: william at elan.net
> Date: Mon, 3 Mar 2003 06:57:46 -0800 (PST)
> To: ppml at arin.net
> Cc: dbwg at arin.net
> Subject: [ppml] Draft for proposal for Whois AUP
> 
> I have draft ready for my last proposal - this is to change current bulk
> whois data only AUP to general Whois AUP. It requires for all whois
> queries (no matter what protocol - which is meant to include rwhois, ldap,
> protocol developed by crisp WG or any other protocol that ARIN may want to
> use) to include a link to whois aup and for those that need access to
> entire data (including through ftp but also including other means such as
> cdrom, etc) to have to sign bulk whois aup agreement (as is done already)
> but does allow that once signed same access can be used more than one
> time with new agreement having to be signed after one month.
> 
> The draft is available at:
> http://www.elan.net/~william/arin_proposal_whois_aup.htm
> 
> Please comment what needs to be included in AUP, what needs to be changed
> in the draft, etc. etc. I'll submit this as actual proposal no later than
> Friday and if no substantial comments are received then on Wednesday.
> 
> Here is a text version of the current draft:
> ---------------------------------------------------------------------
> 
> This proposal changes current Bulk Whois Acceptable Use Policy to become
> general Whois Acceptable Use policy that would apply to all whois queries.
> 
> In particular:
> 
> 1. A new acceptable use policy called "Whois Acceptable Use Policy" is to
> be published on ARIN website as follows:
> 
> "The ARIN Whois Data is for Internet operations and technical research
> purposes pertaining to Internet Operations only. It may not be used for
> advertising, direct marketing, marketing research or similar purposes. Use
> of ARIN whois data for these activities is explicitly forbidden. ARIN
> requests to be notified of any such activities or suspicions thereof.

To this I can agree in principle however, the "suspicions thereof" part
makes me rather nervous lest we enter another "McCarthy" era...

> ARIN reserves the right to restrict access to the whois database in its
> sole discretion to ensure operational stability. ARIN may restrict or
> terminate your access to the whois database for failure to abide by these
> terms of use."

Same as above.

> 
> 2. Access to whois data with individual queries (such as by using whois
> protocol) must in the output either include entire 'ARIN Whois Acceptable
> Use Policy' in the comments

Please put them at THE BOTTOM of the output

> or provide a one-line statement that data is
> provided and can only be used according to 'ARIN Whois Acceptable Use
> Policy' with a link to where the policy is published on ARIN website.

This would be more acceptable as the ENTIRE policy is going to chew up
bandwidth and whois access needs to be relatively instantaneous in some
cases - particularly mine as described in further detail below.

> 
> 3. High frequency individual query access

This needs to be defined in excruciating detail - I run an ANTI-spam program
that accesses the arin database regularly [every 5 minutes is the default
check interval, it only accesses arin data when spam is detected, however,
there may be more than one spam during any given check as this junk seems to
come in waves, as it were].  What you are saying, if implemented, may
disable what I am trying to do which is to eliminate spam.  My program uses
arin data to determine contact addresses to which to email spam reports and
does it on the inbound side to speed the user interface - Your proposal, in
this particular regard, stands to eliminate my ability [my program's
ability] to properly determine reporting addresses.  I already implemented a
caching feature in the software over a year ago to reduce the number of
accesses to the various whois servers of which arin is one however, as
spammers jump from IP to IP on a regular basis, there is NO caching scheme
that can possibly guarantee the software will not be required to access
whois data at some sort of the "high frequency" to which you allude.  Check
http://www.spamx.com for additional details on the software.

> and access to either entire
> whois database or large portion of it must be provided with authentication
> to persons and organizations authorized by ARIN. These organizations

JUST organizations or PERSONS as well!?  If each and every PERSON who wishes
to perform a whois query needs to SIGN some form of agreement the paperwork
load will be indescribable.  We cannot keep the Internet running with such
draconian measures and let us NOT make arin and the other RIRs like the IRS
in the U.S., please and thank you very much.

> must 
> sign 'Acceptable Use Policy for Bulk Copies of ARIN Whois Data' agreement
> which shall include 'Whois Acceptable Use Policy' and additional statement
> that
> 
> "Redistributing bulk ARIN Whois Data is explicitly forbidden. It is
> permissible to publish data on an individual query or small number of
> queries at a time basis as long as reasonable precautions are taken to
> prevent automated querying by database harvesters"

This requires some strict definition with regard to "automated querying".
It is, at best, extremely problematic.

> 
> Organizations that need access to ARIN whois data on regular basis may be
> required to resubmit the agreement on monthly basis at which time
> authentication settings may need to be changed.

Once again, just WHO is going to handle the paperwork and WHO is going to
$PAY$ for it!?

> 
Bear in mind as well that spammers also harvest email addresses from mailto:
links on websites, make up addresses from domain names, get them from a
number of other sources, don't care whether they bounce or not and this
proposal will do little to stop any of that, little to stop spammers
harvesting addresses from whois data and, most likely, do a great deal to
eliminate legitimate use of whois data by the rest of us who are trying to
use the Internet in a proper manner.

How about we devote our energies in the spamfighting arena to raising the
awareness level of ISPs to their open relays and, particularly, OPEN
PROXIES, which have become so popular to the spammers recently?  My program
relies on access to whois data in order to do exactly that!

Thanks for listening.




