[ppml] Draft for proposal for Whois AUP (fwd)

william at elan.net william at elan.net
Tue Mar 4 14:36:28 EST 2003


My response to previously posted email.

---------- Forwarded message ----------
Date: Mon, 3 Mar 2003 09:32:08 -0800 (PST)
From: william at elan.net
To: spammaster <spammaster at spamx.com>
Subject: Re: [ppml] Draft for proposal for Whois AUP

This email went to me directly. Do you want me to post your comments on 
the email list and answer them there as well? 

I did think of most of what you said when creating this proposal, and as 
a matter of fact I also run a whois redirection service that does very 
frequent queries to ARIN and that is also used fairly often for anti-spam 
reports, so I've a pretty good idea what it's all about. 

Everything else is inline:

> > "The ARIN Whois Data is for Internet operations and technical research
> > purposes pertaining to Internet Operations only. It may not be used for
> > advertising, direct marketing, marketing research or similar purposes. Use
> > of ARIN whois data for these activities is explicitly forbidden. ARIN
> > requests to be notified
> > of any such activities or suspicions thereof.
> To this I can agree in principle however, the "suspicions thereof" part
> makes me rather nervous lest we enter another "McCarthy" era...
The above text was taken word-for-word from current ARIN bulk whois AUP. I 
have some suspicions about what you call "McCarthy" era, but did not think 
it's that important to change currently accepted AUP. I did think it's 
strange that AUP only applied to those who got arin database as a whole 
and nobody else could even find what it is.
 
> > ARIN reserves the right to restrict access to the whois database in its
> > sole discretion to ensure operational stability. ARIN may restrict or
> > terminate your access to the whois database for failure to abide by these
> > terms of use."
> 
> Same as above.
This text was taken from Verisign AUP for .com/.net/.org registry. It does 
not represent anything different than what ARIN already does - they limit 
access when you query it too much.
 
> > 2. Access to whois data with individual queries (such as by using whois
> > protocol) must in the output either include entire 'ARIN Whois Acceptable
> > Use Policy' in the comments
> 
> Please put them at THE BOTTOM of the output
The above was meant to be used for protocols other than whois where it 
has special field for sending out AUP comments as part of the output. For 
general whois, maximum that ARIN community would accept is one line with 
a link to policy. This was already slightly discussed on last ARIN 
meeting where I first mentioned need for whois AUP.

> > or provide a one-line statement that data is
> > provided and can only be used according to 'ARIN Whois Acceptable Use
> > Policy' with a link to where the policy is published on ARIN website.
> 
> This would be more acceptable as the ENTIRE policy is going to chew up
> bandwidth and whois access needs to be relatively instantaneous in some
> cases - particularly mine as described in further detail below.
See above.

> > 
> > 3. High frequency individual query access
> 
> This needs to be defined in excruciating detail - I run an ANTI-spam program
> that accesses the arin database regularly [every 5 minutes is the default
> check interval, it only accesses arin data when spam is detected, however,
> there may be more than one spam during any given check as this junk seems to
> come in waves, as it were].  What you are saying, if implemented, may
> disable what I am trying to do which is to eliminate spam.  My program uses
> arin data to determine contact addresses to which to email spam reports and
> does it on the inbound side to speed the user interface - Your proposal, in
> this particular regard, stands to eliminate my ability [my program's
> ability] to properly determine reporting addresses.  I already implemented a
> caching feature in the software over a year ago to reduce the number of
> accesses to the various whois servers of which arin is one however, as
> spammers jump from IP to IP on a regular basis, there is NO caching scheme
> that can possibly guarantee the software will not be required to access
> whois data at some sort of the "high frequency" to which you allude.  Check
> http://www.spamx.com for additional details on the software.
Perhaps I should explain. What I meant is that if ARIN feels that access
to their database from particular source is too often and they begin
to put limits (and this happened to my service actually - before change 
to new ARIN database, old whois was slower and I was hitting their 
limits) and you do not like those limits and want unrestricted access, 
then you need to go to arin and sign AUP and you get unrestricted access 
same as you would if you were to get their entire database from time to time.

One of the ideas is to try to move some of the services like yours or mine 
into working with ARIN and actually getting their entire database in bulk 
form, this is easier on ARIN and puts less strain on their whois servers.
This has not been popular before because ARIN required to sign their 
agreement each time you want to get bulk copy of the database, so doing so 
on regular basis was impossible.

> > and access to either entire
> > whois database or large portion of it must be provided with authentication
> > to persons and organizations authorized by ARIN. These organizations
> 
> JUST organizations or PERSONS as well!?
Good point. I'll modify the draft. 

> If each and every PERSON who wishes
> to perform a whois query needs to SIGN some form of agreement the paperwork
> load will be indescribable.  We cannot keep the Internet running with such
> draconian measures and let us NOT make arin and the other RIRs like the IRS
> in the U.S., please and thank you very much.
Only people who do queries so often that they hit ARIN's limits would be 
affected. See comments above. Everybody else is still bound by the AUP but 
need not sign it.

> > must 
> > sign 'Acceptable Use Policy for Bulk Copies of ARIN Whois Data' agreement
> > which shall include 'Whois Acceptable Use Policy' and additional statement
> > that
> > 
> > "Redistributing bulk ARIN Whois Data is explicitly forbidden. It is
> > permissible to publish data on an individual query or small number of
> > queries at a time basis as long as reasonable precautions are taken to
> > prevent automated querying by database harvesters"
> 
> This requires some strict definition with regard to "automated querying".
> It is, at best, extremely problematic.
The above text was taken word-for-word from ARIN bulk-whois agreement, so 
again it's generally acceptable to current community. This text may not be 
perfect but idea is that you would use the same precautions as ARIN to 
prevent grabbing of entire database without agreeing on AUP. 

I also considered adding there that access to ARIN database on other 
website must be in accordance with ARIN AUP. I.E. If you have your own AUP 
it must be similar to ARIN's one and specific that use of information for 
marketing, etc is not allowed.

> > Organizations that need access to ARIN whois data on regular basis may be
> > required to resubmit the agreement on monthly basis at which time
> > authentication settings may need to be changed.
> Once again, just WHO is going to handle the paperwork and WHO is going to
> $PAY$ for it!?
You're going to handle paperwork if you need unrestricted access. On ARIN 
side, it may be more work for them, but I don't think expense is too high 
and will not be noticeable compared to everything else they do.

> Bear in mind as well that spammers also harvest email addresses from mailto:
> links on websites, make up addresses from domain names, get them from a
> number of other sources, don't care whether they bounce or not and this
> proposal will do little to stop any of that, little to stop spammers
> harvesting addresses from whois data and, most likely, do a great deal to
> eliminate legitimate use of whois data by the rest of us who are trying to
> use the Internet in a proper manner.
I'm aware of all that. I'm also aware that there are spammers that don't 
care about laws and there are "marketing organizations" that seem to 
operate on legitimate basis and would not violate AUP if it exists. And 
to this day, quite a number of these organizations, particularly those 
targeting ISPs and selling lists of ISPs to vendors would go to ARIN, 
get the data (by single queries, but they could get entire database in 
2-3 days) and then sell the info to a vendor. I've directly correlated some 
calls from vendors with data published at ARIN.
 
> How about we devote our energies in the spamfighting arena to raising the
> awareness level of ISPs to their open relays and, particularly, OPEN
> PROXIES, which have become so popular to the spammers recently?  My program
> relies on access to whois data in order to do exactly that!
The above are really not things ARIN should or can do anything about.
I would however suggest you join asrg at ietf.org email list which was just 
set up to discuss ways to stop spam, but that list is meant to work on 
technical solutions and your comment is more of operational one and would 
need to be discussed possibly at nanog or other lists that ISPs participate in.

> Thanks for listening.
Sure. I'm on so many anti-spam mailing lists that I've heard this all before.
But this proposal is for ARIN and I have to think about what would be 
acceptable to ARIN community.

-- 
William Leibzon
Elan Communications Inc. 
william at elan.net



