[ppml] Draft for proposal for Whois AUP (fwd)

[william at elan.net]

> 
> Too bad it's impractical to allow exceptions for frequent use.  I
> certainly understand what the author is trying to accomplish, yet I see
> yours and other valid uses.
That is exactly what proposal is trying to address. The idea is to 
establish procedures to allow those wo do very frequent queries to be able 
to do it without limits (by signing bulk whois aup and then ARIN would 
setup special whois server for that "frequent" use and that special 
server would only answer queries from specific ips - so ip would server 
as authentication, plus ARIN would get good statistical data on what 
these queries are about and from which of the services run by others) or 
better yet to move them to just getting entire database as bulk on 
regular basis. I'll move to the latter category if I could get bulk whois 
data at least twice a week and did not have to sign a bulk whois 
agreement each time.
 
> It seems to me that despite all the evil that can be done with the
> information it's only asking for trouble to limit access to the data.
Proposal does not put additional limits (other then use its if its against 
AUP) it lists what ARIN does already - that if load on ARIN's whois 
servers is too high, ARIN mayu refuse the queries.

> I also see it as a losing cause trying to enforce an AUP on a regular
> basis.  It certainly doesn't hurt to have one, but except in some rare
> cases where there are serious repeat offenders it's not going to
> accomplish much.
First of all I think that even if 10% of marketing is stopped by AUP its 
already is not a lost cause. And I think there is quite a bit more then 
10% that would be accoplished. Email addresses are not taken from ARIN's 
whois quite as often as from regular domain whois or other places (this is 
based on amount of spam I receive), on the other hand they are used by ISP 
directed marketing a lot more often (because its easy to establish which 
contacts are for ISPs - those that are allocated and may have its own 
assignments), most companies involved in ISP marketing are not hit-run 
companies and would not intentionally violate an AUP if it existed. In 
addition to that some competitor ISPs are also known to have used ARIN's 
data to market their services to customers of ISP that may have problem in 
particular area or just when then establish a POP in new area and are 
trying to get new customers there; these kind of marketing would be 
stopped by AUP almost completely as these companies are ISPs, often 
members of ARIN and are least likely to want to violate its AUP.

> Mury
> 
> On Tue, 4 Mar 2003 william at elan.net wrote:
> 
> > I'v received permission from author of this email to post it on the mailing
> > list. He has important comments regarding the proposal which I think must
> > be mentioned on ppml. I'll see forward my response in next next email.
> >
> > ---------- Forwarded message ----------
> > Date: Mon, 03 Mar 2003 11:49:48 -0700
> > From: spammaster <spammaster at spamx.com>
> > To: william at elan.net
> > Subject: Re: [ppml] Draft for proposal for Whois AUP
> >
> > Please see comments below...
> > --
> > Jeff
> > SpamX support
> > support at spamx.com
> >
> > {
> >   NoList();
> >   NoSPAM();
> > }
> >
> >
> > > From: william at elan.net
> > > Date: Mon, 3 Mar 2003 06:57:46 -0800 (PST)
> > > To: ppml at arin.net
> > > Cc: dbwg at arin.net
> > > Subject: [ppml] Draft for proposal for Whois AUP
> > >
> > > I have draft read for my last proposal - this is to change current bulk
> > > whois data only AUP to general Whois AUP. It requires for all whois
> > > queries (no matter what protocol - which is meant to include rwhois, ldap,
> > > protocol developed by crisp WG or any other protocal that ARIN may want to
> > > use) to include a link to whois aup and for those that need access to
> > > entire data (including through ftp but also including other means such as
> > > cdrom, etc) to have to sign bulk whois aup agreement (as is done already)
> > > but does allow that once signed same access can be used more then one
> > > time with new agreement having to be signed after one month.
> > >
> > > The draft is available at:
> > > http://www.elan.net/~william/arin_proposal_whois_aup.htm
> > >
> > > Please comment what needs to be included in AUP, what needs to be changed
> > > in the draft, etc. etc. I'll submit this as actual proposal no later then
> > > Friday and if no substantial comments are received then on Wednesday.
> > >
> > > Here is a text version of the current draft:
> > > ---------------------------------------------------------------------
> > >
> > > This proposal changes current Bulk Whois Acceptable Use Policy to become
> > > general Whois Acceptable Use policy that would apply to all whois queries.
> > >
> > > In particular:
> > >
> > > 1. A new acceptable use policy called "Whois Acceptable Use Policy" is to
> > > be published on ARIN website as follows:
> > >
> > > "The ARIN Whois Data is for Internet operations and technical research
> > > purposes pertaining to Internet Operations only. It may not be used for
> > > advertising, direct marketing, marketing research or similar purposes. Use
> > > of ARIN whois date for these activities is explicitly forbidden. ARIN
> > > requests to be notified
> > > of any such activities or suspicions thereof.
> > To this I can agree in principle however, the "suspicions thereof" part
> > makes me rather nervous lest we enter another "McCarthy" era...
> >
> > > ARIN reserves the right to restrict access to the whois database in its
> > > sole discretion to ensure operational stability. ARIN may may restrict or
> > > terminate your access to the whois database for failure to abide by these
> > > terms of use."
> >
> > Same as above.
> >
> > >
> > > 2. Access to whois data with individual queries (such as by using whois
> > > protocol) must in the output either include entire 'ARIN Whois Acceptable
> > > Use Policy' in the comments
> >
> > Please put them at THE BOTTOM of the output
> >
> > > or provide a one-line statement that data is
> > > provided and can only be used according to 'ARIN Whois Acceptable Use
> > > Policy' with a link to where the policy is published on ARIN website.
> >
> > This would be more acceptable as the ENTIRE policy is going to chew up
> > bandwidth and whois access needs to be relatively instantaneous in some
> > cases - particularly mine as described in further detail below.
> >
> > >
> > > 3. High frequency individual query access
> >
> > This needs to be defined in excruciating detail - I run an ANTI-spam program
> > that accesses the arin database regularly [every 5 minutes is the default
> > check interval, it only accesses arin data when spam is detected, however,
> > there may be more than one spam during any given check as this junk seems to
> > come in waves, as it were].  What you are saying, if implemented, may
> > disable what I am trying to do which is to eliminate spam.  My program uses
> > arin data to determine contact addresses to which to email spam reports and
> > does it on the inbound side to speed the user interface - Your proposal, in
> > this particular regard, stands to eliminate my ability [my program's
> > ability] to properly determine reporting addresses.  I already implemented a
> > caching feature in the software over a year ago to reduce the number of
> > accesses to the various whois servers of which arin is one however, as
> > spammers jump from IP to IP on a regular basis, there is NO caching scheme
> > that can possibly guarantee the software will not be required to access
> > whois data at some sort of the "high frequency" to which you allude.  Check
> > http://www.spamx.com for additional details on the software.
> >
> > > and access to either entire
> > > whois database or large portion of it must be provided with authentication
> > > to persons and organizations authorized by ARIN. These organizations
> >
> > JUST organizations or PERSONS as well!?  If each and every PERSON who wishes
> > to perform a whois query needs to SIGN some form of agreement the paperwork
> > load will be indescribable.  We cannot keep the Internet running with such
> > draconian measures and let us NOT make arin and the other RIRs like the IRS
> > in the U.S., please and thank you very much.
> >
> > > must
> > > sign 'Acceptable Use Policy for Bulk Copies of ARIN Whois Data' agreement
> > > which shall include 'Whois Acceptable Use Policy' and additional statement
> > > that
> > >
> > > "Redistributing bulk ARIN Whois Data is explicitly forbidden. It is
> > > permissible to publish data on an individual query or small number of
> > > queries at a time basis as long as reasonable precautions are taken to
> > > prevent automated querying by database harvesters"
> >
> > This requires some strict definition with regard to "automated querying".
> > It is, at best, extremely problematic.
> >
> > >
> > > Organizations that need access to ARIN whois data on regular basis maybe
> > > required to resubmit the agreement on monthly basis at which time
> > > authentication settings may need to be changed.
> > Once again, just WHO is going to handle the paperwork and WHO is going to
> > $PAY$ for it!?
> >
> > >
> > Bear in mind as well that spammers also harvest email addresses from mailto:
> > links on websites, make up addresses from domain names, get them from a
> > number of other sources, don't care whether they bounce or not and this
> > proposal will do little to stop any of that, little to stop spammers
> > harvesting addresses from whois data and, most likely, do a great deal to
> > eliminate legitimate use of whois data by the rest of us who are trying to
> > use the Internet in a proper manner.
> >
> > How about we devote our energies in the spamfighting arena to raising the
> > awareness level of ISPs to their open relays and, particularly, OPEN
> > PROXIES, which have become so popular to the spammers recently?  My program
> > relies on access to whois data in order to do exactly that!
> >
> > Thanks for listening.
> >
> >