In message <20040929014242.GD5188(a)stateless>, Nicholas Lee writes:
> How about restricting access to whois information via a registration-required web interface, rate limit access dependent on GeoIP location, and make it difficult for scripts.
The New Zealand whois interface is already rate limited (as David mentioned). Taking away the traditional whois interface again (Domainz didn't provide it for a long time) and replacing it with a web interface will reduce the ability for legitimate users to use the traditional tools to look up information (which may be integrated into their workflow). But it won't make it any more difficult for someone who is determined to extract the information from the whois database; HTTP libraries are just as available as TCP/IP connection libraries these days.

If you put in a registration step, then again you make it more difficult for someone who is legitimately trying to look up information without really making it more difficult for a scripted solution.

If you add a "type in the text from this distorted image" step (eg, a captcha), then there is a proven workaround for such things -- you offer free pr0n to anyone that decodes one of those images, then feed the result back into the system. It's unlikely there'll ever be a short supply of people wanting free pr0n.

If you "randomize" the output of the whois information, then you make the service more difficult for legitimate users to use, but again nothing that's particularly hard for a scraping script to work around (if the output is programmatically generated then it's almost always programmatically parsable, particularly if you only want a subset of the information and aren't too concerned about false parsing).

Besides which, only one scammer (or enterprising supplier of scammers) needs to extract this information; it can be sold or reused for quite a while after it's extracted. The "useful lifetime" of the information is probably in the order of 6-12 months, and if you get a few "good" scams through in that time, the effort to extract it easily pays off.
Since most of the scams that have been effective have been paper-based, and since the main operational need is for an email contact or a phone number contact, possibly the most productive thing to do is review whether the physical address information is made available (by default).

But ultimately I think that so long as there's money to be made (and gullible people available to be scammed), such things will continue to happen almost irrespective of how difficult one tries to make it to obtain the information -- at least up to the point where legitimate users have long since given up trying to use the service. And it's not always a good idea to substantially interfere with legitimate use just because of a small amount of illegitimate use.

Ewen