As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program

[ Sorry about the original title - I probably should have given it a second thought - markjr ]

More effective than a botnet, more sweeping than a Denial-of-Service attack, ICANN has devised a deadly Weapon of Mass Destruction that can instantly render an entire online presence persona non grata. Regardless of how much redundancy, mitigation muscle-power or firewalls a hapless defender has deployed, this latest attack vector can take it all away, not with one click, but for lack of one….

The weapon is called Section 2 of ICANN's new "Whois Accuracy Data Specification" which is part of the new 2013 Registrar Accreditation Agreement:

Except as provided in Section 3 below, within fifteen (15) calendar days after receiving any changes to contact information in Whois or the corresponding customer account contact information related to any Registered Name sponsored by Registrar (whether or not Registrar was previously required to perform the validation and verification requirements set forth in this Specification in respect of such Registered Name), Registrar will validate and, to the extent required by Section 1, verify the changed fields in the manner specified in Section 1 above. If Registrar does not receive an affirmative response from the Registered Name Holder providing the required verification, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information.

What this means in plain English is that any time you register a domain, transfer a domain or even update the whois contact info in a domain name, you now have to validate the contact info. If the registrant doesn't do this within 15 days then the registrar must suspend the domain name.

We've seen perhaps the first high-profile instance of this occurring today, with one of the largest football betting sites in the world having been suspended for failing to validate their contact info:

This policy is mandatory for any registrars who have executed the 2013 ICANN RAA; so far GoDaddy, Tucows and (apparently) 123Reg have done so.

NOTE: easyDNS has not yet executed the 2013 RAA, but we will later this year (we have to) so obviously, we'll try to come up with a humane way of killing your websites when you dismiss the "verify your contact details" emails as obvious phishing attempts or spam.


The "suspended domain" page now says…

"This domain has been verified. It may take 24-48 hours to come back online."

Nice! Imagine if this happens to Amazon. Or Google. Think anybody will mind?

Update #2

This article was just reposted on HackerNews with some vigorous discussion. If I can sum up the problems with this in three broad points:

Number #1) It may not be a big deal to require a verification step in order for something to start working; however, introducing a verification step out of the blue as a requirement for something to continue working is another matter entirely, and is almost set up to lose.

Number #2) People well versed in "internet stuff" train themselves and their clients to not click on links sent via email, especially those purporting to be "contact verification emails". Kind of like this PayPal phish I received moments ago:

We are writing you this email in regards to your PayPal account. In accordance with our "Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.
Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TSM6GI0DA54A

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.



Which came with a nice .zip attachment, I wonder what's in that?

Further, those who are not versed in internet stuff will just go "dummy mode on" when these emails come and will probably ignore the real ones and click on the fake ones.

This is an attack vector served up on a silver platter. All one has to do now is mine the whois database for domains recently updated and send them a fake "verification required" email with whatever payload you want.

Number #3) Like most attempts at regulations which (fail to) solve non-existent problems, they only make matters worse. Criminals don't keep their whois records up to date. Forcing them to click on a link to verify a throw-away email address won't eliminate cybercrime. So as usual, the people who will be most affected by this are honest rule followers who will find themselves suddenly cut off from the internet (see the experiences of Carl and Catherine in the comments section below to see how this actually plays out.)

Anybody familiar with the backstory behind this knows that policies like this were more about ICANN appeasing the Intellectual Property lobbies so they could roll out their precious new cashcows^w^w new TLDs than stopping cybercrime or holding anybody accountable for anything.

14 Comments to As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program

  1. January 21, 2014 at 7:46 pm

    In what sense is this an "attack vector"? Who's carrying out the attack?

  2. Jo
    January 22, 2014 at 1:56 am

    Will this requirement kick in after any renewals as well?

    There really should be (proxy) Admin emails on domains that are set to whitelist only truly administrative and select senders, and forward them to the underlying Admin contact.

    It would be a great 'gateway' service into other secure email and identity products, once the domain administration 'proof of concept' aspect could demonstrate an effective use scenario…methinks

  3. January 22, 2014 at 2:27 pm

    I bet they are completely unaware of how much distress they have caused to owners of web sites.

    This is an appallingly heavy handed response to a non-existent problem.

  4. January 24, 2014 at 8:05 pm

    This is so annoying. I have lost my main email now, which my domain was using as the contact details.
    I thought the email was a scam, so I ignored it. Now my website is down, along with my email so I can't send verification again. So I have been forced to get a stupid Gmail account JUST to verify my domain.
    What a stupid policy. There are already plenty of tools one can use to recover a domain if they lose it for any reason.
    The internet needs to be decentralized and not at the mercy of ICANN. 48 hours with no email, I get job specs sent to me via email, I have friends and family email me. I have all my accounts to my email, now I can't access any of it.

  5. February 1, 2014 at 4:21 pm

    I am so mad at this whole scheme. I got an email from 123-reg on 21 Jan 14 saying some businesses would be affected by ICANN changes, but you would receive an email to verify your website. I have definitely not received any further emails from 123 reg or ICANN, but my business's website today went offline, along with all the office emails – hitting the ceiling with stress, frustration and anger would be an understatement. In 24 hrs I am travelling to a major industry exhibition where my website is promoted hugely as all further info is online – it's cost me into five figures for our pitch and staffing and just as I'm about to leave (and I'm busy enough getting ready for a major show) my website is chucked out by some idiots who didn't even give me a chance to do anything before they did this… How are they allowed to get away with it!!! Running a business is hard enough – these stresses are not welcome!

  6. Peter okwach
    February 10, 2014 at 12:10 am

    Hi call on ddos awareness.

  7. Guess
    March 16, 2014 at 9:29 pm

    This will teach any dumbass here to use 123reg and other shady sites like that. Use NameCheap if you don't want to have issues.

  8. jul
    March 16, 2014 at 11:07 pm

    Well, I have been seeing the process of legal claim from the inside of an ISP and also reading the RIPE ML on the topic.

    What makes you whine is an internet where people are accountable for what they do.

    Actual inaccuracy results in the cover of illegal activities of gvt and criminals. Resulting in the disruption of internet through activities such as spam, botnets, cyber attacks. So far, legitimate users are the victims of the inaccuracy, resulting in the excessive scaling of architecture to face the constant activities of inadequate behaviours of few actors not accountable. Customers pay 50% of their ISP connection to distribute spam, scams, malware and being potentially harmed or spied on by gvt.

    Lack of valid abuse address makes it also impossible to tell incompetent sysadmins they have open relays, compromised servers… thus leveraging even more criminal and non legal gvt activities.

    Plus, it results in the fragmentation of BGP routing.

    So what you blatantly admit in this rant, is that you are yourself pretty incompetent…
