As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program

More effective than a botnet, more sweeping than a Denial-of-Service attack, ICANN has devised a deadly Weapon of Mass Destruction that can instantly render a entire online presence persona-non-grata regardless of how much redundancy, mitigation muscle-power or firewalls a hapless defender has deployed, this latest attack vector can take it all away, not with one click, but for lack of one….

The weapon is called Section 2 of ICANN’s new  “Whois Accuracy Data Specification” which is part of the new 2013 Registrar Accreditation Agreement:

Except as provided in Section 3 below, within fifteen (15) calendar days after receiving any changes to contact information in Whois or the corresponding customer account contact information related to any Registered Name sponsored by Registrar (whether or not Registrar was previously required to perform the validation and verification requirements set forth in this Specification in respect of such Registered Name), Registrar will validate and, to the extent required by Section 1, verify the changed fields in the manner specified in Section 1 above. If Registrar does not receive an affirmative response from the Registered Name Holder providing the required verification, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information.

What this means in plain english, is that any time you register a domain, transfer a domain or even update the whois contact info in a domain name, you now have to validate the contact info. If the registrant doesn’t do this within 15 days then the registrar must suspend the domain name.

We’ve seen perhaps the first high profile instance of this occurring today, with one of the largest football betting sites in the world, having been suspended for failing to validate their contact info:

no_domain_for_you This policy is mandatory for any registrars who have executed the 2013 ICANN RAA, so far Godaddy, Tucows and (apparently) 123Reg have done so.

NOTE: easyDNS has not yet executed the 2013 RAA, but we will later this year (we have to) so obviously, we’ll try to come up with a humane way of killing your websites when you dismiss the “verify your contact details” emails as obvious phishing attempts or spam.


The “suspended domain” page now says…

“This domain has been verified. It may take 24-48 hours to come back online.”

Nice! Imagine if this happens to Amazon. Or Google. Think anybody will mind?

 Update #2

This article was just reposted on HackerNews with some vigorous discussion. If I can sum up the problems with this in three broad points:

Number #1) It may not be a big deal to require a verification step in order for something to start working, however introducing a verification step out of the blue as a requirement for something to continue working is another matter entirely and almost setup to lose.

Number #2) People well versed in “internet stuff” train themselves and their clients to not click on links sent via email. Especially those purporting to be “contact verification emails”. Kind of like this Paypal phish I received moments ago:

We are writing you this email in regards to your PayPal account. In accordance with our “Terms and Conditions”, article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TSM6GI0DA54A

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.



Which came with a nice .zip attachment, I wonder what’s in that?

Further, those who are not versed in internet stuff will just go “dummy mode on” when these emails come and will probably ignore the the real ones and click on the fake ones.

This is an attack vector served up on a silver platter. All one has to do now is mine the whois database for domains recently updated and send them a fake “verification required” email with whatever payload you want.

Number #3) Like most attempts at regulations which (fail to) solve non-existent problems, they only make matters worse. Criminals don’t keep their whois records up to date. Forcing them to click on a link to verify a throw-away email address won’t eliminate cybercrime. So as usual, the people who will be most affected by this are honest rule followers who will find themselves suddenly cut off from the internet (see the experiences of Carl and Catherine in the comments section below to see how this actually plays out.)

Anybody familiar with the backstory behind this knows that policies like this were more about ICANN appeasing the Intellectual Property lobbies so they could roll out their precious new cashcows^w^w new TLDs than stopping cybercrime or holding anybody accountable for anything.


Further Reading:

14 thoughts on “As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program”

  1. Kevin Murphy says:

    In what sense is this an “attack vector”? Who’s carrying out the attack?

    • Mark Jeftovic says:

      Hey Kevin,

      Maybe I need to put <sarcasm> tags around the DOS part.

      What got me thinking along the DOS-analogy was that this first (of many to come, no doubt) victim was a sports betting site.

      If you look at the history of hosted DDoS mitigation, the entire sector was practically invented by the online gambling industry.

      So these guys spend vast amounts of money on redundancy, firewalls and mitigation, none of which does you any good if you’re down anyway because some new byzantine clerical procedure of highly questionable value can pull the plug on your entire business.

      Who needs a botnet? Just send somebody a forged WDRP notice and then sit back and wait.

      • W says:

        The title is link bait trash. The way you used it isn’t even sarcastic, it’s just wrong.

      • abestic9 says:

        @W, I don’t see it as link bait, or wrong. Anyone who would be willing to DDoS you would be willing to send a forged update, easily disabling your website at a fraction of the cost. “As Deadly as a DDoS” is an understatement, if anything.

  2. Jo says:

    Will this requirement kick in after any renewals as well?

    There really should be (proxy) Admin emails on domains that are set to whitelist only truly administrative and select senders, and forward them to the underlying Admin contact.

    It would be a great ‘gateway’ service into other secure email and identity products, once the domain administration ‘proof of concept’ aspect could demonstrate an effective use scenario…methinks

  3. Liam says:

    I bet they are completely unaware of how much distress they have caused to owners of web sites.

    This is an appallingly heavy handed response to a non-existent problem.

  4. Carl says:

    This is so annoying. I have lost my main email now, which my domain was using as the contact details.

    I though the email was a scam, so I ignored it. Now my website is down, along with my email so I cant send verification again. So I have been forced to get a stupid gmail account JUST to verifiy my domain.

    What a stupid policy. There are already plenty of tools one can use to recover a domain if they lose it for any reason.

    The internet needs to be decentralized and not at the mercy of ICANN. 48 hours with no email, I get job specs sent to me via email, I have friends and family email me. I have all my acocunts to my email, now I cant access any of it.

  5. Catherine says:

    I am so mad at this whole scheme. I got an email from 123-reg on 21 Jan 14 saying some businesses would be affected by ICANN changes, but you would receive an email to verify your website. I have definitely not received any further emails from 123 reg or ICANN, but my businesses website today went offline, along with all the office emails – hitting the ceiling with stress, frustration and anger would be an understatement. In 24 hrs I am travelling to a major industry exhibition where my website is promoted hugely as all further info is online- – it’s cost me into five figures for our pitch and staffing and just as I’m about to leave (and I’m busy enough getting ready for a major show) my website is chucked out by some idiots who didn’t even give me a chance to do anything before they did this… How are they allowed to get away with it!!! Running a business is hard enough – these stresses are not welcome!

  6. Peter okwach says:

    Hi call on ddos awareness.

  7. Guess says:

    This will teach any dumbass here to use 123reg and other shady sites like that. Use NameCheap if you don’t want to have issues.

    • Mark Jeftovic says:

      This is pretty independent of which registrar you use, any RAR who has signed the 2013 ICANN RAA is subject to this.

      Also, when it comes to Namecheap you should be aware that while they are ICANN accredited, they do all of their registrations via their eNom reseller credentials – so it’s actually eNom you have to look at to figure out if this policy affects your domains on Namecheap or not (has eNom signed the 2013 RAA? I don’t know offhand).

      But eventually it applies across the board, because all RARs have to sign it as their current RAA’s come up for renewal.

      • Yes, eNom are on the 2013 RAA. Pretty much all the North American registrars have signed on. Some, but far from all, of the European registrars have signed, but there are legal concerns there due to data privacy and ICANN’s inability to process waiver requests so that European registrars can safely sign the new RAA while being compliant with local data privacy law.

  8. jul says:

    Well, I have been seeing the process of legal claim from the inside of an ISP and also reading the RIPE ML on the topic.

    What makes you whine is an internet where people are accountable for what they do.

    Actual inaccuracy result in the cover of illegal activities of gvt and criminals. Resulting in the disruption of internet through activities such as spam, botnet, cyber attacks. So far, legitimate users are the victims of the inaccuracy, resulting in the excessive scaling of architecture to face the constant activities of inadequate behaviours of few actors not accountable. Customers pay 50% of their ISP connection to distribute spams, scams, malwares and being potentially harmed or spied by gvt.

    Lack of valid abuse address makes it also impossible to tell incompetent sysadmins they have openrelay, compromised servers… thus leveraging even more criminal and non legal gvt activities.

    Plus, it results in the fragmentation of BGP routing.

    So what you blatantly admit in this rant, is that it you are yourself pretty incompetent…

    • Mark Jeftovic says:

      This is possibly the first time in my life I’ve been accused of being against personal accountability for one’s actions. Most people think I’m too extreme on the personal responsibility side of things.

      What we are opposed to are byzantine regulations that not only do.not.solve the problem they are attempting to, but actually make things worse.

      Like most regulations (especially those imposed by governments and governing bodies) – they do nothing to address the bad actors and inflict poor consequences on those who are otherwise doing things by the book. (Do you think an actual cyber-criminal is actually going to update their whois record?)

Leave a Reply

Your email address will not be published. Required fields are marked *