As Deadly as a DDoS: ICANN Unleashes the Whois Accuracy Program

More effective than a botnet, more sweeping than a Denial-of-Service attack, ICANN has devised a deadly Weapon of Mass Destruction that can instantly render an entire online presence persona non grata. Regardless of how much redundancy, mitigation muscle-power or firewalls a hapless defender has deployed, this latest attack vector can take it all away, not with one click, but for lack of one…

The weapon is called Section 2 of ICANN’s new “Whois Accuracy Data Specification”, which is part of the new 2013 Registrar Accreditation Agreement:

Except as provided in Section 3 below, within fifteen (15) calendar days after receiving any changes to contact information in Whois or the corresponding customer account contact information related to any Registered Name sponsored by Registrar (whether or not Registrar was previously required to perform the validation and verification requirements set forth in this Specification in respect of such Registered Name), Registrar will validate and, to the extent required by Section 1, verify the changed fields in the manner specified in Section 1 above. If Registrar does not receive an affirmative response from the Registered Name Holder providing the required verification, Registrar shall either verify the applicable contact information manually or suspend the registration, until such time as Registrar has verified the applicable contact information.

What this means in plain English is that any time you register a domain, transfer a domain or even update the whois contact info in a domain name, you now have to validate the contact info. If the registrant doesn’t do this within 15 days, then the registrar must suspend the domain name.

We’ve seen perhaps the first high-profile instance of this occurring today, with one of the largest football betting sites in the world having been suspended for failing to validate their contact info:

This policy is mandatory for any registrars who have executed the 2013 ICANN RAA; so far GoDaddy, Tucows and (apparently) 123Reg have done so.

NOTE: easyDNS has not yet executed the 2013 RAA, but we will later this year (we have to) so obviously, we’ll try to come up with a humane way of killing your websites when you dismiss the “verify your contact details” emails as obvious phishing attempts or spam.


The “suspended domain” page now says…

“This domain has been verified. It may take 24-48 hours to come back online.”

Nice! Imagine if this happens to Amazon. Or Google. Think anybody will mind?

Update #2

This article was just reposted on HackerNews with some vigorous discussion. If I can sum up the problems with this in three broad points:

Number #1) It may not be a big deal to require a verification step in order for something to start working. However, introducing a verification step out of the blue as a requirement for something to continue working is another matter entirely, and almost set up to lose.

Number #2) People well versed in “internet stuff” train themselves and their clients to not click on links sent via email, especially those purporting to be “contact verification emails”. Kind of like this PayPal phish I received moments ago:

We are writing you this email in regards to your PayPal account. In accordance with our “Terms and Conditions”, article 3.2., we would like to kindly ask you to confirm your identity by completing the attached form.

Please print this form and fill in the requested information. Once you have filled out all the information on the form please send it to along with a personal identification document (identity card, driving license or international passport) and a proof of address submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TSM6GI0DA54A

For your protection, we might limit your account access. We apologize for any inconvenience this may cause.



Which came with a nice .zip attachment. I wonder what’s in that?

Further, those who are not versed in internet stuff will just go “dummy mode on” when these emails come and will probably ignore the real ones and click on the fake ones.

This is an attack vector served up on a silver platter. All one has to do now is mine the whois database for domains recently updated and send them a fake “verification required” email with whatever payload you want.

Number #3) Like most attempts at regulation which (fail to) solve non-existent problems, this one only makes matters worse. Criminals don’t keep their whois records up to date. Forcing them to click on a link to verify a throw-away email address won’t eliminate cybercrime. So as usual, the people who will be most affected by this are honest rule-followers who will find themselves suddenly cut off from the internet (see the experiences of Carl and Catherine in the comments section below to see how this actually plays out).

Anybody familiar with the backstory behind this knows that policies like this were more about ICANN appeasing the Intellectual Property lobbies so they could roll out their precious new cashcows^w^w new TLDs than stopping cybercrime or holding anybody accountable for anything.

