[weirds] Domain Reputation in RDAP

"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 02 December 2015 16:07 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: weirds@ietfa.amsl.com
Delivered-To: weirds@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E5811AD0CB for <weirds@ietfa.amsl.com>; Wed, 2 Dec 2015 08:07:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id criUhXP4ABLJ for <weirds@ietfa.amsl.com>; Wed, 2 Dec 2015 08:07:40 -0800 (PST)
Received: from mail-oi0-x262.google.com (mail-oi0-x262.google.com [IPv6:2607:f8b0:4003:c06::262]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 403801ACDD0 for <weirds@ietf.org>; Wed, 2 Dec 2015 08:07:38 -0800 (PST)
Received: by oiww189 with SMTP id w189so2914400oiw.2 for <weirds@ietf.org>; Wed, 02 Dec 2015 08:07:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:thread-topic:thread-index:date:message-id :accept-language:content-language:content-type :content-transfer-encoding:mime-version; bh=RtuCVRc2wUC0mDnMYGcUUF5FUIJr4f4NVdRSwNg/Oeg=; b=UuLhhaOlztOIelPvDOLFWPoSN8iZtaE68OlypkGofVihdSh4WoNHuckB7x5hkX1tMm G4yQPw/Rqyfeuho1U7wDBtOXO2ISbMFWJgA0U42X3urkJ+vmooByGi6X2ERb6ZfJdvRj 2m7ogxLH28jmEEHWe0FmBThtFHUf9p5orSQSI3yJGQOsFr7dY4WlZQ+jqCwr8x30PZhR k1Q72uZOqdJ+yto1UuQbLWNzAbvPLA7DEvW5L9n76et8QoUwDuEDG6INcj6DSfPWDmpH B3WUPvLBrvI3rOAn/tuOcm/Og8lP0DDILsk5sI/DJWMv5EpDU+/70vQVgkucrZTFUmJi o0Mg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:accept-language:content-language:content-type :content-transfer-encoding:mime-version; bh=RtuCVRc2wUC0mDnMYGcUUF5FUIJr4f4NVdRSwNg/Oeg=; b=h1pI56ui9N+eWIpvtW+A7UxPyf3eIEnFcIbdJMbrq7i+5TfT+KbaMhmy5UkEM6XKHU G5xq4vRRGUS65LJLdKHu5kJG79IlMWYMmmdt643GBXRxeHas3JI8F9inCU3UAweNfZ+C 3PHvfTe1JgIqFbLhQJkVt5XiQKPOk+wxGeN4RHsU53H4pfC3pVSTYpiYYovq6JaFUJ0E igObnwRk/7hzrM3UEw3t6OoM4sUFIPSmlBeLc+/ADY/uSN1zeQ/DHIUAFOYUnFoB3+3X E1qgHptVxFtLuI7yZ56TMU6u7tgQKZCOU+rlDfyuw61Td+9M5nb2LMKAh+oDEn8oAv84 7YNw==
X-Gm-Message-State: ALoCoQkoRGlCYekn2zM4Pj3H6Lw3j3Wi3X/UD7AoHukFsuiPUGbPA/bJqvLE4EImLtLeak7lFHadHngsN4i4wPS1gORMKFLFOA==
X-Received: by 10.140.233.67 with SMTP id e64mr5209527qhc.42.1449072457657; Wed, 02 Dec 2015 08:07:37 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id d68sm515448qkb.7.2015.12.02.08.07.37 for <weirds@ietf.org> (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 02 Dec 2015 08:07:37 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id tB2G7bWS003049 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <weirds@ietf.org>; Wed, 2 Dec 2015 11:07:37 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Wed, 2 Dec 2015 11:07:36 -0500
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "weirds@ietf.org" <weirds@ietf.org>
Thread-Topic: Domain Reputation in RDAP
Thread-Index: AdEtG45Y/Eguxg6XRvqNNe39ahP/Cw==
Date: Wed, 2 Dec 2015 16:07:35 +0000
Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A103357@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/weirds/B3wKCug-i_n9EtnUSsUF37t6hGQ>
Subject: [weirds] Domain Reputation in RDAP
X-BeenThere: weirds@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "WHOIS-based Extensible Internet Registration Data Service \(WEIRDS\)" <weirds.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/weirds>, <mailto:weirds-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/weirds/>
List-Post: <mailto:weirds@ietf.org>
List-Help: <mailto:weirds-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/weirds>, <mailto:weirds-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 16:07:42 -0000

Someone recently asked me to read this article and consider if or how RDAP might be helpful in identifying bogus academic journal web sites:

http://news.sciencemag.org/scientific-community/2015/11/feature-how-hijack-journal

The author uses the word "hijack" to describe what's happening with domains (based on the title I thought it would be about bogus transfers), but I read it as more of a problem with two scenarios:

1. A domain expires and is re-registered by someone who does bad things with it.

2. A domain is registered and used to impersonate or appear to function as a "legitimate" journal.

Does anyone see value in adding something to RDAP that could be used as a measure of domain stability or reputation? The article describes how WHOIS data can be used to detect suspicious activity ("If the registration date is recent but the journal has been around for years, that's the first clue."). Might we do something more explicit?

Scott