Re: [weirds] Domain Reputation in RDAP

Andrew Newton <andy@hxr.us> Wed, 02 December 2015 16:47 UTC

From: Andrew Newton <andy@hxr.us>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/weirds/nSQuIdmUZQieJ7yZhc1NcFJXmGs>
Cc: "weirds@ietf.org" <weirds@ietf.org>
Subject: Re: [weirds] Domain Reputation in RDAP

Hmm... that depends. Is the idea to provide meta-data so a reputation
can be determined, or is the idea to actually provide a reputation?

The latter idea is subjective and could be dangerous. But providing
meta-data can be fact based and put reputation in the eye of the
beholder.

It seems like a simple thing to do with existing RDAP would be to
provide a history of registrations and expirations using events. That
way a long-held domain changing hands is something an observer can
draw their own conclusions about. Just an idea.

-andy

On Wed, Dec 2, 2015 at 11:07 AM, Hollenbeck, Scott
<shollenbeck@verisign.com> wrote:
> Someone recently asked me to read this article and consider if or how RDAP might be helpful in identifying bogus academic journal web sites:
>
> http://news.sciencemag.org/scientific-community/2015/11/feature-how-hijack-journal
>
> The author uses the word "hijack" to describe what's happening with domains (based on the title I thought it would be about bogus transfers), but I read it as more of a problem with two scenarios:
>
> 1. A domain expires and is re-registered by someone who does bad things with it.
>
> 2. A domain is registered and used to impersonate or appear to function as a "legitimate" journal.
>
> Does anyone see value in adding something to RDAP that could be used as a measure of domain stability or reputation? The article describes how WHOIS data can be used to detect suspicious activity ("If the registration date is recent but the journal has been around for years, that's the first clue."). Might we do something more explicit?
>
> Scott
>
> _______________________________________________
> weirds mailing list
> weirds@ietf.org
> https://www.ietf.org/mailman/listinfo/weirds
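Andy's suggestion of exposing registration and expiration history through RDAP events, together with the WHOIS clue Scott quotes from the article, as an added example (not code from this thread, RFC 7483 or any RDAP server): it reads the events array of a constructed RDAP domain object and reports fact-based stability metadata, leaving the judgement to the observer. The domain name, dates and the `recently_changed_hands` threshold are assumptions made for illustration.

```python
"""Summarise an RDAP domain's event history for stability checks.
Added example, not code from the weirds list, RFC 7483 or any RDAP server.
Event actions use the IANA "RDAP JSON Values" registry names; the domain
object below is constructed for illustration."""
import json
from datetime import datetime, timezone

# Constructed response: first registered in 2004, lapsed, re-registered by
# a new holder in 2015, then transferred to another registrar.
SAMPLE_RDAP = json.dumps({
    "ldhName": "example-journal.test",
    "events": [
        {"eventAction": "registration",   "eventDate": "2004-03-10T00:00:00Z"},
        {"eventAction": "expiration",     "eventDate": "2015-03-10T00:00:00Z"},
        {"eventAction": "reregistration", "eventDate": "2015-08-22T00:00:00Z"},
        {"eventAction": "transfer",       "eventDate": "2015-09-01T00:00:00Z"},
    ],
})

def _ts(s):
    """Parse an RFC 3339 timestamp (the RDAP eventDate format) to aware UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_events(rdap_json):
    """Return (eventAction, datetime) pairs sorted by date; skip malformed ones."""
    out = []
    for ev in json.loads(rdap_json).get("events", []):
        action, when = ev.get("eventAction"), ev.get("eventDate")
        if action and when:  # RDAP requires both members; ignore anything else
            out.append((action.lower(), _ts(when)))
    return sorted(out, key=lambda pair: pair[1])

def registration_history(rdap_json, as_of):
    """Fact-based metadata an observer can judge for themselves."""
    events = parse_events(rdap_json)
    regs = [d for a, d in events if a in ("registration", "reregistration")]
    if not regs:
        raise ValueError("no registration event in RDAP response")
    return {
        "first_registered": regs[0].date().isoformat(),
        "current_holder_since": regs[-1].date().isoformat(),
        "reregistrations": sum(1 for a, _ in events if a == "reregistration"),
        "transfers": sum(1 for a, _ in events if a == "transfer"),
        "holder_age_days": (_ts(as_of) - regs[-1]).days,
    }

def recently_changed_hands(history, claimed_active_since, max_days=365):
    """The article's clue: recent registration, much older claimed history (ISO dates)."""
    return (history["holder_age_days"] <= max_days
            and history["current_holder_since"] > claimed_active_since)
```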