Empirically Measuring WHOIS Misuse

  • Nektarios Leontiadis
  • Nicolas Christin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8712)


WHOIS is a publicly-accessible online directory used to map domain names to the contact information of the people who registered them (registrants). Regrettably, registrants have anecdotally complained about their WHOIS information being misused, e.g., for spam, while there is also concrete evidence that maliciously registered domains often map to bogus or protected information. All of this has brought into question whether WHOIS is still needed. In this study, we empirically assess which factors, if any, lead to a measurable degree of misuse of WHOIS data. We register 400 domains spread over the five most popular global top level domains (gTLD), using unique artificial registrant identities linked to email addresses, postal addresses, and phone numbers under our control. We collect, over six months, instances of misuse targeting our artificial registrants, revealing quantitative insights on both the extent and the factors (gTLD, domain type, presence of anti-harvesting mechanisms) that appear to have statistically-significant impact on WHOIS misuse.


WHOIS misuse security privacy 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Leontiadis, N., Christin, N.: WHOIS misuse study (March 2014), (last accessed July 3, 2014)
  2. 2.
    ICANN: 2013 Registrar Accreditation Agreement (2013), (last accessed July 3, 2014)
  3. 3.
    Clayton, R., Mansfield, T.: A study of Whois privacy and proxy service abuse. In: Proceedings of the 13th Workshop on Economics of Information Security, State College, PA (June 2014)Google Scholar
  4. 4.
    Newton, A., Piscitello, D., Fiorelli, B., Sheng, S.: A restful web service for internet names and address directory services, pp. 23–32. USENIX; login (2011)Google Scholar
  5. 5.
    Sullivan, A., Kucherawy, M.S.: Revisiting WHOIS: Coming to REST. IEEE Internet Computing 16(3) (2012)Google Scholar
  6. 6.
    Hollenbeck, S., Ranjbar, K., Servin, A., Newton, A., Kong, N., Sheng, S., Ellacott, B., Obispo, F., Arias, F.: Using HTTP for RESTful Whois services by Internet registries (2012)Google Scholar
  7. 7.
    Expert Working Group on gTLD Directory Services: A next generation registration directory service (2013), (last accessed July 3, 2014)
  8. 8.
    ICANN. Generic Names Supporting Organization: Motion to pursue WHOIS studies, (2010) (last accessed July 3, 2014)
  9. 9.
    ICANN. Security and Stability Advisory Committee: Advisory on registrar impersonation phishing attacks (2008), (last accessed July 3, 2014)
  10. 10.
    ICANN. Security and Stability Advisory Committee: Is the WHOIS service a source for email addresses for spammers (2007), (last accessed July 3, 2014)
  11. 11.
    ICANN: gTLD–specific monthly registry reports (February 2011),[gTLD]/[gTLD]-transactions-201102-en.csv (last accessed July 3, 2014)Google Scholar
  12. 12.
    Elliott, K.: The who, what, where, when, and why of WHOIS: Privacy and accuracy concerns of the WHOIS database. SMU Sci. & Tech. L. Rev. 12, 141 (2008)Google Scholar
  13. 13.
    Dave, V., Guha, S., Zhang, Y.: Measuring and fingerprinting click-spam in ad networks. In: Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 175–186. ACM (2012)Google Scholar
  14. 14.
    Christin, N., Yanagihara, S., Kamataki, K.: Dissecting one click frauds. In: Proc. ACM CCS 2010, Chicago, IL, pp. 15–26 (October 2010)Google Scholar
  15. 15.
    Yarochkin, F., Kropotov, V., Huang, Y., Ni, G.K., Kuo, S.Y., Chen, I.Y.: Investigating dns traffic anomalies for malicious activities. In: 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W), pp. 1–7. IEEE (2013)Google Scholar
  16. 16.
    Li, Z., Alrwais, S., Xie, Y., Yu, F., Valley, M.S., Wang, X.: Finding the linchpins of the dark web: a study on topologically dedicated hosts on malicious web infrastructures. In: IEEE Symposium on Security and Privacy, pp. 112–126. IEEE (2013)Google Scholar
  17. 17.
    Leontiadis, N., Moore, T., Christin, N.: Measuring and analyzing search-redirection attacks in the illicit online prescription drug trade. In: Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, pp. 281–298 (August 2011)Google Scholar
  18. 18.
    United States Congress. House Committee on the Judiciary. Subcommittee on Courts, the Internet, and Intellectual Property: Internet Domain Name Fraud: The U.S. Government’s Role in Ensuring Public Access to Accurate WHOIS Data. H. hrg. U.S. Government Printing Office (September 2003)Google Scholar
  19. 19.
    WHOIS Task Force 3: Improving accuracy of collected data (2003), (last accessed July 3, 2014)
  20. 20.
    NORC: Proposed design for a study of the accuracy of WHOIS registrant contact information (2009), (last accessed July 3, 2014)
  21. 21.
    Watters, P.A., Herps, A., Layton, R., McCombie, S.: Icann or icant: Is whois an enabler of cybercrime? In: 2013 Fourth Cybercrime and Trustworthy Computing Workshop (CTC), pp. 44–49. IEEE (2013)Google Scholar
  22. 22.
    Anti-Phishing Working Group: Phishing attack trends report - Q2 2010 (Janurary 2010)Google Scholar
  23. 23.
    Mockapetris, P.: Domain names – Implementation and specification (RFC 1035). Information Sciences Institute (1987)Google Scholar
  24. 24.
    The Spamhaus Project: The definition of spam, (last accessed July 3, 2014)
  25. 25.
    VirusTotal: Free online virus, malware and URL scanner, (last accessed July 3, 2014)
  26. 26.
    Hosmer Jr., D.W., Lemeshow, S.: Applied logistic regression. John Wiley & Sons (2004)Google Scholar
  27. 27.
    Nelder, J.A., Wedderburn, R.W.M.: Generalized linear models. Journal of the Royal Statistical Society. Series A 135(3), 370–384 (1972)CrossRefGoogle Scholar
  28. 28.
    Del Pino, G.: The unifying role of iterative generalized least squares in statistical algorithms. Statistical Science 4(4), 394–403 (1989)CrossRefMATHMathSciNetGoogle Scholar
  29. 29.
    Ye, F., Lord, D.: Comparing three commonly used crash severity models on sample size requirements: multinomial logit, ordered probit and mixed logit models. Analytic Methods in Accident Research 1, 72–85 (2014)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Nektarios Leontiadis
    • 1
  • Nicolas Christin
    • 1
  1. 1.Carnegie Mellon UniversityUSA

Personalised recommendations