Re: [policy] When Tech Meets Policy...
> > On 8/15/07, Barry Shein <[EMAIL PROTECTED]> wrote:
> > > > I am not sure tasting is criminal or fraud.
...
> Well, not all of us agree that these ad-only pages are particularly a problem. They're certainly not necessarily criminal or fraudulent except by some stretch.

There are different applications for domain tasting out there, with different levels of legitimacy. Some of them will go away if you reduce the amount of refund they get for returning the name; some won't.

-- Actual mistakes - probably not many of these, and in a corporate environment it's ok if a company has to pay $6 for their mistake; they're going to end up spending more money handling the invoice in most cases. As other people have pointed out, for individuals, getting stuck paying the current $6 fee is a lot less annoying than the old $35 fee if you've made a mistake, but it's possibly useful to have some incentive for the user to return the name if they genuinely made a mistake, such as being one letter away from a popular web site in a country whose language the user doesn't speak or violating a trademark they'd never heard before.

-- Ad-banner tasters - They're hoping to make money by littering the domain name space with content-free material, which is not criminal or fraudulent, just rude. Ostensibly you could get rid of them by requiring web pages to have real content, but not only would that require enforcement by humans (yeah, right), but it's trivially easy to generate pages with Not Much Content as opposed to no content at all, if nothing else by putting a boilerplate wiki page there and pretending that you've got real users who just haven't shown up yet. The way to get rid of these guys is to charge money for the pages, i.e. don't force the registrars to return their entire registration fee, and possibly have ICANN keep their US$0.20 cut of the funds even if the customer returns the name. That won't get rid of all of them - some will even be willing to pay the whole $6 - but it'll cut down on most of the ankle-biters.

-- Phishers trying to hide - They're not providing ad-banner-only pages, they're providing web forms that look very much like Example-Bank.Com's web site, or are Cyrillic-font variants on Paypal, etc., and they use domain tasting so they can collect hits from suckers for a couple of days and then make their records disappear by returning the name. Charging a restocking fee is less important here - if the phisher's successful they'll make more than enough to pay for it, unlike the typo-squatters - but there ought to be some requirement to keep the registration information around in case anybody wants to investigate it later, even if it turns out to be bogus information registered from a random zombie's IP address.

-- Fast-flux spammers trying to hide _and_ save money - They're also playing the game of keeping a domain name up for a short time so that mail gets delivered and then shutting it down to cover their tracks, as well as serving the DNS and web page information from a bunch of different zombies. (Not all of them do domain tasting - depends on the state of the anti-spammer arms race - but it does let them save $6 for a name they're only going to need for a couple of days before the spam filters cut their response rates down.)

According to the Council for Made-Up Statistical Information, getting rid of free domain tasting will get rid of 90-98% of the ad-banner domain tasters, making it easier to track the actual bad guys and laugh at the couple of people who made legitimate mistakes.

It also makes it a bit easier to provide reliable alternatives to standard DNS transmission - a back-of-the-envelope estimate I did a couple of years ago said you could multicast all of the DNS root/.com/.net/.org information in near-real-time in about 56kbps, except for the domain tasters, which would make it easy for ISPs and possibly end users to maintain reliable caching servers even if the main DNS root servers were under attack. You'd need a bit more than that today, but it wouldn't be that hard if you could eliminate the tasters (I suppose only transmitting information for domains that were registered for more than a week would do that, and you might need to limit TLDs to weekly, so sites that wanted to use DNS load-balancers would need to put them in www.example.tld instead of just example.tld.)

Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: [policy] When Tech Meets Policy...
On Aug 15, 2007, at 2:55 PM, Barry Shein wrote: Then my next question is, what reasons are there where it'd be wise/useful/non-criminal to do it on a large scale? It's a relatively passive activity when used for ad pages, no one forces anyone to look at them. I'm not sure what the problem is with that except it seems to offend some people's sensibilities. If the behavior is used to hide illegal activity such as spamming (e.g., botnet use) then that should be more of a reputation issue. This 'almost' hits the nail on the head. While domain tasting may not intend to obfuscate various nefarious activities related to domain names, it does. Domain assessments are impeded by a vast amount of domain name chaff caused by domain tasting. Domain tasting represents a significant burden in both assessment costs and performance. An unnecessary expense, an unnecessary overhead, and an unnecessary risk. As IPv6 is introduced, reliance upon IPv4 address assessment must transition to greater reliance on domain name assessment. There are too many IPv6 addresses and too many translators and proxies. Attempting to retain an open system makes domain assessment essential, and an open system seems like the "right thing." -Doug To quote Benjamin Franklin, "Sell not virtue to purchase wealth, nor Liberty to purchase power."
Re: [policy] When Tech Meets Policy...
On Aug 15, 2007, at 2:55 PM, Barry Shein wrote: It seems to me that this should be an issue between the domain registrars and their customers, but maybe some over-arching policy is making it difficult to do the right thing? Charging a "re-stocking fee" sounded perfectly reasonable. I don't think anyone has any *right* to "domain tasting", that is, to any particular pricing structure. But I don't see why it requires anything beyond some pricing solution as suggested. Then my next question is, what reasons are there where it'd be wise/useful/non-criminal to do it on a large scale? I'm not sure what the problem is with that except it seems to offend some people's sensibilities. It costs the registry some money in terms of order entry and all that, and there are opportunity costs - if one registrar has a name checked out and being tasted by one of his clients, another registrar can't sell it to one of his. PIR (.org) instituted an "excess deletion fee" in late May, which is at this point somewhat experimental. The fee is five cents per deleted domain if the total number of domains deleted within the 5 day grace period in a month is greater than 90%. The idea is that there is still a grace period where an individual can correct a mistake.
Re: [policy] When Tech Meets Policy...
On August 15, 2007 at 14:38 [EMAIL PROTECTED] (Al Iverson) wrote: > > On 8/15/07, Barry Shein <[EMAIL PROTECTED]> wrote: > > > I am not sure tasting is criminal or fraud. > > > > Neither am I, we agree. I meant if there's subsequent criminality or > > fraud that should be dealt with separately. > > Dumb question, not necessarily looking to call you or anyone out, but > I'm curious: What valid, legitimate, or likely to be used non-criminal > reasons are there for domain tasting? Well, not all of us agree that these ad-only pages are particularly a problem. They're certainly not necessarily criminal or fraudulent except by some stretch. It seems to me that this should be an issue between the domain registrars and their customers, but maybe some over-arching policy is making it difficult to do the right thing? Charging a "re-stocking fee" sounded perfectly reasonable. I don't think anyone has any *right* to "domain tasting", that is, to any particular pricing structure. But I don't see why it requires anything beyond some pricing solution as suggested. > Then my next question is, what reasons are there where it'd be > wise/useful/non-criminal to do it on a large scale? It's a relatively passive activity when used for ad pages, no one forces anyone to look at them. I'm not sure what the problem is with that except it seems to offend some people's sensibilities. If the behavior is used to hide illegal activity such as spamming (e.g., botnet use) then that should be more of a reputation issue. The example which came to mind was ordering a couple of hundred phone lines. In the early days of the internet people like myself did that for modem banks (there was a time it was a lot cheaper to punch up 256 1MBs than to try to demux T1s or T3s or PRIs, I think I still have 66-block punch tool scars in my palm.) A friend who ran an ISP did that and the police showed up thinking he might be setting up a boiler room (telephone stock scam.) He was amused. 
They weren't sure what he was doing (internet? modems? WTF?) but decided it wasn't a boiler room so left. But that's what a lot of this reminds me of, except of course that ordering hundreds of phone lines required some sort of credit relationship with your local telco which seems to be what's lacking here. But obviously boiler room ops got away with it, that's why they were a problem. I assume the telcos got better at screening such criminals, they probably never paid their phone bills anyhow. But the concept of ordering hundreds of phone lines wasn't at issue, just some borderline criminal behavior and how to suppress it. -- -Barry Shein The World | [EMAIL PROTECTED] | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide Software Tool & Die| Public Access Internet | SINCE 1989 *oo*
Re: [policy] When Tech Meets Policy...
On Aug 15, 2007, at 12:38 PM, Al Iverson wrote: Dumb question, not necessarily looking to call you or anyone out, but I'm curious: What valid, legitimate, or likely to be used non-criminal reasons are there for domain tasting? This article describes the motivation leading to domain tasting. http://www.circleid.com/posts/historical_analysis_domain_tasting/ -Doug
Re: [policy] When Tech Meets Policy...
On Wed, Aug 15, 2007 at 02:38:48PM -0500, Al Iverson wrote:
> I'm curious: What valid, legitimate, or likely to be used non-criminal reasons are there for domain tasting?

Making money on the basis of the published policies of a registry?

If this were some sort of "Web 2.0" application, everybody would be impressed with the "mash up" the "domainers" had managed to spot: you take a bit of capital, a grace period without any clear rules for its application, and another application on the web (Google, in this case), and in one go you produce revenue out of some domains and none out of others. By learning which ones are poor earners, you learn things about which kinds of names are (at least currently) likely to attract web traffic. You therefore learn which pool of names _do_ attract traffic, and which will therefore be profitable.

It isn't plain to me that all this speculation is even bad. When people do it with land or stocks, we don't seem to mind too much.

From my point of view, it's too bad that the registries have to carry the cost without getting any benefit from it. Some registries have introduced methods to try to recover some of their costs when dealing with this sort of behaviour. But I don't believe that there's anything criminal, or even "invalid" or "illegitimate" (whatever those would mean in respect of domain names) going on.

A

-- Andrew Sullivan 204-4141 Yonge Street Afilias Canada Toronto, Ontario Canada <[EMAIL PROTECTED]> M2P 2A8 jabber: [EMAIL PROTECTED] +1 416 646 3304 x4110
Re: [policy] When Tech Meets Policy...
On 8/15/07, Barry Shein <[EMAIL PROTECTED]> wrote: > > I am not sure tasting is criminal or fraud. > > Neither am I, we agree. I meant if there's subsequent criminality or > fraud that should be dealt with separately. Dumb question, not necessarily looking to call you or anyone out, but I'm curious: What valid, legitimate, or likely to be used non-criminal reasons are there for domain tasting? Then my next question is, what reasons are there where it'd be wise/useful/non-criminal to do it on a large scale? Regards, Al Iverson -- Al Iverson on Spam and Deliverability, see http://www.spamresource.com News, stats, info, and commentary on blacklists: http://www.dnsbl.com My personal website: http://www.aliverson.com -- Chicago, IL, USA
Re: [policy] When Tech Meets Policy...
On Aug 14, 2007, at 11:00 PM, Chris L. Morrow wrote: On Wed, 15 Aug 2007, Paul Ferguson wrote: More than ~85% of all spam is being generated by spambots. yes, that relates to my question how though? I asked: "Do spammers monitor the domain system in order to spam from the domains in flux as tasting domains?" I asked this specifically because that behavior was being used as a 'reason to stop tasting', or to clamp down on it at least. Links to pornography in spam could be used as an example of where use of throw-away domains for this purpose is obscured by millions of tasting domains. A reference to pornography is a category of threat heavily blocked by domain in various products that extend beyond just email. Most might not view pornography as a serious threat, but this endeavor benefits from domain tasting chaff. Spammers are gaming the domain registry system, not for MX record manipulation, but to install their own nameservers on compromised hosts, round-robin and fast-flux their ability to avoid detection, and inevitably hide behind various layers of obfuscation. Sure, they are being bad, they are doing what akamai does (or other CDNs) only for illegal end reasons... That's not relevant to my question, but I agree it's a dirty trick still. Blocking by domain name would be the response needed to dealing with a DNS abuse problem. It can not be done by IP address. When there are millions of domains continuously in flux, any database attempting to address this issue will be inundated with nonsense. Over a few weeks, this nonsense represents more information than that used by all existing domains. They are manipulating both the (legitimate) process of obtaining IP addresses, registering domain names (and all the cruft that it brings along with it, given the loopholes in the processes), and manipulating the ability to move their nameservers around at-will. That's not a manipulation so much as using the system as designed. Agreed. 
However, domain tasting makes any response to abuse of the domain system much slower and far more expensive. It's pretty much a mess -- these guys use the system to succeed. agreed, they are a mess (spammers and their current business) If this were just limited to spammers, it would be less of a concern. Honestly, I don't have any answers -- only questions at this point. :-/ me too, I just don't want to see the issue sidetracked on: 1) spammers using tasting to their benefit 2) phishers are tasters/use tasting to their benefit neither of which is, near as I can tell, true or real fears. Tasting is, in and of itself, a completely different problem with a completely different set of issues... Conflating the 3 (or parts of the 2 sets) is just as wrong as saying that 'tasting lets the terrorists win'. This should be stated somewhat differently. 1) spammers benefit by domain tasting 2) phishers benefit by domain tasting _Any_ protective measure to combat phishing, undesired or malicious links will need to be done by domain name. Bots tend to thwart reliance upon IP addresses. Assessment by domain name is made far less effective by the very large amount of noise generated by domain tasting. Domain tasting provides cover for the abusive criminal activity. While domain tasting itself is not criminal, the harm it permits could easily be seen as the result of a negligent policy. -Doug
Re: [policy] When Tech Meets Policy...
On August 13, 2007 at 16:01 [EMAIL PROTECTED] (Carl Karsten) wrote: > > Barry Shein wrote: > > > > That is, if you extend domains on credit w/o any useful accountability > > of the buyer and this results in a pattern of criminality then the > > liability for that fraud should be shared by the seller. > > I am not sure tasting is criminal or fraud. Neither am I, we agree. I meant if there's subsequent criminality or fraud that should be dealt with separately. For example if someone were registering thousands of domains to use in a spam throwaway scheme and the spamming behavior is criminal and/or fraudulent, e.g., use of zombie botnets, then I'd hope there were some way to encourage registrars to stop extending that spammer throwaway domains, as one measure. I don't know if it's still true but as of a couple of years ago the average useful lifetime of a spammer's throwaway domain was about two hours. Set it up, send out 100M spams, take the hits, abandon it. Lather, rinse, repeat. It's not the act, per se, it's the resultant criminality which should disqualify the individual or company. Much like abusing credit in the finance world. Effective enforcement of that platitude is, of course, yet another kettle of fish. -- -Barry Shein The World | [EMAIL PROTECTED] | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide Software Tool & Die| Public Access Internet | SINCE 1989 *oo*
Re: [policy] When Tech Meets Policy...
On Tue, 14 Aug 2007, Al Iverson wrote: > On 8/14/07, Douglas Otis <[EMAIL PROTECTED]> wrote: > > > This comment was added as a follow-on note. Sorry for not being clear. > > > > Accepting messages from a domain lacking MX records might be risky > > due to the high rate of domain turnovers. Within a few weeks, more > > than the number of existing domains will have been added and deleted > > by then. Spammers take advantage of this flux. Unfortunately SMTP > > server discovery via A records is permitted and should be > > deprecated. > > Should be (perhaps) but clearly isn't. When you run it through a > standards body and/or obtain broad acceptance; great! Until then, it's > pipe dreaming. Okay I wasn't reading this thread but the last few posts have gone a little over the edge. I don't know where this whole "Must have MX record to send email" thing came from but I would have thought domains that don't want to send email can easily mark this fact with a simple SPF record: v=spf1 -all Trying to overload the MX record is pointless when there is a simple method that the domain owners, registrars can choose to use or not. -- Simon Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ "To stay awake all night adds a day to your life" - Stilgar | eMT.
Re: [policy] When Tech Meets Policy...
-- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:

>> More than ~85% of all spam is being generated by spambots.
>
>yes, that relates to my question how though? I asked: "Do spammers monitor the domain system in order to spam from the domains in flux as tasting domains?" I asked this specifically because that behavior was being used as a 'reason to stop tasting', or to clamp down on it at least.

The answer to your question is "Yes, sometimes." But that's not the explicit reasoning behind the motivations behind tasting.

>Conflating the 3 (or parts of the 2 sets) is just as wrong as saying that 'tasting lets the terrorists win'.

Completely agree, and would not want to paint this problem in that light. Again, this problem is multi-fold: bad actors gaming the system for illicit (and illegal) purposes.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
On Wed, 15 Aug 2007, Paul Ferguson wrote:
> -- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:
>
> >On Tue, 14 Aug 2007, Douglas Otis wrote:
> >
> >> That point forward, spammers would be less able to take advantage of domains in flux, and policy schemes would be far less perilous for
> >
> >are spammers really doing this? do they mine the domain system for changes and utilize those for their purposes? I ask because i don't see that in my data, which is small admittedly... I see lots of existing well known domains in the 'from'. Unless you have some data showing otherwise (or someone else has data to share) I think this is a specious argument.
>
> More than ~85% of all spam is being generated by spambots.

yes, that relates to my question how though? I asked: "Do spammers monitor the domain system in order to spam from the domains in flux as tasting domains?" I asked this specifically because that behavior was being used as a 'reason to stop tasting', or to clamp down on it at least.

> Spammers are gaming the domain registry system, not for MX record manipulation, but to install their own nameservers on compromised hosts, round-robin and fast-flux their ability to avoid detection, and inevitably hide behind various layers of obfuscation.

Sure, they are being bad, they are doing what akamai does (or other CDNs) only for illegal end reasons... That's not relevant to my question, but I agree it's a dirty trick still.

> They are manipulating both the (legitimate) process of obtaining IP addresses, registering domain names (and all the cruft that it brings along with it, given the loopholes in the processes), and manipulating the ability to move their nameservers around at-will.

That's not a manipulation so much as using the system as designed.

> It's pretty much a mess -- these guys use the system to succeed.

agreed, they are a mess (spammers and their current business)

> Honestly, I don't have any answers -- only questions at this point. :-/

me too, I just don't want to see the issue sidetracked on:

1) spammers using tasting to their benefit
2) phishers are tasters/use tasting to their benefit

neither of which is, near as I can tell, true or real fears. Tasting is, in and of itself, a completely different problem with a completely different set of issues... Conflating the 3 (or parts of the 2 sets) is just as wrong as saying that 'tasting lets the terrorists win'.

-Chris
Re: [policy] When Tech Meets Policy...
-- "Chris L. Morrow" <[EMAIL PROTECTED]> wrote:

>On Tue, 14 Aug 2007, Douglas Otis wrote:
>
>> That point forward, spammers would be less able to take advantage of domains in flux, and policy schemes would be far less perilous for
>
>are spammers really doing this? do they mine the domain system for changes and utilize those for their purposes? I ask because i don't see that in my data, which is small admittedly... I see lots of existing well known domains in the 'from'. Unless you have some data showing otherwise (or someone else has data to share) I think this is a specious argument.

More than ~85% of all spam is being generated by spambots.

Spammers are gaming the domain registry system, not for MX record manipulation, but to install their own nameservers on compromised hosts, round-robin and fast-flux their ability to avoid detection, and inevitably hide behind various layers of obfuscation.

They are manipulating both the (legitimate) process of obtaining IP addresses, registering domain names (and all the cruft that it brings along with it, given the loopholes in the processes), and manipulating the ability to move their nameservers around at-will.

It's pretty much a mess -- these guys use the system to succeed.

Honestly, I don't have any answers -- only questions at this point. :-/

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
> On Wed, 2007-08-15 at 11:58 +1000, Mark Andrews wrote:
> > > Accepting messages from a domain lacking MX records might be risky due to the high rate of domain turnovers. Within a few weeks, more than the number of existing domains will have been added and deleted by then. Spammers take advantage of this flux. SMTP server discovery via A records is permitted and should be deprecated.
> >
> > All it would require is a couple of large ISP's to adopt such a policy. "MX 0 " really is not hard and benefits the remote caches.
>
> Agreed. While some suggest deprecating A record discovery requires adoption by a standards body, it really only requires a few ISPs to make their intentions public. A small minority of domains lacking an MX record are likely to comply quickly. At that point, adoption by a standards body becomes possible. It is rare to find a standards body willing to impose additional requirements on email, but this is a case where such a requirement is clearly necessary.
>
> That point forward, spammers would be less able to take advantage of domains in flux, and policy schemes would be far less perilous for roots or second level domains.
>
> > > Once MX records are adopted as an _acceptance_ requisite, domains not intended to receive or send email would be clearly denoted by the absence of MX records. SMTP policy published adjacent to MX records also eliminates a need for email policy "discovery" as well. Another looming problem.
> >
> > Better yet use MX records to signal that you don't want to receive email e.g. "MX 0 .". It has additional benefits in that it is *much* smaller to cache than a negative response. It's also smaller to cache than an A record.
> >
> > Since all valid email domains are required to have a working postmaster you can safely drop any email from such domains.
>
> Use of root "." as a name for a target may create undesired non-cached traffic when applications unaware of this convention then attempt to resolve an address for servers named root.

All modern iterative resolvers are required to support negative caching.

> The use of root as a convention will complicate a general strategy identifying adoption of a protocol by publication of a discovery record. The use of root as a target name in SRV records has been problematic, although this convention was defined for SRV records at the outset.
> Using an MX record to mean "no email is accepted" by naming the target 'root' changes the meaning of the MX record.

Not really. It's entirely consistent with existing DNS usage where "." is a domain name / hostname place holder. Lots of RR types use "." to indicate non-existence.

> It is also not clear whether the root target would mean "no email is sent" as well.

That is, I'll agree, more of an issue but no one can reasonably expect people to accept non-repliable email.

> A clearer and safer strategy would be to insist that anyone who cares about their email delivery, publish a valid MX record. Especially when the domain is that of a government agency dealing with emergencies. At least FEMA now publishes an MX record. This requirement should have been imposed long ago. : )

I much prefer positive data vs the absence of data to make a decision. "MX 0 ." is a definitive response saying you don't want email.

> -Doug

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
Re: [policy] When Tech Meets Policy...
On Tue, 14 Aug 2007, Douglas Otis wrote:
> That point forward, spammers would be less able to take advantage of domains in flux, and policy schemes would be far less perilous for

are spammers really doing this? do they mine the domain system for changes and utilize those for their purposes? I ask because i don't see that in my data, which is small admittedly... I see lots of existing well known domains in the 'from'. Unless you have some data showing otherwise (or someone else has data to share) I think this is a specious argument.
Re: [policy] When Tech Meets Policy...
-- Douglas Otis <[EMAIL PROTECTED]> wrote:

>A clearer and safer strategy would be to insist that anyone who cares about their email delivery, publish a valid MX record. Especially when the domain is that of a government agency dealing with emergencies. At least FEMA now publishes an MX record. This requirement should have been imposed long ago. : )

Let's be clear here -- the fact that a particular domain does, or does not have an MX associated with it, is a separate issue from what this thread originally began: domain tasting, and the "gaming" of the domain registry system for bad actors.

Now, while these issues may indeed be related, the whole MX record thing relates specifically to the issue of spamming -- and there are even larger issues involved here (aside from spamming). :-)

Not to demean your point, but just wanted to clarify a couple of talking points. There are completely valid reasons why domains can be registered which do not have associated MX records. I can think of several right off of the top-of-my-head.

Gaming the domain registry system for illegitimate uses -- that's my main sticking point.

Cheers,

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
On Wed, 2007-08-15 at 11:58 +1000, Mark Andrews wrote:
> > Accepting messages from a domain lacking MX records might be risky due to the high rate of domain turnovers. Within a few weeks, more than the number of existing domains will have been added and deleted by then. Spammers take advantage of this flux. SMTP server discovery via A records is permitted and should be deprecated.
>
> All it would require is a couple of large ISP's to adopt such a policy. "MX 0 " really is not hard and benefits the remote caches.

Agreed. While some suggest deprecating A record discovery requires adoption by a standards body, it really only requires a few ISPs to make their intentions public. A small minority of domains lacking an MX record are likely to comply quickly. At that point, adoption by a standards body becomes possible. It is rare to find a standards body willing to impose additional requirements on email, but this is a case where such a requirement is clearly necessary.

That point forward, spammers would be less able to take advantage of domains in flux, and policy schemes would be far less perilous for roots or second level domains.

> > Once MX records are adopted as an _acceptance_ requisite, domains not intended to receive or send email would be clearly denoted by the absence of MX records. SMTP policy published adjacent to MX records also eliminates a need for email policy "discovery" as well. Another looming problem.
>
> Better yet use MX records to signal that you don't want to receive email e.g. "MX 0 .". It has additional benefits in that it is *much* smaller to cache than a negative response. It's also smaller to cache than an A record.
>
> Since all valid email domains are required to have a working postmaster you can safely drop any email from such domains.

Use of root "." as a name for a target may create undesired non-cached traffic when applications unaware of this convention then attempt to resolve an address for servers named root. The use of root as a convention will complicate a general strategy identifying adoption of a protocol by publication of a discovery record. The use of root as a target name in SRV records has been problematic, although this convention was defined for SRV records at the outset.

Using an MX record to mean "no email is accepted" by naming the target 'root' changes the meaning of the MX record. It is also not clear whether the root target would mean "no email is sent" as well.

A clearer and safer strategy would be to insist that anyone who cares about their email delivery, publish a valid MX record. Especially when the domain is that of a government agency dealing with emergencies. At least FEMA now publishes an MX record. This requirement should have been imposed long ago. : )

-Doug
Re: [policy] When Tech Meets Policy...
>This comment was added as a follow-on note. Sorry for not being clear.
>
>Accepting messages from a domain lacking MX records might be risky
>due to the high rate of domain turnovers. Within a few weeks, more
>than the number of existing domains will have been added and deleted
>by then. Spammers take advantage of this flux. Unfortunately SMTP
>server discovery via A records is permitted and should be
>deprecated.

All it would require is a couple of large ISP's to adopt such a policy. "MX 0 " really is not hard and benefits the remote caches.

>Once MX records are adopted as an _acceptance_
>requisite, domains not intended to receive or send email would be
>clearly denoted by the absence of MX records. SMTP policy published
>adjacent to MX records also eliminates a need for email policy
>"discovery" as well. Another looming problem.

Better yet use MX records to signal that you don't want to receive email e.g. "MX 0 .". It has additional benefits in that it is *much* smaller to cache than a negative response. It's also smaller to cache than an A record.

Since all valid email domains are required to have a working postmaster you can safely drop any email from such domains.

>Don't accept a message from a domain without MX records. When there
>is no policy record adjacent to the MX record, there is no policy,
>and don't go looking.
>
>-Doug
>
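Added example, not part of the thread and not written by any of its participants: a receiver-side check that applies the two conventions argued over in the messages above, the "MX 0 ." record as a statement that a domain handles no mail, and the proposal to refuse senders whose domain publishes no MX at all. The record data, the domain names and the `require_mx` switch are constructed for illustration, and ignoring a null MX that sits next to real targets is this sketch's own choice.

```python
from collections import defaultdict

# Constructed DNS answers in zone-file form; every name is a placeholder.
SAMPLE_RECORDS = """
mail-ok.example.   3600 IN MX 10 mx1.mail-ok.example.
mail-ok.example.   3600 IN MX 20 mx2.mail-ok.example.
no-mail.example.   3600 IN MX 0 .
web-only.example.  3600 IN A 192.0.2.10
mixed.example.     3600 IN MX 0 .
mixed.example.     3600 IN MX 10 mx.mixed.example.
"""


def parse_records(text):
    """Group MX and address records by owner name (lower-case, no trailing dot)."""
    zone = defaultdict(lambda: {"MX": [], "ADDR": []})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # blank line, or a form this sketch does not model
        owner, rtype = fields[0].rstrip(".").lower(), fields[3].upper()
        if rtype == "MX" and len(fields) == 6:
            zone[owner]["MX"].append((int(fields[4]), fields[5].lower()))
        elif rtype in ("A", "AAAA"):
            zone[owner]["ADDR"].append(fields[4])
    return dict(zone)  # plain dict: lookups of unknown names create nothing


def classify_sender(domain, zone, require_mx=True):
    """Return (accept, reason) for mail claiming to come from `domain`.

    require_mx=True models the policy proposed in the thread (no MX, no
    acceptance); require_mx=False models SMTP's fallback to address records.
    """
    entry = zone.get(domain.rstrip(".").lower())
    if entry is None:
        return (False, "no records: domain does not resolve")
    mx = sorted(entry["MX"])  # lowest preference value first
    null_mx = [rec for rec in mx if rec[1] == "."]
    real_mx = [rec for rec in mx if rec[1] != "."]
    if null_mx and not real_mx:
        return (False, "null MX: domain states it handles no mail")
    if real_mx:
        # A null MX published beside real targets is contradictory; keep the
        # usable targets and note the stray record for the log.
        note = " (stray null MX ignored)" if null_mx else ""
        return (True, "MX -> " + real_mx[0][1].rstrip(".") + note)
    if entry["ADDR"]:
        if require_mx:
            return (False, "no MX: A-record discovery refused by local policy")
        return (True, "implicit MX via address record " + entry["ADDR"][0])
    return (False, "no MX and no address record")


if __name__ == "__main__":
    zone = parse_records(SAMPLE_RECORDS)
    for name in ("mail-ok.example", "no-mail.example", "web-only.example",
                 "mixed.example", "unregistered.example"):
        print(name, classify_sender(name, zone))
```

Running it with `require_mx=False` shows the case the thread calls risky: `web-only.example` is accepted on the strength of its A record alone.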
Re: [policy] When Tech Meets Policy...
On 8/14/07, Douglas Otis <[EMAIL PROTECTED]> wrote: > This comment was added as a follow-on note. Sorry for not being clear. > > Accepting messages from a domain lacking MX records might be risky > due to the high rate of domain turnovers. Within a few weeks, more > than the number of existing domains will have been added and deleted > by then. Spammers take advantage of this flux. Unfortunately SMTP > server discovery via A records is permitted and should be > deprecated. Should be (perhaps) but clearly isn't. When you run it through a standards body and/or obtain broad acceptance; great! Until then, it's pipe dreaming. Regards, Al Iverson -- Al Iverson on Spam and Deliverability, see http://www.spamresource.com News, stats, info, and commentary on blacklists: http://www.dnsbl.com My personal website: http://www.aliverson.com -- Chicago, IL, USA
Re: [policy] When Tech Meets Policy...
On Aug 14, 2007, at 9:29 AM, Al Iverson wrote:

> On 8/14/07, Tim Franklin <[EMAIL PROTECTED]> wrote:
> >
> > On Tue, August 14, 2007 1:48 am, Douglas Otis wrote:
> >
> > > For domains to play any role in securing email, a published MX record
> > > should become a necessary acceptance requirement. Using MX records
> > > also consolidates policy locales which mitigates some DDoS concerns.
> >
> > What if there's no intention to use the domain for email?
> >
> > I've become annoyed enough in the other direction, owning domains *only*
> > used for email and dealing with irate people insisting I'm
> > domain-squatting and must sell them the domain cheaply right now because
> > there's no A record for www.what.ever.
>
> I'm annoyed enough in the original direction. I, like many thousands
> of people, have some domains that I don't use for email, so they don't
> have an MX record.
>
> How do you enforce this new requirement? Who chases it down? How does
> it stop domain tasting? If this is ultimately to stop domain tasting
> abuse, why not instead stop domain tasting? It seems like this simply
> add rules that somebody has to figure out to who enforce, and I'm not
> exactly inspired to think that it'll be enforced regularly or
> properly.

All registrations MUST incur a nominal charge applied uniformly. Remove the option permitting domain registration at little or no cost. End of problem.

> This seems like creating a requirement that people must implement
> mosquito nets to solve the mosquito problem, instead of focusing on
> removing the mosquitos.

This comment was added as a follow-on note. Sorry for not being clear.

Accepting messages from a domain lacking MX records might be risky due to the high rate of domain turnovers. Within a few weeks, more than the number of existing domains will have been added and deleted by then. Spammers take advantage of this flux. Unfortunately SMTP server discovery via A records is permitted and should be deprecated.

Once MX records are adopted as an _acceptance_ requisite, domains not intended to receive or send email would be clearly denoted by the absence of MX records. SMTP policy published adjacent to MX records also eliminates a need for email policy "discovery" as well. Another looming problem.

Don't accept a message from a domain without MX records. When there is no policy record adjacent to the MX record, there is no policy, and don't go looking.

-Doug
Re: [policy] When Tech Meets Policy...
On 8/14/07, Roger Marquis <[EMAIL PROTECTED]> wrote: > > Carl Karsten wrote: > > I am not saying tasting is a free speech thing, but I do see it > > as something currently legal, and don't see a way to make it a > > crime without adversely effecting the rest of the system. > > It is perfectly legal, and no viable remedies are known other than making it > illegal. Attaching a cost seemingly could add a deterrent without needing to make it illegal. Regards, Al -- Al Iverson on Spam and Deliverability, see http://www.spamresource.com News, stats, info, and commentary on blacklists: http://www.dnsbl.com My personal website: http://www.aliverson.com -- Chicago, IL, USA
Re: [policy] When Tech Meets Policy...
On Tue, 14 Aug 2007, Chris L. Morrow wrote:
>
> maybe I'm just thick, but how exactly does tasting inhibit anti-phishing
> efforts?

Domain names are used as lookup keys in anti-phishing blacklists.

Tony.
--
f.a.n.finch <[EMAIL PROTECTED]> http://dotat.at/
IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
Re: [policy] When Tech Meets Policy...
On 8/14/07, Tim Franklin <[EMAIL PROTECTED]> wrote: > > On Tue, August 14, 2007 1:48 am, Douglas Otis wrote: > > > For domains to play any role in securing email, a published MX record > > should become a necessary acceptance requirement. Using MX records > > also consolidates policy locales which mitigates some DDoS concerns. > > What if there's no intention to use the domain for email? > > I've become annoyed enough in the other direction, owning domains *only* > used for email and dealing with irate people insisting I'm > domain-squatting and must sell them the domain cheaply right now because > there's no A record for www.what.ever. I'm annoyed enough in the original direction. I, like many thousands of people, have some domains that I don't use for email, so they don't have an MX record. How do you enforce this new requirement? Who chases it down? How does it stop domain tasting? If this is ultimately to stop domain tasting abuse, why not instead stop domain tasting? It seems like this simply add rules that somebody has to figure out to who enforce, and I'm not exactly inspired to think that it'll be enforced regularly or properly. This seems like creating a requirement that people must implement mosquito nets to solve the mosquito problem, instead of focusing on removing the mosquitos. Al -- Al Iverson on Spam and Deliverability, see http://www.spamresource.com News, stats, info, and commentary on blacklists: http://www.dnsbl.com My personal website: http://www.aliverson.com -- Chicago, IL, USA
RE: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Justin Scott wrote: > > Perhaps it would be better to allow for domain returns, but shorten the > time limit to 24 hours. That should be long enough to catch a typo, but > too short to be much use for traffic tasting. Still long enough to be useful for spammers :-( Tony. -- f.a.n.finch <[EMAIL PROTECTED]> http://dotat.at/ IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
Re: [policy] When Tech Meets Policy...
Carl Karsten wrote: I am not sure tasting is criminal or fraud. You got what you ordered. You used it. You pay for it. It's that simple. That doesn't make anything criminal or fraud any more than free samples. If a registrar wants to give a refund, I don't see anything wrong with that. It is not even close to that simple, And I'm saying that it can be. Even you have already made a couple of good suggestions to that effect.
Re: [policy] When Tech Meets Policy...
On Aug 14, 2007, at 3:50 AM, Paul Ferguson wrote:

> -- Marshall Eubanks <[EMAIL PROTECTED]> wrote:
>
> > On Aug 14, 2007, at 12:19 AM, Paul Ferguson wrote:
> >
> > > I was just struck by a couple of statistics:
> > >
> > > [snip]
> > >
> > > In January 2007, according to PIR five registrars deleted 1,773,910
> > > domain names during the grace period and retained 10,862. That same
> > > month, VeriSign reported that among top ten registrars, 95% of all
> > > deleted .COM and .Net domain names were the result of domain tasting.
> >
> > So, if they charged a $ 1 "return fee," they would either
> >
> > - produce revenues of several million USD per month (unlikely) or
> > - cut domain tasting by about 2 orders of magnitude.
>
> ... or both.
>
> I think I could live with that, all things being equal.
>
> - ferg

It's not uncommon for companies to not charge good customers for minor incidental things, like fixing a typo; I think that most would reconsider that policy if they were hit with 8 million "minor" changes in a day, which it seems is where we are. That has to cost something.

I haven't heard a good reason why not to do this. If IANA can't use the money the IETF can.

Regards
Marshall

> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
John Levine wrote: I am assuming that A. a registrar would get less business being "less forgiving" than others. Do you know what your current registrar's refund policy is? Do you know what other registrars' policies are? Why haven't you switched to the registrar that offers the cheapest refunds? Don't care, because I don't do the kinds of transactions where it would matter. I have a lot of criteria for what makes a good registrar, and in my case, which I think is not atypical, refund policy is so far down the list as to be invisible. ditto. That doesn't mean there aren't people who care: the tasters. No, I am not trying to protect them. I am looking out for the registrar. Carl K
Re: [policy] When Tech Meets Policy...
> From [EMAIL PROTECTED] Mon Aug 13 20:15:50 2007
> Date: Mon, 13 Aug 2007 19:37:09 -0500
> From: Carl Karsten <[EMAIL PROTECTED]>
> To: nanog@merit.edu
> Subject: Re: [policy] When Tech Meets Policy...
>
>
> J Bacher wrote:
> >
> > Carl Karsten wrote:
> >
> >>> That is, if you extend domains on credit w/o any useful accountability
> >>> of the buyer and this results in a pattern of criminality then the
> >>> liability for that fraud should be shared by the seller.
> >>
> >> I am not sure tasting is criminal or fraud.
> >
> > You got what you ordered. You used it. You pay for it. It's that simple.
>
> That doesn't make anything criminal or fraud any more than free samples. If a
> registrar wants to give a refund, I don't see anything wrong with that.

It is not even close to that simple,

In and of itself, 'tasting' is neither criminal, nor fraudulent.

*HOWEVER*, available evidence suggests that a large proportion of 'tasting' _is_ done "in furtherance/support of" criminal/fraudulent activities.

Registry operator data indicates that less than _six-tenths of one percent_ of 'tasted' domains are kept by the taster.

Analysis of data from another registry operator suggests that that operator is now processing roughly 3.25 _million_ *unpalatable* (i.e., _will_ be returned) 'tasting' domain registrations =per=day=.

IF we postulate there are 100 million registered names with that operator, then the annualized number of _returned_ 'tasting' registrations is around TEN TIMES the total number of registered domain names.

_IF_ the registry operator is at least breaking even on the entire registration process -- 'real domains' plus 'tasting' -- then it would seem that the registry-operator fee for registration of a domain registration could be reduced _by_a_factor_of_ten_, if tasting was the same price as a real registration.

On the other hand, if the free tasting is 'out of hand' to the point where registry operators are 'in the red' due to the 'incremental' costs thereof, *that* problem also needs to be addressed. Life could be _really_ interesting if a registry operator contract came up for renewal, and _nobody_ bid.

Anybody with _reasonable_ "plan ahead" skills can live with a week between name registration submission, and the name going 'live' -- given that they do know, _immediately_ that the registration is successful.

Those who have 'urgent' need should pay a premium for 'expedited' service -- and those who have a _legitimate_ need for such service will not balk at paying a significant premium for that service. It _IS_ worth 'big bucks' to them, because, even at that price, it is '_much_ cheaper than the alternative'.

I'd suggest:

1) one week latency between registration and entry into the TLD nameservers.
2) 50% (of 1-year registration fee) 'penalty' for cancelling the registration before it hits the TLD servers.
3) $250 'surcharge' (to registrant) for 'immediate' _irrevocable_ recording in the TLD nameservers, 25% of that surcharge to be retained by the registrar, 25% to the registry operator, and 50% to IANA.
Re: [policy] When Tech Meets Policy...
On Tue, August 14, 2007 1:48 am, Douglas Otis wrote: > For domains to play any role in securing email, a published MX record > should become a necessary acceptance requirement. Using MX records > also consolidates policy locales which mitigates some DDoS concerns. What if there's no intention to use the domain for email? I've become annoyed enough in the other direction, owning domains *only* used for email and dealing with irate people insisting I'm domain-squatting and must sell them the domain cheaply right now because there's no A record for www.what.ever. Functioning, correct and coherent DNS prior to registration, now that I support whole-heartedly. Regards, Tim.
Re: [policy] When Tech Meets Policy...
On Mon, August 13, 2007 11:27 pm, Roland Dobbins wrote: > 2.People tend to be much more careful about punching numbers into a > telephone than typing words on a keyboard, I think. There's also not > a conceptual conflation of common typo mistakes with common telephone > number transpositions, I don't think (i.e., I'm unsure there's any > such thing as a common number transposition, while there certainly is > with linguistic constructs such as letters). Having a home land line with the last two digits transposed from that of a local fast food establishment, I beg to differ :) Regards, Tim.
RE: [policy] When Tech Meets Policy...
> Maybe marketing would learn to spell after a few costly mistakes. Any policy strategy that relies on marketing people learning to spell is flawed from the outset. Domain tasting is a real problem. 1 year domain registrations are very cheap. Who then does the waiting period benefit? (hint: not grandma) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Eddings Sent: Tuesday, 14 August 2007 7:46 AM To: nanog@merit.edu Subject: RE: [policy] When Tech Meets Policy... At 4:32 PM -0400 8/13/07, Justin Scott wrote: > > Do people really not plan that far ahead, that they >> need brand new domain names to be active (not just >> reserved) within seconds? > >I can say from my experience working in a web development environment, >yes. I can recall several cases where we needed to get a domain online >quickly for one reason or another. Usually it revolves around the >marketing department not being in-touch with the rest of the company >and the wrong/misspelled domain name ends up in a print/radio/tv ad >that is about to go to thousands of people and cannot be changed. We >end up having to go get the name that is in the ad and get it active as >quickly as possible. Been there. But it's rare enough in real life that I'd happily waive the right for full refund return for immediate domain publishing. Maybe marketing would learn to spell after a few costly mistakes. Any other domain registrations getting a 3 day wait before publishing can have a more lenient return policy, maybe with a small processing fee. That's not unreasonable, and has something for the registrars. And grandma would be able to correct her typo, and the regstrars would have time to check grandma's credit card, since she's so typo-prone. >Personally I'm all for things working as quickly as possible, and I'm >all for being able to "return" a domain within a reasonable time if >needed. 
Perhaps it would be better to allow for domain returns, but >shorten the time limit to 24 hours. That should be long enough to >catch a typo, but too short to be much use for traffic tasting. > > >-Justin Scott | GravityFree > Network Administrator > >1960 Stickney Point Road, Suite 210 >Sarasota | FL | 34231 | 800.207.4431 >941.927.7674 x115 | f 941.923.5429 >www.GravityFree.com -- Ken Eddings, Hostmaster, IS&T, [EMAIL PROTECTED], [EMAIL PROTECTED] Work:+1 408 974-4286, Cell: +1 408 425-3639, Fax: +1 408 974-3103 Apple Computer, Inc., 1 Infinite Loop, M/S 60-MS Cupertino, CA 95014 The Prudent Mariner never relies solely on any single aid to navigation.
Re: [policy] When Tech Meets Policy...
-- Carl Karsten <[EMAIL PROTECTED]> wrote:

>Oddly enough I am in possession of 20+ free samples that were the left
>overs from a hand out, and I was cleaning up the place. pretty sure I
>did not break any laws. I know that isn't what you meant, but it is
>what you said. One of the tricky parts about law is defining it. If
>you can't define it, it is really hard to make it illegal.
>

It's called "gaming the system".

While not expressly illegal (IANAL), it damned well should be.

- ferg

p.s. I realize that "closing the loop" on this behavior could result in more badness, and in fact a certain "tragedy of the commons". This is where we find ourselves, apparently.

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
RE: [policy] When Tech Meets Policy...
> Maybe marketing would learn to spell after a few costly mistakes. Any policy strategy that relies on marketing people learning to spell is flawed from the outset. Domain tasting is a real problem. 1 year domain registrations are cheap. Who then does the waiting period benefit? (hint: not grandma) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Eddings Sent: Tuesday, 14 August 2007 7:46 AM To: nanog@merit.edu Subject: RE: [policy] When Tech Meets Policy... At 4:32 PM -0400 8/13/07, Justin Scott wrote: > > Do people really not plan that far ahead, that they >> need brand new domain names to be active (not just >> reserved) within seconds? > >I can say from my experience working in a web development environment, >yes. I can recall several cases where we needed to get a domain online >quickly for one reason or another. Usually it revolves around the >marketing department not being in-touch with the rest of the company >and the wrong/misspelled domain name ends up in a print/radio/tv ad >that is about to go to thousands of people and cannot be changed. We >end up having to go get the name that is in the ad and get it active as >quickly as possible. Been there. But it's rare enough in real life that I'd happily waive the right for full refund return for immediate domain publishing. Maybe marketing would learn to spell after a few costly mistakes. Any other domain registrations getting a 3 day wait before publishing can have a more lenient return policy, maybe with a small processing fee. That's not unreasonable, and has something for the registrars. And grandma would be able to correct her typo, and the regstrars would have time to check grandma's credit card, since she's so typo-prone. >Personally I'm all for things working as quickly as possible, and I'm >all for being able to "return" a domain within a reasonable time if >needed. Perhaps it would be better to allow for domain returns, but >shorten the time limit to 24 hours. 
That should be long enough to >catch a typo, but too short to be much use for traffic tasting. > > >-Justin Scott | GravityFree > Network Administrator > >1960 Stickney Point Road, Suite 210 >Sarasota | FL | 34231 | 800.207.4431 >941.927.7674 x115 | f 941.923.5429 >www.GravityFree.com -- Ken Eddings, Hostmaster, IS&T, [EMAIL PROTECTED], [EMAIL PROTECTED] Work:+1 408 974-4286, Cell: +1 408 425-3639, Fax: +1 408 974-3103 Apple Computer, Inc., 1 Infinite Loop, M/S 60-MS Cupertino, CA 95014 The Prudent Mariner never relies solely on any single aid to navigation.
Re: [policy] When Tech Meets Policy...
-- Marshall Eubanks <[EMAIL PROTECTED]> wrote:

>On Aug 14, 2007, at 12:19 AM, Paul Ferguson wrote:
>
>> I was just struck by a couple of statistics:
>>
>> [snip]
>>
>> In January 2007, according to PIR five registrars deleted 1,773,910
>> domain names during the grace period and retained 10,862. That same
>> month, VeriSign reported that among top ten registrars, 95% of all
>> deleted .COM and .Net domain names were the result of domain tasting.
>
>So, if they charged a $ 1 "return fee," they would either
>
>- produce revenues of several million USD per month (unlikely) or
>- cut domain tasting by about 2 orders of magnitude.

... or both.

I think I could live with that, all things being equal.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
At 6:45 PM -0500 8/13/07, Carl Karsten wrote:
>Ken Eddings wrote:
>>At 4:32 PM -0400 8/13/07, Justin Scott wrote:
>>>> Do people really not plan that far ahead, that they
>>>> need brand new domain names to be active (not just
>>>> reserved) within seconds?
>>>
>>>I can say from my experience working in a web development environment,
>>>yes. I can recall several cases where we needed to get a domain online
>>>quickly for one reason or another. Usually it revolves around the
>>>marketing department not being in-touch with the rest of the company and
>>>the wrong/misspelled domain name ends up in a print/radio/tv ad that is
>>>about to go to thousands of people and cannot be changed. We end up
>>>having to go get the name that is in the ad and get it active as quickly
>>>as possible.
>>
>>Been there. But it's rare enough in real life that I'd happily waive the
>>right for full refund return for immediate domain publishing. Maybe
>>marketing would learn to spell after a few costly mistakes.
>>
>>Any other domain registrations getting a 3 day wait before publishing can
>>have a more lenient return policy, maybe with a small processing fee. That's
>>not unreasonable, and has something for the registrars.
>>
>>And grandma would be able to correct her typo, and the registrars would have
>>time to check grandma's credit card, since she's so typo-prone.
>
>I am not sure if this is what you are saying, but here is what just came to
>mind:
>
>2 choices, same price:
>
>1. instant, no refund.
>2. 3 day hold, not active, but refundable till the point it goes live.
>
>I also just noticed something that doesn't seem to have been brought up: by
>registering, wait, refund, repeat - you can sit on a name for free. (under
>both current and my proposed.) To prevent this we need a small processing fee.
>
>Carl K

Correct. People that make mistakes can be accommodated. People that make lots of mistakes start covering the costs of lots of corrections, and legitimate rush registrations can be paid for; mistakes here would cost more.

I remember NetSol charging rush fees and that was before private registrations would let quick domain launches happen in a more controlled manner.

--
Ken Eddings, Hostmaster, IS&T, [EMAIL PROTECTED], [EMAIL PROTECTED]
Work:+1 408 974-4286, Cell: +1 408 425-3639, Fax: +1 408 974-3103
Apple Computer, Inc., 1 Infinite Loop, M/S 60-MS Cupertino, CA 95014
The Prudent Mariner never relies solely on any single aid to navigation.
Re: [policy] When Tech Meets Policy...
David Schwartz wrote:

> > That doesn't make anything criminal or fraud any more than free
> > samples. If a registrar wants to give a refund, I don't see
> > anything wrong with that.
>
> It is certainly fraud to take an entire pile of free samples.

can you cite how that law reads?

Oddly enough I am in possession of 20+ free samples that were the left overs from a hand out, and I was cleaning up the place. pretty sure I did not break any laws. I know that isn't what you meant, but it is what you said. One of the tricky parts about law is defining it. If you can't define it, it is really hard to make it illegal.

> Domain tasting is more like buying a plasma TV to watch the big game
> and then returning it to the store on Monday.

Which is also like buying a TV and not being satisfied with it and making use of the store's generous return policy. pretty sure not fraud.

> However, when it's as blatant and obvious as it is now (more tasted
> domains than legitimate registrations), and no policies are made to
> stop it despite it being so easy to do so

I don't think it is "so easy."

> (simply limit the number of refunded domains to 10% of registrations

I don't know what you mean.

> or charge a 20 cent fee for refunded domains),

Didn't someone already shoot this down? something about consumer protection.

> you can argue that it's now an understood and accepted practice.

don't have to.

> It's not fraud if both parties know it's going to happen, can easily
> act to stop it, and neither one chooses to.

um, not fraud?
RE: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, David Schwartz wrote: > > > > That doesn't make anything criminal or fraud any more than free > > samples. If a > > registrar wants to give a refund, I don't see anything wrong with that. > > It is certainly fraud to take an entire pile of free samples. Domain tasting > is more like buying a plasma TV to watch the big game and then returning it > to the store on Monday. and there's a way stores that care fix this problem: restock fee. Also, this is a store-by-store policy, not 'all stores world wide, despite their laws in-country' policy. The difference is more than subtle. > > However, when it's as blatant and obvious as it is now (more tasted domains > than legitimate registrations), and no policies are made to stop it despite > it being so easy to do so (simply limit the number of refunded domains to > 10% of registrations or charge a 20 cent fee for refunded domains), you can > argue that it's now an understood and accepted practice. > I think that this won't get fixed unless ICANN changes the policy...Registries don't have any incentive to fix things until then, and registrars aren't going to get to changing something that's making them money are they? -Chris
Re: [policy] When Tech Meets Policy...
On Aug 14, 2007, at 12:19 AM, Paul Ferguson wrote:

> I was just struck by a couple of statistics:
>
> [snip]
>
> In January 2007, according to PIR five registrars deleted 1,773,910
> domain names during the grace period and retained 10,862. That same
> month, VeriSign reported that among top ten registrars, 95% of all
> deleted .COM and .Net domain names were the result of domain tasting.

So, if they charged a $ 1 "return fee," they would either

- produce revenues of several million USD per month (unlikely) or
- cut domain tasting by about 2 orders of magnitude.

This seems like one problem with a simple solution. I am sure that someone will rapidly tell me why it won't work, but in an era when an airline will charge you $ 40 to $ 200 USD to correct a typo, I don't see why this is excessive.

Regards
Marshall

> [snip]
>
> http://www.informationweek.com/management/showArticle.jhtml?articleID=201500223
>
> Having said that, Jay Westerdal mentioned on Sunday that:
>
> [snip]
>
> Today was the largest Domain Tasting day ever. We recorded over 8
> Million Transactions today. This is a new high. We have never seen 8
> Million transactions on one day before. That would be either an add or
> delete. Over 99 percent of these transactions are completely free and
> use the 5 day grace period to test domain names for traffic before
> they are purchase for a long term buy.
>
> [snip]
>
> http://blog.domaintools.com/2007/08/biggest-domain-tasting-day-ever/
>
> Although I'm not sure all of that 8M+ were actual "tasted", it does
> represent an astronomical number of registrations.
>
> Just a couple of data points.
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Douglas Otis wrote:

>
> On Aug 13, 2007, at 2:01 PM, Carl Karsten wrote:
>
> > I am not sure tasting is criminal or fraud.
>
> Tracking domain related crime is hindered by the millions of domains
> registered daily for "domain tasting." Unregistered domains likely
> to attract errant lookups will not vary greatly from unregistered
> domains useful for phishing. The large flux in domain names
> significantly inhibits anti-phishing efforts.

maybe I'm just thick, but how exactly does tasting inhibit anti-phishing efforts? There are several studies that show no matter the content of the URL or displayed URL people still click on the links in email... So, whether it's 'bankofamerica.com' or 'banksofamericas.com' isn't really relevant to the clickers :(

Phishing seems like the current 'bad thing' that people want to use as a hammer against all perceived badness, even where it doesn't seem to fit.

>
> Although some may see delays in publishing as problematic, often
> domain facilitated crime depends upon the milli-second publishing
> rapidity used to evade protective strategies. A publishing process
> that offers notification will allow protection services a means to
> stay ahead of criminals. Exceptions could be granted on an exigent
> or emergency basis, where of course additional fees might be required.
>

I agree that some sort of 'expedite' fee would be fine, I'm not sure I like the 'notification service' though... what if I have a new product launch I need to protect PR-wise? why would I want to release that anytime before the launch date/time?

-Chris
Re: [policy] When Tech Meets Policy...
Douglas Otis wrote:

> On Aug 13, 2007, at 2:01 PM, Carl Karsten wrote:
>
> > I am not sure tasting is criminal or fraud.
>
> Tracking domain related crime is hindered by the millions of domains registered daily for "domain tasting." Unregistered domains likely to attract errant lookups will not vary greatly from unregistered domains useful for phishing. The large flux in domain names significantly inhibits anti-phishing efforts.

doesn't make it criminal or fraud, unless you can prove the intent was to hinder law enforcement. good luck with that.

> Although some may see delays in publishing as problematic, often domain facilitated crime depends upon the milli-second publishing rapidity used to evade protective strategies. A publishing process that offers notification will allow protection services a means to stay ahead of criminals. Exceptions could be granted on an exigent or emergency basis, where of course additional fees might be required.

"exigent or emergency" sounds like someone would have to approve/deny the request. One of 2 things will have to happen:

1) spikes in number of requests per day will overwhelm the staff, and "emergency" requests will go unanswered for days.
2) a huge staff will have to be paid to be standing by and normally not doing anything, just to cover the spikes.

and the chance of only having just enough to cover the spikes is slim to none, so either #1 will happen anyway, (just not as often) or the staff will be extra huge such that it is always underutilized, even during the highest spikes.

> Just as background checks are normally part of the hand gun trade, a background check should be normally part of the domain trade.

see my other post (doesn't scale)

> Many are deceived by "cousin" domains frequently used in crimes netting billions in losses. Money garnered by capturing errant domain entries can not justify criminal losses that are likely to have been otherwise prevented. Domain tasting is worse than a disgrace.

you lost me on this one.
This is sounding like "People Vs Larry Flynt" where he says "you don't have to like my magazine, but you do have to let me publish it." I am not saying tasting is a free speech thing, but I do see it as something currently legal, and don't see a way to make it a crime without adversely affecting the rest of the system.

> For domains to play any role in securing email, a published MX record should become a necessary acceptance requirement. Using MX records also consolidates policy locales which mitigates some DDoS concerns.

I think it is too late to try to reform e-mail. but I am curious how you think this would be implemented in the existing system.

Carl K
RE: [policy] When Tech Meets Policy...
> That doesn't make anything criminal or fraud any more than free samples. If a registrar wants to give a refund, I don't see anything wrong with that.

It is certainly fraud to take an entire pile of free samples. Domain tasting is more like buying a plasma TV to watch the big game and then returning it to the store on Monday.

However, when it's as blatant and obvious as it is now (more tasted domains than legitimate registrations), and no policies are made to stop it despite it being so easy to do so (simply limit the number of refunded domains to 10% of registrations or charge a 20 cent fee for refunded domains), you can argue that it's now an understood and accepted practice.

It's not fraud if both parties know it's going to happen, can easily act to stop it, and neither one chooses to.

DS
Re: [policy] When Tech Meets Policy...
On 8/14/07, Carl Karsten <[EMAIL PROTECTED]> wrote:

> That doesn't make anything criminal or fraud any more than free samples. If a registrar wants to give a refund, I don't see anything wrong with that.

As John Levine once said - it's like running a wholesale ketchup business by picking up all the tiny plastic packets of ketchup at fast food stores ..

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: [policy] When Tech Meets Policy...
On Aug 13, 2007, at 2:01 PM, Carl Karsten wrote:

> I am not sure tasting is criminal or fraud.

Tracking domain related crime is hindered by the millions of domains registered daily for "domain tasting." Unregistered domains likely to attract errant lookups will not vary greatly from unregistered domains useful for phishing. The large flux in domain names significantly inhibits anti-phishing efforts.

Although some may see delays in publishing as problematic, often domain facilitated crime depends upon the milli-second publishing rapidity used to evade protective strategies. A publishing process that offers notification will allow protection services a means to stay ahead of criminals. Exceptions could be granted on an exigent or emergency basis, where of course additional fees might be required.

Just as background checks are normally part of the hand gun trade, a background check should be normally part of the domain trade.

Many are deceived by "cousin" domains frequently used in crimes netting billions in losses. Money garnered by capturing errant domain entries can not justify criminal losses that are likely to have been otherwise prevented. Domain tasting is worse than a disgrace.

For domains to play any role in securing email, a published MX record should become a necessary acceptance requirement. Using MX records also consolidates policy locales which mitigates some DDoS concerns.

-Doug
Re: [policy] When Tech Meets Policy...
J Bacher wrote:

> Carl Karsten wrote:
>
> > > That is, if you extend domains on credit w/o any useful accountability of the buyer and this results in a pattern of criminality then the liability for that fraud should be shared by the seller.
> >
> > I am not sure tasting is criminal or fraud.
>
> You got what you ordered. You used it. You pay for it. It's that simple.

That doesn't make anything criminal or fraud any more than free samples. If a registrar wants to give a refund, I don't see anything wrong with that.

It is not even close to that simple,

Carl K
Re: [policy] When Tech Meets Policy...
I was just struck by a couple of statistics:

[snip]

In January 2007, according to PIR five registrars deleted 1,773,910 domain names during the grace period and retained 10,862. That same month, VeriSign reported that among top ten registrars, 95% of all deleted .COM and .Net domain names were the result of domain tasting.

[snip]

http://www.informationweek.com/management/showArticle.jhtml?articleID=201500223

Having said that, Jay Westerdal mentioned on Sunday that:

[snip]

Today was the largest Domain Tasting day ever. We recorded over 8 Million Transactions today. This is a new high. We have never seen 8 Million transactions on one day before. That would be either an add or delete. Over 99 percent of these transactions are completely free and use the 5 day grace period to test domain names for traffic before they are purchased for a long term buy.

[snip]

http://blog.domaintools.com/2007/08/biggest-domain-tasting-day-ever/

Although I'm not sure all of that 8M+ were actual "tasted", it does represent an astronomical number of registrations.

Just a couple of data points.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
Ken Eddings wrote:

> At 4:32 PM -0400 8/13/07, Justin Scott wrote:
>
> > > Do people really not plan that far ahead, that they need brand new domain names to be active (not just reserved) within seconds?
> >
> > I can say from my experience working in a web development environment, yes. I can recall several cases where we needed to get a domain online quickly for one reason or another. Usually it revolves around the marketing department not being in-touch with the rest of the company and the wrong/misspelled domain name ends up in a print/radio/tv ad that is about to go to thousands of people and cannot be changed. We end up having to go get the name that is in the ad and get it active as quickly as possible.
>
> Been there. But it's rare enough in real life that I'd happily waive the right for full refund return for immediate domain publishing. Maybe marketing would learn to spell after a few costly mistakes.
>
> Any other domain registrations getting a 3 day wait before publishing can have a more lenient return policy, maybe with a small processing fee. That's not unreasonable, and has something for the registrars. And grandma would be able to correct her typo, and the registrars would have time to check grandma's credit card, since she's so typo-prone.

I am not sure if this is what you are saying, but here is what just came to mind:

2 choices, same price:

1. instant, no refund.
2. 3 day hold, not active, but refundable till the point it goes live.

I also just noticed something that doesn't seem to have been brought up: by registering, wait, refund, repeat - you can sit on a name for free. (under both current and my proposed.) To prevent this we need a small processing fee.

Carl K
Re: [policy] When Tech Meets Policy...
Carl Karsten wrote:

> > That is, if you extend domains on credit w/o any useful accountability of the buyer and this results in a pattern of criminality then the liability for that fraud should be shared by the seller.
>
> I am not sure tasting is criminal or fraud.

You got what you ordered. You used it. You pay for it. It's that simple.
Re: [policy] When Tech Meets Policy...
-- Roland Dobbins <[EMAIL PROTECTED]> wrote:

> There's a case to be made that a policy which results in organizations registering and owning domain names which are close to the intended domain name but represent a common typographical transition is desirable from a security standpoint . . .

I don't think anyone could reasonably question the legitimacy for someone like, say, Google, registering "gogle.com" or "goggle.com".

It should raise eyebrows, however, if "goggle.com" was registered to RBusiness Network. Or "allitalia.org", etc.

You get the idea.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
Re: [policy] When Tech Meets Policy...
On Aug 13, 2007, at 4:58 PM, [EMAIL PROTECTED] wrote:

> On Mon, 13 Aug 2007 19:52:37 -, "Chris L. Morrow" said:
>
> > I'm really not sure, but I can imagine a slew of issues where 'marketting' doesn't plan properly and corp-ID/corp-branding end up trying to register and make-live a domain at the 11th hour...
>
> "Failure to plan ahead on your part doesn't mean a crisis on my part".
>
> What happened to suits who failed to plan ahead *before* we had the Internet?

I suspect that most of the suits from the late 1960's have retired or worse by this point, regardless of their foresight-fulness.

Regards
Marshall
Re: [policy] When Tech Meets Policy...
On Aug 13, 2007, at 2:06 PM, Chris L. Morrow wrote:

> why don't the equivalent 'domain tasters' on the phone side exploit the ability to sign up 1-8XX numbers like mad and send the calls to their ad-music call centers?

1. Maybe they do. ;>

2. People tend to be much more careful about punching numbers into a telephone than typing words on a keyboard, I think. There's also not a conceptual conflation of common typo mistakes with common telephone number transpositions, I don't think (i.e., I'm unsure there's any such thing as a common number transposition, while there certainly is with linguistic constructs such as letters).

---
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company
RE: [policy] When Tech Meets Policy...
At 4:32 PM -0400 8/13/07, Justin Scott wrote:

> > Do people really not plan that far ahead, that they need brand new domain names to be active (not just reserved) within seconds?
>
> I can say from my experience working in a web development environment, yes. I can recall several cases where we needed to get a domain online quickly for one reason or another. Usually it revolves around the marketing department not being in-touch with the rest of the company and the wrong/misspelled domain name ends up in a print/radio/tv ad that is about to go to thousands of people and cannot be changed. We end up having to go get the name that is in the ad and get it active as quickly as possible.

Been there. But it's rare enough in real life that I'd happily waive the right for full refund return for immediate domain publishing. Maybe marketing would learn to spell after a few costly mistakes.

Any other domain registrations getting a 3 day wait before publishing can have a more lenient return policy, maybe with a small processing fee. That's not unreasonable, and has something for the registrars. And grandma would be able to correct her typo, and the registrars would have time to check grandma's credit card, since she's so typo-prone.

> Personally I'm all for things working as quickly as possible, and I'm all for being able to "return" a domain within a reasonable time if needed. Perhaps it would be better to allow for domain returns, but shorten the time limit to 24 hours. That should be long enough to catch a typo, but too short to be much use for traffic tasting.
>
> -Justin Scott | GravityFree
> Network Administrator
>
> 1960 Stickney Point Road, Suite 210
> Sarasota | FL | 34231 | 800.207.4431
> 941.927.7674 x115 | f 941.923.5429
> www.GravityFree.com

--
Ken Eddings, Hostmaster, IS&T, [EMAIL PROTECTED], [EMAIL PROTECTED]
Work: +1 408 974-4286, Cell: +1 408 425-3639, Fax: +1 408 974-3103
Apple Computer, Inc., 1 Infinite Loop, M/S 60-MS Cupertino, CA 95014
The Prudent Mariner never relies solely on any single aid to navigation.
Re: [policy] When Tech Meets Policy...
Or perhaps domains can be on-line instantly for a $100 non-refundable "rush" fee, or be cheaper and more refundable if you don't mind waiting longer (long enough to fix the tasting issues)

And yes, I suppose ICANN or similar would have to collect or mandate the costs for it to affect all areas of the problem?

On 8/13/07, Dorn Hetzel <[EMAIL PROTECTED]> wrote:

> Yes, if grandma ordered a sign printed one way, and proofread it, and agreed to pay for it, and the printer printed it, then the printer is normally going to want money to make another different sign. If grandma, or anyone else, orders a domain, and confirms that's the domain they want, and gets it activated, then they should pay at least the first year's fee, no matter what...
>
> On 8/13/07, Carl Karsten <[EMAIL PROTECTED]> wrote:
>
> > > The real way to get rid of tasting would be to persuade Google and Yahoo/Overture to stop paying for clicks on pages with no content other than ads, but that would be far too reasonable.
> >
> > I don't see a practical way to enforce it.
> >
> > I believe the Net is an unstable system that will eventually be rendered useless by spam/etc. It is a cheap unlimited resource - you pay for your connection, and you get access to things you are in no way paying for. I don't see a way to fix it.
> >
> > Carl K
Re: [policy] When Tech Meets Policy...
Yes, if grandma ordered a sign printed one way, and proofread it, and agreed to pay for it, and the printer printed it, then the printer is normally going to want money to make another different sign. If grandma, or anyone else, orders a domain, and confirms that's the domain they want, and gets it activated, then they should pay at least the first year's fee, no matter what...

On 8/13/07, Carl Karsten <[EMAIL PROTECTED]> wrote:

> > The real way to get rid of tasting would be to persuade Google and Yahoo/Overture to stop paying for clicks on pages with no content other than ads, but that would be far too reasonable.
>
> I don't see a practical way to enforce it.
>
> I believe the Net is an unstable system that will eventually be rendered useless by spam/etc. It is a cheap unlimited resource - you pay for your connection, and you get access to things you are in no way paying for. I don't see a way to fix it.
>
> Carl K
Re: [policy] When Tech Meets Policy...
On Aug 13, 2007, at 1:32 PM, Justin Scott wrote:

> Usually it revolves around the marketing department not being in-touch with the rest of the company and the wrong/misspelled domain name ends up in a print/radio/tv ad that is about to go to thousands of people and cannot be changed.

There's a case to be made that a policy which results in organizations registering and owning domain names which are close to the intended domain name but represent a common typographical transition is desirable from a security standpoint . . .

---
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Carl Karsten wrote:

> Assuming a change takes place (which I doubt, but will ignore) I bet a small non refundable fee (like $1) would drastically reduce the problem.

I agree that somehow you have to increase the cost to the 'tasters' without hurting joe-six-pack. I think I've said that from the beginning. So, there have been several options discussed do we add that to the ICANN discussion as options for them to pursue?

-Chris
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007 [EMAIL PROTECTED] wrote:

> On Mon, 13 Aug 2007 19:52:37 -, "Chris L. Morrow" said:
>
> > I'm really not sure, but I can imagine a slew of issues where 'marketting' doesn't plan properly and corp-ID/corp-branding end up trying to register and make-live a domain at the 11th hour...
>
> "Failure to plan ahead on your part doesn't mean a crisis on my part".

that's fine in theory, in practice it just doesn't work so well :(

> What happened to suits who failed to plan ahead *before* we had the Internet?

less spectacular failure? :) I really don't know, I imagine this sort of thing happened with 1-800 numbers for customer support type things.

Say, speaking of 1-800 things, how does that system work? why don't the equivalent 'domain tasters' on the phone side exploit the ability to sign up 1-8XX numbers like mad and send the calls to their ad-music call centers?
Re: [policy] When Tech Meets Policy...
Barry Shein wrote:

> On August 13, 2007 at 10:11 [EMAIL PROTECTED] (Douglas Otis) wrote:
>
> > On Aug 12, 2007, at 6:41 AM, John Levine wrote:
> >
> > > The problems with domain tasting more affect web users, with vast number of typosquat parking pages flickering in and out of existence.
> >
> > Domain tasting clearly affects assessments based upon domains. With millions added and removed daily as part of "no cost" domain tasting programs, the number of transitioning domains has been increased by an order of magnitude. Many of these new domains often appear as possible phishing domains. The high number of tasting domains obscures which are involved in criminal activities. This high number also makes timely notification of possible threats far less practical.
>
> This sort of chain of reasoning, one behavior for one purpose might sometimes be a more insidious behavior for other purposes, makes me nervous. I just think it's a treacherous way to make policy, except in extreme cases.
>
> Then again I'm not particularly bugged by people who run these ad-only sites. Seems to me that's between them and the advertisers who pay them so long as it's not inherently criminal. And where it is criminal that should be dealt with, take any advertising medium in existence and you'll find a percentage of fraud.
>
> The real sin here is indicated by the terminology, "domain tasting". Domains should be paid for in advance, not necessarily "by law", but by liability.
>
> That is, if you extend domains on credit w/o any useful accountability of the buyer and this results in a pattern of criminality then the liability for that fraud should be shared by the seller.

I am not sure tasting is criminal or fraud.

> This would not be unique, there are lots of real world examples (e.g., if you rented cars for cash and asked for no id's and they were often used in crimes...)

The car rental example falls apart: no ID = no way to track you down if you don't return the car.
I don't believe there are any real world examples, where "real world" deals with anything physical. I think this problem only exists in the electronic world, where what is being bought and sold is just a few bytes in a database.

Carl K
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007 19:52:37 -, "Chris L. Morrow" said:

> I'm really not sure, but I can imagine a slew of issues where 'marketting' doesn't plan properly and corp-ID/corp-branding end up trying to register and make-live a domain at the 11th hour...

"Failure to plan ahead on your part doesn't mean a crisis on my part".

What happened to suits who failed to plan ahead *before* we had the Internet?
RE: [policy] When Tech Meets Policy...
> Do people really not plan that far ahead, that they need brand new domain names to be active (not just reserved) within seconds?

I can say from my experience working in a web development environment, yes. I can recall several cases where we needed to get a domain online quickly for one reason or another. Usually it revolves around the marketing department not being in-touch with the rest of the company and the wrong/misspelled domain name ends up in a print/radio/tv ad that is about to go to thousands of people and cannot be changed. We end up having to go get the name that is in the ad and get it active as quickly as possible.

Personally I'm all for things working as quickly as possible, and I'm all for being able to "return" a domain within a reasonable time if needed. Perhaps it would be better to allow for domain returns, but shorten the time limit to 24 hours. That should be long enough to catch a typo, but too short to be much use for traffic tasting.

-Justin Scott | GravityFree
Network Administrator

1960 Stickney Point Road, Suite 210
Sarasota | FL | 34231 | 800.207.4431
941.927.7674 x115 | f 941.923.5429
www.GravityFree.com
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, William Herrin wrote:

> Chris,
>
> Suggestion B in ICANN's information request was:
>
> "making the ICANN annual transaction fee (currently 0.20 USD per year) apply to names deleted during the [5-day Add Grace Period],"
>
> Wouldn't this essentially end the bad-behavior domain tasting without hurting grandma-jones with her typo?

This would incur a 20 cent/domain fee for return of the domain inside the grace period, yes? that would add a slow drain to the taster's pocketbooks, is that slow-drain enough to make tasting less profitable? or 'not profitable'? If so, then yes probably it'd slow tasting or end it.

I don't think that a 'processing fee' is abnormal on returned items so that might even sit well enough with grandma-jones (in my example).

> And if it was still profitable to taste domain names, wouldn't it pump so much money into ICANN that they could lower the annual fees for the rest of us?

hey lookie, a nice side effect :)
Re: [policy] When Tech Meets Policy...
Chris L. Morrow wrote:

> On Mon, 13 Aug 2007, Steve Atkins wrote:
>
> > On Aug 13, 2007, at 11:03 AM, Chris L. Morrow wrote:
> >
> > > So, to be clear folks want to make it much more difficult for grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com right?
> >
> > If grandma-jones orders custom stationery and doesn't manage to spell her name correctly, she'll end up with misspelled stationery. The main difference is that a misspelled domain name is likely to be a much cheaper mistake than misspelled stationery.
>
> I picked one example, there have been plenty of examples in the past of folks just barely able to come up with 7$/yr for domain registration and using donated hosting for their non-profit thing. I think the root issue is: there is consumer protection today in the purchase system, do we want to remove that in the future. Or do we want to find another method to crack down on this problem without hurting consumers?

Assuming a change takes place (which I doubt, but will ignore) I bet a small non refundable fee (like $1) would drastically reduce the problem.

Carl K
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Sean Donelan wrote:

> Do people really not plan that far ahead, that they need brand new domain names to be active (not just reserved) within seconds?

I'm really not sure, but I can imagine a slew of issues where 'marketting' doesn't plan properly and corp-ID/corp-branding end up trying to register and make-live a domain at the 11th hour...

This also seems like the quick/easy fix. I'm not against any particular fix, but people need to understand (and Sean you probably do, as does Doug I suspect) what the implications of these design changes are and who'd be affected.

-Chris
Re: [policy] When Tech Meets Policy...
> but today that provision is: If you buy a domain you have 5 days to 'return' it. The reason behind the return could be: "oops, I typo'd"

Fine, I don't recall that being the case previously so someone thought to introduce it

> "hurray, please refund me for the 1M domains I bought 4.99 days ago!". The 'protect the consumer' problem is what's enabling tasting.

but it's not rocket science to see this simple abuse nor to stop it

"one mistake, fine. N mistakes? better take more care, sorry"

Sounds like poor management, they can easily redeem the situation by changing the rules again. Why haven't they? This is now sounding like willful negligence

brandon
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Chris L. Morrow wrote:

> but today that provision is: If you buy a domain you have 5 days to 'return' it. The reason behind the return could be: "oops, I typo'd" or "hurray, please refund me for the 1M domains I bought 4.99 days ago!". The 'protect the consumer' problem is what's enabling tasting.

So combine these ideas with the possibility that someone will claim various consumer protection laws apply to these transactions and want to cancel the contract within three days.

Instead, why don't we have a three day waiting period when the domain is "reserved" but not active. Grandma could notice her typo, credit card processors could notice fake card numbers, and so on and rescind the registration. After three days the sale is "final." Only then the name is made active in the zone files.

Do people really not plan that far ahead, that they need brand new domain names to be active (not just reserved) within seconds?
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Steve Atkins wrote:

> On Aug 13, 2007, at 11:03 AM, Chris L. Morrow wrote:
>
> > So, to be clear folks want to make it much more difficult for grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com right?
>
> If grandma-jones orders custom stationery and doesn't manage to spell her name correctly, she'll end up with misspelled stationery. The main difference is that a misspelled domain name is likely to be a much cheaper mistake than misspelled stationery.

I picked one example, there have been plenty of examples in the past of folks just barely able to come up with 7$/yr for domain registration and using donated hosting for their non-profit thing. I think the root issue is: there is consumer protection today in the purchase system, do we want to remove that in the future. Or do we want to find another method to crack down on this problem without hurting consumers?

> A question to the registrars here: What fraction of legitimate domain registrations are reversed because the customer didn't know how to spell, and noticed that within the five day "dictionary time"?

I know that I've made one reversal... but maybe I was being picky :)
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Carl Karsten wrote:

> > So, to be clear folks want to make it much more difficult for grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com right?
>
> Not just that, they want registrars to take a revenue cut.
>
> I am assuming that
> A. a registrar would get less business being "less forgiving" than others.
> B. a registrar gets revenue from tasted domains that taste good.

I think the policy change would most likely be at the ICANN level or perhaps at the registry level. I got the impression that the current policy 'loophole' was at the registry or ICANN level already. So, this would probably

> I see no financial incentive for a registrar to change their policy.

because they are often part of the tasting ... so they don't want to cut off their revenue stream, which in no way touches grandma-jones and her typo'd domain purchase, fyi.
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, Douglas Otis wrote:

> On Aug 13, 2007, at 11:03 AM, Chris L. Morrow wrote:
>
> > So, to be clear folks want to make it much more difficult for grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com right?
>
> Grandma will still need to make a payment for the domain. Grandma is also unlikely to find a clause in her contract which removes a payment obligation after a few days. Provisions that enable domain tasting are unlikely to benefit individuals.

but today that provision is: If you buy a domain you have 5 days to 'return' it. The reason behind the return could be: "oops, I typo'd" or "hurray, please refund me for the 1M domains I bought 4.99 days ago!". The 'protect the consumer' problem is what's enabling tasting.
Re: [policy] When Tech Meets Policy...
On Aug 13, 2007, at 11:03 AM, Chris L. Morrow wrote:

> On Mon, 13 Aug 2007, John C. A. Bambenek wrote:
>
> > That's exactly the problem "the goal of tasting is to collect pay per click ad revenue"...
> >
> > Ten years ago the internet was for porn, now it's for MLM/Affiliate/PPC scams. As long as we put up with companies abusing the Internet as long as they are making a buck, they'll keep doing it.
>
> to be very clear, this 'domain tasting' (no matter if you like it or not) is just using a 'loophole' in the policy/purchase that's there for the safe guarding of normal folks. It just happens that you can decide within 5 days that you don't want a domain or 1 million domains...
>
> So, to be clear folks want to make it much more difficult for grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com right?

If grandma-jones orders custom stationery and doesn't manage to spell her name correctly, she'll end up with misspelled stationery. The main difference is that a misspelled domain name is likely to be a much cheaper mistake than misspelled stationery.

A question to the registrars here: What fraction of legitimate domain registrations are reversed because the customer didn't know how to spell, and noticed that within the five day "dictionary time"?

Cheers,
Steve
Re: [policy] When Tech Meets Policy...
Chris L. Morrow wrote:

> On Mon, 13 Aug 2007, John C. A. Bambenek wrote:
>
> > That's exactly the problem "the goal of tasting is to collect pay per click ad revenue"...
> >
> > Ten years ago the internet was for porn, now it's for MLM/Affiliate/PPC scams. As long as we put up with companies abusing the Internet as long as they are making a buck, they'll keep doing it.
>
> to be very clear, this 'domain tasting' (no matter if you like it or not) is just using a 'loophole' in the policy/purchase that's there for the safe guarding of normal folks. It just happens that you can decide within 5 days that you don't want a domain or 1 million domains...
>
> So, to be clear folks want to make it much more difficult for grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com right?

Not just that, they want registrars to take a revenue cut.

I am assuming that
A. a registrar would get less business being "less forgiving" than others.
B. a registrar gets revenue from tasted domains that taste good.

I see no financial incentive for a registrar to change their policy.

Carl K
Re: [policy] When Tech Meets Policy...
On Aug 13, 2007, at 11:03 AM, Chris L. Morrow wrote:

> So, to be clear folks want to make it much more difficult for
> grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com
> right?

Grandma will still need to make a payment for the domain. Grandma is also unlikely to find a clause in her contract which removes a payment obligation after a few days. Provisions that enable domain tasting are unlikely to benefit individuals.

-Doug
Re: [policy] When Tech Meets Policy...
> The real way to get rid of tasting would be to persuade Google and
> Yahoo/Overture to stop paying for clicks on pages with no content
> other than ads, but that would be far too reasonable.

I don't see a practical way to enforce it.

I believe the Net is an unstable system that will eventually be rendered useless by spam/etc. It is a cheap unlimited resource - you pay for your connection, and you get access to things you are in no way paying for. I don't see a way to fix it.

Carl K
Re: [policy] When Tech Meets Policy...
On Mon, 13 Aug 2007, John C. A. Bambenek wrote:

>
> That's exactly the problem "the goal of tasting is to collect pay
> per click ad revenue"...
>
> Ten years ago the internet was for porn, now it's for
> MLM/Affiliate/PPC scams. As long as we put up with companies abusing
> the Internet as long as they are making a buck, they'll keep doing it.

to be very clear, this 'domain tasting' (no matter if you like it or not) is just using a 'loophole' in the policy/purchase that's there for the safeguarding of normal folks. It just happens that you can decide within 5 days that you don't want a domain or 1 million domains...

So, to be clear folks want to make it much more difficult for grandma-jones to return the typo'd: mygramdkids.com for mygrandkids.com right?

-Chris
(yes, domain tasting is unlikeable)
Re: [policy] When Tech Meets Policy...
That's exactly the problem "the goal of tasting is to collect pay per click ad revenue"...

Ten years ago the internet was for porn, now it's for MLM/Affiliate/PPC scams. As long as we put up with companies abusing the Internet as long as they are making a buck, they'll keep doing it.

The scams will change, but they'll still be scamming.

On 12 Aug 2007 13:41:17 -, John Levine <[EMAIL PROTECTED]> wrote:

>
> > I'd like to but I don't know of a practical way to measure the
> > impact of domain tasting on my services: how can I do 6 million
> > whois lookups to analyse a day's logs to find what proportion of our
> > email comes "from" tasty domains?
>
> Probably not much. Domain tasting requires a registrar who is willing
> to handle millions of AGP refunds without charging the registrant,
> which effectively rules out anyone who isn't a registrar himself. The
> goal of tasting is to collect pay per click ad revenue, which requires
> that one have a stable enough identity to have Adsense et al pay you.
> Spam these days all comes from zombies with real but irrelevant return
> addresses, and the target URLs are more likely to be bought with
> stolen credit cards.
>
> The problems with domain tasting more affect web users, with vast
> number of typosquat parking pages flickering in and out of existence.
>
> The real way to get rid of tasting would be to persuade Google and
> Yahoo/Overture to stop paying for clicks on pages with no content
> other than ads, but that would be far too reasonable.
>
> R's,
> John