GAO Survey Finds 1 in 20 Domains Bogus

A survey by the U.S. Government Accountability Office finds 5 percent of .net, .org, and .com domain registrations are clearly fraudulent.

A new survey (PDF) of randomly selected domains in the .net, .org, and .com registries conducted by the U.S. Government Accountability Office found that the registry data for more than 5 percent of the domains was patently fake, raising concerns many of the domains are fronts for scammers, spammers, phishing gangs, or organized crime.

The report estimates that owner data published for some 2.31 million domains (5.14 percent of the domains registered in February 2005) used patently untrue information in its registration details, which can be obtained from registrars such as VeriSign via the WHOIS protocol or secured registration lookup services from online sites and other domain registrars. Many registrations use fake phone numbers (such as 999/999-9999), listed nonsense addresses, and invalid ZIP codes. The survey randomly pulled 300 domains each from the .net, .org zone files for inspection. As of February 2005, nearly 45 million domains were registered in those top-level domains.

An addition 1.64 million domain names (3.65 percent) are estimated to have incomplete information in one or more of the required fields.

ICANN and domain registrars are required to gather the following information from individuals or organizations registering domains in the .net, .org top-level domains:

• the names of the primary name server and any secondary name servers;
• the identity of the registrar
• the registrant’s name and postal address
• the name, postal address, electronic mail address, telephone number, and fax number (optional) for both the technical contact and the administrative contact for the domain name.

The GAO report, while careful to avoid incendiary and speculative language, nonetheless seems to overlook real-world reasons registrants might not provide complete or accurate lookup information. You don’t have to be running a phishing scam or be trying to hoodwink people into downloading your spyware: you might just want to sleep at night.

Currently, domain registrant information is made publicly available via the WHOIS mechanism. WHOIS was originally intended to enable site administrators to contact each other in the event of problems or technical difficulties; however, because there are very few checks on accessing the contact information, in recent years the WHOIS databases also become a frequently-exploited treasure-trove of contact information. If you register a domain and provide your real phone number, odds are good you’re going to receive phone calls