Hi Bruce,

thanks for clarifying those issues; greatly appreciated.

There may be another area which you could help.  I have a pile of letters
sitting around from last week, including a swag of them from Internet
Registrations Australia (I got two for each domain name which lists my
address - lucky me) which are the ones that include the following:

"Yes, please include my domain.
I authorise the domain management and submission of details to the
businesses.com.au directory for listing."

Now, if I tick the yes box on the Internet Registrations Australia offer and
send it back to them - or if I were to accept the ING or some other offer to
renew my domain name registration - could you perhaps clarify the process at
Melbourne IT when they're approached by IRA or ING or whoever?

When ING or whoever approaches Melbourne IT and says "we want to renew this
domain name" does Melbourne IT try and authenticate them in any way?  Or do
you take the (quite reasonable, I think) assumption that if they have the
money for the renewal, then they've most likely received payment from me for
this purpose, and its therefore OK to process the renewal?

If they wanted the domain name registry key, what would be the Melbourne IT
procedure?  Would you direct them to ask me, as I'm the Admin & Tech
contact?  Or are there circumstances in which Melbourne IT would provide the
domain name registry key to the entity paying for the domain name renewal?



Regards, Mark

Mark Hughes
Effective Business Applications Pty Ltd
effectivebusiness§pplications.com.au
www.pplications.com.au
+61 4 1374 3959



> -----Original Message-----
> From: Bruce Tonkin [mailto:Bruce.Tonkin§melbourneit.com.au]
> Sent: Thursday, 22 November 2001 17:58
> To: 'effectivebusiness§pplications.com.au'
> Cc: 'dns§auda.org.au'
> Subject: RE: [DNS] fresh bulk AUNIC data is out in the wild
>
>
> Hello Mark,
>
> >
> > 1. 'At any time in the past, (or at the present time), could
> > Melbourne IT's
> > authorised re-sellers access the expiry dates of domain names
> > for which they
> > were not the contact?'
>
> Yes, in the past resellers could access information about a domain name
> which included both the creation date and the expiry date.
>
> In May 2001 Melbourne IT implemented a policy and systems change requiring
> all expiry
> dates be obtained with a registry key. This was introduced to stop
> unauthorised access and improve security.
> All Resellers were advised and the change was made public through
> the media.
>
>
> In September 2001, we also removed access to the creation date (from which
> the expiry date is often deduced).
>
> >
> > 2. 'At any time in the past, (or at the present time), could
> > Melbourne IT's
> > authorised re-sellers access the address details in bulk
> > (i.e. download the
> > database or do unrestricted queries of the database to
> > collate the data) of
> > domain names for which they were not the contact?'
> >
>
> As far as I am aware, bulk access to the data has never been provided.
>
>
> At this stage the Creation Date available on AUNIC can allow an
> organisation
> to deduce the expiry date.  I recommend that the creation date be removed
> from the standard on-line query on AUNIC.  Where there is a legitimate
> reason (e.g a trademark attorney) for knowing the creation date
> of a domain
> name, this can be handled with a separate request to auDA
> (possibly with an
> administration fee associated with it to discourage data mining).
>
> In response to the general question of where resellers are obtaining their
> data, they can find the details of a domain name owner by sending single
> queries to either Melbourne IT or AUNIC.  In the case of AUNIC they can
> deduce the expiry date from the creation date (although these are
> not always
> synchronized).  Bulk information that was obtained last year via
> AUNIC, can
> at least give an organisation the list of domain names in
> existence at that
> time, and from there they can query the on-line databases to get
> more recent
> information.  More recent security breaches in AUNIC data earlier
> this year,
> may have allowed a more recent copy of the bulk information.
>
> I am interested to know of cases where new domain names that have been
> created say since July 2001 are subject to the unsolicited offers
> of domain
> name registration.
>
> Organisations can also obtain information about the existence of domain
> names by searching for ".com.au" websites using search engines,
> or reviewing
> publications such as yellow pages etc.  Once an organisation knows that a
> domain name exists, it can then query the AUNIC database to find
> details of
> the domain name registrant.  In the case of resellers, they can also query
> the Melbourne IT database for the same WHOIS information, but won't have
> access to creation or expiry dates without the registry key.
>
> Basically it is not hard to obtain sufficient information from a range of
> on-line databases to launch unsolicited email, fax, telephone etc
> campaigns.
> The restriction of bulk data can make it more difficult (ie the databases
> need to be data mined over time), but doesn't in the end stop the
> practice.
> At present the prices charged by those that use these types of approaches
> and the number of people that respond to these approaches, more
> than covers
> the costs of sending lots of notices.  We can at least limit access to
> creation and expiry information.
>
> Regards,
> Bruce Tonkin
>
> --
> This article is not to be reproduced or quoted beyond this forum without
> express permission of the author. 319 subscribers.
> Archived at http://listmaster.iinet.net.au/list/dns (user: dns, pass: dns)
> Email "unsubscribe" to dns-request§auda.org.au to be removed.
>
>

--
This article is not to be reproduced or quoted beyond this forum without
express permission of the author. 319 subscribers. 
Archived at http://listmaster.iinet.net.au/list/dns (user: dns, pass: dns)
Email "unsubscribe" to dns-request§auda.org.au to be removed.