WHOIS, how does it work, how is it harvested? Why is it a data breach under the GDPR?

Ever wondered why you get emails like the ones below?

  • Domain Notification for whatever.com : This is your Final Notice of Domain Listing
  • Or cheap hosting offers out of nowhere
  • Or tons of other spam?

That is because you registered a domain name and your Registrar has to publish your personal information through the so-called Port 43 WHOIS server.

A WHOIS server listens on TCP port 43 for requests from WHOIS clients. The WHOIS client makes a text request to the WHOIS server, then the WHOIS server replies with text content. All requests are terminated with ASCII CR and then ASCII LF. The response might contain more than one line of text, so the presence of ASCII CR or ASCII LF characters does not indicate the end of the response. The WHOIS server closes its connection as soon as the output is finished. The closed TCP connection is the indication to the client that the response has been received.

So basically it is a server that listens on port 43, in retrospect port 666 would have been more fitting. Every Registry and Registrar runs one.

How does it work? If you use MacOS open up the terminal and do a whois command for thehelper.net

Et voila, you have all the information for the domain name as mandated by ICANN contractual obligations.

Thick WHOIS vs. Thin WHOIS
Still the same WHOIS server listening on port 43. Except the output is different.
A thick WHOIS server also outputs contact data including your personal information.
A thin WHOIS server outputs only the domain name and a few more fields but not contact data as the Registry does not have it and as such cannot display it.

Web interface vs. Whois Port 43 server.
Still, the same server, except you do not use a command line on your MacBook you use a website to look it up. Like http://who.is or check at your Registrars website where the link is. They all have one!

Harvester of data
Every domain name that gets registered is published in a so-called zone file.
Sure enough, ICANN makes those available for everyone who can create an account.

Now those spammers know which domain names are registered, now they simply do an automated form of WHOIS requests and hey presto they got all your personal information.
Put it in a bulk mailer and you are good to go to spam the hell out of everyone.

But why stop there? Sell that information! Monitor it! Use big data to come up with more information.
Information enrichment they call it I think.
Step it up, use it for identity theft! With so much information provided by ICANN, you can easily tap into social media like Facebook and be more creative and set up some more fraudulent schemes.

Some more information on WHOIS, check this blog post, it’s pretty good.



Theo Geurts  ICANN WG RDS member.