<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">This is another new doc that is not on our current list, but should be added.<o:p></o:p></p>
<p class="MsoNormal">--Greg<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">"Advisory on Utilization of Whois Data For Phishing Site Take Down." Anti-Phishing Working Group. March 2008<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a href="http://docs.apwg.org/reports/apwg-ipc_Advisory_WhoisDataForPhishingSiteTakeDown200803.pdf">http://docs.apwg.org/reports/apwg-ipc_Advisory_WhoisDataForPhishingSiteTakeDown200803.pdf</a>
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">"Given fundamental policy changes regarding accessibility of both domain and IP Whois data currently under consideration by ICANN, RIPE and others, and the evolving environment surrounding the Whois system, the APWG Internet Policy Committee
(IPC) has updated this industrial advisory, comprised of a set of real-world case studies in which Whois data has been instrumental in neutralizing phishing sites in order to help ICANN, RIPE and others comprehensively inform their policy deliberations. The
intent is to better inform the broader internet policy community of the invaluable assistance the full range of Whois data provides in shutting down nearly 1,000 phishing sites per day (and climbing) at current rates....<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In a majority of phishing cases, published Whois data of the domain name(s) and Internet Protocol (IP) network addresses involved have been irreplaceable components of the take down process -- invaluable resources, in fact, necessary to
the resolution of most of the cited cases. For cases in which legitimate machines or services have been hacked or defrauded, published domain name or IP network address Whois information is an important tool used to quickly locate and communicate with site
owners and service providers. For cases in which domain names are fraudulently registered, the published domain name Whois information can often be tied to other bogus registrations or proven false to allow for quick shut down....<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It is the hope of the APWG’s IPC that exposure to this information and the following case studies will allow the relevant committees of ICANN, RIPE and other governance bodies to make better informed decisions on Whois policy and promote
policy modifications that will not result in reduced access to Whois data for those who use it to respond to phishing events....<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">In all, over 80% of phishing site take-downs involve using the domain name Whois system to find a contact for assistance via e-mail, phone and/or fax, or to prove the registration to be fraudulent through any or all portions of the available
Whois information."<o:p></o:p></p>
</div>
</body>
</html>