Colleagues,

The registrar dynadot, IANA #472, on December 17th, associated the address 64.64.12.170 with the A record for wikileaks.org. At some point prior to December 17th, the A record had a different value.

Who authorized or performed the update of 17-Dec-2010 01:57:59 UTC is a reasonable question to ask, by ICANN Compliance, of the registrar of record, IANA #472.

This morning (EST) a GET / HTTP/1.1 sent to 64.64.12.170 returns a 302 (redirect) to http://mirror.wikileaks.info/. This afternoon (EST) the same query returns a 400 (bad request).

IANA #472 should be able to document each change to the A record, and NS records, and demonstrate that only the registrant caused the series of changes to the RRset in December, or, an act for which no liability is incurred by the registrar, due to any one of a number of specific, enumerated circumstances.

What a reasonable inquiry should not find is a denial of service to a registrant by an accredited registrar under any but that very specific, enumerated set of circumstances.

It is not infrequent for an address block to be recovered and reallocated by an RIR, without third-party coordination. Therefore the association by Spamhaus to the address at which wikileaks.info was associated could have been an artifact of prior, not present, practice that resulted in Spamhaus' characterization of the address as problematic.

However, it is more likely that the characterization is "current", not an artifact of recovery & reallocation by the RIR and lack of notice to third-parties such as Spamhaus or a lack of prompt reaction by Spamhaus upon timely notice by the RIR.

If, in addition, the effect of redirection, initiated by parties as yet unknown, was to cause browsers to connect to an address, for which other resources are associated, other questions reasonably arise.

While synchronous behavior by statistically significant numbers of informed and consenting adults manifests similar to synchronous behavior by distributed systems, including those constructed from assets acquired through latent defects in operating system products or applications, aka "botnets", just as rapid changes to NS records (aka "fast flux hosting") may be implemented to avoid suppression of content by political censors or to avoid suppression by anti-fraud law enforcement, the wisdom of reducing the ability of Spamhaus to conduct its daily operations as an email quality enabler is open to criticism.

I look forward to comments from PIR, and from IANA #472, and ICANN Compliance on the issues around wikileaks.org in mid-December.

Eric
I see there's some follow up on http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row... including a response from wikileaks.info

We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That's it.
While we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care. Just listing whole IP blocks as 'bad' may be quick and easy for the blacklist editors, but will harm hosters and web site users.
Wikileaks has been pulled from big hosters like Amazon. That's why we are using a 'bulletproof' hoster that does not just kick a site when it gets a letter from government or a big company. Our hoster is giving home to many political sites like castor-schottern.org and should not be blocked just because they might have hosted some malware sites.
Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser, for example), don't list us. We do hope that Spamhaus hasn't issued this statement due to political pressure.
--
---------------------------------------------------------------
Joly MacFie 218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com
VP (Admin) - ISOC-NY - http://isoc-ny.org
---------------------------------------------------------------
I see there's some follow up on http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row... including a response from wikileaks.info
In case it's not clear already, there appears to be no connection between wikileaks.info and the actual Wikileaks. Look at one of the real mirrors like the one at www.wikileaks.is and you'll see a well designed web site. Look at the "mirror" at wikileaks.info, and you'll see a hack job put together in Mediawiki.

I don't know who's behind wikileaks.info, but given that they're hosted in a well known malware farm, I see no reason to give them the benefit of the doubt.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly
participants (3)
- Eric Brunner-Williams
- John R. Levine
- Joly MacFie