Fraud Reports Wiki

Brief Description[]

When a domain name is registered, the registrant must provide the registrar of the domain name with valid and up-to-date contact information.

In theory, by looking up the domain name in any public whois database, anyone is supposed to be able to view this registration information, and thus contact the person or company that owns it.

Detailed description[]

Whois Information[]

The Whois Export and Exchange Format memo presents details about what elements of a domain must be able to be queried in the whois database as required by ICANN. Note that this memo only applies to TLDs under ICANN control.

required information for EPP domains under ICANN jurisdiction[]

1. Registrar objects.[]

The registrar object corresponds to a single registrar. It includes the following data:

Registrar ID (conforming to the IANA registrar-ids registry)
Contact ID of Registrar
Registrar Administrative Contacts
Registrar Technical Contacts
Registrar Billing Contacts
Registrar URL
Registrar Creation Date
Registrar Last Updated Date

2. Contact objects.[]

The contact object corresponds to a single contact (whether registrant, administrative, technical or billing contact). The contact object includes the following data:

Contact ID
Contact Name
Contact Organization
Contact Address, City, State/Province, Country
Contact Postal Code
Contact Phone, Fax, E-mail

3. Nameserver (host) objects.[]

A nameserver object corresponds to a single registered nameserver. The nameserver object includes the following data:

Name Server ID
Name Server Host Name
Name Server IP Addresses if applicable
Current Registrar
Name Server Creation Date
Name Server Last Updated Date

4. Domain objects.[]

The domain object corresponds to a single Registered Name. Each domain object includes the following data:

Domain ID
Domain Name
Sponsoring Registrar
Domain Status
All contact information (including all details) with at least one each of:

   * Registrant
   * Administrative
   * Technical
   * Billing

All nameservers associated with this domain
Domain Registration Date
Domain Expiration Date
Domain Last Updated Date

Whois query protocols[]

The whois data must be made visible by clients (registrars) both via the web, and via a Port 43 Whois service.

Port 43 Whois service look-up options

Option Description
-- Indicate the end of options. A subsequent string that begins with a hyphen on the command line is taken as a query string.
-a, --raw Do not rewrite query according to configuration before sending to server.
-c file, --config=file Specify a configuration file to use instead of the default /etc/jwhois.conf.
-d, --disable-cache Disable reading and writing to the cache.
-f, --force-lookup Force the lookup query to go to the host, even if it is available from the cache.
-h host, --host=host Query the whois server on the specified host. Same as host on the command line. By default, queries the server in the environment variable NICNAMESERVER or WHOISSERVER if either is set; otherwise queries
--help Print help message and exit.
-i, --display-redirections Display every step in a redirection. The default is to display only the last step.
-n, --no-redirect Disable redirection from one server to the next.
-p port, --port=port Connect to the specified port. Same as port on the command line. Default is 43.
-r, --rwhois Force use of the rwhois protocol, instead of HTTP or whois.
--rwhois-display=display Request receiving rwhois servers to display the results in the specified display instead of the default.
--rwhois-limit=limit Request receiving rwhois servers to limit the number of matches to the specified limit.
-s, --no-whoisservers Disable built-in support for
-v Verbose. Display the query before sending it to the server.
--version Print version information and exit.

Where to look up whois information[]

Open-source whois clients[]

Downloadable whois clients[]

If you use a version of Unix, you can query directly with the whois command. That will thwart those spammers that thought they were clever and made their nameservers reject connections by DNS Stuff. You can also install a command-line version of whois and dig under Windows, or a window-based GUI option Sam Spade for Windows.

Locate more whois clients in Spam Links' whois proxy tools list.

Online whois look-up websites[]

  • DNS Stuff - this is a widely-used tool, which includes a whois look-up function (among many others).

Once on their web page, scroll down to get to the whois search engine. It is not necessary to join to use it, but joining offers additional benefits.

  • iWhois - performs whois look-ups and returns summary or detailed information. It is more limited in range, because it covers very few country level domains (.hk .cd .au .fr etc)

More whois sites are listed in Spam Links' whois tools list.

International WHOIS sites[]

Use one of these if the whois information doesn't show up using the above methods



In some instances the contact information of the registrant is hidden. This can happen if:

  • The domain name is managed by a registry that has a policy against the public disclosure of contact information if the registrant is a private person. This is notably the case with .eu and .fr ccTLD.
  • The domain name is registered to a company that in turn grants a license of use to the domain name to their customer. In this case, the contact information of the company is visible in the whois, and not their customer.

Examining Whois Information[]

Understanding contact details[]

There are two different types of whois contact types:

  • Person
  • Organization (company, association...)

This difference is known to the registrar, as the whois information is attributed a type. Usually, if the contact is a person, then the fullname field will appear on top, otherwise it will be the orgname field. You may be able to see this as either the "organization name" or "person" in the whois. As there is not necessarily any standard with regards to this, you may need to contact the registrar to request verification.

If the whois contact type is an organization, then the organization is the legal title holder. The name that accompanies this is simply the contact person at that organization. The contact person does not have any legal rights to the domain per se, they are just required to perform the function of being an identified contact person. Changing the contact in this event then is not like an owner change and may be done at any time and freely.

In privacy-protected whois databases (ex. EURID, AFNIC), if the whois information for a contact is a person, then the information will be hidden. If the information is that of an organization then it will be public.

Spammer whois profiles[]

Spammers almost always provide fake registrant information, mainly to avoid prosecution and to hide their real identities. They do this in three ways:

  • Using randomly-generated contact information that appears to be correct, but is not
  • Using the contact information of real people or companies, that they have no relation to
  • Using totally fake information