Annual Whois POC Validation Emails from ARIN
In the second half of 2010 the American Registry for Internet Numbers (ARIN) started sending emails to all Points Of Contact (POCs) registered in the ARIN Whois database. Since then, I have been seeing more and more chatter about these emails – including increased traffic here on my blog. Because I am at least partially responsible for these emails going out, I figured I would put up a sort of public service announcement, and hope that folks see it.
First off: Yes, this is a valid request from a legitimate organization.
Second: There is very good reason for ARIN to conduct this annual validation.
Valid and Legitimate
ARIN is the American Registry for Internet Numbers. They are the organization responsible for all IP addresses and AS numbers in the North American region. ARIN was established in 1997 and Applying the principles of stewardship, ARIN, a nonprofit corporation, allocates Internet Protocol resources; develops consensus-based policies; and facilitates the advancement of the Internet through information and educational outreach.
If ARIN is contacting you to validate your POC record, it is because your email address is listed in their Whois database. This is likely because you are now, or where at some point responsible for an Internet number resource or an organization which holds Internet number resources in some capacity. That’s the only way ARIN got your address; if it was given to them for this purpose.
Great, ARIN is for real but how can you be sure that the annual Whois POC validation email you received is actually from ARIN?
Well, it will be sent to the email address included in your Whois POC record and it will come from a do-not-reply address at arin.net. The subject will be:
Annual Whois POC Validation: ####-ARIN
Where ####-ARIN is your POC handle. It will include instructions on how to validate (confirm or correct) your Whois POC information as well as instructions to review your Organizations information in Whois as well. All of the included links will utilize HTTPS and point to the arin.net domain.
A couple examples have already been posted to mailing lists by folks who were taken by surprise, here is a generic version of what you will see:
From: American Registry for Internet Numbers <do-not-re…@arin.net>
To: [email protected]
Subject: Annual Whois POC Validation: ####-ARIN
This message is being sent in accordance with ARIN Policy 3.6.1, “Annual Whois POC Validation”. This policy requires POCs to validate their Whois contact information annually.
The following is your current POC Whois registration record. To validate, please take one of the three actions listed below. If no action is taken within 60 days, your POC record will be marked invalid in ARIN’s Whois.
Your POC information in Whois is:
<your POC info here>
1) If the information above is correct, please click on the following URL to indicate the information is accurate:
https://www.arin.net/public/pocValidation.xhtml?validationCode=<your code here>
2) If the information is incorrect, and you already have an ARIN Online web account, please log in to your account and modify the POC information:
3) If the information is incorrect, and you do not have an ARIN Online web account, please create an account by going to https://www.arin.net/public and selecting ‘new user’ on the left ‘ARIN Online’ panel.
Once you have created your account, please log in to your account and modify the POC information.
After validating your POC information, please take a few minutes to review your Organization data in ARIN’s Whois to ensure it, too, is up-to-date. If your company sub-delegates IP address blocks to downstream customers, your organization is responsible for ensuring the accuracy of all downstream organization and POC information. Maintaining accurate Whois data is contractually required for all resources registered under ARIN’s Registration Services Agreement.
If you have any questions, please contact the ARIN Registration Services Help Desk.
Ask ARIN via your ARIN Online web account: https://www.arin.net/public/communication/message/beginQuestion.xhtml
E-mail: [email protected]
Registration Services Department
American Registry for Internet Numbers
OK, so ARIN is legit and they are the one sending these annual Whois POC validation emails, but why should you answer?
The Internet community (myself included) has instructed ARIN to conduct this annual validation. A group of us worked to create draft policy 2008-7 which was adopted by the ARIN board mid-2009 and then implemented this July as NRPM section 3.6. While I can not speak for everyone who worked to create this policy, let alone all those who supported it, I can tell you my rational for doing so:
One of the most important resources when dealing with Internet abuse (including hijacking, spam, dos/ddos, phishing, child pornography, illegal drug sales, etc) is Whois. The Whois database is THE goto resource for security professionals and law enforcement alike when investigating abuse of the Internet. It records ‘who is’ responsible for each Internet number resource and provides contact information to facilitate quick responses to ever-evolving threats.
But ARIN’s Whois data is only useful if it is known to be valid.
The annual Whois POC validation focuses on email addresses because this is the contact method of choice for most in the Internet community when dealing with abuse, hijacking or other issues. It has the added benefit of being easy to validate. Legitimate POCs must be able to receive email at their registered address and, if your information is correct, it only takes a second or two to click the validation link. If your information needs updating, then it is still only a few minute process to get logged in and update your data.
Whois data that is valid and up-to-date is worth far more than the few minutes it may take each of us to update our info. For this reason, I implore you to respond to your annual Whois POC validation emails and update any out of date information for yourself or your organization. The Internet thanks you!