
Anti-Spam Method: Checking Links Before You Click with WHOIS Protocol

Received these very well-designed spam/phish attempts in my Yahoo mail in the last week:

A screen shot of a spam phish attempt that looks like it came from Yahoo.

Branding, typeface and coloring are all used in the attempt to trick us into following links.

Here’s the text (with the bad link stripped):

Your two incoming mails were placed on pending status due to the recent upgrade to our database,
In order to receive the messages Click here to login and wait for responds from Yahoo.
We apologies for any inconvenience and appreciate your understanding.

Regards, Yahoo Group.

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited.
If you received this in Spam, please kindly move it to inbox.

The second phish attempt, same URL (stripped again):

In the last few days, our security Team observed multiple logons to your account, from Different Blacklisted I.P addresses, therefore we are Issuing this security warning. To prevent further unauthorized access for your safety, we have decided to put an extra verification process to ensure your account security.You are therefore required to verify your account.


Customer Care Team
Case number: 1097654

Yahoo!Copyright © 2011 Yahoo! Inc. All Rights Reserved.



I have to admit, I was almost fooled. Both phish attempts are pretty convincing.

(By the way, I love the first spam’s last line in the small print that tells us to “kindly move it to inbox.” The unusual grammar sprinkled throughout, notably the odd use of “to inbox” instead of “to your inbox,” plus the capitalization of “Spam” and not “inbox,” are other hints that this message is spam.)

But why didn’t I click? And how can you learn to stay safer in the midst of dangerous links, too? I’m going to let you in on some insider geek info and tell you how you can identify these scams immediately.


I didn’t click on the link for two reasons:

  1. I’m not tired, and I was able to take a pause instead of automatically clicking to push through another task before taking a break.
  2. I’ve worked to develop and maintain healthy browsing habits.

If you are tired or have harmful email habits, you will click on these spammy links every time.

You can see my other post about How To Avoid Getting Hacked for the healthy browsing habits you need to establish.

Today we’re going to talk about how you can use a small trick to ascertain whether or not a link is legitimate. This is an investigative strategy that only geeks know about, but it’s something you can learn to use too.


The “Whois” (pronounced Who Is) command is one of the original Internet commands. Back in the day (and I mean, BACK… like before the 80’s!), when a geek wanted to know who owned a nickname or who owned an Internet site, she would go up to her terminal screen and type in “whois [nickname].” The little electric protocol signals would travel to the [nickname] profile, pull back all the information stored there and then display it to the geek. When the World Wide Web was built on top of existing Internet structures, geeks used the WHOIS protocol to look up owners of WWW sites. Nowadays we don’t need terminal windows or Unix commands to run a whois lookup. We can just find a reliable web-enabled service to do it for free.

So. You have a suspicious link that isn’t too obviously a spammy link. We’ll use a WHOIS lookup to find out more information in order to make our decision on whether or not to click on the link. Pull up that pesky link and follow these steps:

  1. Hover over the suspicious link. Your browser probably has some sort of window that will display the link’s hidden URL. Does the URL look strange? Does it have the company’s site in it or is the link pointing to something totally spammy? e.g., the link text (usually in blue) says “Yahoo Mail” or “Click HERE” but the actual URL is garblygook.madeupstringofnumbers.spammylinks.com/yahoocom. This is a dead giveaway. Forward the email to the fraud department of the company being spoofed. You’re done.
  2. If in doubt but you can’t quell your curiosity, have no fear! You’re thinking just like us geeks. We can’t let crap go, either. We like to dig around to see what we can find out. We hover over the URL or right-click on it to copy it (making sure not to click on the link). Then we go to a search engine and type in “WHOIS” or we go to our favorite lookup service. Then we paste in the URL (you may have to whittle it down to the word-just-before-the-dot.the-domain-just-after-the-dot, e.g. spammylinks.com instead of garblygook.madeupstringofnumbers.spammylinks.com) and click “search.” All sorts of good information comes up.
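
The two steps above as a script, added here as an example and not part of the original post: it whittles a copied link down to the domain to look up, checks whether the link really points at the brand it claims, and speaks the WHOIS protocol directly on TCP port 43. The function names are hypothetical, `whois.verisign-grs.com` is assumed as the server (it answers for .com and .net), and the sample reply is constructed so the parsing runs offline.

```python
import socket
from urllib.parse import urlsplit

def registrable_domain(url):
    """Reduce a URL to its last two host labels (the whittling step above).
    Assumption: naive rule; suffixes such as co.uk need a Public Suffix List."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def points_to(url, expected_domain):
    """True only if the link's real target belongs to expected_domain."""
    return registrable_domain(url) == expected_domain.lower()

def whois_query(domain, server="whois.verisign-grs.com", timeout=10):
    """RFC 3912 exchange: connect to TCP 43, send the name + CRLF, read to EOF.
    The default server handles .com/.net; other TLDs use other servers."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("idna") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

def summarize(whois_text, fields=("Domain Name", "Registrar", "Creation Date")):
    """Pick the first 'Key: value' line for each field of interest."""
    found = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in fields and key not in found:
            found[key] = value.strip()
    return found

# Constructed sample reply (not real registration data) so this runs offline.
SAMPLE_REPLY = """\
   Domain Name: SPAMMYLINKS.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 2011-05-01T12:00:00Z
   Registry Expiry Date: 2012-05-01T12:00:00Z
"""

if __name__ == "__main__":
    link = "http://garblygook.madeupstringofnumbers.spammylinks.com/yahoocom"
    print(registrable_domain(link), points_to(link, "yahoo.com"))
    print(summarize(SAMPLE_REPLY))
    # Live lookup (needs network): print(summarize(whois_query("yahoo.com")))
```

Note that the `/yahoocom` at the end of the link plays no part in the result: only the host name decides who owns the destination.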

Here’s a screenshot of Internic.net’s whois page:

a screenshot of Internic.net's whois page

The place to paste the suspicious URL is tiny but it will have enough room.


The information you find will probably tip the scales in the right direction if you were wondering whether or not a URL was safe.

Another insider tip: any [VeryHeavilyAdvertisedRegistrar] isn’t usually the go-to registrar for big legit businesses. Big outfits like banks, credit card companies, mega-sites like Yahoo, Hotmail, etc., do NOT use [VeryHeavilyAdvertisedRegistrar]; they have their own registrar companies or they use little-known, private professional registrars. Maybe some small mom-and-pop click-n-mortars registered at [VeryHeavilyAdvertisedRegistrar] because they didn’t know any better, but be suspicious of any spammy link that has [VeryHeavilyAdvertisedRegistrar] as the registrar. In combo with a suspicious-looking link, any [VeryHeavilyAdvertisedRegistrar] reference is just a bad sign in that instance. In other words, if you’ve seen a commercial for or have heard of the registrar, assume the URL registered there is spammy and perhaps dangerous.

OK, there ya go. New geek insider info that will have you wasting time for hours looking up who is listed as owners and registrars for famous websites. Have fun!

And stay safe, y’all.