Automated Short Term Rental Accommodation Licence Integrity Checking System (ASTRALICS)


City of Vancouver recently regulated Airbnb and other short term rentals. Hosts are required to obtain a licence from the city and platforms are required to deactivate hosts without a valid licence. Recent news reports indicate that hosts have been getting away with fake numbers as there’s currently no mechanism for platforms to validate licence number.


Automated Short Term Rental Accommodation Licence Integrity Checking System (ASTRALICS ) is a proposed application programming interface (API) intended for City of Vancouver to publish, which Airbnb can use to validate licence numbers.

  1. Upon a host entering the licence number, Airbnb sends licence number, street number, street name, and unit number (in the case of strata units) to ASTRALICS.
  2. ASTRALICS checks the City of Vancouver licence database to see if an entry matching the request data exists in the system.
  3. If an entry is found, ASTRALICS responds with “valid”. Airbnb will accept the licence number
  4. If an entry is not found, ASTRALICS responds with “invalid”. Airbnb will reject the licence number.


I have created a fully functional ASTRALICS prototype as 65-line Azure function in Java. It can be easily ported to other languages.


I have created an example licence database as follows:


555-1000 Robertson Street 2002
555-1001 Gregor Drive 1001 111

If you access ASTRALICS API with a valid licence number, as in the request below, you will get “valid” as the response.

If you access ASTRALICS API with a invalid licence, as in the request below, you will get “invalid” as the response.

Source Code

package ca.rezel.astralics;

import java.sql.*;
import java.util.*;

 * Automated Short Term Rental Accommodation Licence Integrity Checking System (ASTRALICS).
 * Author: Rohana Rezel
 * Licence: MIT Licence

public class Function {
    public HttpResponseMessage<String> hello(
            @HttpTrigger(name = "req", methods = {"get"}, authLevel = AuthorizationLevel.ANONYMOUS) HttpRequestMessage<Optional<String>> request,
            final ExecutionContext context) {
        context.getLogger().info("Java HTTP trigger processed a request.");

        String licenceNumber = request.getQueryParameters().get("licencenumber");
        String unitNumber = request.getQueryParameters().get("unitnumber");
        String streetNumber = request.getQueryParameters().get("streetnumber");
        String streetName = request.getQueryParameters().get("streetname");
        HttpResponseMessage<String> returnValue = request.createResponse(500, "Server error");
        if (licenceNumber==null || streetNumber == null || streetName == null) {
            return request.createResponse(400, "licencenumber, streetnumber and streetname are required");
        } else {
            Connection connection;
            try {
                String url = "jdbc:sqlserver:YOUR_CONNECTION_STRING_HERE";
                connection = DriverManager.getConnection(url);

                String selectSql = "SELECT * from Licence WHERE licenceNumber=? AND streetNumber=? AND streetName=?";
                if (unitNumber != null) {
                    selectSql += " AND unitNumber=?";

                try {
                    PreparedStatement statement = connection.prepareStatement(selectSql);
                    statement.setString(1, licenceNumber);
                    statement.setString(2, streetNumber);
                    statement.setString(3, streetName);
                    if (unitNumber != null) {
                        statement.setString(4, unitNumber);
                    ResultSet resultSet = statement.executeQuery();
                    if ( {
                        returnValue = request.createResponse(200, "valid");
                    } else {
                        returnValue = request.createResponse(200, "invalid");
                } catch (Exception e) {
            } catch (Exception e) {
        return returnValue;

Canada Post Scam

Here’s a new scam. You will get an email from “Canada Post” asking you to download a “notice card” to collect a package that “Canada Post” has been trying to deliver.

Do not click on that link. It’s a zip file containing a .vbs malware scrip.

The script itself is encoded, with the decoding logic built in. I re-wrote the decoding logic in Python to figure out what the script really does, and here’s what I found out.

The script will disable “Security Center” and call another URL and download and execute another piece of malware from a third URL on the domain

The domain is registered by an organization called Clueup India in Ahmedabad, India.

I have reported this incident to Canada Anti-fraud Centre with all the information I have and hopefully, they can get that website shutdown to prevent the malware from spreading.

If you have already clicked through to the link, shutdown your device immediately, and you might need to talk to someone who knows how to properly clean up malware.