ICANN Investigates Insider Domain Name Snatching

Tech.Luver sends us word that, hot on the heels of reports that Verisign may be planning to sell DNS root server lookup data, ICANN has opened an investigation into a suspected practice by registrars it calls "domain name front running." The suspicion is that insiders at some registrars are using information from whois searches to snatch up desirable domain names before interested customers can register them. Here is ICANN's announcement of the investigation (PDF). ICANN asks that anyone who suspects they have been victimized by domain name front running to email them with details.

Some proof

I have proof of this happening and I'm sure others do too. We have two different customers that looked up domains to see if they were available, asked us to register them and before we could register them, they were already registered by places in China and the Carribian. Both domains where somewhat obscure and I didn't see any reason why they should have normally been bought. In both cases, the domain was released after the 5 day period that ICANN allows (which I think was a mistake on ICANN's part to have that policy). But in some cases it might not be released if it turns out to be popular. As I said about the Verisign thing, this is an invasion of privacy.

One of our customers (who allowed me to mention in this post that his domain in question was psysci.net) that had this happen said that he only used the command line whois and networksolutions.com to lookup the domain, so it might not just be small registrars involved in this scam. But that's a pretty serious accusation to bring against Network Solutions so take that with a grain of salt. THe company that tasted psysci.net had a name of Wan-Fu China, Ltd. The company that tasted the other domain had a name of (MAISON TROPICALE S.A.), which you can find a little more information about here [domainstatute.com]

Use DNS to look up domains.

Have you tried:

host -t NS domain.com

instead? If it says NXDOMAIN (no such domain), the domain does not exist.

Re:Use DNS to look up domains.

Have you tried:

        host -t NS domain.com

instead? If it says NXDOMAIN (no such domain), the domain does not exist.

Well of course I can do that but now even that is in danger of being snooped [slashdot.org]. But I can't expect a customer to do that every time, but they deserve better treatment than to have their domain snatched before they can even buy it. I think once this whole Verisign thing gets resolved, I'll setup a domain checker on our website so that they have someplace more trustworthy to check.

Re:Some proof

I just tried checking a random domain on the networksolutions whois. ( 21laforest.com ) It's available so I'll check it a month from now to see if its snatched.

ha ha! Not a very controlled experiment.

• find an available name
• post it on slashdot
• check a month later to see if it's taken.

There are enough ass-tunnels out there (like me) who'd pay $8.95 just to screw up your experiment!

Re:

"There are enough ass-tunnels out there (like me)"

Thank you for that brilliant word. Ass-tunnel. Now I will forever associate you with Goatse (which I think is a visual representation of such).

Not the Point

When a domain is snatched, usually it doesn't matter if the original owner gets it back or not. That's not the point, in most cases. Thieves will use the domain to drive traffic to their astroturfing/spam network and drive their PR up in the process. That stays in memory indefinitely and has a beneficial impact on any site like that.

If the owner gets their network back, they still have the stigma of the bad activity associated with the domain.

Preventing domain theft is going to only get increasingly more difficult as technology becomes more complicated.

*That's* Not the Point

This isn't about snatching domain names from previous owners. It's about improper use of search records from the whois databases, using this information to automatically grab new, currently unregistered domains when other people check the domain names' reg

I believe it happened to me....

A year ago I searched on a domain I had spent 2 weeks thinking up. It was available but I waited 3 days. When I went to purchase, it was registered 1 or 2 days before. At the time I chalked it up to bad luck.

I only wish I could remember the domain name. I might have it in my notes but I have pages and pages of notes.

Re:

You spent two weeks thinking up a domain name and now can't remember it?

Man, you must have a terrible memory. Did you spend the entire two weeks going "I need a good domain name... how about awesome.net? Nah, that's no good. How about awesome.net? Yes, th

Re:

I believe you're a big fat turd with sausage fingers

No match for "BIGFATTURD.COM".
>>> Last update of whois database: Thu, 25 Oct 2007 15:54:43 UTC <<<

Just in case ...

How to buy a domain in this day and age

Say you want domain xyz.com and you have no idea whether anyone else owns xyz.com or if it's in use.

1. DO NOT go to xyz.com. If it is being squatted then the squatters now have a hit on it, they have one more reason to keep it if they're just testing out the ICANN 5 day snatch and release policy.

2. Go to a registrar site and do a search on xyz.com

3. If no one owns it, buy it NOW. The first hour after your search could very well be the only time it is ever available ever again. There is a very high probability of this. If you do not buy it right away, by the time you come back it will be gone. A squatter will have bought the site to abuse the ICANN 5 day policy. If it gets enough hits, they will keep it, if not, they will release it and by the act of releasing some other squatter will probably pick it up. This will keep on repeating itself until you pay enough money for some just as evil company to grab it and sell it to you.

There's your guide to buying a domain name in three obnoxious steps.

Re:

Now you tell us. :D

Couldn't one start "poisioning" the hit database?

Why not just start a bot that makes random DNS queries? This would eventually make it unprofitable for the squatters to squat.

--
This space for rent

Re:Couldn't one start "poisioning" the hit databas

This is undoubtedly going on. People like us are doing it to screw with all squatters, and squatters are probably doing it to other squatters to get them to buy and keep crap domains. Doesn't seem to be helping much though.

Re:Couldn't one start "poisioning" the hit databas

I don't think it'd work. It'd be very easy to load them into a table, filter them against dictionary words, and sort them by # of hits.

Human eyeballs could pull the top 1000, do a quick spot check on the list, remove garbage names, and register the rest

wow

I am so very glad that ICANN has quickly come forth at the first signs of such a horrible problem, to think that the registrars would abuse their positions like this.

I think we all can rest since ICANN is going to fix this before it even becomes a problem.

oh wait ...

Dear ICANN:

I have been the victim of Internet-related Terminology Front Running (tm). It began innocently enough with "trolling" borrowed from fishing terminology. But when "phishing" itself became a term, as well as "blog", "AJAX", "spidering", etc., I realized I was in a strange world where tech writers invent terms for phenomena most people aren't even aware exists yet. Usually the phenomena is out there for awhile first, and as it gradually trickles into common knowledge, terminology gradually evolves. But here we have terminology existing even before awareness of the phenomenon. Which brings us to "front running"...

Oh, wait, we're talking about a different kind of front running? It means what again?

See what I mean ICANN? I can't even keep track anymore. I thought I was tech savvy, but if I blink, these crazy kids are using words I don't even understand.

Wait... ICANN is the wrong organization to complain to about this?

I give up.

I've never used whois for this exact reason

I've *never* used whois for probing novel domain-names for this exact reason. I just use the URL and see if it hits. If it and it's adjacent ones on other tlds of interest don't hit and I want it, I order it.

Being a little paranoid allways helps.

Re:

Of course it does. Any IP communications which uses a name rather than an IP number is using some type of name resolution. Since the real question posed by this situation is "has this domain name been registered", you can't answer it without consulting wit

I'm kind of sensitive to this stuff right now.

I failed to renew my free dyndns.com domain on time and on Saturday someone using the U.K. host "Real International Business Corp." (which Google shows to be a host for all kinds of scam websites) stole the domain. It wasn't just someone grabbing an unused domain - they put up a copy of my front page (though the links led nowhere).

They were even loading images, like I do, from my ISP's webspace. For a while I had changed the image to a big "WARNING!", but they noticed that yesterday and removed all links and images from their copy. A DMCA takedown won't work since they're in the U.K. and from what I've read of the hosting service, ethics aren't exactly their strong suit. So I've got to just learn from experience here. Oy.

ICANN needs to put registrars out of speculation

One of the provisions of the ICANN Registrar Agreement is this: [icann.org]

• 3.7.9 Registrar shall abide by any ICANN adopted specifications or policies prohibiting or restricting warehousing of or speculation in domain names by registrars.

So ICANN has the authority to insist that registrars get out of the domain speculation business. They don't have to ask the registrars; they can simply order it.

Currently, most of the "registrars" [icann.org] are fronts for domain speculators. Take a look at the list. There are whole families of phony registrars (Enom1, Inc., Enom2, Inc., Enom3, Inc., ... Enom371, Inc., ... Enom469, Inc.) There are ones who admit they're domain speculators (NameJumper.com, Inc., "!!BBB Bulk Inc"). There are ones that are fronts for "Club Drop".

Most of these "registrars" are so phony they don't even have a business address.

This registrar information is useful for filtering junk sites. If a site is registered with one of the bogus registrars, it's probably desirable to block its e-mail (which is probably spam), and throw it out of search engines.

I'd rather see a crackdown on typos...

As much as front-running is annoying (at the very least), I think registering typo'd domains is actually worse. Considering how many domains are registered simply for the purpose of catching people who misspell the domain they want to visit, it may be a larger problem.

And from my experiences, it seems like the typo squatters usually bombard you with pop-ups and other annoying crapola on their sites when you accidentally wander into them. The front-runners at least seem kind enough to just tell you "this domain could be yours for only $1M". Bastardly, sure, but less of an annoyance than 4 pop-ups that trigger more pop-ups on being closed.

I think this happened to me, but with a twist..

I was going to buy Squandered.org, .com, .net to release some original music and essays. Squandered.org was to be the band name, with the .org in the name to emphasize the "new media" thing.

So I checked via godaddy.com, and it was available, but I didn't purchase it because my checking account was overdrawn. A while later(2 weeks to a month), I went to buy it, and it was taken. Whois said it was taken shortly after my availability check, by a company in Maine. It was cash-parked at Network Solutions.

Anyway, a few months later(the dates are vague, I didn't mark my calender) I checked it to see what the people from Maine were doing with the title of my life's work. It was still just cash-parked at Network Solutions. So I checked WHOIS again, to refresh my memory about the name of the company, and it was now owned by an individual in Maryland instead of a company in Maine, but here's the scariest part: the registration date had *magically* moved backwards to 2005!

I had personal reasons to remember very specifically that the location of the owner was in Maine. I didn't remember the company name, but I definitely remembered that the date of registration was just after I had checked it.

And it's still just cash-parked. When it first happened, because of "Maine" and some personal events, I suspected a certain person I knew from certain forums had taken it for basically spiteful reasons. But when the date was altered, I was mystified and paranoid. "Why would the CIA and time-traveling lizard-people from Sirius conspire to keep me from doing my little project under that name?" Now, I'm relieved to find a more plausible explanation. A scammer or scammers with access to official registration data. Makes sense, I also own several other domains, so I might pop up as a high-probability purchaser. But I never contacted the owner, and in the intervening time I've reworked things to release soon under another name that I've owned for years.

I did, however, pop off an email to ICANN detailing the events.

Let me reiterate what's been said by others on this thread: don't check a domain unless you're ready to purchase it immediately.

Re:

OK, I know yours was a joke post, but something pissed me off for YEARS that I don't think should be allowed. I wanted to register mcgrew.org or alternately mcgrew.com back when com, org, and net (and ones you can't get like gov and edu) were the only root

Re:Some probabilistic inference

What do you mean, extremely unlikely?

The first one is obviously used by The King of Siam's Major Order of Worried Lemurs Acting Perfectly or Xylophone Needing Vampires Being Wheedled Like Queens of Another Nice Monarchy In Utah's Tasteless Kingdom, Looking at Everyone's Hiney

The other two are equally obvious