Domains May Disappear After Search

Ponca City, We Love You writes "Daily Domainer has a story alleging that there may be a leak that allows domain tasters to intercept, analyze and register your domain ideas in minutes. 'Every time you do a whois search with any service, you run a risk of losing your domain,' says one industry insider. ICANN's Security and Stability Advisory Committee (SSAC ) has not been able to find hard evidence of Domain Name Front Running but they have issued an advisory (pdf) for people to come forward with hard evidence it is happening. Here is how domain name research theft crimes can occur and some tips to avoiding being a victim."

never use the web for such queries

Always use a command line tool. The webservices are notorious for such sniffing, I've never seen or heard about it happening from the unix command line.
Better still, simply use your registrar to do a registration, if that works then it was free :)

http://rndpic.com/ [rndpic.com]

Re:never use the web for such queries

SysInternals (now Microsoft) has a whois CLI tool for Windows as well.

http://technet.microsoft.com/en-us/sysinternals/bb897435.aspx [microsoft.com]

Re:never use the web for such queries

I am positive this happened to me, and I only used the whois command from the OpenBSD command line to look the domain up. It was not a domain name that I can imagine anyone else wanting, but it was fairly short. Two days later (after checking with my client) I went to register it and it had been taken. I became immediately suspicious. Three days after that, I see this story...

Would it help anyone to know who took the domain? I can't seem to get to the article yet.

Easier solution

Beat the scammers at their own game. Set up an automated script that does whois lookups for random combinations of words. More or less just flood them with requests and they won't be able to tell which ones are legit lookups. Whoever the douchebag is, will either eventually run out of money, or have to expend more time to improve his algorithm, or just blacklist your ip.

What registrar registers a domain for $2?

What registrar registers a domain for $2?

Re:What registrar registers a domain for $2?

none that I know of, but I do my whois for domain prospecting from my ISP's registration tool, thus once I find one not taken I'm already registering it. I did some work for a client, and as I had her write down everything she could think of wanting for a domain with her line of business. I ended up registering 10 different domains, figuring I would park those she didn't want with some basic advertisements and an offer to sell for a reasonable price. At first she was leary of having "so many different websites" Till I explained domain forwarding and all she had to do was pick her favorite for the main site and then the rest would point to it. She ended up buying all of them ($500 w/ a 3 year domain support agreement).
-nB

Re:What registrar registers a domain for $2?

Above, the textbook definition of a domain squatter.

Re:never use the web for such queries

Happened to me too. Same exact story. Domain was good, but not something anyone else would be interested in. I did a search on a web service, and the domain was registered out from under me within an hour.

The perpetrator, in this case, was one Hank Ceigler, who, it turns out, was working for GoDaddy at the time. I'm not sure if he was a contractor or a full-time employee, but he was definitely involved in the domain business. I contacted him to see if he was interested in selling the domain, and he quoted a price over twice the appraised value of the domain.

I would love to know why GoDaddy is still allowed to register domains. They're scum.

Re:never use the web for such queries

I am positive this happened to me, and I only used the whois command from the OpenBSD command line to look the domain up. It was not a domain name that I can imagine anyone else wanting, but it was fairly short. Two days later (after checking with my client) I went to register it and it had been taken. I became immediately suspicious. Three days after that, I see this story...

Just to present a counterpoint: a couple of years ago, the opposite happened to me. I registered a domain name based on the name of my character in an online game. It was certainly an unusual name that I had never run into.

A few days later, I got a somewhat angry email from someone wanting to know why I had taken that name, because it was their surname, and they had planned on registering it. Once I explained the situation the guy calmed down and all was well.

But the moral is that it is quite possible that someone, completely innocently, took the domain you were researching, within a day or so you doing it, because that's exactly what happened with my domain. In my case, I just got lucky... 2 days later, the domain would have been gone.

Re:never use the web for such queries

According to one of the articles linked, the command line is actually a worse alternative. NSLookup requests go through your ISP's domain name server, which logs the NXD (Non-eXistent Domain) responses. Many ISPs augment their revenue by selling this information.

Doing a whois request at a reliable registrar's web-site doesn't go through your ISP's DNS. The larger registrars are probably more trustworthy than your run-of-the-mill ISP. For example, I believe GoDaddy and Network Solutions have stated that they would never provide such information to third parties.

Re:never use the web for such queries

Several years ago, I mentioned to my roommate at the time that it would be cool to register thinkoutsidethebox.com. Before I knew it, he had typed the name into some website that supposedly lets you know if the name is taken or not. I was like "Dude, why would you do that? They'll just end up registering the name themselves!".

The domain wasn't registered when he queried it. But since he didn't buy it right then and there, it WAS registered an hour or so later, by the very site he typed it into.

This has been going on for years, but now the scammers don't even have to rely on roommate stupidity.

Data mining

It has long been rumored that domain name registries snap up names when they see signs of interest. Unfortunately ICANN's committees don't have the tools to really open up the clamshell and see what is really going on deep inside registries and registrars.

However, there is another matter - that of data mining of the query packets that arrive at root and top level domain servers.

ICANN's contracts do not prohibit data mining of the query stream, in fact they openly permit it. Thus Verisign has the right to look at incoming queries and generate a body of information about what domain names are being uttered by users. It's not a big step from that to come up with a list of names that would be nice things to have if one wants to spatter up a bunch of Google Adsense ads and collect click revenue.

(Also, because the entire domain name, not just the top level parts, hits root and top level domain servers, through a bit of statistical reduction, one can produce a data stream that is of interest not only to paying marketeers but, perhaps, to certain national intelligence agencies.)

Re:Data mining

The trick is to set up a web site that supplies the list of domains to be searched. That way people could set up a small utility to automatically grab the list and search. This would indicate that lots of people are interested in the domain name. By making the lookups randomize over a week or two and randomizing the time that the search is done, the system would make it much more difficult to filter out.

Now, the squatters COULD start developing a list of IP addresses that are doing lookups, and filtering them out of their results. Of course, this would be all right as it would mean you were protected from someone sneaking in and squatting the name you looked up. Even if the squatters filtered on both IP address AND multiple hits, this could be resolved by allowing real name lookups to be submitted into the random name lookup web site. Then if you wanted to lookup ihatedomainnamesquatters.com, not only you but everyone else that has been looking up random names, will look up ihatedomainnamesquatters.com also. It would be virtually impossible to tell the difference between real interest, and fake.

Plus, if you wanted to both fund the site AND be ironic, you could put advertising on the web page.

Re:Data mining

There have been articles about it before, and I know for a fact that some registrars reserve a domain as soon as someone uses their site to do an availability/whois search for it. Several days later the reservation is released. During this period only that registrar can be used to register the domain. For the customer, this has both an advantage and a disadvantage.

The obvious disadvantage is that they can't use one registrar to determine that a domain is available and then shop around and use a cheaper registrar to actually buy the domain.

The advantage is that no third party squatter will be able to snipe the domain for themselves - unless of course they use the same registrar.

Re:Data mining

Scenario: you go to your fav registrar, regme.com, and test for bluetulipsandmore.com and it's available. regme.com locks it and sits on it for a few days. They see another query for it on their site 2 days later, probably from you as a followup test. This taste moves bluetulipsandmore.com to a second list they are keeping. They sell this second list to some scum they do business with, including bluetulipsandmore.com and about 8,000 other addresses that have been "tasted" in the last few weeks. The scum looks over the list of interesting unregistered (but reserved) domains, and cherry picks 100 of them to actually register, including your beloved bluetulipsandmore.com. Now you go to register it and poof, it's already registered. You go to that site and find it's been parked and has a convenient link to email gimmebackmydomain@gmail.com where you can purchase the domain after they do a background check on you to find out how much they can squeeze out of you. Instead of registering the link for $7 or so, you fork over $200 for it since you don't have any other choice. regme.com sees a $20 cut of that a month later.

THIS is one of the things they are trying to prevent.

Re:Data mining

They could stop the domain tasters in one minute by ... making all registrations irreversible.

The stated reason for allowing retraction of registrations is to allow mistakes to be corrected. But with domains costing just a few dollars to register for a year, how much harm is done by making the customer pay for such mistakes? Answer - none at all. Meanwhile unscrupulous domain tasters are registering, and then returning, millions of domains a day for free.

The DNS marketplace has probably the most widespread corruption of any economy in the world today.

This has been happening a long time

Though, not on the "in minutes" time scale.

My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

Sure enough, two days later some squatter had them.

I think the leak is in the registrars themselves. Imagine the money someone could get from the squatters by simply setting up a script to automatically email these queries somewhere.

"Never a more wretched den of scum and villany" describes the whole domain registration process pretty well I think.

nope, they dont pay

Amusing. Increase the scale of that operation a bit and you could quickly bankrupt a careless squatter.

Actually most of bigger squatting operations don't pay a dime on a per name basis. They hold the name for 30 days, then release it at no cost.

Re:nope, they dont pay

Exactly. That's the real problem... squatters can register a domain for 30 days to see if it would be profitable, then release it and get a refund if it's not. It's literally no-risk for them, and it creates a horrible situation for the rest of us.

Re:nope, they dont pay

Actually most of bigger squatting operations don't pay a dime on a per name basis. They hold the name for 30 days, then release it at no cost.

They don't need to release it. They just get another shell company to snap it up.

Domain tasting is causing nothing but headaches for the internet at large and they need to abolish it.

Re:nope, they dont pay

Actually most of bigger squatting operations don't pay a dime on a per name basis. They hold the name for 30 days, then release it at no cost.

Well, there's your solution. Don't just search for availability: register with presumption of availability and hold onto it for 30 days instead, and if you decide you don't want it, release it at no cost.

Re:nope, they dont pay

Oh, and by the way, this article is a dupe.

Re:nope, they dont pay

actually it's not a dupe, i went to submit this article but then checked two days later this was posted by someone else. I think i got article tasted :(

Re:This has been happening a long time

My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

So there's the answer to the problem. Bombard the servers with requests for random names. The sleazoids will be forced to either go through the names manually, looking for likely candidates, OR they'll have to register everything...which might tend to get a tad expensive. A script that would hit the whois server with a single randomly generated name every time someone logged into a linux box would probably not put undue hardship on the root servers, but still generate way to many names to feasibly register.

The way to break a scam is to make it expensive to continue. A similar scheme could work for spam. Go through the filtered emails, making a list of URLs. Wait for slow network usage, and do a throttled wget to /dev/null on the websites. Once they can't sell Viagra from their DDOSed site, they'll stop. Someone will eventually try spamming with a URL of a big corporation. The big CEO will sit down with the Pres, explain their problem, the finally the FBI, CIA, NSA, MADD, and AARP will all be called out, and the spam problem will finally be brought to an end. (Heh, I jest...but only slightly).

Re:This has been happening a long time

ahhhh however....

if a concerted effort were made to cause them to truely jam up the system with this. We could potentially cause them to have a cost. you see...they can taste and taste but realize that there is a bigger fish who is letting them taste his waters.... the registrar that allows tasting.

So... right now, domain squatting is a headache for us, but overall, a minor one, and an even more minor one for the resgitrar. If we could hit them with enough queries, that they truely "taste up" the system... you do two things....

1) You decrease their profit per domain
2) You cause headaches for the registrar as you turn up the volume and jam things up for everyone else

thus... you make their bottom line a small bit worst, and their cost to the tit they are feeding off of go up.

Do it enough and they will either have to stop using whois, or the registrars will stop letting them taste.

Either way, its a win for everyone else. This is totally one of those things where the situation needs to get worst so it can be made better, there is currently just no real pressure on the registrars.

I say.... jam up whois with queries!

-Steve

Re:This has been happening a long time

Oh yah...alternately....

if one of these guys was found in his home, dead, his lifeless body hanging by a rope attached to his testicles, blood completely drained, and the word "SQUATTER" carved into his flesh (with forensics reporting it was carved in before he died).... well that would make the news.

If it then happened to one more of these guys every week... we might see a decrease in this buisness model.

Not encouraging anyone...just... planting seeds.... maybe some will take root....

Re:This has been happening a long time

Please report to central maintenance. Your humor filter is defective.

Tho is domain squatting really a "petty crime"? I agree... it is petty to squat on a domain, as it is petty to jay walk, or spit on the sidewalk etc.

However, is it really so petty when it is systematic? Is it really so petty when it is repeated over and over to the point of the denial of others of their fair use of publically accessable services?

Surely it is petty to fill water bottles from park drinking fountains and turn around and sell the full bottles. Is it still petty when you have expanded the operation such that your organization has people at 90% of the fountains, constanatly filling water so that all the thirsty people who don't want to pay your extortionist prices need to stand in long lines and wait for their water? How about when you have taken all of the public fountains, and nobody can even get their water?

We are not talking about petty crime here, we are talking about organized crime.

-Steve

Re:This has been happening a long time

As some have pointed out it costs the squatter nothing. They have a loophole because many registrars allow a 30 day trial period on a domain in which you can have it and if you decide you don't want it you can get rid of it for no cost. The squatters can then play a shell game by having a set of dummy companies swap the domain between themselves without ever passing the 30 day mark. With only 3 companies a squatter could tie a domain up for just under 3 months, and never have to pay a penny.

Re:This has been happening a long time

If you want to be 100% safe, you can do the following...

1) Join the zone file program of the TLD provider of the TLD (top level domain for non-geeks) you're interested in. For .com and .net, you can join here for free: zone file access program [verisign.com]

2) Search the zone file for the domain you want. You can even import it into a database like I did, but that takes a loooong time (1.5 days on my 800 mhz pc, inserting using perl into mysql without any indexes at all). Grep would serve you much better for simple searches.

The only bad thing is it takes time and bandwidth to download the giant zipped files...

Re:This has been happening a long time

Yea, I originally found it about a year ago by trying to get a list of all registered domains so I could crawl them and create a filter for all domains my script would label as squatted. Then I planned to write a firefox plugin to warn you before you hit a squatted domain so they don't get any hits.

But turns out, the number of domains is too large - so the bandwidth usage would be so high that crawling would require a sizable expense on my part. So that project's on the back burner unfortunately....

Re:This has been happening a long time

TLD (top level domain for non-geeks)

Sir, Have you seen this site's masthead? Do you have any idea where you are?

Re:This has been happening a long time

That's the exact "offense" needed to fight this.

These are the steps that should be taken:

• Identify domain squatters. Should be easy, they're the ones holding the domains.
• Become a "taste tester." Use the squatters' DNS servers to taste thousands of random names daily, both directly and via unethical ISPs or search engines.
• Exchange your list of random names with other taste testers.
• Attempt to access all the random names from everyone's lists, at least daily for the next 91 days.
• Once the domain squatters identify the taste testers, the squatters will be forced to exclude the taste testers from their automated harvesting, or will be spending millions of dollars registering utter crap.
• The taste tester network could offer "safe testing services" for legitimate searchers.

This could all be automated in a series of fairly simple scripts. What would be needed would be the widespread distribution and coordination of the random lists.

The nice thing about the scheme is that squatters could be aware of and even secretly participate in it and it would still work. They'd have no better chance of identifying legitimate queries from random queries. And they can't exactly poison random data.

Re:This has been happening a long time

A company already tried that one. Blue Frog [wikipedia.org] maintained a list of "do not spam" email addresses. Every time a user got a spam message, it would go to the websites being spammed and submit all the web forms with "do not spam me" spam, linking back to bluefrog. Basically a DDOS. There was a lot of backlash for that one and bluefrog is no longer in the anti-spam crusade business.

"domain tasting"

Over the years, the Internet and its resulting commercialization have lead to some truly awful buzzwords and mangling of the language (may the person who first coined "blog" rot in hell)...

But ye gods! "domain tasting"?!

I can see it now... "The slashdot.org '97 was a superb one; It had a playful nose, a full, rich body and a piquant aftertaste. The digg.com '07, however, can only be described in scatalogical terms."

Re:"domain tasting"

"Don't register me, Bro!"

Re:"domain tasting"

Come on, it should at least be "Don't taste me, Bro!"

Does this apply to me?

How does this apply to me? I make it a point whenever entering my credit card number and personal information into an order form, to do a Google search first to make sure someone else doesn't have the same information, so they don't get confused and send my order to them instead.

Theft? Crimes?

Here is how domain name research theft crimes [emphasis mine -mi] can occur

Theft? Crimes? Does Slashdot now think, an idea can be "property" and/or "stolen"?

Not a new trend.

I'll swear this has been happening for years. I've taken to the habit of not searching for a new domain until I'm ready to buy it, right then and there. In the past, I've seen cases where customers have searched for a domain, found it to be available, and by the time they had a meeting the next morning to discuss buying it have it be registered by someone else (usually a squatter). In a sense, it's just common sense that a lot of the domain search "services" would engage in a competitive practice like this. I'm not saying it's ethical, but it's been going on for a long time.

Maybe the community can come up with a list of guaranteed reputable domain search services that take measures to prevent this sort of activity, and support those organizations.

Don't use Godaddy

I've heard rumors of GD domain "tasting" for the past 18 months, maybe longer. If true, it's pretty pathetic that they need to do that in order to make money.

its actually pretty common

I've executed many whois domain searches in the past, only to find the domain I looked at registered the next day. There are a few ways to avoid this problem:

• Register a domain as soon as you search for it
• Avoid using registry based WHOIS tools.

The ICANN requirements for becoming a registrar are VERY weak. There are a lot of disreputable operations out there who could be colluding with domain prospectors. Even with the bigger registry operations, its still possible for people to get access to the whois queries. You have no idea what that web whois box is actually querying, and there is no privacy guarantee.