Domains May Disappear After Search

Ponca City, We Love You writes "Daily Domainer has a story alleging that there may be a leak that allows domain tasters to intercept, analyze and register your domain ideas in minutes. 'Every time you do a whois search with any service, you run a risk of losing your domain,' says one industry insider. ICANN's Security and Stability Advisory Committee (SSAC ) has not been able to find hard evidence of Domain Name Front Running but they have issued an advisory (pdf) for people to come forward with hard evidence it is happening. Here is how domain name research theft crimes can occur and some tips to avoiding being a victim."

never use the web for such queries

[jacquesm (154384)]

Always use a command line tool. The webservices are notorious for such sniffing, I've never seen or heard about it happening from the unix command line.
Better still, simply use your registrar to do a registration, if that works then it was free :)

http://rndpic.com/ [rndpic.com]

Re:never use the web for such queries

[Pyrion (525584)]

SysInternals (now Microsoft) has a whois CLI tool for Windows as well.

http://technet.microsoft.com/en-us/sysinternals/bb897435.aspx [microsoft.com]

Re:never use the web for such queries

[by Anonymous Coward]

I am positive this happened to me, and I only used the whois command from the OpenBSD command line to look the domain up. It was not a domain name that I can imagine anyone else wanting, but it was fairly short. Two days later (after checking with my client) I went to register it and it had been taken. I became immediately suspicious. Three days after that, I see this story...

Would it help anyone to know who took the domain? I can't seem to get to the article yet.

Data mining

[karl.auerbach (157250)]

It has long been rumored that domain name registries snap up names when they see signs of interest. Unfortunately ICANN's committees don't have the tools to really open up the clamshell and see what is really going on deep inside registries and registrars.

However, there is another matter - that of data mining of the query packets that arrive at root and top level domain servers.

ICANN's contracts do not prohibit data mining of the query stream, in fact they openly permit it. Thus Verisign has the right to look at incoming queries and generate a body of information about what domain names are being uttered by users. It's not a big step from that to come up with a list of names that would be nice things to have if one wants to spatter up a bunch of Google Adsense ads and collect click revenue.

(Also, because the entire domain name, not just the top level parts, hits root and top level domain servers, through a bit of statistical reduction, one can produce a data stream that is of interest not only to paying marketeers but, perhaps, to certain national intelligence agencies.)

This has been happening a long time

[jafiwam (310805)]

Though, not on the "in minutes" time scale.

My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

Sure enough, two days later some squatter had them.

I think the leak is in the registrars themselves. Imagine the money someone could get from the squatters by simply setting up a script to automatically email these queries somewhere.

"Never a more wretched den of scum and villany" describes the whole domain registration process pretty well I think.

Re:This has been happening a long time

[Shotgun (30919)]

My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

So there's the answer to the problem. Bombard the servers with requests for random names. The sleazoids will be forced to either go through the names manually, looking for likely candidates, OR they'll have to register everything...which might tend to get a tad expensive. A script that would hit the whois server with a single randomly generated name every time someone logged into a linux box would probably not put undue hardship on the root servers, but still generate way to many names to feasibly register.

The way to break a scam is to make it expensive to continue. A similar scheme could work for spam. Go through the filtered emails, making a list of URLs. Wait for slow network usage, and do a throttled wget to /dev/null on the websites. Once they can't sell Viagra from their DDOSed site, they'll stop. Someone will eventually try spamming with a URL of a big corporation. The big CEO will sit down with the Pres, explain their problem, the finally the FBI, CIA, NSA, MADD, and AARP will all be called out, and the spam problem will finally be brought to an end. (Heh, I jest...but only slightly).

Re:This has been happening a long time

[orclevegam (940336)]

As some have pointed out it costs the squatter nothing. They have a loophole because many registrars allow a 30 day trial period on a domain in which you can have it and if you decide you don't want it you can get rid of it for no cost. The squatters can then play a shell game by having a set of dummy companies swap the domain between themselves without ever passing the 30 day mark. With only 3 companies a squatter could tie a domain up for just under 3 months, and never have to pay a penny.

nope, they dont pay

[asv108 (141455)]

Amusing. Increase the scale of that operation a bit and you could quickly bankrupt a careless squatter.

Actually most of bigger squatting operations don't pay a dime on a per name basis. They hold the name for 30 days, then release it at no cost.

Re:nope, they dont pay

[liquidpele (663430)]

Exactly. That's the real problem... squatters can register a domain for 30 days to see if it would be profitable, then release it and get a refund if it's not. It's literally no-risk for them, and it creates a horrible situation for the rest of us.

Re:nope, they dont pay

[gmack (197796)]

Actually most of bigger squatting operations don't pay a dime on a per name basis. They hold the name for 30 days, then release it at no cost.

They don't need to release it. They just get another shell company to snap it up.

Domain tasting is causing nothing but headaches for the internet at large and they need to abolish it.

Re:nope, they dont pay

[Some_Llama (763766)]

actually it's not a dupe, i went to submit this article but then checked two days later this was posted by someone else. I think i got article tasted :(

"domain tasting"

[TheWoozle (984500)]

Over the years, the Internet and its resulting commercialization have lead to some truly awful buzzwords and mangling of the language (may the person who first coined "blog" rot in hell)...

But ye gods! "domain tasting"?!

I can see it now... "The slashdot.org '97 was a superb one; It had a playful nose, a full, rich body and a piquant aftertaste. The digg.com '07, however, can only be described in scatalogical terms."

Re:"domain tasting"

[B3ryllium (571199)]

"Don't register me, Bro!"

Does this apply to me?

[InvisblePinkUnicorn (1126837)]

How does this apply to me? I make it a point whenever entering my credit card number and personal information into an order form, to do a Google search first to make sure someone else doesn't have the same information, so they don't get confused and send my order to them instead.

Theft? Crimes?

[mi (197448)]

Here is how domain name research theft crimes [emphasis mine -mi] can occur

Theft? Crimes? Does Slashdot now think, an idea can be "property" and/or "stolen"?

MD5 lookup as defence

[zakeria (1031430)]

perhaps whois should provide Md5 lookup for a domain instead so people cant snoop at the domain being queried.. so instead of for example whois: somedomain.tld its whois: a79f888f1c2dc50c6b354c0d816f5bf5 simple and effective.

https://www.easywhois.com/

[Simon Carr (1788)]

I'm more than just not surprised by this, I've known it without proof for years. Doing queries for total junk domains, and then three or four days later finding out that those domains had been registered? Too weird. And that was years ago.

One of the problems stem from the fact that any whois query can be sniffed (or SNORTed) if it passes over the wrong network hop anyway, so there isn't much you can do unless you're ready on the trigger to register the domain almost immediately. One thing you CAN do if you're going to do web queries (because not everybody has a whois command line installed) is query via;

https://www.easywhois.com/ [easywhois.com]

Note httpS. I can certify that Mark J doesn't do domain tasting [privateworld.com], that's not the business EasyDNS is in [www.cnw.ca]. So if you do do a query via EasyWhois it's not going to get snagged after 24 hours (at least not from our end).

[ Disclaimer: Yeah I work for EasyDNS :) ]

Domain tasting is wrong and evil

[rickb928 (945187)]

Period.

Much of not most of the spam I'm deflecting nowadays seems to come from 'tasted' domains. Or just made up. I almost don't care about the difference.

The last time I read about this, more than a month ago, one snarky idea was to script a tool to randomly taste domains, constantly. If the registrars are forwarding the requests to squatters, they would go crazy with the surge in requests. The squatters would fritter away resources keeping up with these random searches, and eventually the WHOIS functionality of the registrars would have to change. And the script would change, and so on.

I think domain tasting ought to go away, or cost something. $2 for a 14 day taste would wreck the economics, maybe, certainly if random search scripts got going. My server could probably do 100,000 searches a day. I know it can send out 3-4 million spams a weekend, sadly.

Of course, the registrars could block my IP after a while. And blocks of IPs. So we need a Seti@Home-type script that hammers these things out, and let them block every dialup/dsl/cable/sat block. Hehe.

No, it's not devious enough.

Trial garbage

[Dan East (318230)]

Can anyone give one legitimate reason why anyone would need to "trial" a domain? Is that to see how it looks in the browser's address bar?

Wouldn't doing away with that stupidity make things a lot harder for these losers that park / squat domains?

Dan East

Google it first..?

[garatheus (993376)]

When thinking of potential domain names, I usually use the inurl: function in Google. I generally only use part of the name too - that way you're able to see all the potential variations of the domain name you're thinking of working with (and possibly giving you some inspiration too)...

Domains come up too fast

[Animats (122034)]

There's been some concern about this over at the Anti-Phishing Working Group. Much phishing seems to come from domains held for very short periods. But it turns out that's not "domain tasting". It's phishers buying domains with stolen credit card numbers, using retail domain registrars. After a few days, the credit card number is detected as stolen, the transaction is reversed by the bank, and the registrar deletes the domain.

This seems to be a separate problem from "domain tasting". But the "grace period" loophole that makes "domain tasting" possible also enables this scam. If registrars couldn't return domains to the TLD registry without paying, they'd have to raise their standards of customer validation.

Why is This So Hard to Verify?

[Nom du Keyboard (633989)]

Why is this so hard to verify. Use each registrar to test availability of domain xyzzyplugh99.com, changing the index number "99" for each test. Try back the next day and see which ones are sudden unavailable, then complain LOUDLY!

Re:Poison the NXD data?

[jandrese (485)]

No, because they get to sit on the domain name for free for 30 days and then drop it if they want. Domain Name registration is an amazingly shady part of the internet for being such an important piece. I have long suspected that the registrars (especially the no-name ones) and the domain squatters are one in the same.

Re:its actually pretty common

[liquidpele (663430)]

A lot of "disreputable" operations indeed.

This happened with me on godaddy, one of the biggest.
My advice is NEVER EVER EVER use a web-based whois. EVER.

Instead, Download the sysinternals tool mentioned in an above post, or use Sam Spade (or just command line if on *nix). And even then, if you find one you might want - register it!! It's only $9 or so, and not worth loosing if it's a good one.

Omg don't do that!

[sakdoctor (1087155)]

From the page linked from TFA:

"It is such a strong urge to type the domain name into the address bar and see what website comes up. Most users think perhaps there is already a company using the name and this will be a quick end to the question. Wrong! This is the most dangerous thing to do. Internet Service Providers (ISP) sell NXD (Non-eXistent Domain) data."