
Domains May Disappear After Search

Ponca City, We Love You writes "Daily Domainer has a story alleging that there may be a leak that allows domain tasters to intercept, analyze and register your domain ideas in minutes. 'Every time you do a whois search with any service, you run a risk of losing your domain,' says one industry insider. ICANN's Security and Stability Advisory Committee (SSAC) has not been able to find hard evidence of Domain Name Front Running but they have issued an advisory (pdf) for people to come forward with hard evidence it is happening. Here is how domain name research theft crimes can occur and some tips for avoiding being a victim."
  • by jafiwam ( 310805 ) on Friday December 28, 2007 @12:45PM (#21840306) Homepage Journal
    Though, not on the "in minutes" time scale.

    My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

    Sure enough, two days later some squatter had them.

    I think the leak is in the registrars themselves. Imagine the money someone could get from the squatters by simply setting up a script to automatically email these queries somewhere.

    "Never a more wretched den of scum and villainy" describes the whole domain registration process pretty well I think.
  • by Anonymous Coward on Friday December 28, 2007 @12:49PM (#21840374)
    Amusing. Increase the scale of that operation a bit and you could quickly bankrupt a careless squatter.
    One would think that in a predatory environment like that, the squatters are doing that to each other already.
    Surprised random strings worked.
  • Don't use Godaddy (Score:3, Interesting)

    by teknopurge ( 199509 ) on Friday December 28, 2007 @12:51PM (#21840404) Homepage
    I've heard rumors of GD domain "tasting" for the past 18 months, maybe longer. If true, it's pretty pathetic that they need to do that in order to make money.
  • by zakeria ( 1031430 ) on Friday December 28, 2007 @12:53PM (#21840420) Homepage
    Perhaps whois should provide MD5 lookup for a domain instead, so people can't snoop at the domain being queried. So instead of, for example, whois: somedomain.tld it's whois: a79f888f1c2dc50c6b354c0d816f5bf5. Simple and effective.
  • by rickb928 ( 945187 ) on Friday December 28, 2007 @01:06PM (#21840552) Homepage Journal
    Period.

    Much if not most of the spam I'm deflecting nowadays seems to come from 'tasted' domains. Or just made up. I almost don't care about the difference.

    The last time I read about this, more than a month ago, one snarky idea was to script a tool to randomly taste domains, constantly. If the registrars are forwarding the requests to squatters, they would go crazy with the surge in requests. The squatters would fritter away resources keeping up with these random searches, and eventually the WHOIS functionality of the registrars would have to change. And the script would change, and so on.

    I think domain tasting ought to go away, or cost something. $2 for a 14 day taste would wreck the economics, maybe, certainly if random search scripts got going. My server could probably do 100,000 searches a day. I know it can send out 3-4 million spams a weekend, sadly.

    Of course, the registrars could block my IP after a while. And blocks of IPs. So we need a Seti@Home-type script that hammers these things out, and let them block every dialup/dsl/cable/sat block. Hehe.

    No, it's not devious enough.

  • Common sense (Score:4, Interesting)

    by huckamania ( 533052 ) on Friday December 28, 2007 @01:10PM (#21840590) Journal
    Packets are being sniffed as they traverse thru the tubes. Try this, do a google search for something made up. Try to get a page result of 0. Do this a few times and write down each time you get a 0 result. Come back in a few days and do a google search and you will probably find some custom pages. Is this google tasting?

    I'm thinking that I'm not liking the direction this is going...

    Sniffing, tasting, hmmm, what comes next, digesting? Excreting?
  • by Anonymous Coward on Friday December 28, 2007 @01:11PM (#21840612)
    I am positive this happened to me, and I only used the whois command from the OpenBSD command line to look the domain up. It was not a domain name that I can imagine anyone else wanting, but it was fairly short. Two days later (after checking with my client) I went to register it and it had been taken. I became immediately suspicious. Three days after that, I see this story...

    Would it help anyone to know who took the domain? I can't seem to get to the article yet.
  • by jacquesm ( 154384 ) <j@NoSpam.ww.com> on Friday December 28, 2007 @01:15PM (#21840670) Homepage
    Interesting! What provider were you using? Which whois server, and can you figure out the hops that your request passed through? Chances are that your packets have been 'sniffed' at some hop in between your BSD machine and the whois registry server. That chance exists but is significantly smaller than having it happen when you use a web based service.

    The best protection is to keep the 'window' between testing and registering as short as you can manage, preferably no more than a few *minutes* !
  • by Shotgun ( 30919 ) on Friday December 28, 2007 @01:18PM (#21840694)
    My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

    So there's the answer to the problem. Bombard the servers with requests for random names. The sleazoids will be forced to either go through the names manually, looking for likely candidates, OR they'll have to register everything...which might tend to get a tad expensive. A script that would hit the whois server with a single randomly generated name every time someone logged into a linux box would probably not put undue hardship on the root servers, but still generate way too many names to feasibly register.

    The way to break a scam is to make it expensive to continue. A similar scheme could work for spam. Go through the filtered emails, making a list of URLs. Wait for slow network usage, and do a throttled wget to /dev/null on the websites. Once they can't sell Viagra from their DDOSed site, they'll stop. Someone will eventually try spamming with a URL of a big corporation. The big CEO will sit down with the Pres, explain their problem, then finally the FBI, CIA, NSA, MADD, and AARP will all be called out, and the spam problem will finally be brought to an end. (Heh, I jest...but only slightly).
  • by killmofasta ( 460565 ) on Friday December 28, 2007 @01:18PM (#21840698)
    This type of domain name sniffing and squatting has been happening for years. I 'tested' registration of a domain name on ICANN's biggest contractor. They haven't changed their page. And the next morning, as I was paying for the registration, the registration record came up 'owned' by someone else. (Purchased the following day. Since I tested the name at about 11:15 p.m. It was an automated system, in place and doing its dirty work.) A squatting company in Pasadena, who sold it to someone in Oregon. Nothing has appeared on the site EVER, and that was way back in 1999, but it kinda angered me that it happened, and I never understood the mechanism, but now see clearly that ICANN's contractors were behind it. There is a domain-name squatters magazine, and a domain-name squatters trade show!
  • by Skapare ( 16644 ) on Friday December 28, 2007 @01:55PM (#21841114) Homepage

    They have the list of the domain names. They only need to calculate a forward MD5 checksum on each domain, and build an index with the MD5 checksum as the key. As new domains are added, checksum them and add them.
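
Added example, not part of the thread: a sketch of the hashed-lookup idea proposed earlier in the discussion and the forward-hash index described in the comment above. The `HashedWhois` service, the function names and the `.example` domains are assumptions made for illustration; it shows that the index costs one hash per registered name, and that a digest only hides a queried name if whoever holds the query log cannot enumerate that name.

```python
import hashlib
from itertools import product


def md5_key(domain: str) -> str:
    """Normalise a domain name and return the hex MD5 a client would send."""
    return hashlib.md5(domain.strip().lower().encode("ascii")).hexdigest()


class HashedWhois:
    """Toy whois service (hypothetical) that is queried by digest, not by name."""

    def __init__(self, registered):
        # The operator already holds every registered name, so building the
        # digest -> name index is one forward hash per name.
        self.index = {md5_key(name): name for name in registered}
        self.query_log = []  # digests seen by the operator or anyone on the path

    def register(self, domain: str) -> None:
        self.index[md5_key(domain)] = domain

    def lookup(self, digest: str):
        self.query_log.append(digest)
        return self.index.get(digest)  # None means "not registered"


def names_recoverable_from_log(query_log, candidate_names):
    """Map each logged digest to a name if it hashes from an enumerable candidate."""
    table = {md5_key(name): name for name in candidate_names}
    return {digest: table.get(digest) for digest in query_log}


def demo():
    # Constructed sample data; .example is a reserved TLD.
    service = HashedWhois(["shop.example", "mail.example"])
    answers = {
        name: service.lookup(md5_key(name))
        for name in ("Shop.Example", "bluetulips.example", "x9q2kf7wzz31.example")
    }
    # Candidate space a log holder could enumerate: two-word combinations.
    words = ["blue", "red", "tulips", "roses"]
    candidates = [a + b + ".example" for a, b in product(words, repeat=2)]
    exposed = names_recoverable_from_log(service.query_log, candidates)
    return answers, exposed


if __name__ == "__main__":
    answers, exposed = demo()
    for name, owner in answers.items():
        print(f"{name:24} -> {'registered' if owner else 'available'}")
    for digest, name in exposed.items():
        print(digest, "->", name or "(not recovered)")
```

In the sample run the word-based name is matched from its logged digest, while the high-entropy name is not.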

  • by TheCarp ( 96830 ) * <sjc@NospAM.carpanet.net> on Friday December 28, 2007 @02:06PM (#21841212) Homepage
    ahhhh however....

    If a concerted effort were made to cause them to truly jam up the system with this, we could potentially cause them to have a cost. You see... they can taste and taste but realize that there is a bigger fish who is letting them taste his waters.... the registrar that allows tasting.

    So... right now, domain squatting is a headache for us, but overall, a minor one, and an even more minor one for the registrar. If we could hit them with enough queries, that they truly "taste up" the system... you do two things....

    1) You decrease their profit per domain
    2) You cause headaches for the registrar as you turn up the volume and jam things up for everyone else

    Thus... you make their bottom line a small bit worse, and their cost to the tit they are feeding off of go up.

    Do it enough and they will either have to stop using whois, or the registrars will stop letting them taste.

    Either way, it's a win for everyone else. This is totally one of those things where the situation needs to get worse so it can be made better, there is currently just no real pressure on the registrars.

    I say.... jam up whois with queries!

    -Steve
  • This is old news (Score:3, Interesting)

    by LM741N ( 258038 ) on Friday December 28, 2007 @02:06PM (#21841216)
    It's happened to me several times and the domain names were not very common words, or words at all for that matter.
  • by vimh42 ( 981236 ) on Friday December 28, 2007 @02:16PM (#21841308)
    No doubt. A number of years ago I wanted to register a domain name so I did a lookup and found that it was available. I wasn't sure who I was going to use to host so I didn't register right away. Two days later a domain squatting company registered it for a year. I waited till that year was up and did another whois. The domain was available. I made the mistake of not registering it then and there. A day later, the domain was registered for the period of five years. In these six years, never has the domain been put to use. At one point I checked the company and they were asking $100 for the domain name. Well I had really written off the idea of using that domain name but then I read this article. That five years is up in just a few months. I've set myself a reminder to check the moment that registration is up and if that company doesn't have an auto renew set up for the domain (they seem to like pissing money away though) I will register it and put up a site. If nothing else, I'm going to put up a big 'Fuck You' sign for domain squatters.

    On another note, a client of mine has an on line store for their business and they bought up a number of different domains that related to their businesses. Well they somehow missed the .net one for one of the domains. I was going to register it for them and simply bill them the cost of the registration. As it turns out some random person bought up the name while I was waiting for the go ahead. That person went so far as to email my client's company and offered to sell them the domain. I explained to my client exactly what this person had done and exactly how much they stood to profit off their little scheme and how much they stood to lose if my client didn't bite. The day the squatter's registration is up I will register the domain for my client (or tell their web person to get off their butt and do it). A little patience is worth saying screw you to the squatters.
  • by Se7enLC ( 714730 ) on Friday December 28, 2007 @02:31PM (#21841410) Homepage Journal
    A company already tried that one. Blue Frog [wikipedia.org] maintained a list of "do not spam" email addresses. Every time a user got a spam message, it would go to the websites being spammed and submit all the web forms with "do not spam me" spam, linking back to bluefrog. Basically a DDOS. There was a lot of backlash for that one and bluefrog is no longer in the anti-spam crusade business.
  • Re:Data mining (Score:4, Interesting)

    by kalirion ( 728907 ) on Friday December 28, 2007 @02:31PM (#21841416)
    There have been articles about it before, and I know for a fact that some registrars reserve a domain as soon as someone uses their site to do an availability/whois search for it. Several days later the reservation is released. During this period only that registrar can be used to register the domain. For the customer, this has both an advantage and a disadvantage.

    The obvious disadvantage is that they can't use one registrar to determine that a domain is available and then shop around and use a cheaper registrar to actually buy the domain.

    The advantage is that no third party squatter will be able to snipe the domain for themselves - unless of course they use the same registrar.
  • by ardent99 ( 1087547 ) on Friday December 28, 2007 @02:32PM (#21841420)
    According to one of the articles linked, the command line is actually a worse alternative. NSLookup requests go through your ISP's domain name server, which logs the NXD (Non-eXistent Domain) responses. Many ISPs augment their revenue by selling this information.

    Doing a whois request at a reliable registrar's web-site doesn't go through your ISP's DNS. The larger registrars are probably more trustworthy than your run-of-the-mill ISP. For example, I believe GoDaddy and Network Solutions have stated that they would never provide such information to third parties.

  • You sure about that? (Score:3, Interesting)

    by JacksBrokenCode ( 921041 ) on Friday December 28, 2007 @02:42PM (#21841526)

    Actually, Bob Parsons (CEO of GoDaddy) has been complaining about "domain tasting" and "domain kiting" for years. Google Bob Parsons domain tasting [google.com] and look at the results. I wouldn't be surprised if it's happening upstream from Godaddy, but I'd be shocked to find Godaddy is in any way willingly facilitating the practise.

  • by Futurepower(R) ( 558542 ) on Friday December 28, 2007 @02:49PM (#21841602) Homepage
    What registrar registers a domain for $2?
  • by thecountryofmike ( 744040 ) on Friday December 28, 2007 @03:16PM (#21841860)
    Several years ago, I mentioned to my roommate at the time that it would be cool to register thinkoutsidethebox.com. Before I knew it, he had typed the name into some website that supposedly lets you know if the name is taken or not. I was like "Dude, why would you do that? They'll just end up registering the name themselves!".

    The domain wasn't registered when he queried it. But since he didn't buy it right then and there, it WAS registered an hour or so later, by the very site he typed it into.

    This has been going on for years, but now the scammers don't even have to rely on roommate stupidity.

  • by eh2o ( 471262 ) on Friday December 28, 2007 @03:27PM (#21841948)
    Whois terms of use are for information lookups only to find the owner of a domain. Sniffing queries and buying up the non-taken names that someone has expressed interest in is, at the very least, a commercial application of the data, which is forbidden. The crime is contract breach.
  • by zyzko ( 6739 ) <kari.asikainen@LIONgmail.com minus cat> on Friday December 28, 2007 @03:42PM (#21842072)
    If you got Unix shell access what's wrong with dig soa yourdomain.com? No need to use whois, and the only one who knows you did the query is the TLD operator, and if they (for .com Verisign) are corrupt and sell this data you are screwed.
  • Re:Data mining (Score:4, Interesting)

    by Belial6 ( 794905 ) on Friday December 28, 2007 @03:46PM (#21842110)
    The trick is to set up a web site that supplies the list of domains to be searched. That way people could set up a small utility to automatically grab the list and search. This would indicate that lots of people are interested in the domain name. By making the lookups randomize over a week or two and randomizing the time that the search is done, the system would make it much more difficult to filter out.

    Now, the squatters COULD start developing a list of IP addresses that are doing lookups, and filtering them out of their results. Of course, this would be all right as it would mean you were protected from someone sneaking in and squatting the name you looked up. Even if the squatters filtered on both IP address AND multiple hits, this could be resolved by allowing real name lookups to be submitted into the random name lookup web site. Then if you wanted to lookup ihatedomainnamesquatters.com, not only you but everyone else that has been looking up random names, will look up ihatedomainnamesquatters.com also. It would be virtually impossible to tell the difference between real interest, and fake.

    Plus, if you wanted to both fund the site AND be ironic, you could put advertising on the web page.
  • by Anonymous Coward on Friday December 28, 2007 @03:46PM (#21842122)
    For example, I believe GoDaddy and Network Solutions have stated that they would never provide such information to third parties.

    Keep on believing that, but both of them either sell that info or buy the domains directly (through some shell companies) or they have malicious employees selling that data.

    I've done whois lookups at both of them using some pretty obscure domain names, only to have the domains purchased by someone 2 days later. It appears whoever bought them was just tasting them because the domains became available again a few weeks later. But it does show that someone is sharing/selling data.

    I've never trusted Network Solutions, I used to trust GoDaddy, but after that I've switched everything over to PairNIC. The one and only web host I trust running the now one and only registrar I trust.
  • Re:Data mining (Score:4, Interesting)

    by elronxenu ( 117773 ) on Friday December 28, 2007 @03:57PM (#21842236) Homepage
    They could stop the domain tasters in one minute by ... making all registrations irreversible.

    The stated reason for allowing retraction of registrations is to allow mistakes to be corrected. But with domains costing just a few dollars to register for a year, how much harm is done by making the customer pay for such mistakes? Answer - none at all. Meanwhile unscrupulous domain tasters are registering, and then returning, millions of domains a day for free.

    The DNS marketplace has probably the most widespread corruption of any economy in the world today.

  • Easier solution (Score:5, Interesting)

    by suggsjc ( 726146 ) on Friday December 28, 2007 @04:28PM (#21842468) Homepage
    Beat the scammers at their own game. Set up an automated script that does whois lookups for random combinations of words. More or less just flood them with requests and they won't be able to tell which ones are legit lookups. Whoever the douchebag is, will either eventually run out of money, or have to expend more time to improve his algorithm, or just blacklist your ip.
  • by murdocj ( 543661 ) on Friday December 28, 2007 @04:43PM (#21842640)

    I am positive this happened to me, and I only used the whois command from the OpenBSD command line to look the domain up. It was not a domain name that I can imagine anyone else wanting, but it was fairly short. Two days later (after checking with my client) I went to register it and it had been taken. I became immediately suspicious. Three days after that, I see this story...

    Just to present a counterpoint: a couple of years ago, the opposite happened to me. I registered a domain name based on the name of my character in an online game. It was certainly an unusual name that I had never run into.

    A few days later, I got a somewhat angry email from someone wanting to know why I had taken that name, because it was their surname, and they had planned on registering it. Once I explained the situation the guy calmed down and all was well.

    But the moral is that it is quite possible that someone, completely innocently, took the domain you were researching, within a day or so of you doing it, because that's exactly what happened with my domain. In my case, I just got lucky... 2 days later, the domain would have been gone.

  • by plover ( 150551 ) * on Friday December 28, 2007 @04:54PM (#21842768) Homepage Journal
    That's the exact "offense" needed to fight this.

    These are the steps that should be taken:

    • Identify domain squatters. Should be easy, they're the ones holding the domains.
    • Become a "taste tester." Use the squatters' DNS servers to taste thousands of random names daily, both directly and via unethical ISPs or search engines.
    • Exchange your list of random names with other taste testers.
    • Attempt to access all the random names from everyone's lists, at least daily for the next 91 days.
    • Once the domain squatters identify the taste testers, the squatters will be forced to exclude the taste testers from their automated harvesting, or will be spending millions of dollars registering utter crap.
    • The taste tester network could offer "safe testing services" for legitimate searchers.
    This could all be automated in a series of fairly simple scripts. What would be needed would be the widespread distribution and coordination of the random lists.

    The nice thing about the scheme is that squatters could be aware of and even secretly participate in it and it would still work. They'd have no better chance of identifying legitimate queries from random queries. And they can't exactly poison random data.

  • Re:Data mining (Score:4, Interesting)

    by v1 ( 525388 ) on Friday December 28, 2007 @05:14PM (#21842970) Homepage Journal
    Scenario: you go to your fav registrar, regme.com, and test for bluetulipsandmore.com and it's available. regme.com locks it and sits on it for a few days. They see another query for it on their site 2 days later, probably from you as a followup test. This taste moves bluetulipsandmore.com to a second list they are keeping. They sell this second list to some scum they do business with, including bluetulipsandmore.com and about 8,000 other addresses that have been "tasted" in the last few weeks. The scum looks over the list of interesting unregistered (but reserved) domains, and cherry picks 100 of them to actually register, including your beloved bluetulipsandmore.com. Now you go to register it and poof, it's already registered. You go to that site and find it's been parked and has a convenient link to email gimmebackmydomain@gmail.com where you can purchase the domain after they do a background check on you to find out how much they can squeeze out of you. Instead of registering the link for $7 or so, you fork over $200 for it since you don't have any other choice. regme.com sees a $20 cut of that a month later.

    THIS is one of the things they are trying to prevent.
  • Re:we got tasted.. (Score:3, Interesting)

    by Frank T. Lofaro Jr. ( 142215 ) on Friday December 28, 2007 @07:35PM (#21844228) Homepage
    Bogus whois is cause for domain cancellation.
