Latest news of the domain name industry

Recent Posts

Namecheap and others banning coronavirus domains

Kevin Murphy, March 26, 2020, Domain Registrars

Anyone wanting to buy a coronavirus-related domain for scamming purposes won’t be able to do it via Namecheap, which has preemptively banned keyword domains on its storefront.

For the last several days, the registrar has rejiggered its web site to prevent customers adding domains containing certain keywords — such as “coronavirus” or “covid” or “vaccine” — to their shopping carts.

The company said today that customers wishing to register such domains for legitimate purposes can continue to do so by calling up Namecheap customer service and having the name registered manually.

CEO Richard Kirkendall said in an email to customers that Namecheap is also “actively working with authorities to both proactively prevent, and take down, any fraudulent or abusive domains or websites related to COVID19”.

A GoDaddy spokesperson told DI this week that it has also taken down domains when alerted to their usage as coronavirus scams.

Meanwhile, .uk registry Nominet said that it has added keywords such as “coronavirus” and “covid” to its Domain Watch initiative, the same semi-automated system it uses to flag and suspend phishing and “rape” domains preemptively at point of registration. Nominet said:

Those that look suspicious — based on our algorithm and then a manual check — are suspended until we see evidence of good intentions from the registrants.

So far, we have suspended over 180 domains while we conduct this extra due diligence. A small proportion responded to our satisfaction and had their domain names reactivated. It’s highly likely that those who did not respond were intending to use their domains to manipulate a public in need of information.

Another domain company taking action is aftermarket site Dan.com, which today said on Twitter that it will remove all coronavirus related domains from its marketplace.

Namecheap is also offering some customers payment flexibility when it comes to some products — largely non-domain products such as hosting — if they can convince customer service reps of their coronavirus-related financial hardship.

“I urge you not to abuse this offer, please allow it to be used by those who need it most, who are otherwise unable to pay,” Kirkendall wrote.

Verisign, the .com registry, yesterday hinted that it will be offering its registrars some similar flexibility, which one assumes could be passed on to registrants.

US officials gunning for coronavirus domains

Kevin Murphy, March 24, 2020, Domain Registrars

US state and federal law enforcement are pursuing domain names being used to push bogus products and misinformation related to coronavirus Covid-19.

In separate actions, the US Department of Justice forced Namecheap to take down a scam site that was allegedly using fear of coronivirus to hoodwink visitors out of their cash, while the New York Attorney General has written to registrars to demand they take action against similar domains.

The DoJ filed suit (pdf) against the anonymous “John Doe” registrant of coronavirusmedicalkit.com on Saturday and on Sunday obtained a temporary restraining order obliging Namecheap to remove the DNS from the domain and lock it down, which Namecheap seems to have done.

Namecheap is not named as a defendant, but the complaint notes that the DoJ had requested the domain be taken down on March 19 and no action had been taken by the evening of March 21.

The web site in question allegedly informed visitors that the World Health Organization was giving away free coronavirus vaccines to anyone prepared to pay a $4.95 shipping fee by handing over their credit card details.

This is an identity theft scam and wire fraud, the complaint says.

Meanwhile, NYAG Letitia James has sent letters, signed by IT chief Kim Berger, to several large US registrar groups — including GoDaddy, Dynadot, Name.com, Namecheap, Register.com, and Endurance — to ask them to “stop the registration and use of internet domain names by individuals trying to unlawfully and fraudulently profit off consumers’ fears around the coronavirus disease”.

In the letter to GoDaddy (pdf), Berger asks for a “dialogue” on the following preventative measures:

  • The use of automated and human review of domain name registration and traffic patterns to identify fraud;
  • Human review of complaints from the public and law enforcement about fraudulent or illegal use of coronavirus domains, including creating special channels for such complaints;
  • Revising your terms of service to reserve aggressive enforcement for the illegal use of coronavirus domains; and
  • De-registration of the domains cited in the articles identified above that were registered at GoDaddy, and any holds in place on registering new domains related to coronavirus, or similar blockers that prevent rapid registration of coronavirus-related domains.

In other words: try to stop these domains being registered, and take them down if they are.

No specific malicious sites are listed in the letter. Rather, Berger cites a study by Check Point Software that estimates that something like 3% of the more than 4,000 coronavirus-related domains registered between January and March 5 are “malicious” in nature.

More domain industry response to coronavirus

Kevin Murphy, March 18, 2020, Domain Registrars

It’s beginning to look like home-working has become the norm, rather than the exception, in the domain name industry.

Following on my post Monday, here are the latest companies and organizations to provide updates on their responses to the coronavirus pandemic.

  • ICANN has told its staff in Brussels, Geneva and Singapore to work from home, while recommending that its guys in Istanbul, LA and Washington DC do the same. Staff in Montevideo and Nairobi, where confirmed cases of the virus are pretty light, will carry on as normal for now. The edict will be in effect until March 31. One imagines there’s a good chance it could be renewed.
  • In the UK, Nominet said yesterday that it has “initiated home-working across all our teams from today” and expects “business as usual”. All in-person events through the end of May have been postponed.
  • In Ireland, registry IEDR said that it closed its offices in Dublin on Friday and may reopen March 30, pending further government guidance. Like other registries, IEDR said it’s already well-equipped for staff to work remotely.
  • Also in Ireland, registrar Blacknight Solutions tells me its team are also now working from home.
  • Canada-based registrar Tucows said: “On Sunday March 8, Tucows’ executive leadership announced that all employees who could conceivably work from home were encouraged to do so in the week that followed. On Monday, it looked like an overabundance of caution but by Thursday morning it seemed prescient.” While there is expected to be no impact to the registrar side of the house, the Ting Internet ISP arm has cancelled and rescheduled all home egineering visits, which obviously could cause customer disruption.
  • French registrar Gandi, operating under some of the world’s most stringent government guidelines, said yesterday its staff are naturally enough now all working from home.
  • Not strictly domain industry, but the World Intellectual Property Organization said yesterday it has limited access to its Geneva headquarters to only “essential” staff.
  • US-based registrar MarkMonitor said Monday it has implemented a remote-working regime for its staff.

Given how dog-bites-man such announcements have rapidly become, I doubt I’ll be following up this series of posts again, unless something truly extraordinary happens. It’s pretty safe to assume that before long almost everyone in the industry will be working from home.

GoDaddy cancels in-person investor day over coronavirus fears

Kevin Murphy, March 13, 2020, Domain Registrars

GoDaddy has followed in the footsteps of many other companies and organizations, cancelling a large in-person meeting to avoid exacerbating the coronavirus pandemic.

The market-leading registrar, listed on the New York Stock Exchange, announced this week that will host its investor day, scheduled for April 2, as a webcast only, out of “concern for the health and well-being of participants and attendees”.

There had been planned a face-to-face component in New York, but that will no longer go ahead.

New York’s mayor this week slapped a ban on public gatherings of over 500 people, but GoDaddy’s announcement predates that edict.

The news came as ICANN conducted its first-ever online-only public policy meeting.

Facebook WILL sue more registrars for cybersquatting

Kevin Murphy, March 13, 2020, Domain Registrars

Facebook has already sued two domain name registrars for alleged cybersquatting and said yesterday that it will sue again.

Last week, Namecheap became the second registrar in Facebook’s legal crosshairs, sued in in its native Arizona after allegedly failing to take down or reveal contact info for 45 domains that very much seem to infringe on its Facebook, Instagram and WhatsApp trademarks.

In the complaint (pdf), which also names Namecheap’s Panama-based proxy service Whoisguard as a defendant, the social media juggernaut claims that Whoisguard and therefore Namecheap is the legal registrant for dozens of clear-cut cases of cybersquatting including facebo0k-login.com, facebok-securty.com, facebokloginpage.site and facebooksupport.email.

In a brief statement, Facebook said these domains “aim to deceive people by pretending to be affiliated with Facebook apps” and “can trick people into believing they are legitimate and are often used for phishing, fraud and scams”.

Namecheap was asked to reveal the true registrants behind these Whoisguard domains between October 2018 and February 2020 but decline to do so, according to Facebook.

The complaint is very similar to one filed against OnlineNIC (pdf) in October.

And, according to Margie Milam, IP enforcement and DNS policy lead at Facebook, it won’t be the last such lawsuit.

Speaking at the second public forum at ICANN 67 yesterday, she said:

This is the second in a series of lawsuits Facebook will file to protect people from the harm caused by DNS abuse… While Facebook will continue to file lawsuits to protect people from harm, lawsuits are not the answer. Our preference is instead to have ICANN enforce and fully implement new policies, such as the proxy policy, and establish better rules for Whois.

Make no mistake, this is an open threat to fence-sitting registrars to either play ball with Facebook’s regular, often voluminous requests for private Whois data, or get taken to court. All the major registrars will have heard her comments.

Namecheap responded to its lawsuit by characterizing it as “just another attack on privacy and due process in order to strong-arm companies that have services like WhoisGuard”, according to a statement from CEO Richard Kirkendall.

The registrar has not yet had time to file its formal reply to the legal complaint, but its position appears to be that the domains in question were investigated, found to not be engaging in nefarious activity, and were therefore vanilla cases of trademark infringement best dealt with using the UDRP anti-cybersquatting process. Kirkendall said:

We actively remove any evidence-based abuse of our services on a daily basis. Where there is no clear evidence of abuse, or when it is purely a trademark claim, Namecheap will direct complainants, such as Facebook, to follow industry-standard protocol. Outside of said protocol, a legal court order is always required to provide private user information.

UDRP complaints usually take several weeks to process, which is not much of a tool to be used against phishing attacks, which emerge quickly and usually wind down in a matter of a few days.

Facebook’s legal campaign comes in the context of an ongoing fight about access to Whois data. The company has been complaining about registrars failing to hand over customer data ever since Europe’s GDPR privacy regulation came into effect, closely followed by a new, temporary ICANN Whois policy, in May 2018.

Back then, its requests showed clear signs of over-reach, though the company claims to have scaled-back its requests in the meantime.

The lawsuits also come in the context of renewed attacks at ICANN 67 on ICANN and the domain industry for failing to tackle so-called “DNS abuse”, which I will get to in a follow-up article.

Chinese registrars ask ICANN to waive fees due to Coronavirus

Almost 50 registries and registrars based in China have asked ICANN to temporarily waive its fees due to the economic impact they say Covid-19 — the new Coronavirus — is having on them.

They’ve all put their names to a February 21 letter (pdf) that ICANN published over the weekend, saying they “believe that it’s essential that ICANN provides immediate fee waiver to registries and registrars in China”.

The letter, signed by more than half of the currently accredited registrars in China, notes the cancellation of the Cancun public meeting, adding:

We highly respect and welcome ICANN’s approach to keep our community safe. Meanwhile, the contracted parties in China, including their staff, suppliers, and relevant business counterparts, are being hit and suffered by the 2019-nCoV in a much greater scale than in other countries and regions combined since January 2020. Many of the staff members have been restrained to perform sales and support functions at the level they are required to. There are significant delays in collections, payments and wire transfers. While we expect that the scale of 2019-nCoV could not go greater, the business growth estimate in 2020 has been jeopardized and the time of recovery can be very long.

While domestic aid on tax, rentals, etc. are being discussed and confirmed, we believe that it’s essential that ICANN provides immediate fee waiver to registries and registrars in China. The waiver of 2020 fees, including annual fees and transaction fees, will greatly help stabilize our business in the difficult time.

This is not a small ask. ICANN collects fees based on transaction volume, and many millions of transactions originate in China. That’s particularly true in the new gTLD space, where China dominates.

The Chinese companies say that ICANN could afford to waive the fees due to the money they say ICANN will save by cancelling Cancun and other international travel.

My hunch is that ICANN won’t agree to these demands. While China is currently undoubtedly disproportionately affected by Covid-19, that situation is rapidly changing.

In the coming weeks and months it’s quite possible — worst-case scenario — the rest of the world could be similarly affected. Is ICANN prepared to set a precedent that could see it sacrifice its entire annual budget? I doubt it.

All previous requests for ICANN to waive its fees for various other reasons have been denied.

Registrar terminated after what looks like domain hijacking

Kevin Murphy, January 10, 2020, Domain Registrars

ICANN has canned its first registrar of the year.

Los Angeles-based World Biz Domains will be going out of bizness after ICANN terminated its registrar contract earlier this week, following its non-responsiveness to what appears to be case of domain hijacking.

It’s a nothing registrar, with fewer than 100 domains under management, but it once had over 5,000.

The termination comes following the suspension I blogged about in October, which was related to the transfers to World Biz of 15 potentially valuable domains in late 2018.

The names were all either short numerics or the names of famous places in Singapore and Malaysia.

ICANN spent most of last year demanding records showing that the transfers were legit, but was ghosted.

World Biz allegedly also had failed to deliver Whois records in the proper format, and was behind on its ICANN accreditation fees.

The company will lose its accreditation officially on January 22.

GoDaddy girls often make more money than the men

Kevin Murphy, December 12, 2019, Domain Registrars

Women in some roles at GoDaddy are making more money than their male counterparts, according to data released by the registrar today.

In technical positions in the US, female employees are making on average $1.03 for every $1 men make, GoDaddy said. Women in leadership positions make two cents more than men.

But women in non-techie, non-leadership jobs make a penny less than males, the company said.

“The 2019 global salary data shows that GoDaddy is paying men and women at parity across the company, when comparing men and women in like roles,” GoDaddy said.

The new data also shows that 29% of GoDaddy employees globally are female, which is the same as last year.

But the proportion of women in technical jobs decreased by two points to 17%.

Meanwhile, 36% of non-technical roles are staffed by women, up one point from 2018.

In the US, the female contingent was a little higher — 30% overall, 19% of techies and 37% of non-techies.

The male-female mix at GoDaddy appears to be in the same ballpark as what we generally see with attendance statistics coming out of ICANN meetings — roughly 70/30.

GoDaddy started publishing this data five years ago as part of a plan to foster diversity, reduce unconscious bias, and generally get away from its roguish foundational image as a company that flogged millions of domains with “GoDaddy Girls” — usually busty spokesmodels in skimpy clothing.

AlpNames died months ago. Why is it still the “most-abused” registrar?

Kevin Murphy, December 6, 2019, Domain Registrars

Despite going out of business, being terminated by ICANN, and losing all its domains several months ago, defunct AlpNames is still being listed as the world’s most-abused registrar by a leading spam-fighting organization.

SpamHaus currently ranks the Gibraltar-based company as #1 on its list of the “The 10 Most Abused Domain Registrars”, saying 98.7% of its domains are being used to send spam.

But AlpNames customers and regular DI readers will recall that AlpNames mysteriously went titsup in March, then got terminated by ICANN, then had its entire customer base migrated over to CentralNic in April.

So what’s this about?

SpamHaus

I asked SpamHaus earlier this week, and it turns out that Whois query throttling is to blame.

It seems SpamHaus only pings Whois to update the registrar associated with a specific domain when the domain expires, or the name servers change, or where it’s a new registration with an unknown registrar.

I gather that when CentralNic took over AlpNames’ customer base, it did so with all the original name server information intact.

So, SpamHaus’ database still associates the domains with AlpNames even though it’s been out of business for the better part of a year.

A SpamHaus spokesperson said:

This is a very unusual situation, as a huge majority of the domains that contribute to the Top 10 list in question are created, abused, and burnt quickly; meaning a change of registrar is exceptionally rare. However, in the case of these particular domains registered with AlpNames we can only assume that the sheer volume of unused domains was too high for the owner to use in one single hit.

The actual number of “AlpNames” domains rated as spammy by SpamHaus is pretty low — 1,976 of the 2,002 domains it saw were rated as “bad”.

GMO, at #4 on the list, had over 40,000 “bad” domains, but a lower percentage given the larger number of total domains seen.

Web.com got pwned

Kevin Murphy, November 4, 2019, Domain Registrars

Web.com, which owns top 20 registrars Network Solutions and Register.com, got itself and millions of its customers hacked a few months ago.

The company disclosed last week that malicious hackers broke into its network in late August, making off with customer account information.

The attack was not discovered until October 16.

The compromised data included “name, address, phone numbers, email address and information about the services that we offer to a given account holder”, Web.com said.

“We encrypt credit card numbers and no credit card data was compromised as a result of this incident,” it added.

Customers are being told to change their password next time they log in to their services.

It’s not clear how many registrants were affected. The NetSol accreditation has over seven million domains in the gTLDs alone, while Register.com has almost 1.8 million.

Web.com said it brought on a private security firm to investigate the attack, and informed US law enforcement.