Latest news of the domain name industry

Recent Posts

Pop-ups boost most-popular new gTLD domains, and it’s not just .xyz any more

Kevin Murphy, January 26, 2015, Domain Registries

The .xyz and .country gTLDs are currently dominating the league table of most-popular new gTLDs, but massive pop-up advertising campaigns using junk domains can account for the majority of their leading sites.

Today, Amazon’s Alexa site popularity tool sees 2,425 new gTLD domains in its top one million. Of those, 163 are in the top 50,000 sites.

But almost two thirds of those 163 domains appear to be throwaways that receive traffic not because they’re attracting visitors, but because they’re used to serve pop-up advertising, in some cases via adware.

The trend has been visible for a few months now, restricted almost exclusively to .xyz, but over the last two weeks .country has also started to be used in this way.

That’s interesting because, unlike .xyz, .country is not a low-cost gTLD. Go Daddy currently sells it for $39.95 per year.

(UPDATE: As Andrew points out in the comments, Uniregistry is selling .country names for $1 for the first year, which almost certainly explains the .country bump.)

Almost 100 of the top 163 new gTLD domains comprise two unrelated dictionary words put together to make something nonsensical.

Domains such as iciclecellar.country, laborervolcano.country, classkitten.country, sweepstakesglove.country, rewardmen.country, installationdesk.country have recently joined have joined the likes of vasegiraffe.xyz, cactusstew.xyz, bedcrow.xyz, notebookwrist.xyz, wishgrass.xyz, pencilkite.xyz and basketriver.xyz on this list.

As far as I can tell, they’re all registered via Uniregistry and using its free Whois privacy service to mask the identities of the registrants.

Visiting these domains in your browser will either result in an error — where I suspect the site is checking the referrer before deciding whether to show a page — or will send you on a merry redirect chain that terminates in an affiliate marketing sign-up page.

Some of the domains have been discussed in online forums as serving up pop-up ads, which would account for large amounts of traffic and high popularity.

Some have alleged that they’ve seen adware serve up ads from some of these domains.

Pop-up ads may be annoying, but they’re legal and — unlike spam and malware — not usually a violation of gTLD registries’ terms of service.

Whether benefiting from adware would leave a registrant in violation of a registrar or registry’s ToS is also a fuzzy area.

But for the new gTLD industry, which is currently in a mindshare-building mode, this kind of use does not make for great optics. If internet users see new gTLDs most often in an unwanted context, it could impair their trust in the new gTLD environment.

4 Comments Tagged: , , , , , ,

Jeff Neuman quits Neustar for Valideus

Kevin Murphy, January 23, 2015, Domain Registries

Neustar’s top domain name guy is moving to UK new gTLD consultancy Valideus.

Jeff Neuman, who’s been with Neustar for over 15 years, will become Valideus’ senior vice president for North America, starting this coming Monday, according to Valideus managing director Nick Wood.

I don’t know who’s replacing him at Neustar, where he’s been in charge of the company’s domain name business for the last couple of years, overseeing the company’s business as a registry back-end provider and registry for New York’s .nyc new gTLD.

Neuman was previously Neustar’s longstanding VP of policy, a role which also saw him heavily involved in ICANN’s GNSO Council and Neustar’s application for and launch of .biz, back in 2000.

He’s been quite a pivotal and sometimes outspoken figure over the years.

Valideus is the new gTLD service provider sister company to Com Laude, the brand-focused registrar. It provides application consulting and ongoing registry/registrar management for dot-brand gTLD applicants and registries, Amazon among them.

I gather that Neuman will remain based in the US, as his new job title implies.

11 Comments Tagged: , , , ,

.gay is gay enough after all? ICANN overturns community panel decision

Kevin Murphy, January 22, 2015, Domain Registries

One of the applicants for .gay has won a significant battle in the fight for the controversial new gTLD.

In a shock move, a committee of ICANN’s board of directors has overturned the rejection of dotgay LLC’s Community Priority Evaluation, ordering that the case should be re-examined by a new panel of experts.

As you may recall, dotgay’s CPE was kicked out in October after the Economist Intelligence Unit panel decided that the company’s defined community was too broad to be described by “gay” as it included a lot of people who aren’t gay, such as straight people.

The decision — which I thought was probably correct — caused an uproar from dotgay’s myriad supporters, which include dozens of international equal rights and gay community organizations.

dotgay filed a Request for Reconsideration, ICANN’s cheapest but least reliable form of appeal, and today found out it actually won.

ICANN’s Board Governance Committee, which handles the RfR process, this week ruled (pdf):

The BGC concludes that, upon investigation of Requester’s claims, the CPE Panel inadvertently failed to verify 54 letters of support for the Application and that this failure contradicts an established procedure. The BGC further concludes that the CPE Panel’s failure to comply with this established CPE procedure warrants reconsideration. Accordingly, the BGC determines that the CPE Panel Report shall be set aside, and that the EIU shall identify two different evaluators to perform a new CPE for the Application

The successful RfR appears to be based on a technicality, and may have no lasting impact on the .gay contention set.

Under the EIU’s process rules: “With few exceptions, verification emails are sent to every entity that has sent a letter(s) of support or opposition to validate their identity and authority”.

It seems that the EIU was sent a bundle of 54 letters of support for dotgay, but did not email the senders to verify they were legit. The BCG wrote:

Over the course of investigating the claims made in Request 14-44, ICANN learned that the CPE Panel inadvertently did not verify 54 of the letters of support it reviewed. All 54 letters were sent by the Requester in one correspondence bundle, and they are publicly posted on ICANN’s correspondence page.36 The 54 letters were deemed to be relevant by the EIU, but the EIU inadvertently failed to verify them.

If an applicant wins a CPE it means all the other applicants are automatically excluded, and the door is now open for the EIU to rethink its earlier decision.

So do competing applicants Rightside, Minds + Machines and Top Level Design now have genuine cause for concern? Not necessarily.

CPE applicants need to score at least 14 out of 16 available points in order to win, and dotgay only scored 10 points in its original evaluation.

Crucially, the EIU panel said that because the “community” as defined by dotgay included transgender, intersex, asexual and straight “allies” of equal rights, it was too broad to score any of the available four points on the “Nexus” criteria.

The BCG could find no fault with the EIU’s determination on Nexus, so even if dotgay’s letters of support are verified according to procedure, it would not necessarily lead to dotgay picking up any more Nexus points.

The BCG wrote on Nexus: “Requester’s substantive disagreement with the CPE Panel’s conclusion does not support reconsideration”.

However, given that the EIU is going to do the entire CPE all over again with new panelists, it seems entirely possible that dotgay could win this time.

4 Comments Tagged: , , , , , , ,

Domain hijacking bug found in Go Daddy

Kevin Murphy, January 22, 2015, Domain Registrars

Go Daddy has rushed out a fix to a security bug in its web site that could have allowed attackers to steal valuable domain names.

Security engineer Dylan Saccomanni found several “cross site request forgery” holes January 17, which he said could be used to “edit nameservers, change auto-renew settings and edit the zone file entirely”.

He reported it to Go Daddy (evidently with some difficulty) and blogged it up, with attack code samples, January 18. Go Daddy reportedly patched its site the following day.

A CSRF vulnerability is where a web site fails to adequately validate data submitted via HTTP POST. Basically, in this case Go Daddy apparently wasn’t checking whether commands to edit name servers, for example, were being submitted via the correct web site.

Mitigating the risk substantially, attackers would have to trick the would-be victim domain owner into filling out a web form on a different site, while they were simultaneously logged into their Go Daddy accounts, in order to exploit the vulnerability, however.

In my experience, Go Daddy times out logged-in sessions after a period, reducing the potential attack window.

Being phishing-aware would also reduce your chance of being a victim.

I’m not aware of any reports of domains being lost to this attack.

Comment Tagged: , ,

NCC buys Open Registry for up to $22.6m — a gTLD registry now owns part of the TMCH

Kevin Murphy, January 20, 2015, Domain Registries

NCC Group has acquired registry back-end provider Open Registry in a deal that could be worth as much as £14.9 million ($22.6 million).

The deal means that NCC, which runs the new gTLD .trust via subsidiary Artemis Internet, now owns a back-end, a registrar and a piece of the Trademark Clearinghouse, in addition to its original core domain business of providing data escrow services to registries.

According to NCC, the acquisition is for a minimum of £7.9 million ($12 million), with the rest to be paid over three years if Open Registry meets performance targets.

Open Registry had revenue of €3.7 million ($4.3 million) in 2014, turning a profit of €15,000 ($17,300).

Its core business is as a back-end provider for new gTLD applicants. It has about 20 on its books, mostly European dot-brands and cities.

Part of the company’s business is CHIP, the Clearinghouse of Intellectual Property, which along with IBM and Deloitte runs the ICANN-sanctioned TMCH, which all new gTLD registries must use in their Sunrise and Trademark Claims launch periods.

It also owns a small registrar, Nexperteam, which has about 8,000 domains under management.

The Benelux company employs eight people.

Open Registry’s founding CEO Jean-Christophe Vignes joined Artemis as head of domain operations in 2013.

4 Comments Tagged: , , , , ,