Latest news of the domain name industry

Recent Posts

.music update: I’m calling it for Costa

Kevin Murphy, April 10, 2019, Domain Registries

Amazon has pulled out of the fight for the .music gTLD, and I’m ready to call the race.

In full knowledge that this could be my “Dewey Defeats Truman” moment, it seems to me the balance of evidence right now is strongly pointing to a win for DotMusic over sole remaining rival bidder MMX.

The contention set originally had eight applicants, but six — Google, Donuts, Radix, Far Further, Domain Venture Partners and last night Amazon — have withdrawn over the last week or so.

This is a sure sign that the battle is over, and that the rights to .music have been auctioned off.

The two remaining applicants yet to withdraw are DotMusic Ltd, the Cyprus-based company founded and managed by music enthusiast and entrepreneur Constantinos Roussos, and Entertainment Names Inc, a joint venture managed by MMX (aka Minds + Machines).

One of them will withdraw its application soon, and my money’s on MMX.

Neither company will talk to me about the result.

But, as I observed Monday, DotMusic has recently substantially revamped its web site, and appears to be accepting “pre-registrations” for .music domains. These are not the actions of a loser.

MMX, on the other hand, has never shared Roussos’ public enthusiasm for .music and has never been particularly enthusiastic about winning private gTLD auctions, usually preferring instead to enjoy the proceeds of losing.

There are only two wildcard factors at play here that may soon make me look foolish.

First, the joint venture partner for Entertainment Names is an unknown quantity. Its two directors, listed in its .music application, are a pair of Hollywood entertainment lawyers with no previous strong connection to the ICANN ecosystem. I’ve no idea what their agenda is.

Second, MMX did not mention .music once in the “Post Period Highlights” of its recently filed 2018 financial results statement. It did mention the resolution of the .gay and .cpa contention sets, but not .music.

That filing came out April 3, at least a few days after the contention set had been won, but I’m assuming that the tight timing and/or non-disclosure agreements are probably to blame for the lack of a mention for .music.

So, on balance, I’m calling it for Roussos.

With a bit of luck we’ll have confirmation and maybe a bit of detail about potential launch dates before the week is out.

Did Roussos pull off the impossible? Google, Donuts, Radix all drop out of .music race

Google won’t be the registry for the .music gTLD.

The company, along with pure-play registries Donuts and Radix, late last week withdrew their respective applications from the .music contention set, leaving just three possible winners in the running.

Those are Amazon, MMX, and DotMusic, the company run by long-time .music fanboy Constantinos Roussos.

As I blogged last week, applications from Domain Venture Partners and Far Further have also been withdrawn.

I suspect, but do not know for a fact, that the contention was settled with a private deal, likely an auction, recently.

The logical guess for a winner would be Amazon, if only because of the nexus of its business to the music industry and the amount of money it could throw at an auction.

But I’m beginning to suspect that DotMusic might have prevailed.

The company appears to have recently revamped its web site, almost as if it’s gearing up for a launch.

Comparing the current version of music.us to versions in Google’s cache, it appears that the site has been recently given a new look, new copy and even a new logo.

It’s even added a prominent header link inviting prospective resellers to sign up, using a form that also appears to have been added in the last few weeks.

These changes all seem to have been made after the crucial ICANN vote that threw out the last of DotMusic’s appeals, March 14.

Are those the actions of an applicant resigned to defeat, or has Roussos pulled off the apparently impossible, defeating two of the internet’s biggest companies to one of the industry’s most coveted and controversial strings?

Participants in gTLD auctions typically sign NDAs, so we’re going to have to wait a bit longer (probably no more than a few days) to find out which of the remaining three applicants actually won.

Looks like .music is finally on its way

The hard-fought battle for .music appears to be over.

I’m not yet in a position to tell you which of the eight applicants for the new gTLD has been successful, but I can tell you some of those who were not.

Two applicants have this week withdrawn their bids, an almost certain sign that the contention set has been privately settled.

The first applicant to ditch its bid was dot Music Ltd, an application vehicle of Domain Venture Partners (we used to call this outfit Famous Four Media, but that’s changed).

The other is .music LLC, also known as Far Further.

We can almost certainly expect all but one of the remaining applicants to withdraw their applications over the coming days.

Applicants typically sign NDAs when they settle contention privately, usually via an auction.

Far Further was one of two unsuccessful “community” applicants for .music. It had the backing of dozens of music trade groups, including the influential Recording Industry Association of America. Even Radiohead’s guitarist chipped in with his support.

Evidently, none of these groups were prepared to fund Far Further to the extent it could win the .music contention set.

The .music contention set has been held up by the continuing protestations of the other community applicant, DotMusic Limited, the company run by long-time .music cheerleader Constantinos Roussos.

After DotMusic lost its Community Priority Evaluation in 2016, on the basis that the “community” was pretty much illusory under ICANN rules, it started to complain that the process was unfair.

The applicant immediately filed a Request for Reconsideration with ICANN.

.music then found itself one of several proposed gTLDs frozen while ICANN conducted an outside review of alleged irregularities in the CPE process.

That review found no impropriety in early 2018, a verdict DotMusic’s lawyer dismissed as a “whitewash”.

It has since stalled the process several times with requests for information under ICANN’s Documentary Information Disclosure Policy, and more RfRs when those requests were denied.

But this series of appeals finally came to an end March 14, when ICANN’s board of directors finally ruled against DotMusic’s 2016 RfR.

That appears to have opened up the .music set for private resolution.

So who won? I don’t know yet, but the remaining applicants are: DotMusic itself, Google, Amazon, MMX, Donuts and Radix.

There are certainly two very deep-pocketed companies on that list. Could we be looking at Google or Amazon as the new proprietors of .music?

If either of those companies has won, prospective registrants might find they have a long wait before they can pick up a .music domain. Neither of these giants has a track record of rushing its new gTLDs to market.

If the victor is a conventional gTLD registry, we’d very probably be looking at a launch in 2019.

Radix sees revenue up 30%

Kevin Murphy, March 12, 2019, Domain Registries

New gTLD registry Radix said today that its revenue increased by 30% in 2018, largely due to an end-of-year boost.

The company, which runs nine gTLDs including .online and .site, said that gross revenue was $16.95 million last year.

It added that net profit was up 45.6%, but the privately held company does not actually disclose the dollar value of its bottom line.

Radix said that the fourth quarter of the year, which presumably saw the benefits of Operation September Thrust, was its strongest quarter.

The company said that 27% of its revenue came from standard-price new registrations and 60% from renewals.

Its premiums brought in $1.9 million, 56% of which were premium renewals.

Phishing still on the decline, despite Whois privacy

Kevin Murphy, March 5, 2019, Domain Policy

The number of detected phishing attacks almost halved last year, despite the fact that new Whois privacy rules have made it cheaper for attackers to hide their identities.

There were 138,328 attacks in the fourth quarter of 2018, according to the Anti-Phishing Working Group, down from 151,014 in Q3, 233,040 in Q2, and 263,538 in Q1.

That’s a huge decline from the start of the year, which does not seem to have been slowed up by the introduction in May of the General Data Protection Regulation and ICANN’s Temp Spec, which together force the redaction of most personal data from public Whois records.

The findings could be used by privacy advocates to demonstrate that Whois redaction has not lead to an increase in cybercrime, as their opponents had predicted.

But the data may be slightly misleading.

APWG notes that it can only count the attacks it can find, and that phishers are becoming increasingly sophisticated in how they attempt to avoid detection. The group said in a press release:

There is growing concern that the decline may be due to under-detection. The detection and documentation of some phishing URLs has been complicated by phishers obfuscating phishing URLs with techniques such as Web-spider deflection schemes – and by employing multiple redirects in spam-based phishing campaigns, which take users (and automated detectors) from an email lure through multiple URLs on multiple domains before depositing the potential victim at the actual phishing site.

It also speculates that criminals once involved in phishing may have moved on to “more specialized and lucrative forms of e-crime”.

The Q4 report (pdf) also breaks down phishing attacks by TLD, though comparisons here are difficult because APWG doesn’t always release this data.

The group found .com to still have the most phishing domains — 2,098 of the 4,485 unique domains used in attacks, or about 47%. According to Verisign’s own data, .com only has 40% market share of total registered domains.

But new, 2012-round gTLDs had phishing levels below their market share — 4.95% of phishing on a 6.83% share. This is actually up compared to the 3% recorded by APWG in Q3 2017, the most recent available data I could find.

Only two of the top 20 most-abused TLDs were new gTLDs — .xyz and .online, which had just 70 attack domains between them. That’s good news for .xyz, which in its early days saw 10 times as much phishing abuse.

After .com, the most-abused TLD was .pw, the ccTLD for Palau run by Radix as an unrestricted pseudo-gTLD. It had 374 attack domains in Q4, APWG said.

Other ccTLDs with relatively high numbers included several African zones run as freebies by Freenom, as well as the United Kingdom’s .uk and Brazil’s .br.

Phishing is only one form of cybercrime, of course, and ICANN’s own data shows that when you take into account spam, new gTLDs are actually hugely over-represented.

According to ICANN’s inaugural Domain Abuse Activity Reporting report (pdf), which covers January, over half of cybercrime domains are in the new gTLDs.

That’s almost entirely due to spam. One in 10 of the threats ICANN analyzed were spam, as identified by the likes of SpamHaus and SURBL. DAAR does not include ccTLD data.

The takeaway here appears to be that spammers love new gTLDs, but phishers are far less keen.

ICANN did not break down which gTLDs were the biggest offenders, but it did say that 52% of threats found in new gTLDs were found in just 10 new gTLDs.

This reluctance to name and shame the worst offenders prompted one APWG director, former ICANN senior security technologist Dave Piscitello, to harshly criticize his former employer in a personal blog post last month.