Evidence of a possibly dodgy deal between XYZ.com and Network Solutions has emerged.
Court documents filed last week by Verisign suggest that the .xyz registry may have purchased $3 million in advertising in exchange for $3 million of .xyz domain names.
Among them are these two:
- Email from Negari to Andrew Gorrin re EPP Feed and billing directly for $3,000,000 in domains
- Credit Memo to Andrew from Negari “We have elected to pay for our $3MM Q2 advertising insertion order, which was dated May 20th with a credit…….” (5/31/14)
Gorrin is Web.com’s senior VP of marketing and Negari is Daniel Negari, XYZ.com’s CEO.
The documents these headings refer to are not public information, and are not likely to be any time soon, but they appear to refer to on the one hand XYZ billing NetSol for $3 million in domain names and on the other NetSol billing XYZ for $3 million in advertising.
Only one of the two document headings is dated, so we don’t know how closely they coincided.
Other headings, among the 446 documents Verisign wants to use at trial, suggest that they happened at pretty much the same time:
- Email from Andrew Gorrin to Ashley Henning (web.com) re Bulk Purchase of .xyz domains (5/29/14)
- Email from Andrew Gorrin to Negari re XYZ.Com Advertising IO and Marketing Agreement attaching signed agreements (5/20/14)
- Email string Ashley Henning to Christine Nagey, Andrew Gorrin, Edward Angstadt re Bulk Purchase of .XYZ Domains (5/30/14)
The emails Verisign cites were dated May 2014, shortly before .xyz went into general availability June 2.
What we seem to be looking at here — and I’m getting into speculative territory here — are references to two more or less simultaneous transactions, both valued at exactly $3 million, between the two parties.
Both companies have consistently refused to address the nature of their deal, citing NDAs.
As you recall, the vast majority of .xyz’s early registrations were provided by NetSol, which pushed hundreds of thousands of free .xyz domains into its customers’ accounts without their explicit consent.
The number of freebies is believed to be about 350,000, based on comments Negari recently made to The Telegraph, in which he stated that .xyz, which had about 850,000 domains in its zone at the time, would have 500,000 registrations if the freebies were excluded.
With a registry fee roughly equivalent to .com’s (.xyz’s is believed to be a little lower), 350,000 names would work out to roughly $3 million.
Negari has stated previously that every .xyz registration was revenue-generating, even the freebies.
Is it possible that NetSol paid XYZ’s registry fees using money XYZ paid it for advertising? Is it possible no money changed hands at all?
I’m not saying either company has done anything illegal, and it’s completely possible I’m completely misunderstanding the situation, but it does rather put me in mind of the old “round-trip” deals that tech firms used to dishonestly prop up their tumbling revenue at the turn of the century.
Back in 2000, the dot-com bubble was on the verge of popping, taking the US economy with it, and companies facing the decline of their businesses came up with “creative” ways to show investors that they were still growing.
AOL Time Warner, for example, “effectively funded its own online advertising revenue by giving the counterparties the means to pay for advertising that they would not otherwise have purchased”.
Regulators exercised their legal options in these cases only where there appeared to be dishonest accounting, and I’ve seen no evidence to suggest that XYZ or Web.com unit NetSol have failed to adhere to anything but the highest accounting standards.
Again, I’m not saying we’re looking at a “round-trip” deal here, and there’s not a great deal of evidence to go on, but it sure smells familiar.
Certainly, questions have been raised that Verisign did not raise in its initial complaint.
On a personal note, I’d like to disclose that among the documents Verisign demanded from XYZ are dozens of pages of previously confidential emails exchanged between myself and Negari.
I’ve read them, and they’re mostly heated arguments about a) his refusal to give details about the NetSol deal and b) my purported lack of journalistic integrity whenever I published a post about .xyz with an even slightly negative angle.
XYZ had no choice but to supply these emails. I can’t blame it for complying with its legal requirements.
I wasn’t the only affected blogger. Mike Berkens, Konstantinos Zournas, Rick Schwartz and Morgan Linton also had their private correspondence compromised by Verisign.
I don’t know how they feel about this violation, but in my view this shows Verisign’s contempt for the media and its disregard for the sanctity of off-the-record conversations between reporters and their sources.
And that’s what I have to say about that.
The registries behind .pro and .cat have agreed to new ICANN contracts with changes that, among other things, would bring the Uniform Rapid Suspension policy to the two gTLDs.
Both gTLD Registry Agreements expire this year. Proposed replacement contracts, based heavily on the base New gTLD Registry Agreement, have been published by ICANN for public comment.
They’re the second and third pre-2012 gTLDs to agree to use URS, which gives trademark owners a simpler, cheaper way to have infringing domains yanked.
Two weeks ago, .travel agreed to the same changes, which drew criticisms from the organization that represents big domain investors.
Phil Corwin of the Internet Commerce Association is worried that ICANN is trying to make URS a de facto consensus policy and thereby bring it to .com, which is still where most domainers have most of their assets.
Following DI’s report about .travel, Corwin wrote last week:
this proposed Registry Agreement (RA) contains a provision through which staff is trying to preempt community discussion and decide a major policy issue through a contract with a private party. And that very big issue is whether Uniform Rapid Suspension (URS) should be a consensus policy applicable to all gTLDs, including incumbents like .Com and .Net.
ICANN needs to hear from the global Internet community, in significant volume, that imposing the URS on an incumbent gTLD is unacceptable because it would mean that ICANN staff, not the community, is determining that URS should be a consensus policy and thereby undermining the entire bottom-up policy process. Domain suspensions are serious business – in fact they were at the heart of the SOPA proposal that inspired millions of emails to the US Congress in opposition.
The concern about .com may be a bit over-stated.
Verisign’s current .com contract is presumptively renewed November 2018 provided that it adopts terms similar to those in place at the five next-largest gTLDs.
Given that .net is the second-largest gTLD, and that .net does not have URS, we’d have to either see .net’s volume plummet or at least five new gTLDs break through the 15 million domains mark in the next three years, both of which seem extraordinarily unlikely, for .com to be forced to adopt URS.
However, if URS has become an industry standard by then, political pressure could be brought to bear regardless.
Other changes to .pro and .cat contracts include a change in ICANN fees.
While .pro appears to have been on the standard new gTLD fee scheme since 2012, .cat is currently paying ICANN $1 per transaction.
Under the new contract, .cat would pay $0.25 per transaction instead, but its annual fixed fee would increase from $10,000 to $25,000.
New gTLDs are not yet being widely used to carry out phishing runs, but most such attacks are concentrated in .xyz.
That’s one of the conclusions of the Anti-Phishing Working Group, which today published its report for the second half of 2014.
Phishing was basically flat in the second half of the year, with 123,972 recorded attacks.
The number of domains used to phish was 95,321, up 8.4% from the first half of the year.
However, the number of domains that were registered maliciously in order to phish (as opposed to compromised domains) was up sharply — by 20% to 27,253 names.
In the period, 272 TLDs were used, but almost 54% of the attacks used .com domains. In terms of maliciously registered domains, .com fared worse, with over 62% share.
According to APWG, 75% of maliciously registered domains were in .com, .tk, .pw, .cf and .net.
Both .tk and .cf are Freenom-administered free ccTLDs (for Tokelau and the Central African Republic) while low-cost .pw — “plagued” by Chinese phishers — is run by Radix for Palau.
New gTLDs accounted for just 335 of the maliciously registered domains — 1.2% of the total.
That’s about half of what you’d expect given new gTLDs’ share of the overall domain name industry.
Twenty-four new gTLDs had malicious registrations, but .xyz saw most of them. APWG said:
Almost two-thirds of the phishing in the new gTLDs — 288 domains — was concentrated in the .XYZ registry. (Of the 335 maliciously registered domains, 274 were in .XYZ.) This is the first example of malicious registrations clustering in one new gTLD, and we are seeing more examples in early 2015.
XYZ.com aggressively promoted cheap or free .xyz names during the period, but APWG said that only four .xyz phishing names were registered via freebie partner Network Solutions.
In fact, APWG found that most of its phishing names were registered via Xin Net and used to attack Chinese brands.
But, normalizing the numbers to take account of different market shares, .xyz shapes up poorly when compared to .com and other TLDs, in terms of maliciously registered domains. APWG said:
XYZ had a phishing-per-10,000-domains score of 3.6, which was just slightly above the average of 3.4 for all TLDs, and lower than .COM’s score of 4.7. Since most phishing domains in .XYZ were fraudulently registered and most in .COM compromised, .XYZ had a significantly higher incidence of malicious domain registrations per 10,000 coming in at 3.4 versus 1.4 for .COM.
APWG said that it expects the amount of phishing to increase in new gTLDs as registries, finding themselves in a crowded marketplace, compete aggressively on price.
It also noted that the amount of non-phishing abuse in new gTLDs is “much higher” than the phishing numbers would suggest:
Tens of thousands of domains in the new gTLDs are being consumed by spammers, and are being blocklisted by providers such as Spamhaus and SURBL. So while relatively few new gTLD domains have been used for phishing, the total number of them being used maliciously is much higher.
The number of maliciously registered domains containing a variation on the targeted brand was more or less flat, up from 6.6% to 6.8%.
APWG found that 84% of all phishing attacks target Chinese brands and Chinese internet users.
The APWG report can be downloaded here.
UPDATE: XYZ.com CEO Daniel Negari responded to the report by pointing out that phishing attacks using .xyz have a much shorter duration compared to other TLDs, including .com.
According to the APWG report, the average uptime of an attack using .xyz is just shy of 12 hours, compared to almost 28 hours in .com. The median uptime was a little over six hours in .xyz, compared to 10 hours in .com.
Negari said that this was due to the registry’s “aggressive detection and takedowns”. He said XYZ has three full-time employees devoted to handling abuse.
The vast majority of top-level domain registries could soon be banned from selling domains into China due to a reported crackdown under a decade-old law.
That’s according to Allegravita, a company that helps registries with their go-to-market strategies in the country.
Allegravita released a report last week claiming that Chinese registrars will be forbidden to sell domains in TLDs that are not on a government-approved list.
The crackdown could come as early as July, the report says:
Foreign registries which have not applied for Chinese market approval are advised to do so in the near term, as unapproved Top-Level Domains are likely to be taken off the market from July this year.
As of April 30, there were only only 14 TLDs on the approved list. All of them are run by Chinese registries and only five do not use Chinese script.
Not on the list: every legacy gTLD, including .com, as well as every ccTLD apart from .cn.
The Draconian move is actually the implementation of regulations introduced by China’s Ministry of Industry and Information Technology over a decade ago but not really enforced since.
As I reported in December, Donuts was facing problems launching its Chinese-script gTLDs due to this red tape.
MIIT announced in 2012 that new gTLD applicants would need licenses to sell into China.
According to Allegrevita, which until recently was working heavily with TLD Registry (“.chinesewebsite”) on its entry into the country, it’s “no longer ambiguous” that MIIT has asserted full oversight of the domain industry in China.
MIIT’s crackdown appears to be focused on the 93 Chinese registrars it has approved to do business.
Allegravita says these companies will not be allowed to sell unapproved TLD domains to Chinese registrants, but that existing registrations will be grandfathered:
by sometime in July 2015, the MIIT will not permit unapproved registries to operate or offer their domains for sale in China. The MIIT will not interfere with existing domain registrations for unapproved registries; however, new registrations will not be permitted to be sold by Chinese registrars to Chinese registrants.
Presumably, non-Chinese registrars will reap the benefits of this as Chinese would-be registrants look elsewhere to buy their domains.
China is an important market for many registries, particularly the low-cost ones.
Judging by MIIT’s web site, getting approval to sell your TLD in China involves a fairly stringent set of requirements, including having a local presence.
MIIT said in a press release last month that the “special action” is designed “to promote the healthy development of the Internet, to protect China’s Internet domain name system safe and reliable operation
Verisign has boosted its reportable .com domain count by almost 750,000 by starting to count expired and suspended names.
The change in methodology, which is a by-product of ICANN’s much more stringent Whois accuracy regime, happened on Friday afternoon.
Before the change, the company reported on its web site that there were 116,788,107 domains in the .com zone file, with another 167,788 names that were registered but not configured.
That’s a total of 116,955,895 domains.
But just a few hours later, the same web page said .com had a total of 117,704,800 names in its “Domain Name Base”.
That’s a leap of 748,905 pretty much instantly; the number of names in the zone file did not move.
.net jumped 111,110 names to 15,143,356.
The reason for the sudden spikes is that Verisign is now including two types of domain in its count that it did not previously. The web page states:
Beginning with the first quarter, 2015, the domain name base on this website and in subsequent filings found in the Investor Relations site includes domains that are in a client or server hold status.
I suspect that the bulk of the 750,000 newly reported names are on clientHold status, which I believe is used much more often than serverHold.
The clientHold EPP code is often applied by registrars to domains that have expired.
However, registrars signed up to the year-old 2013 Registrar Accreditation Agreement are obliged by ICANN to place domains on clientHold status if registrants fail to respond within 15 days to a Whois verification email.
The 2013 RAA reads (my emphasis):
Upon the occurrence of a Registered Name Holder’s willful provision of inaccurate or unreliable WHOIS information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen (15) calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder’s registration, Registrar shall either terminate or suspend the Registered Name Holder’s Registered Name or place such registration on clientHold and clientTransferProhibited, until such time as Registrar has validated the information provided by the Registered Name Holder.
Last June, registrars claimed that the new policy — which came after pressure from law enforcement — had resulted in over 800,000 domains being suspended.
It’s an ongoing point of contention between ICANN, its registrars, and cops.
Verisign changing its reporting methodology may well be a reaction to this increase in the number of clientHold domains.
While its top-line figure has taken a sharp one-off boost, it will still permit daily apples-to-apples comparisons on an ongoing basis.
My assumption about the link to the 2013 RAA was correct.
Verisign CFO George Kilguss told analysts on February 5.
Over the last several years, the average amount of names in the on-hold status category has been approximately 400,000 names and the net change year-over-year has been very small.
While still immaterial, during 2014, we saw an increase in the amount of names registrars have placed on hold status, which appears to be a result of these registrars complying with the new mandated compliance mechanisms in ICANN’s 2013 Registrar Accreditation Agreement or RAA.
In 2014, we saw an increase in domain names placed on hold status from roughly 394,000 names at the end of 2013 to about 870,000 at the end of 2014.