Latest news of the domain name industry

.xxx shows up in botnet top-five TLDs for the first time

Kevin Murphy, January 21, 2022, Domain Registries

It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.

Spamhaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.

From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, Spamhaus said. It worked out to 2.4% of .xxx’s active domains, the company said.

.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.

Spamhaus said:

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.

It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.

But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.

While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.

New gTLD pioneer MMX to wind up

Kevin Murphy, January 14, 2022, Domain Registries

MMX, the new gTLD registry also known as Minds + Machines, has decided to close down and de-list.

The company said today that it plans to return its remaining cash to investors through a tender offer and then cancel its remaining shares, which are listed on London’s Alternative Investment Market.

The cancellation plan is subject to shareholder approval at a February 7 general meeting, but the tender does not require approval.

MMX will buy back shares to the tune of £19 million ($26 million) at 10.4 pence per share, a premium of 26.1% on yesterday’s closing price and 24.8% on the last month’s average price.

It follows an $80 million tender offer completed in October.

MMX sold off its major assets — 22 new gTLD registry contracts — to GoDaddy last year in a $120 million deal, and has wound down its legacy registrar businesses.

Now, all that remains is a transition services agreement with GoDaddy, which will soon end.

There had been talk of using the AIM listing as a reverse-takeover vehicle for an operating business seeking quick access to the public markets, but it appears that’s no longer on the table.

If everything goes according to plan, MMX will cease to exist as a public company on February 22. Shareholders have until January 28 to accept the tender offer.

It seems the remaining shareholders will be losing out — if the tender offer is fully subscribed, they’ll only get to sell one share for every 1.485 shares they currently own.

“National security” cited as registry says you have to ask its CEO if you want to register more than TWO domains

Kevin Murphy, January 10, 2022, Domain Registries

India, a country with some 2.2 million ccTLD domains, has implemented perhaps the strangest and most Draconian restrictions on bulk registration of modern times.

The local registry, NIXI, informed its registrars all over the world in late December that they will have to seek formal written permission directly from the CEO if a customer wishes to register more than two .in domains.

Registrars breaking the rules face losing their accreditation, NIXI said.

A terse notice (pdf) published on the registry’s web site, signed by CEO Anil Kumar Jain, reads:

It is decided that a written approval of CEO, NIXI is required if an individual Registrant submit a request for registering more than two domains.

In case a registered accredited company try to book domains more than 100 than also a written approval of CEO, NIXI is required.

In case any Registrar is booking domains violating the above norms NIXI has right to disallow/disconnect the domains booking under that category. A process may be initiated for de-accreditation of such Registrar.

Approval will be given within 24 hours of a request, regardless of weekends or holidays, the notice reads.

Asked for clarification, Jain told DI in an email that the “new procedure is drawn after reviewing national security concerns” and that “NIXI registry is not stopping any domain registration.”

“An individual can book up to 2 domains and a company can book up to 100 domains without permissions,” he wrote. “Permission sought is given within 24 hrs.”

The new rule has registrars scratching their heads, with one describing it as “crazy”, “very vague” and very difficult to enforce.

NIXI uses GoDaddy Registry as its back-end, but GoDaddy does not appear to be playing a role in the implementation of the new policy. A spokesperson said in a statement:

At this time, the responsibilities are on the registrars and it’s a discussion between NIXI and them. As the back-end provider, we work closely with .in on any changes they would like to make at the registry level.

GoDaddy gets another year to negotiate .xxx contract

Kevin Murphy, December 15, 2021, Domain Registries

ICANN and GoDaddy seem to have missed their deadline for long-term renewal of their .xxx registry agreement for a second time.

The contract was extended earlier this week until December 15, 2022, giving the parties another full year to bash out whatever amendments are needed.

The initial deal, signed in 2011, was due to expire March 31, but was extended until today to give more time for renegotiation.

.xxx was the last gTLD approved prior to the 2012 application round, and as such it has a few differences to the standard gTLD contract.

The fee structure is particularly complicated; originally, the registry had to pay ICANN $2 per domain, to stuff ICANN’s war chest for anticipated litigation, but that has been reduced through amendments over the years.

ICANN is always keen to bring older contracts into line with the standard Registry Agreement.

The .xxx contract, like legacy gTLDs before it, will be subject to public comment before approval.

GoDaddy is currently pushing renewals for its AdultBlock trademark-protection services.

GoDaddy wins .tv contract after Verisign blows off 20-year deal

Kevin Murphy, December 14, 2021, Domain Registries

GoDaddy is taking over the contract to run .tv from Verisign, after Verisign didn’t even bother to bid for renewal.

The deal brings to an end a relationship between Verisign and the tiny Pacific island nation of Tuvalu that has lasted 20 years and contributed millions to the country’s economy.

The country’s communications ministry said on its Facebook page that GoDaddy Registry was selected after a “competitive tender process”, but DI understands that Verisign did not participate.

While terms of the new GoDaddy deal have not been disclosed, it seems likely that Tuvalu was looking for a far bigger slice of the pie than the $5 million a year it was getting from Verisign, and for moneybags Verisign, with its .com cash-printing machine, it simply wasn’t worth the hassle.

Tuvalu has around 11,000 inhabitants and gross national income of around $60 million — its .tv money was a big deal for the country, even at the amount Verisign was paying.

With a likely bigger chunk of change coming from GoDaddy, it’s going to have more to invest in what it calls its “digital nation” strategy, which appears to involve investing heavily in blockchain-based technologies to compensate for the fact that it may well disappear beneath the waves over the next few decades.

.tv is a cornerstone of this strategy, the government says.

There’s thought to be at least half a million registered .tv domains, and the bog-standard non-premiums retail for about $50 a year, so it’s been a nice little earner for Verisign over the last two decades.

The company first took on .tv in 2001 when it acquired startup .tv Corp, which had inked the original deal with Tuvalu in 1998, for $45 million. The contract has been renewed a few times since then.

The ccTLD was the first example of a mainstream TLD offering tiered pricing, with premium strings carrying bigger price tags — controversial 20 years ago, almost standard practice today.

There have been reports over the years that the country thought it was getting short-changed by the deal, and the contract was put up for bidding earlier this year.

Despite reports that the tender seemed suspiciously tailored for a Donuts win, it seems GoDaddy has emerged the victor.

One can only assume it’s offered Tuvalu a bigger slice of the pie, which is what it had to do (under its previous incarnation as Neustar) to keep hold of the contract to run Colombia’s .co last year.

Neither Verisign nor GoDaddy has publicly released a statement about the switch. While it’s a lot of money, it’s not strictly material to either company’s already swollen top lines.

GoDaddy hack exposed a million customer passwords

Kevin Murphy, November 24, 2021, Domain Registrars

GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.

The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.

The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.

In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.

GoDaddy discovered the hack November 17 and disclosed it November 22.

It sounds rather like the attack may have been a result of a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.

Comes wrote in his blog post:

We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.

You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.

About 500 staff reportedly failed the test.

Virgin territory as GoDaddy pushes $30 million porn domain renewals

Kevin Murphy, November 16, 2021, Domain Registries

Brand owners big and small are in for a potential surprise December 1, as their 10-year-old .xxx domain blocks expire and registrars bill their customers to convert them into a new annually-renewing GoDaddy service.

GoDaddy confirmed to DI today that it will “auto-convert” the old Sunrise B blocks, first sold by ICM Registry in 2011, to its new AdultBlock service, which provides essentially the same functionality but across four TLDs rather than one.

Tony Kirsch, head of professional services at GoDaddy Registry, said:

Registrars have been contacting all the Sunrise B owners and advising them that as of December 1 they will be grandfathered and automatically converted into an AdultBlock service, but they have a choice to expire that or stop that happening prior to December 1.

And if it is that they don’t do that before December 1, we’ll still give them a grace period of at least 45 days. If that happens they can then, as you’d normally do, just turn around to the registrar and say “We don’t want that” and we will of course refund the money.

This means that GoDaddy, which acquired .xxx and ICM from MMX earlier this year, is billing its .xxx registrar partners to convert and renew what could be as many as 81,000 Sunrise B blocks.

While the registry fee for AdultBlock has not been published, retail registrars I checked have priced the service at $370 to $400 per year, which we can probably assume is low-end pricing. Most .xxx domains are sold via the specialist brand-protection registrars like CSC and MarkMonitor, which sometimes have more complex pricing.

So that’s something in the ballpark of $30 million worth of renewal invoices being sent out in the coming weeks, for something that in many cases brand owners may have institutionally forgotten about.

Kirsch said that AdultBlock was introduced by MMX about 18 months ago and that registrars have been preparing their customers for the Sunrise B expiration for some time.

Sunrise B was a program, unprecedented in the industry at the time, whereby trademark owners could pay a one-off fee — ICM charged its registrars about $160 wholesale — to have their brands removed from the available pool.

The domains exist in the .xxx zone file and resolve to a black page bearing the words “This domain has been reserved from registration”, but they’re not registered and usable like normal defensive or sunrise registrations would be.

Companies got to avoid not only the potential embarrassment of being porn-squatted, but also the hassle of having to explain to a tabloid reporter why they “owned” the .xxx domain in question.

The term of the Sunrise B block was 10 years. ICM told me at the time that this was because the company’s initial registry contract with ICANN only lasted for 10 years, so it was legally unable to sell longer-term blocks, but I’ve never been sure how much I buy that explanation.

Regardless, that 10-year period comes to an end in two weeks.

Because Sunrise B was unprecedented, this first renewal phase is also unprecedented. We’re in virgin territory (pun, of course, very much intended) here.

Will we see the industry’s first public “block junk drop”?

There are a number of reasons to believe trademark owners, assuming they don’t just blindly pay their registrar’s invoices, would choose to allow their blocks to expire or to ask for a refund after the fact.

First, the price has gone up — a lot.

While ICM charged $160 for a 10-year Sunrise B block (maybe marked up by registrars to a few hundred bucks) brand owners can expect to pay something like $3,000 retail for a single string blocked for 10 years.

But buyers do get a bit more bang for their buck. Unlike Sunrise B, AdultBlock also blocks the trademark in three additional GoDaddy-owned TLDs — .porn, .sex and .adult — as standard.

Kirsch said he expects buyers to see a 40% to 50% saving compared to the cost of defensively registering each domain individually.

Second, the appetite for defensive registrations has waned over the past 10 years, with trademark owners employing more nuanced approaches to brand protection, largely due to the flood of new gTLDs since 2013.

When .adult, .sex and .porn launched, without the possibility of Sunrise B blocks, they got about 2,000 regular sunrise registrations each. And that’s extraordinarily high — for most new gTLDs a couple hundred was a good turnout.

Third, the .xxx launch attracted a whole lot of controversy and overreaction, and the .xxx zone file today contains a lot of Sunrise B crap.

When I scrolled a little through the zone, cherry-picking silly-looking blocks in 2019, I found these examples:

100percentwholewheatthatkidslovetoeat.xxx, 101waystoleaveagameshow.xxx, 1firstnationalmergersandacquisitions.xxx, 1stchoiceliquorsuperstore.xxx, 2bupushingalltherightbuttons.xxx, 247claimsservicethesupportyouneed30minutesguaranteed.xxx, 3pathpowerdeliverysystembypioneermagneticsinc.xxx

Is it worth $400 a year to block the trademark “100 Percent Whole Wheat That Kids Love To Eat”? Is there any real danger of a cybersquatter going after that particular brand (apart from the fact that I’ve now written about it twice)?

Kirsch said a “small percentage” of Sunrise B owners have already said they don’t want to convert, but given that the rest will auto-convert, and that the registrars are doing all the customer-facing stuff, the company has limited visibility into likely uptake.

Brian King, director of policy at MarkMonitor, told us: “We generally encourage our clients to consider blocks. They can be cost effective and a lot of times clients would rather have their brand be unavailable without having to register in TLDs where they don’t want to own domain registrations for any number of reasons.”

One reason brand owners may want to consider converting to AdultBlock — it’s rumored that GoDaddy will be relaxing its eligibility criteria for .xxx next year, removing the requirement for registrants to have a nexus to the porn industry.

It’s always been kind of a bullshit rule, basically a hack to allow ICM to run a “sponsored” TLD under ICANN’s rules from the 2003 application round, but doing away with it would potentially make it easier for cybersquatters to get their hands on .xxx domains.

CSC told customers in a recent webinar that the rules are likely to be changed next year, increasing the risk of cybersquatting.

There’s some circumstantial evidence to suggest that CSC might be on to something — pretty much every “sponsored” gTLD from the same 2003 application round as .xxx has relaxed its reg rules to some extent, sometimes when its contract comes up for renewal and ICANN tries to normalize it with the text of the standard 2012-round agreement.

And GoDaddy’s .xxx contract with ICANN is being renegotiated right now. It was due to expire in March, but it was extended in February until December 15, a little under a month from now. We may soon see ICANN open up the new text for public comment.

Kirsch, who’s not part of the negotiations, could not confirm that the eligibility relaxation is going to happen or that it’s something GoDaddy is pushing for.

If it were to happen, it wouldn’t be for some time, and it wouldn’t necessarily impact on the December 1 deadline for Sunrise B conversions, which is going to be interesting to watch in its own right.

“There are registrations that are protecting people’s trademarks that are expiring and our primary objective here is to ensure that that protection continues, and that’s what we’ll do,” GoDaddy’s Kirsch said.

“If we just let them expire, it would create a lot of opportunity for brand infringement. Faced with that choice, our primary objective is to protect trademark owners,” he said.

GoDaddy says it turned around Neustar, and .biz numbers seem to confirm that

Kevin Murphy, November 4, 2021, Domain Registrars

GoDaddy is pleased with how its new registry division is doing, with CEO Aman Bhutani claiming last night that it’s managed to turn around the fortunes of Neustar, which became part of GoDaddy Registry a year ago.

Reporting a strong third quarter of domains revenue growth, Bhutani highlighted the secondary market and the registry as drivers. In prepared remarks, he said:

On Registry, we are continuing to prove our ability to acquire, integrate, and accelerate. A great example is the cohort performance within GoDaddy Registry. When we acquired Neustar’s registry assets in Q3 last year, its new cohorts were shrinking, with new unit registrations down 4% year over year. We are now one year into the acquisition, and we’re pleased to report that within that first year, we have been able to accelerate new business significantly. We are now seeing new unit registrations increase nearly 20% year over year — all organically.

If you’re wondering what a “cohort” is, it appears to refer to GoDaddy’s way of, for analysis purposes, slicing up its customers, how much they spend and how profitable they are, into tranches according to the years in which they became customers.

So GoDaddy’s saying here that Neustar’s number of new customers was going down, and it was selling 4% fewer new domains, at the time of the acquisition last year, but that that trend has now been reversed, with new regs up 20%.

The numbers are not really possible to verify. Neustar’s main three TLDs for volume purposes were .us, .co and .biz, and of those only .biz is contractually obliged to publish its zone file and registry numbers.

But look at .biz!

.biz zone graph

That’s .biz’s daily zone file numbers for the last two years, with the August 2020 acquisition highlighted by a subtle arrow. It’s only added about 50,000 net names since the deal, but it’s reversing an otherwise negative trend.

Monthly transaction reports show .biz had been on a general downward, if spiky, line since its early 2014 peak of 2.7 million names. It’s now at about 1.4 million.

When asked how the company achieved such a feat, Bhutani credited “execution” and left it at that. Perhaps this means something to financial analysts.

When asked by an analyst whether GoDaddy was giving its own TLDs preferential treatment, promoting its owned strings on the registrar in order to better compete with .com at the registry, Bhutani denied such frowned-upon behavior:

We don’t do that. All TLDs work on our registrar side in terms of their merit. It’s about value to the customer — whatever works best irrespective of whether we own the registry side or not. That’s what we’ll sell in front of the customer.

The company reported domains revenue up 17% at $453.2 million for the third quarter, with overall revenue up 14% at $964 million compared to year-ago numbers. Net income was up to $97.7 million from $65.1 million a year ago.

GoDaddy expects domains revenue to grow in the low double digits percent-wise in the current quarter.

.basketball domain emerges under GoDaddy with fewer hoops

Kevin Murphy, October 20, 2021, Domain Registries

The .basketball gTLD has finally had its coming-out party, with the registry announcing general availability this week.

Fédération Internationale de Basketball has outsourced management of the gTLD to sports marketing agency Roar Domains, doing business here as Roar.Basketball, which in turn is using GoDaddy Registry for the technical registry functions.

The domain has been in a seemingly interminable series of qualified launch programs, community priority registration phases and sunrise periods for the last four years, but FIBA said yesterday .basketball is now open to all-comers.

Technically, it’s been in general availability for a few months, but the broader marketing effort only began this week.

Right now, it’s being marketed via Roar’s site at be.basketball, where the base registration price is $50 a year. Premiums are available at higher prices.

Roar appears to be using Australian registrar Bombora Technologies, which GoDaddy acquired as part of its Neustar deal last year, as its primary — possibly exclusive — registrar.

Roar’s FAQ states that be.basketball “is the only site where you can register and manage a .basketball domain name”.

Other registrars are accredited, and almost 20 have a handful of presumed sunrise regs, but currently Bombora holds 80% of the 600 domains currently under management.

Weirdly, GoDaddy itself does not appear to currently sell .basketball names through its primary storefront.

Roar/FIBA originally had MMX as its partner, with CentralNic as its back-end, but that changed earlier this year when GoDaddy acquired most of MMX’s assets, including the .basketball relationship.

Man with broken shift key sues ICANN and GoDaddy over Bitcoin domain

Kevin Murphy, October 13, 2021, Domain Policy

Sometimes I wonder if all they teach you at American law schools is how to correctly use upper-case letters.

A Georgia man who lost a cybersquatting case with Sotheby’s, concerning his registration of sothebysauctionbitcoin.com, has taken the auction house, along with ICANN, GoDaddy, and ADR Forum to court.

Harris’ case is filed pro se, which is Latin for “he doesn’t have a lawyer, his complaint makes no sense, and the case is going to get thrown out of court”.

He claims a UDRP decision that went against him recently was incorrect, that ADR Forum is corrupt and biased, and that the UDRP itself is flawed.

The domain was registered with GoDaddy, and ADR Forum was the UDRP provider.

He wants his domain back, along with root-and-branch reform of the UDRP and “self-regulating lumbering Monopolistic Behemoth” ICANN, which is apparently still working under the auspices of the US Department of Commerce.

Here’s a flavor of the filing (pdf), which was filed in a Georgia District Court yesterday:

We are ASKING THE Court to find the UDRP (Uniform Dispute Resolution Procedure) #FA2108001961598 (Sotheby’s and SPTC v Harris) Arbitration process and resulting ruling was Fatally Flawed; whereas ICANN failed to properly parse the “Provider” and we believe allowed Sotheby’s Counsel of Record in those proceeding to have specifically chosen ADR Form ADR FORUM whose history is tainted by a Consent Decree in their previous corporate iteration as an arbitration Provider for bad behavior and is also known to be a pro Claimant Provider.

In the version published to PACER, the complaint ends abruptly mid-sentence and seems to have one or more pages missing.

The decision in the original UDRP case is equally enlightening. Harris apparently sent nine responses to the complaint, many of which seemed to argue that Sotheby’s should have made an offer for the domain instead of “intimidating and bullying” him.

Harris apparently argued that the registration was a “legitimate investment”, thereby conferring rights to the domain.

Sole panelist Neil Anthony Brown seems to have taken pity on Harris, who had declared that Sotheby’s citation of previous UDRP cases was “irrelevant”, by deciding the case (against him, of course) without direct reference to prior precedent.

It was basically a slam-dunk decision, as I expect this lawsuit will also be.