Latest news of the domain name industry

Recent Posts

ICANN confirms GoDaddy Whois probe

ICANN is looking into claims that GoDaddy is in breach of its registrar accreditation contract.

The organization last week told IP lawyer Brian Winterfeldt that his complaint about the market-leading registrar throttling and censoring Whois queries over port 43 is being looked at by its compliance department.

The brief note (pdf) says that Compliance is “in receipt of the correspondence and will address it under its process”.

Winterfeldt is annoyed that GoDaddy has starting removing contact information from its port 43 Whois responses, in what the company says is an anti-spam measure.

It’s also started throttling port 43 queries, causing no end of problems at companies such as DomainTools.

Winterfeldt wrote last month “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny port 43 Whois access to any particular IP address”.

It’s worth saying that ICANN is not giving any formal credibility to the complaint merely by looking into it.

But while it’s usual for ICANN to publish its responses to correspondence it has received and published, it’s rather less common for it to disclose the existence of a compliance investigation before it has progressed to a formal breach notice.

It could all turn out to be moot anyway, given the damage GDPR is likely to do to Whois across the industry in a matter of weeks.

Lawyer: GoDaddy Whois changes a “critical” contract breach

Kevin Murphy, March 13, 2018, Domain Registrars

GoDaddy is in violation of its ICANN registrar contract by throttling access to its Whois database, according to a leading industry lawyer.

Brian Winterfeldt of the Winterfeldt IP Group has written to ICANN to demand its compliance team enforces what he calls a “very serious contractual breach”.

At issue is GoDaddy’s recent practice, introduced in January, of masking key fields of Whois when accessed in an automated fashion over port 43.

The company no longer shows the name, email address or phone number of its registrants over port 43. Web-based Whois, which has CAPTCHA protection, is unaffected.

It’s been presented as an anti-spam measure. In recent years, GoDaddy has been increasingly accused (wrongly) of selling customer details to spammers pitching web hosting and SEO services, whereas in fact those details have been obtained from public Whois.

But many in the industry are livid about the changes.

Back in January, DomainTools CEO Tim Chen told us that, even as a white-listed known quantity, its port 43 access was about 2% of its former levels.

And last week competing registrar Namecheap publicly complained that Whois throttling was hindering inbound transfers from GoDaddy.

Winterfeldt wrote (pdf) that “nothing in their contract permits GoDaddy to mask data elements, and evidence of illegality must be obtained before GoDaddy is permitted to throttle or deny
port 43 Whois access to any particular IP address”, adding:

The GoDaddy whitelist program has created a dire situation where businesses dependent upon unmasked and robust port 43 Whois access are forced to negotiate wholly subjective terms for access, and are fearful of filing complaints with ICANN because they are reticent to publicize any disruption in service, or because they fear retaliation from GoDaddy…

This is a very serious contractual breach, which threatens to undermine the stability and security of the Internet, as well as embolden other registrars to make similar unilateral changes to their own port 43 Whois services. It has persisted for far too long, having been officially implemented on January 25, 2018. The tools our communities use to do our jobs are broken. Cybersecurity teams are flying blind without port 43 Whois data. And illegal activity will proliferate online, all ostensibly in order to protect GoDaddy customers from spam emails. That is completely disproportionate and unacceptable

He did not disclose which client, if any, he was writing on behalf of, presumably due to fear of reprisals.

He added that his initial outreaches to ICANN Compliance have not proved fruitful.

ICANN said last November that it would not prosecute registrar breaches of the Whois provisions of the Registrar Accreditation Agreements, subject to certain limits, as the industry focuses on becoming compliant with the General Data Protection Regulation.

But GoDaddy has told us that the port 43 throttling is unrelated to GDPR and to the compliance waiver.

Masking Whois data, whether over port 43 or not, is likely to soon become a fact of life anyway. ICANN’s current proposal for GDPR compliance would see public Whois records gutted, with only accredited users (such as law enforcement) getting access to full records.

Namecheap’s Move Your Domain Day actually works

Namecheap appears to have done a year’s worth of transfers in a single day, on its annual Move Your Domain Day promotion.

The company said this week that the promotion, which ran on March 6 this year, saw 20,590 domains transferred in from other registrars.

That’s pretty good compared to its usual transfer activity.

Registry report data shows that Namecheap usually gets 1,000 to 1,500 inbound transfers per month, across all gTLDs.

Move Your Domain Day was originally set up to capitalize on protests over GoDaddy’s support for the Stop Online Piracy Act in late 2011.

That year, when it benefited from greater publicity, the company said it saw over 40,000 transfers.

During the promotion, Namecheap discounts transfers and donates $1.50 per domain to the Electronic Frontier Foundation.

This year, the EFF will be getting a check for $30,885.

Namecheap said earlier in the week that it was having problems processing inbounds from GoDaddy, which it claimed was throttling automated Whois queries, but said it would process the transfers regardless.

Namecheap accuses GoDaddy of delaying transfers

GoDaddy broke ICANN rules and US competition law by delaying outbound domain transfers yesterday, and not for the first time, according to angry rival Namecheap.

March 6 was Namecheap’s annual Move Your Domain Day, a promotion under which it donates $1.50 to the Electronic Frontier Foundation for every inbound transfer from another registrar.

It’s a tradition the company opportunistically started back in 2011 specifically targeting GoDaddy’s support, later retracted, for the controversial Stop Online Piracy Act, SOPA.

But yesterday GoDaddy was delivering “incomplete Whois information”, which interrupted the automated transfer process and forced Namecheap to resort to manual verification, delaying transfers, Namecheap claims.

“First and foremost this practice is against ICANN rules and regulations. Secondly, we believe it violates ‘unfair competition’ laws,” the company said in a blog post.

Whois verification is a vital part of the transfer process, which is governed by ICANN’s binding Inter-Registrar Transfer Policy.

GoDaddy changed its Whois practices in January. As an anti-spam measure, it no longer publishes contact information, including email addresses vital to the transfer process, when records are accessed automatically over port 43.

However, GoDaddy VP James Bladel told us in January that this was not supposed to affect competing registrars, which have their IP addresses white-listed for port 43 access via a system coordinated by ICANN.

Did GoDaddy balls up its new restrictive Whois practices? Or can the blame be shared?

Namecheap also ran into problems with GoDaddy throttling port 43 on its first Move Your Domain Day in 2011, but DI published screenshots back then suggesting that the company had failed to white-list its IP addresses with ICANN.

This time, the company insists the white-list was not an issue, writing:

As many customers have recently complained of transfer issues, we suspect that GoDaddy is thwarting/throttling efforts to transfer domains away from them. Whether automated or not, this is unacceptable. In preparation for today, we had previously whitelisted IPs with GoDaddy so there would be no excuse for this poor business practice.

Namecheap concluded by saying that all transfers that have been initiated will eventually go through. It also asked affected would-be customers to complain to GoDaddy.

The number of transfers executed on Move Your Domain Day over the last several years appears to be well into six figures, probably amounting to seven figures of annual revenue.

DomainTools scraps apps and APIs in war on spam

Kevin Murphy, January 22, 2018, Domain Services

DomainTools is to scrap at least five of its services as it tries to crack down spam.

It’s getting rids of its mobile apps, its APIs, and is to stop showing registrants’ personal information to unauthenticated users.

CEO Tim Chen told us in an email at the weekend:

The Android app is no longer supported.

The iOS app will no longer be supported after February 20th.

The Developer API is no longer supported.

On February 20th, the Bulk Parsed Whois tool available to Personal Members will no longer be supported.

On February 20th, our production Whois API will no longer be available to individual membership levels, an Enterprise relationships will be required.

It’s all part of an effort to make sure DomainTools services are not being abused by spammers, which has lead to a dispute with GoDaddy over bulk access to its registrants’ Whois data.

The longstanding problem of new registrants getting spammed with calls and emails offering web hosting and such has escalated over the last few years. Domain Name Wire detailed the scale of the abuse registrants can experience in a post last week.

While to my knowledge nobody has directly accused DomainTools of facilitating such abuse, the scrapped services are the ones that would be most useful to these spammers.

The company is also going to scale back what guest users can see when they do a Whois lookup, and is to make automated scraping of Whois records more difficult for paying members.

In a blog post, Chen wrote last week:

As of today, unauthenticated users of the DomainTools Whois Lookup tool will not see personally identifiable information for the registrant parsed out in the results, and will be required to submit a CAPTCHA to see the full raw domain name Whois record. Phone numbers in the parsed results have been replaced with image files, much the same way emails have always been rendered

As well as hoping to ease relations with GoDaddy — the source of a very heavy chunk of DomainTools’ data — the moves are also part of the company’s strategy for dealing with the incoming General Data Protection Regulation.

This is the EU law that gives registrants more control over the privacy of their personal data.

Chen told us earlier this month that DomainTools is keen to ensure its enterprise-level suite of security products, which he said are vital for security and intellectual property investigations, continue to operatie under the new regime.

About 80% of DomainTools’ revenue comes from its enterprise-level customers, over 500 companies.