Latest news of the domain name industry

Recent Posts

.org price cap complaints more like “spam” says Ombudsman

Kevin Murphy, September 11, 2019, Domain Policy

ICANN’s Ombudsman has sided with with ICANN in the fight over the lifting of price caps on .org domains, saying many of the thousands of comments objecting to the move were “more akin to spam”.

Herb Waye was weighing in on two Requests for Reconsideration, filed by NameCheap and the Electronic Frontier Foundation in July and August after ICANN and Public Interest Registry signed their controversial new registry agreement.

NameCheap wants ICANN to reverse its decision to allow PIR to raise .org prices by however much it chooses, while the EFF complained primarily about the fact that the Uniform Rapid Suspension anti-cybersquatting measure now appears in the contract.

In both cases, the requestors fumed that ICANN seemed to “ignore” the more than 3,200 comments that were filed in objection back in April, with NameCheap calling the public comment process a “sham”.

But Waye pointed to the fact that many of these comments were filed by people using a semi-automated web form hosted by the pro-domainer Internet Commerce Association.

As far as comments go for ICANN, 3200+ appears to be quite a sizeable number. But, seeing as how the public comments can be filled out and submitted electronically, it is not unexpected that many of the comments are, in actuality, more akin to spam.

With this eyebrow-raising comparison fresh in my mind, I had to giggle when, a few pages later, Waye writes (emphasis in original):

I am charged with being the eyes and ears of the Community. I must look at the matter through the lens of what the Requestor is asking and calling out. The Ombuds is charged with being the watchful eyes of the ICANN Community. The Ombuds is also charged with being the alert “ears” of the Community — with listening — with making individuals, whether Requestors or complainants or those just dropping by for an informal chat, feel heard.

Waye goes on to state that the ICANN board of directors was kept well-briefed on the status of the contract negotiations and that it had been provided with ICANN staff’s summary of the public comments.

He says that allowing ICANN’s CEO to execute the contract without a formal board vote did not go against ICANN rules (which Waye says he has “an admittedly layman’s understanding” of) because contractual matters are always delegated to senior staff.

In short, he sees no reason for ICANN to accept either Request for Reconsideration.

The Ombudsman is not the decision-maker here — the two RfRs will be thrown out considered by ICANN’s Board Accountability Mechanisms Committee at its next meeting, before going to the full board.

But I think we’ve got a pretty good indication here of which way the wind is blowing.

You can access the RfR materials and Waye’s responses here.

Namecheap’s Move Your Domain Day actually works

Namecheap appears to have done a year’s worth of transfers in a single day, on its annual Move Your Domain Day promotion.

The company said this week that the promotion, which ran on March 6 this year, saw 20,590 domains transferred in from other registrars.

That’s pretty good compared to its usual transfer activity.

Registry report data shows that Namecheap usually gets 1,000 to 1,500 inbound transfers per month, across all gTLDs.

Move Your Domain Day was originally set up to capitalize on protests over GoDaddy’s support for the Stop Online Piracy Act in late 2011.

That year, when it benefited from greater publicity, the company said it saw over 40,000 transfers.

During the promotion, Namecheap discounts transfers and donates $1.50 per domain to the Electronic Frontier Foundation.

This year, the EFF will be getting a check for $30,885.

Namecheap said earlier in the week that it was having problems processing inbounds from GoDaddy, which it claimed was throttling automated Whois queries, but said it would process the transfers regardless.

Namecheap accuses GoDaddy of delaying transfers

GoDaddy broke ICANN rules and US competition law by delaying outbound domain transfers yesterday, and not for the first time, according to angry rival Namecheap.

March 6 was Namecheap’s annual Move Your Domain Day, a promotion under which it donates $1.50 to the Electronic Frontier Foundation for every inbound transfer from another registrar.

It’s a tradition the company opportunistically started back in 2011 specifically targeting GoDaddy’s support, later retracted, for the controversial Stop Online Piracy Act, SOPA.

But yesterday GoDaddy was delivering “incomplete Whois information”, which interrupted the automated transfer process and forced Namecheap to resort to manual verification, delaying transfers, Namecheap claims.

“First and foremost this practice is against ICANN rules and regulations. Secondly, we believe it violates ‘unfair competition’ laws,” the company said in a blog post.

Whois verification is a vital part of the transfer process, which is governed by ICANN’s binding Inter-Registrar Transfer Policy.

GoDaddy changed its Whois practices in January. As an anti-spam measure, it no longer publishes contact information, including email addresses vital to the transfer process, when records are accessed automatically over port 43.

However, GoDaddy VP James Bladel told us in January that this was not supposed to affect competing registrars, which have their IP addresses white-listed for port 43 access via a system coordinated by ICANN.

Did GoDaddy balls up its new restrictive Whois practices? Or can the blame be shared?

Namecheap also ran into problems with GoDaddy throttling port 43 on its first Move Your Domain Day in 2011, but DI published screenshots back then suggesting that the company had failed to white-list its IP addresses with ICANN.

This time, the company insists the white-list was not an issue, writing:

As many customers have recently complained of transfer issues, we suspect that GoDaddy is thwarting/throttling efforts to transfer domains away from them. Whether automated or not, this is unacceptable. In preparation for today, we had previously whitelisted IPs with GoDaddy so there would be no excuse for this poor business practice.

Namecheap concluded by saying that all transfers that have been initiated will eventually go through. It also asked affected would-be customers to complain to GoDaddy.

The number of transfers executed on Move Your Domain Day over the last several years appears to be well into six figures, probably amounting to seven figures of annual revenue.

SpamHaus ranks most-botted TLDs and registrars

Kevin Murphy, January 9, 2018, Domain Registrars

Namecheap and Uniregistry have emerged as two of the most-abused domain name companies, using statistics on botnet command and control centers released by SpamHaus this week.

SpamHaus data shows that over a quarter of all botnet C&Cs found during the year were using NameCheap as their registrar.

It also shows that almost 1% of domains registered in Uniregistry’s .click are used as C&Cs.

The spam-fighting outfit said it discovered “almost 50,000” domains in 2017 that were registered for the purpose of controlling botnets.

Comparable data for 2016 was not published a year ago, but if you go back a few years, SpamHaus reported that there were just 3,793 such domains in 2014.

Neither number includes compromised domains or free subdomains.

The TLD with the most botnet abuse was of course .com, with 14,218 domains used as C&C servers. It was followed by Directi’s .pw (8,587) and Afilias’ .info (3,707).

When taking into account the relative size of the TLDs, SpamHaus fingered Russian ccTLD .ru as the “most heavily abused” TLD, but its numbers don’t ring true to me.

With 1,370 botnet controllers and about five and a half million domains, .ru’s abused domains would be around 0.03%.

But if you look at .click, with 1,256 botnet C&Cs and 131,000 domains (as of September), that number is very close to 1%. When it comes to botnets, that’s a high number.

In fact, using SpamHaus numbers and September registry reports of total domains under management, it seems that .work, .space, .website, .top, .pro, .biz, .info, .xyz, .bid and .online all have higher levels of botnet abuse than .ru, though in absolute numbers some have fewer abused domains.

In terms of registrars, Namecheap was the runaway loser, with a whopping 11,878 domains used to control botnets.

While SpamHaus acknowledges that the size of the registrar has a bearing on abuse levels, it’s worth noting that GoDaddy — by far the biggest registrar, but well-staffed with over-zealous abuse guys — does not even feature on the top 20 list here.

SpamHaus wrote:

While the total numbers of botnet domains at the registrar might appear large, the registrar does not necessarily support cybercriminals. Registrars simply can’t detect all fraudulent registrations or registrations of domains for criminal use before those domains go live. The “life span” of criminal domains on legitimate, well-run, registrars tends to be quite short.

However, other much smaller registrars that you might never have heard of (like Shinjiru or WebNic) appear on this same list. Several of these registrars have an extremely high proportion of cybercrime domains registered through them. Like ISPs with high numbers of botnet controllers, these registrars usually have no or limited abuse staff, poor abuse detection processes, and some either do not or cannot accept takedown requests except by a legal order from the local government or a local court.

The SpamHaus report, which you can read here, concludes with a call for registries and registrars to take more action to shut down repeat offenders, saying it is “embarrassing” that some registrars allow perpetrators to register domains for abuse over and over and over again.

Namecheap to bring millions of domains in-house next week

Kevin Murphy, January 5, 2018, Domain Registrars

Namecheap is finally bringing its customer base over to its own ICANN accreditation.

The registrar will next week accept transfer of an estimated 3.2 million .com and .net domains from Enom, following a court ruling forcing Enom owner Tucows to let go of the names.

The migration will happen from January 8 to January 12, Namecheap said in a blog post today.

Namecheap is one of the largest registrars in the industry, but historically it mostly acted as an Enom reseller. Every domain it sold showed up in official reports as an Enom sale.

While it’s been using its own ICANN accreditation to sell gTLD names since around 2015 — and has around four million names on its own credentials — it still had a substantial portion of its customer base on the Enom ticker.

After the two companies’ arrangement came to an end, and Enom was acquired by Tucows, Namecheap decided to also consolidate its .com/.net names under its own accreditation.

After Tucows balked at a bulk transfer, Namecheap sued, and a court ruled in December that Tucows must consent to the transfer.

Now, Namecheap says all .com and .net names registered before January 2017 or transferred in before November 2017 will be migrated.

There may be some downtime as the transition goes through, the company warned.

NameCheap stops selling .xyz domains

Kevin Murphy, October 11, 2016, Domain Registrars

NameCheap may have sold over a million .xyz domains, but apparently it will sell no more than that.

The registrar confirmed to DI this evening that it is no longer taking .xyz registrations. It declined to explain why.

It has also stopped selling .college and .rent domains — two other gTLDs owned by XYZ.com. Other new gTLDs are not affected.

It’s reportedly not accepting inbound transfers either, though existing domains can be renewed.

The switch-off happened at the end of last month, a NameCheap representative said.

That’s just one month after the registrar celebrated its one millionth .xyz registration, which XYZ.com commemorated with a blog post bigging up NameCheap’s user-customers.

The move is peculiar indeed. NameCheap is the third highest-volume .xyz registrar, behind West.cn and Uniregistry, responsible for about 15% of .xyz’s domains under management.

It’s also NameCheap’s biggest direct-selling gTLD by a considerable margin.

NameCheap is well-known as primarily an eNom reseller — it accounts for 28% of eNom’s domains under management and 18% of its revenue, largely from .com sales.

But with new gTLDs it has started selling domains on its own IANA ticker, meaning a direct connection to the registry and more gross profit for itself.

According to June’s registry reports, the million .xyz names accounted for roughly two thirds of NameCheap’s total DUM (not counting names sold via eNom).

The closet rival in its portfolio is .online, which provided the registrar with about 81,000 DUM.

The registrar added about 350,000 .xyz domains in June, a month in which it briefly offered them at $0.02 each.

At that time, the company reported technical issues that led to a 12-24 hour backlog of registrations to process, though its blog post announcing the problem appears to have since been deleted.

NameCheap has declined to comment on the reason for the surprise move, and XYZ did not immediately respond to a request for comment.

The fact that all of XYZ.com’s TLDs have been cut off suggests some kind of dispute between the two companies, but the fact that renewals can still be processed would suggest that NameCheap has not lost its .xyz accreditation.

More info if I get it…

.xyz tops 5 million domains as penny deals continue

XYZ.com became the first new gTLD operator to top five million domains in a single TLD last night, when .xyz added almost 1.5 million names.

According to our parse of today’s zone file, .xyz has 5,096,589 names, up 1,451,763 on yesterday’s 3,644,826.

On Monday, the number was just under 2.8 million.

The massive spike came after what was supposed to be the final day of a three-day discounting blitz, as registrars sold the names for $0.02, $0.01 or even nothing.

Uniregistry, which sold for a penny, seems to have claimed the lion’s share of the regs.

The company supplied DI with data showing it had processed over 1.16 million registrations on June 2, about 90% of which CEO Frank Schilling said were .xyz sales.

At its peak, Uniregistry created 95,793 new domains in an hour, this data shows.

Judging by the numbers published on its home page, the registrar has pretty much doubled its domains under management overnight.

The rapid growth of .xyz is very probably not over.

Some registrars said they will carry on with the penny giveaways for an extra day.

At least one popular registrar, NameCheap, told irritated customers that the popularity of its $0.02 offer meant it had a backlog of registration requests that would take 12 to 24 hours to process. Those may not have showed up in the zone file yet.

In addition, .xyz prices are expected to be dirt cheap — just $0.18 at Uniregistry, for example — for the rest of the month, at least at the 50-odd registrars XYZ says are participating in its promotion.

Registrars selling .xyz names for pennies

XYZ.com’s campaign to keep its volumes high as .xyz approaches its second anniversary seem to have resulted in basically free registrations.

Uniregistry said yesterday that it has started selling .xyz domains for just $0.01, and NameCheap is offering them for $0.02.

The prices, which apply to first-year registrations, kicked in yesterday and expire at midnight June 3.

Over in China, Xin Net and West.cn are both pricing the domains at a relatively huge CNY 2 ($0.30).

I expect there are similar offers at other registrars too.

West.cn. the largest .xyz registrar, said last week that it is also subsidizing renewals for the month of June, bringing the cost down to $2.73.

The aforementioned registrars have big splashes announcing the offers on their home pages.

XYZ said Friday that it has put aside “several million dollars” to advertise its birthday on registrar storefronts and elsewhere.

Uniregistry said that from June 3 to June 30 the price will be just $0.18.

Uniregistry’s current .xyz volume is measured in the tens of thousands. It’s ranked just behind Go Daddy, which does not appear to be participating in this promotion, by .xyz domains under management.

.xyz went into general availability June 2, 2014.

Since August 2015, not long after its anniversary deletes have been substantially outstripping renewals, but adds have been going nuts.

It has about 2.8 million domains in its zone file right now, two million of which have been added in the last 12 months.

Despite the anniversary hoopla this time around, there was not a big spike in .xyz registrations around its first birthday last year, when it added a fairly normal 50,000 or so domains.

Go Daddy advertising privacy petition on Facebook

Go Daddy appears to be putting its money where its mouth is when it comes to arguments about domain privacy.

The company is paying for “sponsored” posts on Facebook that promote the ongoing petition against proposed changes to Whois policy at ICANN.

This has been appearing on Facebook for me all day, seriously interrupting my Farmville time:

Go Daddy ad

Clicking the ad takes you directly to the Save Domain Privacy petition, rather than a Go Daddy sales pitch.

As I reported last week, thousands of internet users have blasted ICANN with template comments complaining about proposed limits on Whois privacy.

There are currently over 10,000 such comments, I estimate, with over a week left until the filing deadline.

Registrars, Go Daddy among them, are largely concerned about a minority proposal emerging from in a proxy/privacy service accreditation working group that would ban transactional e-commerce sites from having private registrations.

They’re also bothered that intellectual property owners could get more rights to unmask privacy users under the proposals.

Despite Go Daddy’s outreach, Repect Our Privacy, letter-writing campaign, backed by NameCheap and the Electronic Frontier Foundation, seems to be responsible for most of the comments filed to date.

Not that it’s necessarily relevant today, but NameCheap and Go Daddy were on opposing sides of the Stop Online Piracy Act debate — a linked controversy — a few years back.

Tucows and Namecheap exit $14m .online deal

Tucows and Namecheap have both pulled out of their joint venture with Radix to run the .online registry.

Tucows revealed the move, which will see Radix run .online solo, in a press release yesterday.

Both Tucows and Namecheap are registrars, whereas Radix is pretty much focused on being a registry nowadays.

While financial terms have not been disclosed, Tucows CEO Elliot Noss had previously said that each of the three companies had funded the new venture to the tune of $4 million to $5 million.

I estimate that this puts the total investment in the deal — which includes the price of winning .online at auction — at $13 million to $14 million.

Noss has also hinted that the gTLD sold for much more than the $6.8 million paid for .tech.

.online has not yet been delegated.