Latest news of the domain name industry

Recent Posts

.sucks mystery deepens. Who the hell is Pat Honeysalt?

Kevin Murphy, March 24, 2021, Domain Registries

Another two .sucks domain names registered by the gTLD’s most prolific registrant have been found to be cases of cybersquatting, but now the squatter’s true identity is becoming more opaque.

In two recently decided UDRP cases before WIPO, registrant Honey Salt Ltd was found to have cybersquatted by registering and offering for sale bfgoodrich.sucks, uniroyal.sucks and tetrapak.sucks.

While earlier cases filed with the Czech Arbitration Forum had identified Honey Salt as a Turks & Caicos company, the latest few WIPO cases say it is a UK-based company.

However, searches at UK Companies House do not reveal any company matching that name.

The latest WIPO cases also identify an individual allegedly behind said company as a respondent, one “Pat Honeysalt”.

That’s either a pseudonym, or we’ve found one of those people who have somehow managed to keep their name out of Google’s index despite being well-funded and tech-savvy.

Honey Salt is believed to be the registrant of thousands of .sucks domains, all matching the trademarks of big companies, which all point to Everything.sucks, a wiki-style web site comprising scraped third-party criticism targeting the brands in question.

Its defense in its UDRP cases to date has been that it is providing non-commercial free speech criticism, and that the inclusion of “.sucks” in the domain means users could not possibly believe the site is officially sanctioned by the brand.

All but one UDPR panel has so far not believed this defense, with panelists pointing out that the domains in question are usually listed for sale on the secondary market (sometimes at cost, sometimes at an inflated price).

They further point out that the criticism displayed on the Everything.sucks site was written by third parties, often prior to the registration of the domain in question, so Honey Salt cannot claim to be exercising its own free-speech rights.

Honey Salt is represented in its UDRP cases by the very large US-based law firm Orrick, Herrington & Sutcliffe, which also represents .sucks registry Vox Populi.

IP lobby demands halt to Whois reform

Kevin Murphy, March 17, 2021, Domain Policy

Trademark interests in the ICANN community have called on the Org to freeze implementation of the latest Whois access policy proposals, saying it’s “not yet fit for purpose”.

The Intellectual Property Constituency’s president, Heather Forrest, has written (pdf) to ICANN chair Maarten Botterman to ask that the so-called SSAD system (for Standardized System for Access and Disclosure) be put on hold.

SSAD gives interested parties such as brands a standardized pathway to get access to private Whois data, which has been redacted by registries and registrars since the EU’s Generic Data Protection Regulation came into force in 2018.

But the proposed policy, approved by the GNSO Council last September, still leaves a great deal of discretion to contracted parties when it comes to disclosure requests, falling short of the IPC’s demands for a Whois that looks a lot more like the automated pre-GDPR system.

Registries and registrars argue that they have to manually verify disclosure requests, or risk liability — and huge fines — under GDPR.

The IPC has a few reasons why it reckons ICANN should slam the brakes on SSAD before implementation begins.

First, it says the recommendations sent to the GNSO Council lacked the consensus of the working group that created them.

Intellectual property, law enforcement and security interests — the likely end users of SSAD — did not agree with big, important chucks of the working group’s report. The IPC reckons eight of the 18 recommendations lacked a sufficient degree of consensus.

Second, the IPC claims that SSAD is not in the public interest. If the entities responsible for “policing the DNS” don’t think they will use SSAD due to its limitations, then why spend millions of ICANN’s money to implement it?

Third, Forrest writes that emerging legislation out of the EU — the so-called NIS2, a draft of a revised information security directive —- puts a greater emphasis on Whois accuracy

Forrest concludes:

We respectfully request and advise that the Board and ICANN Org pause any further work relating to the SSAD recommendations in light of NIS2 and given their lack of community consensus and furtherance of the global public interest. In light of these issues, the Board should remand the SSAD recommendations to the GNSO Council for the development of modified SSAD recommendations that meet the needs of users, with the aim of integrating further EU guidance.

It seems the SSAD proposals will be getting more formal scrutiny than previous GNSO outputs.

When the GNSO Council approved the recommendations in September, it did so with a footnote asking ICANN to figure out whether it would be cost-effective to implement an expensive — $9 million to build, $9 million a year to run — system that may wind up being lightly used.

ICANN has now confirmed that SSAD and the other Whois policy recommendations will be one of the first recipients of the Operational Design Phase (pdf) treatment.

The ODP is a new, additional layer of red tape in the ICANN policy-making sausage machine that slots in between GNSO Council approval and ICANN board consideration, in which the Org, in collaboration with the community, tries to figure out how complex GNSO recommendations could be implemented and what it would cost.

ICANN said this week that the SSAD/Whois recommendations will be subject to a formal ODP in “the coming months”.

Any question about the feasibility of SSAD would be referred back to the GNSO, because ICANN Org is technically not supposed to make policy.

Correction: UNR’s trademark block service

Kevin Murphy, March 11, 2021, Domain Registries

The registry or registries that buy UNR’s portfolio of new gTLDs at its firesale auction next month will be obliged to honor domains blocked by subscribers to its UniEPS brand protection service.

That’s contrary to what I reported yesterday, which was pretty much the opposite. I apologize for the error.

I asked UNR CEO Frank Schilling for comment about the post-auction UniEPS service, but did not receive a reply. Today, I learned that Schilling had in fact sent a lengthy reply, but it wound up in my email spam folder. Apparently my emails to him also wound up in his spam folder. The filtering gods clearly do not approve of our relationship.

According to Schilling, bidders for each of the 23 auctioned TLDs have been told “blocked names have to remain blocked, banned, or reserved after acquisition, even if they do not participate in our blocking service”.

Registrars were told:

Should an auction winner elect to withdraw the Asset(s) from UNR’s blocking services, the blocked domains will have to remain blocked, reserved, or banned in the acquired Registries until the expiry dates below. This is no different than a new owner honoring prepaid domains under management with expiry dates in the future. Once a block expires, the associated domains can be released for any registrant to purchase (fees from future registrations will be paid to the new owner).

Schilling also said that UNR is forgoing revenue from UniEPS auto-renews after March 15 until the gTLDs change hands. The new owners will be able to cancel these free renewals, he said.

The new owners will be able to continue to use UniEPS if the gTLDs remain on its registry platform. They could also choose to migrate them to their own blocking service, should they have one.

UniEPS, like other products on the market, blocks trademarks and variants such as IDN homographs from registration. It works out cheaper than defensively registering domains, but the domains cannot be used.

UNR, the former Uniregistry, will auction all of its 23 gTLD contracts April 28, as the company refocuses on back-end registry services.

Everything.sucks, in losing UDRPs, puts the lie to the .sucks business model

The World Intellectual Property Organization has delivered its first UDRP decision concerning a .sucks domain name, ruling that the name sanofi.sucks is in fact cybersquatting.

The three-person panel ruled that the domain was identical or confusingly similar to a trademark owned by Sanofi, a French pharmaceuticals manufacturer involved in producing vaccines for the COVID-19 virus.

That was despite the fact that the registrant, affiliated with the Everything.sucks project, argued that nobody would think a domain name ending in “.sucks” would be affiliated with the trademark owner.

That argument flies in the face of official .sucks registry marketing from Vox Populi Registry, which positions .sucks as a place for brand owners to consolidate and manage customer criticism, feedback and support.

The sanofi.sucks case is one of two UDRP losses in the last few weeks for Honey Salt, a Turks and Caicos-based company that is believed to account for over a third of all .sucks registrations.

Honey Salt has registered thousands of brand names in .sucks, linking them to a wiki site operated by Everything.sucks Inc that contains criticism of the brands concerned copied from third-party web sites such as TrustPilot and GlassDoor.

There’s evidence that Everthing.sucks and Honey Salt are affiliated or share common ownership with Vox Pop, but the registry has denied this.

In the Sanofi case, Honey Salt mounted a free speech defense, saying it was providing a platform for legitimate criticism of the company and that Sanofi was using the UDRP to silence such criticism.

Sanofi claimed that the domain had in fact been registered for commercial purposes and to unfairly suggest an official connection to the company.

But what’s interesting is how Honey Salt argues that the domain itself, regardless of the associated web site’s content, is not confusingly similar to the Sanofi mark. The WIPO panelsts wrote, with my added emphasis:

The Respondent maintains that the disputed domain name is not identical or confusingly similar to a trademark in which the Complainant has rights. According to it, the “.sucks” gTLD is not like other generic TLDs, and its pejorative nature renders the disputed domain name as a whole nonidentical and prevents confusion, and the inclusion of “.sucks” in the disputed domain name makes clear that the associated website is not affiliated with the Complainant, but instead contains criticism of it and of its business.

In other words, if you visit a .sucks domain, you automatically will assume that the site is not associated with the brand owner.

Honey Salt seems to have made an identical argument in the UDRP case of cargotec.sucks, which it also lost at the Czech Arbitration Forum last month. The panelists in that decision summarized the company’s defense like this:

The TLD at issue here, however, .sucks, is not like other generic top level domains. Its pejorative nature renders the domain name as a whole nonidentical and prevents confusion… The inclusion of “.sucks” makes abundantly clear that the website is not affiliated with Complainant and instead contain criticism of its business.

Again, this is completely contrary to the stated goal of the .sucks registry.

Vox Pop has from the outset claimed that .sucks domains are a way for brands to aggregate customer feedback and criticism in one place, using a .sucks domain controlled by the brands themselves.

That purpose goes all the way back to its 2012 ICANN new gTLD application and continues to this day on its official web site and Twitter feed, which is primarily used to goad companies undergoing media controversies into registering and using their .sucks exact-match.

Back in 2015, Vox Pop CEO John Berard told us:

A company would be smart to register its name because of the value that consumer criticism has in improving customer loyalty, delivering good customer service, understanding new product and service possibilities… They’re spending a lot more on marketing and customer service and research. This domain can another plank in that platform

Vox Pop even owns and uses voxpopuli.sucks and dotsucks.sucks, where it hosts a little-used forum welcoming criticism from people who say the company sucks.

But Honey Salt, its largest registrant by a significant margin, is now on-record stating that .sucks domains only imply ownership by third parties and could not possibly be confused with brand-owner ownership.

If the Many Worlds interpretation of quantum mechanics is correct, there exists a corner of the multiverse in which Honey Salt and Everything.sucks are just fronts for the entities that also control Vox Pop and its top registrar, Rebel.com. In that universe, it would be trippy indeed for the registry’s own affiliates to admit its entire stated business model is bullshit.

In our universe, that particular cat, which very probably has a goatee, is still firmly in the box, however.

Speculative forays into science fiction aside, Honey Salt’s record on UDRP is now three losses versus one win. It has six more cases pending at WIPO

Facebook lawsuit brings one country’s domain to a screeching halt

Kevin Murphy, February 22, 2021, Domain Registries

Bangladesh’s ccTLD registry has reportedly frozen all registrations and transfers after a cybersquatting lawsuit filed by Facebook.

According to local reports a couple weeks back, Bangladesh Telecommunications Company Ltd has implemented Draconian pre-registration roadblocks to registration, such that only exact-match domain names are available to individuals and organizations.

And Western corporate registrar CSC said today that BTCL has “implemented a temporary suspension to registration and transfer orders due to an ongoing legal matter” and is “diligently working to draft new regulations and procedures for registration orders.”

Registrants can still manage their Whois and DNS settings as normal, CSC said.

Facebook sued the registrant of the domain facebook.com.bd last November, asking for the domain to be cancelled and for $50,000 in damages, dragging BTCL into the case.

According to reports, the domain had been registered in 2008 when the registry used a largely paper-based system, but Facebook only resorted to the courts last year when the registrant listed it for sale for $6 million.

It’s a textbook case of cybersquatting, but .bd evidently does not have the mechanisms — such as UDRP — to handle such malfeasance outside of the courts.

While a Dhaka court reportedly issued an injunction against the domain in question, it’s still resolving and still listed for sale at $6 million.

Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains

Kevin Murphy, February 11, 2021, Domain Services

Security company Proofpoint has sued Facebook in order to keep hold of several typo domains that are deliberately intended to look like its Facebook and Instagram brands.

Proofpoint wants an Arizona court to declare that facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net and instagrarn.org are not cases of cybersquatting because they were not registered in bad faith.

Proofpoint — a $7 billion company that certainly does not phish — uses the domains in anti-phishing employee training services, as it describes in its complaint:

Proofpoint uses intentionally domain names that look like typo-squatted versions of recognizable domain names, such as , and the other Domain Names at issue in these proceedings.

By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.

Employees who click the bogus links are taken to harmless web pages describing how they were duped.

The court case comes shortly after Facebook prevailed in a UDRP case filed with WIPO.

In that case, the panelist decided that Proofpoint had no legitimate interest in the domains because they led to web sites that linked to Proofpoint’s web site, where commercial services are offered.

He therefore found that the names had been registered in bad faith, because visitors could assume that Facebook or Instagram in some way endorsed these services.

Proofpoint wants the court to reverse that decision and allow it to keep the names. Here’s the complaint (pdf).

It strikes me as at the very least bad form for Facebook to go after these domains, given that Proofpoint is tackling the Facebook phishing problem at source — user idiocy — rather than the reactive, interminable UDRP whack-a-mole Facebook seems to be engaging in.

New rules could stop registries ripping off big brands

Kevin Murphy, January 25, 2021, Domain Policy

New gTLD registries could be banned from unfairly reaching into the deep pockets of famous brands, under proposed rules soon to be considered by ICANN.

A recommendation approved by the GNSO Council last Thursday targets practices such as using reserved and premium lists to block trademark owners from registering their brands during sunrise periods, or charging them exorbitant fees.

It’s believed to target new TLDs that hope to copy controversial practices deployed by the likes of .sucks, .feedback and .top in the 2012 gTLD round.

The recommendations came in the final report of Review of All Rights Protection Mechanisms (RPMs) in All gTLDs working group, which suggests over 30 tweaks to policies such as Sunrise, Trademark Claims, Trademark Clearinghouse and Uniform Rapid Suspension.

While the recommendations almost all received full consensus of the working group, that’s largely because the group could not agree to any of the major changes that had been demanded by the intellectual property lobby.

The aforementioned RPMs will therefore not change a great deal for the next batch of new gTLD applicants.

Even the recommendation about not ripping off big brands is fairly weak, and may well be watered down to homeopathic levels by the forthcoming Implementation Review Team, which will be tasked with turning policy into practice.

This is the recommendation:

Sunrise Final Recommendation #1

The Working Group recommends that the Registry Agreement for future new gTLDs include a provision stating that a Registry Operator shall not operate its TLD in such a way as to have the effect of intentionally circumventing the mandatory RPMs imposed by ICANN or restricting brand owners’ reasonable use of the Sunrise RPM.

Implementation Guidance:

The Working Group agrees that this recommendation and its implementation are not intended to preclude or restrict a Registry Operator’s legitimate business practices that are otherwise compliant with ICANN policies and procedures.

The idea is that ICANN Compliance could come down on registries deploying unfair rules designed to rip off trademark owners.

Practices that have come in for criticism in the past, and are cited in the report, include:

.top’s attempt to charge Facebook $30,000 for facebook.top

.feedback registering thousands of brand-match domains to itself

.sucks placing brand-match domains in an expensive premium pricing tier

Famous Four Media doing the same thing

The working group could not agree on whether any of these should be banned, and it looks like the IRT will have a lot of wriggle room when it comes to interpret the recommendation.

Now that the GNSO Council has approved the RPM working group’s final report (pdf), it will be passed to the ICANN board of directors for consideration before the nitty-gritty work of translating words into reality begins.

GoDaddy has a secret weapon in its push into corporate domains

Kevin Murphy, November 19, 2020, Domain Registrars

While GoDaddy has been focused for the last two decades on small and microbusiness customers, its entry this year into the corporate domains management space should not be dismissed — the company has one huge advantage.

Earlier this week, the company announced the launch of GoDaddy Corporate Domains, really just a rebranding of the company Brandsight, which it acquired back in February.

The move pits GoDaddy against industry leaders such as MarkMonitor, CSC, Com Laude, Safenames et al.

But the company has one huge advantage that its new competitors do not have: cybersquatters and criminals.

Buried at the bottom of this week’s press release is the announcement of a new service, the Verified Intellectual Property program, which “provides pre-vetted, well-known and famous brands an escalation path to address IP abuse”.

It sounds basically like a trusted notifier service not unlike those offered at the registry level by the likes of Donuts and Radix.

VIP clients will be able to get sites and domains hosted on GoDaddy taken down much quicker, via a special escalation email address, a spokesperson said. Takedown requests will still be subject to manual review, he said.

VIP is currently invitation-only, but I assume being a Corporate Domains customer would help expedite an invitation.

This kind of service is something GoDaddy’s new rivals cannot offer — they generally have no retail channel or hosting, so have no cyberquatters, pirates or counterfeiters as customers. If they want to take down a domain or web site, it’s not a simple matter of flipping a switch.

They also don’t have tens of millions of domains under management, many of which, through no fault of GoDaddy, will be maliciously registered.

This is potentially a pretty cool USP for GoDaddy, which could have rivals worried.

That .sucks weirdness? Worse than I thought

Kevin Murphy, October 16, 2020, Domain Registries

A business plan to turn .sucks into a massive Wikipedia-style gripe site, described by trademark lawyers five years ago as a “shakedown”, has reared it ugly head again.

You may recall that earlier this week I reported how somebody had registered many hundreds of .sucks domain names and listed them for sale on secondary market web sites at cost price. It looked weird, almost as if the registry or an affiliate was the registrant, which the registry denied.

It turns out I only told you half the story, for which I can only apologize.

At the time, the domains in question were not resolving for me, probably due to my terrible, block-happy ISP. But now they are resolving, and they reveal the return of Everything.sucks, a plan first floated by the .sucks registry in 2015.

It’s a network of hundreds of .sucks micro gripe-sites, each targeted to a specific brand and each each populated with content scraped, usually without citation, from Wikipedia, social media, and consumer-review aggregator web sites.

Here’s where jackdaniels.sucks takes you, for example (click to enlarge).

Jack Daniels sucks

The description of the company is taken from Wikipedia. The customer comments below are taken from reviews of an apparently unrelated company called The Whisky Exchange published by TrustPilot, and the social media posts have been pulled from Instagram users deploying the hashtag #jackdanielssucks.

Other pages on the site seem to scrape content from GlassDoor, a site where employees review their employers.

While there’s nothing wrong with gripe sites, automating their creation over hundreds or even thousands of brands that you don’t genuinely have gripes with seems, charitably, churlish.

And these gripe sites are — or at least were — being monetized.

You’ll see a banner ad in the top-right corner of the above screen-grab, offering jackdaniels.sucks for sale. The link took you to a page on Sedo that offers the domain for sale with a buy-now price of $199 (the same as the registry’s wholesale fee).

Banners on other pages led to landers on GoDaddy-owned Uniregistry.com with prices of $599.

These banners, which appeared on every brand’s page that I checked, seem to have disappeared at some point over the last two days. I’m sure the change is unrelated to the fact that I started asking .sucks registry Vox Populi and parent Momentous difficult questions about these trademark-match domains on Wednesday.

While UDRP panels have disagreed over the years, there’s precedent dating back two decades that “trademarksucks.tld” domains with sites that contain genuine, non-commercial criticism can confer legitimate rights to the registrant and are therefore NOT cybersquatting.

I doubt a site that actively tries to sell the domain name in question for above out-of-pocket costs could be considered non-commercial.

Still, it looks like those banners are gone now, and I can’t find any other examples of obvious monetization.

I use jackdaniels.sucks as an example here as it’s the site I took a screenshot of before the changes, but there are many hundreds of similar trademark-match domains being used to feed traffic to Everything.sucks.

I note that unitedinternet.sucks, named after the parent company of Sedo, is for sale for $199 on Sedo and leads to a gripe site on Everything.sucks containing less-than-complimentary remarks. It’s for sale at $599 on Uniregistry.

But who is Everything.sucks?

The concept itself originates with the .sucks registry itself. Before the TLD launched in 2015, it floated the idea to a tsunami of criticism from trademark owners.

The plan back then was to sell .sucks domains for .com prices — a discount of a couple hundred dollars — but only to registrants unaffiliated with the trademark owner. These registrants would have had to forward their domains to an Everything.sucks-branded discussion forum.

Back then, Vox Pop said it planned to work with a non-for-profit third party on this initiative.

That third party never materialized, and later in 2015 appeared to mutate into a system called This.sucks, operated by a company called This.sucks Ltd, which took over the Everything.sucks domain name.

This.sucks sold .sucks domains for $12 a year, with the domains pointing to a forum/blogging platform that the company hoped to monetize.

Both This.sucks and Vox Pop denied there was any link between the two companies, but I later uncovered a lot of compelling circumstantial evidence linking the two companies, including the fact that Rob Hall, CEO of Vox Pop parent Momentous, paid for This.sucks’ web site design.

This.sucks appears to have fizzled out in the intervening years, but now Everything.sucks is back with a mystery registrant snapping up thousands of domains, at a cost of at least half a million bucks, under the Everything.sucks brand.

Public Whois is useless nowadays, of course.

But the front page of Everything.sucks describes it as “a non-profit organization and communications forum for social activism”.

Many of the domains that redirect to its site appear to be registered to a Turks and Caicos company called Honey Salt Ltd, a name that does not naturally suggest a non-profit entity.

Others use Momentous’ domain privacy service. All appear to be registered via Momentous-owned registrar Rebel, which sells .sucks domains at cost and is therefore one of the cheapest registrars on the market.

Back in 2015, intellectual property interests expressed doubt that the proposed Everything.sucks third party and the This.sucks third party were not in fact just smokescreens, fronts for the registry itself.

Vox Pop CEO John Berard on Wednesday denied to DI that the company had any involvement in the recent spurt of trademark-match registrations being used by Everything.sucks and expressed a lack of knowledge about the registrant’s intent.

I’ve not yet received comment from Momentous, but I’d be very surprised if the company does not know who is behind Everything.sucks.

At the very least, Vox Pop and Rebel are both privy to the unexpurgated Whois and/or customer records for whoever is running Everything.sucks and whoever it is that has grown the .sucks zone file by about 50% since June.

Could .cpa be the most successful new gTLD sunrise yet?

Kevin Murphy, September 25, 2020, Domain Registries

The registry for the new .cpa gTLD reckons it has received “thousands” of applications for domains during its current launch period, potentially making it the most successful gTLD sunrise since 2012.

The American Institute of Certified Public Accountants, which manages the TLD, said today:

Well over half of the 100 biggest U.S. firms — as well as an equally large percentage of the next 400 — have begun advancing their applications as part of the early phase of the .cpa registration process, which launched on Sept. 1.

Assuming “thousands” means at least 2,000, this would make .cpa a top three or four sunrise, judging by figures collected by ICANN showing Google’s .app the current volume leader at 2,908.

But we can’t assume that all the .cpa domains boasted of are trademark-verified sunrise period applications under ICANN’s rules.

AICPA is running a simultaneous Limited Registration Period during which any CPA firm can apply for domains that are “most consistent with their current digital branding” — ie, no trademark required.

Both of these periods end October 31, after which the registry will dole out domains in a batch, presumably giving preference to the sunrise applicants.

We have to assume the amount of purely defensive registrations will be relatively low, due to AICPA’s policies.

Not only are registrants limited to licensed CPA companies and individuals, but registrants have to commit to redirect their .cpa domain to their existing web site within a month and deploy a full web site within a year.

.cpa domains sell for $225 a year, according to the registry. General availability is scheduled for January 15.