Latest news of the domain name industry

Recent Posts

BMW porn site leads to registrar getting suspended

Kevin Murphy, January 18, 2022, Domain Registrars

A Hong Kong registrar has had its ICANN contract suspended after failing to transfer a cybersquatted domain to car maker BMW.

ThreadAgent.com, which has about 32,000 .com and .net domains under management, attracted the attention of ICANN compliance after a customer lost a UDRP case concerning the domain bmwgroup-identity.net.

The domain led to a site filled with porn and gambling content, and the UDRP was a slam-dunk win for BMW.

But ThreadAgent failed to transfer the domain to BMW within the 10 days required by ICANN policy, leading to Compliance reviewing the registrar for other areas of non-compliance.

A December 22 breach notice led to the registrar transferring the domain to BMW last week, but it had failed to resolve the other issues ICANN had identified, leading to a suspension notice the very next day.

ICANN wants ThreadAgent to explain why the UDRP was not processed according to the policy, and how it will be compliant in futre. It also says the company is not operating a web Whois service as required.

ICANN has told the company it will not be able to sell gTLD domains or accept inbound transfers between January 28 and April 28, and must display a notice to that effect prominently on its web site.

That second requirement may prove complicated, as ThreadAgent appears to be one of about 20 registrar accreditations belonging to XZ.com, a Chinese group based in Xiamen. It has not used the domain threadagent.com in several years, and its other accreditations, which use the same storefront, are all still unsuspended.

If you guessed Facebook’s “Meta” rebrand, you’re probably still a cybersquatter

Kevin Murphy, November 3, 2021, Domain Policy

Guessing that Facebook was about to rebrand its corporate parent “Meta” and registering some domain names before the name was officially announced does not mean you’re not a cybersquatter.

Donuts this week reported that its top-trending keyword across its portfolio of hundreds of TLDs was “meta” in October. The word was a new entry on its monthly league table.

We’re almost certainly going to see the same thing when Verisign next reports its monthly .com keyword trends.

The sudden interest in the term comes due to Facebook’s October 28 announcement that it was calling its company Meta as part of a new focus on “metaverse” initiatives.

The announcement was heavily trailed following an October 19 scoop in The Verge, with lots of speculation about what the name change could be.

Many guessed correctly, no doubt leading to the surge in related domain name registrations.

Unfortunately for these registrants, Facebook is one of the most aggressive enforcers of its trademark out there, and it’s pretty much guaranteed that Meta-related UDRP cases will start to appear before long.

While Facebook’s “Meta” trademark was only applied for in the US on October 28, the same date as the branding announcement, the company is still on pretty safe ground, according to UDRP precedent, regardless of whether the domain was registered before Facebook officially announced the switch.

WIPO guidelines dating back to 2005 make it clear that panelist can find that a domain was registered in bad faith. The latest version of the guidelines, from 2017, read:

in certain limited circumstances where the facts of the case establish that the respondent’s intent in registering the domain name was to unfairly capitalize on the complainant’s nascent (typically as yet unregistered) trademark rights, panels have been prepared to find that the respondent has acted in bad faith.

Such scenarios include registration of a domain name: (i) shortly before or after announcement of a corporate merger, (ii) further to the respondent’s insider knowledge (e.g., a former employee), (iii) further to significant media attention (e.g., in connection with a product launch or prominent event), or (iv) following the complainant’s filing of a trademark application.

Precedent for this cited by WIPO dates back to 2002.

So, if you’re somebody who registered a “meta” name after October 19, the lawyers have had your number for the better part of two decades, and Facebook has a pretty good case against you. If your name contains strings such as “login” or similar, Facebook’s case for bad faith is even stronger.

Of course, “meta” is a dictionary word, and “metaverse” is a term Facebook stole from science fiction author Neal Stephenson, so there are likely thousands of non-infringing domains, dating back decades, containing the string.

That doesn’t mean Facebook won’t sic the lawyers on them anyway, but at least they’ll have a defense.

Guy fills exact-match domain with porn, wins UDRP anyway

Kevin Murphy, October 19, 2021, Domain Policy

A Chinese registrant has managed to survive a UDRP over an exact-match domain name, despite not responding to the complaint and filling the associated web site with porn.

An ADR Forum panelist yesterday ruled the registrant could keep the domain boltonmenk.com (NSFW) despite Bolton & Menk, a Minnesota engineering firm that says it was founded in 1949, claiming infringement of common-law trademark.

Bolton & Menk has used the hyphenated version, bolton-menk.com, since 1996.

The non-hyphenated version at issue in this case has been in the hands of third-party registrants for at least 15 years, with at least 13 drops, according to DomainTools.

It seems to have been mostly parked with regular, inoffensive ads, and it was presumably only the recent addition of hard-core pornography that caught the complainant’s attention.

But the UDPR panelist ruled that Bolton & Menk, which has only a pending US trademark application, had failed to provide enough evidence that its brand also operates as a common-law trademark.

The complaint was therefore dismissed for the complainant’s lack of rights without even considering the registrant’s bad faith or legitimate interests.

It looks like a case of the bad guy getting away with it due to a less-than-comprehensive complaint.

Man with broken shift key sues ICANN and GoDaddy over Bitcoin domain

Kevin Murphy, October 13, 2021, Domain Policy

Sometimes I wonder if all they teach you at American law schools is how to correctly use upper-case letters.

A Georgia man who lost a cybersquatting case with Sotheby’s, concerning his registration of sothebysauctionbitcoin.com, has taken the auction house, along with ICANN, GoDaddy, and ADR Forum to court.

Harris’ case is filed pro se, which is Latin for “he doesn’t have a lawyer, his complaint makes no sense, and the case is going to get thrown out of court”.

He claims a UDRP decision that went against him recently was incorrect, that ADR Forum is corrupt and biased, and that the UDRP itself is flawed.

The domain was registered with GoDaddy, and ADR Forum was the UDRP provider.

He wants his domain back, along with root-and-branch reform of the UDRP and “self-regulating lumbering Monopolistic Behemoth” ICANN, which is apparently still working under the auspices of the US Department of Commerce.

Here’s a flavor of the filing (pdf), which was filed in a Georgia District Court yesterday:

We are ASKING THE Court to find the UDRP (Uniform Dispute Resolution Procedure) #FA2108001961598 (Sotheby’s and SPTC v Harris) Arbitration process and resulting ruling was Fatally Flawed; whereas ICANN failed to properly parse the “Provider” and we believe allowed Sotheby’s Counsel of Record in those proceeding to have specifically chosen ADR Form ADR FORUM whose history is tainted by a Consent Decree in their previous corporate iteration as an arbitration Provider for bad behavior and is also known to be a pro Claimant Provider.

In the version published to PACER, the complaint ends abruptly mid-sentence and seems to have one or more pages missing.

The decision in the original UDRP case is equally enlightening. Harris apparently sent nine responses to the complaint, many of which seemed to argue that Sotheby’s should have made an offer for the domain instead of “intimidating and bullying” him.

Harris apparently argued that the registration was a “legitimate investment”, thereby conferring rights to the domain.

Sole panelist Neil Anthony Brown seems to have taken pity on Harris, who had declared that Sotheby’s citation of previous UDRP cases was “irrelevant”, by deciding the case (against him, of course) without direct reference to prior precedent.

It was basically a slam-dunk decision, as I expect this lawsuit will also be.

James Bond domains listed for sale by .bond registry

Kevin Murphy, October 4, 2021, Domain Registries

ShortDot has made James Bond related domain names in the gTLD .bond available for sale or lease, as the movie franchise’s latest outing smashes box office records.

Both james.bond and 007.bond are currently listed for sale for $25,000 each at Dan.com, with a lease-to-own option of $2,084 a month. The .bond registry is listed as the seller. They will renew at the standard rate.

The offers were announced shortly before the weekend opening of No Time To Die made a reported $120 million internationally in cinema ticket sales, beating pandemic-related box office records.

Both “James Bond” and “007” are trademarks of movie producer EON Productions, so it seems buyers might be assuming some UDRP risk. I asked ShortDot about this last week but did not receive a response.

In a press release, the company made hay about the fact that that “James” is a super-common given name and “007” is a three-digit numeric, which are both sought-after categories of domains.

These are the kinds of assertions you’d expect in a UDRP defense.

.bond was originally a dot-brand for Bond University in Australia, but it was sold to ShortDot in 2019 after laying dormant for years.

Regular .bond domains retail for about $70 a year. There are over 4,000 currently registered.

.sucks registry probably “connected” to mass cybersquatter, panel rules

Kevin Murphy, August 19, 2021, Domain Registries

Vox Populi, the .sucks registry, is probably affiliated with and financially benefiting from a mass cybersquatter, a panel of domain experts has said.

In the UDRP case of Euromaster v Honey Salt, a three-person panel handed the complainant the domain euromaster.sucks, ruling that it was a case of cybersquatting.

It’s one of 21 .sucks UDRP complaints filed against Honey Salt, a Turks & Caicos company operating under unknown ownership believed to own hundreds or thousands of brand-match .sucks domains.

It’s lost 17 of the 19 so-far decided cases. It also won one case on a technicality and another early case on the merits after mounting a free-speech defense that subsequent panels have not bought.

What’s new about this one is that the WIPO panel — Lawrence Nodine, Douglas Isenberg and Stephanie Hartung — is the first to follow the money and openly infer a connection between Honey Salt and Vox Pop.

The panel said that it “infer[s] that the Respondent [Honey Salt] and Registry [Vox Pop] are connected”, and that Vox is probably trying to make money by charging trademark owners premium fees for their own brands.

Vox Pop has previously denied such a connection, when I first made the same inference last October.

Regular readers will recall that Honey Salt has registered hundreds of .sucks domains and pointed them to a wiki-style web site called Everything.sucks, ostensibly run by a third-party, US-based non-profit.

Rather than containing original “gripe” content, which could easily enable it to win a free-speech UDRP defense, Everything.sucks simply populates its site with poor-quality, context-free content scraped by bots from social media and third-party web sites such as TrustPilot and GlassDoor.

Originally, each page carried a banner linking to a secondary market page at Uniregistry or Sedo where the domains could be purchased, often at cost price.

That quickly disappeared when the first UDRP cases started rolling in, and earlier this year Everything.sucks said on each page that it refused to sell its domains to anyone, instead offering a free transfer.

It even published the pre-authorized transfer codes on each page, meaning literally anyone could seize control of the domain in question without asking permission from or negotiating with Honey Salt in advance.

The problem with that is that transfers are not free. Some domains are flagged as premium — including lots of brand-matches — and have transfer fees in the thousands of dollars. Even the cheapest still carry the base registry fee.

Many registrars steer well clear of this model, disallowing any .sucks transfers.

One registrar that reliably does allow .sucks transfers is Rebel, which is sister company to Vox Pop under the Momentous group of companies. It offers .sucks domains at the registry wholesale fee, which is $200 for an non-premium.

It’s been painfully obvious since the outset that the only parties that stand to make a profit on the Everything.sucks business model are the registry and its affiliated companies — it simply doesn’t make sense that Honey Salt would invest hundreds of thousands of dollars in trademark-infringing domains, simply to hand them over at cost.

But the Euromaster panel is the first to infer the connection, or at least the first to publicly infer the connection.

Euromaster had filed a supplemental document in its complaint pointing out that the “free” transfer of euromaster.sucks would in fact cost a “premium” fee of $2418.79. The registrar quoting that fee is not revealed.

The WIPO panel asked Honey Salt for an explanation and it sounds like it got a bunch of procedural waffle in response.

This led to the following discussion, to which I’ve added some emphasis:

The Panel also finds that Respondent [Honey Salt] has failed to show that it has no financial interest in the Disputed Domain Name. Complainant’s Supplemental submissions demonstrate that Complainant’s chosen registrar quoted a fee of USD 2418.79 to transfer the Disputed Domain Name. Complainant’s report is consistent with M and M Direct Limited v. Pat Honey Salt, Honey Salt Limited, WIPO Case No. D2020-2545, where a different panel conducted an independent investigation and reported that the domain name at issue in that case was not offered “free” as promised, but instead that registrars classified the domain names at issue as “premium” and quoted transfer fees of USD 3,198 and USD 4,270 respectively.

This directly contradicts any claim to be offering a free and noncommercial service, and given that any registration would result in a fee being paid to the Registry by a registrar, leads the Panel to infer that the Respondent [Honey Salt] and Registry [Vox Pop] are connected.

Given the prior decision in M and M Direct, and the evidence that Complainant’s Supplemental submissions, the Panel afforded Respondent an opportunity to submit additional argument and evidence to explain the inconsistency. Respondent made no effort to do so, but instead only opposed consideration of Complainant’s supplemental evidence and repeated its previous contentions. The Panel rejects the objections to Complainant’s Supplemental submission, and emphasizes that Respondent was given an opportunity fully to respond.

The Panel finds that Complainant’s evidence raises substantial questions about the credibility of Respondent’s assertion that it has no financial interest in the Disputed Domain Name and whether Respondent’s offer to transfer the Disputed Domain might, directly or indirectly, financially benefit Respondent. Accordingly, the Panel finds that Respondent has not carried its burden to show that its use is noncommercial

In other words, the panel suspects that Vox Pop is in on Honey Salt’s bulk-cybersquatting game.

The closest any other UDRP panel has come to making this link was in a recent case filed by multiple, unrelated trademark owners, where the panel, while denying the complaint on procedural grounds, suggested that aggrieved trademark owners instead invoke ICANN’s Trademark Post Delegation Dispute Resolution Procedure.

The Trademark PDDRP is a mechanism — so far unused and untested — that allows trademark owners to allege registry complicity in cybersquatting schemes. Think of it like UDRP for cybersquatting registries.

Frankly, I’m amazed it hasn’t been used yet.

Panel hands .sucks squatter a WIN, but encourages action against the registry

A UDRP panel has denied a complaint against .sucks cybersquatter Honey Salt on a technicality, but suggested that aggrieved trademark holders instead sic their lawyers at the .sucks registry itself.

The three-person World Intellectual Property Organization panel threw out a complaint about six domains — covestro.sucks, lundbeck.sucks, rockwool.sucks, rockfon.sucks, grodan.sucks, tedbaker.sucks, tedbaker-london.sucks, and tedbakerlondon.sucks — filed jointly by four separate and unrelated companies.

The domains were part of the same operation, in which Turks & Caicos-based Honey Salt registers trademarks as .sucks domains and points them at Everything.sucks, a wiki-style site filled with content scraped from third-party sites.

Honey Salt has lost over a dozen UDRP cases since Everything.sucks emerged last year.

But the WIPO panel dismissed the latest case without even considering the merits, due to the fact that the four complainants had consolidated their grievances into a single complaint in an apparent attempt at a “class action”.

The decision reads:

although the Complainants may have established that the Respondent has engaged in similar conduct as to the individual Complainants, which has broadly-speaking affected their legal rights in a similar fashion, the Complainants do not appear to have any apparent connection between the Complainants. Rather it appears that a number of what can only realistically be described as separate parties have filed a single claim (in the nature of a purported class-action) against the Respondent, arising from similar conduct. As the Panel sees it, the Policy does not support such class actions

The panel decided that to force the respondent to file a common response to these complaints would be unfair, even if it is on the face of it up to no good.

Making a slippery-slope argument, the panel suggested that to allow class actions might open up the possibility of mass UDRP complaints against, for example, domain parking companies.

So the case was tossed without the merits being formally considered (though the panel certainly seemed sympathetic to the complainants).

But the sting in the tale comes at the end: the panel allowed that the complainants may re-file separate complaints, but also suggested they invoke the Trademark Post Delegation Dispute Resolution Procedure.

That’s interesting because the Trademark PDDRP, an ICANN policy administered by WIPO and others, is a way to complain about the behavior of the registry, not the registrant.

It’s basically UDRP for registries.

The registry for .sucks domains is Vox Populi, part of the Momentous group of companies. It’s denied a connection to Honey Salt, which uses Vox sister company Rebel for its registrations.

According to ICANN: “The Trademark PDDRP generally addresses a Registry Operator’s complicity in trademark infringement on the first or second level of a New gTLD.”

Complainants under the policy much show by “clear and convincing evidence” that the registry operator or its affiliates are either doing the cybersquatting themselves or encouraging others to do so.

There’s no hiding behind shell companies in tax havens — the policy accounts for that.

The trick here would be to prove that Honey Salt is connected to Vox Pop or the Momentous group.

Nothing is known about the ownership of Honey Salt, though Whois records and UDRP decisions identify a person, quite possibly a bogus name, as one “Pat Honeysalt”, who has no digital fingerprint to speak of.

The most compelling piece of evidence linking Honey Salt to Vox is gleaned by following the money.

The current business model is for Everything.sucks to offer Honey Salt’s domains for “free” by publishing transfer authorization codes right there on the squatted domain.

But anyone attempting to claim these names will still have to pay a registrar — such as Rebel — a transfer/registration fee that could be in excess of $2,000, most or all of which flows through to Vox Pop.

If we ignore the mark-up charged by non-Rebel registrars, the only party that appears to be profiting from Honey Salt’s activities appears to be the .sucks registry itself, in other words.

On its web site, Everything.sucks says it’s a non-profit and makes the implausible claim that it’s just a big fan of .sucks domains. Apparently it’s a fan to the extent that it’s prepared to spend millions registering the names and giving them away for free.

An earlier Everything.sucks model saw the domains listed at cost price on secondary market web sites.

The Trademark PDDRP, which appears to be tailor-made for this kind of scenario, has not to my knowledge been used to date. Neither WIPO nor ICANN have ever published any decisions delivered under it.

It costs complainants as much as $30,500 for a three-person panel with WIPO and has a mandatory 30-day period during which the would-be complainant has to attempt to resolve the issue privately with the registry.

The six domains in the UDRP case appear to have all gone into early “pending delete” status since the decision was delivered and do not resolve.

Honey Salt stops responding to .sucks cybersquatting complaints

Kevin Murphy, May 27, 2021, Domain Policy

.sucks cybersquatter Honey Salt has stopped responding to UDRP and URS complaints related to the affiliated Everything.sucks web site.

Three UDRP decisions and one URS decisions resolved since early April have stated that the shadowy Turks & Caicos company defaulted or did not respond to the complaints.

It lost all four cases, all on pretty much the same grounds, losing its domains or having them suspended as a result.

Panelists concluded that while Everything.sucks presents itself as a grassroots free-speech wiki populated by user-generated content, in reality it’s just stuffed with undated, anonymous, context-free comments scraped from third-party web sites and designed to pressure brand owners into buying their .sucks domains.

Honey Salt has been hit with 19 UDPR and URS complaints covering 27 .sucks domains since last September. It’s lost all bar one of those that have been decided, an early UDRP in which the panelist bought its free-speech defense.

With the precedent that Everything.sucks is a cybersquatting enterprise pretty solidly set, it presumably doesn’t make much sense for Honey Salt to pay expensive lawyers to put up a defense any more.

In earlier cases, when Honey Salt was still responding, the company was represented by Orrick, Herrington & Sutcliffe, the US law firm that has also worked for .sucks registry Vox Populi.

Locked-down .music could launch this year

One of the most heavily contested new gTLDs, .music, could launch this year after new registry DotMusic finally signed its Registry Agreement with ICANN.

The contract was signed over two years after DotMusic prevailed in an auction against Google, Amazon, Donuts, Radix, Far Further, Domain Venture Partners and MMX.

It seems the coronavirus pandemic, along with ICANN bureaucracy, was at least partly to blame for the long delay.

I speculated in April 2019 that .music could launch before year’s end, but this time DotMusic CEO Constantinos Roussos tells me a launch in 2021 is indeed a possibility.

The contract the company has signed with ICANN contains some of the most stringent restrictions, designed to protect intellectual property rights, of any I’ve seen.

First off, there’s going to be a Globally Protected Marks List, which reserves from registration the names of well-known music industry companies and organizations, and platinum-selling recording artists.

Second, registrants are going to have to apply for their domains, proving they are a member of one of the registry’s pre-approved “Music Community Member Organizations”, rather than simply enter their credit card and buy them.

DotMusic will verify both the email address and phone number of the registrant before approving applications.

There’s also going to be a unique dispute resolution process, a UDRP for copyright, administered by the National Arbitration Forum, called the .MUSIC Policy & Copyright Infringement Dispute Resolution Process (MPCIDRP).

Basically, any registrant found to be infringing .music’s content policies could be slung out.

The content policies cover intellectual property infringement as you’d expect, but they also appear to cover activities such as content scraping, a rule perhaps designed to capture those sites that aggregate links to infringing content without actually infringing themselves.

The registry is also going to ban second-level domains that have been used to infringe copyright in other TLDs, to prevent the kind of “TLD-hopping” outfits like The Pirate Bay have engaged in in the past.

In short, it’s going to be one of the least rock-n-roll TLDs out there.

Tightly controlled TLDs like this tend to be unpopular with registrars. Despite the incredibly strong string, my gut feeling is that .music is going to be quite a low-volume gTLD. There’s no word yet on pricing, but I’d err towards the higher end of the spectrum.

Everything.sucks publishes transfer auth codes for thousands of domains in latest .sucks pimpage

Kevin Murphy, April 19, 2021, Domain Registries

Everything.sucks, which is quickly emerging as one of the world’s most prominent organized cybersquatting projects, has a novel new way to sell .sucks domains without, technically, selling them.

The company, which casts itself as a “non-profit organization and communications forum for social activism” has published the transfer authorization codes for what appears to be the thousands of .sucks domains in its portfolio.

This means that anyone can transfer any of the company’s .sucks domains into their own registrar account with just a few clicks and without asking the current registrant — if they can afford the exorbitant transfer fee and don’t mind legal exposure.

You may recall that Everything.sucks is a Wikipedia-style web site that is fed by traffic from thousands of .sucks domains that, as the company freely admits, match the trademarks of famous companies.

Typing poptarts.sucks into your browser address bar will take you to the Everything.sucks wiki pages for Pop-Tarts, which contains content critical of the brand scraped from third-party web sites.

Everything.sucks emerged last year, and in October I reported that hundreds of .sucks domains were pointing there.

At the time, the web site carried banner ads on each brand’s page that took visitors to secondary-market sales pages at Sedo or Uniregistry, where the price was usually the same as the .suck’s registry’s wholesale price of $200.

I thought it was weird that a registrant at the very least flirting with cybersquatting would put up their domains at cost price, but Vox Populi, the registry, denied any involvement with the domains.

The registrant of these names, according to several UDRP decisions that it lost, is a probably fictitious individual named Pat Honeysalt, from a company called Honey Salt Ltd based in either Turks & Caicos or the UK.

Honey Salt has told UDRP panels that it registers the names on behalf of Everything.sucks. Given the volume of registrations, it must have spent many millions of dollars.

In any event, shortly after the UDRP cases started trickling in and not long after DI’s initial coverage, the banner ads on the .sucks pages disappeared.

And now, the auth codes have appeared. It looks like this:

Poptarts

Publishing auth codes right there on its web site appears to be the latest stage in a cat-and-mouse game Everything.sucks is playing with the trademark lawyers pursuing it through the UDRP process.

The boilerplate reads:

We occasionally buy a dot sucks domain and point it at a specific page. We do this to bring awareness to our site and because, well, we love the dot sucks domain. If you ask us if we would sell the domain, our answer is simple. Absolutely not. We will give it to you.

It’s not technically offering to sell these domains any more, right? As far as this nominal non-profit is concerned, it’s giving them away for free to anyone who wants them, including the brand’s owner.

But if you want the names, you’ve still got to pay for the transfer, of course. In the case of poptarts.sucks, it’s $2,399 at the registrar screen-capped below. Another registrar has the same name priced at $2,599.99.

Poptarts

If we’re following the money here, the only beneficiaries that spring to mind are Vox Pop, which gets its fat-margin registry fee, and the hapless registrar, which gets whatever its markup on a .sucks domain transfer is.

I tried these auth codes at six leading registrars and found that four of their shopping carts informed me point-blank that they do not support .sucks transfers at all.