Domains May Disappear After Search
Ponca City, We Love You writes "Daily Domainer has a story alleging that there may be a leak that allows domain tasters to intercept, analyze and register your domain ideas in minutes. 'Every time you do a whois search with any service, you run a risk of losing your domain,' says one industry insider. ICANN's Security and Stability Advisory Committee (SSAC) has not been able to find hard evidence of Domain Name Front Running but they have issued an advisory (pdf) for people to come forward with hard evidence it is happening. Here is how domain name research theft crimes can occur and some tips to avoid being a victim."
Theft? Crimes? Does Slashdot now think an idea can be "property" and/or "stolen"?
In Soviet Washington the swamp drains you.
No, because they get to sit on the domain name for free for 30 days and then drop it if they want. Domain Name registration is an amazingly shady part of the internet for being such an important piece. I have long suspected that the registrars (especially the no-name ones) and the domain squatters are one and the same.
I read the internet for the articles.
Would it be possible to request so many nonexistent domains to make this unprofitable? Or would they just figure you're having a seizure at your keyboard and drop your IP from the logs?
Don't do a whole lot of searches very rapidly. Set the timing up to use random, sporadic, infrequent intervals. Make a program to share with the whole world so that everyone can install it and run it in the background such that it will only use idle, spare cpu cycles and bandwidth. If tens of thousands of people would run it, the result would be like death by a bazillion tiny little paper cuts, all coming in from all directions, to these "domain taster-squatters". After all, don't they actually end up having to eventually pay for all the domains they've squatted upon?
Can anyone give one legitimate reason why anyone would need to "trial" a domain? Is that to see how it looks in the browser's address bar?
Wouldn't doing away with that stupidity make things a lot harder for these losers that park / squat domains?
Dan East
Better known as 318230.
Actually most of bigger squatting operations don't pay a dime on a per name basis. They hold the name for 30 days, then release it at no cost.
They don't need to release it. They just get another shell company to snap it up.
Domain tasting is causing nothing but headaches for the internet at large and they need to abolish it.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
When thinking of potential domain names, I usually use the inurl: function in Google. I generally only use part of the name too - that way you're able to see all the potential variations of the domain name you're thinking of working with (and possibly giving you some inspiration too)...
Having the connection between your browser and the registrar encrypted is irrelevant, as the whois query the registrar sends out will be unaffected.
> So there's the answer to the problem. Bombard the servers with requests for random names.
> The sleazoids will be forced to either go through the names manually, looking for likely
> candidates, OR they'll have to register everything...which might tend to get a tad
> expensive.
It doesn't cost them a penny. Google "domain tasting".
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
I posted this over 18 hours ago. I checked it on Network Solutions's web-based Whois last night and again a few minutes ago. The domain is available.
By the way, the solution to the "tasting" problem is to either put a very low limit on the number of "free tastes" people or companies can have in a year.
Another way is to simply charge them a pro-rated amount based on a minimum usage, say, 1/26 of the annual fee for 2 weeks.
Another way is to charge a non-refundable setup fee, say, 1/12 of the annual fee, which would be credited against the 12th month of service. Whatever this fee is, it should cover the actual costs of registering and de-registering a domain plus provide an optional small profit to the registrar.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
There's been some concern about this over at the Anti-Phishing Working Group. Much phishing seems to come from domains held for very short periods. But it turns out that's not "domain tasting". It's phishers buying domains with stolen credit card numbers, using retail domain registrars. After a few days, the credit card number is detected as stolen, the transaction is reversed by the bank, and the registrar deletes the domain.
This seems to be a separate problem from "domain tasting". But the "grace period" loophole that makes "domain tasting" possible also enables this scam. If registrars couldn't return domains to the TLD registry without paying, they'd have to raise their standards of customer validation.
Curiosity was framed, Ignorance killed the cat.
Let me get this clear, you think that destroying a fairly vital part of the internet infrastructure by a DDoS is a good use of a botnet?
MP3 Search Engine
Maybe someone can enlighten me here. If I look up a domain, then try to buy it and see if it is taken, I move on to some other variant of the name. Do people actually purchase from squatters? I guess it's the same as, do people buy products from email spam? It only takes a couple to make it profitable.
Flexible bare-metal recovery for Linux/UNIX
Why is this so hard to verify? Use each registrar to test availability of domain xyzzyplugh99.com, changing the index number "99" for each test. Try back the next day and see which ones are suddenly unavailable, then complain LOUDLY!
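The per-registrar canary test described in the comment above, as an added Python example that is not part of the original post. It goes slightly beyond the comment by using random labels and by adding control names that are never looked up anywhere; the service labels and the follow-up observation are constructed, and the lookups themselves are left to the tester.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits

def random_name(length=14):
    # Starts with a letter; long random label so nobody registers it by chance.
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(ALPHABET) for _ in range(length - 1))
    return first + rest + ".com"

def make_plan(services, n_controls=2):
    """One unique canary per lookup service, plus controls never looked up anywhere."""
    return {
        "probes": {svc: random_name() for svc in services},
        "controls": [random_name() for _ in range(n_controls)],
    }

def evaluate(plan, registered_later):
    """registered_later: canary names found registered at the follow-up check."""
    if any(c in registered_later for c in plan["controls"]):
        # A name nobody queried was taken: the result cannot be pinned on a lookup.
        return {"verdict": "inconclusive", "suspects": []}
    suspects = sorted(s for s, d in plan["probes"].items() if d in registered_later)
    return {"verdict": "leak" if suspects else "clean", "suspects": suspects}

if __name__ == "__main__":
    # Hypothetical service labels; the follow-up observation is constructed.
    plan = make_plan(["registrar-a", "registrar-b", "registrar-c"])
    observed = {plan["probes"]["registrar-b"]}
    print(evaluate(plan, observed))
```

Each canary is queried at exactly one service, so a later registration of that name points at that service's lookup path alone.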
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
People don't really learn German or Latin or whatever roots to their languages these days, so they're unaware of the true meanings of some words. It's not uncommon for half of peoples' vocabularies to come from words that they just know by rote. People on the internet and in music (and pop culture in general) are now just making up words because they feel they have a word that fits better simply because they feel the word they use somehow has an intrinsic meaning, or that the use implies its meaning and it takes hold. The language you know and love only is used in business and has its roots in proper grammar and definitions etc.; it's not the same language that people use in social situations or popular culture. This pop language will continue to grow and evolve because it has its roots in today's culture because the people creating and growing these terms do so because they understand where the words come from. They don't understand the roots of their language so they're not going to use words that they learnt by rote instead of by the root, when they can just as easily throw out words that have much more meaning to them and the people around them. We're just going to have to start having "formal English" and "social English."
By instinct, I would pronounce a lot of words the wrong way, such as "draught" or "digest", because I don't know how to pronounce those words except phonetically. I never learned the roots of the words or how to pronounce certain things when or why. Some words are going to sound or look weird to me or even seem out of place just because I don't know these things, so I will be much more likely to use words that mean something more to me and tie into my experiences more.
I don't know if you've seen some French books, and then heard French people talking. Around here at least, it's totally not the same thing. One is definitely more formal and one is definitely more slang-laden. It doesn't even matter if the book is for casual reading. If you walk into a job, then you're not going to use the slang-laden French either, you'll turn to the more formal French. And then when you're hanging out with friends, it's back to slang-French. That's just how things will always be until people in formal situations accept slang, or people are taught languages formally and learn the roots of their languages as well.
Twinstiq, game news
I didn't RTFA (I must not be new here and besides, it's a PDF) but the summary is pretty confusing.
'Every time you do a whois search with any service, you run a risk of losing your domain,'
So if I do a whois search on mcgrew.info I risk losing my domain? That hardly seems likely! But if I hadn't registered it it wouldn't be mine, now would it? You cannot steal imaginary property, and if it's only in your head it's by definition imaginary.
And why would one do a whois search to look up a domain one wanted? I'd go to my registrar and try to register the damned thing! If it was already registered it wouldn't cost me anything. This seems a silly non-issue and I'd like someone to enlighten me.
Here is how domain name research theft crimes can occur
So there is a law against "stealing" someone's idea? What law? In what country? And how could such a law actually solve anything? It isn't a crime if it's not against the law, now is it?
Please don't mod this insightful because the summary has me feeling so damned ignorant I just may (gasp) RTFM.
And don't get me wrong and start flaming. IMO this is a shady shoddy practice but no law could fix it, since the internet is global and laws are country-specific. It seems ICANN is the only one who could do something, and they seem lately to be just another arm of the corporate cartel that runs the world's governments. Since it's most likely the corporates doing this sleaze, I don't see anybody's government or ICANN doing jack about it.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Two days later (after checking with my client) I went to register it
Why would you wait two days and check with your client when you can register a domain for about two bucks? I'm a cheapass but man, you have me beat. You can't even buy a single beer in a bar for two bucks!
You should have gone ahead and registered it as soon as you thought of it without doing any whois lookup, THEN checked with your client. If he didn't want it you were out two bucks. If he did then you could have transferred it anywhere, to your servers or your host.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
None that I know of, but I do my whois for domain prospecting from my ISP's registration tool, thus once I find one not taken I'm already registering it. I did some work for a client, and I had her write down everything she could think of wanting for a domain with her line of business. I ended up registering 10 different domains, figuring I would park those she didn't want with some basic advertisements and an offer to sell for a reasonable price. At first she was leery of having "so many different websites" till I explained domain forwarding and all she had to do was pick her favorite for the main site and then the rest would point to it. She ended up buying all of them ($500 w/ a 3 year domain support agreement).
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
[*] Just to be silly, I've done a whois on syntheticdemand.com, which at the time I write this post does not exist. Wonder how soon that will get registered?
Yes. I do. And I didn't say ddos it. If I send out a whois every second for a month, I'll probably get banned from doing a whois. Some idiot might have registered 2,592,000 domains, but no one is going to take notice.
Now say I spread that request out so that one computer is doing a whois per month but still the same total. Less likely to get banned and I could probably up that to 2-3 per day and still be safe.
If you DDoS the entire thing, you're done. NO ONE can do anything, their scripts will be useless, they're just going to chalk it up to a DDoS and go on. However if you load it up to 90% of capacity then these automated "take a whois and register it" scripts will be registering everything possible. If you get enough computers loading the system so that everything is being registered someone is going to notice it.
Please report to central maintenance. Your humor filter is defective.
Tho is domain squatting really a "petty crime"? I agree... it is petty to squat on a domain, as it is petty to jay walk, or spit on the sidewalk etc.
However, is it really so petty when it is systematic? Is it really so petty when it is repeated over and over to the point of the denial of others of their fair use of publicly accessible services?
Surely it is petty to fill water bottles from park drinking fountains and turn around and sell the full bottles. Is it still petty when you have expanded the operation such that your organization has people at 90% of the fountains, constantly filling water so that all the thirsty people who don't want to pay your extortionist prices need to stand in long lines and wait for their water? How about when you have taken all of the public fountains, and nobody can even get their water?
We are not talking about petty crime here, we are talking about organized crime.
-Steve
"I opened my eyes, and everything went dark again"
>The crime is contract breach.
Come to the table with that signed contract and the consideration that was negotiated for it, and you won't get laughed out of the room.
-fb Everything not expressly forbidden is now mandatory.
Unless, of course, the squatters would find the website and filter on its contents ;).
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
That would be fine because they would then ignore any names that are on the site. Thus if you wanted to check a domain, and didn't want it squatted, you submit it to the site, and the squatters ignore it. So, if the squatters filter on the contents of the site, your problem is still solved.
And just why would VeriSign do that? It costs them a fortune to keep messing with the registry for domains that people 'taste' for 30 days and then release without ever paying for.
I'd suggest you look at the registrars rather than the registry.
The reality is that ICANN impose certain restrictions and requirements on VeriSign. One is domain name tasting. Another is that VeriSign allow ICANN-accredited registrars register new domains - it isn't for VeriSign to say who should or who should not be accredited. If ICANN says that DomainHiJackerServicesInc is an accredited registrar, then VeriSign must accept their registrations.
This sort of thing has been going on for ages. You check on a domain name, it turns out to be available, then next day it's mysteriously gone. After all, why would someone check up on the availability of a domain name unless they were interested in buying it? And if they're interested in buying it, maybe they wouldn't object to paying a bit more for it?
If you can afford a Nominet membership, two static IP addresses and a Linux box with Apache, Perl, GPG and BIND, you too can become a domain scammer! Sell domain names "from" some ridiculously low figure, which -- it transpires, after reading the small print, which is so small you have to press ctrl + "+" several times just to be able to see it -- only applies to long, unpronounceable strings, with actual words coming at a higher rate. Set yourself up a dodgy affiliate programme {is that a tautology?} where people can put a little form on their pages querying your WHOIS service. A little drive-by download which diverts other domain queries to your own server wouldn't go amiss {best to do this from one of your affiliates' pages, though}. Now you know what domains people are looking up and, being a Nominet member, you are in a position to register the most interesting ones straight away {you can even do this fully-automatically, since all you have to do to buy a domain is send a GPG-encrypted email}.
Registering a domain is so cheap, if you're a member of Nominet, that it's worth a few failures for the successes you will achieve. (You can also register easy mistypings of the name, and post content there which might help persuade the owner of the correctly-spelt domain to purchase those domains from you.)
Je fume. Tu fumes. Nous fûmes!