Domains May Disappear After Search

Ponca City, We Love You writes "Daily Domainer has a story alleging that there may be a leak that allows domain tasters to intercept, analyze and register your domain ideas in minutes. 'Every time you do a whois search with any service, you run a risk of losing your domain,' says one industry insider. ICANN's Security and Stability Advisory Committee (SSAC ) has not been able to find hard evidence of Domain Name Front Running but they have issued an advisory (pdf) for people to come forward with hard evidence it is happening. Here is how domain name research theft crimes can occur and some tips to avoiding being a victim."

This has been happening a long time

[jafiwam]

Though, not on the "in minutes" time scale.

My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

Sure enough, two days later some squatter had them.

I think the leak is in the registrars themselves. Imagine the money someone could get from the squatters by simply setting up a script to automatically email these queries somewhere.

"Never a more wretched den of scum and villany" describes the whole domain registration process pretty well I think.

Re:This has been happening a long time

[Shotgun]

My buddy and I even made up names with random letters in a string of 15 or 20, then some porn words stuck on the end ".com".

So there's the answer to the problem. Bombard the servers with requests for random names. The sleazoids will be forced to either go through the names manually, looking for likely candidates, OR they'll have to register everything...which might tend to get a tad expensive. A script that would hit the whois server with a single randomly generated name every time someone logged into a linux box would probably not put undue hardship on the root servers, but still generate way to many names to feasibly register.

The way to break a scam is to make it expensive to continue. A similar scheme could work for spam. Go through the filtered emails, making a list of URLs. Wait for slow network usage, and do a throttled wget to /dev/null on the websites. Once they can't sell Viagra from their DDOSed site, they'll stop. Someone will eventually try spamming with a URL of a big corporation. The big CEO will sit down with the Pres, explain their problem, the finally the FBI, CIA, NSA, MADD, and AARP will all be called out, and the spam problem will finally be brought to an end. (Heh, I jest...but only slightly).

MD5 lookup as defence

[zakeria]

perhaps whois should provide Md5 lookup for a domain instead so people cant snoop at the domain being queried.. so instead of for example whois: somedomain.tld its whois: a79f888f1c2dc50c6b354c0d816f5bf5 simple and effective.

Domain tasting is wrong and evil

[rickb928]

Period.

Much of not most of the spam I'm deflecting nowadays seems to come from 'tasted' domains. Or just made up. I almost don't care about the difference.

The last time I read about this, more than a month ago, one snarky idea was to script a tool to randomly taste domains, constantly. If the registrars are forwarding the requests to squatters, they would go crazy with the surge in requests. The squatters would fritter away resources keeping up with these random searches, and eventually the WHOIS functionality of the registrars would have to change. And the script would change, and so on.

I think domain tasting ought to go away, or cost something. $2 for a 14 day taste would wreck the economics, maybe, certainly if random search scripts got going. My server could probably do 100,000 searches a day. I know it can send out 3-4 million spams a weekend, sadly.

Of course, the registrars could block my IP after a while. And blocks of IPs. So we need a Seti@Home-type script that hammers these things out, and let them block every dialup/dsl/cable/sat block. Hehe.

No, it's not devious enough.

Re:never use the web for such queries

I am positive this happened to me, and I only used the whois command from the OpenBSD command line to look the domain up. It was not a domain name that I can imagine anyone else wanting, but it was fairly short. Two days later (after checking with my client) I went to register it and it had been taken. I became immediately suspicious. Three days after that, I see this story...

Would it help anyone to know who took the domain? I can't seem to get to the article yet.

Re:never use the web for such queries

[ardent99]

According to one of the articles linked, the command line is actually a worse alternative. NSLookup requests go through your ISP's domain name server, which logs the NXD (Non-eXistent Domain) responses. Many ISPs augment their revenue by selling this information.

Doing a whois request at a reliable registrar's web-site doesn't go through your ISP's DNS. The larger registrars are probably more trustworthy than your run-of-the-mill ISP. For example, I believe GoDaddy and Network Solutions have stated that they would never provide such information to third parties.

Re:never use the web for such queries

[thecountryofmike]

Several years ago, I mentioned to my roommate at the time that it would be cool to register thinkoutsidethebox.com. Before I knew it, he had typed the name into some website that supposedly lets you know if the name is taken or not. I was like "Dude, why would you do that? They'll just end up registering the name themselves!".

The domain wasn't registered when he queried it. But since he didn't buy it right then and there, it WAS registered an hour or so later, by the very site he typed it into.

This has been going on for years, but now the scammers don't even have to rely on roommate stupidity.

Easier solution

[suggsjc]

Beat the scammers at their own game. Set up an automated script that does whois lookups for random combinations of words. More or less just flood them with requests and they won't be able to tell which ones are legit lookups. Whoever the douchebag is, will either eventually run out of money, or have to expend more time to improve his algorithm, or just blacklist your ip.