Recent Posts
- The Swiss can register .swiss domains from next week
- .ai up to 425,000 domains
- A million “free” .music domains up for grabs
- D3 to get $5 million in crypto to apply for .ape gTLD
- Alibaba hit with ICANN breach notice
- New Vegas conference “Davos for Web3 interoperability”
- ICANN content policing power grab may be dead
- Cable company unplugs its dot-brand after acquisition
- Germany crosses 10,000 dot-brand domains milestone
- Founders out as Com Laude gets equity injection
- PIR’s Diaz to leave domain industry
- Some registrars have already quit ICANN’s Whois experiment
- ICANN opens $217 million Grant Program
- Internet could get one-letter gTLDs (but there’s a catch)
- .ai registry fights deadbeats with tweaked auction rules
- Amazon and Google among .internal TLD ban backers
- .ai registry advises buyers not to use GoDaddy
- .post liberalizes with new sunrise period
- Team Internet spends $41 million on content farm
- Epik backtracks on Kiwi Farms claim after legal threat
- .austin names launch on blockchain
- Freenom shuts down 12.6 million domains — report
- GoDaddy’s next .xxx contract may not be a done deal
- GlobalBlock blocking 2.5 million domains
- Microsoft moving its cloud apps from .com to .microsoft
- ICANN 79: anonymous trolls and undercover lawyers
- ICANN scores win in single-letter .com lawsuit
- Cosmetics brand terminates its gTLD
- Up to 70 jobs on the line at Nominet as .uk regs dwindle
- Governments back down on new gTLD next round delay
- Private auctions could be banned in new gTLD next round
- ICANN meeting venue “insensitive and hurtful”
- GoDaddy to start selling graphic.design domains
- GAC spinning up new gTLD curveball at ICANN 79?
- GoDaddy’s GlobalBlock supports blockchain names
- Police .uk domain takedowns dive in 2023
- GoDaddy wants to cut the bullshit from .xxx
- Dueling domain blocking services to launch at ICANN 79
- Freename tries to bridge DNS and blockchain
- Olive retires from ICANN
- Whois policy published without life-saving disclosure rule
- UK gov takes its lead from ICANN on DNS abuse
- Tucows reports 2023 results
- Twitter “completely unresponsive” on clickable domains
- ICANN spends $5 million more than planned in first fiscal half
- .art takes a million domains off its premium list
- KeyTrap ‘the most devastating vulnerability ever found in DNSSEC’
- Freenom settles $500 million Meta lawsuit and will exit domain business
- New gTLD lottery to return in 2026
- First GlobalBlock prices revealed — they ain’t cheap
- Domain universe grows on new gTLDs despite .com shrinkage
- D3 signs up crypto gTLD client number five
- GoDaddy reports strong domains growth
- How to qualify for a $40,000 gTLD
- Registry service provider evaluation handbook published
- WebUnited inks deal to “mirror” country’s TLD in the blockchain
- GoDaddy project unveils brand-blocking calculator
- Report: Monster “misappropriated” millions from Epik
- .com is shrinking but Verisign raises prices again anyway
- D3 announces fourth crypto new gTLD client
- Donald Trump loses second UDRP case
- UK cybersquatting complaints hit record low
- No excuses! PIR to pay for ALL registries to tackle child abuse
- ICANN insists it is working on linkification
- Namecheap sues ICANN over .org price caps
- GoDaddy offers free Ethereum blockchain integration
- Epik reveals who is running the company
- Epik gets acquired again! The plot thickens…
- Airline gTLD crashes and burns
- First chunks of new gTLD Applicant Guidebook drop
- Epik to reveal its owners soon
- Another crypto firm to apply for a new gTLD
- Monster and Royce are NOT involved in Epik?!
- Nominet to overhaul .uk registry, turn off some services
- Russia blames DNSSEC, not Ukraine, for internet downtime
- Team Internet says revenue beat estimates
- Sold for over $20k, insure.ai and dog.ai back in .ai’s expired names auction
- .ai helps UDRP cases rise in 2023, WIPO says
- Freenom’s domains land at Gandi after termination
- .ru domains fly off the shelf as Western sanctions bite
- ICANN picks its first ever Supreme Court
- Lebanon’s ccTLD going back to Lebanon after ICANN takeover
- ICANN picks the domain it will never, ever release
- ICANN approves domain takedown rules
- Has Epik gone “woke”?
- First bits of new gTLD Applicant Guidebook expected next week
- ICANN bans closed generics for the foreseeable
- You can’t use money to buy .box domains
- After 14 years, ICANN practices what it preaches on IDNs
- Weak demand for private Whois data, ICANN data shows
- .ing doing way better than .meme
- DNS Women barred from ICANN funding?
- Dev releases free open-source TLD registry platform
- INCO flips a gTLD to Identity Digital
- Anguilla fears the .ai junk drop
- Five more gTLDs get launch dates
- $10 million of ICANN cash up for grabs
- Almost 50,000 .ai domains sold in a quarter
- ICANN threatens to regulate your speech [RANT]
- Life insurance company kills dot-brand
- ICANN finds new home for Lebanon’s TLD after founder’s death
- ICANN begs people to use its new Whois service
- Shiba Inu outs itself as crypto new gTLD applicant
- Over 50,000 .ai domains sold in three months
- Amazon planning new push into registrar market?
- Registries and registrars vote ‘Yes’ to new DNS abuse rules
- ICANN predicts flattish 2025 for domain industry
- Fast-growing Gname buys another 150 registrars
- GoDaddy service to let you block domains in over 650 TLDs
- Did I find a murder weapon in a zone file?
- ICANN drops the “man” from Ombudsman
- Have your say on police domain takedown powers
- Most registrars are shunning ICANN’s new Whois system
- Nominet to take over .gov.uk
- ICANN picks Istanbul for 2024 meeting
- ICANN’s private Whois data request service goes live
- .au regs slide on 2LD anniversary
- ICANN accused of power grab over $271 million auction fund
- A registrar is getting blamed for an Israeli war propaganda site
- Two more dot-brands bite the dust
- Google sells five-figure AI domain and six-figure .ing hack
- .blackfriday is still a bit rubbish
- Internet Naming Co acquires five more gTLDs
- Domain universe grows despite .com drag
- Did somebody spend a million bucks on a Google domain hack?
Police .uk domain takedowns dive in 2023
The number of .uk domain names taken down as a result of requests from law enforcement shrank substantially last year, according to the latest stats from Nominet.
The registry said today that it suspended 1,193 domains in the 12 months to October 31, down from 2,106 in the previous period. It’s a record low since Nominet started tracking the data, for the second year in a row.
As usual, alleged intellectual property violations were the biggest cause of action. The Police Intellectual Property Crime Unit had 717 names taken down, with the National Fraud Intelligence Bureau suspending 321 and the Financial Conduct Authority 116.
While police takedowns were low, domains suspended by Nominet’s proactive Domain Watch anti-phishing technology were up about 20%, from 5,005 to 5,911. Nominet said this is because the tech, which flags possible phishing domains for human review at point of registration, is getting better.
The number of domains suspended because they appeared on threat feeds doubled, from 1,108 in the 2022 period to 2,230 last year, the company said.
Cybersquatting cases in .uk have also been declining, Nominet reported earlier this month.
While correlation does not equal causation, it might be worth noting that .uk registrations overall have been on the decline for some time. There were 10.68 million .uk domains at the end of January, down from 11.04 million a year earlier.
Dueling domain blocking services to launch at ICANN 79
Norwegian startup NameBlock is set to launch its suite of brand protection and domain security services later this week, with a somewhat different take on the market to its primary competitor.
Recently appointed CEO Pinky Brand tells me the company plans to formally launch March 1, the day before the ICANN 79 public meeting begins in Puerto Rico.
The company is coming out with two services to begin with — BrandLock, which allows trademark owners to block their marks across multiple TLDs, and AbuseShield, which blocks hundreds of variant domains that are considered at the most risk of abuse.
BrandLock is perhaps most directly comparable to the DPML service offered by Identity Digital, GoDaddy’s AdultBlock, and the multi-registry GlobalBlock service that is also due to formally launch in San Juan next week.
The service requires the buyer to own a verified trademark, and the exact match of that mark will be blocked over a multitude of ccTLDs and gTLDs. Brand said reseller partners may choose to bundle different TLDs thematically or offer them as one-offs.
He said he expects it to retail for $40 to $50 per domain per year, so presumably makes the most sense for the more-expensive TLDs or for buyers who have other reasons to want a block rather than a defensive registration.
The value proposition seems a lot clearer for AbuseShield, which is notable for not requiring a trademark to get protection — it’s more of a security pitch than a brand-protection story.
Under AbuseShield, when a registrant buys a name in a participating TLD, they will be given the option to pay to block a couple hundred potentially abusive variant domains in that same TLD, for a far lower cost than they’d pay to defensively register them individually.
Using data from NameBlock’s majority shareholder iQ Global, the company identifies homographic variants and common “abuse prefixes” — strings such as “login” and “https” — to compile a list of domains to be blocked. A feature called VariantCatcher will automatically block already-registered risky domains at the registry when they expire, for no extra cost.
“We want to make the abuse prevention market much, much wider than it has been before,” Brand said. “You’d pay $89 to $129 a year the block the 100 to 250 variations that we know are most likely to be used by someone to do you harm.”
At first, the service will be available through NameBlock resellers, currently those registrars focused on corporate services, but the company plans to make an API available in a few months that will let retail registrars offer the service as an up-sell in their storefront.
At launch, NameBlock has around 15 resellers, such as MarkMonitor, CSC, 101Domain, Encirca and Gandi, Brand said. Registries for about a dozen TLDs will be on board, but Brand said he expects this to grow to 40 to 50 in a couple months.
CoCCA which makes registry software used by 57 ccTLDs, has already announced its support for NameBlock’s services.
Elsewhere at ICANN 79, you’ll find the Brand Safety Alliance, a GoDaddy-led initiative purveying the new GlobalBlock service, which is more of brand-protection play
As I’ve previously blogged, because portfolio registries GoDaddy and Identity Digital are involved, GlobalBlock can provide blocking coverage in hundreds of TLDs — over 560 at the current count — with prices starting at about $6,000 a year retail.
While GlobalBlock and NameBlock are certainly operating in the same space, there appears to be enough variation between the two services that the market might be able to support both.
Newly launched .zip already looks dodgy
A trawl through the latest zone file for Google’s newly launched .zip gTLD reveals that it is likely to be used in malware and phishing attacks.
.zip is of course also a filename extension used by the ZIP archive format, often used to compress and email multiple files at once, and many domains registered in the .zip gTLD in the last few days seem ready to capitalize on that potential for confusion.
I counted 3,286 domains in the May 14 zone file, and a great many of them appear to relate to email attachments, financial documents, software updates and employment information.
I found 133 instances of the word “update”, with sub-strings such as “attach”, “statement”, “download” and “install” also quite common.
Some domains are named after US tax and SEC forms, and some appear to be targeting employees at their first day of work.
I don’t know the intent of any of these registrants, of course. It’s perfectly possible some of their domains could be put to benign use or have been registered defensively by those with security concerns. But my gut says at least some of these names are dodgy.
Google went into general availability with eight new TLDs last Wednesday, and as of yesterday .zip was the only one to rack up more than a thousand names in its zone file.
The others were .dad (913 domains), .prof (264), .phd (605), .mov (463), .esq (979), .foo (665) and .nexus (330).
Facebook sues free domains registry for cybersquatting
Facebook parent Meta has sued Freenom, the registry behind multiple free-to-register ccTLDs including .tk, claiming the company engages in cybersquatting.
Meta alleges that Freenom infringes its Facebook, Instagram and WhatsApp trademarks over 5,000 domain names in the TLDs it operates.
While best-known for Tokelau’s .tk, which had almost 25 million registrations when Verisign stopped counting them a year ago, Freenom also operates .gq for Equatorial Guinea, .cf for the Central African Republic, .ml for Mali, and .ga for Gabon.
Apart from some reserved “premiums”, the company gives domains away for free then monetizes, with parking, residual traffic when the domains expire or, one suspects more commonly, are suspended for engaging in abuse.
Naturally enough, it therefore has registered, to itself, a great many domains previously used for phishing.
Meta lists these names as examples of infringers: faceb00k.ga, fb-lnstagram.cf, facebook-applogin.ga, instagrams-help.cf, instaqram.ml, chat-whatsaap.gq, chat-whatsaap-com.tk, and supportservice-lnstagram.cf, though these do not appear to be monetized right now.
It accuses the registry of cybersquatting, phishing and trademark infringement and seeks over half a billion dollars in damages (at $100,000 domain).
Today, Freenom is not accepting new registrations, but it’s blaming “technical issues” and says it hopes to resume operations “shortly”.
Facebook is one of the most prolific and aggressive enforcers of its trademarks in the domain space, having previously sued OnlineNIC, Namecheap and Web.com. OnlineNIC had to shut up shop due to its lawsuit.
(Via Krebs on Security)
ICANN extends Covid-19 abuse monitoring to Ukraine war
ICANN has started monitoring domains related to the war in Ukraine for potential abuse, expanding an ongoing project related to the Covid-19 pandemic.
CEO Göran Marby has during multiple sessions at ICANN 73 this week said that the Org will soon announce an extension of its DNSTICR project — pronounced “DNS Ticker” and standing for Domain Name Security Threat Information Collection & Reporting.
The plan is to alert registrars about Ukraine-related domain names being used to scam people or drop malware.
“There will be coming up more information about this very soon, but we have decided to also add names in relationship to the conflict in Ukraine,” Marby said during a session with the Commercial Stakeholders Group.
DNSTICR was launched in March 2020, when the pandemic was in full swing, to find new domains containing keywords such as “covid”, “pandemic” and “coronavirus”, and check them against domain abuse lists.
From May 2020 to August last year, it flagged 210,939 pandemic-related domains, and found that 3,791 of them were malicious with “high confidence”.
CTO John Crain said in a session on Monday: “There’s a lot of stuff in the press and some technical papers out there that show clearly that the bad guys, as always, have, once again, pivoted to whatever is happening in the world. So if we can do a little bit to help, we will.”
GoDaddy hack exposed a million customer passwords
GoDaddy’s systems got hacked recently, exposing up to 1.2 million customer emails and passwords.
The attack started on September 6 and targeted Managed WordPress users, the company’s chief information security officer Demetrius Comes disclosed in a blog post and regulatory filing this week.
The compromised data included email addresses and customer numbers, the original WordPress admin password, the FTP and database user names and passwords, and some SSL private keys.
In cases where the compromised passwords were still in use, the company said it has reset those passwords and informed its customers. The breached SSL certs are being replaced.
GoDaddy discovered the hack November 17 and disclosed it November 22.
It sounds rather like the attack may have been a result of a phishing attack against a GoDaddy employee. The company said the attacker used a “compromised password” to infiltrate its WordPress provisioning system.
Comes wrote in his blog post:
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection
You may recall that GoDaddy came under fire last December for punking its employees with a fake email promising an end-of-year bonus, which turned out to be an “insensitive” component of an anti-phishing training program.
About 500 staff reportedly failed the test.
Donuts offers name spinner to show potential attacks
Donuts has launched a tool to show off its TrueName offering, which blocks potential phishing attacks at the domain registry level.
It’s like a regular name spinner, but instead of showing you available domains it shows you visually confusingly similar domains — homographs — that it will block if you register said name in any of Donuts’ portfolio of 2xx (subs, please check) TLDs.
For example, spinning truename.domains returns results such as trʋenɑme.domains (xn--trenme-exc57b.domains) and trᵫname.domains (xn--trname-xk6b.domains), which could be used in phishing attacks.
How many strings get blocked depends largely on what characters are in your name. The letters I and O have a great many visually confusing variants in other non-Latin scripts, and each instance exponentially increases the potential attack vectors.
For example, if I were to register “domainincite” in one of Donuts’ TLDs, Donuts would block 767 homographs at the registry level, but if I were to register “kevinmurphy”, it would only need to block 119.
It only blocks the homographs in the same TLD as the original name. It’s not a replacement for brand protection in other TLDs.
Donuts doesn’t charge anything extra for this service. It’s included in the price of registration and offered as a unique perk for Donuts’ selection of gTLDs.
I gave TrueName a brief post when it launched last year, but I have to say I really like the idea. It’s a rare example of true innovation, rather than simple money-grubbing, that has come from the new gTLD program.
If Verisign were to roll out something similar in .com, it would eliminate a bunch of phishing and cut down on legal fees for big brands chasing phishers and typosquatters through UDRP or the courts.
It was born out of Donuts’ Domain Protected Marks List product, which allows trademark owners to block their brands and homographs across the whole Donuts stable for less money than defensively registering the names individually.
The downside of the spinner tool is of course that, if you’re a bad guy, it simplifies the process of generating samples of homograph Punycode (the ASCII “xn--” string) that can be used in any non-Donuts TLD that supports internationalized domain names.
The tool is limited to 10 domains per spin, however, which limits the potential harm.
Try it out here.
Security firm sues Facebook to overturn UDRP loss of “good faith” typo domains
Security company Proofpoint has sued Facebook in order to keep hold of several typo domains that are deliberately intended to look like its Facebook and Instagram brands.
Proofpoint wants an Arizona court to declare that facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net and instagrarn.org are not cases of cybersquatting because they were not registered in bad faith.
Proofpoint — a $7 billion company that certainly does not phish — uses the domains in anti-phishing employee training services, as it describes in its complaint:
Proofpoint uses intentionally domain names that look like typo-squatted versions of recognizable domain names, such as
, and the other Domain Names at issue in these proceedings. By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names.
Employees who click the bogus links are taken to harmless web pages describing how they were duped.
The court case comes shortly after Facebook prevailed in a UDRP case filed with WIPO.
In that case, the panelist decided that Proofpoint had no legitimate interest in the domains because they led to web sites that linked to Proofpoint’s web site, where commercial services are offered.
He therefore found that the names had been registered in bad faith, because visitors could assume that Facebook or Instagram in some way endorsed these services.
Proofpoint wants the court to reverse that decision and allow it to keep the names. Here’s the complaint (pdf).
It strikes me as at the very least bad form for Facebook to go after these domains, given that Proofpoint is tackling the Facebook phishing problem at source — user idiocy — rather than the reactive, interminable UDRP whack-a-mole Facebook seems to be engaging in.
GoDaddy pranks employees with “insensitive” phishing test
GoDaddy has apologized to its staff after teasing them with a $650 Christmas bonus that turned out to be nothing but a test of whether they could be duped into handing over their sensitive personal info.
Employees worldwide reportedly received emails promising the bonus December 14 from an official-looking but presumably spoofed address.
Those who clicked through and filled out a form with their personal data received a second email a few days later informing them they’d actually just failed a “phishing test” and would “need to retake the Security Awareness Social Engineering training.”
Around 500 staff reportedly failed the test.
But many were pissed off that the company would dangle a bonus, only to snatch it away, just a week before Christmas and at a time when the coronavirus pandemic has caused many to fear for their livelihoods.
While GoDaddy rode out the pandemic just fine, it laid off hundreds, regardless.
After the prank last week attracted media attention, the company apologized to its employees, saying in a statement sent to the AFP:
GoDaddy takes the security of our platform extremely seriously. We understand some employees were upset by the phishing attempt and felt it was insensitive, for which we have apologised. While the test mimicked real attempts in play today, we need to do better and be more sensitive to our employees.
I sincerely hope nobody spent their illusory $650 in the days before the test was revealed.
GoDaddy denies weird front-running claim
GoDaddy has been forced to deny (again) that it engages in front-running after a social media post attracted hundreds of comments.
Front-running is the practice of a registrar monitoring customers’ availability searches then registering the name itself in order to mark it up to a premium price.
No reputable registrar does this any more, if only because it would be reputation suicide.
But a poster on HackerNews claimed to have been exploited in precisely this way,
searched a few days ago for felons.io, looked for unique names for simple game didn’t know if I wanted it or not
guess godaddy decided for me: 1 days old Created on 2020-09-16 by GoDaddy.com, LLC
just a warning if you have a special name do not use godaddy to check if its available
Domains can appear to be front-run due to the law of large numbers. Registrants may think they’re the only one with a unique domain idea, but they’re likely not.
After the HackerNews post attracted hundreds of comments (largely promoting Namecheap as a superior competitor) and a post from Eliot Silver, GoDaddy decided to issue a response.
“These accusations are 100% false. This type of behavior is predatory, unethical, and goes against everything we stand for as a company,” registrar head Paul Bindel posted over the weekend.
Bindel went on to post the results of search queries for “felons” and related terms over a couple of weeks. There weren’t a huge amount.
Complicating the story, he also says that the felons.io domain was suspended not long after registration, and will soon be deleted, after it was flagged as a fraudulent registration by a compromised account.
Interestingly, the HackerNews account used to post the original allegation appears to have been created on the same day as the post, which is literally the only thing he or she ever posted on the site.
Recent Comments