If you’ve ever taken a look at more competitive SERPs, you’ve likely run into the completely bogus whois data that’s used to preserve anonymity. This is frustrating but makes sense; no-one wants to be directly linked to spam-fuelled domains, and spammers don’t want to link their domains together.
Interestingly, this opens the domains up to a serious vulnerability.
You’re breaking the rules if you provide fake whois information, and breaking these rules (even accidentally) can get your site disabled, and even make your domain name available for purchase by others.
In this blog post we’re going to report one of my own domains to ICANN (Internet Corporation for Assigned Names and Numbers). Here’s the ICANN procedure in brief:
For our test, I’ve registered fakewhois.xyz (you can register a site on this questionable TLD for $1 on Namecheap, with free WhoisGuard):
We aren’t using the free WhoisGuard. Post registration, the whois records are updated with my registrar to the following:
Mr. Fake
123 Fake Street
Springfield; NA W8 1BF
GB
tel: +44.1234567891
fax: +1.1234567891
firstname.lastname@example.org
The majority of fake whois data is set up with completely fake accounts, which do not forward to a monitored account. As a result they are vulnerable to this method.
The email used will forward to my own, but it will be ignored. We want to see how the registrar acts, and if they raise the issue of the reported fake data at the registrar account level (rather than simply contacting email@example.com).
Domains under WHOIS protection still reveal their information to ICANN, just not the general public. Still, since my plan is to anonymously snitch on myself here, I make this information public:
Once this fake information is public and verified with external whois services, we report the site to ICANN:
Date of submission: 24.11.2015
One week after submission, ICANN respond with the following:
Thank you for submitting a Whois inaccuracy complaint concerning the domain name http://fakewhois.xyz. Your report has been entered into ICANN's database. For reference your ticket ID is: OUM-161-68604.

A 1st Notice will be sent to the registrar, and the registrar will have 15 business days to respond.

For more information about ICANN's process and approach, please visit http://www.icann.org/en/resources/compliance/approach-processes.

Sincerely,
ICANN Contractual Compliance
ICANN First Response: 01.12.2015
Assuming the notice is sent immediately, the registrar will have 15 days to respond. Within a week, the host gets in touch with the email account listed in whois.
Subject: IMMEDIATE VERIFICATION required for fakewhois.xyz

As of January 1, 2014, the Internet Corporation for Assigned Names and Numbers (ICANN) has mandated that all ICANN accredited registrars begin verifying the WHOIS contact information for all new domain registrations and Registrant contact modifications.

The following change has been made to the Registrant contact information for one or more of your domains and requires verification:

Details

Please click the link below to verify the Registrant email address. You have until 2015-12-23 14:43:51. to verify this email address. After this date, the domain(s) associated with this Registrant contact will be suspended until the email address is verified.

Click here to verify your email address
Registrar’s First Response: 08.12.2015
From this notice, it looks as though Mr. Fake has 15 business days to respond. Reading this more closely:
the domain(s) associated with this Registrant contact will be suspended until the email address is verified.
This seems pretty serious. I hope my losses are confined to Mr. Fake’s properties, rather than Mr. Mason’s.
Anticipated date of drop: 23.12.2015
Date of drop: 21.12.2015
On the 21st of December I’m notified by Uptime Robot that the domain is no longer responding. Digging a little deeper, I can see that Namecheap have updated my nameservers to indicate the problem:
My fake whois data has lost me the domain thanks to an anonymous tip-off. The whole process took 30 days.
This is, as usual, a poor test. I tested on a single registrar. Other registrars might be different. Still, it’s nice to have test domains available for a dollar.
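For domain owners, an added example (not part of the original post): it audits a WHOIS record for the conditions behind the drop above, namely a registrant email nobody reads, a hold status, and nameservers that no longer match the expected set. The sample record, mailbox addresses and nameserver names are constructed placeholders; clientHold and serverHold are the EPP statuses that stop a domain resolving.

```python
# Constructed WHOIS output in the common "Key: Value" gTLD layout; the
# nameserver names and mailbox address are placeholders, not the post's data.
SAMPLE_WHOIS = """\
Domain Name: FAKEWHOIS.XYZ
Domain Status: clientHold https://icann.org/epp#clientHold
Registrant Name: Mr. Fake
Registrant Country: GB
Registrant Email: unread-mailbox@example.org
Name Server: SUSPENDED-NS1.REGISTRAR.EXAMPLE
Name Server: SUSPENDED-NS2.REGISTRAR.EXAMPLE
"""

HOLD_STATUSES = {"clienthold", "serverhold"}  # EPP statuses that stop resolution


def parse_whois(text):
    """Collect 'Key: Value' lines into {key: [values]}, keys lower-cased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def audit_domain(whois_text, monitored_mailboxes, expected_nameservers):
    """Return findings that match the suspension path described in the post."""
    fields = parse_whois(whois_text)
    findings = []

    # A verification mail sent to a mailbox nobody reads starts the countdown.
    emails = {e.lower() for e in fields.get("registrant email", [])}
    if not emails:
        findings.append("registrant email not visible; check the registrar account")
    for email in sorted(emails - {m.lower() for m in monitored_mailboxes}):
        findings.append(f"registrant email {email} is not a monitored mailbox")

    # The status value is followed by a URL, so keep only the first token.
    statuses = {s.split()[0].lower() for s in fields.get("domain status", [])}
    for status in sorted(statuses & HOLD_STATUSES):
        findings.append(f"domain status {status}: domain is suspended")

    # The registrar in the post signalled the suspension by swapping nameservers.
    observed = {ns.lower().rstrip(".") for ns in fields.get("name server", [])}
    expected = {ns.lower().rstrip(".") for ns in expected_nameservers}
    if observed != expected:
        findings.append("nameservers changed: " + ", ".join(sorted(observed ^ expected)))
    return findings
```

Run on a schedule against each domain's current WHOIS text, an empty list means none of the three conditions is present.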
Part 2: Abuse
Imagine that you’re competing in an aggressive set of SERPs. Smarter blackhat webmasters will use fake details that they can verify, registering and forwarding the given email address to an active one. Many won’t. This leaves the door open for Negative SEO and outright theft.
Now, pretend that fakewhois.xyz was a good domain. One that ranked for terms like ‘whois’. One stuffed with affiliate links for hosting providers. You might consider doing the following:
- Wget a static version of the site. Modify all affiliate links to your own.
- Report to ICANN.
- Set up page monitoring to notify you of changes.
- If the domain drops (a big if), purchase and restore the modified site as soon as possible. The site will continue to rank, generating affiliate revenue for you.
- Otherwise, enjoy reduced competition if the domain is instead suspended.
A domain name failing to resolve is not a positive ranking factor. The above process can be scripted to irritate a huge number of people. You’ll need to be ready for when the domains drop if you’re looking to acquire them, as the site owner will be aware if it’s a site they monitor. As this is a surprise drop, there won’t be competition from domainers. This idea is particularly interesting for not-so-private-not-so-monitored blog network sites.
Assuming you can register the domain, it’s not going to be easy for the person who has lost their domain to make a case to dispute ownership. It’s not likely to be quick either.
If you do use this method for evil, the person will know who has registered/stolen their domain, as you’d be using legitimate whois data. Or… knowing the report-to-drop process takes ~28 days, you might decide to use fake whois data and settle for a minimum ~28 days of revenue and relative anonymity.
P.S. Don’t actually do this.