ICANN Drop Your Domain 1

ICANN Drop Your Domain

If you’ve ever taken a look at more competitive SERPs, you’ve likely run into the completely bogus whois data that’s used to preserve anonymity. This is frustrating but makes sense; no-one wants to be directly linked to spam-fuelled domains, and spammers don’t want to link their domains together.

Interestingly, this opens the domains up to a serious vulnerability.

You’re breaking the rules if you provide fake whois information, and breaking these rules (even accidentally) can get your site disabled, and even make your domain name available for purchase by others.

In this blog post we’re going to report one of my own domains to ICANN (Internet Corporation for Assigned Names and Numbers). Here’s the ICANN procedure in brief:

ICANNcompliance

For our test, I’ve registered fakewhois.xyz (you can register a site on this questionable tld for $1 on namecheap, with free whoisguard):

123fakestreet.xyz
Looks great.

We aren’t using the free whoisguard. Post registration, the whois records are updated with my registrar to the following:

Mr. Fake
123 Fake Street 
Springfield; NA W8 1BF
GB  tel: +44.1234567891
fax: +1.1234567891
[email protected]

The majority of fake whois data is set up with completely fake accounts, which do not forward to a monitored account. As a result they are vulnerable to this method.

The email used will forward to my own, but it will be ignored. We want to see how the registrar acts, and if they raise the issue of the reported fake data at the registrar account level (rather than simply contacting [email protected]).

Domains under WHOIS protection still reveal their information to ICANN, just not the general public. Still, since my plan is to anonymously snitch on myself here, I make this information public:

whois guard disabled

Once this fake information is public and verified with external whois services, we report the site to ICANN:

I CANN Report Myself

Date of submission: 24.11.2015

One week after submission, ICANN respond with the following:

Thank you for submitting a Whois inaccuracy complaint concerning the domain name http://fakewhois.xyz.  Your report has been entered into ICANN's database.  For reference your ticket ID is: OUM-161-68604.

A 1st Notice will be sent to the registrar, and the registrar will have 15 business days to respond.

For more information about ICANN's process and approach, please visit http://www.icann.org/en/resources/compliance/approach-processes .

Sincerely,

ICANN Contractual Compliance

ICANN First Response: 01.12.2015

Assuming the notice is sent immediately, the registrar will have 15 days to respond. Within a week, the host gets in touch with the email account listed in whois.

Subject: IMMEDIATE VERIFICATION required for fakewhois.xyz

As of January 1, 2014, the Internet Corporation for Assigned Names and Numbers (ICANN) has mandated that all ICANN accredited registrars begin verifying the WHOIS contact information for all new domain registrations and Registrant contact modifications.

The following change has been made to the Registrant contact information for one or more of your domains and requires verification: 

Details

Please click the link below to verify the Registrant email address. You have until 2015-12-23 14:43:51. to verify this email address. After this date, the domain(s) associated with this Registrant contact will be suspended until the email address is verified. 

 Click here to verify your email address

Registrar’s First Response: 08.12.2015

From this notice, it looks as though Mr. Fake has 15 business days to respond. Reading this more closely:

the domain(s) associated with this Registrant contact will be suspended until the email address is verified.

This seems pretty serious. I hope my losses are confined to Mr. Fake’s properties, rather than Mr. Mason’s.

Anticipated date of drop: 23.12.2015

Date of drop: 21.12.2015

On the 21st of December I’m notified by uptime robot that the domain is no longer responding. Digging a little deeper, I can see that Namecheap have updated my nameservers to indicate the problem:

As a result, the site goes down, as it no longer points at my webhost. Logging in, I see the following:
domainsuspended
The only option is to contact support. The domain is not yet available for purchase by other people. It will expire at the end of the year, at which point it will be available for purchase. If we revisit the flowchart, you can see that I’ve had the domain suspended, rather than terminated:

ICANNcompliance

The other sites registered in the same account were unaffected. In less than a month I’ve taken my own website down with a form submission:

batonrogue1

My fake whois data has lost me the domain thanks to an anonymous tip-off. The whole process took 30 days.

This is, as usual, a poor test. I tested on a single registrar. Other registrars might be different. Still, it’s nice to have test domains available for a dollar.

Part 2 : Abuse

Imagine that you’re competing in an aggressive set of SERPS. Smarter blackhat webmasters will use fake details that they can verify, registering and forwarding the given email address to an active one. Many won’t. This leaves the door open for Negative SEO and outright theft.

japaneseogre

Now, pretend that fakewhois.xyz was a good domain. One that ranked for terms like ‘whois’. One stuffed with affiliate links for hosting providers. You might consider doing the following:

  • Wget a static version of the site. Modify all affiliate links to your own.
  • Report to ICANN.
  • Set up page monitoring to notify you of changes.
  • If the domain drops (a big if), purchase and restore the modified site as soon as possible. The site will continue to rank, generating affiliate revenue for you.
  • Otherwise, enjoy reduced competition if the domain is instead suspended.

A domain name failing to resolve is not a positive ranking factor. The above process can be scripted to irritate a huge number of people. You’ll need to be ready for when the domains drop if you’re looking to acquire them, as the site owner will be aware if it’s a site they monitor. As this is a surprise drop, there won’t be competition from domainers. This idea is particularly interesting  for not-so-private-not-so-monitored blog network sites.

Assuming you can register the domain, It’s not going to be easy for the person who has lost their domain to make a case to dispute ownership. It’s not likely to be quick either.

If you do use this method for evil, the person will know who has registered/stolen their domain, as you’d be using legitimate whois data. Or… knowing the reporting to drop process takes ~28 days, you might decide to use fakewhois data and settle for a minimum ~28 days of revenue and relative anonymity.

P.S. Don’t actually do this.

8 thoughts on “ICANN Drop Your Domain”

  1. As a black hat… I can tell you this is actually really easy to protect yourself against.
    I buy any affiliate/money site domains on a fresh registrar account (managed in a gigantic f’ing Excel doc) via a prepaid debit card. These prepaid cards come with addresses for you to input when buying anything online, so you have a billing address, but with most of these cards you can also put in any address you want – Some providers will have an online dashboard where you can input “your address” as the billing address – Which obviously, you can exploit as well.

    ICANN will also not drop your domain if you click an email verification link (most of the time) – I had someone report a big domain I had that was using Number 10 downing street as the address, verified the email and never had an issue since.

  2. There are some good affiliate links in this text – no worries about that – but maybe you can disclaim it somewhere? Otherwise HQ as usual

      1. Ah, full on black hat affiliating. I’ll see you at blackhataffiliateworld, sir.

        (tips hat)
        (walks out)

  3. Hello, very interesting informations. I would like to recommend https://www.zerobounce.net/ . If you have a list that needs verification for invalid, do not mail, spam traps, catch-all and abuse emails, they have good accuracy and competitive prices. Also, for real-time validation, the API is available in mutiple wrappers like Java, PHP, C#, Python and many others. Now with full GDPR compliance, the privacy policy is fairly strict and no data is shared with any entities.
    Best regards!

  4. Add the site UptimeControl.net to the article, because only they have a 3-minute site availability check interval on the free plan.

Leave a Reply

Your email address will not be published. Required fields are marked *