What is a domain reseller?

Yesterday we covered reseller hosting, but you may have also noticed that there is something called a domain reseller.

Domain resellers are simply proxies to real registrars. They are not accredited by ICANN, but instead offer domains through a third party. Many small to medium-sized web hosts are domain resellers. Individuals can also resell domains, but if they don’t already have a large customer base on hand, making bank is a challenge.

That being said, there is nothing wrong with buying a name through a reseller, but you will pay a higher price. Resellers always mark prices up higher than a registrar and don’t always offer the same promotions. Buy domains directly from the registrar instead.

Photo | annaOMline

Web Attacks May Be Linked

Mary Landesman, senior security researcher at ScanSafe believes that three major waves of SQL injection attacks may be linked, originating from the same attacker. Approximately 80,000 Chinese, 67,000 U.S., and 40,000 Indian websites are still infected by a botnet due to SQL injection attacks. At one point, millions of Chinese sites were compromised. Landesman says the attacks were the work of the same attacker because of similar domain name registration information and methods used.

“It’s the thread of the domain names being used,” Landesman says. Seven of these “mal-domains” — a term coined by Landesman to describe domain names used solely to build Internet infrastructure to spread malware or otherwise cause harm — were registered under the same name and address (which are clearly bogus, being not more than gibberish).

Most of the domains were registered to a major registrar, which is uncharacteristic of such attacks. Usually attackers choose lesser-known or less reputable registrars in order to slip through unnoticed. The problem is the system, Landesman says, which allows people to register domain names using completely false information with procedure for verifying identity.

Source: Network World
Photo: Flickr

ICANN Plans to Rethink Expired Domain Recovery

It happens all too often. You have a lapse and forget to renew your domain name registration. One day you go to your website to find it filled with text link ads instead of your content. Re-registering should be simple, but ICANN‘s At-Large-Advisory Committee (ALAC) reports that the methods available to consumers who want to recover their expired domains “have proven to be ineffective.”

The current system involves a 45-day auto-renew grace period. After the grace period ends, the registrar deletes the domain, and it enters a 30-day redemption grace period. At this point no website will appear when trying to access the domain. The registrant can still renew the domain at this point through their current registrar.

ICANN’s consultation asks: “whether adequate opportunity exists for registrants to redeem their expired domain names; whether expiration-related provisions in typical registration agreements are clear and conspicuous enough; [and] whether adequate notice exists to alert registrants of upcoming expirations.”

They are also considering whether there needs to be some type of notification system as the domains progress through each grace period and face deletion. Furthermore, registrars are allowed to sell domains in the auto renew period to third parties. That is often when you will see your domain suddenly appear with ads. Then when you try to register it again, the new owner might try to sell it for you for a high price. The ALC intends to evaluate all of these issues.

Source: Out-Law.com

School Prayer Controversy Heats Up

In recent news, two school teachers at Pace High School in Florida, USA are under investigation for publicly promoting their religion. The news has caused an upsurge in searches for the school’s website and sites related to the controversy. The school’s website can be found at the domain: pacehighschool.net. If someone types in pacehighschool.com, however, he will be met with quite a surprise.

The latter domain points to a pornographic website, and their Whois information is hidden. The only indication of who might own the domain is that they registered it with a Canadian registrar. Parents and others looking for the school’s actual website have complained, but officials of the Santa Rosa school district and even the Santa Rosa County Sheriff claim there is nothing they can do.

Under the UDRP established by ICANN, individuals and organizations have the right to contest domains that are confusingly similar to their trademarks. But it is unlikely that the school district registers trademarks of the names of their schools. Nevertheless, they could still file a complaint against the owners of pacehighschool.com. It would seem at this point, the school district has nothing to lose by trying and much to lose by doing nothing.

Source: Santa Rosa Press Gazette

Does domain front-running exist?

Imagine: you discover a domain you want to register and check to see if it’s available at your registrar’s website. It is, but you decide to sleep on the idea and purchase the name in the morning. Come the next day, it’s taken! What happened?

This phenomena might just be a case of bad luck, or an instance of domain front-running, a highly unethical practice in which a registration company registers domains looked up by customers. Taking advantage of the standard 5-day grace period allowed by ICANN during which a domain can be deleted for little or no charge, the registrar can taste the name and either keep it or delete it depending on its value.

Domainers have cried foul about this problem since it became an issue nearly three years ago. ICANN recently looked into it, however, and did not discover any instances of domain front-running among registrars. The practice has become less prevalent mainly because the rules regarding the 5-day deletion policy were changed in 2008.

Before, the entire purchase price was refunded, including a 20 cent administrative fee charged by ICANN. Now, this fee is not refunded. For one or two registrations, this makes little difference. But for someone who tastes 10,000 domains a day, it drives them out of business.

Probably the best view on the matter is that before the new policy was introduced, domain front-running was a problem. Today, domain experts consider it to be virtually nonexistent.

ICANN Revokes Accreditation of Three Registrars

ICANN announced yesterday that they had sent notices to three domain registrars informing them that their accreditation would not be renewed. According to the documents available on ICANN’s website, the registrars have violated the conditions of the RAA (Registrar Accreditation Agreement). The reasons and details of the violations are explained in each letter.

The first registrar, based in New York, failed to provide accessible Whois information on their domains, a service required by the RAA. ICANN sent a letter to them on July 17, but the registrar failed to respond. Since then, they have activated their Whois service but still do not have all of the required information available. The second registrar failed to escrow gTLD registration, which is apparently a database containing certain domain data. They failed to submit the data and did not respond to ICANN’s requests. They also failed to pay their ICANN fees.

The final registrar also failed to escrow gTLD and pay their ICANN accreditation fees. In all three cases, ICANN informed the registrars that their accreditation will be allowed to expire, but they can renew if they remedy the problems. Assuming that does not happen in time, ICANN will begin procedures to transition the domains from the non-compliant registrars.

Source: ICANN
Photo: Flickr

Data breach occurs at registrar

Despite all the security measures online payment systems provide, the reality is Internet shoppers are never 100% safe. Last week one of the largest domain registrars in the United States reported a security breach that affects some 573,928 customers.

The incident involved a piece of malicious code running on servers associated with affiliates of the registrar- companies who sell its domains under a different business name. The breach opened on March 12 of this year and once detected, was closed on June 8.

The good in all of this is that the registrar was honest enough to report the breach and has promised to compensate victims for any fraudulent account activity or identify theft that takes place. So far none has been reported.

Source | Credit FYI

Should there be price caps on new gTLDs?

One issue of contention among domainers lately is when the new gTLD system is introduced next year, should price caps be placed on the extensions?

Currently, ICANN forces price caps on all TLDs, including .com, and limits registration terms to ten years. This helps ensure customers get a fair deal and prevents registrar abuse.

In the gTLD Guidebook 2.0, a manual of sorts for the new system, ICANN implicitly states there will be no price controls, stating that price caps would be too hard to enforce given the global nature of domains. However, it does state that the issue is open to debate and registrars will be required to notify customers at least 6 months in advance before increasing prices.

The problem here is if ICANN lets gTLD companies name whatever price pleases them, what about registrars selling .coms and other TLDs? I think that gTLD sponsors should be able to set the price, but ICANN seems to have dug itself into a hole here. Just another reason why I think more oversight is needed in Marina Del Rey.

Source | The Domains

Twitter Outsources Domain Name Portfolio

The micro-blogging giant Twitter has handed over management of its domain portfolio to an Australian registrar. It includes a two-year, deal during which the company will manage all of Twitter’s domains. It is a common practice for registrars to provide single portals for customers who need to manage multiple domains.

With this deal, however, the registrar will not simply provide registration services. It will actually look after the domains, renew domains before the expire, and register new ones that suit the company’s interests. Usually this is something done in-house by a company’s IT department. In some cases this can lead to problems when a single individual has control of a company’s domain.

This may be the indication of a new trend, where companies outsource their domain management to IT specialists, allowing them to focus more on their actual sites and services. Such a service would also be helpful for companies involved in trademark disputes. It is unclear if that is part of the Twitter packaged deal.

Should falsifying domain contact information be illegal?

Few Americans know that it is in fact illegal to to falsify personal details when registering a domain. With the enacting of the Truth in Domain Names Act in 2003, it became a crime to “knowingly and with the intent to defraud” provide false contact information to a domain registrar. Offenders are punishable by up to 5 years in prison and/or fines.

The law was enacted with the goal of protecting Internet users and to fight child pornography online. To help support their case, the bill’s sponsors gave the example of John Zuccarini, a notorious typosquatter who faced several lawsuits for his cyber crime. However, those behind the lawsuits were unsure if the name– obtained from the WHOIS database– was even accurate.

A number of organizations, including the ACLU, have criticized the law for being over ambiguous and violating civil liberties, most notably the right to privacy. While I think it is important to keep the Internet honest, I don’t see how this law is doing much good. It does nothing to impose regulation at the registrar level and is designed to be enforced after the fact. As in the case of Zuccarini, even if false contact data is provided, how can the authorities track down the real registrant?

According to one estimate, 10% of all domain registrations are under false names. That seems like an awfully high number. My guess is most of these people do not know about WHOIS privacy services and are simply trying to protect their identities. Perhaps this situation would be better handled by registrars. A much more effective deterrent would be to force registrars to verify domain contact data and then purge registrations if the details do not match up. But of course, nothing will ever be that easy.

Sources | JCIL & iBLIS