Early in August someone on Circle ID noted that a wildcard entry had been added to the .cm country domain, which is the TLD (top-level domain) for the West African nation of Cameroon.
Cameroon? Who cares, you may be thinking. But a wildcard entry in the DNS (Domain Name System) for a TLD lets the administrators define an entry to handle all failed lookups, and, in case you didnt notice already, “.cm” is a common typo for those who really wanted “.com”. So, in other words, if you surfed to “www.eweek.cm” instead of “www.eweek.com” you would go to the page they defined.
Some engineers from Cameroon found out (see the comment thread below the Circle ID posting) and raised a stink with the right people back home, and now the wildcard is down.
Of course, this is just a technically interesting example of the broader problem of “typo-squatting”—the use of domain names close enough to other well-known domain names that users often type them by accident. Check out http://www.googgle.com/ for an example, but please dont click on any of the links; youd only be encouraging them.
Wildcarding first came into the news three years ago when VeriSign wildcarded the entire .com and .net domains, in a “service” it called Sitefinder. There is a plausible argument that users are better off going to the Sitefinder page than getting “Cannot find server or DNS Error” in their browsers, but VeriSign withdrew Sitefinder after considerable criticism.
Yet wildcarding remains: John Levine, author of “The Internet for Dummies,” did a quick study and found 13 of them at the top DNS levels. According to Levine, half of them are harmless, or perhaps even helpful. Some of the others try to “help” you to register the domain name you just typed.
The most incredible one is the .ws domain wildcard, which displays a get-rich-quick scheme. Try some obviously wrong domain like http://www.3dlk4fsjf3lksj5ds7aos.ws to see it. (Yes, duffel bags full of $100 bills are within your grasp through a proven Internet marketing method!) Three of the wildcards (*.cd—Democratic Republic of the Congo, *.ph—Philippines and *.vg—British Virgin Islands) redirect to a directory page with ad links through Yahoos Overture service.
I have only a small amount of patience for the arguments of those who claim theyre just making a living in the same way that MSN and Yahoo and Google are when they take advantage of technical flaws in the system and user errors to mislead people. The folks behind these sites are simple frauds and vultures.
In fact, while the .cm wildcard is down, several obvious typo-squats are up in that domain: Ask.cm, chase.cm, mapquest.cm, match.cm, weather.cm and youtube.cm are all up and serving ads. Many of the ads on these sites syndicate through Google Syndication and Yahoos Overture. I asked Google and Yahoo if their terms of service permitted ads through typo-squatted domains, but neither company responded to my question.
But Wait, It Gets
I dont think Im overstating things when I say that its a .jungle out there. The domain business is a lawless world where, unless youre a large company with a trademark being violated, the system is set up to the advantage of fast-moving speculators with no sense of respect for the rights of others.
For instance, I still dont know how theyre doing it, but I continue to hear stories from readers about domain speculators snapping up domain names after Whois searches have been made on them. The only explanations that Ive heard proffered are that the Web forms that front-end the Whois searches have been compromised or their owners are corruptly transferring the data.
And just recently the rollout of the new .eu TLD was poisoned when careless monitoring by its operator allowed hundreds of phony registrars to harvest domain names for resale. It will take a while to clear up that mess, assuming someone in authority is interested in clearing it up.
So, whos in charge here? Whos going to save us from the disarray in which the world of domains names finds itself? That would have to be ICANN, the authority at the top of the domain pyramid. Of course, ICANN is famously uninterested in protecting the rights of ordinary people. And now it has shown a renewed interest in making things worse.
ICANNs proposed new contracts for the .org, .biz and .info registries set the same standard fixed pricing for domains as in the current contract ($6 for .org, $5.30 for .biz, and $5.75 for .info). But it also allows the registries to change prices unilaterally with six months notice to the registrars (not to registrants like you and I).
John Levines on-the-nose analysis of the contract changes notes numerous problems with the contracts and the naiveté of Vint Cerf and, presumably, the others at ICANN who wrote these contracts. How would you like to spend years establishing presence with an Internet domain, like New Yorks Metropolitan Transportation Authority has with mta.info, only to hear that your renewal fee has gone from several dollars to $100,000?
Dont count on registrars to look out for the interests of registrants. Why should they tell you that a big price hike is in the offing? As Levine points out: “It is telling that the proposed agreements, which include a long list of required provisions in all registry-registrar contracts, could easily say that registrars must pass along word of a price change, but they dont.”
Also legal under these contracts is differential pricing on an arbitrary basis. As George Kirikos points out on Circle ID, if a registry wants to charge $1 million for sex.biz it can, irrespective of what it charges for other domains.
Whenever I write on these matters I get e-mail from people in these businesses who argue that theres nothing wrong with everyone charging what the market will bear, but I dont think this is right in this case, with ICANN and registries doling out a limited resource. They should be looking at domains as a means to promote the businesses that own them, not to promote the business of domains.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]