One of the most popular subjects readers contact me on is domain theft and abuse, and more messages came in after my recent story on “domain tasting.”
If you thought that practice was distasteful, you havent seen what I found next. It involves a domain-testing firm. But thats not whats most interesting.
It all started with a message from a reader. She was planning to put a Web site up and needed to register a domain name.
She chose to use her first and last names for the domain (just as I own larryseltzer.com) and checked it on at least one service for availability.
She went back in a day or two to register it and, lo and behold, it had just been registered to an outfit named Chesterton Holdings.
Its obvious that Chesterton Holdings is a domain squatter. The domain was not just registered, there was a Web page up on it.
The page was covered with the sorts of ads you usually see on squatted pages, and the ads were all syndicated through information.com.
Several days later, Chesterton released the domain, probably having had few or no hits on it. Chestertons own Web page contains the following statement:
So the question remains: How did Chesterton Holdings get hold of the readers domain name and register it before she did? Is it part of this mysterious “automated process”?
The main site she had used to check for domain availability was the CNet Domain Search page.
This is a “meta-search” page, meaning that when you enter a domain name in it, the page checks several other services for domain availability, consolidates the reports and delivers them back to the user.
I decided to run some tests, so I picked three names out of the air and checked them with the CNet Domain Search page including myfuzzycat.com and lickmynose.com.
I let the matter go and about 30 hours later I checked with a separate whois service and determined that the domains belonged to Chesterton Holdings.
The same ad-based Web pages were up on them. Bingo. Click on the thumbnail image nearby to see the page.
We tested a third domain, IWantToSexYouUp.com, which was subsequently grabbed by Chesterton Holdings.
to see screens of the ads being served.
Whois Stealing My Whois
At this point, its worth saying a little about the process of checking a domain. There is a protocol and software called Whois, which is used for querying the databases of domain names, ultimately maintained for each top-level domain (or TLD, such as .com, .org, etc.) by the “registry” for that TLD. Verisign maintains the registry for the .com and .net TLDs.
Whois used to be exclusively a UNIX-based command-line affair, but these days most people get their whois information from web-based interfaces which perform the whois query on the back-end. My favorite service is Completewhois. When hosting services like web.com tell you that a domain is or is not available they first perform a whois query in order to determine if it is.
Theres a lot wrong with whois. For example, anyone can set up a whois server, theres no master list of them, and different servers return data in different formats.
And when a hosting service, APLus.net for example, performs a back-end whois, its impossible to tell exactly what they are doing and to whom they are talking.
Anyway, my next step in testing was to go to the four hosting services meta-searched by CNet and search them directly with new domain names also picked out of thin air. Two days later they havent been taken.
At this point I have to say I dont know exactly whats happening, but something fishy is going on. With a whole lot more testing, I think I could figure out the source of Chestertons domain name feed, but I decided it was time to get the story out first.
The reader who brought all this to my attention called aplus.net, which told her that Chesterton Holdings monitors whois requests, and thats how they learn which domains to register.
This would be a great explanation if it were possible, as a general matter. But its not generally possible to monitor whois requests.
Here is whats possible, based on what I know:
- CNet, or someone at CNet, could be passing the requests on to Chesterton. I dont believe this for a second.
- One of the hosting services that CNet is checking with (and there could be more than they indicate) could be passing data on to Chesterton. This seems unlikely to me.
- Chesterton could have compromised one of the servers involved in the process, for instance the whois server used by one of the hosting services. This seems possible to me. There are a number of other hacking techniques, DNS cache poisoning for example, that could indirectly give Chesterton access to data from these queries.
- Verisign could be passing the data on to Chesterton. I dont believe this, either.
Ive been in touch with CNet about this matter as I have investigated it. They dont really have an explanation, nor would I expect them to if their meta-search was doing what it was supposed to do. I also attempted to contact Chesterton, without success.
Even though Ive speculated on possibilities that are more or less likely than others, I dont think Im close to a definitive explanation. All I really know is that theres no legitimate way to do what Chesterton Holdings is doing, and I hope they finally get called for it.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at firstname.lastname@example.org.