Large-Scale Intentional Invalid WHOIS Data: A Case Study of "NicGod Productions" / "Domains For Sale"
In recent years, many Internet users have become aware that domain name registrants do not always offer accurate contact information. The distributed "WHOIS" database storing and distributing this contact data is generally thought to be important for correcting technical errata, resolving disputes over domain name allocation, and holding web site operators responsible for the content they distribute. A series of contracts, from ICANN to registrars to registrants, requires that contact data be complete and accurate, but nonetheless certain registrants fail to properly provide the required contact information.
While many WHOIS errors likely result from accidental error in data entry or data processing, certain registrants have been found to intentionally provide systematically inaccurate contact information to registrars for inclusion in the WHOIS database. Such fraud can include the entry of invalid street addresses and phone numbers, i.e. contact information that in fact reaches no one, or it can instead offer as the purported registrant of a domain some third party in fact wholly unrelated to the domain.
In recent research, I have documented 2754 domains reregistered by one particular firm known for its widespread use of invalid WHOIS contact information. The majority of these domains redirect users to a single web page displaying a list of links to content that is, by and large, unrelated; the remaining domain names provide access to sexually-explicit images. While this research is by no means exhaustive -- other firms likely follow similar registration practices, and still others make numerous invalid registrations and reregistrations that no doubt differ in various ways -- a review of these specific registrations as well as their general characteristics may be helpful in understanding the behavior at issue.
Note that this research is focused specifically on large-scale domain registrations. I do not address the questions of privacy, spam, and consumer protection raised by publication of individual registration data in the WHOIS database.
A Case Study: "Domains For Sale" Reregistrations by an Undetermined Registrant
Recent testing reflects that a firm calling itself "NicGod Productions" and "Domains For Sale" (henceforth, "NicGod") operates at least 2754 domain names that by and large redirect to a page that offers a list of links unrelated to the requested domain. A subset of NicGod's domains offer sexually-explicit images on a paid subscription basis.
NicGod's 2754 domains include a wide variety of character strings. The vast majority of domain names explicitly suggest specific content other than what is present on the subsequent list of links -- for example, angry-kids.com, californiastateuniversity.com, doctorjohn.com, polygram-us.com, reform-party-usa.org, and winthrop-police.com.
It seems that most or all of NicGod's domains were previously held by other registrants. According to archive.org, at least 1844 (67.0%) of NicGod's domains previously offered HTML titles suggesting the availability of other content, precisely indicating that the domains were previously put to another use before registration by NicGod. Some 246 (8.9%) of NicGod's domains continue to be listed in Yahoo, in categories reflecting the prior availability of content other than the current NicGod listing of links. Similarly, some 2170 (78.8%) of NicGod's domains are mentioned on one or more other pages, as reported by Google; these many outside references further suggest that the NicGod domains previously hosted other content. In this regard, NicGod's registration practices seem to be similar to those documented by this author in his April 2002 Domains Reregistered for Distribution of Unrelated Content: A Case Study of "Tina's Free Live Webcam".
A review of the current registrants of domains previously held by NicGod suggests that certain registrants, among them the major American firms of Hewlett-Packard and AOL, are coming to hold certain domains held by NicGod as recently as March of 2002. These firms may be purchasing the domains at issue from NicGod or may be using a UDRP or similar challenge to obtain the domains.
Update: This author attempted to contact NicGod at one of the phone numbers provided in WHOIS contact records. In a return call four days later, the author learned that a randomly-selected NicGod-registered domain was available for $1200 (asking price) and could be transferred within 24 hours. The NicGod representative suggested payment via an escrow company, PayPal, or Afternic, noting that Afternic would charge a $100+ fee that he thought to be excessive. The NicGod representative responded to complaints about the proposed fee by reporting the randomly-selected domain's popularity in search engines Lycos, Hotbot, and Altavista and further noting that the domain received, in his experience, 200 or more "type-in" requests per day. When asked about the minimum price he had ever accepted for a domain name ("to avoid a loss" as he put it), the representative said $550 was his minimum, and when asked about his identity, he said he had "no secrets" and that his name was in fact Allen Ginsberg, notwithstanding that this is also (but, he seemed to suggest, only coincidentally) the name of a famous poet. The NicGod representative spoke fluent English in a heavy accent that this author found consistent with the hypothesis of Eastern European national origin. Caller ID was blocked on his incoming call. (May 15, 2002)
Update: I have added nearly 1500 additional domains currently or recently registered to NicGod, increasing the count of domains documented here from 1278 to 2754. (June 3, 2002)
WHOIS Errors and "Tricks": NicGod's Methods for Keeping Its Identity Secret
A review of NicGod registration practices shows a variety of techniques that seem to be used to keep secret the identity, location, and contact information of the NicGod staff.
The NicGod domains are notable for their wide variety of registration methods and purported contact locations. NicGod's domains use a total of eleven distinct registrars; leading registrars are Bulkregister (1294 domains), Dotster (379), The Registry at Info Avenue (285), eNom (154), Namescout (113), and iHoldings / dotRegistrar (62). Furthermore, NicGod provides at least nine distinct countries for registration of its various domain names, including Armenia, Bulgaria, Canada, Estonia, Germany, Hong Kong, the Netherlands, Russia, the Ukraine, and the United States. A series of investigations has shown various of these addresses to be invalid (International Herald Tribune, Detroit News Online / Bloomberg News, Radio Free Europe).
In addition to using a large number of invalid addresses for the registration of its domains, in many instances NicGod seems to enter the names of one or more well-known individuals as the purported registrant of its domains. For example, some 425 NicGod domains purport to be registered by Allen Ginsberg, also the name of a deceased American poet. For other domain registrations, NicGod uses a variety of company names -- including "Domain ForSale," "Grafikal Kompilations," "Merkus, Matching," "Triple Zero Networks," and "Ugol Hostmaster." An OECD report further alleges that in some instances NicGod uses or previously used as the registrant name for one domain the prior registrant's name from another domain -- causing substantial confusion as to who is responsible for NicGod's registrations.
Many of the domains registered by NicGod offer a telephone and fax contact in the United States. The specified phone number is a voice mail box in the 309 area code assigned to Bloomington, Illinois. Documentation gathered by the OECD suggests that NicGod may purchase this service from an Illinois voice mail firm; in this case, NicGod itself may nonetheless have no actual presence in Illinois.
Data collected by Patrick Jones of UDRPlaw.net suggests that NicGod has faced at least 27 challenges under the Uniform Domain-Name Dispute Resolution Policy (UDRP) but has in every instance failed to respond to complaints. It is possible that staff of NicGod would prefer to forfeit their domains under the UDRP, rather than reveal their identity by responding to a UDRP complaint; alternatively, staff of NicGod may not receive UDRP complaints precisely as a result of the invalid contact data provided by NicGod to its registrars.
Of course, even NicGod's methods may ultimately prove inadequate for keeping secret its identity. Most or all NicGod domains are hosted at dslextreme.com, an ISP in Canoga Park, California; it is possible that this firm knows the true identity and location of NicGod, information that it might have obtained in the course of billing or customer support. Alternatively, any of NicGod's registrars might know the firm's identity and location from similar interactions. It is possible that any or all of these firms might disclose known information on the basis of a subpoena or other request. A Detroit News Online / Bloomberg News article suggests that the individual behind "NicGod Productions" may be Emil Lazarian, an 18-year-old Armenian exchange student.
Specific Domain Registrations with Invalid Contact Data
In recent testing and archiving, I have prepared a listing of a total of 2754 distinct domains that are (or recently were) registered to (or by) NicGod, and that likely offer (or recently offered) invalid contact data.
For each domain, I have attempted to obtain a variety of information including:
The results of this data collection effort are freely and publicly available. Due to the large size of the listing of results, the listing is provided in sections by first letter of domain name:
Of the 2754 distinct domains registered to NicGod, 2027 (73.6%) currently point to listings of links with pop-up advertising and possible click-through sponsorship. Of the remaining 166 domains, at least some have been transferred to other registrants (among them AOL and HP), and at least 43 offer sexually-explicit images.
According to current testing in Google, 2170 of NicGod's domains (78.8%) are mentioned in one or more web pages (as via a link or a textual reference to the domain name).
Yahoo continues to classify 246 of NicGod's domains (8.9%) into its hierarchical directory categories. In a casual inspection, none of these categories seems to properly characterize the content available from NicGod.
Archive.org reports that at least 2027 (73.6%) of NicGod's domains previously contained a title suggesting the availability of other content.
NicGod uses at least eleven different registrars (primarily Dotster, Bulkregister, and Namescout) and uses multiple registration addresses in at least nine distinct countries. Contact information in some registrations invokes the names of well-known individuals who are deceased as well as unaffiliated with NicGod.
Of NicGod's domains, Alexa toolbar logs reflect that the most popular were ITLIBRARY.COM (previously a resource about information technology) and ASCGAMES.COM (a computer game developer site). In the past six months, these sites received 131788 and 59361 accesses, respectively, from users of the Alexa toolbar -- making them, at least among Alexa users, the 3161st and 6877th most popular sites on the web. A total of 75 of NicGod's domains received more than 100 requests from Alexa users in the past six months -- suggesting that many of NicGod's domains were and remain relatively popular.
While the data linked above is but a single case study of what is known to be a more widespread phenomenon, it is nonetheless possible to draw certain conclusions on the basis of work completed to date. Possible conclusions include the following:
Future Work, Discussion, and Policy Implications
This work has focused on only several hundred registrations by a particular single firm. While that firm is in some circles notorious for the invalid data it enters into the WHOIS database, it would be desirable to collect additional data so as to better understand the scope of the problem. Unfortunately, large-scale analysis is difficult because it is in many instances time-consuming, difficult, and costly to determine whether or not a given contact is in fact invalid. Future work will seek to develop additional automated methods for verifying telephone numbers, for cross-checking telephone numbers with street addresses, and for otherwise recognizing suspect trends in WHOIS data. To this end, the author welcomes submission of additional examples of domains with intentionally-invalid contact information; send such submissions to the author.
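One way to begin automating the checks described above, as an added example that is not the author's code: group WHOIS records by normalized phone number, count how many registrars, registrant names and countries share each number, and flag records whose phone calling code disagrees with the stated country. The records, field names and calling-code table are constructed for illustration and assume phone numbers are written with their country code.

```python
import re
from collections import defaultdict

# Constructed sample records (not real WHOIS data); all names and numbers are made up.
RECORDS = [
    {"domain": "d1.example", "registrar": "reg-a", "registrant": "Famous Poet",
     "country": "AM", "phone": "+1 309 555 0100"},
    {"domain": "d2.example", "registrar": "reg-b", "registrant": "Example Holdings",
     "country": "EE", "phone": "+1-309-555-0100"},
    {"domain": "d3.example", "registrar": "reg-c", "registrant": "famous poet",
     "country": "US", "phone": "1.309.555.0100"},
    {"domain": "d4.example", "registrar": "reg-a", "registrant": "Jane Roe",
     "country": "DE", "phone": "+49 30 5550 0199"},
]

# Calling codes for the sample's countries only (assumption: extend for real data).
CALLING_CODES = {"US": "1", "CA": "1", "AM": "374", "EE": "372", "DE": "49"}

def normalize_phone(raw):
    """Keep digits only so formatting variants of one number compare equal."""
    return re.sub(r"\D", "", raw)

def phone_country_mismatch(rec):
    """True when the phone's calling code disagrees with the stated country."""
    code = CALLING_CODES.get(rec["country"])
    return code is not None and not normalize_phone(rec["phone"]).startswith(code)

def shared_contact_clusters(records, min_domains=3):
    """Group records by phone and summarize how widely each number is reused."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalize_phone(rec["phone"])].append(rec)
    findings = []
    for phone, recs in groups.items():
        if len(recs) < min_domains:
            continue  # a number seen on few domains is not a reuse signal
        findings.append({
            "phone": phone,
            "domains": sorted(r["domain"] for r in recs),
            "registrars": len({r["registrar"] for r in recs}),
            "registrants": len({r["registrant"].lower() for r in recs}),
            "countries": len({r["country"] for r in recs}),
            "mismatches": sum(phone_country_mismatch(r) for r in recs),
        })
    return findings

if __name__ == "__main__":
    for finding in shared_contact_clusters(RECORDS):
        print(finding)
```

A single number shared across several registrars, registrant names and countries is a lead for manual review, not proof of invalid data; privacy and proxy services also produce shared contact details.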
While a full policy analysis is beyond the scope of the current project, available data suggests that existing work by registrars and ICANN has been unsuccessful in assuring the accuracy of WHOIS data. Instead, systematic errors have remained over time, and known abusers have continued to register at least hundreds of domains without providing valid contact information.
In this context, ICANN's recent Registrar Advisory Concerning Whois Data Accuracy seems arguably too limited to fully and efficiently address the entire problem at hand. Instead, when a given domain is found to contain invalid contact information, and when this contact information is found to be intentionally invalid, a registrar might consider canceling all of that registrant's domains rather than only a particular single domain. (To reduce the risk of error, the registrar would of course first use all available methods to attempt to contact the registrant. Furthermore, the domains at issue would initially be placed into some sort of "hold" status wherein they do not function on the Internet yet, for a limited time, can be returned only to the prior registrant but not to any other interested party.)
John Berryhill points out that improvements in the accuracy of the WHOIS database may have a dual effect -- first, as expected, to increase the ability of interested parties to learn the identity of the registrant of a given domain; second, to use that registrant's contact information to induce the registrant to transfer the domain to some other registrar or to otherwise defraud the registrant. (More information about domain name scams from the FTC.)
Some registrants may prefer to keep their contact information confidential. ICANN's Registrar Accreditation Agreement anticipates this possibility and therefore allows registrars to hold registrants' valid contact information in trust, while publishing in WHOIS only a placeholder address. Certain third-party firms provide a similar service. Note, however, that these intermediary services are separate and distinct from the large-scale intentional entry of invalid contact information that is the subject of this document's discussion and of which NicGod is an example.
The purpose of this work is primarily academic -- to document the activity at issue for the benefit of those who seek to make policy decisions on related matters. In the context of ICANN's recent Registrar Advisory Concerning Whois Data Accuracy as well as associated Congressional hearings, the availability of this data and analysis is intended to be helpful to policy-makers and other interested parties.
This page is made available to inform discussion about the registration of Internet domain names. The data contained here is not intended for use for other purposes, and it should not be used for other purposes without first contacting the author.
In order to confirm the results of my testing and to attempt to obtain certain other information, I sent an email inquiry to various of the contacts listed in WHOIS records of domains registered by NicGod. I have to date received no reply to the questions posed. Comments from NicGod staff remain welcome, as are comments from others interested; with the permission of the author, comments may be posted or linked from this page as appropriate.