Have you heard of ‘Domain Kiting’? I hadn’t

Bob Parsons (CEO of GoDaddy, a domain registration firm) taught me everything I know about it in “35 million names registered in April. 32 million were part of a kiting scheme. A serious problem gets worse”.

The article is very detailed; a few bits:

All of us are familiar with the illegal practice of check kiting. Quite simply check kiting involves taking advantage of timing and the banking system to generate cash that simply isn’t there. In many ways that is what domain kiting does. Domain kiting takes advantage of timing and the domain name system in an abusive and improper way to generate cash.

Domain kiting registrars put up mini-Web sites — loaded with search engine links — for domain names for which they never pay. When people land on these Web sites and click on the links, money is made. It’s easy to spot one of these registrars as the number of total registrations they make often far exceeds the number of permanent registrations — or names for which they actually pay. This is why during the month of April 2006, out of 35 million registrations, only a little more than 2 million were permanent or actually purchased. The vast majority of the rest were part of the domain kiting scheme.

Yowzah! But, you say “so, where is the money made?”. Search, of course.

The short version: kiters set up mini web sites and then advertise these sites any way they can. One way is through comment spam (which I am constantly fighting on this blog). The spam includes URLs to the mini sites, which get picked up by the search engines. If enough of the same links get picked up, search ranking goes up, the mini-sites show up in results, and you get the drift.

Okay. Now you say, “so what?”. True enough; people searching for something hit the mini site, the site gets paid for advertising, the URL redirects to a real site that might offer the product (or redirects multiple times to God-knows-where). Commerce is satisfied; the purchaser is happy.

However, the kiters abuse the five-day domain registrar refund policy, failing to pay the registrar for the domain. The faux domains get purged sometime after and the kiters do it all over again. Because their costs are low (not quite zero) and can be automated, it’s a profitable venture.

How big a problem is it? Note the numbers in Mr. Parsons’ headline: 35 million registrations, 32 million that were bogus.

Cassandra’s Caprese

Cassandra made a Caprese (tomatoes, mozzarella and fresh basil) salad for me for Father’s Day (2006):

(image: CassandraCaprese20060617)

The opsan.com offline drama

Back in April, my domain (http://www.opsan.com/ and https://blog.opsan.com/) was offline for a few days. This occurred because Network Solutions had removed my URL from the name servers in response to a complaint (which turned out to be bogus).

Background
I have a few posts on this blog about an individual named Robert Soloway, who is allegedly a spammer. He owns (or is associated with) a company named Broadcast Email. This company sends out a variety of mass-marketing emails.

My original posts referenced Soloway’s ridiculous SPAMIS initiative last year (accusing Microsoft of sending spam). These posts have elicited a huge number of comments as other domain owners have joined the conversation and are in the process of chasing Soloway and his domains around the globe.

(links to old posts removed)

It seems the discussion on these articles is striking a nerve. Please note that I clean out offending and threatening comments as they’ve appeared; that kind of stuff isn’t productive for anyone. That said, I really doubt anyone from Soloway’s organization ever read anything like that, but, c’est la vie.

The first hint of trouble
I received an email on 4/7/06 from my hosting provider (HostDepot). The mail said that an automated process at SpamCop (their spam filter) had detected the string ‘www.opsan.com’ in a number of emails. The gist:

“It has been brought to our attention that SPAM messages are being sent spamvertising this website hosted here at Host Depot (www.opsan.com).”

The automated process made the assumption that the presence of http://www.opsan.com in an identified spam was promoting my web site. Now, the text around the URL was interesting:

“the owner of http://www.opsan.com has a blog that at times has had comments made relating to death threats to the owner of our organization, simply for our assistance in offering charity emailings to non-profit organizations.

help us prevent future death threats to the ceo of our organization by complaining about http://www.opsan.com to: reportspam@networksolutionsemail.com”

A human who read that message would have seen that it was hardly a promotion for my site. I replied to SpamCop and advised the domain was being used without my permission, and I promptly forgot about it.

The second sign of trouble
Network Solutions sent me an email with the subject line “Confirmation of DNS Change”. It was a little ominous, as I’d not ordered a DNS change. The text was a bit scary:

Domain Name: OPSAN.COM
Previous DNS Name Servers:
NS27.WORLDNIC.COM
NS28.WORLDNIC.COM

New DNS Name Servers:
INVALID-DNS.AUPTERMINATION.COM
NOT-HOSTED.AUPTERMINATION.COM

To put it politely, I think this is the first time I have EVER said the, umm, “expanded” version of ‘wtf’ out loud. I think I scared Cassandra, who was happily shredding magazines into ribbons at the table next to me. You don’t have to be a network engineer (I’m not, although I am skilled in DNS) to surmise that ‘INVALID’, ‘NOT-HOSTED’ and ‘TERMINATION’ are bad descriptors to have in your name server references.

The mail tried to be helpful, pointing me to my Network Solutions VIP account (I’m the technical contact on a ton of domains, so they consider me a pretty important guy). However, my account had the same information as the email, with no way to point it to proper name servers.

Time to go to the phones.
I got a helpful, but incredibly scared guy on the first call. It’s pretty obvious he’d only been in the call center a short while. As soon as he saw those frightening words, he stuttered and came to a halting stop. He muttered something about ‘legal lock’.

Then, he put me on hold.

When he came back, he was trying (but not succeeding) to be calmer. Poor guy; I’d basically slammed him with the polite version of ‘wtf’, and he’d not yet had a call like that. The end result? The domain was closed for business, and my only option was to wait forty-eight hours from the time of my call to hear why this had happened, VIP status be damned. The words ‘legal lock’ escaped his lips once again.

Memo to Network Solutions: This is broken. If you get a call from a customer (VIP or not), you need to give them better information. People who care about their domains will call you. Folks who are trying to scam you WON’T call and you can blow them off.

The Resolution
Fifty-two hours later, in the middle of a meeting with my Microsoft VP, my cell goes off and it’s the guy from Network Solutions. Once he confirmed I was a real person, we exchanged a few emails (providing him the background and my intent) and my domain was reactivated.

Simply put, Network Solutions reacted, rather than responded; not the ideal of customer service. I cannot think of a good reason to defer a customer resolution discussion for 48 hours, under any circumstances, even those relating to volume. Again, the customers who care will call you; the scammers won’t.

What am I doing differently? Nothing. I may see another ‘complaint attack’ like this, but that’s just the way it is. Until then, I’ll maintain the comments, purging any I deem to be unacceptable. Meanwhile, I’ll watch the group of domain administrators keep each other up to date in their efforts to reduce the world’s spam, one spammer at a time.

Cassandra’s first bubble gum bubble

(image: CassieBubbleGumBubble20060605)

Cassandra is so proud.

Captured here for digital eternity: her first bubble gum bubble!

Sugar-free, of course, AND she got it back into her mouth without it winding up on the furniture.

Way to go Cassie!

The oldest bits on earth

Did you know that Zircon is the oldest known material on earth? I didn’t. Scientists discovered bits of Zircon in Western Australia that are 4.404 billion years old. The Earth formed a scant 150 million years prior to that. Older bits were discovered in a meteorite in Chile, clocked at 4.6 billion years old.

How can this be? From the article:

Zircon contains its own internal atomic clock. Its crystal accumulates atoms of uranium, which decay to lead at a known rate. By measuring the relative abundance of two types of uranium and lead in a zircon, geologists can determine how old it is. Zircon is also incredibly durable. It remains unscathed while other rocks and minerals melt and re-form under the tremendous heat and pressure of continental shifts, mountain-building, and violent asteroid impacts.

Yowzah!

In fact, like most of us, I assumed Cubic Zirconia (imitation diamonds) were derived from Zircon. They’re not. The cubic variety is laboratory-grown for your inexpensive pleasure.

Read “Zircon” from the “Add more color to your life” site.

Mad about ‘Captcha’?

The Wall Street Journal says we are.

‘Captcha’ is an acronym (of course) for ‘completely automated public Turing test to tell computers and humans apart’. You and I will recognize them as the funny images with strangely-shaped letters we see on some sites. The intent is to prevent automated sign-ups for credentials and sites. Yeah, they’re annoying, but I get why they’re necessary.

Not everyone is so pragmatic. WSJOnline: “Codes on Sites ‘Captcha’ Anger of Web Users”.

Anatomy of a 419 Scam

I learned WAY too much about 419 scams when I published “Microsoft teams with Nigeria to fight scammers” (on my birthday, no less).

I was able to read a ground-level dose of 419 reality when The New Yorker published “THE PERFECT MARK”.

The resource links from my earlier article.

Don’t fall for these. These are always false and always a scam. If you get one you think is compelling, check out the sites. If you still think it’s the real deal, call or write me, and I’ll help you research it.

Scary Washington Mutual Online Phish

Another scary phish in my mailbox (my last was “Scary Chase Online Phish”). This one, targeting Washington Mutual (WaMu) customers, showed up yesterday:

(image: wamuphishmail)

Looks pretty darned good. The message is consistent with a phish, especially the “If we do not receive the appropriate account verification within 48 hours” part, where they threaten to suspend the account. Sense of urgency, and all that.

Let’s look for trouble. Mousing over the renewal ‘IdentityManagement’ URL reveals:

(image: wamuphishrespondurl)

You’ll note that while the link looks legitimate (https even), the mouse-over shows you’d be sent to a site at a bare IP address that redirected to another (now-defunct) IP-addressed site.

The other URLs on the page are legitimate:

(image: wamuphishagreementurl)

(image: wamuphishheaderimage)

Which is typical; these sites will pull content from legitimate links to support their illusion.

Don’t be fooled by these.

In praise of street food!

Accounting is going to have a chuckle (if Microsoft accountants ever chuckle, that is) when going through my expense report this week. First of all, it’s mostly cash (we normally use a corporate credit card for business travel) and secondly, most of the meals are titled ‘street food’.

Street food rocks.

It’s the stuff that you buy from street vendors in New York City. There is a huge variety, and I make a point to try something new each time I visit. As a result, I wind up ‘eating my way’ across Manhattan. This trip was no exception.

Gyros stands provided most of the manna from heaven for me this trip. Not the gyros themselves, but the ‘carb friendly’ alternative that served the meats and vegetables atop a bed of seasoned rice (memo to vendors: rice has carbs). However, in a word: Yumm.

Mister Softee played a big part as well (I posted about this in my “NYC Trip” post) and good old Starbucks made sure I kept my circadians all fouled up with too many night walks around the city.

My diet? Noted, but not forgotten this trip. I still snacked during the day, keeping my metabolism high. Memo to self: do the diet and workout posts I’ve been meaning to write for the past few months.

There must be a hot dog stand somewhere on campus. Perhaps I should just follow my nose.

NYC Trip

I had the pleasure to visit the Big Apple this past week to work with a partner. It’s been a few years (almost eight) since I was there. Naturally, I had to visit my old haunts on the Upper East Side. Unhappily, most of them had closed, were being renovated or were just plain gone.

Quick inventory:

  • The Barbizon is being converted to condos.
  • Chianti (terrific Italian food on 3rd and the mid-50s) is now a pizza joint.
  • Circus (terrific Brazilian food on 63rd and Lex) is now a hoity-toity wine and olive bar.

The good news:

  • Hot and Crusty (63rd and 2nd) is still there; no bread pudding, though.
  • Mister Softee is EVERYWHERE, as are the Sabrett (“The Hot Dog New Yorkers Relish”) stands.
  • Starbucks is EVERYWHERE; the last time I was there, the nearest to the office was two blocks away.

I took the MTA NYC Subway most places; there was a stop a half block from my Sheraton hotel.

The construction site formerly known as Ground Zero is solemn and stirring, at the same time. There was quite a crowd down there (take the E Train to the WTC stop, also known as Church Street). This temporary stop connects to the PATH trains to New Jersey and lets you off at the fence surrounding the excavation. A single wreath in this station reminds us of what happened here. If you’re not passing through to Jersey, you can walk most of the way around the site and read the signs describing the timeline of 9/11 and history of the site.