Domain Kiting

["Dominik Filipp" <dominik.filipp@xxxxxxxx>]

The domain kiting issue has been a long-term problem for over last
several months. Among the biggest domain kiters there are still several
well-known ICANN 'accredited' registrars such as Belgiumdomains,
Capitoldomains, Domaindoorman and perhaps also Dotster, a former owner
of the previously mentioned ones. According to the actual
'webhosting.info' domain gain/lost reports they are still doing massive
domain squatting.
The first three mentioned companies have the same looking website and
even sit on the same IP address (perhaps, on the same machine). Their
services are pretty suspicious as one cannot do any whois search. All
whois requests end up with 'session expired' message just faking whois
lookups and remembering your valuable name for being snatched out of you
in a short while...
I am also one of those having been attacked by such kiters and took me
ten hard days (having had a good luck) to take and register my domains
back.

It's primarily an ICANN business to get into it and define some
regulations that should become part of a renewed contract between ICANN
and registrars. Apparently, registrars themselves don't tend to change
the existing registration model as they are not a primary target of
domain kiters. The practice should therefore be an important topic for
an upcoming ICANN meeting, at best, at the meeting in Sao Paulo in
December this year.

The Domain Kiting evidence

Though the domain kiting can be quite easily recognized intuitively
(when a registrar gains 10 times more domains than he actually
possesses, of which over 90 percent are lost (and regained again) during
one month without paying a dime); an unequivocal proof of such activity
can hardly be provided. The problem is that registrars have no legal
obligation to officially account for the reasons leading to delete and
regain domain names repeatedly (they simply cancel the registration
after 5 days and get the money back). We can still imagine a legal
scenario - an incompetent registrar verbally claiming to fail to
complete most of its domain name orders in due to alleged massive
fraudulent order attacks being constantly made on him; and immediately
rushing for new registrations for the same names. This is a pretty
stupid excuse but, unfortunately, legally hardly controversial.
But even if the registrars were obliged to keep traceable evidence of
such deletion (/regaining) stored, there is still a possibility how to
fabricate it. In fact, the only efficient way seems to prevent domain
kiters from even thinking of doing so. Some ideas...

1. Redefinition of Add Grace Period

The original meaning of Add Grace Period is to allow for typo
corrections as well as for cancelling fraudulent domain orders resulting
in complete refund of the registration costs if this comes to happen.
For typo corrections we normally don't need the refund as the registrant
doesn't demand to cancel the registration but rather to correct the name
(sure, in some cases, the corrected name can already be taken and the
registrant can no longer be interested in it). In such cases

a) The registrar should explicitly request the registry for removing the
domain name and reimbursing the order, but only upon written detailed
and traceable evidence sent to the registry. The registry can then
decide to accept or reject the request. This would bring more overhead
on both sides but could be deterrent enough for domain speculators.

b) Other possibility is to apply the Bob Parsons' approach where the
deletion can be made directly on registrar's behalf (as usual) but
charged some fee. The problem here is that the fee could still be too
low to avoid the speculations, although, the overall number of tasted
domains would certainly go down. This solution, however, is not
fundamental enough. The kiting would still survive.

2. The 'Inaccessible DNS Entry' approach

Surprisingly enough, there exists another way how to dramatically
decrease the kiting effort, which as far as I know has not been broadly
discussed yet. The main idea is that during the Add Grace Period none
registrar's name server for a new domain can be listed in the registry's
records. In other words, unless a domain is properly registered and paid
for, the related DNS entry is not accessible whatsoever. The basic whois
lookup through the registry will work as usual with one exception - the
registrar's name servers are not listed in the whois report.
The idea is to completely cut off the kiters from doing pay-per-click
advertising, which is the core of their tasting effort. Without having
access to the Internet the kiters cannot measure the domain name ranking
and taste the quality of the name.
To get this approach to run an extension to the existing Add Grace
Period concept is required. Currently, during the 5 days grace period
the intention for genuine registration (for at least one year) cannot be
recognized. In the proposed model there are two clearly distinguished
options

a) the registrar pays for a new domain name to the registry and claims
the 'final status'. The domain name can be immediately locked
(REGISTRAR-LOCK) and the refund is not more applicable. The 5 days
period is then restricted to possible typo correction (see point 1 in
the next paragraph). The registrar's name server resolving the domain
name can be immediately defined and published at registry database. The
domain is properly registered.

b) the registrar pays for a new domain name to the registry and claims
the 'pending status'. The domain name is strongly locked (REGISTRY-HOLD)
and after 5 days the refund is possible if demanded. The registrar's
name servers resolving the domain name are not available during the
'pending status'.

Violation of the 'Inaccessible DNS Entry' rule can be quite easily
detected by comparing the registration status of the given domain name
and the domain accessibility on the Internet. If the domain has not been
properly registered but an existing TLD server's IP address for the name
is obtainable e.g., by ping call, it is the registry who has violated
the rule. This, however, is higly unlikely as the registry would take an
enourmous risk of loosing its lucrative TLD business.

But, is this the solution?

Unfortunately, not. However smart the mentioned approach might seem it
isn't. The domain kiting can still work in a 'silent' mode. Even if
eliminated from the Internet, domains can still be gathered for a long
period for free. After 5 days the money is back and the domain can be
'registered' again and again either for a new fictitious registrant or
transferred to another dummy registrar. This all for reselling domain
names for hundreds dollars to everyone claiming interest in them. As
there is registrar's contact in the basic whois report, potential buyers
are given a possibility to contact them... and receive an offer to pay
an incredible amount for the domain. This can be a profitable business,
particularly, when massive domain registration for free is legally
allowed.
But even if no contact to registrar was published in the whois record or
anywhere else, domains would still be worth of being gathered by kiters.
Imagine a domain name you are interested in. You find it taken but by
reading the whois record and noticing the missing dns-server entry you
quickly come into conclusion that the domain is grabbed but not properly
registered, that is, it's most likely for sale. You then visit a broadly
announced website providing auctions on pending-registered domains. Then
you make another whois lookup right there in order to find out whether
your domain is for sale, and whoops, it is... You can then contact an
anonymous company for obtaining the offer. Internet users could soon get
used to using their whois lookups instead of official ones at
registries. Nightmare, isn't it?

3. Honestly, do we really need Add Grace Period?

In general, the mentioned typo corrections, fraudulent orders, or
whatever 'refuse to pay' decisions constitute the meaning of Add Grace
Period (AGP). Let's have a look at them more in detail

1. For typo corrections we don't need AGP as the correction doesn't
cause the order to be cancelled; it just gives registrants an
opportunity to correct minor typos in their domain name during a short
period after the registration. To avoid possible misuse only one such a
correction should be possible. The typo change should be officially
requested at registrar, accepted or rejected by registry (not registrar)
and the request archived at registry for further investigation purposes.

2. Refund in due to fraudulent orders sounds a bit suspicious. If this
was true then the domain registration service would profit from a
privilege other services can just dream of. I can't mention any service
(such as ordering software online for hundreds dollars) that is
protected by such a sort of 'grace period'. It this happens to them they
(at worst) have to go to court and claim their money back like anyone
else. There is no any reason for prefering domain registration to other
services in such a way.

3. 'Refuse to pay' summarizes whatever reasons for not paying for the
ordered domain name. Although companies from time to time introduce
limited offers such as 'Money-back guarantee' this is not common in
trading. They themselves take a risk of possible consequences and can
cancel the offer whenever an abuse is likely or proven. The abuse of AGP
in terms of millions of snatched domains is more than evident.

Getting summarized, there is not too much left for keeping on supporting
the AGP model. The pros are negligible and the cons enormous - millions
of snatched domains that are not paid for and being constantly taken
away from people willing to buy and use them.

The only consistent solution seems to get rid of AGP at all.

Dominik