Something has to be done.
Robocalling, SMS spam and email spam to contacts collected from newly-registered domain names are out of control. Simply out of control.
I registered a domain name last week using a Google Voice number so I could track the marketing. I received two SMS messages from people pitching logo design and video production within 24 hours. One around midnight. I also received a phone call from someone offering to create a website on my new domain name.
I blame nefarious peddlers who are making it easier and cheaper than ever to obtain Whois information.
But regardless of blame, I hope that registrars can come together to take out the revenue side of this equation. It might be a game of Whack-a-Mole, but can we give it a shot?
Each SMS or spam message leads to a website. If these websites are suspended then the marketers have to switch domain names to keep the revenue flowing.
This morning I received an SMS message promoting video production at OctaVideos.com. The domain is registered at PublicDomainRegistry (part of Endurance International Group) and hosted at LiquidWeb.
Based on this whois record, I don’t know how it passed verification checks:
Another one I received links to 29DesignX.com. That domain uses eNom’s whois privacy. Another…LogoRadical.com is registered at GoDaddy using its Whois privacy service.
I realize false complaints could be an issue, but something has to be done about this.
Or maybe a registrar can file a false advertising suit. Consider this claim made by “Frank” at OctaVideos when I chatted with him this morning:
One other solution: Registrars can offer free “phone number privacy” to customers. They would just make the phone numbers go to a voicemail system. Email spam is easy to handle. Robocalls and SMS are not.
Oh, and Apple: please create an app to block this crap, or at least let third parties offer apps for it.
The gTLD Club says
Did you write “verification checks”?
Andrew Allemann says
Correct
James says
It should have failed WHOIS “format validation”, meaning the fields were empty and/or not confirming to the expected format (e.g. a “/” in the “State” field).
Verification checks that the data provided is accurate versus third party sources or confirmed directly. Much harder and prone to failure.
I’m only pointing this out because we are seeing yet another push within ICANN for the latter….
Jamie Zoch says
I was hammered the same way all last week and bleeding into this week after registering a domain as well. It was crazy!!!
The easiest way around it currently is simply to use whois privacy, not register domains or use BS whois data 🙂
Andrew Allemann says
The unfortunate thing for you and me is that a lot of other spam is based on old lists. So even if we stop it now, we’ll continue to get some marketing. But I suspect recent registrations are the most valuable to these marketers.
Luke says
Yep, unfortunately many of them use very old lists. I still get bombarded about domains that I sold years ago or domains that were switched to using whois privacy services some time ago.
Nick says
GoDaddy goes out of there way to allow SPAM and make it easier for domain owners to get their account hacked through WHOIS research. When I buy Expiring Domains on Godaddy Auctions it puts my MAIN Godaddy email address in the public whois info, instead of email address I set on “Domain Registration Defaults” . I brought this up with GoDaddy many times, but GoDaddy 100% does not care about WHOIS SPAM of any sort or care about phishing attempts on the email addresses of customers.
Joe Styler says
Thanks for the comment Nick. It is a good point and something we have on our list to change but it has not been addressed yet. You can add privacy to the domain as soon as it hits your account. Ive seen this done many times and places like Domaintools were not able to pick up the personal info before it changed but you do need to be right on top of it until we make a change.
Nick says
Hi Joe, I’m sure if it was up to you, you would not let my MAIN Godaddy email address be out in the public whois info, instead of email address I set on “Domain Registration Defaults”. However , you said what I always hear Godaddy say which is Buy Privacy. Is this why Godaddy refuses to help customers stop phishing attempts ? So they can try to charge a crazy $8 FEE for Every Domain just to stop phishing attempts? Pay double the domain fee or we will help the hackers and spammers find you. That’s the business model right?
Anticareer says
Who is the person most responsible for requiring public WHOIS requirements when registering a domain. Would be eye opening to them if every time someone registered a domain they put that person’s contact info in there and let them get the constant spam.
Adam says
Thank you for posting about this. This happens to me all day, every day. Seems it just started a couple of months ago or so.
Andrew Allemann says
It has certainly gotten much worse recently.
Joseph Peterson says
Has it gotten worse? Already the volume of whois-based robo-calling was high enough that I’ve kept my phone almost permanently OFF for the past 2 years.
And I’ve been clicking past scads of spam emails every day for at least a couple of years now.
Andrew Allemann says
The numbers are increasing for me, but I don’t have exact numbers.
Joe Mizereck says
Amen, Andrew. I am bombarded daily by these idiots.
Sinisha says
in the last seven days i have received 27 spam emails targeting some of my newly registered domains and on top of that i have received numerous phone calls, precisely 11 offering to build out the website for specific domain name, and they are very persistent and aggressive, sounded like they were calling out of India judged by their accent, because of the time difference they calling when we sleep, ggrrrr…
Acro says
Google voice numbers block all spam, SMS included. Just make sure you use it so that you won’t lose it.
THCNames says
Partial whois privacy is a good option. That only shows your name or company, and all the other contact details are hidden.
I’ve seen a lot of people use partial privacy and include a URL in the name field.
Eric Lyon says
It’s crazy how every time we close a door to spam, a new one opens. There are people so desperate for business that all they do is spend months researching and thinking up ways to get an unauthorized (Spam) sales ad in front of you.
I think the biggest hurdle when it comes to this type of data-mining/harvesting campaign for the purpose of unsolicited advertising, is that the laws are different in every country. At the end of the day, every country needs to be on the same page and enforce said laws before any of these tactics stop. I’m not sure it’s the sole responsibility of the registrar and maybe more-so the registry or ICANN to formulate a counter-measure.
Rubens Kuhl says
Perhaps these are issues worth raising at the ongoing RDS PDP…
John Berryhill says
Rubens, you know how that discussion goes.
First, they deny the scope of the problem.
Then, they suggest the problem is largely fictitious or anecdotal.
Finally they put in some token and ridiculous required “terms of use” for Whois data for which there is zero economic benefit or efficiency for anyone to enforce, and say that the problem is solved because no one is allowed to use Whois data for spam.
But a someone, somewhere, is buying fake or counterfeit medications because they can’t afford the real ones (or else know full well they don’t have a prescription, and so…. everyone else who registers a domain name has to get unsolicited telephone calls and emails.
John says
And so much for do not call lists…
Andrew Allemann says
Yeah, really. I guess it’s too hard for the government to track down who is making these calls.
Join Domains says
If they are lucky I am playing guitar when they ring, Strange? They hang up instantly
Jonny Quest says
Someone should reg a few … using the contact info for GoDaddy & other domainer-spammer allowing company executives …
Joseph Peterson says
@Johnny Quest,
Why on earth would you blame GoDaddy or any other registrar for the actions of spammers?
Louise says
Didn’t you consent to it in the terms of use? Check out some excerpts from:
GoDaddy Privacy Policy
Last Revised: February 9, 2017
under, Contacting you.
Under, Information Collection and Use:
So, Godaddy is trying to make your, “purchasing experience,” more enjoyable.
It is another website, like Google itself, that logs your IP address, and all its associated activity, but doesn’t associate it with your personally identifiable information.
Troubling is warning that, though you may delete your account at Godadd,
When your GoDaddy account is cancelled (either voluntarily or involuntarily) all of your personally identifiable information is placed in “deactivated” status on our relevant GoDaddy databases. However, deactivation of your account does not mean your personally identifiable information has been deleted from our database entirely. We will retain and use your personally identifiable information as necessary in order to comply with our legal obligations, resolve disputes, or enforce our agreements.
Whatever you agreed to, “greed,” being the operative expression, Godaddy intends to enforce it into perpetuity.
Jonny Quest says
Uh … only because (as others point out above) they refuse to allow, e.g., the use of alternative / secondary phone numbers and other methodologies to greatly reduce or stop this; and because they charge for privacy, which should be free.
Joseph Peterson says
@Johnny Quest,
Most registrars that offer whois privacy charge for it. Some places sell bottled water too, instead of giving water away for free. Perks (like free whois privacy or free drinks) are nice, but they aren’t rights.
Also, there’s a difference between “refuse to allow” and “haven’t yet implemented”. You can scroll up and see GoDaddy’s actual response to this issue, which was (and I quote):
“It is a good point and something we have on our list to change but it has not been addressed yet.
Doesn’t sound like a refusal to me. Naturally there are a lot of changes we’d like registrars and market places to make, but let’s be fair. Spammers are responsible for sending spam. Robo-callers are responsible for unwanted calls.
Steve R says
Your response sounds a bit like employing a security company to monitor your house, you lock all your doors and windows then give them the keys, they then post a public list that informs potential thieves you are on vacation. Not a company I would use.
On the opposing side is the sheer volume of spam mail to my personal email, a one point 100+ a day, with links to Verisign registered websites, where is the proper validation?, and enforcement of no spamming rules?.
Umer says
Get yourself Truecaller app, what i have noticed is most of these calls show up as Restricted or Unknown you could simply set up block calls from hidden numbers in truecaller. It worked for me at least 😉
Andrew Allemann says
Thanks Umer. Is it true you have to give them access to your address book?
James says
WHOIS privacy helps. But we need to address the problem of WHOIS harvesting. Registrars can employ counter measures (quotas,rate limits,CAPTCHA, etc.) but the bad actors still mine the data.
And what is the role of the carriers? I’ve called Verizon about this, and even provided them with a list of numbers (some admittedly spoofed), but they do not seem to think they have a role in the problem.
John Berryhill says
…which is remarkable considering the lobbying effort on WHOIS data that the telco representatives in ICANN have put into ICANN, while the volume of fraud and crime conducted through the telephone network grows unabated.
Registernuke says
Although not a real solution for every new domain bought, what I have from time to time is to actually use a landline number that has the ringer turned off. It’s either that or use the elevator phone number. But receiving calls within 2 days of a new domain registration from “expert” web designers is a common thing and yes it does get annoying.
A Mitchell says
Do-not-call lists (DNC) do not cover or protect commercial enterprises. Nor is coverage afforded by other consumer-oriented telephone-solicitation protections such as no-rebuttal and ask-for-permission rules, which like call-center-registration requirements in the US, are set, administered and enforced on the state level. Because it is so tedious and relatively expensive for offshore call centers to register in individual US states, and because enforcement risks for non-compliance are practically non-existent, most operators simply ignore registration requirements.
An obvious solution would be for the National Association of Attorneys General to facilitate a national clearinghouse for standardized multi-state registrations, possibly tiered so as to bring in small operators as well as the big ones.
Another solution would be for US consular-affairs offices in South and Southeast Asia to provide ombudsman services for crime victims in the US seeking enforcement actions against fraudulent operators overseas. Some offshore jurisdictions have efficient and responsive cyber-crime cells. Rajasthan, for example, which is India’s largest state, has a cyber-crime unit with a good reputation. The law-enforcement capacities of the two provinces to the west of Rajasthan, Punjab and Sindh, leave something to be desired, as illustrated by the Wikipedia entry for Axact Pakistan.
Pure-play merchant call centers are declining in popularity in comparison to other types of offshore facilities that are dialing into the US. Merchant facilities don’t appear to be the big problem here. Instead, the problems come from operations where voice makes up less than 25% of the work being conducted. These operators don’t see themselves as call centers. They’re not bothered by US legal considerations. A few well publicized convictions could provide a valuable education for this lot.
Another area for enforcement would be to go after the list brokers for selling dirty lists that combine commercial enterprises with consumers, in recognition of the fact that many domain registrants do not operate as commercial enterprises. Properly scrubbed and highly targeted lists are expensive, with prices starting at 20 cents per name. A big old dirty list can cost less than a penny per name. “Old” means older than six months.
Lists are often leaked (stolen or illegally resold) from one entity to another. An ops manager at a merchant facility can make extra money reselling lists that have been paid for by US clients. I have yet to hear of any prosecutions or civil actions taken in response to such activities. If any of the lists that I’ve provided have not been re-used, it would come as a surprise.
Louise says
As noted in my comment, above: https://domainnamewire.com/2017/02/16/control-block-sms-spam-robocalling-based-whois-info/#comment-2243278
it appears godaddy clients consent to appear in their database of call center leads, which certainly is an income stream for Godaddy.
It’s open season on your browsing, purchasing habits, and other online activities, as regards Godaddy because of the terms you agreed to, in order to have your whois public.
Registrars, ICANN, and VeriSign are hugely benefitted from private whois, in order to keep their theft of valuable domains opaque. That is why, Godaddy punishes you for public whois, by selling your data to unscrupulous call centers.
Here is an example of a company which deals in call center leads:
http://www.caldwell-list.com/call-center-leads
Andrew Allemann says
I could care less if GoDaddy calls me. It’s dozens of spammers calling me that I don’t want.
Louise says
I get it. See my reply to Joe Styler, below.
Joe styler says
GoDddy simply does not sell any customer information to anyone. We don’t give away your information to spammers or call centers and to my knowledge have never done so. (I’ve been here 11 years.).
The information is being gathered from the public Whois. I also get this spam and texts and it has increased for me as well recently.
Louise says
But you’re covered. Godaddy is covered by its terms.
You told me here – and I appreciate it! – that Godaddy doesn’t sell information as call center leads.
The terms are vague:
And:
Here is the kicker:
Godaddy Is well-covered by geniuses who write its terms, to block a class action lawsuit, in case Godaddy DOES sell on your personal info as call center leads.
@ Joe Styler, you may not be aware. Why don’t you ASK, if selling customer information is an income stream for Godaddy?
Registrars’ margins of profit on domain registrations are low . . . so an income-stream from selling public whois information as call center leads doesn’t seem far-fetched.
Sincerely,
Louise
Louise says
Furthermore, Godaddy prizes its public whois info enough, that your email addresses and phone numbers DO NOT appear on regular whois searches, only by accessing the whois on Godaddy website, after proving you are not a robot.
For example, the url which redirects to this blog:
http://whois.domaintools.com/dnw.com
Email address and phone is not accessible from this whois lookup.
You go here:
https://www.godaddy.com/whois
and prove you’re not a robot
https://www.godaddy.com/whois/results.aspx?checkAvail=1&domain=dnw.com&prog_id=GoDaddy
to access the information.
Godaddy keeps tabs on any attempts to harvest public whois data for call center leads.
Godaddy has painted itself in a corner on this matter. It alone has easy access to your public whois info. Its terms broadly cover robo-calls and messages from its partners.
Louise says
I’m sorry to you on this forum, who have to deal with robo calls and unwelcome text messages, because your public whois info – which can’t be accessed by just anyone! – was sold to unscrupulous telemarketers by Godaddy, who regards your time and energy as cheap, and rewards your collective loyalty to Godaddy this way. Hope you sort it out.
In conclusion, keep careful track of your domains with Godaddy, and all account linked to your mobile phone numbers! Reporting any loss to the authorities may be more effective, if in aggregate with the commenters to this thread . . . Andrew did a great thing to publish this.
Joe Styler says
GoDaddy doesn’t give sell any customer data. The info is harvested from the WHOIS. It would make little sense for us to sell customer info to third party companies looking to service your domain with SEO or web building services when we provide those. The issue of WHOIS spamming is very bad but there have been some good suggestions on how to deal with them in the comments on this post such as reporting them to authorities and also repairing the domain profiles so that they work with auction wins on GD which I will pursue.
Louise says
You can’t have it both ways.
Godaddy can’t slip in terms which protect extreme misconduct, and – at the same time – say the thought never occurred to Godaddy!
Joseph Peterson says
@Louise,
What terms “protect extreme misconduct”? I don’t see anything untoward. Scrolling up, I see a portion of the contract that describes storing customer information. But that’s commonplace and perfectly reasonable.
E-commerce websites need to log data about transaction history, including past and present customers. Even a simple domain blog retains information supplied by people who leave comments.
It seems to me you’re fundamentally mistaken about the source of domain-related spam and robocalling. Although you allege registrars are unscrupulously selling customer contact info, that’s pure speculation; and it has been denied by the company.
Most of us understand that spam comes from people who are buying bulk whois info. And we already know who sells the info, how much it costs, etc. Articles have been written about them long before this. Public whois info is readily available in bulk; and that cached data is dirt cheap too. All the time, strangers send me unsolicited emails and text messages, offering to sell a comprehensive database of whois phone numbers and emails for peanuts.
There’s no need to go to GoDaddy or any other registrar to get this contact info because it’s floating around already. Registrars couldn’t earn much by selling whois data – not even if they wanted to – because the people who’ve scraped / pirated / copied the whois contact info, without any help from registrars, would undercut them on price.
On this issue, you’re blaming the wrong people.
Louise says
Hi, However primitive that strategy I accuse Godaddy of profiting from sounds, it is embodied in the Registration Data Access Protocol (RDAP), concocted by the ICANN / VeriSign / major Registrar syndicate, “which was designed to address the many deficiencies of WHOIS.”
Please bear with me.
The 2013 Registrar Accreditation Agreement states in part 3.3.6:
“In the event that ICANN determines, following analysis of economic data by an economist(s) retained by ICANN (which data has been made available to Registrar), that an individual or entity is able to exercise market power with respect to registrations or with respect to registration data used for development of value-added products and services by third parties, Registrar shall provide third-party bulk access to the data subject to public access under Subsection 3.3.1 under the following terms and conditions:
3.3.6.1 Registrar shall make a complete electronic copy of the data available at least one (1) time per week for download by third parties who have entered into a bulk access agreement with Registrar.
3.3.6.2 Registrar may charge an annual fee, not to exceed US$10,000, for such bulk access to the data.”
The ICANN / VeriSign / major Registrar syndicate determined public whois data has reselling value, and has taken steps to protect it from illegal harvesters. For instance, Godaddy, Moniker, and Network Solutions whois lookup require the user to prove he is human, not a bot. That minimizes harvesting from the website (while flagging potential domains for reselling interest!).
2. in the Registration Data Access Protocol (RDAP) are defined levels of client access. My searches are anonymous public or, in your case, when you are logged into your accounts via mobile, they see the lookups from your account identifier.
“Unlike WHOIS, RDAP gives servers the ability to vary the amount of information returned in a response based on the client’s identity and the amount of information they are authorized to see.” That is, the clients who would be interested in buying different data points of public whois,based on the limits they signed up for. To make it scalable of which client is entitled to what, Versign launched federated authentication.
‘What is federated authentication? It’s a form of authentication in which the parties involved in using and providing a service agree to form cooperating units with third-party identity providers to create, manage and use identification credentials.”
So, one server manages the credentials to limit access by different clients.
Joseph, bear with me.
What the VeriSign / ICANN / major Registrars syndicate is talking about in the RDAP replacement for whois is:
“thinking now about how to make the best use of these features to ensure that we can optimize and appropriately manage access to registration data.”
Public whois data has value. The whois replacement is going to limit access from anonymous harvesters. That is a good thing. But it will be promoted and sold to paying clients, who are supposed to agree to not SPAM or robo-call or text message en masse.
It’s still in the testing phase. Also, in the Draft Charter for a PDP WG on a Next-Generation gTLD
Registration Directory Service (RDS) to Replace WHOIS of October 2015, there was mentioned “risk assessment,” “risk analysis requirements,” and:
Risks: What risks do stakeholders face and how will they be reconciled?
Probably talking about legal exposure, not security.
This article and thread would factor into a discussion about risks.
Ref:
We Need You: Industry Collaboration to Improve Registration Data Services
– blog.verisign.com
How Will Your Registration Data Be Managed in the Future?
– blog.verisign.com
A Mitchell says
The spam calls and spam emails from my GoDaddy names are dwarfed by those received for domains registered at eNom and Uni.
It doesn’t seem logical that a registrar would be selling or giving away whois data.
Why would GoDaddy sell registrant data to companies that offer services similar to those offered by GoDaddy?
Answer: they wouldn’t.
Instead, I would guess that the data is being aggregated by list companies and perhaps by offshore web development companies that operate captive (non-commercial) call center operations to support their business development activities. To clean these lists (of non-commercial entities and cell phone numbers) would cost money and eliminate most of the names on the lists, so cleaning simply isn’t done. The legal liabilities for selling dirty lists needs to be explored and clarified, especially for lists containing cell-phone numbers that are also on DNC lists, and for the use of dirty lists by captive facilities in India.
Some manual dialing is obviously being done, but more than half of it appears to be coming through modern autodialers and US PoPs. Mom-and-pop shops don’t have autodialers.
It would not be difficult to run honey pots to catch some of these offshore captive facilities, but if there is no mechanism for prosecution – then identification and apprehension activities are premature. If there was a bounty paid for successful prosecutions, how might that change the volume of spam emails and sales calls?
Louise says
The only ones left out of the remuneration scheme to sell registration data to
“an individual or entity [who] is able to exercise market power with respect to registrations or with respect to registration data used for development of value-added products and services”
– 2013 Registrar Accreditation Agreement
is the one whose public whois registration data will be exploited – you, me, the REGISTRANT.
There is a way to remedy the disparity If Blake Irving asks me here, I’ll detail it.
sanny says
With SpamHound I can manually configure your filters in the Black- and Whitelists and easily create rules for clearing my inbox from undesired content.
Alok Sharma says
I live in India, a country where telecalling, telemarketing and spamming is as common as tea-stalls at every corner of the street. These people have no fear because they know how to twist and bend the law.
Just like everyone, I too got fed-up with dozens of phone calls, emails & SMSes come through after registering domain names.
At the end of March 2019, I contacted ICANN and briefed them about this problem and this what they replied:
—
WHOIS is to be used for any lawful purposes except to enable marketing or spam, or to enable high volume, automated processes to query a registrar or registry’s systems, except to manage domain names.
There is ongoing development on the Registration Data Access Protocol (RDAP) to improve or reduce the issue you may be experiencing. This new protocol was created as a replacement for the WHOIS protocol. The advantages over the older protocol include providing the option to enable differentiated access (e.g., limited access for anonymous users and full access for authenticated users).
You may find more information about RDAP via the following link:
https://www.icann.org/resources/pages/rdap-gtld-profile-2016-07-26-en
—
Almost 2 years later, nothing has changed.
This week, I registered a few domains and since then have been bombarded with telephone calls. And when I told them that who authorized them to harvest my information from WHOIS and call me, the MF said, that your information is public and anyone can access it and use it to for marketing purposes.
Now I am thinking of putting fake address & phone number to get rid of all this. But that would not entirely solve the problem as these MF’s will report inaccurate WHOIS to the registrars.
Hopefully ICANN re-considers about the ongoing issues and takes necessary steps.
Alok Sharma says
BTW, has anyone heard about this https://anonymize.com/whois-protection/
I did sign-up, and it created an anonymous record including a unique email address for me which I am supposed to update at my registrar.
However, I am not very much sure how safe it is considering the fact that they provide a unique Anonymize.com email address. If god forbids, something wrong happens at their end, I will completely lose access to my domain name in terms that I won’t be able to transfer it to anyone if I am not able to access that email address.