Blocklists don’t keep up with domain names as their use changes.
Michael Sumner, a partner at domain name sales data site NameBio, had a rough start to November. He woke up on November 2 to find a message from PayPal in his inbox with the subject “You can no longer use PayPal.”
In a follow-up communication, PayPal explained to him that some transactions were flagged because they mentioned domain names that have previously been used for malicious purposes. He wrote:
Imagine this… Example.tld is used for a file sharing site for years. That domain expires, one of you knuckleheads buys it, and then months later you try to auction it off. “I’ll buy a featured listing to promote the auction!” you say. Getting smarter, but not smart enough.
Now there is a PayPal transaction with the title “Example.tld featured listing for 7 days.” PayPal then implements a new system that flags transactions to/from file sharing sites. Only the list is out of date and Example.tld is still on it even though it expired months ago and hasn’t been used in that capacity since. Now PayPal thinks we’re involved with that file sharing site and taking payments on its behalf.
PayPal maintains blocklists of domains that set off alarm bells. To what extent it investigates the transactions before suspending an account is unclear. (PayPal did not respond to a request for comment for this story.) But it’s clear that PayPal uses domain blocklists to flag transactions and decides to suspend accounts before contacting the account owner for clarification. It also freezes funds in suspended accounts for 180 days.
It turns out this isn’t the first time that NameBio has faced a problem due to domains on blocklists. Its Mailchimp account was suspended earlier this year for a similar reason. Domain names it included in its daily emails were on blocklists at Mailchimp.
Like PayPal, Mailchimp operates with a “suspend first, ask questions later” policy. A Mailchimp spokesperson told Domain Name Wire:
Mailchimp uses a combination of third party and internally-maintained domain block lists. We use automated systems to check domains against the various lists, and we may automatically suspend an account or flag it for review when we find a match. If an account is flagged by our automated systems, and it’s from a legitimate research organization, news outlet, or another type of account with a valid reason to use or reference that domain name, our Compliance team will work with them to address the issue.
While I’ve never personally run into this issue writing about domains on Domain Name Wire, I take some precautions if I’m worried about how a domain might have been used in the past — or how it will be used in the future. I often add a space between the second level domain and .TLD.
Brian Krebs of Krebs on Security writes about lots of malicious websites. He uses the format secondleveldomain[.]topleveldomain.
The problem with domain blocklists is that a domain’s use and ownership change. These blocklists can quickly become stale and outdated. If service providers use blocklists to flag “bad” domains, they owe it to their customers to research how a flagged domain is currently being used before suspending an account.
Great post. Thanks for covering this.
I would add that the 3rd party providers have some room for improvement as well. They are costing these companies using the block list services a great deal of time along with lost revenue/customers.
There is a great deal of trust lost by the shoot-first-ask-questions-later tactic but it’s the “weapon” that caused the problem too. These providers have a responsibility as well. It is to make a better tool, then to train the services in how to use the tool and not cause these issues.
Creation date is not that hard to scrape and recognize a domain went through a drop cycle. So it would seem research is not their issue, it’s a bad domain forever until proven otherwise. Similar to the treatment of the registrant.
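The drop-cycle check this comment describes, as an added example that is not part of the original post or any provider's actual system: it compares the date a blocklist entry was added with the domain's registration date and routes re-registered domains to review instead of automatic suspension. The blocklist, the RDAP-style records and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample data, not real listings or lookups.
# Blocklist: domain -> date the entry was added.
BLOCKLIST = {
    "example.tld": "2019-03-10T00:00:00+00:00",
    "stillbad.tld": "2023-01-15T00:00:00+00:00",
    "norecord.tld": "2021-07-01T00:00:00+00:00",
}
# RDAP-style responses (the "events" array of RFC 9083), keyed by domain.
RDAP = {
    "example.tld": {"events": [
        {"eventAction": "registration", "eventDate": "2023-05-02T12:00:00Z"}]},
    "stillbad.tld": {"events": [
        {"eventAction": "registration", "eventDate": "2018-09-09T08:30:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-02-01T00:00:00Z"}]},
}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def parse_ts(value):
    # fromisoformat() before Python 3.11 rejects a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def registration_date(record):
    for event in (record or {}).get("events", []):
        if event.get("eventAction") == "registration":
            return parse_ts(event["eventDate"])
    return None

def triage(domain):
    domain = domain.lower()
    if domain not in BLOCKLIST:
        return "clear"
    registered = registration_date(RDAP.get(domain))
    if registered is None:
        return "manual_review"      # no evidence either way
    if registered > parse_ts(BLOCKLIST[domain]):
        return "stale_listing"      # re-registered after it was listed
    return "current_listing"        # same registration as when listed

def triage_memo(memo):
    # Check every domain-like token in a transaction memo or email body.
    return {d.lower(): triage(d) for d in DOMAIN_RE.findall(memo)}

if __name__ == "__main__":
    print(triage_memo("Example.tld featured listing for 7 days"))
```

A registration date older than the listing does not prove the owner is unchanged, since a domain sold or auctioned before deletion keeps its creation date.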
Tell me about it, Andrew. I literally just bought a great domain for a very hefty sum that has no discernible bad use in Archive.org or screenshots history or in search, was probably held by the person I bought it from with only parking going on for years, plus perhaps some occasional parking-like forwarding, only to discover it is totally blocked on Facebook. You can’t post it or even mention it in any comments. That’s huge. It is also just plain bad. The error message alone when you try is also likely to be defamatory and injurious.
Plenty of sites out there where you can check blacklists – mxtoolbox.com, virustotal.com etc. If you own names that are blacklisted, REQUEST WHITELISTING!
Thanks for the tip. I checked mine and it’s clear, no blacklisting. Seems to be only blocked at Facebook. They are notoriously difficult to contact. I have tried numerous times and ways now, but no reply. Sad.
Thank you for answering the question of social media using public block lists versus creating internal block lists.
Censorship aside, I had the feeling they really need to have their own internal lists because some miscreant behavior will be platform specific.
They obviously don’t care how this affects people when it’s either in error or no longer current. It also becomes false and defamatory when you are talking about new ownership and management.
Very interesting. I only really use PayPal to pay for names I acquire from other investors anymore. But when I do I also put the domain name in the memo/comment field so I can easily tie a transaction to the domain.
Moving forward this gives me pause to do so to avoid issues with my PayPal account, or theirs. I will probably just add a column to my spreadsheet for PayPal’s Transaction ID and track what transactions are for what domain that way.
I think that’s a wise idea.
I have no doubt that you can find many other non-domain businesses that have had serious issues with PayPal. Unless you know someone in power there, a decision by an employee to shut you down, for reasons they won’t tell you, can last for months or even permanently. As a small business, you are insane to trust PayPal as your only payment option, or even as a reliable backup.