25

I recently registered a .com domain name through a well-known registrar. I made the mistake of adding my phone number to the domain.

The domain name is fairly obscure, and I registered it for an extended period (5 years). There is no publicly accessible website associated with the domain name, and I control the DNS servers (and mail servers).

In the 24 hours after registering the domain name I've received 2 unsolicited calls from third parties trying to sell me web design services. They lie/speak garbage when asked how they discovered this information.

My question is this

  • How are they discovering the domain name registration?
  • Is there a public/semi-public database they are using, is my registrar selling this information or something else?
  • Do the .com root nameservers create a record and sell data of requests made against them?
Giacomo1968
davidgo
  • 9
    I have 3 *.com domains and 5 *.de domains... all with my full address, mail and phone number... never got a letter, mail or call... – Mischa Oct 13 '17 at 08:57
  • 7
    @MischaBehrend you're very lucky. As for davidgo: sign up for a separate/new Google account, and set up Google Voice on it -- do NOT forward the number to your actual phone, but just have it forward text/voice messages to the new email. Then use the new Google email and Voice # in your WHOIS data and you can still receive legit messages but now YOU get to choose when you have to sift through the crap. Also be prepared for the inevitable snail-mail spam: http://www.dcsny.com/technology-blog/idns-domain-registrar-scam/ – Doktor J Oct 13 '17 at 14:21
  • I've had a solid handful of domains registered for decades with a number I've kept for that same length of time, and have yet to receive an unsolicited call regarding domain/web services. Then again, I don't know what magic Google Voice does to protect me from spam callers. – music2myear Oct 13 '17 at 23:49
  • 1
    In my experience it's ramped up in recent years. Nowadays a new domain gets me maybe 25 phone calls and 50 emails in the following weeks. Web design, logo design, business advertising. – Matt Nordhoff Oct 14 '17 at 05:18
  • “How are they discovering the domain name registration?” `whois yourdomain.com` in any terminal, I guess. – Andrea Lazzarotto Oct 14 '17 at 10:31
  • 1
    @AndreaLazzarotto But any idea how they know to look up a domain that was just registered? – I say Reinstate Monica Oct 14 '17 at 17:27
  • Downloading and diffing the [.com zone file](https://www.verisign.com/en_US/channel-resources/domain-registry-products/zone-file/index.xhtml) on a daily basis, maybe? (Excludes domains with no nameservers, but good enough.) – Matt Nordhoff Oct 14 '17 at 19:54

3 Answers

38

Every domain is required by ICANN to have a WHOIS entry, which among other things, includes the name, address, email, and phone number information of the domain's registrant, administrative, and technical contacts. While it's against the rules (section 3.3.5) to use this for marketing purposes, it's done all the time. It's partly for this reason that many domain registrars offer a "privacy" service whereby they act as a communication proxy for the domain's actual contacts.

There is no central WHOIS database, so I'll be honest I don't know how they find newly created domains*. While WHOIS records do contain information about when the domain was created, last updated, etc., I'm not aware of a way to query a WHOIS database based on these fields. But then I'm not a spammer either...

According to ICANN's website, handling complaints about abuse of WHOIS data is outside their authority, and they suggest you seek other methods to deal with the problem:

Spam complaints are outside of ICANN's scope and authority; for these types of complaints, please refer to one of the options listed below:

  • You may want to contact a law enforcement agency in your jurisdiction
  • You may want to file a complaint with a consumer protection entity such as the International Consumer Protection and Enforcement Network or the US Federal Trade Commission
  • You may want to contact the spammer's Internet Service Provider
  • You may want to contact the registrar of the spammer's email

If it's any consolation I've registered my fair share of domains and my experience has been the phone calls and spam email come to an end rather quickly.


*I did a quick Google search and discovered a number of services offering bulk access to WHOIS data.

I say Reinstate Monica
  • Thank you for your email. I was aware of the WHOIS database and its contents but was unaware that ICANN lets it be abused (after reading https://whois.icann.org/en/primer I'm pretty sure that this is how the data is being acquired). – davidgo Oct 13 '17 at 05:39
  • It's a public entry for third parties to contact you, meant to give them an option to contact you if something with your site is off or for business. So it's not really ICANN that lets it be abused but rather those that contact you. The primer is pretty good on that. – Seth Oct 13 '17 at 08:28
  • 3
    @Seth, except for their statement "Under the ICANN contracts, WHOIS can be used for any legal purpose except to enable mass unsolicited, commercial advertising or solicitations, or to enable high volume, automated, electronic processes that send queries or data to a registry or registrar's systems, except as necessary to manage domain names." – davidgo Oct 13 '17 at 08:39
  • Yes but it's not a legal reason and your local registry can actually have other requirements for the usage of that data. If I take my local ccTLD it expressively reads: It is not permitted to use it for any purpose other than technical or administrative requirements associated with the operation of the Internet or in order to contact the domain holder over legal problems. ... It is prohibited, in particular, to use it for advertising or any similar purpose. Another question would be how it's handled if you access that data through a third party that first had to agree to those terms. – Seth Oct 13 '17 at 08:56
  • 1
    My first thought on _how_ they discover new addresses would be bruteforce - automatically run `whois` queries on random strings, random words (from a dictionary API, say), or a combination of both, and logging the responses. Though I have no idea if that's how it's actually done. Could be a bunch of people in a room manually typing in random `whois` queries for all I know. – CGriffin Oct 13 '17 at 13:55
  • 1
    You can also do a whois com -L or similar query to get lists of data from a whois server – PlasmaHH Oct 13 '17 at 14:20
  • 2
    @davidgo it's worth noting that "can be used", here, likely means "you are allowed to do this without getting in trouble". It does *not* mean "it is physically impossible to spam, but other things are possible". That might be why the spammers were hesitant to tell you exactly how they acquired your contact details. – Soron Oct 13 '17 at 17:20
  • "I'll be honest I don't know how they find newly created domains" this is trivial, see my answer for details. And you are right that you cannot query (domain name) whois servers on anything else than a domain name (or a contact id or a nameserver name or IP but all of these cases are irrelevant here) – Patrick Mevzek Apr 06 '18 at 05:50
1

Each gTLD registry is mandated through its ICANN contract to provide its zonefiles.

The zonefiles list all published domain names, which is almost all domain names in the TLD, but not all: this excludes domain names without nameservers (a totally legit case, you can sometimes wish to protect a name without associating it with any online service), or domain names being "on hold" (the EPP statuses clientHold or serverHold that remove the domain names from publication).

You can do a search on CZDA to find the online platform that will enable anyone, for free, upon accepting a contract, to grab any gTLD zonefile; these are updated each day.

So, it is very easy that way to get a list of domain names, if you do it 2 days in a row you can compute the difference and find the newly added domain names (which would basically be the newly registered domain names, with some exceptions for the reasons outlined on top), and then do whois queries to grab the contact data associated to these domains and then contact people.

Note that when you access the CZDA you are signing a contract that enforces some rules on what you can or cannot do with the data. I am not sure that the activity described here falls into the acceptable case of the contract, but I am not a lawyer and this is extremely difficult to respect. Anyway, it is trivial technically.

ccTLDs most often do not provide access to their zonefiles. Some of them (like .FR) just provide each day the list of newly registered domain names. Which puts you back exactly at the previous step when you computed the difference of two zonefiles, and then enables you to contact people in the same way.

Also, and completely unrelated, if you read carefully the ICANN registrars contract (so again only for gTLDs) you will find inside a clause showing that the registrars have to sell their full database of names + contact data in some specific cases. This is costly ($10 000 per registrar!) but can also be a way to get the data.

A way to protect yourself against all of these solicitations is to register your domain names with privacy/proxy services so that your personal data never appears in whois output. This is offered by many registrars, and will become more and more the norm, due to new regulations about data privacy for individuals, like the GDPR in European Union.

Patrick Mevzek
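
A registrant-side check for the two points in the answer above, added here as an example and not part of the original post: it reads WHOIS output for your own domain and reports whether the name would be published in the zone file (it has nameservers and is not on clientHold/serverHold) and which personal contact fields are still unmasked. The sample records, the `Key: value` field labels and the masking markers are constructed assumptions; real registrar output varies.

```python
import re

# Constructed WHOIS output for illustration; not real registration data.
SAMPLE_EXPOSED = """\
Domain Name: EXAMPLE-OBSCURE.COM
Domain Status: clientTransferProhibited
Registrant Name: Jane Doe
Registrant Phone: +1.5555550100
Registrant Email: jane@example-obscure.com
Admin Phone: +1.5555550100
Name Server: NS1.EXAMPLE-OBSCURE.COM
"""
SAMPLE_PROXIED = """\
Domain Name: EXAMPLE-OBSCURE.COM
Domain Status: clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: contact@privacy-proxy.example
Name Server: NS1.EXAMPLE-OBSCURE.COM
"""

# Contact fields that identify a person, and markers a privacy/proxy
# service typically leaves in their place (heuristic, an assumption).
PERSONAL = re.compile(r"^(Registrant|Admin|Tech) (Name|Street|Phone|Email)$", re.I)
MASKED = re.compile(r"redacted|privacy|proxy|not disclosed", re.I)
HOLD = {"clienthold", "serverhold"}  # EPP statuses that unpublish a domain

def parse(text):
    """Return (key, value) pairs; WHOIS keys repeat, so a dict would lose data."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def audit(text):
    """Report zone-file visibility and unmasked personal contact fields."""
    pairs = parse(text)
    statuses = {v.split()[0].lower() for k, v in pairs if k == "domain status"}
    has_ns = any(k == "name server" for k, _ in pairs)
    exposed = sorted({k for k, v in pairs
                      if PERSONAL.match(k) and not MASKED.search(v)})
    return {"in_zone_file": has_ns and not (statuses & HOLD),
            "exposed_fields": exposed}

if __name__ == "__main__":
    for label, text in (("exposed", SAMPLE_EXPOSED), ("proxied", SAMPLE_PROXIED)):
        print(label, audit(text))
```

A proxied record can still be listed in the zone file, so the name itself remains discoverable; the privacy service only changes what a follow-up WHOIS query returns.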
0

You have received many good answers already but I think my experience indicates this information is being sold on a grand scale at a very fundamental level of access. I registered 3 domains 6mo ago and received about 50 telemarketing calls. 3mo later I moved and updated my ICANN information - it immediately triggered another volley of marketing calls. So, it seems the information is immediately available and triggered with any changes :(

This is so blatant and consistent as to make me believe the information is immediately available directly from ICANN and/or the name registration entities, either deliberately or through negligence. It's quite probable the name registrars are actively black marketing the information or at least negligent in protecting it.

Even after the last update 3mo ago I continue to receive 1-2 calls a day. In the future, I will use expired or message only phone numbers. (I have a magic jack number I no longer use, or I could use a google voice number that is no longer in use.)

jwzumwalt
  • Nothing is available to ICANN as they don't take a role during registration. Only registry (except COM/NET) and registrars have the contact details. Your registrar is free to sell all your data, if it says so in the contract you signed with it. Besides that, per ICANN rules, each registrar is required to sell all "whois data" for a rate not exceeding $10000/yearly. Be aware however that giving false information, including phone numbers, may lead to problems later when you have to prove domain ownership, and can be grounds for domain termination. – Patrick Mevzek Aug 24 '21 at 21:38