16 comments

[ 0.23 ms ] story [ 46.4 ms ] thread
That's strange. A quick search shows lots of people complaining that GoDaddy is front running. The company swears they do not and they are against the practice. Maybe their servers are compromised?
> The company swears they do not and they are against the practice. Maybe their servers are compromised?

No, they're just full of shit.

"They" might not do it, but they sell the data to someone who does. The end result is the same. Their statement is meaningless.

"I didn't kill my wife. The hitman I hired did."

> the only explanation is that GoDaddy knew I had searched it and so bought it pre-emptively

They've been known to do this in the past (or at least so I've heard), and yes getting a domain purchased within an hour is unlikely, but with millions of domains out there, this would happen by chance eventually.

It could also be a compromised chrome extension and not necessarily GoDaddy doing it.

Front running in domain names has been going on for years. Never search for domain names on a domain registrar, just use dig/host/nslookup/whatever on the command line, using a sensible resolver.
What's the sensible resolver?
You want whois instead. A domain can be unavilable but without working DNS.
Yes. Twice. By GoDaddy

Aduro.com in 2004. And I forget another in 2007/2098 (perhaps Sandbay.com)

Not a fan of GD since.

But if we check the domain history of aduro.com, it was not available to buy in 2004. It was owned until 06/2004 by Yahoo and then it looks like it went through 3 holding companies until it ended up with another hosting company.

So, you never bid enough on the domain even though godaddy showed it to you as purchasable?

Godaddy does keystroke logging (it's their web page, why not).

Without your actually clicking "buy" Godaddy knows your domain.

Try it! Using a throwaway email, fill in the Godaddy form with a novel domain name, email contact, etc, but don't click on any "next" or "buy" or even "search" buttons.

Sit back and wait. The spam will start to arrive. The spam will be web and SEO and logo and app developers.

They are "affiliates" and they pay Godaddy for details of new DNS domains. They don't pay much perhaps, but they are getting first-hand info of your DNS ideas.

That's where the front-runners get the info; domain-squatting is free so it's free money to them.

Does that count as a "business relationship" per the CAN-SPAM Act?
Can you link to the form you are talking about? If I fill out the "find my domain" part I have to create an account before I can fill out any contact details.
I rechecked using the UK site at godaddy -- godaddy.com/en-gb

and couldn't reproduce it. The steps were:

1. pick a novel domain 2. register and account with name and throwaway email 3. click checkout 4. empty the cart 5. enter a new novel domain name but don't Enter or Search 6. wait two days -- observe no email 7. click search 8. wait two days -- observe no email.

So I conclude they don't do the keystroke logging any more, or at least not on the UK site.

Yes. If you put a domain in your cart and you abandon it, it will go to a list of affiliates who may then buy the domain.
I feel like the easy way to solve this is to run an experiment (perhaps across a small group of people and IPs) that search for a pre-defined list of domains (maybe 10-50 domains), but don't complete checkout. Perhaps even spread this out over a few days.

Then, run a lookup to see which one of these domains have been taken. If none, then I'd argue this looks like a coincidence. If one or more domains were taken, it may be interesting to look into it further. If one would assume that the registrar is acting in bad faith, then I guess they're having some sort of "qualifier" algorithm that only takes the domain if they think there's a great chance of it paying off. They can't just buy any domain, that'd be way too obvious.

The sad thing is that raising domain prices would probably make the squatting less attractive ($1000 a domain). And only partly so, because they'd still continue to be a classic business expense (even on a larger scale) for squatters, but really hurt the individual or those starting out considerably (not sure about a side project, is it worth a $1000 domain?).

It's like the EU cookie thing, there is a problem that needs to be solved and everyone knows it. But the solution is not that simple apparently (or, as with the EU cookie banners, it looked simple but turned into a disaster).

And if it turns out to be true, that godaddy or affiliates just auto-buy domains fitting certain criteria, it should be somewhat easy to exploit that and screw them (or the affiliate)?

I do have a personal godaddy account, since that was the easiest way for me to enter the .co domain auction, so I sometimes look for domains there and buy them on my company registrars website (their interface for finding free domain names sucks...). I've not had the issue with a domain I searched for not being available to buy. And while I've never had that issue with godaddy itself, companies under the Host Europe umbrella have done this to me (meaning search for a domain in a e.g. a Host Europe account, realize I used the wrong account, sign into the partners Domain Factory account and the domain is unavailable).