77 comments

[ 3.0 ms ] story [ 129 ms ] thread
I will never tire of writing this. Please stop using these idiots. Stop helping a bunch of idiots get together and make money. As long as you cause them to make money, you cause more people to use it and more people to experience this disgrace.
A few years ago I looked for a new domain registrar. I selected Dynadot. They are one of the biggest registrars, pricing and benefits similar to Namecheap, but a much better GUI and they pass on their ability to "taste" domain names to the customer (get a refund in credit within 72 hours).
Which registrar does not do this kind of stuff, so that I can migrate over to them?
I'm very satisfied with porkbun. Haven't noticed any behaviour like that and really like their straight forward approach.
I've used Joker.com for years and never had this issue, or really any issue with them. I'm in the US, but at the time they were the cheapest for .com and they've been great.
Would be really nice if there was one central source for the current listing of registrars and whether they suck or not. Like wirecutter for registrars, evaluating based on privacy protection, dark patterns like this one, and security.
If this is true.. it would be a real shame if someone flooded their searches with domains they are "interested" in.
I have to imagine they coded in some stop-gap like 3 domains per unique visitor or something, otherwise even legitimate window shoppers could ruin them.

That said, if anyone has a bot net they're not using...

There’s likely an expiry on any limit they have since they are probably more interested in people who keep coming back to look for new domains. Just set a long schedule of a month plus some randomness and do a burst of searches. Slow going but with enough accounts…
This is a random Reddit post why is everyone treating it as 'news' or even correct?
(comment deleted)
Because, unfortunately, this is where we are at. We can't trust registrars to act in good faith. Lots of people have assumed that Namecheap was above the fray, but that assumption can easily be false. With competition from cloud providers who offer domains at wholesale prices, and free DNS as well, Namecheap may be resorting to less than savory tactics to keep themselves alive.
Absolutely not, we don't front run domains, never have and never will.
Is there any way you can show that? Like some kind of audit that verifies all the domains you register are associated with real customers somehow? I really want to trust you and your team, and have never experienced front-running while using your service, and I realize it is hard to prove you are not doing something, but I have to think that some kind of technical/audit-trail solution would be a lot more effective than replying on various social media posts.
As you can see, the original poster deleted his original claim on reddit. No one has ever provided a single shred of evidence that this is actually a thing.
Wow this is quite disappointing to hear. I’ve been a happy namecheap customer for years and have bought far too many domains from them (too many side projects lol). I always believed they were the good ones, but maybe I’ll need to start looking elsewhere.
Thank you, these claims are absolutely false, we do not front run domains on our website.
I buy and host my domains with AWS. I got tired of the tricks of these small fry places.
Yup. Hate to give yet more business to the behemoths, but I know Amazon will not play these games.

Still bitter about a domain that Godaddy stole from me when I wanted to quickly query one. Even at the time, I knew better, but was in a rush.

Amazon very well might if they are in a tight spot. I don't trust any registrar. I barely trust ICANN, because I have to.
Namecheap is hardly small fry in terms of domain registration. It's no Amazon no but they just have a much smaller portfolio of services.
That's such a shame. Namecheap was so great. Time to move on. Until then, I would recommend sending a feedback ticket to let the corporate overlords know. I doubt it'll do anything.

Feedback form: https://support.namecheap.com/index.php?/Tickets/Submit/Rend...

What are you going to point them to? A random Reddit post that provides zero details?
Yes, yes I will. If that helps to expose the truth, sure. Whatever that truth may be.
Thanks, these claims are absolutely false. We do not monitor nor register domain names that been searched at Namecheap, period.
I have been using namecheap. Super disappointed by this news.

Any good alternatives?

I have never had an issue with EasyDNS. I also do not have tremendous requirements.
Porkbun is very transparent and up front about every DNS transfer operation. Performant, free NS records (cough, looking at you Cloudflare), and priced well
Thank you, these claims are absolutely false, we do not front run domains on our website.
I appreciate you taking the time to respond to this.
> This experience left me convinced that Namecheap is holding onto domains to make a profit. I'm curious if anyone else has had similar issues with Namecheap and if there are other trustworthy registrars to consider. If you have any recommendations, please let me know. I'm in search of a reliable and safe option for domain registration.

'Make a profit'. God forbid a business does something to 'make a profit'.

Entirely unclear why people seem to believe that domain names are something of a public trust and should go by different rules than any other object or item a private company can profit from. I've noted this attitude literally since the 1990's with public comments about domain names or registrars.

There is nothing at all wrong, illegal or unscrupulous with a domain name registrar - if a domain is not paid for by their customer - with the registrar holding that domain to auction it or sell to another party.

And in fact many if not most registrars do a version of this (Godaddy as only one example). ICANN allows this as long as the contract that the customer signed or says has this possibility pointed out. ICANN does require domains that are not paid for deleted but doesn't prevent a registrar from deleting the domain from the customer account and then taking possession of the domain in order to resell it. (Prior info refers to .com .net .org .info and other common tld's).

This is definitely unscrupulous. It would be illegal if domains were a regulated market.

This seems basically like the definition of frontrunning:

> purchasing a security based on advance non-public information regarding an expected large transaction that will affect the price of a security

Domain searches are not public info. Domain expiry maybe, depending on how the expiry is handled (open auction where registrar bids vs registrar getting a unfair advantage and buying the domain before it becomes accessible to anyone else).

> This is definitely unscrupulous.

However it is not unscrupulous. Business and making money in this way is not unscrupulous. There is nothing to guarantee also that if the domain were not taken by a registrar it would be available to purchase at a nominal registration cost. It might not be for sale at any price.

> It would be illegal if domains were a regulated market.

Why does that matter. It's not a regulated market. That's like saying 'if it was illegal it would be illegal'.

> Domain searches are not public info.

There is nothing to indicate other than someone says something on reddit that the registrar front runned (what is being implied) even happened. As typical someone says something and everyone assumes all the facts are correct (ie someone searches and registrar says 'oh I will now grab that domain someone wants it!'.)

> Domain expiry maybe, depending on how the expiry is handled (open auction where registrar bids vs registrar getting a unfair advantage and buying the domain before it becomes accessible to anyone else

Except we don't know that is what happened here.

> It might not be for sale at any price

Sure, the domain could be unavailable because someone else wanted it. However with front running, the registrar does not want the domain in isolation. They want to domain purely because you are likely to want it based on the fact that you searched for it. The primary difference is using non-public data (your search) to make the decision to buy (which is part of the front running definition).

> Why does it matter

If the law was perfect at all times, it would never change. It is not a tautology because there are things that WOULDN’T be illegal even if the market was regulated as heavily as other ones. Pointing out that this is behaviour that is penalised in other situations is not useless. Precedent is the fundamental basis of many legal arguments.

The rest of your comment is about the truthfulness of the OP. For the argument I was making, it doesn’t matter. I was disagreeing with your original comment (which was that this general behaviour is not wrong). The morality of the general behaviour and whether Namecheap actually does it are two completely separate points.

They got 2 .COM's from me one time. I spend two months trying to prove that I never got early alerts, or alerts at all.. and I never did. But they just went on that auto-renew should've been on... They're selling them for a grand a piece. I have every single social media account with those names but the actual domain names... oh well.
So you didn't renew your domains and chose not to have them auto-renew?
I went on holiday and was not able to access the account. But I was getting email alerts, at least they were set-up. So, on an alert I would've tasked someone to deal with that for me. I don't travel with my Yubykeys, see...
You have something like 60 days after they expire to reverse it. It’s been a long time, but you should have been able to get them back.
Deleted. Don’t want to participate in this conversation sorry.
Switched myself and every project I’m involved with to Cloudflare registrar a while ago because of their front-running.

Namecheap completely burnt all the goodwill and positive word-of-mouth they had built up.

It would be nice to have an independent and reputable registrar outside of the big co’s but it’s apparent that the shadiness and incentives in the industry don’t allow this to happen.

> never search anywhere except Google or Amazon domain

Will these two are probably safe, if you want to be certain I suggest checking with the registry operator itself. You can often find these on https://nic.tld. For example: nic.io, nic.nl, nic.cloud, nic.foo, etc. For com/net/org check ICANN directly: https://lookup.icann.org/

I'm sorry that your domain was registered by someone else but it had nothing to do with our company, I can assure you of that.
Curious from a technical perspective what you might be doing to protect your users' domain queries from other administrators.
Administrators as in whom? No one on our team is monitoring searches and registering domains, period. These claims are 100% false. You can easily prove this at any time buy conducting a search yourself and monitoring what happens.
> I’ve searched for domain names and came up with some great ones only to find that very soon after they were registered by nanecheap.

That could easily be a coincidence. For one thing you don't know about all the domains that were searched for that were not registered by the registrar. Only the ones you searched for (which could very easily be registered for another reason meaning there was another signal indicating their desirability and you even said 'and came up with some great ones only to find').

> Do a Google search on Namecheap frontrunning and you’ll find tons of posts of people talking about how it happened to them.

Is this really the way you think? You do a search and if people are reporting a certain 'symptom' well it must be correct. An anecdote. I drank coffee this morning and XYZ happened wow 'many' people had the same experience!

> If you don’t want to lose that great domain name, never search anywhere except Google or Amazon domains.

As others have pointed out you can also just search from the command line using whois. Not sure why you think that Google or Amazon are super safe either. Amazon runs many domains through gandi.net. Either of them have their own downside. At least at Namecheap you can actually last I checked get in touch with the CEO or an actual employee.

Thank you, we absolutely do not front run domains that are searched with us. These claims are absolutely false.
You seemed willing to participate when you posted originally. I'm curious what changed?
I heard GoDaddy does this too. When I want to see if a name is available I go to who is
Well this is a shame to hear I guess time to switch registars.
Namecheap leadrship are on HN and have clearly (imo believably) stated that they don't do this. There was a famous one where some say, rpg.quest domain got bought after someone had looked at it, and it seemed clear it was just because it was an obvious domain and somebody else bought it, not namecheap frontrunning. Maybe their stance has changed?
(comment deleted)
Thank you, our policy has absolutely not changed and never will. We are in the business of serving our customers, not attempting to take advantage of them in any way.
I figured this out long ago that's why i search for useless domains in hopes they will waste money on them for nothing. screw em.
I can confirm this happened with an obscure .ai website I searched on namecheap last month:

Registrar: Namecheap Registered On: 2023-02-12

So it seems the CEO of namecheap in this thread has made a commitment to paying you a 50000$ reward if you provide the details of this incident that proves they do this.

I’m hoping your willing to provide the details.

That just means someone used namecheap to register it. It doesn’t mean Namecheap the company bought it.
Yes I understand how registrars work. Just happened to be quite the coincidence since I have no way to prove this.
This is false, we do not monitor customer searches nor do we register domains that have been searched on our site. I've said this before and I'll say it again here, if anyone cares to prove that this actually exists and someone within our company is registering searched domain names I will give them a 50k reward on the spot.
(comment deleted)
It shouldn’t be hard for someone making these claims to show whois data before and after. Maybe the whois before requires some foresight, but the whois after does not. I will note that despite putting “Confirmed” in the title of their Reddit post and saying they did a whois search that showed Namecheap had bought the domain, the user has not provided that whois data, nor the domain name so that others can independently confirm.

The price of a domain registration going up in real time as you’re trying to buy it is obviously a frustrating experience. Domain name frontrunning is a legitimate concern, shady registrars have done it in the past (e.g. NetworkSolutions), and there are many other entities besides registrars that might do it as well.

Trying to register a domain name is notably not a hygienic process at the best of times, the information that someone might be willing to pay money for a particular domain name could leak and be exploited at many different stages of a typical search process. Unfortunately, the user only finds out they’ve been exploited when they try to pay on the registrar’s site. Registrars concerned about being unfairly accused might find that providing some transparency into the process can assuage this reaction - perhaps a “why did this price go up?” button/link that shows excerpts from your log history of whois calls for that domain name, or if the problem is the gTLD provider changing their prices on the fly, maybe a log of that information over time.

(Exhaustive potential conflict of interest disclaimer: I hold ~$40/year worth of registrations through Namecheap and another ~$30/year worth of registrations through Gandi. Besides these two aforementioned purchases, I do not and have never been employed by, held an investment position in, or maintained any other kind of financial relationship with any domain registrar [lookup service, TLD provider, etc.] in any form.)

Thanks for being a customer and for your input here. I can also assure you that we do not adjust our pricing based on searches. Our pricing is pretty static and is usually given to us from the tld registries themselves. They sometimes create "premium" pricing for certain domain names and all we do is pass that on to the customer with a very minimal percentage added to it(usually less than 10%) in most cases.
I'm bored, let's try it:

I chose three domains, and for each of them, did a whois query from a local terminal then looked them up on Namecheap. All three are domains I can imagine someone registering (i.e. not just keyboard mashing).

They have these SHA1 hashes (echo -n '$domain $salt', all salts are the same string):

3ded27709bfcbba44ce893262f531c595ee82f72

78eb52058b915fde23df7289250146e4a6622a9e*

e5db7a02eec8ce2b351a5955d84cc6daa561a41f*

These three I did not whois first, and only looked up on Namecheap:

8d59b003b9261bbb7f8268d8f56fbebb1574688f

68a87269d6011110c43ec6bb928ca008de4fcb6e

fa636723fb66d2fb4e93b317f185eb058149e53b*

I will check them again sometime tomorrow and report back (and reveal the domains then).

(I have four domains registered with Namecheap, no other allegiances of any sort. I was not logged in while testing this.)

* Edit: Well, this is embarrassing. I posted this, then closed the Termux session on my phone where I was hashing them... without saving the hashes. Apparently that doesn't write to .bash_history. I recovered three of them from memory by brute forcing words I'd used against a list of TLDs. I'll update again if I remember any of the others.

If this sounds incredibly suspicious to you given the entire point of this comment, I don't blame you. I encourage people to try the same experiment on their own anyway, especially sometime when this isn't in the news.

Archive link of this comment from before I edited it: https://web.archive.org/web/20230329003044/https://news.ycom...

3ded27709bfcbba44ce893262f531c595ee82f72 ionicbutts.net

8d59b003b9261bbb7f8268d8f56fbebb1574688f another.domains

68a87269d6011110c43ec6bb928ca008de4fcb6e bleppr.com

Salt was "monosodium glutamate". One of the ones I forgot was "quadrangular" or a similar word, but I couldn't find it by brute force.

As of right now, none of these are registered. I did kind of screw this up, might be good to try again another time and against more registrars (and maybe not post about it in advance in a thread where the CEO is known to be watching). But currently I don't see any evidence that this is happening, at least not with Namecheap and not for every domain.

I had a similar experience with my domain, hegz.me, which I had purchased from Namecheap. I allowed it to expire and did not pay the redemption fees, thinking I could buy it again at a later time. However, to my surprise, after the redemption period had ended, it was listed for a price of $2,888. Can you explain why this is the case?
I like this offline solution to finding a good .com domain name, by downloading the virtually complete list of registered .com domains: https://sive.rs/com
After buying dozens of domains via Namecheap, I've never lost a domain to front-running. Maybe they know that all of my ideas are worthless...
I've searched for squillions of domains with Namecheap and moved to them years ago from 123, but never lost a domain to them, I don't believe this happens.
Let me assure you, you are right. We would never do this as firstly, it is unethical and secondly we value our customers. Thanks for being one of them.
I used to work at a registrar and I have trouble believing any registrar would buy domains you search in real time as stated in the Reddit. We got literally millions of searches everyday and, surprise, domains cost money! They’re not free for registrars. Maybe some shady registrars (one in particular who also happen to own an aftermarket) do it, non real time, but it would be a business reaaaally hard to make profitable.
I think the most likely explanation, if anyone is doing this, is an employee watching a log file and doing it on their own for domains that sound particularly desirable to them.
Is it possible the registrars themselves are monitoring incoming queries that are checking for domain availability? Or perhaps selling that data?