Why You Might Get Spammed for Buying a New Domain Name (And How to Use Domain Privacy to Prevent It)

The rude awakening

You’ve finally settled on the perfect domain name for your blog or small business. You’ve registered it with a trusted Canadian registrar like Webnames.ca. You’ve barely begun to setup email and web hosting, yet the very next day, you wake up to an inbox full of spam – emails hawking web design, SEO services, prospect lists, app development, video production – you name it. Some target you by name with clever phishing tricks and malware. Then the text message spam and robocalls start to roll in.

So what just happened? Did Webnames sell your personal information to scammers?

Webnames will never disclose your personal information to third parties without your consent

No, we didn’t sell you to the scammers. In fact, Canada’s privacy laws prevent companies from using your personal information for non-essential activities, or selling it to third parties, without your consent. Most reputable domain registrars abide by these rules. (But word of advice … always read those terms and conditions!) Unfortunately, that doesn’t mean someone else wasn’t watching when you registered your domain…

“WHOIS a scammer for $200, Alex.”

When you register a domain, the worldwide Internet governing body, ICANN, requires that your contact information be added to a publicly-searchable directory called WHOIS. This directory helps confirm who is entitled to control the domain, who to contact regarding technical issues with its operation, and who should receive complaints of abuse. ICANN also requires that registrars like us take reasonable steps to validate the registrant, administrative, and technical contacts on each domain’s WHOIS record to ensure that the information is valid.

But the registries do not make their WHOIS databases available en masse, and there is no bell that dings whenever a new domain is registered. So how do the scammers know you’re there? It turns out that most registries also publish their top-level root zone files nightly. Scammers can obtain these lists, determine which domain names were newly registered compared with the previous day, and then run mass WHOIS lookups against all the new domains to obtain the personal contact information.

It’s true that most registries impose bandwidth throttling and limitations on their WHOIS lookup servers, but people have found ways around those restrictions by distributing their requests globally across many client IP addresses, or in some cases, by paying large WHOIS aggregator services.

Privacy to the rescue

Although as registrars we are required to keep accurate contact information for all our domain registrants, we are allowed to “mask” or withhold that information from the public WHOIS directory through a privacy or proxy service. When you enable Webnames Privacy service (sometimes referred to as WHOIS Privacy), we submit generic, non-personally-identifiable information, and provide a means for legitimate third-parties to contact you through us (either snail mail or email). We’ve found that this effectively blocks almost all spam.

Here’s an example of the difference Webnames Privacy service can make on your domain. The WHOIS record on the left has no privacy service. As you can see, your full contact information is available. But the WHOIS record on the right has privacy enabled, making everything anonymous:

If a spammer tries to send a message to the email address listed on the WHOIS for a Webnames Privacy Customer, the email will not automatically be delivered. They must pay a $10 processing fee, complete a Contact Request Form, fax it back to us and receive approval before their email will be forwarded to the administrative contact we have on file. This effectively blocks all spam, since it’s not efficient for scammers to spend time and money trying to reach you through us when there are millions more unprotected domains out there. We charge customers a nominal fee of $10 per domain per year for Webnames Privacy. This helps recoup our development, operational, and administrative costs for the service, and is competitive with other registrars.

A note about privacy for .ca and other TLDs

Some TLD registries, notably .ca, provide a basic level of WHOIS privacy automatically for individual (non-organizational) registrants. However, you can still use Webnames Privacy to obtain a second layer of protection, keeping your contact information only on our protected servers, and out of a central registry. And if you’re a business or other organization, Webnames Privacy is a great way to reduce spam and telemarketing.

Use Privacy right from the beginning!

Next time you register a domain, enable Webnames Privacy right from the beginning. It’s easy to enable it right in our shopping cart purchase flow. On the other hand, if you do your registration without privacy and then add it a few days later, your personal information could be already be compromised. If you find yourself in this situation, we still recommend adding privacy – late is better than never because it will help to mitigate new rounds of unwanted solicitations, but you’ll get the most benefit from using it from day 1.

Share: Share on FacebookTweet about this on TwitterShare on LinkedInEmail this to someoneShare on Google+

Posted in:

Domain Names Security