Search Quality & Cyber-Intelligence Lab (SQ-CIL)

Spam Double-Funnel: Connecting Web Spammers with Advertisers



 

When a user visits a Web site, her browser may be instructed to visit other third-party domains without her knowledge. Some of these third-party domains raise security, privacy, and safety concerns. The Strider URL Tracer, available for download, is a tool that reveals these third-party domains, and it includes a Typo-Patrol feature that generates and scans sites that capitalize on inadvertent URL misspellings, a process known as typo-squatting. The tool also enables parents to block typo-squatting domains that serve adult ads on typos of children's Web sites.

• Yi-Min Wang, Doug Beck, Jeffrey Wang, Chad Verbowski, and Brad Daniels, "Strider Typo-Patrol: Discovery and Analysis of Systematic Typo-Squatting," Usenix 2nd Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), July 2006
  
  
• Windows XP/IE6 URL Tracer Download (v. 1.0.1.0, April 7, 2006) ("Save" to Desktop and double-click to install this research prototype)
  • This tool is a standalone client-side tool. It does not perform any lookups on our typo-domain database and it does not report back any scan results.
  • Quick Start and Help File
  • Screenshots (typo domains of Slashdot.org, WashingtonPost.com, and others)
  • We highly recommend running the scan from a virtual machine or a non-mission-critical machine.
  
  
• News
  • "Google Lets Advertisers Opt Out of Domain Parking Sites", March 13th, 2008
  • "Microsoft files cybersquatting lawsuits," Sept. 13, 2007
  • "Verizon Sues iREIT for Alleged Cybersquatting, April 5, 2007
  • "Microsoft Expands Global Effort to Combat Cybersquatting," March 14, 2007
  • "Microsoft Launches Enforcement Campaign Targeting Web Site “Cybersquatters” Who Use Online Ads," August 22, 2006
  • "The Web's Million-Dollar Typos," The Washington Post, April 30, 2006.
  • "Typed too fast? Google profits from your typo," The Seattle Times, April 30, 2006.
  • "Google Propping Up Typosquatting Biz?", Slashdot, April 30, 2006.
  • "Microsoft spells the end of typos," ipwalk, April 20, 2006
  • "Microsoft Tool To Help Users Avoid Typo Domains," Slashdot, April 14, 2006.
  • "Microsoft Ships 'URL Tracer' to Hunt Down Typosquatters," eWeek.com, April 7, 2006.
  • "Microsoft 'URL Tracer' Hunts Typosquatters," Slashdot, April 7, 2006.
  • "MS Research: Typo-Squatters Are Gaming Google," eWeek.com, December 19, 2005.
  • Wikipedia: Typosquatting
  
  
• Technical Report - "Strider Typo-Patrol: Discovery and Analysis of Systematic Typo-Squatting"
  • Summary - In our three sets of scans, 40%~70% of active typo domains were parked with the following top six services, which means trademark owners can easily identify major typo-squatters by using the Strider URL Tracer to track and categorize ads-fetching traffic sent to these parking services.
    
    The Timeline
    
    December 19, 2005: This eWeek news article first exposed the large-scale, systematic typo-squatting activities by major squatters. In response, oingo.com removed adult ads served on the typo domain http://disnryland.com.
    
    December 2005 ~ March 2006: We reported 2,182 oingo-parked and Unasi/Domaincar-owned typo domains at http://research.microsoft.com/Typo-Patrol. In response, 1,668 of them were de-activated.
    
    April 7, 2006: We released the Typo-Patrol tool and the technical report. The second eWeek article came out and more adult ads served on typo domains of children's web sites were removed.
    
    April 24, 2006: Sedo started blacklisting questionable typo and non-typo domains reported on this page.
    
    

    April 27, 2006: Unasi/Domaincar quickly de-registered 66 of the 84 reported typo domains but continued to target Comcast.net, Morganstanley.com, and NYTimes.com. It also de-registered 122 of the 166 reported non-typo domains. April 27, 2006: Trademark-related statements appeared on http://domaincar.com and http://domibot.com and were linked from bottom of typo domain pages. We have constructed Domaincar Reporting Page Domibot Reporting Page. All interested users of Strider URL Tracer can scan these domains to monitor the progress of trademark-related domain removals. April 27, 2006 ~ May 1, 2006: We reported 2,500+ questionable Unasi/Domaincar-owned typo and non-typo domains at the Domaincar Reporting Page.

    
    
    May 7, 2006: Domain parking services can now use the Strider Global Typo-Domain List to quickly screen for domain parkers whose portfolios appear to contain a large number of questionable domains.
    
    These 8,598 typo domains of 60 target domains are being used as the Strider Typo-Patrol benchmark "TP-60". We will periodically scan them and report the results as a way of monitoring the trend and movement of this industry. Send email to tppatrol@microsoft.com if you own an Alexa top-500 web site or a major banking web site and would like to be added to the benchmark, which in general should discourage typo-squatting of your web site.
    
    
    • Oingo.com [WhoIs Oingo]: 20%, 19%, and 44% in our three sets of scan data, respectively
      • Try opening these two URLs in two separate windows to verify that oingo.com is serving the ads: http://www.MorganStnaley.com and http://apps5.oingo.com/apps/domainpark/domainpark.cgi?s=morganstnaley.com&dp_lp=24&hl=en&dp_lp=7&cid=DTRG4295&dp_p4pid=oingo_inclusion_xml_06&dp_format=1.3. Clicking on the ads will send you through http://pagead2.googlesyndication.com (see screenshot).
      • How Oingo.com domain parking works
      • See a sample screenshot of oingo-parked WashingtonPost.com typo domain.
      • See a sample screenshot of a negative advertisement served on an oingo-parked typo domain of http://MorganStanley.com
      • Typogoogling: an example of advertisers paying for ads served on the typo-squatting domains of their own web sites
      • See a large number of domains parked with oingo.com, typos and non-typos.
        
        

      How big is this domain parking business (traffic x revenue per visit): Traffic number approximation: compare oingo.com traffic (daily reach: ~4,000 per million users) with googlesyndication.com traffic (daily reach: ~9,000 per million users) There are now more than one billion Internet users. Clicking on oingo.com ads generates traffic to googlesyndication.com. Sample revenue numbers for parked domains: Domainsponsor: $65~$200+ Per 1000 Unique Impressions (RPM) Sedo: $24~$80+ RPM Dotzup (no adult or trademark domains): $90 network average CPM (Cost per Thousand) The most well-known, Panama-based(?) typo-squatter Unasi/Domaincar appears to be a major customer of oingo.com. Unasi/Domaincar owns 76% of all the typo domains parked with oingo.com in our study. Together, they are sharing profits from serving ads on a large number of typo domains (see thousands of such domains). The real identity of Unasi/Domaincar may be discovered by following the money trail of Oingo.com's payment to its Client ID DTRG4295. Our data shows that, when you make a typo and reach an active domain, one in every four such domains are parked with oingo.com and one in every six such domains are registered to Unasi/Domaincar. In response to this eWeek news article, Unasi/Domaincar de-activated a large number of "anchor domains" that were used to aggregate typo traffic and to trick Oingo.com into serving adult ads on typo-squatting domains of children's web sites. Unasi/Domaincar was responsible for 46 of 110 such domains found in our study. Between December 2005 and March 2006, we reported 2,182 typo domains owned by Unasi/Domaincar and 1,668 of them have been de-activated. See reported domains at http://research.microsoft.com/Typo-Patrol Unasi/Domaincar and oingo.com are also profitting from serving ads on a large number of domains that contain non-typo brand names such as Disney, Microsoft, Sony, EBay, Nokia, Canon, Nintendo, Panasonic, Gucci, Citibank, etc. See 166 such domains; additional domains will be added periodically. According to another study, "DomainCar ... and several related companies, controlled some three million domain names, around four percent of the global total." See list of 70+ domain name complaints against Unasi/Domaincar.

      • Other major clients (although they all appear to be much smaller than DTRG4295/Unasi/Domaincar; April 19~20, 2006 data)
        • Client ID dots5698: see domain list or an example
          http://apps5.oingo.com/apps/domainpark/domainpark.cgi?s=WASHINGTRONMUTUAL.COM&cid=dots5698.
        • Client ID GALT6690: see domain list or an example
          http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=GALT6690&s=bankofameerica.com.
        • Client ID TWOS3769: see domain list or an example
          http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=TWOS3769&s=sovereingbank.com
        • Client ID JPET7259: see domain list or an example
          http://apps5.oingo.com/apps/domainpark/domainpark.cgi?client=JPET7259&s=www.sovereignbakn.com
    • Domainsponsor.com/Information.com [WhoIs DomainSponsor]: 21%, 14%, and 12%
      • See a sample screenshot of domainsponsor-parked WashingtonPost.com typo domain.
      • See a list of sample domainsponsor/information-parked typo domains.
    • Sedoparking.com [WhoIs Sedoparking]: 8.6%, 3.3%, and 3.8%
      • Sedo's Rights Protection Program (RPP)
        • "Sedo developed the Rights Protection Program (RPP) to give intellectual property rights holders a streamlined process for submitting complaints regarding domains being listed for sale or being parked with Sedo."
      • Sedo has blacklisted all of the 190 parked domains reported in this list.
      • Sedo has responded to the following three reports as well:
        • May 4, 2006: see another list of 1,600+ typo domains
        • May 4, 2006: see a list of 104 non-typo domains
        • May 5, 2006: see a list of Unasi/Domaincar/Domibot-owned typo domains
      • Clicking on the ads will send you through http://pagead2.googlesyndication.com (see screenshot).
    • Qsrch.com [WhoIs Qsrch]: 4.5%, 3.3%, and 1.8%
      • See a sample screenshot of qsrch-parked Comcast.net typo domain.
      • See a list of sample qsrch-parked typo domains.
    • Netster.com [WhoIs Netster]: 2.9%, 2.2%, and 4.1%
      • See a sample screenshot of netster-parked WashingtonPost.com typo domain.
      • See a list of sample netster-parked typo domains.
      • Clicking on the ads will send you through http://pagead2.googlesyndication.com (see screenshot).
    • Hitfarm.com [Whois Hitfarm (identity shielded)]: 2.1%, 3.1%, and 2.3%
      • See a sample screenshot of hitfarm-parked WashingtonPost.com typo domain.
      • See a list of sample hitfarm-parked typo domains. (Hitfarm has responded to this report.)
      • Domain complaint form
      • Click on the ads on the second page will send you through overture.com (see screenshot).
  • Beyond typo-squatting, these parking services also park a large number of domains with names containing (non-typo) brand names (April 2006):
    • See a few such domain names.
    • 780 *Disney* domains: grouped by parking services; grouped by IP addresses
    • 418 *Yahoo* domains: grouped by parking services; grouped by IP addresses
    • 370 *Microsoft* domains: grouped by parking services; grouped by IP addresses
    • 366 *Sony* domains: grouped by parking services; grouped by IP addresses
    • 320 *XBox* domains: grouped by parking services; grouped by IP addresses
    • 280 *Ebay* domains: grouped by parking services; grouped by IP addresses
    • 190 *Nokia* domains: grouped by parking services; grouped by IP addresses
    • 112 *Canon* domains: grouped by parking services; grouped by IP addresses
    • 79 *Nintendo* domains: grouped by parking services; grouped by IP addresses
    • 71 *Panasonic* domains: grouped by parking services; grouped by IP addresses
    • 61 *Gucci* domains: grouped by parking services; grouped by IP addresses
    • 48 *Citibank* domains: grouped by parking services; grouped by IP addresses
    • 44 *Marriott* domains: grouped by parking services and traffic affiliates; grouped by IP addresses
    • Get access to .COM & .NET Top-Level Domain (TLD) Zone Files
  • See sample typo traffic statistics at http://slsahdot.org
    • See http://slsahdot.org traffic anomaly due to this Slashdot
  • Strider Typo-Patrol Project Home Page
  
  
• Typo-Squatting-Related Laws
  • Uniform Domain-Name Dispute-Resolution Policy (UDRP), October 24, 1999
    • Applicable Disputes. You are required to submit to a mandatory administrative proceeding in the event that a third party (a "complainant") asserts to the applicable Provider, in compliance with the Rules of Procedure, that
      • (i) your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and
      • (ii) you have no rights or legitimate interests in respect of the domain name; and
      • (iii) your domain name has been registered and is being used in bad faith.
  • Anticybersquatting Consumer Protection Act (ACPA), Signed by President Clinton, November 29, 1999
    • A person shall be liable in a civil action by the owner of a mark, including a personal name which is protected as a mark under this section, if, without regard to the goods or services of the parties, that person --
      (i) has a bad faith intent to profit from that mark, including a personal name which is protected as a mark under this section; and...
    • In a case involving a violation of section 43(d)(1), the plaintiff may elect, at any time before final judgment is rendered by the trial court, to recover, instead of actual damages and profits, an award of statutory damages in the amount of not less than $1,000 and not more than $100,000 per domain name, as the court considers just.
  • Truth in Domain Names Act, 2003
    • Sec. 2252B. False or misleading domain names on the Internet
      • (a) Whoever knowingly uses a misleading domain name with the intent to deceive a person into viewing obscenity on the Internet shall be fined under this title or imprisoned not more than 2 years, or both.
      • (b) Whoever knowingly uses a misleading domain name with the intent to deceive a minor into viewing material that is harmful to minors on the Internet shall be fined under this title or imprisoned not more than 4 years, or both.
  
  
• Potential Actions by Trademark Owners Based on the Typo-Patrol Tool
  • Filing multi-domain disputes against registrants of typo-squatting domains
    • Tool Usage: use the "Group by Internet Address" view, expand an IP address node, and "right-click->Whois" on a typo domain to manually look up the registrant name.
    • Run the Reverse-IP tool or http://webhosting.info against those IP addresses that host a large number of typo domains to discover even more typo domains owned by the same typo-squatters.
    • Related Information:
      • "Cybersquatter Fined $100,000 Per Domain Name," November 2000
        • Electronics Boutique Holdings Corp. v. Zuccarini, U.S. District Court, Eastern District of Pennsylvania, October 30, 2000
          • Cybersquatting (or cyberpiracy) "refers to the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners."
          • $500,000 fine for five domain misspellings: "www.electronicboutique.com," "www.eletronicsboutique.com," "www.electronicbotique.com," "www.ebwold.com," "www.ebworl.com."
      • "Disney-porn Hook-up Sends Typosquatter to Jail," March 1, 2004
        • Zuccarini To Receive 30 Months in Prison, Feb. 27, 2004
      • "Cyberscam Targeted by FTC," 2001
      • "Battling Cybersquatters: New Tools for Trademark Holders," February 2000
      • Shields v. Zuccarini, 2001
      • Domain name disputes
        • National Arbitration Forum: State Farm Mutual Automobile Insurance Company v. Unasi Management, Inc.
        • WIPO Arbitration and Mediation Center: Deutsche Telekom AG v. Unasi Management Inc.
        • See many more examples
        • See even more examples of domain name disputes against Unasi/Domaincar/Domibot
      • Use whois.sc or whois.ws or whois.net or Domain Dossier - Investigate domains and IP addresses or samspade.org WhoIs lookups to find out who owns a given typo-squatting domain.
  • Sending multi-domain takedown notices to ISPs hosting typo-squatting domains
    • Tool Usage: use the "Group by Internet Address" view and expand an IP address node.
    • Use Domain Dossier - Investigate domains and IP addresses or samspade.org IP Whois lookups to find out which ISP is hosting a given typo-squatting domain.
    • Takedown example
    • IP addresses that host a large number of parked domains (April 8, 2006 data)
      • Run the Reverse-IP tool against these IP addresses to retrieve even more typo domains owned by the same typo-squatters.
      
      
      

      Interserver Inc (typo-patrol results from scanning the first batch of typo domains in this file) 64.20.33.4: list of 57 parked domains; Domain WhoIs: Domaincar c/o Perthshire Marketing 64.20.39.27: list of 15 parked domains; Domain WhoIs: Domaincar c/o Perthshire Marketing 64.20.33.131: list of 11 parked domains; Domain WhoIs: Domaincar, Panama 66.45.225.11: list of 10 parked domains; Domain WhoIs: Domaincar, Panama

      • TELUS Communications Inc. (typo-patrol results from scanning this file)
        • Try 208.38.61.228 at http://centralops.net/co/
        • 208.38.61.228: list of 31 parked domains
        • 207.219.111.23: list of 26 parked domains
        • 64.225.154.135: list of 13 parked domains
      • Internap Network Services (typo-patrol results from scanning this file)
        • 64.74.134.14: list of 33 parked domains
        • 64.94.29.14: list of 18 parked domains
        • 64.94.29.64: list of 17 parked domains
        • 64.74.134.64: list o 10 parked domains
      • Alchemy Communications Inc.
        • 209.132.212.132: list of 28 parked domains
      • Sago Networks (typo-patrol results from scanning this file)
        • 66.118.136.67: list of 52 parked domains; Domain WhoIs: Manila Industries, Inc.
  • Filing multi-domain trademark complaints with domain parking services serving ads on typo-squatting domains
    • Tool Usage: use "View Top Domains" and expand a domain parking service node.
    • Related Information:
      • Google AdSense for Domains Trademark Complaint Procedure (see potential oingo.com examples)
      • DomainSponsor Terms of Use (see potential domainsponsor.com/information.com examples)
      • Sedo's Rights Protection Program (RPP)
  
  
  
• Other Related News and Links
  • "Typosquatters Target Anti-Virus Vendors," 2005
  • "Typo-squatter sued by FTC," 2002
  • "Large-Scale Registration of Domains with Typographical Errors"
  • "Google Squashes 'Typosquatting'," Associated Press, Jul. 09, 2005
  • "Air France Wins Typo Squatting Dispute," Demys News Service, July 30, 2003
  • "Harry Potter and the Order of the Typo," Personal Computer World, Dec. 10, 2004
  • "Googkle.com installed malware by exploiting browser vulnerabilities," April 26, 2005
  • Typogoogling, December 20, 2005
  • "WIPO Responds to Significant Cybersquatting Activity in 2005," January 25, 2006
  • "Should Owners Of Web Sites Be Anonymous?" By William M. Bulkeley, Wall Street Journal Online, April 27, 2006
  • "Yahoo Sued for Spyware, Typosquatting-Based Ads," Slashdot, May 3, 2006
  • "Suit accuses Google of profiting from child porn," CNET News.com, May 5, 2006
  • "For These Sites, Their Best Asset Is a Good Name," The Wall Street Journal, May 1, 2006.
    • Analysts estimate these types of site, known as "domain parking," generate about 5% to 10% of search-engine revenue, putting the industry's annual revenue at about $600 million. "The profit margins are extraordinary," says RBC Capital Markets analyst Jordan Rohan. He predicts industry revenue could double to $1.2 billion within three years.
    • Potential typo domains
    
    
    
  • Fiddler HTTP Debugging Proxy
    
    
  • Dotzup Domain Potential: Yield per visit, etc.
  • Domain Name Wire: News and Views for the Domain Name Industry
  • DailyChanges.com: millions of new and deleted domains
  • MarkMonitor
  • "Domain Monetization: Allocation Methodology"
  • sTypo generates typo domains, scans them through Overture™ Search Term Suggestion Tool to get traffic estimates, and also provides availability and parking information. (sTypo is for domain parkers, while Strider URL Tracer is for trademark owners who want to catch domain parkers.)
    
    
  • Third-party domains associated with parked domains
    • Oingo.com (see sample parked domains)
    • DomainSponsor.com (see sample parked domains)
      • "We have some names that routinely generate Revenue per 1000 Unique Impressions (RPM) of $100, $200 or more, and our overall portfolio generates an RPM of $60."
    • Sedo (see sample parked domains; most of them have been blacklisted by Sedo)
      • "The RPM for some of our domains is $80 or more..."
    • Netster.com (see sample parked domains)
    • Hitfarm.com (see sample parked domains)
    • Qsrch.com (see sample parked domains)
    • TrafficZ.com (see sample parked domains)
    • Zedo.com (see sample parked domains)
    • Ownbox.com (see sample parked domains)
    • DomainSpa (see sample parked domains)
    • ParkingDots (see sample parked domains)
    • GoldKey (see sample parked domains)
      • "All domains submitted must be reviewed by Yahoo for Trademark conflicts. Yahoo provides the feed for GoldKey."
    • DomainHop (see sample parked domains)
    
    
  • Typo domains redirecting back to target domains through third parties (April 8, 2006 data)
    • Owners of target domains may be paying typo-squatters, knowingly or unknowingly, for their traffic through affiliate programs.
    • 93 typo domains of overstock.com redirecting through click.linksynergy.com
    • 36, 22, and 6 typo domains of VerizonWireless.com redirecting through clickserve.cc-dt.com, service.bfast.com, and spellhelp.com, respectively
    
    
  • Hidden, proxied, N/A, identity-shielded, or privacy-protected WHoIs records (April 8, 2006 data)
    • "Whois IDentity Shield, Vancouver, BC, Canada V6C 1A1" (Nameview)
      • Hitfarm.com (http://whois.ws/whois-com/ip-address/hitfarm.com/)
    • "Moniker Privacy Services, Pompano Beach, FL 33069"
      • Ultsearch.com (http://whois.ws/whois-com/ip-address/ultsearch.com/)
      • Other examples: Kanoodle.com, searchabc.com, nbcsearch.com,
    • "Domains by Proxy, Inc., Scottsdale, Arizona 85260"
      • Exactsearch.net (http://whois.ws/whois-net/ip-address/exactsearch.net/)
      • Other examples: sportsinfosites.com, 404recovery.com
    • "Whois Privacy Protection Service, Inc., Bellevue, WA 98007"
      • Mivrosoft.com (http://www.whois.sc/mivrosoft.com)
      • Other examples: Microsocft.com, Vpptechnologies.com, etc.
    • "Privacy Protect, Inc, Houston Texas,77079"
      • Bmnq.com (http://whois.ws/whois-com/ip-address/bmnq.com/)
      • Other examples: Bnmq.com
    • "N/A N/A (Registrar: ENOM, INC.)"
      • Sonicads.com (http://whois.ws/whois-com/ip-address/sonicads.com/)

Use the Strider URL Tracer to automatically and systematically expose third-party web beacons and bugs, and then seriously ask the following questions: "What data are you collecting about me?"; "Are you following the privacy rules by giving me proper notices and choices?"; "Are you safely storing the data and for how long?"; "Who in your company has access to the data?"; "Are you correlating the data with other potentially personally identifiable information without my permission?"; "Are you selling or sharing the data with other companies without my knowledge?"; etc.

Proper uses of web beacons can improve web sites' ROI and web users' experience; abusive uses of web beacons may invade user privacy. Strider URL Tracer brings web beacons to the spotlight, including all third-party URLs because any of them could be used as a generalized form of web beacons.

• "Ad firms set rules for Web tracking bugs," CNET News.com, November 26, 2002.
• Use these web sites to find out whether your machine's externally visible IP address is static and could be used to correlate your browsing activities on multiple web sites: DomainTools "My IP Information"; WhatIsMyIP.com; AuditMyPC.com.
  
  In an enterprise environment, if your employees' machines' externally visible IP addresses are those of your web proxy servers, which can be mapped to your company name, then web beacons could potentially leak your company's business intelligence in the form of your employees' collective browsing activities.
• Network Advertising Initiative
  • Opt Out of NAI Member Ad Network Cookies
  • "Web Beacons – Guidelines for Notice and Choice"
• Yahoo! web beacons opt-out
• Web Analytics Association
• Redirection domains for some of the most popular web beacons:
  • Google-analytics.com (~24,000 URLs)
  • Extreme-dm.com (~17,000 URLs)
  • Hitbox.com (~15,000 URLs)
  • Statcounter.com (~12,000 URLs)
  • Sitemeter.com (~11,000 URLs)
  • Webtrendslive.com (~9,000 URLs)
  • Hitslink.com (~5,000 URLs)
  • Addfreestats.com (~4,000 URLs)
  • Webstats4u.com or Nedstatbasic.net (~3,000 URLs)
  • Coremetrics.com (~2,000 URLs)
  • Web-stat.com (~2,000 URLs)