A friend recently looked into buying a domain name. She typed the domain into Internet Explorer and nothing came up. She typed the domain name into the search box at GoDaddy.com and the domain was available. But she didn’t buy it right away.
When checking the domain again the next day we saw that the domain had been registered by someone else just a few hours after she had searched for it. Because the name did not contain any English words (or real words in any language) we knew that it could not have been a coincidence.
My first thought was that GoDaddy had stolen the domain name and was kiting it — which would have been hypocritical because the CEO of GoDaddy had written a criticism of the practice on his blog. Further research indicated that domains were being stolen even without typing them into GoDaddy, so that ruled out GoDaddy.
The ICANN Wiki explains "domain kiting" or "domain tasting":
Because there is a 5 day grace period for returning and receiving a refund on a domain, registrants are utilizing this to register domains, test them for traffic and keep the domains which are monetizable. This approach has the potential to be particularly lucrative and low risk because these businesses can test the residual traffic of a domain name before paying for it. In addition, the registrant can benefit from any residual income from the traffic received during the five day period even if the domain is refunded.
Sure enough, 5 days after the domain was stolen it was released and my friend was able to register it. We had already begun to investigate the issue of who stole her domain name.
The company that appears to have stolen her domain name and “tasted” it is called UltraRPM.com.
This is a screenshot of their home page:
The UltraRPM.com home page says:
UltraRPM is a next generation, predictive data analysis company. UltraRPM seeks to use its proprietary algorithms to identify and create higher ROI online marketing opportunities.
Our products are still under development so please check back for more information once we have launched.
Internic shows that UltraRPM does business as Metapredict.com, but Metapredict.com does not resolve when typing it into a browser.
We began testing other domain names to see if they would be stolen and "tasted". For the first test, I booted up Damn Small Linux and typed a domain into GoDaddy’s search box. I wanted to try it on a clean operating system. The test was not 100% clean though because my friend had also typed the domain into the address bar of Internet Explorer on her computer. Sure enough, the domain was registered by UltraRPM a few hours after searching for it.
In my research I came across a blog post on domaintools.com about stealing domain names. The article mentioned that ISPs sell Non-eXistent Domain (NXD) data to people. I began to suspect that my ISP might be stealing the domain names.
The DomainTools article didn’t seem to think that spyware was a common issue:
For any browser plug-in that is free, ask yourself why is it free and whether they send data back to a server. Avoid software on computers that reports data back to the Internet. Of course this is the most obvious advice, but I need to mention it. The likelihood of someone datamining domain name research from spyware is small. If they have spyware on your computer, it’s more likely they are going after credit cards numbers and social security numbers instead of domain research.
To test this, I typed a few non-existent domain names into my browser in Linux on the same Internet connection. Those domains were not registered and kited like the previous ones. That seemed to indicate that the ISP was not responsible. I recommended that my friend run AVG Anti-Spyware, which is the strongest spyware/trojan scanner that I’ve found. AVG Anti-Spyware found many problems on her computer, including a trojan. I didn’t see the list of scanned items though, so I don’t know exactly what spyware was on the computer and whether it could have been responsible for stealing her domain names as she typed them into the address bar of Internet Explorer.
The original suspects in this case were GoDaddy, my ISP, and spyware. GoDaddy and the ISP seem to have been eliminated through my non-scientific experiments. At the moment I am suspecting that spyware may have been the problem in this case.
It would be great if readers could perform similar tests on their own computers. I recommend running your tests as follows:
- Experiment with only one domain at a time
- Don’t use dashes in the domains
- Make up a domain that sounds like a brand name, possibly with a component that is not a real word.
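The test rules above can be turned into a small canary plan. This is an added example, not part of the original post: it generates dash-free, made-up names and assigns exactly one to each exposure channel from the experiments described here, so a later registration points at a single channel. The syllable alphabet, the function names and the extra "control" channel are assumptions made for illustration.

```python
import secrets

# Assumption: consonant+vowel syllables give a pronounceable, brand-like label
# that is not a real word. No dashes are ever produced.
CONSONANTS, VOWELS = "bdfgklmnprstvz", "aeiou"

# Exposure channels taken from the experiments in this post, plus a control.
CHANNELS = [
    "registrar search box, clean live-CD OS",
    "browser address bar, Windows PC",
    "browser address bar, Linux on same ISP",
    "control: generated but never typed anywhere",
]

def make_canary(syllables=4, tld="com"):
    """Return a made-up name such as 'zotivaku.com'."""
    label = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                    for _ in range(syllables))
    return f"{label}.{tld}"

def build_plan(channels):
    """Give every channel its own canary so a registration implicates one channel."""
    plan = {}
    for channel in channels:
        name = make_canary()
        while name in plan:          # never share a name between channels
            name = make_canary()
        plan[name] = channel
    return plan

def attribute(plan, registered):
    """Map names later found registered back to the channel they were exposed on."""
    leaks = {}
    for raw in registered:
        name = raw.strip().lower().rstrip(".")
        if name in plan:
            leaks.setdefault(plan[name], []).append(name)
    return leaks

if __name__ == "__main__":
    plan = build_plan(CHANNELS)
    for name, channel in plan.items():
        print(f"{name:16} -> {channel}")
    # Constructed observation: pretend the second canary was registered a day later.
    seen = [list(plan)[1].upper() + "."]
    print(attribute(plan, seen))
```

Write the plan down before exposing any name, and type each name only on its own channel; a name that reaches two channels cannot be attributed to either.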
The only other mention I’ve found of UltraRPM is on an article about companies who are exploiting the popularity of Madeleine McCann’s Web site (a child abducted in Portugal).
If you find anything interesting or have more information about UltraRPM and Metapredict, please leave a comment below. I’m also interested in more information about domain tasting and what is being done to stop it.
UPDATE: Thanks for the many comments. If this has happened to you and you are using Windows, please run the free trial of AVG Anti-Spyware on your computer and send me the log of any malware that the program finds. Finding a common piece of spyware (or lack of one) across many incidents might shed some light onto this issue. To contact me, please use the contact form.