How Spammers Find New Domain Registrations – Domain Name Wire

Spammers use a two-step process to learn about new domains and obtain registrant contact information.

My phone number has been abused in the last week. I received dozens of spam emails, robocalls, and telemarketing solicitations from people selling web design and logo design services.

It’s my fault. I made the mistake of registering domain names using my unprotected details. I should have known better than that.

In my post last week about spam volume, someone asked how spammers find out about new domain registrations.

A few years ago, a domain name registrar told me that they were amazed at how quickly people started getting spam after registering a domain name. Sometimes the spam started less than 15 minutes after registration. It turns out that Verisign offered a service called Domain Name Zone Alert (DNZA). This service alerted people when a change was made to the zone file, including when a domain name was added to the zone.

There are legitimate uses for this data, but it has clearly been abused. Verisign ended the service over a year ago.

Spammers can still get data on new registrations, but not as quickly. Verisign is required to provide access to its zone files. It publishes the zone file every 12 hours and subscribers are allowed to download it once a day.

Again, there are many good uses for this data. That’s why ICANN asks Verisign to publish it. But it is abused.

There is a second step that spammers must follow to obtain contact information. .com has a “thin” Whois environment. This means that the registrar maintains the registrant's contact details. When you make a Whois query, the registrar, not the Verisign registry, provides this information.

Spammers used to get Whois information in bulk over port 43. Many registrars no longer provide full Whois over port 43, so spammers either have to scrape the Whois data from the registrar's site or pay someone to retrieve the data manually. (The latter could be very affordable thanks to something like mTurk.)

Some services sell this data. They create the systems to collect and then sell it to multiple parties.

The good news for registrants is that most registrars started removing phone numbers after the GDPR took effect. GoDaddy started redacting this week.

The result is that there is data on fewer domain registrations available to spammers, so customers of registrars who still publish the data receive a higher volume of spam.
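
To see what a registrar's Whois still publishes about your own domain, this added example (not from the original article) reads the registrar referral out of a thin registry answer and lists the contact fields in the registrar's answer that are not blank or redacted. Both answers are constructed samples, and the list of redaction wordings is an assumption, since registrars phrase redaction differently.

```python
import re

# Constructed sample of a thin-registry answer: no contact data, only a referral.
REGISTRY_ANSWER = """\
   Domain Name: EXAMPLE-AUDIT.COM
   Registrar WHOIS Server: whois.registrar.example
"""
# Constructed sample of the registrar's answer for the same domain.
REGISTRAR_ANSWER = """\
Domain Name: example-audit.com
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Phone: +1.5555550100
Registrant Email: Select Contact Domain Holder link at https://registrar.example/whois
Admin Name: Jane Example
Admin Phone: REDACTED FOR PRIVACY
Admin Email: jane@example-audit.com
"""

CONTACT_FIELD = re.compile(r"^(Registrant|Admin|Tech|Billing) (Name|Organization|Street|Phone|Fax|Email)$")
# Assumption: common redaction wording; registrars vary, so extend as needed.
REDACTION_MARKERS = ("redacted", "privacy", "not disclosed", "data protected")

def parse_whois(text):
    """Return (key, value) pairs from the 'Key: value' lines of a Whois answer."""
    split = (line.strip().partition(":") for line in text.splitlines())
    return [(k.strip(), v.strip()) for k, sep, v in split if sep]

def referral_server(registry_text):
    """Thin registry: the only pointer to contact data is the registrar's server."""
    for key, value in parse_whois(registry_text):
        if key.lower() == "registrar whois server":
            return value
    return None

def exposed_contacts(registrar_text):
    """Contact fields whose values are published rather than blank or redacted."""
    exposed = {}
    for key, value in parse_whois(registrar_text):
        redacted = any(m in value.lower() for m in REDACTION_MARKERS)
        form_only = key.endswith("Email") and "@" not in value  # web form, not an address
        if CONTACT_FIELD.match(key) and value and not redacted and not form_only:
            exposed[key] = value
    return exposed

if __name__ == "__main__":
    print(referral_server(REGISTRY_ANSWER), exposed_contacts(REGISTRAR_ANSWER))
```

Any field this reports for your own domain is what a bulk collector would also see; enabling the registrar's privacy or redaction option and re-running the check should leave the result empty.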