No Comments

How spammers find new domain registrations

Spammers use a two-step process to learn about new domains and get the registrant’s contact details.

Picture of a man screaming into a phone with the words "Whois Abuse"

My phone number has been abused over the past week. I’ve received dozens of spam text messages, robocalls, and telemarketing solicitations from people selling web design and logo design services.

It’s my fault. I made the mistake of registering domain names using my unprotected contact information. I should have known better than that.

In my post last week about the volume of spam, someone asked how spammers find out about new domain registrations.

A few years ago, a domain name registrar told me they were amazed at how quickly people started receiving spam after registering a domain name. Sometimes the barrage began fewer than 15 minutes after registration. It turns out that Verisign offered a service called Domain Name Zone Alert (DNZA). This service alerted people when a change was made to the zone file, including when a domain name was added to the zone.

There are legitimate uses for this data, but it was clearly abused. Verisign terminated the service over a year ago.

Spammers can still get data on new registrations but not as quickly. Verisign is required to provide access to its zone files. It publishes the zone file every 12 hours, and subscribers are allowed to download it once per day.

Again, there are many good uses of this data. That’s why ICANN requires Verisign to post it. But it is being abused.

There’s a second step that spammers must take to get the contact information. .Com has a “thin” Whois environment. This means that the registrar maintains the registrant’s contact details. When you make a Whois request, the registrar, not the registry Verisign, provides this information.

Spammers used to get Whois information in bulk through Port 43. Many registrars no longer provide full Whois through Port 43, so spammers have to either scrape the registrar’s Whois function on their site or pay someone to grab the data manually. (The latter could be very affordable through something like mTurk.)

Some services sell this data. They create the systems to collect and then sell it to multiple parties.

The good news for domain registrants is that most registrars began redacting phone numbers after GDPR went into effect.

The upshot is that there is data on fewer domain registrations available to spammers, so customers of registrars who still publish the data get a higher volume of spam.


Source: (

You might also like

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.