Domainers Gone Blind: The Trouble With Bogus IDN Auctions

It's no secret that domain prices are on the way up. But what happened this weekend caught even the hardened domainers among us by surprise:

The domain auction for xn--fx-kja.com attracted 102 bids from 26 bidders - and closed with a final bid of $46,001!

These domain investors must know something that we don't:

  • Is xn--fx-kja a high-traffic typo of the latest Web 2.0 company to be snapped up by Yahoo?
  • Has Bubble 2.0 reached its peak, with domain names back at their 1999 valuations?
  • Is this a misconceived publicity stunt to promote an otherwise shunned URL?

Actually, it's none of the above.

xn--fx-kja.com is simply the ASCII representation (punycode) for fìx.com, which looks deceptively similar to fix.com.

fìx.com and fix.com?

In case you didn't notice any difference, we didn't either, and neither did several commentators over at Com. Take another look:

fìx.com - fix.com

Of course, fìx.com (the first one) is pretty much worthless and nobody in their right mind would pay $46,001 for such an ugly domain. But when it looks like the highly valuable fix.com (the second one), it's understandable that potential buyers get excited and smell a bargain. But this time, it wasn't meant to be and the winning bidder will probably refuse to pay when he realizes his mistake.

Meanwhile, at the time of writing, the auction for wìne.com (xn--wne-nma.com) is still in progress. It has attracted 9 bidders, with the top bid currently at €510. How many of them believe they are competing for wine.com? [Note: The auction ended with a winning bid of €31,001.]

Sedo, the company that manages these auctions, does indicate in the fine print that these domains are IDNs, which are, essentially, domains that allow the use of special characters such as á, ï, è etc. However, many domain newbies will not realize what they are getting themselves into.

Therefore, Sedo should either announce these junk domains as follows:

xn--fx-kja.com (fìx.com)
xn--wne-nma.com (wìne.com)

… or ban them entirely. Their domain auction service had started out as a pleasant alternative to eBay's scrap heap but it has degenerated rapidly in recent weeks.

Incidentally, yet another imitator is up for auction on eBay. This time it's fıx.com. No, not fix.com, but fıx.com, which is actually xn--fx-hpa.com. Buyer beware!

While legitimate IDN domains do serve a limited purpose, these bogus domains are worthless and even dangerous. Fortunately, due to spoofing concerns, most browsers convert these domains to their ASCII representations: if you copy fìx.com into your address bar and hit enter, the URL will actually be displayed as http://xn--fx-kja.com. Using your browser as an assistant in this way may be the only sure-fire way to guarantee that a domain you're interested in isn't just a cheap pretender.
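
The same check can be done without a browser. The Python sketch below is an added example, not part of the original article or any Sedo tooling: it converts a listing between its punycode and Unicode forms, names every non-ASCII character, and reports the plain-ASCII name the listing resembles. The function names and the two-entry look-alike table are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table for characters that NFKD does
# not decompose; a production check would use the full Unicode confusables data.
LOOKALIKES = {"\u0131": "i", "\u0430": "a"}  # dotless i, Cyrillic a

def decode_label(label):
    """Unicode form of one DNS label; 'xn--' marks a punycode-encoded label."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def encode_label(label):
    """ASCII (punycode) form of one DNS label, as a registry stores it."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def ascii_skeleton(text):
    """Drop accents and map known look-alikes: roughly what a hurried eye reads."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(LOOKALIKES.get(c, c) for c in decomposed
                   if not unicodedata.combining(c))

def label_scripts(label):
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}

def inspect_domain(domain):
    """Report both forms of a listing plus the signals a bidder should see."""
    labels = [decode_label(l) for l in domain.lower().split(".")]
    shown = ".".join(labels)
    skeleton = ascii_skeleton(shown)
    return {
        "unicode": shown,
        "punycode": ".".join(encode_label(l) for l in labels),
        "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
                      for c in shown if ord(c) > 127],
        "mixed_script": any(len(label_scripts(l)) > 1 for l in labels),
        # A hit means "review by hand": many real words differ only by an accent.
        "ascii_lookalike": skeleton if skeleton != shown else None,
    }

if __name__ == "__main__":
    # Listings from the article, plus the mixed-script case from the comments.
    for name in ("xn--fx-kja.com", "xn--wne-nma.com", "xn--fx-hpa.com",
                 "p\u0430ypal.com", "fix.com"):
        print(name, inspect_domain(name))
```

A non-empty `ascii_lookalike` is a prompt to look closer, not proof of bad intent, since legitimate accented names produce one too.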

Note: Sedo has since made important changes to the way they list IDN auctions.

9 Responses to “Domainers Gone Blind: The Trouble With Bogus IDN Auctions”

  1. Sedo belongs to 1And1.com, one of the World's Worst Registrars.

    Not surprisingly Sedo is following the steps of their parent company by misleading the public with their fine print.

  2. ———–
    xn--fx-kja.com (fìx.com)
    xn--wne-nma.com (wìne.com)

    ———–
    That's a bit draconian don't you think, I suggest;
    UTF8.EXT (xn--ABC09)

    This would do more justice to the actual function of idn's, they are in the first place meant as UTF8-identifiers, it seems logical to emphasize their representation as it is typed and in most cases represented to the webuser as opposed to the blunt ascii-counterpart that only serves as the ip-identifier.

    I suggested the above to sedo in several topics on namepros and dnforum, in fact sedo was warned about this several times through these topics + the email they got from concerned domainers. As a response to one of these topics sedo added the notification that the domain is in fact an IDN, this notification is in itself very clear :
    "
    Domain Name without content.
    Important Notice: This is a Multi-Lingual (IDN) Domain
    "
    leading to :
    IDN Domains are "Internationalized Domains Names", they make the use of special non-English characters possible (i.e. Umlauts like "ä", "ö" und "ü", other European Characters like "á", "é", "í"). These domains are subject to many temporary technical restrictions, for example users need an IDN compatible browser to visit them.

    Following this measure, we responded in the specific topic that domainers would still ignore this notice because they might simply confuse this with international domains in terms of meaning (and not character presentation). There was no response back..

    ————-
    … or ban them entirely. Their domain auction service had started out as a pleasant alternative to eBay’s scrap heap but it has degenerated rapidly in recent weeks.
    ————

    You're going way too far with your suggestions, phishing domains are domains and phishing domains can be idn's, that's the basic kiddy logic here. Duplication, replication, it's all in the game, if you don't have a great name, pretend you have by mixing characters, this is as old as domaining and you know it.

    The fault is with the seller for mimicking (and only that) a name that ís valuable, the auctioneer for leaving out the punycode AND the buyer for effectively ignoring the notice on IDN. The one thing NOT at fault is the technology behind it.

    —————–
    While legitimate IDN domains do serve a limited purpose
    ——————

    Limited to those who see little purpose for it in the first place, get real, idn's have been in development for over a decade, instigated by the fathers of the internet as a necessity for true global accessibility without restrictions; it's meant to REMOVE restrictions.

    Ignorance is idn's greatest problem here, people will be suckered into believing things that are too good to be true, from this moment till the end of mankind, the difference between those who are and those who aren't is the knowledge they possess.

  3. I think the author meant to ban the auctions of these phishing domains, not IDNs.
    The seller could have just used a one for an 'l' or a zero for an 'o' like the old days.
    Some people are taking advantage of a situation and others are copy-catting for easy money.

  4. >>>Fortunately, due to spoofing concerns most browsers convert these domains to their ASCII representations: if you copy fìx.com into your address bar and hit enter (or click here), the URL will actually be displayed as http://xn--fx-kja.com

  5. I agree, measures have to be taken, sedo should use an active approach in preventing phishing
    domains being exchanged through their site. However they can't write an algorithm to recognize
    phishing domains without classifying a larger group of domains as phishing domains, i.e. they will
    have to manually filter out phishing domains, which is very difficult in the case
    of idn's for several reasons :
    - names as described in this article may appear to be phishing domains solely because they are
    similar to their non-accented counterpart, this however would be too blunt for the simple reason that
    many words in latin, anglo-saxon and german languages only differ by an accent or two, words have been and will be
    exchanged between (and especially in) these language groups. Is sedo going to linguistic experts for this ?
    - mixed script domains (not the case for the above names), like the infamous paypal-example where a latin p was
    replaced by a cyrillic p-like letter, are not necessarily phishing domains. Latin mixed with cyrillic and other
    scripts which are similar in presentation but which belong to different language groups may be categorized
    as phishing domains, this makes sense, however symbolic asian scripts are used with ascii-acronyms all the time so they
    should (as by example) be exempt from any blocking measure.

    The only things remaining are :
    - A very clear due diligence policy on the side of the bidder, bidder beware
    - In light of the previous, sedo should provide necessary information to evaluate the
    seller and the domain –> seller history,punycode, mixed characters mentioning.
    - I mentioned seller history; this would reflect any violation of sedo policy
    ; that being said, is offering phishing domains even a violation of sedo policy ?
    (- blocking of mixed scripts, which are similar in appearance and which belong to different language groups)

    Mentioning punycode and mentioning the presence of mixed characters are easy steps, maybe seller history
    is stretching it. Let it be clear that IDN's give an entire new dimension to domaining, in a few years
    time you will have to be knowledgeable about the languages you are dealing with otherwise you're
    target practice for malicious sellers.

  6. [...] A few days ago on com.es the topic of the Sedo auction of the domain fíx.com was discussed, an IDN domain whose name is xn--fx-kja.com. In the comments on Ferran's post, some people pointed out that it was clearly visible that Sedo warned it was an IDN domain, but others indicated that they had placed bids and had also been confused. The news was also picked up by DailyDomainer. [...]

  7. [...] of the confusion over IDN domains in Sedo's auctions, a topic that was discussed on other English and Spanish blogs, as well as on domain forums, Sedo has [...]

  8. [...] In theory, the shift into and out of international domain names could occur seamlessly and invisible to the user. This is a useful feature for users but can also expose them to a dangerous spoof. In essence, the idea behind the IDN spoof is to register a domain name visually very similar to a trademarked name, for example Paypal. Due to the visual similarity of the Latin "a" and Cyrillic "a" a domain name consisting of mixed alphabets can be registered and when presented as a link, (like this, http://www.pаypal.com/ where the first "a" is actually a Cyrillic "a") can easily fool users into thinking they are at the genuine Paypal website. This, of course, would be a great opportunity for phishing scams - or bogus domain auctions. [...]

  9. [...] In theory, the shift into and out of international domain names could occur seamlessly and invisible to the user. This is a useful feature for users but can also expose them to a dangerous spoof. In essence, the idea behind the IDN spoof is to register a domain name visually very similar to a trademarked name, for example Paypal. Due to the visual similarity of the Latin "a" and Cyrillic "a" a domain name consisting of mixed alphabets can be registered and when presented as a link, (like this, http://www.pаypal.com/ where the first "a" is actually a Cyrillic "a") can easily fool users into thinking they are at the genuine Paypal website. This, of course, would be a great opportunity for phishing scams - or bogus domain auctions. [...]
