Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

Detecting scam webshops before they open

Data-based fraud prediction

Just like legitimate goods, fake goods are now increasingly sold on line. A growing number of scam webshops offer designer clothes and accessories at knock-down prices. However, what their customers, or victims, actually receive is poor quality fakes. Adidas, Ray-Ban and Gucci are just some of the brands whose reputations are abused by unscrupulous internet traders. In response, many brand owners actively trawl the internet for scam webshops, with a view to reporting them and getting them taken down. The problem with that 'reactive' strategy is that the good guys are always playing catchup: a lot of damage can be done before each fraud is stopped.

Final study project

As part of my Computer Science course at Delft University of Technology, I therefore decided to look into the possibility of detecting fraudulent webshops before they start trading. The research formed my final study project, and was carried out at SIDN Labs. If a way could be found to predict whether a newly registered domain name was going to be used for the sale of fake goods, that would open the way for preventive intervention to protect consumers.

I came up with the idea of building a data model using a combination of registration data and infrastructure metrics, which could then be used to make predictions about new domain name registrations.

Data-based fraud prediction

Whereas existing anti-fraud strategies focus on identifying scam webshops by analysing site content, the goal of my research was a way of predicting what a site's content is going to be before it goes live. That implied relying on the data that's available immediately following registration of the domain name.

Reuse of recently cancelled domain names

First, we looked at the information provided by the registrant. The registrant's name, address, phone number and e-mail address, plus the time of registration, were used to build a profile, which was analysed against historical data to calculate the probability of fraud. The history of the registered domain name was also considered. That's relevant because it's common for scam webshops to reuse recently cancelled domain names. Scammers probably hope to take advantage of the fact that domain names that have been in use for a while do better in terms of positioning in search engine results. Many scam webshops consequently have domain names that bear no relation to what they are selling. Expensive shoes might be sold by a site whose domain name relates to a former art gallery, for example. Or a webshop offering designer jeans might have a domain name that once belonged to a housing association.

Webhosting data from OpenINTEL

In addition to registration data, information about the infrastructure used by a site can provide valuable pointers. SIDN's records include details of the registrar used to register the domain name, as well as the associated name servers. However, SIDN doesn't hold the web hosting details. In order to include that data in the prediction process, I turned to OpenINTEL. OpenINTEL is an active DNS measurement-platform: the status of large parts of the Domain Name System, including the .nl zone, are scanned on a daily basis and the results are archived. By drawing on OpenINTEL records, the address of the web server could be included in the data model. The registrar's name and the addresses of the name servers and web server together form an infrastructure profile that I expected to provide further pointers as to the probability of fraud. 

My supposition was that certain service providers would be attractive to scammers due to a combination of low prices, high convenience and a slack attitude to abuse reports.

Training the model

The various items of data referred to above were collected for two groups of domain names: one group that had recently been used for scam webshops and one group that had been used for legitimate purposes. The two datasets were then used to 'train' a prediction model. That involved analysing the data with a machine-learning algorithm. The outcome was a model capable of making predictions about how recently registered domain names are likely to be used. Over time, both the registration profiles and the infrastructure profiles associated with fraud are likely to change. The model therefore requires regular retraining on the basis of the latest data. To that end, details of correctly identified fraudulent domain names can be used to build a dataset for subsequent model retraining. A continuous cycle is thus established, enabling the model to adapt to new trends and developments. Training is based exclusively on domain names registered in the last two months, so that the model is not pointlessly complicated by the inclusion of registration profiles and infrastructure profiles that are no longer indicative of fraud. 

Evaluation

In order to assess the accuracy of the prediction model, we input all registrations made in the first six months of 2018. For the experiment, the model was retrained daily using the latest information. Of the domain names flagged up by the model as suspicious, 85 per cent did indeed appear to be fake product outlets. In 12 per cent of the suspicious cases, it was not possible to establish what the domain name was actually used for. Predictions of abuse turned out to be demonstrably false in just 3 per cent of cases.

Findings

All registrations made between April 2016 and August 2018 were analysed using the procedure described. That gave us a dataset on 30,000-plus scam webshops. Analysis of the dataset yielded a number of interesting additional findings. First, two thirds of all fraudulent webshops studied were the product of just twelve campaigns (where we define a campaign as a group of registrations that use the same procedure to generate the details needed to register a domain name). 

Coordinated operation

The majority of fraudulent registrations appear to be part of coordinated operations. For example, we observed repeatedly that campaigns would abruptly switch registrars or hosting service providers. Some registrations also appeared to be automated, with large numbers of domain names all registered at the same time. On the other hand, spelling and typing errors were common in the registration data, suggesting manual entry. 

Activity

Looking at when domain names are registered for fraudulent webshops, it's apparent that most malicious registrations are made on weekdays, just like legitimate registrations. However, there's a noticeable difference where the time of day is concerned: malicious registrations are typically made between midnight and 10am (UTC). That suggests that the registrations are initiated outside Europe, in a time zone where the peak period coincides with the working day. The China Standard Time zone (UTC+8) is a likely candidate. The malicious registration time window that we observed corresponds to the period 8am to 6pm in that time zone. What's more, analysis of weekly registration numbers reveals that there is one week in each year when almost no domain names are registered for scam webshops: the week of the Chinese New Year festival.

The future

Using the prediction method described, it's possible to identify scam webshops before they start trading. The system is currently 85 per cent accurate, and there is scope for improving on that. By studying the detected fraud campaigns, inspiration can be found for the development of new features. It would also be interesting to investigate whether the approach is transferrable to the detection of other forms of domain name abuse.

Download the complete thesis 'Proactive Domain Abuse Warning and Notification System'

Article by:

Thijs Brands

Student