.com registration details leaked

Every domain is required by ICANN to have a WHOIS entry, which, among other things, includes the name, address, email, and phone number information of the domain's registrant, administrative, and technical contacts. While it's against the rules (section 3.3.5) to use this for marketing purposes, it's done all the time. It's partly for this reason that many domain registrars offer a "privacy" service whereby they act as a communication proxy for the domain's actual contacts.

There is no central WHOIS database, so, I'll be honest, I don't know how they find newly created domains*. While WHOIS records do contain information about when the domain was created, last updated, etc., I'm not aware of a way to query a WHOIS database based on these fields. But then I'm not a spammer either...

According to ICANN's website, handling complaints about abuse of WHOIS data is outside their authority, and they suggest you seek other methods to deal with the problem:

Spam complaints are outside of ICANN's scope and authority; for these types of complaints, please refer to one of the options listed below:

  • You may want to contact a law enforcement agency in your jurisdiction
  • You may want to file a complaint with a consumer protection entity such as the International Consumer Protection and Enforcement Network or the US Federal Trade Commission
  • You may want to contact the spammer's Internet Service Provider
  • You may want to contact the registrar of the spammer's email

If it's any consolation, I've registered my fair share of domains, and my experience has been that the phone calls and spam email come to an end rather quickly.


*I did a quick Google search and discovered a number of services offering bulk access to WHOIS data.


Each gTLD registry is mandated through its ICANN contract to provide its zonefiles.

The zonefiles list all published domain names, which is almost all domain names in the TLD, but not all: this excludes domain names without nameservers (a totally legit case: you can sometimes wish to protect a name without associating it with any online service), or domain names being "on hold" (the EPP statuses clientHold or serverHold that remove the domain names from publication).

You can do a search on CZDA to find the online platform that will enable anyone, for free, upon accepting a contract, to grab any gTLD zonefile; these are updated each day.

So it is very easy that way to get a list of domain names. If you do it 2 days in a row, you can compute the difference and find the newly added domain names (which would basically be the newly registered domain names, with some exceptions for the reasons outlined above), and then do whois queries to grab the contact data associated with these domains and then contact people.

Note that when you access the CZDA you are signing a contract that enforces some rules on what you can or cannot do with the data. I am not sure that the activity described here falls into the acceptable case of the contract, but I am not a lawyer and this is extremely difficult to respect. Anyway, it is trivial technically.

ccTLDs most often do not provide access to their zonefiles. Some of them (like .FR) just provide each day the list of newly registered domain names, which puts you back exactly at the previous step when you computed the difference of two zonefiles, and then enables you to contact people in the same way.

Also, and completely unrelated, if you carefully read the ICANN registrars contract (so again only for gTLDs), you will find inside a clause showing that the registrars have to sell their full database of names + contact data in some specific cases. This is costly ($10 000 per registrar!) but can also be a way to get the data.

A way to protect yourself against all of these solicitations is to register your domain names with privacy/proxy services so that your personal data never appears in whois output. This is offered by many registrars, and will become more and more the norm, due to new regulations about data privacy for individuals, like the GDPR in the European Union.
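
The zonefile difference described in the answer above, as an added example that is not part of the original answers: it parses two constructed snapshots of a reserved `.test` zone, lists the names that gained a delegation between them, and shows that a registered name with no nameservers or on hold is absent from what a zone-file reader sees. All names, addresses and the `REGISTERED_DAY2` set are constructed, and the parser assumes one record per line.

```python
# Added example. Both snapshots are constructed (.test is a reserved TLD).
DAY1 = """\
$ORIGIN test.
test.       86400  IN SOA ns.registry.test. admin.registry.test. 1 7200 900 1209600 86400
test.       86400  IN NS  ns.registry.test.
alpha       172800 IN NS  ns1.host.example.
            172800 IN NS  ns2.host.example.
BRAVO.test. 172800 IN NS  ns1.host.example.
"""
DAY2 = """\
$ORIGIN test.
test.       86400  IN SOA ns.registry.test. admin.registry.test. 2 7200 900 1209600 86400
alpha       172800 IN NS  ns1.host.example.
bravo       172800 IN NS  ns1.host.example.
charlie     172800 IN NS  ns1.charlie.test.
ns1.charlie 172800 IN A   192.0.2.53 ; glue record, not a delegation
"""
# Constructed registry view for day 2: delta.test has no nameservers and
# echo.test is on clientHold, so neither has any record in DAY2.
REGISTERED_DAY2 = {"alpha.test.", "bravo.test.", "charlie.test.", "delta.test.", "echo.test."}

def delegated_names(zone_text):
    """Names below the zone apex that own at least one NS record."""
    origin, owner, names = "", None, set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].startswith("$"):              # directive; only $ORIGIN matters here
            if fields[0].upper() == "$ORIGIN":
                origin = fields[1].lower()
            continue
        if not line[0].isspace():                  # a blank owner inherits the previous one
            owner = fields.pop(0).lower()          # DNS names are case-insensitive
            if not owner.endswith("."):            # relative name or "@"
                owner = origin if owner == "@" else f"{owner}.{origin}"
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # optional TTL and class
        if fields and fields[0].upper() == "NS" and owner and owner != origin:
            names.add(owner)
    return names

def newly_published(yesterday, today):
    return sorted(delegated_names(today) - delegated_names(yesterday))

def unpublished(registered, zone_text):
    """Registered names that a zone-file reader cannot see."""
    return sorted(registered - delegated_names(zone_text))
```
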