Spam Links

Wednesday, January 3, 2007

Oversee.net's Chesterton Holdings carry on domain swiping as Maltuzi Holdings

The world of domain swiping continues unabated. Oversee.net and their operations, who I covered before, continue to domain taste and, apparently, to domain swipe.

To summarize:

  • Chesterton Holdings swipe domains following whois searches in online whois portals
  • Chesterton Holdings register those domains through NameKing.com
  • Chesterton Holdings use the Information.com service to monetize the domains

The same goes for Jucco, Munchale, and LaPorte, and all of the other "holdings" companies.

And the link to Oversee.net?

  • Oversee.net own NameKing.com, their pet domain registrar
  • Oversee.net own DomainSponsor, which operates Information.com
  • Oversee.net share a corporate HQ with Chesterton Holdings

You can read the original post for more details on the connection between Chesterton Holdings and Oversee.net.

Since I detailed the links between the domain swipers at Chesterton Holdings and Oversee.net, Oversee have publicly admitted the connection between Oversee.net and Name King, the registrar they use to make their "domain tasting" operation possible:

My name is Jothan Frakes. As Tim mentioned, I'm a senior account manager at a company called Domain Sponsor. In the interest of full disclosure and to make sure there's integrity to this session, I do want to disclose that my parent company [Oversee] owns a registrar, Name King, and that company does participate on behalf of its customers for domain tasting or add grace use.

While checking to see if Chesterton were still going, I found that only the websites for the "holdings" companies Jucco and Field Lake and Sky remain, with an obvious reference to "Chesterton Holdings LLC" in the code for their webpages. I also stumbled across a page describing the operations of an apparently new company, "Maltuzi Holdings". Chesterton have gone fairly quiet, and it should be no surprise that Maltuzi are just a new incarnation. They have garnered the same attention and reputation as Chesterton did at first, yet the connection between Maltuzi and Chesterton has not been noticed.

In case there is any doubt about the connection, the Maltuzi website shares the same reference to Chesterton in its code as the Jucco and Field Lake and Sky websites:

<param name="movie" value="Chesterton Holdings LLC.swf">

Sure, more care may have been taken on the company address, using a forwarding address in the "Downtown Mountain View Center", but the registered agent used for their company registration is identical to that used for Chesterton Holdings.

Maltuzi also uses NameKing.com and the Information.com services, owned by Oversee.net, just as Chesterton Holdings did.

There are a lot of complaints about Maltuzi (inevitably, given that they are swiping domains).

Business Week seem to have got a response out of Maltuzi:

T. Salonen, manager of Mountain View (Calif.)-based Maltuzi, says his company is a "bulk registrant" of domain names, but says there's nothing wrong with that. "We are actively buying domain names based on a variety of criteria," he writes in an e-mail interview. "We...purchase those domain names which have certain traffic levels or pay-per-click viability and return those which do not meet those and other criteria."

That doesn't say very much at all that we didn't already know, and very little about domain swiping, or the connection between Maltuzi and Oversee.net.

Specific sources for the swiped domains are again unclear, but one post describes using Instant Domain Search, and then losing a domain to Maltuzi, which fits the previous method identified by Larry Seltzer: the CNet Domain Search page.

DomainTools (run by Name Intelligence) claim that domain swiping is a myth, and that names are simply registered by coincidence, but that doesn't line up with the facts. Instant Domain Search are similarly dismissive in replies to a blog post fingering their site as a source of domain name leaks. Did Chesterton really register "lickmynose.com" by complete coincidence, so soon after Larry looked it up? I think not!

If there are markets of whois query information inside the lookup and registrar communities then having NameKing.com gives Oversee.net (and so Chesterton, Maltuzi, etc.) easy access, whatever the methods. My favorite theory is that the whois meta searches go off and query every accredited registrar: NameKing.com is the registrar owned by Oversee.net, who appear to also operate Maltuzi... easy.

The ups and downs of the Maltuzi domain portfolio can be followed at the excellent IPWalk, and they feature high in DailyChanges and the DomainDB top DNS lists. We're talking seven figures of domains, and daily changes of six figures, as before with Chesterton and friends.

Domain tasting and swiping are still very much in the news, but with major benefactors such as Oversee.net involved in ICANN and not fully disclosing what they do under the banner of "holdings" companies, the prospects for eliminating domain tasting and swiping or discovering exactly how Oversee's holdings operations are "swiping" domains appear remote.

A step has been taken in the right direction by the .org registry, but whether that is effective and how the rest of the name space is dealt with by the industry and by ICANN remains to be seen.

Oversee.net and Maltuzi did not respond to queries.

Domain swiping is an abuse of the trust that users place in the whois services, and domain tasting is causing real harm to others, such as real costs for registrars. If the domains involved are typo-squatting (as a great many are) then users are being manipulated into visiting sites that they never intended to visit, and trademarks are being abused.

None of domain swiping, tasting or typo-squatting are spam, but they all demonstrate the same contempt for others that characterizes spam.


Sunday, September 17, 2006

Chesterton Holdings are swiping spammers' domains from under their noses - but who are "Chesterton"?

Domains used by spammers in links to their websites have recently been swiped by an outfit calling themselves "Chesterton Holdings". Far from being a white knight vigilante, it seems Chesterton may themselves be a nuisance, part of a murky corporate world of "domainers", domain kiting and pinched whois searches.

I was checking out a spam sent on 1st August from a "Pharmacy Express" spammer (possibly Yambo Financials) selling "Vijagra" and "Cijalis" from a site called www.brotersad.com. To my surprise the website was one of those holding pages, used to make money out of dormant domains. It had entries to sponsored links for "Sexual Enhancement" and "Phetermine", so while it wasn't what the spammer wanted me to be seeing, curiously it did seem to know in what context the domain was to be (or had been) used. The site served links from Information.com, and a search for words on the page found several more holding pages like this hosted by Information.com. The spam was sent on the 1st, and the domain was registered by "Chesterton Holdings" on the 2nd, through the registrar Name King.

On the second occasion, a week later, the spam affected was this time certainly from Yambo Financials. Instead of going to a page for MyCanadianPharmacy, the URL redirected to a page entitled "Zeretcon.com: What you need, when you need it". This is the Oversee.net "DomainSponsor" service. Thousands of other sites share the same layout. Oversee.net own Information.com, so the previous site is probably part of the same service. The domain was registered in the same way to "Chesterton Holdings" very soon after (or even before) the spam was sent, giving an address and phone number in Los Angeles as the registration details.

A phishing domain has also been grabbed by "Chesterton Holdings", again with text on the holding page tailored to the right topic, such as "Midamerica Bank", and with the same "What you need, when you need it" tagline and layout.

At first sight it looks like Chesterton Holdings are somehow discovering domains that a spammer is using or intends to use in spam, registering those domains with Name King before the spammer gets there himself, and then using Oversee.net's DomainSponsor service to "monetize" the domain. The uncannily accurate wording on the would-be spam or phishing site may be influenced by people searching in the box on the page for words relevant to the phish or spam that lead them to the page. Using those words, the sites cleverly adapted their contents, as the DomainSponsor site boasts.

So, who are Chesterton Holdings?

On the chestertonholdings.com website they claim that they "acquire our names in bulk through proper channels and sophisticated technology", which doesn't make things any clearer, and sounds downright fishy. A few incidents, most notably covered in eWeek's "Whois Hijacking My Domain Research?" by Larry Seltzer with more comments elsewhere, suggest they may be domain kiting (or domain tasting) after somehow acquiring results from web based whois lookups - which does not sound like entirely "proper channels" (as the spammers like Yambo might agree). The suspicions of domain kiting were confirmed by DailyChanges, who track domain sales - Chesterton both bought and sold over 100,000 domains in one day in August 2006, which is a sizeable portion of the total daily adds and deletes.

Research by Brad Waller on ReveNews (using tools listed at Server Usage on Spam Links) shows that several similar companies are operating from the same server: 207.234.147.193 hosts Hornbrook Holdings (hornbrookholdings.com), Hornbrook Company (hornbrookcompany.com), LaPorte Holdings (laporteholdings.com), Jucco Holdings (juccoholdings.com), Munchale Holdings (munchaleholdings.com) and Field Lake and Sky (fieldlakeandsky.com), all registered with similar details and all through Name King.

A search of California State records (found off US States Public Records on Spam Links) showed that Chesterton Holdings and LaPorte Holdings are registered businesses in California, while Munchale Holdings is now suspended. Both Chesterton and Munchale were registered on 10/28/2004 at 818 West 7th St Ste 700, Los Angeles, CA 90017, while LaPorte was registered on 9/13/2004 at 5482 Wilshire Blvd #128, Los Angeles, CA 90036.

Looking into Name King, the registrar for the domains, showed that unusually there was no way to sign up to register domains with Name King on their website. One site, Domain Cargo (domaincargo.com) claimed to register their domains via Name King, and unconvincingly implied that they are separate entities. Neither NameKing nor Domain Cargo were registered as companies in California, though Domain Cargo's whois showed the registrant as Munchale Holdings, linking it back to Chesterton Holdings. Name King have been involved as registrar in past domain squatting cases, for the majority of which LaPorte were registrant and failed to answer the complaint. Of the rest, some were against "Horoshiy" and Jucco Holdings. When I checked a domain "gapbusters.com" that was once owned by Horoshiy it was instead registered with Jucco Holdings, so it is possible that Horoshiy is linked to Chesterton and friends.

Looking more closely at the registrations for the various domains listed earlier, I could see that the domains hornbrookcompany.com, hornbrookholdings.com, chestertonholdings.com, juccoholdings.com, munchaleholdings.com and fieldlakeandsky.com all had name servers provided by nameking.com and were all served from the single IP 207.234.147.193, hosted with Affinity Internet. The Name King servers were hosted out of one of Oversee's IP ranges, which suggested a connection between Name King and Oversee.net, who provide the holding pages.

The addresses used for Name King (2202 S. Figueroa St. Suite 721, Los Angeles, CA 90007), LaPorte (5482 Wilshire Blvd #128, Los Angeles, CA 90036), and Chesterton, Domain Cargo, Munchale, Hornbrook and Jucco (655 Flower St #253, Los Angeles, CA, 90017) were respectively a UPS store and two MailBoxes etc. stores. The Chesterton (and Munchale) Holdings corporate registration address (818 West 7th St #700, Los Angeles, CA 90017) is located right next to the second MailBoxes store, and a short drive both straight up S. Figueroa St to the UPS store and up Wilshire Blvd to the first MailBoxes store. Only fieldlakeandsky.com does not fit in - it is in Wyoming - but the address is another MailBoxes store. At one point the same West 7th St address was given in , but seems to have been altered since, so Name King and Chesterton, LaPorte etc. are one and the same, not registrar and customer!

Checking the phone numbers in the domain registrations, I confirmed that they are all in the core of the downtown Los Angeles business district. The number for Name King (213-220-5715) is a cell phone, as are those for Chesterton (213-407-1774) and Hornbrook/Jucco (213-924-8981). Those for Domain Cargo/Munchale (213-612-0610) and LaPorte (213-683-9910) are fixed lines, and a business reverse search on this last number of LaPorte's gave the same W 7th St address as for Chesterton Holdings, possibly taken from an old whois registration.
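The pivoting described above (shared hosting IP, shared mailbox address, shared phone number) can be expressed as a clustering problem. The following is an added example, not code from the original post: it merges domains transitively on any shared attribute, using only values stated in the post, with `example.org` as a constructed control record and the "Hornbrook" address and phone applied to both hornbrook domains as an assumption.

```python
from collections import defaultdict

IP = "207.234.147.193"
FLOWER = "655 Flower St #253, Los Angeles, CA 90017"
# Values transcribed from the post; None = not stated there. "Hornbrook" details are
# applied to both hornbrook domains (assumption). example.org is a constructed control.
RECORDS = {
    "chestertonholdings.com": {"ip": IP, "addr": FLOWER, "phone": "213-407-1774"},
    "hornbrookholdings.com": {"ip": IP, "addr": FLOWER, "phone": "213-924-8981"},
    "hornbrookcompany.com": {"ip": IP, "addr": FLOWER, "phone": "213-924-8981"},
    "juccoholdings.com": {"ip": IP, "addr": FLOWER, "phone": "213-924-8981"},
    "munchaleholdings.com": {"ip": IP, "addr": FLOWER, "phone": "213-612-0610"},
    "laporteholdings.com": {"ip": IP, "phone": "213-683-9910",
                            "addr": "5482 Wilshire Blvd #128, Los Angeles, CA 90036"},
    "fieldlakeandsky.com": {"ip": IP, "addr": None, "phone": None},
    "domaincargo.com": {"ip": None, "addr": FLOWER, "phone": "213-612-0610"},
    "example.org": {"ip": "192.0.2.10", "addr": "1 Constructed Way", "phone": "555-0100"},
}

def norm(value):
    """Compare values ignoring case, spacing and punctuation."""
    return "".join(c for c in value.lower() if c.isalnum())

def cluster(records):
    """Union-find over domains; any shared ip/addr/phone value merges two domains."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    links = defaultdict(list)  # (attribute, normalised value) -> domains carrying it
    for domain, attrs in records.items():
        for key, value in attrs.items():
            if value is not None:
                links[(key, norm(value))].append(domain)
    for domains in links.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    shared = {k: set(v) for k, v in links.items() if len(v) > 1}
    return sorted(groups.values(), key=len, reverse=True), shared

if __name__ == "__main__":
    clusters, shared = cluster(RECORDS)
    for (key, _), domains in sorted(shared.items()):
        print(f"shared {key}: {sorted(domains)}")
    for group in clusters:
        print(len(group), sorted(group))
```

No single attribute links every domain: domaincargo.com joins only through the address and phone number, fieldlakeandsky.com only through the hosting IP, which is why the merge has to be transitive.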

Going back to Oversee.net, who provided the DomainSponsor holding pages to which the swiped domains pointed, I found that the Oversee.net company headquarters are located at exactly the same address (down to the suite number) as that given in the Chesterton Holdings corporate registration - and both use the same company, Paracorp, as their registered agent. The suite number (700) was confirmed by the address given on low.com, an Oversee.net site, and on whois registrations for Oversee.net's networks. This address is also that at which Name King once gave an address in whois, and with which LaPorte holdings is associated by a reverse phone lookup. The post boxes are thus conveniently located a short drive from the Oversee.net headquarters, and the Oversee.net corporate address coincides with addresses used by Chesterton and in the past by LaPorte and Name King.

The picture that emerged was that Chesterton Holdings (and the other "holdings" companies), Domain Cargo and Name King are closely tied with each other, and with Oversee.net. Name King appears to be used to allow the group to register domains for themselves, and the holdings companies are used to dissociate the less PR-friendly activity from Oversee.net. By using mailboxes and registered agents, the relationship between Oversee.net, Chesterton Holdings, Name King and Domain Cargo was shrouded, but the evidence shows that all of them are run from the same offices. The same conclusion is reached in this thread on Domain State, though the corporate registration piece is missing from their jigsaw puzzle; this is picked up in this digg thread on the same topic.

A Friendster page of an Oversee employee helps confirm the link: Vy Tran lists her companies as "LaPorte Holdings, Oversee". That may have been enough to have her personally named in a lawsuit that the Scouts brought against Oversee back at the start of the year.

Who are Oversee.net?

Oversee.net is an Internet advertising company. A large part of their business revolves around "monetizing" and growing their domain name portfolio. Lawrence Ng is the head of Oversee.net. Aged 21, in 2000 he co-founded the company with Fred Hsu. Ron Sheridan is Director of Business Development, whose saying is "He who controls the traffic, makes the rules". Jothan Frakes is Director of Strategic Accounts, who hosted a recent ICANN meeting on these very issues in the "domain marketplace".

Swiping and monetizing domains searched in whois might appear to be a natural extension of the Oversee.net business model ("He who controls the traffic, makes the rules"), but given the secrecy surrounding the Chesterton Holdings page, Oversee.net apparently do not wish to be associated with this. The press contact for Oversee.net stated that the "business model of Oversee.net is not based on deliberate bad-faith domain registration", but failed to respond to further questions.

As to how domain swipers get the data, Larry Seltzer and others point the finger at harvested web based whois searches, but exactly from where and how the whois search data reaches "Chesterton" remains unclear. The number of domains registered as Chesterton Holdings is large and rapidly changing so it is likely they will cross another spammer or two (as well as less deserving victims) in the future.

Timeline:

30 Nov 2000 OVERSEE.NET company registered
18 Mar 2001 oversee.net registered
21 Mar 2001 targetwords.com registered
03 Jul 2001 inboxrewards.com registered
31 Jul 2001 domainsponsor.com registered
17 May 2002 proredirect.com registered
02 Sep 2004 C AND J VENTURES, INC. registered
13 Sep 2004 LAPORTE HOLDINGS, INC. registered
28 Oct 2004 MUNCHALE HOLDINGS, INC. registered
28 Oct 2004 CHESTERTON HOLDINGS, INC. registered
Nov 2004 Oversee.net launches DomainSponsor 2.0
29 Nov 2004 hornbrookcompany.com registered
30 Nov 2004 laporteholdings.com registered
30 Nov 2004 hornbrookholdings.com registered
22 Jan 2005 First page in archive.org with NameKing.com in current form
08 Mar 2005 chestertonholdings.com registered
19 May 2005 domaincargo.com registered
03 Mar 2006 juccoholdings.com registered
07 Jun 2006 fieldlakeandsky.com registered
21 Jun 2006 munchaleholdings.com registered

(A similar domain swipe seems to have happened back in April this year, to the same "Pharmacy Express" spammer, this time affecting the domain swigotis.com. The site showed the same DomainSponsor layout, but the registration of the domain is to a "C and J Ventures Inc", based in Long Beach, California. It is not immediately clear how much this has to do with the main Chesterton Holdings domains, but the location may be more than coincidence.)

[Edited to add employee details, and move swigotis paragraph to the end.]
