NikolaNovak · 20 days ago
Oh man. The infinite loops of impossible verification by large companies that should know better are a massive pet peeve of mine.

This goes right to the top for me, along with the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email". Either people who do this for a living have no clue how to do their job, or, depressingly more likely, their goals are just completely misaligned to mine as a consumer and it's all about "removing friction" (for them).

duxup · 19 days ago
Oh man, we had a person leave unexpectedly who controlled our Apple organization for our dev accounts. I'm several months into making requests, getting responses at least a week later for each email, where the responder ... didn't really read my message. Then they ask for documents ... but they forgot to send me the secure link ... another week+ for them to do what they said they were going to do. Now one of my documents didn't include a sentence they needed ...

One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.

The amazing thing is that I bet scammers working this system can get through this faster than I can.

At this point they should just give me control because no way would some scammer fail this much at this ungodly process.

praestigiare · 19 days ago
Scammers can definitely get through it faster than you can. Whenever you attempt to address abuse in a system by increasing the complexity of that system, you implicitly bias it towards those with the time and inclination to study it, which always includes those with intent to abuse it, and generally does not include your users.
mxuribe · 19 days ago
I'm in a similar boat... and over the weeks where I have been sending the requested docs/files... Apple reps come back and state that one of the docs I sent them was not valid... so I ask them to clarify their "definition" of the doc... and they just either reply with unhelpful comments, or delay a little and delay things further. When someone asks for a copy of a payslip and you send it... but then Apple says it's not a payslip, I genuinely am sad about the overall state of the world... I dislike Apple and all these big tech providers for their abusive control/power and at the same time vast layers and levels of incompetence. :-(
MereInterest · 19 days ago
> Oh man. The infinite loops of impossible verification by large companies that should know better are massive pain peeve of mine.

I got hit by this from google.

1. Gmail added requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).

2. Gmail added requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used my recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).

3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.

Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.

fencepost · 19 days ago
Google made it very clear years ago that they shouldn't be trusted with anything irreplaceable/that would cause major problems if you lost access.

Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.

It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!

akoboldfrying · 19 days ago
> Fundamentally, this was google's fault for misusing a recovery email for 2FA.

While this would absolutely suck and I sympathise with anyone getting hit by this out of the blue, it's pretty clearly your fault, not Google's. What should they have done? Just permit everyone to avoid upgrading to 2FA indefinitely? That would result in relatively more account hacks overall, for which they would inevitably be roasted in the court of public opinion.

deepsun · 19 days ago
> Fundamentally, this was google's fault

Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.

What would you do in Google's place?

rationalist · 19 days ago
Someone constantly adds my Gmail address as their Gmail account's backup address.

I constantly remove it whenever Gmail sends me the notification.

I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.

ChrisMarshallNY · 19 days ago
I have an "OG" mac.com account (got it about five minutes after Steve announced it). My wife actually has her first name.

We both get hit with "OG Hell," where people are constantly entering our emails. I think most of the time, it is accidental (maybe they meant "XXX1234", and forgot the number).

What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.

mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.

I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.

Romario77 · 19 days ago
I logged in several times to other people's accounts and reset their passwords. But it's too tiring, people keep adding my email.

I hope it's because I have small simple email and not because they want to steal it.

tecleandor · 19 days ago
My Gmail account is a funny word in Spanish that I got when there was still plenty of names available.

I get TONS of emails of people trying to join services that use my address as a "fake email".

parable · 19 days ago
This happens to me several times a month. I'm more concerned about account termination, in that if their Gmail account is terminated for some reason, mine would be as well due to it being the backup email address.
pocksuppet · 19 days ago
You could try stealing theirs. Surely, one of the forgot-password flows must use the recovery email.

jacekm · 19 days ago
A couple of years ago someone associated my email with their bank account in Santander UK. I tried to get in touch with Santander but it turned out that the only way to do so is to either make an international call (I don't live in the UK) or send them a paper letter. I gave up and just routed these emails to a separate folder.
subscribed · 19 days ago
I meticulously report every single one of these emails as spam. Every single one. If it _could_ be read as a phishing attempt, I report them as phishing.

Etc.

plagiarist · 19 days ago
I prefer "please verify your account" to "thanks for joining" by a lot. The former presumably does not verify when I ignore it. The latter should be illegal but somehow isn't.

I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.

Aachen · 19 days ago
Any idea what the incentive is for them to put in an email address they can't access?

I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, I haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1. Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting in more than two email addresses per month, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email address is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse.
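The per-/24 submission cap Aachen describes, written out as an added example (this is not Aachen's code, and the thread does not say how their site implements it). The window length, the v4 and v6 prefix lengths and the per-prefix caps are assumptions exposed as constructor arguments; the clock is passed in so the logic runs offline.

```python
# Added example: sliding-window submission limiter keyed on the client's
# network prefix rather than its exact address. Not code from the thread.
# Assumed (not stated by Aachen): 30-day window, 2 submissions per IPv4 /24,
# 1 submission per IPv6 /48.
import ipaddress
from collections import defaultdict, deque

THIRTY_DAYS = 30 * 24 * 3600


class PrefixRateLimiter:
    """Limit accepted submissions per network prefix within a sliding window.

    Keying on /24 (v4) and /48 (v6) instead of the full address means a
    submitter cannot dodge the limit by rotating through the addresses of a
    single customer allocation.
    """

    def __init__(self, window_s=THIRTY_DAYS, v4_prefix=24, v4_limit=2,
                 v6_prefix=48, v6_limit=1):
        self.window_s = window_s
        self.v4_prefix, self.v4_limit = v4_prefix, v4_limit
        self.v6_prefix, self.v6_limit = v6_prefix, v6_limit
        # prefix string -> timestamps (seconds) of accepted submissions, oldest first
        self._events = defaultdict(deque)

    def _bucket(self, ip_str):
        """Return (prefix key, limit) for a client address string."""
        ip = ipaddress.ip_address(ip_str)
        # IPv4-mapped IPv6 (::ffff:a.b.c.d) is IPv4 traffic arriving on a v6
        # socket; unwrap it so it does not get its own, looser v6 bucket.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.version == 4:
            net = ipaddress.ip_network(f"{ip}/{self.v4_prefix}", strict=False)
            return str(net), self.v4_limit
        net = ipaddress.ip_network(f"{ip}/{self.v6_prefix}", strict=False)
        return str(net), self.v6_limit

    def allow(self, ip_str, now):
        """Accept (and record) a submission from ip_str at time `now`, or refuse it.

        Only accepted submissions are recorded, so a flood of refused attempts
        from one address cannot extend the lockout for its prefix neighbours.
        """
        key, limit = self._bucket(ip_str)
        q = self._events[key]
        while q and now - q[0] >= self.window_s:   # drop entries outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True
```

Constructed addresses from the documentation ranges (203.0.113.0/24, 2001:db8::/32) are enough to exercise it: two accepts from one /24, a third refusal, a refusal for the same /24 arriving as an IPv4-mapped v6 address, and an accept again once the oldest entries age out of the window.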

prmoustache · 19 days ago
> The former presumably does not verify when I ignore it.

That doesn't prevent a huge majority of them from sending you notification emails all the time even if you never verify.

duped · 19 days ago
A chronic problem is the idea that if something can't be automated with a human in the loop then it simply can't be done at scale. Technologists will do anything except employ humans to solve social problems.
jagged-chisel · 19 days ago
s/technologists/venture capitalists/
derefr · 19 days ago
> along the ubiquitous "please verify your account" emails with NO OPTION to click "that's NOT me, somebody misused my email"

What would you expect clicking that "wasn't me" link to do?

In 99% of cases, the user who signed up with your address already can't do any more with that account unless you positively confirm it was you; and the site also won't send you any more email because they don't consider the email verified (and so sending to it might result in their emails getting sent to spam -> their email-sending reputation score going down.) So things are already in the state you'd want them to be in, no?

The only problem I can think of with that state is that now you can't sign up "fresh" for an account with the same provider, because now there's already an account associated with your email address sitting there in their DB in the pending-email-verification state. (But you still can acquire that account, by clicking "forgot/reset password" and going through that flow, which will inevitably go through your email, as anything like a 2FA setup flow always waits behind email verification.)

vintermann · 19 days ago
> and the site also won't send you any more email because they don't consider the email verified

Netflix, for one, didn't do this. They kept allowing this guy to "resend his confirmation email" periodically over several months (I never had a Netflix account).

My theory is that it was an affiliate scam of some sort; someone probably got paid for everyone who signed up with his code. So he "signed up" thousands of random mails in the hope that some of them would click through on the "you're almost ready to start your Netflix journey!" mail and actually subscribe to Netflix.

Arrowmaster · 19 days ago
I'm currently in the endless email loop because someone named Raymond used one of my Gmail names to register with State Farm. One of their agents even emails me directly when he gets really behind on his payments but won't do anything when I tell them it's the wrong email.

In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymond's DOB (don't quote me on that, it's been a while since I tried).

smelendez · 19 days ago
This exact thing happened to me with a State Farm agent.

After a few months, I told them I was concerned about the privacy ramifications and would have to report it to their state insurance regulator, and it was very quickly fixed.

integralid · 19 days ago
No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.

I wonder if finding the people responsible and spamming them with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be the responsibility of some vigilante hacker.

wat10000 · 19 days ago
What is the word for harming other people in order to make more money for yourself, if not "malicious"?
justinclift · 19 days ago
> No need to look for malicious intentions, this is just a feature that costs money so it's very low (or zero) priority for profit driven organisations.

Malicious inattention then, by the profit driven org? :)

b112 · 19 days ago
If bartenders are legally (including criminally!) liable in some jurisdictions for their customers, then certainly a chain of legal liability can exist in other industries.
loloquwowndueo · 19 days ago
With AI these days it’d cost almost zero money. /s
Pxtl · 19 days ago
Ah the old "reverse identity theft".

Relevant xkcd:

https://xkcd.com/1279/

Yeah, I get the same regularly.

thesuitonym · 19 days ago
Smartly, I got firstnamemiddleinitiallastname@gmail.com. I never get anybody else's details.

On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find someone completely ignore what I put into the form and sign me up as firstnamelastname@gmail.com.

cucumber3732842 · 19 days ago
The point of the system is what it does.

They can't just say "we don't want to deal with small timers who will not pay us big bucks doing nonstandard things" without pushback but they can write the policy so that a huge fraction of those use cases fall into some crack that can only be got out of by incurring the kind of expense that's a non-starter for those users. Your municipal code is rife with examples of this.

db48x · 19 days ago
This is a catchy aphorism, but not really true. Things can be badly implemented so that they fail to achieve their purpose.
oooyay · 19 days ago
It's entirely on us as citizens for leaving them as pet peeves instead of crafting them into strategic law that makes them not only illegal but shunned. A little bit of structure goes a long way here.
BobbyTables2 · 19 days ago
Once got one of those with a disclaimer that clicking any link was giving permission to subscribe me…

I believe they included the “unsubscribe” link too…

AtreidesTyrant · 19 days ago
happens with apple products all the time
squeefers · 19 days ago
> Either people who do this for a living have no clue how to do their job,

How naive. Most of the world works to survive, not because it's their dream vocation. They probably don't care as much as you do.

iamnothere · 20 days ago
The registrar relying on Google Safe Browsing as a “trigger” for suspension is the most horrifying thing I’ve seen in a while. This basically makes the entire TLD unviable for serious use.
mzajc · 19 days ago
.online is one of the many TLDs that charge a dollar for registration but bump the price to $30-$35 for renewal. So far, this seems like a good signal to tell apart serious TLDs and ones just preying on customers who sort by cheapest (or capitalizing on one-off phishing domains).
volkercraig · 19 days ago
I had a .fun domain that I was using to host a small project and they pulled that on me, I just let it expire and killed the project.
TLDRisk · 19 days ago
It's the registry, not the registrar. I made a website that tries to help explain some of the lesser known nuances and risks relating to domains. The section about domain reclassification is based on first hand experience and is especially interesting IMO:

https://tldrisk.com/beyond-basics/reclassification/

> This basically makes the entire TLD unviable for serious use.

It doesn't just make the TLD in question unusable. I think it makes most of the new gTLDs unusable. Registries can enact policies and systems like this, regardless of the detriment to registrants, due to a lack of oversight and registrant consideration by ICANN. That creates uncertainty and makes it pragmatic for registrants to simply choose the gTLDs with lots of history and precedence; .com, .org, etc.

The only two TLDs I'd personally rely on are .com (gTLD) and .ca (ccTLD).

mcoliver · 19 days ago
This is the real story. This is 100% a problem with Radix. Safe browsing targets the website not the domain. No reason a registrar should be suspending an entire account over something a company reports. Black-holing the A and CNAMEs on a subdomain? Maybe..... But even then I don't think it's the registrars place to do that. Freezing the entire account? Absolutely not.
NewJazz · 19 days ago
Blackholing the A and CNAMEs would prevent getting off the Safe Browsing list, as mentioned in the blog post.
RHSeeger · 19 days ago
The followup from that would appear to be don't use any domain that Radix controls.
fc417fc802 · 19 days ago
More generally, I think it's advisable to prefer the ccTLDs of places that are politically stable. And (IMO) to view com/net/org as de facto US ccTLDs (technically they aren't but for all practical purposes they might as well be).
holysoles · 19 days ago
Yeah this doesn't seem like a unique or new issue:

https://news.ycombinator.com/item?id=40195410

WmWsjA6B29B4nfk · 19 days ago
Who said serious use is their business model though.
NewJazz · 19 days ago
Registry, not registrar
iamnothere · 19 days ago
Thanks, yes, even worse! The registry should act on only legal orders IMHO.
merek · 20 days ago
The TLD owner in this case was Radix, which also owns

.store .online .tech .site .fun .pw .host .press .space .uno .website

https://radix.website/

g947o · 19 days ago
They seem to be almost always associated with scam sites.

So, might as well block entire TLDs and never buy a domain under those TLDs.

jeroenhd · 19 days ago
These alternative domains are quite popular with the fediverse and other hobbyist-run groups. Affordable domains with somewhat recognisable names still available.

Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.

xnorswap · 19 days ago
The only .fun site I know is neal.fun, which regularly features on the front page here: https://news.ycombinator.com/from?site=neal.fun
mghackerlady · 19 days ago
Funnily enough, good.store, which sounds like a made-up example of a scam, is actually a nonprofit run by John Green and his brother Hank Green.
dist-epoch · 19 days ago
Because they are very cheap. If you are a scammer, why pay $5 for a domain when you can buy one of these for $1.

I use them when I need a random domain.

eli · 19 days ago
That's just because they're relatively inexpensive
Yizahi · 19 days ago
Only .info is missing for the bingo :)
avipars · 18 days ago
add .xyz to that list
ectospheno · 19 days ago
Despite blocking 66 TLDs and all IDN ccTLDs on my home dns I didn’t have these blocked. Guess I’ll consider it. Once you have the hagezi rpz files including threat information feed though you really have blocked most silliness.
slekker · 19 days ago
Which other ones do you block?
jdfellow · 19 days ago
Well, dang. I've used a .tech as my personal domain and email for some years now, and didn't know this was owned by an obnoxious registry.
AshamedCaptain · 20 days ago
> The domain ... has been suspended due to its blacklisting on Google Safe Browsing

Et voilà ... ! this is precisely the slippery slope I warned about a decade ago. The indirect censorship becomes direct censorship, defeating all the arguments about the morality of such a list. And:

> Not adding the domain to Google Search Console immediately. I don't need their analytics and wasn't really planning on having any content on the domain, so I thought, why bother? Big, big mistake.

Yet more monopolistic power to Google.

jeroenhd · 19 days ago
This is 100% on Radix, not on Google. Google and Microsoft can (and probably should) have a registry of known-abusive websites. False positives are inevitable, so these should be taken with a grain of salt, but in most cases they're correct. Their lists are a lot more reliable than those from the "traditional" antivirus/anti-scam vendors that will list anything remotely strange to pump up their numbers.

The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.

AshamedCaptain · 19 days ago
Exactly what we predicted would happen (someone would eventually put "too much faith" in this list) has literally happened, and your defense is still "well it's not Google's fault, it's a 3rd party's!". Obviously the point is not that Google was going to do it, but that others would, analogous to the process known as "self-censorship".
axus · 19 days ago
I read your comment as agreeing with the article: "Never buy a .online domain".

And Google has the right to publish a list, there should be more lists not less. But Google was at fault for not correcting their blacklist. Until the article appeared on Hacker News, this was not 0% on Google. A small, correctable mistake, but they deserved a tiny bit of blame.

kelvinjps10 · 19 days ago
What do you mean, external people? Aren't these lists integrated into the browsers? I'm sure if you try to open a website from this list your browser won't let you and will put up a big warning sign.
lazide · 19 days ago
What is to stop Google et al. from also adding a lot of excess domains to pump up their numbers?

What is to stop everyone from doing this blacklisting?

otterley · 19 days ago
Google’s allowed to have an opinion. But that doesn’t mean that the registrar should be suspending the domain immediately in response. These two mechanisms should be decoupled.
account42 · 19 days ago
Google should not be allowed to make libelous statements without consequences.
creddit · 19 days ago
How was this Google’s fault? Seems clearly like Radix’s fault.
hamdingers · 19 days ago
If a newspaper publishes a false story about a business and someone takes it upon themselves to attack the business, it's partially the newspaper's fault.
account42 · 19 days ago
It's both their fault. Google for making false and clearly damaging statements (libel) and Radix for acting on them.
RockRobotRock · 19 days ago
That's like a business being dissolved because it got a bad rating from BBB. Absolutely insane.
dizhn · 19 days ago
That is the bit that jumped at me immediately too. Why would a registrar take it upon itself to suspend a domain that another entity entirely blacklisted as part of their own completely opaque process? Who is Google? God?

On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.

avaer · 19 days ago
It's like being unable to get a passport because Microsoft has you on The List, and Microsoft needs to see your passport to check why you're on the list.

Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?

bandrami · 19 days ago
> Why would a registrar take it upon itself to

Because keeping Google happy or at least not bothered is an existential priority for registrars

rustyhancock · 19 days ago
Well until a human can verify.

Which likely is slow without a poke; it's reasonable to base the decision on what's available.

That's just how reputation works.

the_arun · 19 days ago
Should domain name matter? Or this applicable to any domain?

TiredOfLife · 19 days ago
Where did you do the warning?

pverheggen · 19 days ago
I wonder if Radix has unknowingly created a negative feedback loop here. From Google's perspective, the DNS records disappear shortly after being flagged by Safe Browsing, which their heuristics may interpret as scammy behavior.
petterroea · 19 days ago
Side note: My empirical experience is that vanity domains are disliked by some enterprise security systems. I have a friend who owns a .homes domain which ended up being blocked by quad9 as well as the enterprise security system of a friend's work for ~half a year. The block cleared by itself.

I had the same experience while buying another TLD. For ~1 month, certain people whose ISP "helpfully" had "safe browsing" features, simply blocked us outright. For being new and different.

The learning for me was that new domains are no longer trusted, and seemingly some vanity domains get even more strict treatment.

mavamaarten · 19 days ago
Even (uncommon) country TLDs too. I own a .vg domain which is a perfect match with the initials of my last name. My mails end up in spam quite often too, despite having set up SPF, DKIM, DMARC and all that stuff correctly. It's just not common so some security systems block it.
Avamander · 19 days ago
It's not just about being common, it's also about the share of abuse coming from such domains.
snailmailman · 19 days ago
This does unfortunately actually work pretty well as a security measure. The new domains that are cheap and good for fun side projects, are also cheap for scammers.

For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.

Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.

It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.
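The TLD-level DNS block snailmailman describes, as an added example of how it is expressed in a BIND response-policy zone (RPZ). This is not snailmailman's configuration and the thread does not say which resolver they use; the zone name, file path and the TLDs listed are assumptions, and the allow-listed host is a placeholder.

```zone
; rpz.local: BIND 9 response-policy zone. Added example, not from the thread.
; Assumed named.conf wiring (not shown in the thread):
;   zone "rpz.local" { type master; file "/etc/bind/rpz.local"; allow-query { none; }; };
;   options { response-policy { zone "rpz.local"; }; };
$TTL 60
@   IN  SOA localhost. root.localhost. ( 1 3600 600 86400 60 )
@   IN  NS  localhost.

; QNAME triggers. "CNAME ." makes the resolver answer NXDOMAIN. The bare label
; covers the TLD apex itself; the wildcard covers every name beneath it, since
; "*.top" alone does not match "top".
top        CNAME .
*.top      CNAME .
online     CNAME .
*.online   CNAME .

; Exception: among QNAME rules in one zone the longest matching name wins, so a
; known-good host under a blocked TLD can be passed through untouched.
; "allowed-site.top" is a placeholder, not a real recommendation.
allowed-site.top    CNAME rpz-passthru.
*.allowed-site.top  CNAME rpz-passthru.
```

RPZ matches on names, addresses and nameservers, so it cannot express "registered within the last 90 days" on its own; that check relies on a resolver or feed with domain registration data, which is a separate mechanism from the static TLD block above.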

mghackerlady · 19 days ago
Fortinet blocks new domains by default so I can never check out cool new projects on the front page when I'm procrastinating nowadays :(
roger110 · 19 days ago
Because the entire security mechanism of the www today is "look at the domain name to make sure it matches." And the TLD is at the end where people might miss it.

bjt · 19 days ago
It's not about the .online TLD being "weird". The problem is that it was free. That's going to attract a swarm of fraudsters, spammers, etc, and then turn into a strong "this is probably fraud" signal in all kinds of fraud scoring systems.

There are lots of domains out there other than .com that are just fine.

fckgw · 19 days ago
.online, .top, .xyz, .info and .shop are some of the top TLDs that scammers use, precisely because of their rock bottom registrar fees that make them attractive for sites that have a shelf life of a few hours or a few days before being blocked. As a result, many places have a blanket "suspicious" flag for fresh domains under these TLDs.

If you plan on building a legit site, do not use any of these cheap TLDs.

al_borland · 19 days ago
Paying through the nose for a .com that is remotely memorable and easy to spell is not a great path forward for a hobbyist or someone who simply wants their own domain for email.

I know someone with a .org domain, and even they have a ton of issues with false flags on their emails due to not coming from a big email provider. They’ve been blacklisted a couple times and regularly get flagged as spam. I’m surprised he hasn’t given up after dealing with this stuff for 25 years.

These new TLDs, I thought, were supposed to open up more options for regular people to get a domain that is semi-decent. Instead they’re essentially useless. Some of the prices are also still insane, due to assumed “premium” status or domain squatters.

There has to be a better way to police this stuff.

mixmastamyk · 19 days ago
Try finding a pithy domain for under 10,000 these days. I tried a week ago and had to settle for something a lot longer than I wanted, and even then it was something from outside the common three-letter TLDs.

garganzol · 19 days ago
Probably this is what's happened here. Either the OP's domain was previously used for shady activities, or the almost-free stigma puts the whole TLD in the grey list of high-risk assets. This probably also explains the nuclear behavior of the registrar (suspension).

Free is good, but sometimes it's not.

ghoshbishakh · 19 days ago
We posted this warning on HN before: https://news.ycombinator.com/item?id=40195410

We struggled a lot when we opted for the .online domain for https://pinggy.io urls