Taking control of a typosquatting domain with a UDRP case

Posted by Paul on 7 April 2022


Have you ever mistyped our website as “polulu.com”? (It’s a common mistake.) Until recently, you would have ended up on the page shown above, full of ads and offers to buy the domain. Even worse, emails misaddressed to polulu.com would disappear without any notification, and the domain owner could easily have used it in phishing scams against our customers. We have been working on tightening up our domain security to fight this kind of abuse, and polulu.com was an obvious problem we needed to solve.

This post describes how we obtained polulu.com under the Uniform Domain-Name Dispute-Resolution Policy (UDRP). While the UDRP is supposed to be an efficient and accessible process, I could not find any clear step-by-step guides online, so I’m posting our experience both to help others and get feedback about what we could have done better.

Background

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organization that controls the domain name system (DNS) of the Internet. Rather than manage DNS directly, they delegate the job to thousands of contracted registrars around the world. To get a domain, you pick an appropriate registrar, sign a contract, and arrange payment. Then they take care of the administrative details and provide you with some kind of control panel for configuring your domain. Normally there’s not much to it, so the registrar’s job seems pretty simple.

It gets complicated when there are disputes about domain ownership, particularly over trademark rights. To address this, since 1999, registrars’ contracts have incorporated terms called the Uniform Domain-Name Dispute-Resolution Policy (UDRP). The idea of UDRP is that people have a right to their trademarked names over someone who has no trademark rights and registered a domain “in bad faith”. Evidence of what ICANN considers bad faith includes trying to resell the name, advertising confusingly similar services, or “typosquatting” – registering a domain that takes advantage of a common typo or which looks visually similar to an existing domain.

With UDRP, instead of suing under some particular country’s laws, trademark owners file a complaint in a special independent arbitration court. ICANN has designated several courts around the world, which are listed here. Currently there are six, and you can choose any of them for a UDRP dispute.

By the way, there is a specific alternative in the USA; we could have sued the owner of polulu.com in federal court under the Anticybersquatting Consumer Protection Act (ACPA). The ACPA could be more powerful than UDRP, for example allowing us to recover damages and costs. But it would probably have required spending thousands of dollars on a lawyer, and who knows if a US law would have any effect on an anonymous domain owner in a foreign country? So we didn’t consider this as a serious option, and we decided to move forward with a UDRP case.

Filing a UDRP case

So, we needed to pick a court for our UDRP case. When I first started looking into this, WIPO came up first in my searches, and since that is a big international organization, I mistakenly thought they were just in charge of UDRP. Looking into it a bit more, I found the complete list and started considering each option. The National Arbitration Forum (NAF), based in the USA, seems to be the second-most-popular provider, and all the other courts are much smaller.

The Czech Arbitration Court (CAC) is much less commonly used, but it seemed like an interesting option. While the other two have flashy websites, CAC’s low-budget layout that looks like it’s from the 90s was actually a lot easier to use, with the important information very readily available. For example, when submitting a complaint, WIPO and NAF have you download a Word file and fill in blanks, while CAC presents a web-based form that made me more confident that I wasn’t going to mess something up. The fees were lower, too. A UDRP case with WIPO costs $1,500; I couldn’t easily find the NAF fees on their website, but various sites quote it at $1,300 to $1,700. The basic CAC price is just 800 EUR, with a possible “additional” fee of 300 EUR, for a total of at most about $1,300.

Paying the CAC seemed relatively complicated, involving setting up an international wire transfer to Czechia with unknown fees and an unknown exchange rate from dollars to euros. From what I read in a few places, the CAC will also subtract their own bank’s fee of about $18 from your payment. If you overpay, they won’t refund you or even tell you by how much, and if you don’t get them enough money in time, you could lose the whole case by default. But I reasoned that this could also work in our favor: if the owner of polulu.com wanted to respond to our complaint in certain ways, they might also have to send in a payment with a strict time limit, and if they failed, it would be easier for us to prevail.

So, we decided to file a UDRP complaint with the CAC. Here’s what the top of their form looks like:

After the basic contact information, there’s this question about “preliminary control”:

I think that this is to help you avoid problems with a deficient filing; we decided to gamble that we would be able to get it right the first time.

Next I needed to enter the contact information for the “Respondent”, the current domain owner. A “Whois” lookup for polulu.com returned only anonymized information, so I didn’t actually know who the owner was, and it was not obvious to me what to enter in that section:

Domain Name: POLULU.COM
Registry Domain ID: 260530185_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.above.com
Registrar URL: http://www.above.com
Updated Date: 2019-09-20 16:39:38.847175+10
Creation Date: 2005-11-18 21:57:43+11
Registrar Registration Expiration Date: 2022-11-18 21:57:43+11
Registrar: ABOVE.COM PTY LTD.
Registrar IANA ID: 940
Registrar Abuse Contact Email: abuse@above.com
Registrar Abuse Contact Phone: +61.390164107
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: above_privacy
Registrant State/Province: Hong Kong
Registrant Country: HK
Registrant Email: polulu.com@privacy.above.com
Registry Admin ID: above_privacy
Admin State/Province: Hong Kong
Admin Country: HK
Admin Email: polulu.com@privacy.above.com
Registry Tech ID: above_privacy
Tech State/Province: Hong Kong
Tech Country: HK
Tech Email: polulu.com@privacy.above.com
Name Server: ns1.lionns.com
Name Server: ns2.lionns.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-09-20 16:39:38.847175+10  <<<

I decided to enter them as an organization called “Above.com Domain Privacy”, using the email address and phone as listed in the Whois information, and entering “Hong Kong” for City, State, and Country.
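
The following Python sketch is an added example, not part of the original post: it parses registrar WHOIS output like the record above into the fields a complainant needs (registrar, abuse contact, registrant country, creation date) and flags a privacy-proxied registrant, which signals that the real Respondent details will have to come from the registrar. The "privacy" substring heuristic is an assumption, and the sample is an abridged copy of the record shown in the post.

```python
from datetime import datetime

# Abridged copy of the WHOIS record shown above (values taken from the post).
SAMPLE = """\
Domain Name: POLULU.COM
Creation Date: 2005-11-18 21:57:43+11
Registrar: ABOVE.COM PTY LTD.
Registrar Abuse Contact Email: abuse@above.com
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: above_privacy
Registrant Country: HK
Registrant Email: polulu.com@privacy.above.com
Name Server: ns1.lionns.com
Name Server: ns2.lionns.com
URL of the ICANN WHOIS Data Problem Reporting System:
>>> Last update of WHOIS database: 2019-09-20 16:39:38.847175+10  <<<
"""

def parse_whois(text):
    """Return {field: [values]}; repeated keys such as Domain Status accumulate."""
    record = {}
    for line in text.splitlines():
        if line.startswith(">>>"):  # footer line, not a field
            continue
        key, sep, value = line.partition(":")
        value = value.strip()
        if sep and value:  # skip headings that carry no value on the same line
            record.setdefault(key.strip(), []).append(value)
    return record

def summarize(record):
    """Collect what a complainant needs to name the registrar and respondent."""
    def first(key):
        return record.get(key, [""])[0]
    # Assumption: a proxy service shows "privacy" in the registrant ID or email.
    proxied = any("privacy" in first(k).lower()
                  for k in ("Registry Registrant ID", "Registrant Email"))
    return {
        "domain": first("Domain Name").lower(),
        "registrar": first("Registrar"),
        "abuse_contact": first("Registrar Abuse Contact Email"),
        "registrant_country": first("Registrant Country"),
        # The offset is a short "+11", so keep only the date part and parse that.
        "created": datetime.strptime(first("Creation Date")[:10], "%Y-%m-%d").date(),
        "registrant_proxied": proxied,
        # EPP status codes only, without the explanatory URL
        "statuses": [s.split()[0] for s in record.get("Domain Status", [])],
        "name_servers": record.get("Name Server", []),
    }

if __name__ == "__main__":
    for field, value in summarize(parse_whois(SAMPLE)).items():
        print(f"{field}: {value}")
```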

After entering information about the registrar (Above.com) I had to decide between a single-member panel and a three-member panel to decide the case. A three-member panel has some advantages, but of course it’s a lot more expensive, so we were fine sticking with the single-member option.

Next, I had to choose the “mutual jurisdiction”, which is where any follow-up legal actions have to be filed if someone wants to fight a UDRP decision in a government court. There are two choices: the location of the Respondent (apparently Hong Kong) and that of the Registrar (Australia). Of course I wanted to make it as difficult as possible for the Respondent to contest the decision, so I selected Australia. Note that if you own domains, this is a good reason to pick a registrar in a friendly jurisdiction!

A few questions later I got to “Indicate the remedies sought for each disputed domain name”. There are two choices: to have the registrar revoke the domain or have it transferred to you. I can’t imagine who would ever choose revocation; if you do that, someone else is just going to grab the domain right away and put up another advertising page, and you’ll have to start the UDRP process all over again.

Next follows a long list of checkboxes in outline format, suggesting different possible justifications for the UDRP case. Here’s what I selected:

The first part is about Pololu’s rights to our trademark, while the second “Legal Grounds” explains why we think polulu.com violates these rights. Note that the three sections of “Legal Grounds” correspond to points 4.a.i, 4.a.ii, and 4.a.iii in the ICANN UDRP Policy. All of these parts are essential for a UDRP case to go forward, so even though the checkboxes are optional, they were really helpful in making sure that I had everything covered before writing up the details in the next section.

The argument text is where you get to explain the justification for your UDRP complaint in detail. After looking at some examples online, I started with an introductory paragraph identifying the parties and the subject of our complaint, then elaborated on all the points I had selected in the checkboxes:

Some points about the argument:

  • Since trademark rights are often limited to specific geographical regions, I made sure to mention our Hong Kong distributor here.
  • Typosquatting, profiting from confusing similarity, and use of anonymizing services are all considered evidence of “bad faith”, so we brought up each one to make the complaint seem as clear-cut as possible.
  • Further down in the form, the CAC recommends including a record of our attempt to notify the Respondent about the issue. So I took a couple of days to email them a copy of the argument text and mentioned that we had not heard back from them here.

Next is a section for attaching files with evidence supporting the complaint. I included screenshots of polulu.com, our trademark registration at USPTO, and the email we had sent to the domain owner.

With the complaint form mostly filled out, we were confident and ready to proceed with the case, so we had to pay the fees charged by the CAC: 800 EUR, or $907 at the time. Like I said, it’s difficult to know how to make sure all the exchange rate conversions and bank fees are covered without overpaying a lot. Our bank charges a particularly exorbitant amount for payments in EUR, but the CAC lists an account we could use for USD payments, so sending a USD transfer seemed most likely to minimize our cost. Overall, I estimated that 1% for the currency exchange plus a $20 fee was likely, which brought the amount we would need to send up to $936. We decided to round it up to $950, just in case.

So, we sent $950 to their USD bank account, uploaded a copy of the payment receipt to the complaint form, checked everything carefully, and submitted it on December 10, 2021. The system acknowledged our submission right away, then we didn’t hear anything until December 13, when they acknowledged receiving our payment:

So, we’ll never know how much we overpaid by.

Our UDRP case proceeds, slowly

Remember how I had named the domain holder as “Above.com Domain Privacy”? The next communication from the CAC was December 21, a “notification of deficiencies” for not properly identifying the actual domain owner, which we had five days to correct. The CAC also sent us on the same day (probably not coincidentally!) an email from Above.com providing more specific contact information for the Registrant, including an email, phone number, and physical address in Hong Kong. Their name was given as “Domain Administrator”, which made me a little uncertain, but since that’s all I had, I entered all of that information, with “Domain Administrator” as the name, into an amended complaint form.

The next day, December 22, the CAC notified us that the case had begun, and the Respondent had 20 days to respond.

On January 4, 2022, the CAC sent a warning to the Respondent (copying us) that they had until January 11 to respond, which seemed like a good sign.

Sure enough, on January 12, the CAC said that they had received no response and were going to proceed without one:

At the same time, they appointed a lawyer as the “panelist” who would decide our case. We heard nothing from him until January 27, and then got this:

While the case had seemed so clear-cut to us, it was apparently not to him. Maybe the fact that polulu.com had been in use since 2005, long before our trademark registration, gave him some doubt about our claims? To be sure, he wanted to see evidence that we had been using the name “Pololu” all the way back to the 2001 date we claimed. The “Additional UDRP Fees” (300 EUR) we now had to pay made it seem like a bait-and-switch scheme, even though we had half-expected something like this to happen. With just five business days to get the money to their bank account, we immediately sent a $375 wire transfer and started working on assembling a response.

I wasn’t sure whether they wanted hard, verifiable evidence, which there isn’t much of, or something more like a clear explanation of our history, so I did my best to include both. On the verifiable side, the Massachusetts and Nevada state websites showed when we had first registered Pololu in those states (2001 and 2002), and I included a copy of the Whois information for pololu.com, showing that we had registered it in the year 2000. On the softer side, I linked to Jan’s blog post about our first 20 years, an MIT page from 2001 that mentions our IR beacon being used in their robotics contest, and a 2001 screenshot from the Wayback Machine. I also included a copy of an ancient PayPal email to us, to help establish that we were actually using the pololu.com domain name to conduct our business. We submitted all of this additional evidence the day after their notice.

On January 31, the CAC confirmed receipt of the additional payment. (We still have no idea how much we overpaid.)

There was no communication for the next two weeks (I was not trusting my email and checking the website constantly!), until finally, on February 15, we got this:

Hooray! The decision to transfer the domain to us was published online, and everything seemed nicely wrapped up.

Taking control of the domain

But what was supposed to happen next? The court doesn’t get involved in the technical details of actually transferring the domain; that’s up to the registrar. I think they were supposed to do it within 10 business days, but nothing happened.

On March 2, I went on a chat with Above.com, and they suggested emailing their abuse email address.

Not having received any response, the next day we looked into our options. Since ICANN is the agency that ultimately controls everything, they have a mechanism for enforcement, described on this page, which links to a simple complaint form that I filled out. It seemed like it could take a few weeks for that to do anything, since according to their FAQ they send out three notices, waiting 5 business days after each one.

Still, we kept not hearing anything from anyone. I went onto a support chat with Above.com a second and third time, was directed to email their support address, and on March 28 finally something happened:

Finally we got the domain! The way they transferred it to us was by giving us a temporary Above.com account and assigning the domain to us. I was then able to log into the website and manage the domain. There were a few minor hiccups using their system, but within a day I had it moved over to our normal registrar, and https://www.polulu.com/ was redirecting to us. ICANN also finally responded to our complaint, more than a month after I filed it, closing it since everything was resolved. (Maybe that complaint is what motivated Above.com to do the transfer.)

Conclusion

Overall, I was happy with the CAC system for filing UDRP, and now that I’m familiar with it, I would use them again. With the “additional UDRP fees” and all the uncertainty in the transfers, we ended up paying a total of $1325, higher than I had hoped but still less than the fees I expect at other providers. Next time I would try to avoid additional fees by submitting more evidence about our trademark ownership in the initial complaint.

I would be happy to hear from others with related experiences or suggestions; please leave a comment below!

2 comments

I shared this with an IT group and got a link to a related podcast that had this paper attached. Might be helpful for preventing this kind of thing in the future without necessarily registering every possible bad domain name.

https://www.sans.edu/cyber-research/doppelgangers-finding-job-scammers-who-steal-brand-identities/

Thanks for the feedback. The article seems to be talking about a way to efficiently identify and block phishing domains, for example within a few hours after they are registered. But we don't get to block domains for our customers, and I don't know what else we can easily do. For example, polulu.com was not (to our knowledge) engaged in phishing, so I don't think a takedown request to the registrar would have been effective. I'd be happy to hear about specific approaches to taking down a domain that are easier than UDRP!
