
Before you buy a domain name, first check to see if it's haunted

lefstathiou

This happened to me and I found this tool super helpful to get my site unblocked: https://dnsblacklist.org/

I purchased a valuable premium domain to host a personal art collection (of anime cels). For some bizarre reason, the site was inaccessible from my work computer and it was de-listed from Google even if I typed the url itself into search.

I hired a Squarespace specialist to figure out why, to no avail. I then begged our company’s CISO to investigate and it turns out we had some firewall setting on UniFi that blocked the domain because it appeared on a list. Once I checked way back, it turns out that it was an anime porn aggregator years back. I personally reached out to all the web filters out there (Google, Symantec, Bing) and one by one filed tickets for them to mark it as art instead of pornography and it worked. I am now properly crawled on Google but still MIA on Bing, search console is giving me some BS error that’s incomprehensible, typical of MSFT.

a_t48

I'd be somewhat interested in seeing the cels. :)

lefstathiou

https://www.neotokyo.com

I have a +100 cel backlog that I need to catalog and photograph. Was planning to do it this holiday season so check back in.

Dalewyn

I... actually remember that address floating around and it indeed was hentai.

We're talking like 20 years back. Holy shit, my brain is getting jostled by this sudden tsunami of forgotten memories.

EDIT: Digging around on Wayback Machine (obviously NSFW, for the curious), apparently it was actually still around until somewhere between 2018 and '19 when it finally died. The snapshots from around 2007 are peak Web 1.5 design with stuff like affiliate buttons and table layouts. Man I miss that era.

317070

It is also blocked by the UK ISP porn filter.

amy-petrik-214

Ah great! Such nostalgia for that site, they had the -best- porn back in the old days, one of my favorite pron sites.

postcert

You have some awesome cels, thanks for sharing them online. Had completely forgotten about Robot Carnival and neat to see you have a few pieces from some of the shorts (episodes?)

Also the resources->galleries was useful, found some new but actually old sites to check out.

your_challenger

Great domain name! I can see why you went through the effort of contacting all the web filters.

internet101010

Did you get anything from the Heritage auction last week? They had a ton of good stuff.

Citizen_Lame

Where does one buy cels, apart from eBay?

ruthmarx

> I hired a Squarespace specialist

I had no idea such a thing existed.

If you can set up your own domain why would you need someone that specializes in a super limited non technical frontend for customizing prebuilt web templates?

lefstathiou

In hindsight I didn’t need him. I am pretty technical but I couldn’t figure out what happened so I hired some Squarespace SEO guy to make sure I had everything configured properly. It was the first and only time I heard of this happening.

veunes

It’s wild how these past associations can stick and haunt a domain, even after it’s changed hands entirely.

edm0nd

[flagged]

0xFACEFEED

> not what work resources are for

Employees are not robots. They are human beings. Sometimes human beings have human problems that need the assistance of other humans. This makes humans happier and more productive.

It's depressing to think that there are people who actually believe that optimal use of work resources is even worth calling out as an issue. In 2024.

kortilla

>actually believe that optimal use of work resources is even worth calling out as an issue.

Setting aside moral arguments, if it rises to the level of embezzlement, it’s a crime.

eru

If you want your employees able to deal with emergencies, you can't run them at 100% capacity all the time. You need some slack, so you have capacity when shit hits the fan.

Using a small amount of that slack to keep another employee happy can be a good investment. In addition, it's good for someone like the CISO to poke around the innards of your network (etc) configs from time to time, just to stay up to date with what's going on in the company and to perhaps flag anything that smells suspicious.

You can do these kinds of exploration exercises completely free form, or you can take a little task like 'figure out exactly why this specific site is blocked' as a token of motivation.

I agree that all of this mostly only makes sense, if it doesn't take too much time.

Though if this specific task would take a lot of time, that would also indicate that either the CISO needs to upskill, or the network config is too complicated. In either case, that would be a valuable insight.

bryant

> Wait, so you begged your CISO to figure out why your work internet ecosystem was blocking your personal project website from work computers? Man that sounds like a horrible waste of the CISOs time and not what work resources are for.

Sticking to your strict productivity line of thought, this kind of ask would:

1) be a great small teaching task for an intern, and

2) build goodwill elsewhere in a company, something good CISOs won't pass up an opportunity to do when the cost is relatively cheap.

But it's also likely that the CISO just wanted to help.

rjbwork

Turns out humans are not soulless automatons and like to do favours for the people they work with and are friendly with from time to time.

getlawgdon

Ooooor, it could be, like, a person helping another person out, or something like that, you know?

romanhn

Another "haunted domain" check is by trying to post about it on social media. I ran into this with my current project's domain name. After building an MVP and trying to test the social sharing functionality, I found that Facebook was blocking the domain outright. Turns out there was some spamming from it years ago. Getting it unblocked was extra fun, as the page to request manual review was itself broken! Thankfully I knew someone on the inside who alerted the relevant team, but the whole experience was quite the novel speedbump.

nicoloren

I faced the same issue with one of my projects. But, as I don't know anybody at Facebook, I left the domain and bought a new one.

survirtual

So much of the world is still based on who you know. This is a bug in our society I would really, really like to see fixed in my lifetime.

Dilettante_

Reframe:

It's not that the smooth path you can get via nepotism is the base way things work which people who don't "know a guy" are excluded from. Rather, everything is falling apart and shitty, and if you're lucky, you occasionally get to circumvent that shittyness.

mewpmewp2

I think with AI it is going to become the opposite. You only trust who you know in real life and ignore everything else.

conartist6

I would really like to see it fixed too, especially as regards these faceless behemoths which nevertheless worm themselves into dictating important parts of real people's real lives with absolute authority and no recourse.

mschuster91

The fix is called "legal system", or rather, also making it accessible for individuals and small businesses against the large mega corporations without risking getting bankrupt in case of losing. And companies that continuously lose in judgements get fined progressively until they establish enough support infrastructure to not be a burden on society.

concordDance

Sadly, the most likely "fix" would be to remove the "who you know" path and just make things shit for everyone. :(

poincaredisk

Is this a bug? I think this is a built in feature since version 1.0.

winddude

I had that one happen as well, after launching a project. I could even post in messages to friends.

veunes

Social media platforms can be some of the biggest canaries in the coal mine when it comes to a domain’s “haunted” reputation

nickfromseattle

I have a fairly boring consulting business, blocked by Twitter for being malware. Fortunately FB / LinkedIn / WhatsApp all work.

dtdynasty

> Ideally, search engine algorithms would give new domain owners a fresh start.

Sadly, I think this would be instantly gamed by abusers. They would release the domain name and attempt to register as a new owner or start repeatedly doing handoffs. It's difficult to tell who the owner is changing between and whether or not the new one is a better actor than the former.

AnthonyMouse

> It's difficult to tell who the owner is changing between and whether or not the new one is a better actor than the former.

This doesn't seem like that hard of a problem to solve, because these are domains with negative reputation, i.e. worse than zero.

So if a) the domain is no longer hosting any of the stuff previously complained about and b) is no longer receiving new complaints over a period of a year, it costs you nothing to reset the domain to zero. Because the bad actors don't have to behave for a year to get back to zero, they can just register a new domain.

All you're doing is giving the new owner the same fresh start that anybody can get by buying a never before registered domain for the same price as a year's renewal on the existing one.

dustyventure

Using a domain every second year in that environment would get it a gradually rising rank where it isn't penalized/sanitized (by accident, on principle, etc) so every restart after a $30 pause year would be much more effective than a new domain.

soared

It gets reset every year so how would it be more effective?

jacobyoder

How about not even look for a new owner, and just... check the content and complaint levels? If I was hacked and hosted spam, getting blocked/banned for months at a time when... the spam is cleaned and the hole that allowed it is fixed ASAP... that gives folks less incentive to fix/clean/remediate.

dtdynasty

3 assumptions that from my read are baked into your comment.

- Any empty domain starts with the same reputation

- Registering a new domain is a 0 cost action

- The eng effort to reset domain reputation is 0

Certain domains are used by abusers more often, usually due to them being cheaper. Forcing them to move domains is extra friction to the abusers which "haunted" domains force more than the proposed new system.

For the last point, I think it's simplifying a complex system change. Even if the new system was marginally better, it could be a large eng effort and not worth pursuing.

edit: styling

AnthonyMouse

> Any empty domain starts with the same reputation

What basis would you have to do otherwise, and if there is something (like TLD), why wouldn't "resetting to zero" in terms of past content just mean resetting to that zero?

> Registering a new domain is a 0 cost action

No, that registering a new domain has a similar cost to renewing an existing domain, which is a valid assumption. In fact, the new domains are often cheaper because registrars often discount the initial registration as a loss leader with the expectation that people will make future renewals at a higher price.

> The eng effort to reset domain reputation is 0

It is the job of the party operating that system to make it operate as correctly as feasible. Needlessly causing collateral damage purely out of laziness and unaccountability is how you get people showing up at government offices demanding for you to be regulated or broken up, if not showing up at your offices with a disposition to cause bodily harm.

> Certain domains are used by abusers more often, usually due to them being cheaper.

Running out of domain names is physically impossible. There are more possible domain names in any given TLD than there are atoms in the observable universe. So the low price is going to be the price set by the registry for that TLD.

Whether the TLD itself has some reputation is orthogonal to the reputation of one domain in that TLD relative to another one in the same TLD. Moreover, you would presumably do the same thing for the TLD -- if one TLD is doing promotion and has $1 registrations this year and then gets used for a lot of scams, and then next year it costs $15 and so do the renewals so the scammers move to a different TLD, the reputation of the TLD should be reset just the same as the individual domains.

> Even if the new system was marginally better, it could be a large eng effort and not worth pursuing.

If the primary goal is to reduce engineering effort then the obvious solution is to delete the entire reputation system so it doesn't have to be maintained anymore. If the primary goal is to make it work well then you have to, well, you know.

fhub

Google product manager interview question - Write some code with an LLM tool that leverages an LLM to determine if the new owner of a domain is doing (a) same dodgy thing as prior owner that got flagged (b) different dodgy thing as prior owner but should be flagged (c) something completely innocuous (d) needs further review.

jsheard

Please don't give Google ideas for more ways they can have an algorithm arbitrarily screw you over with no recourse, they're listening.

richardw

Well, current approach guarantees you’re getting screwed over. Any improvement is beneficial unless it blocks a better approach?

fhub

Follow up interview question. Update the code using your LLM code gen tool of choice that, when someone submits a complaint via an online form, feeds that complaint text back into your LLM to score it again. Points deduction if the candidate ever mentions informing the complainant of anything.

lazide

Why would they care?

xg15

If it's instantly released, then yes. But in this thread are reports where the offensive actions happened 15 years ago. After such a long time of "good behavior" it makes no sense for me to still keep the domain blocked/downranked.

xp84

Honestly, these days, with domains in general being nearly free compared to the profit potential of a single successful spammer grift, I’m not sure I even see the point of blacklisting domains at all. 25 years ago maybe a spammer would be devastated that he had to “start all over and buy a new domain and build up its reputation.” Now, spammers launch and abandon what, a million new domains a day? Google or anyone spitefully holding onto hard feelings about what a domain “did” years ago is pointless because the spammers will move on anyway. They wouldn’t reuse abcqwertuiop26abc dot xyz anyway because it’s safer to make up a new gibberish domain anyway. Only people who acquire domains legitimately are hurt by this.

I would want to experiment judging them based on what they’ve been seen to do in the past month.

lazide

The only reason they go to those new domains is because of the blacklist.

If you remove the blacklist, they’d just stop doing that and it would be even easier for them.

ricardo81

A tweak to that could be along the lines of "if the DNS lookup of the domain responds with NXDOMAIN for more than x days, give it a fresh start".

I'm not up to date with SEO so unsure whether Google would (or is able to) reset the domain's backlink profile, I'd guess it would be possible. A lot of the value of using expired domains is for backlinks (or at least was)

mschuster91

Require a deposit then, say 1000$, that is to be refunded after a year of probationary period. You get caught being a scammer/spammer, you lose the deposit.

Dilettante_

The deposit would be either too high for normal people to pay, or too low to matter to bad actors

mschuster91

Given that spammers cycle through thousands of domains, they'd run into serious cash flow issues very soon.

lazide

Who holds the deposit, and what is to stop them from having someone report your domain as a spammer so they can keep your money?

kmoser

Sadly, the same holds true for IP addresses.

veyh

Some time ago I noticed that my side project (with a domain that is not haunted) shows up fine on Google but not Bing/DuckDuckGo.

So I checked the Bing Webmaster Tools. URL Inspection says "Discovered but not crawled - The inspected URL is known to Bing but has some issues which are preventing indexation. We recommend you to follow Bing Webmaster Guidelines to increase your chances of indexation."

That's quite unhelpful. What's more, when I open the "Live URL" tab, it says, in green: "URL can be indexed by Bing."

It's a simple static Hugo site hosted on Cloudflare R2 (DNS mapped directly to bucket). https://pagespeed.web.dev gives it a score of 100 in every category.

Anyone else had something like this happen?

shakna

Yup. I've regularly had problems with a static site [0]. Sometimes it's a top hit for my name on Bing, sometimes completely unlisted. Seems to flip back and forth - with that same message you get.

It's a handwritten HTML website, enhanced with JS but not reliant on it, hosted on Cloudflare. Not quite a 100 in every PageSpeed category, but just about.

[0] https://jamesmilne.org/

bryanbraun

OP here, and yes, I've been getting that same message for musicbox.fun. I thought it just needed some time but I requested a fresh index two weeks ago, and nothing seems to have changed. :/

dazc

A side effect of negative seo is that some stuff that hasn't worked on Google for a long time still does on Bing (They, Bing, obviously, not being the real target of the attack).

I've seen a few sites become de-indexed and the 'give away' is the type of results that first appear when the penalty is eventually lifted. For example, just a dozen or so urls with really weird query strings that never existed before. The real stuff does come back after time though and, in my limited experience, it's a one-off incident.

Just to add, not many sites are insignificant enough not to attract negative seo - especially this type of low-level, zero cost malarkey.

8organicbits

Another variant of this is cached or preloaded security configurations.

HSTS (which forces browsers to validate HTTPS when connecting) asks browsers to cache the configuration for a set "max-age". Some sites set huge values here, like Twitter's 20 year max-age[1]. There's also the preload lists [2] to consider. This creates a problem if you want to serve non-HTTPS/unencrypted HTTP on your new domain and the previous owner didn't.

MTA-STS [3] is another variant that's becoming more popular. It limits which mail servers your domain uses and enforces TLS certificate verification. "max_age" is capped to a year by the RFC. If you don't set your own policy, then the previous domain owner's policy would impact any senders who previously cached the policy.

Thankfully HPKP (key pinning) is obsolete, otherwise you'd also need to worry about old pinned keys too. That RFC recommended, but did not enforce, a 60 day max-age limit.

These are especially tricky as the old security policy only lives in the caches of any end-user devices that previously connected to the domain. Double haunted.

[1] https://alexsci.com/blog/hsts-adoption/

[2] https://hstspreload.org/

[3] https://alexsci.com/blog/smtp-downgrade-attacks-and-mta-sts/

LeonM

FWIW, you can invalidate MTA-STS cache by updating the DNS assertion record to a different 'id' value. This is how you indicate a policy has changed.

So the sender is supposed to obey the normal DNS TTL caching period, and re-query the assertion record if TTL expired. It should re-fetch the MTA-STS policy if the 'id' value in the DNS assertion changed, or the max_age in the previously fetched policy has expired.

8organicbits

Almost, it's a little more involved.

> RFC 8461 section 3.3: Conversely, if no "live" policy can be [...] fetched via HTTPS, but a valid (non-expired) policy exists in the sender's cache, the sender MUST apply that cached policy.

You'll also need to host a "none" policy doc. Full instructions are here: https://www.rfc-editor.org/rfc/rfc8461.html#section-8.3
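Added example, not part of the thread and not written by any commenter: a simplified Python model of the sender-side cache behaviour discussed in the three comments above (RFC 8461 section 3.3, with the removal steps of section 8.3). The class `Sender`, the function `timeline`, and all ids, host names and timings are constructed for illustration; a real MTA also validates the policy host's certificate and matches MX names, which this model leaves out.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

MAX_AGE_CAP = 31_557_600  # RFC 8461 upper bound on max_age, in seconds
DAY = 86_400


@dataclass
class Policy:
    mode: str        # "enforce", "testing" or "none"
    mx: List[str]
    max_age: int
    txt_id: str      # id of the TXT record that triggered this fetch
    fetched_at: int  # sender's clock, seconds

    def valid(self, now: int) -> bool:
        return now < self.fetched_at + self.max_age


def parse_txt(record: Optional[str]) -> Optional[str]:
    """Return the id of a `_mta-sts` TXT record, or None if missing/invalid."""
    fields = dict(p.strip().split("=", 1) for p in (record or "").split(";") if "=" in p)
    return fields.get("id") if fields.get("v") == "STSv1" else None


def parse_policy(body: str, txt_id: str, now: int) -> Optional[Policy]:
    """Parse the key/value policy file; None if it is not a usable policy."""
    fields, mx = {}, []
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "mx":
            mx.append(value.strip())
        elif sep:
            fields[key.strip()] = value.strip()
    if fields.get("version") != "STSv1" or not fields.get("max_age", "").isdigit():
        return None
    if fields.get("mode") not in ("enforce", "testing", "none"):
        return None
    return Policy(fields["mode"], mx, min(int(fields["max_age"]), MAX_AGE_CAP), txt_id, now)


class Sender:
    """One sending MTA's policy cache for a single recipient domain."""
    cached: Optional[Policy] = None

    def applied_mode(self, now: int, txt: Optional[str], fetch: Callable[[], Optional[str]]) -> str:
        if self.cached and not self.cached.valid(now):
            self.cached = None                      # max_age elapsed
        live_id = parse_txt(txt)
        if live_id and (self.cached is None or live_id != self.cached.txt_id):
            body = fetch()                          # HTTPS GET; None on failure
            fresh = parse_policy(body, live_id, now) if body else None
            if fresh:
                self.cached = fresh
        # No usable live policy: a still-valid cached policy keeps applying.
        return self.cached.mode if self.cached else "none"


# Constructed sample data; ids, host names and timings are made up.
OLD_TXT = "v=STSv1; id=20230101T000000;"
OLD_POLICY = "version: STSv1\nmode: enforce\nmx: mail.old-owner.example\nmax_age: 31557600\n"
NEW_TXT = "v=STSv1; id=20240601T000000;"
NONE_POLICY = "version: STSv1\nmode: none\nmax_age: 86400\n"


def timeline() -> List[str]:
    s = Sender()
    return [
        s.applied_mode(0, OLD_TXT, lambda: OLD_POLICY),           # previous owner
        s.applied_mode(100 * DAY, None, lambda: None),            # new owner, nothing published
        s.applied_mode(101 * DAY, NEW_TXT, lambda: None),         # new id, policy fetch fails
        s.applied_mode(102 * DAY, NEW_TXT, lambda: NONE_POLICY),  # new id + "none" policy
        s.applied_mode(104 * DAY, None, lambda: None),            # records removed later
    ]
```

Calling `timeline()` returns the mode this sender applies at each step: the previous owner's `enforce` policy survives both an empty zone and a changed `id` with no fetchable policy, and only the hosted `none` policy clears it before its `max_age` runs out.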

account42

The worst part about HSTS is that the spec doesn't just define the interaction between the browser and the website but also goes as far as mandating that the browser restricts the options it provides to the user ... and would-be user agents actually go along with that.

Pikamander2

A client of mine once swapped over to a new domain that was coincidentally one letter away from another major domain. It wasn't an attempt to typosquat or anything nefarious, but Chrome started automatically showing everyone a big scary warning page before entering the site. We looked into appealing it but there was no guarantee of it getting whitelisted in a timely manner, so we ended up canceling the domain migration before they lost too much traffic.

campbel

I wonder if it would be a reasonable requirement of registrars to now allow domains to be purchased if they are some edit distance away from existing/active domains. It's fine if Google wants to protect its users, but ideally this would be caught sooner.

ajsnigrutin

That would be a pain...

Look at the milka.fr problems... Milka is also a female name over here, and that already proved to be a problem in France. But so are Mirka and Minka so yeah... no domain for them? Also Micka. Oh and mivka is (beach) sand. Want to sell beach sand? It's just one letter away from milka, so no domain for you either.

account42

Is it really better if Mirka, Minka and Micka get to pay for a domain but won't be able to use it because the dominant web browser shows super scary warnings?

Still seems better to raise the issue as early as possible so they can find a solution (appeal or choose a different domain) before investing into the unusable domain name. It would also mean that the dispute is at a layer (ICANN) where you at least theoretically have some rights instead of at the hands of a megacorporation that thinks the best way to reduce customer support costs is to make it impossible to get support.

dasil003

Defining “active” seems like the tricky part

r1ch

This can also happen with IP addresses. We recently moved one of our sites to a new IP and got a trickle of complaints about it being inaccessible from various authoritarian countries. After some digging, the new IP was used as a Tor bridge (not even an exit node) over _ten years ago_. I gave up any hope of fixing that and just ordered a different IP address.

rsingel

Not always the easiest thing to do. A haunted domain could have been haunted 15 years ago. And Google refuses to tell you why or fix their system.

Just one more place where the web gets screwed by a company too big to have to do basic customer service.

aabhay

In their defense (and I don’t defend Google often), addressing this really well means:

- knowing all the complexities of every local, state, federal, international jurisdiction that might interfere with the whitelist

- awareness of the content in question which could be millions of subpages

- a customer support team that is definitely not incentivized based on tickets triaged per day, but is somehow incentivized to spend hours on “whale” tickets.

- going through ticket history and solving the problem for everyone now that it's policy to solve this

- dealing with the inevitable rush of fraud that follows every tiny change in google systems

p3rls

The usual version of this is the popular SEO technique of buying an aged domain with a few backlinks and slapping a wordpress on it.

lmz

If it was easy to reset reputation with search engines what's stopping people from saying "under new management" every once in a while for an existing poor reputation domain? Probably better to just cut their losses and find another domain.

snowwrestler

> It wasn’t until I had redirected all of my musicboxfun.com traffic to musicbox.fun that I noticed that something wasn’t right: my web traffic from organic search dropped to zero.

Some practical advice here: do not change your canonical domain[1] name unless you really really have to.

If he had just set his fun new domain to redirect to the existing domain, instead of making the new domain the canonical, it likely would have had no negative effect.

I’m not saying this is how things should work. But the practical reality is that your domain name is like a Social Security number: it’s the basis for assigning a type of reputation score, even though it was not intended to do that originally.

[1] The domain at which your web pages finally load, after all redirects have completed.

viraptor

I've had an opposite experience. One domain I bought was used for an entirely different purpose in the past, which got linked on a Wikipedia article in references. This gives me some good link juice and at least matches the geo area of the previous business. Since it's an extremely niche entry and low on the list of references, I decided to be slightly naughty and not touch it for a couple of years. Not sure what's the opposite of haunted in this case, but it was just as surprising.

alentred

Enchanted?