Late last year, I discovered and shared that people are able to contact domain registrants directly via the GoDaddy Whois lookup page. This may be helpful because domain registrant contact information was recently removed from GoDaddy Whois lookup pages. Earlier this week, I discovered a change in the format of the GoDaddy Whois contact form – instead of a custom message field, I was given four contact options from which to choose:
I shared what I found on Twitter:
GoDaddy has changed the format on the Whois contact form. You can now choose from several options, and an automated message is sent to the registrant. You can no longer send a customized message. https://t.co/YtVeDMItcR
— Elliot Silver (@DInvesting) August 13, 2020
George Kirikos replied to my tweet, and he said that he could still see the other form, which would allow for a customized 100-character message to be sent:
Maybe they are A/B testing, or still rolling it out to everyone, as I just tried it on a domain but could still enter up to 100 characters.
— George Kirikos (@GeorgeKirikos) August 13, 2020
I checked again from my Chrome browser, and I still see the drop-down menu option, preventing me from sending a customized message to the domain registrant. However, when I used an Incognito mode browser, the old Whois contact form was there, allowing me to customize my message. I tested a few different times, both in standard and Incognito modes, and I noticed different forms for each. This, in my opinion, would indicate that GoDaddy is testing the form.
This contact form, which is apparently an ICANN requirement, is likely a target for scammers and schemers since delivery is seemingly guaranteed and the message comes via an official GoDaddy account email. In fact, attorney Jason Schaeffer reported that clients received scammy “offers” via this channel. GoDaddy could be trying to reduce the volume of spam or scam messages.
When I tested the new version of the form and selected the “Interested in purchasing the domain” option, here’s the email that was sent to the registrant email address:
Someone is trying to contact you regarding [domain name].
We received a request from someone who’d like to contact you regarding [domain name], which you registered through GoDaddy. This contact method is designed to provide a way for people who are interested in your domain to reach you, while still keeping your contact information private.
We’re required by ICANN regulations to forward these types of requests to you, and you’re not under any obligation to respond.
Remember, we have no information on the legitimacy of these contacts, and scammers have been known to try to pose as GoDaddy or other companies. Use caution when viewing or replying to unsolicited messages from third parties. If you determine you would like to respond to this message, please be aware that you are electing to respond directly to a third party that has no affiliation with GoDaddy.
Here is the message from firstname.lastname@example.org. Once again, this is NOT from a GoDaddy representative.
I am interested in purchasing this domain. Please respond if you are interested in selling.
To respond directly to the requester, simply reply to this email.
I was glad to see that GoDaddy removed the customer account number from the email, which is something I privately suggested when I noticed the form last year. Previously, if the recipient of the email replied directly from the contact email, the sender would see the person’s customer account number. I don’t know how risky that is, but I suppose it is a piece of information that theoretically could have been used for social engineering.
It will be interesting to see if GoDaddy is storing the data collected from this form. I assume they are, so it will be more interesting to see if GoDaddy uses this information for marketing or other purposes.