web application security lab

Can I hide.to?

I ran across this domain name (Tonic.to) when I was looking through one of the forums. I’m sure some of you have heard of this, but it was news to me. Not only does it do a good job of hiding your information, but it basically makes whois useless for people attempting to locate and stop spammers:

$ whois tonic.to
Tonic whoisd V1.0
tonic
$ whois hack.to
Tonic whoisd V1.0
hack ns.freewebtown.com 198.78.81.43 ns2.freewebtown.com 198.78.81.44
$ whois blah.to
Tonic whoisd V1.0
No match for blah
$ whois test.to
Tonic whoisd V1.0
test ns.soontech.co.kr 61.100.1.232 ns2.soontech.co.kr 61.100.1.236
$ whois hide.to
$ whois asdfasdfasdfasdf.to
$ whois viagra.to
$ whois tonic.to
$ whois hack.to
$

As you can see, after just a few attempts it completely blocked my IP from doing more whois lookups. Spammers' delight! I’d expect this TLD to get on everyone’s blacklist pretty quickly, if it isn’t already. Thankfully you can do as many nslookups as you like, as well as traceroutes, to find the upstream to shut the whole thing down. Looks like another fun spammy TLD.
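As an added example (not code from the post), here is a small Python parser for the Tonic whoisd reply format shown in the session above. It distinguishes a registered label with its nameserver/IP pairs, a "No match", and the empty reply that appears once the server stops answering, and a batch walker stops at the first empty reply rather than continuing to query a throttled server. The sample session is constructed from the output in the post, and treating an empty reply as a block is an assumption, not documented Tonic behaviour.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

BANNER = "Tonic whoisd V1.0"

# Constructed from the whois session in the post: (label, raw reply). The last two
# entries are the empty replies seen once the server stopped answering.
SAMPLE_SESSION = [
    ("tonic", "Tonic whoisd V1.0\ntonic\n"),
    ("hack", "Tonic whoisd V1.0\nhack ns.freewebtown.com 198.78.81.43 "
             "ns2.freewebtown.com 198.78.81.44\n"),
    ("blah", "Tonic whoisd V1.0\nNo match for blah\n"),
    ("test", "Tonic whoisd V1.0\ntest ns.soontech.co.kr 61.100.1.232 "
             "ns2.soontech.co.kr 61.100.1.236\n"),
    ("hide", ""),
    ("asdfasdfasdfasdf", ""),
]

@dataclass
class TonicRecord:
    label: str
    status: str  # "found", "nomatch", "blocked" or "unknown"
    nameservers: List[Tuple[str, str]] = field(default_factory=list)  # (host, ip)

def parse_tonic_reply(label: str, reply: str) -> TonicRecord:
    """Parse one Tonic whoisd reply for `label` (the name without '.to')."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines:
        # No banner, no body: the server did not answer at all. Treating this
        # as the rate-limit block described in the post is an assumption.
        return TonicRecord(label, "blocked")
    if lines[0] != BANNER or len(lines) < 2:
        return TonicRecord(label, "unknown")
    body = lines[1]
    if body.startswith("No match for "):
        return TonicRecord(label, "nomatch")
    # Registered name: "<label> <ns1> <ip1> <ns2> <ip2> ..." (nameservers optional)
    fields = body.split()
    if fields[0] != label or len(fields) % 2 == 0:
        return TonicRecord(label, "unknown")
    pairs = list(zip(fields[1::2], fields[2::2]))
    return TonicRecord(label, "found", pairs)

def walk_session(session) -> List[TonicRecord]:
    """Parse replies in order and stop at the first one that looks blocked."""
    records = []
    for label, raw in session:
        rec = parse_tonic_reply(label, raw)
        records.append(rec)
        if rec.status == "blocked":
            break
    return records
```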

8 Responses to “Can I hide.to?”

  1. tribute Says:

    In their FAQ:
    Tonic is very serious about keeping the .TO domain spam-free.

    heh. I noticed no SSL on their site for changing DNS, etc. eww

    Also, when you go to buy a domain, it says “Use our Secure server (If you prefer to send your credit card number encrypted.)” hahaha

  2. kroy Says:

    This appears to be more flood control than a way for spammers to hide. If you throw enough queries at it fast enough, it will eventually stop responding. But give it a moment to catch its breath, and it will start responding again.

  3. Michael Says:

    The registration server is in the Verio/NTT netblock; it looks like San Francisco. Assuming the server is not on the embassy grounds, it would be subject to US law.

    I suggest you address your complaints to Eric …

    Administrative Contact:
    Eric Gullichsen
    Government of the Kingdom of Tonga
    H.R.H. Crown Prince Tupouto’a
    c/o Consulate of Tonga
    360 Post Street
    Suite 604
    San Francisco, California 94108
    United States
    Email: egullich@colo.to
    Voice: +1.415.462.3014
    Fax: +6493583024

  4. hackathology Says:

    interesting stuff here…

  5. thedoghouse Says:

    Sure, if you have no idea what a “whois” is actually (no sorry, was not made for uber-leet-cia-hacker-wannabes) made for, and that many of them actually have an IP-based daily/hourly/etc quota…

    Yeah, you might feel that you just have found the spammers el dorado! Kill em! Block em! Friggn ban them! That’s the best solution if someone has no brains.

    omg… you guys are just not better than the many rest.


    2 Funny things though..

    1. I never got a spam mail from a .to domain (real source, not a faked header - dunno if you guys actually know that spammers fake email headers).

    2. .to is not the only “whois-free” TLD.. how about a whitelist with com/net/org? - or maybe think of a better anti-spam strategy..

  6. RSnake Says:

    You have some good points. The real question is how many legitimate .to domains do you visit on a daily basis? I can’t think of a single one, personally. To me this is clearly a domain squatter’s heaven. I was simply pointing that out since I hadn’t heard of the .to domain until that day. However, it wasn’t exactly like I was spamming it with requests - you saw yourself it was only a half dozen and it was blocked. Yes, I know there are others, which is why I said, “yet another spammy TLD”. I just hadn’t written this up before.

  7. thedoghouse Says:

    You cannot compare my daily internet consumption with someone else’s, as I surf the net on a “wider range” * .. Therefore: yeah, I have some .to sites I visit daily that have nothing to do with spam.

    A domain spammer will be kicked there faster than he can send spam (which is even a very aggressive policy!), therefore top spammer domains ARE hk/cn/com/tr/etc.

    Funny thing: I just saw, your domain is “protected” via “domainsbyproxy.com” (or something similar)..
    - why not a .to domain?
    - are you a spammer?
    - why should your data be kept “safe” but others not? (e.g. they will be “titled” as spammer by you)

    That your whois queries got blocked that fast seems a little unusual to me, too. But take into consideration that you are most likely using a dynamic IP, and maybe their server just went down? It’s the internet, many things can happen.. it must not always be a bad (+ paranoid) sign..

    * + I am a European.. we use more TLDs than Americans, who seem to only know TLDs like .com/.net/.org - every other TLD they don’t know is their enemy ;)

  8. RSnake Says:

    If I were a spammer I wouldn’t be using my own domain. You must be kidding of course, as the whole point of this site is to show how web applications can be secured. Domain proxying is one way to obfuscate owner contacts so they can’t be used in other attacks. It has nothing to do with spam.

    The rest of your points I agree with, although it definitely didn’t go down. I tried from a number of different IP addresses and it had the same effect. It’s not paranoia - it’s thorough testing. ;)