WHOIS – U.S.-Based Domain Registration Protection Companies Hide Identities Of Individuals Behind The Most Important Al-Qaeda-Affiliated Websites

July 13, 2012

Introduction

Currently, fewer than 10 major active websites are directly used by Al-Qaeda and other leading jihadi organizations. Like all other websites, these sites have domain names and other identifying information that can be looked up using the WHOIS protocol.[1]

 When a new domain name is registered, the domain owner is required to submit information to the WHOIS database; however, some domain owners opt to use domain privacy services offered by registrars.  This option leaves them technically compliant but enables them to avoid listing their actual information.

The following report is another example of how terrorist groups have come to depend on American companies for their activities online.

What Is WHOIS?

WHOIS is a protocol used for querying databases that store the registration information of users of an Internet source, such as a domain name. WHOIS originated as a method of obtaining contact information for IP address assignments or domain name administrators. It is now used for other purposes, including determining the registration status of domain names and assisting law enforcement in enforcing national and international laws.

The Internet Corporation for Assigned Names and Numbers (ICANN) exercises control of the WHOIS databases, under the authority of the U.S. Commerce Department.

WHOIS Information On Anwar Al-Awlaki’s Website Led To Its Closure

In 2009, when radical Yemeni-American Anwar Al-Awlaki posted an article on his website praising Fort Hood shooter Maj. Nidal Hasan, MEMRI published a report on his website that included WHOIS info.[2] The report stated: “The registration information for his website is as follows: The domain ANWAR-ALAWLAKI.COM is protected by the private domain registration company DomainsByProxy.com. The information listed for DomainsByProxy.com is: Domains by Proxy, Inc., DomainsByProxy.com, 15111 N. Hayden Rd., Ste 160, PMB 353, Scottsdale, Arizona 85260, United States, (480) 624-2599 Fax (480) 624-2598. A trace of the server hosting the website shows that it is hosted by New Dream Network, LLC, 417 Associated Rd., PMB #257, Brea, CA 92821; their Abuse Team can be reached at: +1-714-706-4182, [email protected]

Within two hours of MEMRI report’s publication, the site was removed and shut down, and has not returned.

Domain Privacy Services “Namecheap” and “WhoisGuard” Mask Identity of Domain Owners

Namecheap, a leading ICANN-accredited domain name registrar and web hosting company located in Los Angeles, CA,[3] was founded in 2000; currently, it has over 800,000 clients and over three million domains under its management. Namecheap provides domain names, web hosting, secure SSL certificates, and WhoisGuard domain name privacy.[4]

Among Namecheap’s most important products is WhoisGuard Domain Privacy Protection. The product description on Namecheap.com for WhoisGuard provides information on why potential clients might want to use its services – many of which are attractive to jihadis: “The Internet Corporation for Assigned Names and Numbers (ICANN) policy requires you to provide accurate contact information while registering domain name – or you can risk losing it… When you register a domain, you risk exposing your name, address, e-mail and phone number to spammers, marketing firms, and other online fraudsters. Use ‘WhoisGuard,’ our privacy protection option, and stay worry-free!”[5]

The product description adds: “Namecheap’s WhoisGuard domain privacy service is the best global domain privacy option for your domain name. Our WHOIS protection ensures that your private domain name registration always stays private as long as your privacy protection is active. When you purchase and enable WhoisGuard on your domain, we make the following changes in public WHOIS: 1) Replace your postal address with our address; 2) Replace your phone number and fax number with our phone and fax numbers; 3) Replace your email address with a uniquely-generated “[email protected]” email address. Every email that is sent to the WhoisGuard address is forwarded to an email address of your choice.”[6]

Namecheap and its WhoisGuard service have long been used by online jihadi groups and Al-Qaeda affiliates. Media reports going back to 2004 have identified this issue, bringing it to the attention of Namecheap founder and CEO Richard Kirkendall.[7] Another 2004 media report noted that Namecheap once hosted Ekhlass, one of the most important Al-Qaeda-affiliated websites, before it was shut down. On this matter also, Kirkendall was contacted by the media, but he never responded to concerns that he was assisting Al-Qaeda.[8]

The Top Two Al-Qaeda-Affiliated Online Forums – And Others – Rely On WhoisGuard

Registration information for the two most important Al-Qaeda-affiliated forums, Al-Shumoukh and Al-Fida’, is currently blocked by WhoisGuard. This means that whoever created and registered the sites is paying WhoisGuard to conceal their identity.

The following is the Whois listing from these two forums, showing how registration information is protected by WhoisGuard:

Al-Shumoukh
Full WHOIS for SHAMIKH1.INFO:
Domain ID: D38010794-LRMS
Domain Name: SHAMIKH1.INFO
Created On: 14-May-2011 00:22:30 UTC
Last Updated On: 23-Apr-2012 17:20:00 UTC
Expiration Date: 14-May-2013 00:22:30 UTC
Sponsoring Registrar: eNom, Inc. (R126-LRMS)
Status: OK
Registrant ID: fce7ae13f22aa29d
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard
Registrant Street1: 11400 W. Olympic Blvd. Suite 200
Registrant City: Los Angeles
Registrant State/Province: CA
Registrant Postal Code: 90064
Registrant Country: US
Registrant Phone: +1.6613102107
Registrant Email: [email protected]
Admin ID: fce7ae13f22aa29d
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard
Admin Street1: 11400 W. Olympic Blvd. Suite 200

Al-Fida’
Full WHOIS for AL-FIDAA.COM:
Registrant Contact: WhoisGuard WhoisGuard Protected
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064 US
Administrative Contact:
WhoisGuard WhoisGuard Protected ([email protected])
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064 US
Technical Contact: WhoisGuard WhoisGuard Protected ([email protected])
+1.6613102107
Fax: +1.6613102107
11400 W. Olympic Blvd. Suite 200
Los Angeles, CA 90064, US
Creation date: 27 May 2010 21:37:00
Expiration date: 27 May 2012 16:37:00

Other U.S.-Based Domain Privacy Companies Used By Online Jihadis

Network Solutions, Privacypost, Privacyprotect, Register.com, and PrivacyRegContact are other U.S.-based domain privacy services used by online jihadis.

Ansar Al-Mujahideen English Forum Vitally important to Al-Qaeda and its Western supporters and recruits, and aimed at audiences both Muslim and non-Muslim, the Ansar Al-Mujahideen English Forum (AMEF), ansar1.info, is considered the primary English-language jihadi forum, disseminating the majority of Al-Qaeda’s propaganda for the English-speaking West. AMEF was established in 2008 in Arabic, and later launched multiple language pages, including English; it has thousands of threads and individual messages.[9] Its Whois information is registered with Privacypost.com.

Full WHOIS for ANSAR1.INFO (using Privacypost.com):
Domain ID: D31419025-LRMS
Domain Name: ANSAR1.INFO
Created On: 04-Feb-2010 16:49:41 UTC
Last Updated On: 19-Apr-2012 02:48:14 UTC
Expiration Date: 04-Feb-2014 16:49:41 UTC
Sponsoring Registrar: Domain.com, LLC (R656-LRMS)
Status: OK
Registrant ID: DOT-8IB2AOYX9YYN
Registrant Name: N/A
Registrant Organization: c/o ANSAR1.INFO
Registrant Street1: P.O. Box 821650
Registrant City: Vancouver
Registrant State/Province: WA
Registrant Postal Code: 98682
Registrant Country: US
Registrant Phone: +1.3604495933
Registrant Email: [email protected]
Admin ID: DOT-49LI2P08AZ8O
Admin Name: N/A
Admin Organization: c/o ANSAR1.INFO
Admin Street1: P.O. Box 821650
Admin City: Vancouver
Admin State/Province: WA
Admin Postal Code: 98682
Admin Country: US
Admin Phone: +1.3604495933
Admin Email: [email protected]
Billing ID: DOT-WRBWRC7KYWGD
Billing Name: N/A
Billing Organization: c/o ANSAR1.INFO
Billing Street1: P.O. Box 821650
Billing City: Vancouver
Billing State/Province: WA
Billing Postal Code: 98682
Billing Country: US
Billing Phone: +1.3604495933
Billing Email: [email protected]
Tech ID: DOT-SVXV1G32Y6MR
Tech Name: N/A
Tech Organization: c/o ANSAR1.INFO
Tech Street1: P.O. Box 821650
Tech City: Vancouver
Tech State/Province: WA
Tech Postal Code: 98682
Tech Country: US
Tech Phone: +1.3604495933
Tech Email: [email protected]
Name Server: NS1.NAMERESOLVE.COM

Tawhed.net Another important jihadi website is tawhed.net. Since 2003, Sheikh Abu Muhammad Al-Maqdisi’s website, Minbar Al-Tawhid Wal-Jihad (“The Pulpit of Monotheism and Jihad,” henceforth MTJ) has been the main online home for the global Salafi-jihadi movement. Over time, his website became the main platform for disseminating Salafi-jihadi doctrine, publishing extremist texts, and issuing jihad-related fatwas. In addition to Al-Maqdisi himself, the website is overseen by a shari’a committee of radical Salafi-jihadi clerics from various countries.[10] Tawhed.net’s WHOIS information is registered with PrivateRegContact.

Full WHOIS for tawhed.net (using PrivateRegContact):
[Querying whois.verisign-grs.com]
[Redirected to whois.melbourneit.com]
[Querying whois.melbourneit.com]
[whois.melbourneit.com]
Domain Name: tawhed.net
Creation Date: 2009-07-19
Registration Date: 2009-07-19
Expiry Date: 2012-07-19
Organisation Name: ESAM ALUTAIBE
Organisation Address:  PO Box 61359 Sunnyvale 94088 CA, US
Admin Name: Admin PrivateRegContact
Admin Address: PO Box 61359 registered post accepted only Sunnyvale 94088 CA, US
Admin Email: [email protected]
Admin Phone: +1.5105952002
Tech Name: TECH PrivateRegContact
Tech Address: PO Box 61359 registered post accepted only Sunnyvale 94088 CA, US
Tech Email: [email protected]
Tech Phone: +1.5105952002
Name Server: ns159.ip-asia.com
Name Server:  ns160.ip-asia.com

Bab-Ul-Islam.net Bab-Ul-Islam.net is a forum that emerged from the merger (in March 2012) of the Ansarullah website and the Bab-ul-Islam forum.  It publishes content consisting of Al-Qaeda and its affiliated media releases in English, Urdu, Arabic, and other languages.[11] Its Whois information is registered with Network Solutions.

Full WHOIS for BAB-UL-ISLAM.NET (using Network Solutions):
Administrative Contact:
Proxy, Proxy
[email protected]
ATTN BAB-UL-ISLAM.NET
care of Network Solutions
PO Box 459 Drums, PA 18222 US
Phone: 570-708-8780
Technical Contact: Proxy, Proxy [email protected]
ATTN BAB-UL-ISLAM.NET care of Network Solutions
PO Box 459
Drums, PA 18222 US
Phone: 570-708-8780

Jhuf.net JHUF.NET, or Jamia Hafsa Urdu Forum, is a pro-Taliban, jihadi forum. It draws its name from the name of the women’s madrassa in Islamabad – known as Jamia Hafsa – adjacent to the Red Mosque in Islamabad, Pakistan. Both were the site of the 2007 military operation ordered by General Pervez Musharraf. The forum publishes jihadi messages from the Taliban and Al-Qaeda. Its WHOIS information is registered with PrivacyProtect.org.

Full WHOIS for JHUF.NET (using PrivacyProtect.org):
Registration Service Provided By: WWW.HOSTING24.COM
Contact: +68.67568314
Domain Name: JHUF.NET
Registrant: PrivacyProtect.org
Domain Admin    ([email protected])
ID#10760, PO Box 16
Note – All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null, QLD 4218 AU
Tel. +45.36946676
Creation Date: 18-Sep-2010
Expiration Date: 18-Sep-2012
Domain servers in listed order: dns2.site5.com dns.site5.com
Administrative Contact: PrivacyProtect.org
Domain Admin  ([email protected])
ID#10760, PO Box 16
Note – All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null, QLD 4218 AU
Tel. +45.36946676
Technical Contact: PrivacyProtect.org
Domain Admin    ([email protected])
ID#10760, PO Box 16
Note – All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null, QLD 4218 AU
Tel. +45.36946676
Billing Contact: PrivacyProtect.org
Domain Admin    ([email protected])
ID#10760, PO Box 16
Note – All Postal Mails Rejected, visit Privacyprotect.org
Nobby Beach
null, QLD 4218 AU
Tel. +45.36946676

Theunjustmedia.com Theunjustmedia.com is identified as the official website of the Islamic Emirate of Afghanistan, according to the September 2011 issue of the jihadi magazine Nawa-i-Afghan Jihad. Its WHOIS information is registered with register.com.

Full WHOIS for Theunjustmedia.com (using www.Register.com):
Information for www.theunjustmedia.com on Host Depot’s website.
Registrant:  REGISTER.COM, INC.
Whois Server:  whois.register.com
Referral URL:  http://www.register.com
Status:  clientTransferProhibited
Expiration Date: 2012-10-26
Creation Date: 2001-10-26
Last Update Date: 2011-10-25
Name Servers: ns1.hostdepot.com  ns2.hostdepot.com
IP: 66.242.136.130
IP Location: Pompano Beach, United States
Website Status: active
Registrant:  Name: Khurram Siddiqi
Street Address: PO BOX 90560
Scarborough, CA  55555
Phone: 9543403527
Email: [email protected] Administrative
Contact:  Name: Khurram Siddiqi
Street Address: PO BOX 90560 Markham Eglinton
Scarborough,  CA 55555
Phone: +1.9543403527  Email: [email protected][email protected][email protected]                              Technical  Contact:  Name: Host Depot, Inc.
Street Address: 12524 West Atlantic Boulevard
Coral Springs, State: FL  33071
Phone: +1.9543403527
Email: [email protected]

*Note: NetStrategies, a DC Web development company, served as a technical advisor for this report.

*Steven Stalinsky is Executive Director of MEMRI.

Endnotes:

[1] All information in this report was current as of May 15, 2012.

[2] See MEMRI Special Dispatch No. 2638, “U.S.-Born Yemen-Based Imam Anwar Al-Awlaki on His CA-Hosted Websites: Fort Hood Shooter ‘Nidal Hassan Is A Hero,'” November 9, 2009, http://www.memri.org/report/en/0/0/0/0/0/0/3737.htm

[3] Namecheap.com, 11400 W. Olympic Blvd. Suite 200, Los Angeles, CA 90064, [email protected]

[7] MensNewsDaily.com, July 22, 2004; also see Dailymail UK, October 17, 2004

[8] Daily Beast, October 2, 2009

[10] See MEMRI Special Dispatch No. 3960, “Minbar Al-Tawhid Wal-Jihad – Major Jihadi Website Inciting Attacks on the U.S. – Hosted in NJ,” July 1, 2011, http://www.memri.org/report/en/0/0/0/0/0/0/5423.htm