Uniregistry : Sequential WHOIS shield emails attract unscrupulous spammers

I never had any issues with Uniregistry that were not dealt with swiftly.

As part of a group of people that beta-tested the domain registry platform before its launch, I assisted with the initial round of debugging its processes. As a systems analyst and UX professional, I made suggestions about the flow and presentation of the registry’s online services, before it launched.

There’s a thorny issue, however, on which I have not seen any action. It is not vital to Uniregistry’s functions, but for several reasons it is important to address effectively.

The WHOIS shield contact info is sequential: the proxy email address is a number followed by “@privacy-link.com”, and that number is incremented with every domain that uses the shield.

The use of sequential numbers, particularly in account identifiers or usernames, is inherently dangerous: anyone who knows one valid identifier can enumerate all the others. Fourteen years ago, I assisted GoDaddy in patching a security hole that stemmed from sequential numbering of its accounts.

In the case of Uniregistry, the issue is not one of account security but of easy access to thousands of email addresses by unscrupulous spammers. They take the range from 1 to a recent high number, append “@privacy-link.com” to each value, and spam their content to the registrants of those domains.

It’s a spammer’s wet dream.

How is this issue addressed? By “hashing” these public email addresses so that they appear random. The point is that the local part must be unpredictable: a plain hash of the counter would not help, because a spammer can hash 1 to N just as easily as counting, so the value has to be derived with a secret held only by the registrar, or generated randomly and stored. While anyone can still harvest these email addresses directly from the WHOIS, they would need to know the domain name first, an extra step that not many spammers bother with.

A hashed email address under WHOIS shield would look like this: 8860333562115bb34ac@privacy-link.com. The amount of spam would be lowered tremendously, because with this method there is no “next” number up or down; the mapping from proxy address back to the registrant is stored internally in a lookup table at Uniregistry.

Additionally, such email addresses can and should be rotated automatically every 30 days, so that old ones harvested from the WHOIS become obsolete.
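To make the three points above concrete, here is an added example (not Uniregistry’s code, and not part of the original post) in Python. It contrasts the sequential scheme with an unkeyed hash of the counter, which a spammer can still enumerate, and with an HMAC over the domain name and a 30-day period under a registrar-held secret, which has no “next” value. The domain names, counter values, key and `privacy-link.com` local parts are all constructed for illustration; `ProxyDirectory` is a hypothetical stand-in for the registrar’s internal lookup table.

```python
"""Added example: predictable vs. unpredictable WHOIS-proxy addresses.

Everything here is constructed for illustration. The domains, the counter
values, the secret key and the privacy-link.com local parts are made up;
nothing is taken from Uniregistry's real implementation.
"""
import hashlib
import hmac
import secrets
from datetime import date
from typing import Dict, Iterable, List, Optional, Set

PROXY_DOMAIN = "privacy-link.com"
ROTATION_DAYS = 30       # the rotation interval the article suggests
LOCAL_PART_HEX = 19      # same length as the article's sample address

# Constructed account: four domains, each handed the next counter value.
SAMPLE_ACCOUNT: Dict[str, int] = {
    "example-one.com": 482911,
    "example-two.net": 482912,
    "example-three.org": 482913,
    "example-four.info": 482914,
}


def sequential_proxy(counter: int) -> str:
    """The scheme the article criticises: a bare, incrementing counter."""
    return f"{counter:06d}@{PROXY_DOMAIN}"


def enumerate_sequential(lo: int, hi: int) -> List[str]:
    """What a spammer does: no WHOIS lookups at all, just count."""
    return [sequential_proxy(n) for n in range(lo, hi + 1)]


def unkeyed_hash_proxy(counter: int) -> str:
    """Tempting but insufficient: sha256(counter) hides nothing, because
    the attacker can hash the same 1..N range and match the results."""
    digest = hashlib.sha256(str(counter).encode()).hexdigest()
    return f"{digest[:LOCAL_PART_HEX]}@{PROXY_DOMAIN}"


def enumerate_unkeyed(lo: int, hi: int) -> Set[str]:
    """The attacker's table of unkeyed hashes for a counter range."""
    return {unkeyed_hash_proxy(n) for n in range(lo, hi + 1)}


def rotation_period(day: date) -> int:
    """Index of the 30-day window a date falls in."""
    return day.toordinal() // ROTATION_DAYS


def keyed_proxy(key: bytes, domain: str, period: int) -> str:
    """Unpredictable local part: HMAC-SHA256 over (domain, period) under a
    secret held only by the registrar. Without the key there is no 'next'
    address to guess, and a new period yields a fresh address."""
    msg = f"{domain}|{period}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{tag[:LOCAL_PART_HEX]}@{PROXY_DOMAIN}"


class ProxyDirectory:
    """Hypothetical stand-in for the registrar's internal lookup table that
    maps a live proxy address back to the domain (and so to the registrant).
    Inbound mail to an address not in the table is simply dropped."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._live: Dict[str, str] = {}

    def issue(self, domain: str, today: date) -> str:
        addr = keyed_proxy(self.key, domain, rotation_period(today))
        self._live[addr] = domain
        return addr

    def rotate(self, domains: Iterable[str], today: date) -> None:
        """Re-issue every address for the current window. Addresses from
        earlier windows stop resolving, so harvested copies go dead."""
        self._live = {}
        for domain in domains:
            self.issue(domain, today)

    def resolve(self, addr: str) -> Optional[str]:
        return self._live.get(addr)
```

The keyed form is what “hashing” has to mean in practice: the secret is what removes the “next” number, and rotating the period input is what makes harvested addresses expire. A registrar would also publish the newly issued address in WHOIS at each rotation, which this example leaves out.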

I’m confident that now that I’ve explained the issue, that Uniregistry will implement these changes to further improve their otherwise flawless platform.

Comments

  1. Great idea!

  2. We’re changing this going forward, but not seeing any sequential abuse yet

  3. Thanks, Frank. I think that’d be a great improvement, even if there is no apparent abuse at this time.

  4. I am getting spammed over and over again, and all of the spam is addressed to xxxxxx@privacy-link.com. The same spammers are emailing different numeric usernames (the “xxxxxx” in the example), each of which is associated with a different domain in my account. I started researching, and I found this article. I can say definitively that this IS IN FACT A PROBLEM. What’s incredibly ironic is that Uniregistry’s Registration Agreement states in paragraph 3.1, “Privacy.Link is intended to protect you from spam, unsolicited commercial email, and similar unwanted solicitations.” Not only did it not protect me from these things, it enabled them.

  5. David – Unfortunately the numbers are sequential, so spammers go from 000001 to 999999 etc. It’d be interesting to see how they get away with it. The only way to avoid this type of spam is per my suggestions in this article.

  6. I’ve gotten one spam email offering web design service sent to a privacy-link.com email after registration of a .com with Uniregistry.
