Are You Tired of the Domain?

Are you tired of typing into your browser “”? Would you like to enter something else, but still get the same results as if you went to … How about

Heather Paulson noticed something odd during a test of the SEM/SEO/AM research service Syntryx, which is currently in beta.

She stumbled across a site at the domain that shows weird stuff in the Who-Is records of domain name registrars. The other odd thing about the site is that it appears to be the search engine The main part of the Who-Is record also seems to confirm that this site belongs to Google.

The site is hosted on a server with a number of other sites that have questionable content, to say it carefully. This is of course very unlikely. Another odd thing is that the site does not show the universal search navigation bar, but the old links above the search box for selecting the type of search you want to do (Web, Images, etc.). It also does not show a “sign-in” link to log on to your Google account, and it has a link beneath the search box to and the anchor text “Go to”.

You can do searches and browse around to most of the content of the website while actually being on the site. That this is confusing, even for search marketers, is not surprising.

I think that there are only two possible explanations for this. The first and most likely one is that the site IS pulling the code from It looks like a simple DNS forwarder to Google’s data center 39-GV (IP The site's DNS server is DNS1.NAME-SERVICES.COM.

If you ping the domain, it shows the real IP, which is and not the Google data center IP. “No reverse DNS set” for that IP is the response if I try to do a reverse lookup via online tools like the ones from or by using the Windows tool “nslookup” on my local machine.

You can do a domain forwarding to any other domain (website) you want to, even if you don’t own the domain. There are common uses for this, most of the time for subdomains. Like this one. It is a subdomain of and even looks like my site. However, it is not my site and is actually hosted and operated by somebody else. The “Branded Feed” option from (now Google’s) FeedBurner is another example of that.

It is not limited to subdomains and can be done with the top domain as well. A common use for that is the domain forwarding of other domains you own (e.g. your brand names and/or trademarks or TLD variations of the same domain name (e.g. .org, .net, .info)) for your business to your primary website domain (e.g.

The registrant of the domain is a person in Zimbabwe.

High Av Video co
cosomer lee (123user AT hiavgirl DOT net)
Fax: +263.123456777
West wood street 213# linken road
mogan, 432229

It does not seem to be a malicious attempt by that person to do something sneaky. He just does not use that domain yet and, instead of having a parking service throw up some stuff (e.g. ads), he simply redirects to Google.

However, it is a big oversight by Google that the site code allows the site to be pulled via a different domain name that is not owned by Google. Somebody with malicious intentions could use it for bad things. The Google site uses relative URLs, which keeps the user on the different domain.

I checked the logins; they redirect to, which is good, because that prevents the login cookie from being created on that non-Google domain.

In addition, a link appears on the homepage that reads “Go to”, but that is not enough IMO. Google should (301) redirect any request to their sites if the domain is not the real Google domain or at least if it is not one of their domain properties.
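The redirect suggested above can be done by checking the Host header of every request against a list of owned domains. The following is an added example, not code from this post or from Google; the host names, the https scheme and the WSGI setup are assumptions chosen for illustration.

```python
# Added example, not Google's code: 301 any request whose Host is not an owned domain.
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"  # assumed primary domain (placeholder)
OWNED_HOSTS = {"www.example.com", "example.com", "example.org"}  # assumed properties


def normalize_host(raw):
    """Lower-case the Host header, drop the port and a trailing dot."""
    host = (raw or "").strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8080
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def canonical_redirect(app, canonical=CANONICAL_HOST, owned=frozenset(OWNED_HOSTS)):
    """Wrap a WSGI app so that foreign Host values never reach it."""
    def middleware(environ, start_response):
        if normalize_host(environ.get("HTTP_HOST")) in owned:
            return app(environ, start_response)
        # Build Location from the canonical host only; nothing from the
        # untrusted Host header is copied, and quote() encodes CR/LF in the path.
        path = quote(environ.get("PATH_INFO") or "/")
        query = environ.get("QUERY_STRING") or ""
        location = "https://" + canonical + path + ("?" + query if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    return middleware


def demo_app(environ, start_response):
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"search page"]


def simulate(host, path="/", query=""):
    """Send one constructed request through the middleware; return (status, Location)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["location"] = status, dict(headers).get("Location")
    environ = {"REQUEST_METHOD": "GET", "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": query}
    b"".join(canonical_redirect(demo_app)(environ, start_response))
    return seen["status"], seen["location"]
```

The check sees only the Host value the browser sent, so it covers a foreign domain whose DNS points at the site's servers; a server-side script that fetches the pages under the real host name would pass it.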

This is not that easy, if the second explanation is true. This explanation of the site would not explain the weird information in the Who-Is record for that domain though.

It could be the case that a script is running on that domain that takes all requests, then does an HTTP request to Google in the background on the server side and then returns the results, as is or as an altered version, to the end user in his browser.

I doubt that this is happening though. Some of the links redirect to Google: I already mentioned the login links, and other links that do not refer to secured sections of the site, such as the links on the Google products page, link to the actual Google domain. A scripter would have caught those and changed them to local URLs on his domain.

If there is another plausible explanation that explains these things and a reason why Google would allow this to happen, I am curious to learn about it. What do you think?

Update 8/5/2007 11:00 pm PST: Important! Read the comments to this post below. It is getting even fuzzier.


Carsten Cumbrowski

  • Heather Paulson

    Great post Carsten, I found this using the new beta which will be out in a month.

    I saw some amazing stuff, this is one of many interesting things I found using Syntryx… Total transparency ..

    Great post Carsten!

  • CarstenCumbrowski

    Thanks for the info Heather (and for the kudos 🙂 )

  • Tomche

    Wow, now that is some information. Sounds like a spammy domain name. Redirecting, archiving? What is this exactly?

  • David Wolf

    Carsten – the IP address for “” is different than “”. The IP coming from the “www” subdomain is definitely hosted by Google’s infrastructure…is there a rogue somewhere.

    David Wolf

  • David Wolf

    Hey Carsten – any ideas for the GWS server return on the HEAD request?

    200 OK
    Cache-Control: private, x-gzip-ok=""
    Date: Sun, 05 Aug 2007 20:14:31 GMT
    Server: GWS/2.1
    Content-Length: 0
    Content-Type: text/html
    Last-Modified: Sat, 06 Jan 2007 00:35:21 GMT
    Client-Date: Sun, 05 Aug 2007 20:14:36 GMT
    Client-Response-Num: 1
    Set-Cookie: PREF=ID=450c2d0395e6ee65:TM=1186344871:LM=1186344871:S=rWjVMoL9wkaI1
    9FZ; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/;

    Versus this:

    200 OK
    Cache-Control: private
    Connection: close
    Date: Sun, 05 Aug 2007 20:15:26 GMT
    Server: Microsoft-IIS/6.0
    Content-Type: text/html; charset=utf-8
    Client-Date: Sun, 05 Aug 2007 20:14:43 GMT
    Client-Response-Num: 1
    Client-Transfer-Encoding: chunked
    X-AspNet-Version: 1.1.4322
    X-Powered-By: ASP.NET

    David Wolf

  • Heather Paulson

    No problem Carsten, I am afraid to post the other URLs I am seeing.. really explicit.. I’ll send to you privately.

  • CarstenCumbrowski

    You are right David. and have different IPs. The one without the www is the non-Google IP and belongs to ENOM in BELLEVUE/WASHINGTON.

    Country Code: US
    Country Name: UNITED STATES
    Region Name: WASHINGTON
    City: BELLEVUE
    Latitude: 47.6052
    Longitude: -122.17
    Zip Code: 98008
    ISP Name: ENOM
    Domain Name: NAME-SERVICES.COM

    That “site” does a 302 redirect to the address, which has the Google IP

    Country Code: US
    Country Name: UNITED STATES
    Region Name: CALIFORNIA
    Latitude: 37.3956
    Longitude: -122.076
    Zip Code: 94043
    Domain Name:

    The reverse IP shows that there are 21 domains using the same Google IP address.

    Look at the sites, especially, that is another Google “clone”. Even better, that site, or better subdomains of the site are referenced by the Russian Wikipedia.

    1. from this article

    The article means in English: Dozory.Forbidden Games and references to, which looks like the “Russian Firefox” site.

    The second reference is from the Wikipedia article about Firebug.

    That one references to

    Now, which looks like the Russian Google has a funny registration record (It loads the English version of Google for me, probably because I am from the US and the site recognizes that. I have not tested it yet with a proxy, ideally a Russian one. I don’t have a proxy server list handy at the moment hehe)

    Here is the Who-Is record for

    Domain ID:D144168060-LROR
    Domain Name:CKOPO.ORG
    Created On:22-Apr-2007 19:09:45 UTC
    Last Updated On:22-Jun-2007 03:51:32 UTC
    Expiration Date:22-Apr-2008 19:09:45 UTC
    Sponsoring Registrar:Directi Internet Solutions d/b/a PublicDomainRegistry.Com

    Sponsored by “Directi Internet Solutions”? Privacy protector enabled? What is that?

    I am not a DNS crack to be able to give you an answer to that mess. I know that you can do funny stuff with hacked/unsecured DNS servers…. Shoot, I am now back in Fresno. This would have been something for DefCon, where I just got back from. There were rooms full of whiz kids from around the world, who would have taken this apart.

    I got Heather's call yesterday night asking me what the heck that is and I had not much time for deep digging. That’s why I did some checking to realize that there is something fishy and posted it this morning.

    It did not look like a big deal to me, compared to what I saw at the conference, where a guy who is (maybe) legal drinking age showed a room full of hundreds of people “how cool” the new security add-ons to online banking are (enforced by governmental regulations). You might have noticed that pretty much every bank changed their authentication forms and procedures over the last few months. Those changes, caused by the new regulations, are basically aiding hackers to break into your online account. If I spent a few days with it, I would probably be able to hack my bank as well. It's that bad (and I am not a hacker, trust me). Different story. I am sure that over the next weeks stuff will surface in the news. Too many people saw this, not the detailed instructions how to break in, but the way the system works, or better, does not work (he would have broken the law and gone to jail, if he had hacked somebody else's bank account in front of hundreds of witnesses).

  • CarstenCumbrowski

    Quick note: Regarding the other story I mentioned, check out my recent post at my personal blog.

  • Darknight

    Interesting 🙂 But The New Domain doesn’t sound great, just like an adult domain 🙁 That’s terrible

  • Petro

    Pretty weird stuff comes up if you investigate the domain at Alexa, and if you just type “” into Google.
    Further, did you try to type “” in your address bar?

    What is that?

  • Heather Paulson

    Search on Google for the domain pulls up in natural search with Google as title –

  • snapshot

    the last google

  • yreike


  • hairloss treatment

    Nice post!

  • cristhian becerra

    I am a dreamer and a very innovative person

  • cristhian becerra

    I am an inquisitive and innovative person