You are here

Business Technology

Evicting Cybersquatters

Colleges and universities have to protect their websites from those who try to poach traffic.
University Business, Mar 2007

Having the right web address means everything when running a website. A URL-that string of characters following the http://-should be easy to remember, or at least easy to guess at. In the world of higher ed, prospects, students, alumni, and other online visitors simply want to type in a school name, follow it with a .edu, and splash onto a desired homepage.

Imagine the frustration when a URL that seems to belong to a college or university really leads to some other website that serves up all sorts of unrelated banner ads or annoying popups. Unfortunately, more web users are having this experience, thanks to malevolent forces who want to reroute web traffic and garner bogus attention (and sometimes advertising dollars) at the expense of a college or university.

They are called cybersquatters, and they are exposing IHEs to the darker side of the World Wide Web, warns Morgan Davis, web director at Warren Wilson College (N.C.), who has had first-hand experience in dealing with cybersquatting.

Cybersquatters may have another motive, too. They sometimes want to annoy a CIO just enough to provoke the outright purchase of the registered domain name that is close to the original registrant's. Of course, the cybersquatter typically demands far more money than the modest few dollars it can cost to register an original domain name. Sometimes, though, the payment is worth it to clean up the mess.

Davis explains that Warren Wilson dealt with a cybersquatter last year.

"When someone searches on Google, we want him to find something that really comes from us." -Morgan Davis, Warren Wilson College

"It turned out that the college's name was showing up on some websites that were purporting to be blogs," he explains. The URL listed for the college in these blogs was, which is very close to the college's registered domain, Those who clicked in the links in these blogs were rerouted to a website that served up advertising sold by a cybersquatter based in Nevada, he adds.

The instance is not unusual in higher ed, according to Davis. While most web managers and CIOs know enough to register a .edu domain name, they will fail to register related domain names that can point to the .edu website. As a result of his experience, he advises registering as many permutations on a name as are reasonable. Purchasing domain names that end in .com, .org, .net, and .biz is a good start.

"These fake blogs were most insidious because they were showing up in Google searches," Davis says, recalling the frustration. He has no metrics to prove that the cybersquatter hurt interest in Warren Wilson, but he did fear that the rerouted traffic could hurt the college's reputation.

"When someone searches on Google, we want him to find something that really comes from us," Davis says. "We are trying to clean out these folks who are masquerading."

Two years ago, according to EDUCAUSE, another incident affected approximately 1,000 colleges and universities. A Minnesota-based company, BDC Capital, Inc., acquired a reported 23,000 URLs that included some type of reference to names of colleges and universities. BDC specifically held the names of many websites that referenced higher ed sports divisions.

For example, the cybersquater purchased, which is not at all related to the University of Notre Dame's (Ind.) official athletic site. (That URL is Currently, the false .com URL still points to a website that includes comments about Notre Dame sports, but which says in fine print at the bottom of its homepage that it is not affiliated with any college or university.

Another URL, www.Universityof, which was purchased by BDC, now points to nowhere. Marvin Krislov, vice president and general counsel at the University of Michigan, claimed at the time that the domain name was causing confusion with visitors who really wanted to see the official U Mich websites, and www, the website of the university's atheletics department. Krislov sent BDC Capital a cease and desist letter. He also threatened to take the matter up with the National Arbitration Forum, an organization that will issue decisions on various legal matters via a network of litigators, mediators, and former judges. BDC gave up the websites that mentioned U Mich, says Krislov.

In the case of Warren Wilson, Davis contacted North Carolina Independent Colleges & Universities, a group that advocates for its members, and found that this particular cybersquatter had registered domain names that mimicked 28 other independent colleges located in the state. At present time Davis continues to monitor activity, but he has not taken other legal action.

Higher ed victims of cybersquatting should know that there are options for booting troublemakers out of your virtual space.

The next step (after registering domain names that end in everything other than .edu) is to register names that would be logical permutations of a website address. "If your official name is University of X, you might want to register X University," advises Mitchell Stabbe, partner and head of trademark practice for Dow Lohnes PLLC, a Washington D.C.-based law firm that represents a number of colleges and universities.

Registering other variations that might be mistaken for your official website is a good idea, as well. This would include adding or deleting hyphens to a name that has some unusual element (much like Warren Wilson's official address), or guessing at usual typing mistakes that might reroute visitors. Doing so thwarts the "typosquatter," a variant of the cybersquatter, who counts on common keying mistakes to divert visitors away from one website and to another, says Stabbe.

"Of course you can't think of all the variations," says Stabbe. Still, it is important to do your best guesswork and then let go. "If someone then registers a name for the purpose of creating a problem, then I advise going after them."

Before taking that step, though, he notes that some cybersquatters can cause more damage than others. A URL that points to a bland directory page isn't going to be as harmful as one that brings the reader to a porn page, a gambling website, or some veiled commercial site targeting students and alumni for purchases, or trying to garner personal information. "I tell clients to pick their battles. You can't go after every domain name, but you have to watch others carefully."

If it becomes necessary to legally fight a cybersquatter the first place to turn is the Internet Corporation for Assigned Names and Numbers-more commonly known as ICANN-which administers something known as the Uniform Domain Name Dispute Resolution Policy.

For a $1,500 fee a holder of a domain name can file a complaint saying that the cybersquatter is causing confusion and harming the domain name to which the petitioner has legal rights. The complaint is filed in the form of a 10-page plea. (Of course, there may be additional legal fees for hiring an attorney to write the complaint.) Still, taking this route is less expensive and more expedient than bringing a case in federal court, notes Stabbe.

There are protections against those who can be proven to be behaving in "bad faith."

The entire process takes 60 days.

There is good reason to fight for a domain name. Thanks to a landmark trademark legal ruling in 1999, those who hold the rights to a domain name have protections against anyone who can be proven to be behaving in "bad faith" or deliberately creating confusion in cyberspace, says Stabbe.

In many cases the cybersquatter will offer to give up the domain name in exchange for a college or university dropping the case, says Stabbe. "I assume that many [cybersquatters] do not want to have a record of having a complaint against them."

Kevin Lowey, senior systems analyst at the University of Saskatchewan (Canada) fought a cybersquatter in a different way-with HTML code and ingenuity.

The cybersquatter had registered a number of domain names that were close to the university's official web address, which is The cybersquatter was going as far as taking content from the university's site and putting it onto other webpages that were framed with advertising and linked to a commercial company.

Lowey learned of the activity through an alumnus. He complained that the university's site was cluttered with all sorts of annoying advertising. "After speaking to him we realized he was actually viewing a different page," says Lowey.

Lowey's answer: frame-busting code that was embedded in the official site's content. The code contained instructions that enlarged content to the full size of the page, covering the frames created by the cybersquatter, says Lowey. The frame-busting software, which amounts to one line of HTML, proved enough to frustrate the cybersquatter who eventually stopped the shenanigans.