51 comments

  • lefstathiou a year ago

    This happened to me and I found this tool super helpful to get my site unblocked: https://dnsblacklist.org/

    I purchased a valuable premium domain to host a personal art collection (of anime cels). For some bizarre reason, the site was inaccessible from my work computer and it was de-listed from Google even if I typed the url itself into search.

    I hired a Squarespace specialist to figure out why, to no avail. I then begged our company’s CISO to investigate and it turns out we had some firewall setting on UniFi that blocked the domain because it appeared on a list. Once I checked way back, it turns out that it was an anime porn aggregator years back. I personally reached out to all the web filters out there (Google, Symantec, Bing) and one by one filed tickets for them to mark it as art instead of pornography and it worked. I am now properly crawled on Google but still MIA on Bing, search console is giving me some BS error that’s incomprehensible, typical of MSFT.

    • a_t48 a year ago

      I'd be somewhat interested in seeing the cels. :)

    • ruthmarx a year ago

      > I hired a Squarespace specialist

      I had no idea such a thing existed.

      If you can set up your own domain why would you need someone that specializes in a super limited non technical frontend for customizing prebuilt web templates?

    • veunes a year ago

      It’s wild how these past associations can stick and haunt a domain, even after it’s changed hands entirely.

  • romanhn a year ago

    Another "haunted domain" check is by trying to post about it on social media. I ran into this with my current project's domain name. After building an MVP and trying to test the social sharing functionality, I found that Facebook was blocking the domain outright. Turns out there was some spamming from it years ago. Getting it unblocked was extra fun, as the page to request manual review was itself broken! Thankfully I knew someone on the inside who alerted the relevant team, but the whole experience was quite the novel speedbump.

    • nicoloren a year ago

      I faced the same issue with one of my projects. But, as I don't know anybody at Facebook, I left the domain and bought a new one.

    • winddude a year ago

      I had that one happen as well, after launching a project. I could even post in messages to friends.

  • dtdynasty a year ago

    > Ideally, search engine algorithms would give new domain owners a fresh start.

    Sadly, I think this would be instantly gamed by abusers. They would release the domain name and attempt to register as a new owner or start repeatedly doing handoffs. It's difficult to tell who the owner is changing between and whether or not the new one is a better actor than the former.

  • veyh a year ago

    Some time ago I noticed that my side project (with a domain that is not haunted) shows up fine on Google but not Bing/DuckDuckGo.

    So I checked the Bing Webmaster Tools. URL Inspection says "Discovered but not crawled - The inspected URL is known to Bing but has some issues which are preventing indexation. We recommend you to follow Bing Webmaster Guidelines to increase your chances of indexation."

    That's quite unhelpful. What's more, when I open the "Live URL" tab, it says, in green: "URL can be indexed by Bing."

    It's a simple static Hugo site hosted on Cloudflare R2 (DNS mapped directly to bucket). https://pagespeed.web.dev gives it a score of 100 in every category.

    Anyone else had something like this happen?

  • 8organicbits a year ago

    Another variant of this is cached or preloaded security configurations.

    HSTS (which forces browsers to validate HTTPS when connecting) asks browsers to cache the configuration for a set "max-age". Some sites set huge values here, like Twitter's 20 year max-age[1]. There's also the preload lists [2] to consider. This creates a problem if you want to serve non-HTTPS/unencrypted HTTP on your new domain and the previous owner didn't.

    MTA-STS [3] is another variant that's becoming more popular. It limits which mail servers your domain uses and enforces TLS certificate verification. "max_age" is capped to a year by the RFC. If you don't set your own policy, then the previous domain owner's policy would impact any senders who previously cached the policy.

    Thankfully HPKP (key pinning) is obsolete, otherwise you'd also need to worry about old pinned keys too. That RFC recommended, but did not enforce, a 60 day max-age limit.

    These are especially tricky as the old security policy only lives in the caches of any end-user devices that previously connected to the domain. Double haunted.

    [1] https://alexsci.com/blog/hsts-adoption/

    [2] https://hstspreload.org/

    [3] https://alexsci.com/blog/smtp-downgrade-attacks-and-mta-sts/
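The cached-policy lifetimes described in the comment above can be worked out from an archived copy of the previous owner's responses. This is an added example, not part of the original thread: the header value, policy text, host names and hand-over date are constructed, and `stale_until` is a hypothetical helper.

```python
from datetime import datetime, timedelta, timezone

MTA_STS_MAX_AGE_CAP = 31557600  # RFC 8461 upper bound on max_age (seconds)

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("HSTS header without max-age is invalid")
    return policy

def parse_mta_sts(text):
    """Parse the key: value lines of an MTA-STS policy file (RFC 8461)."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "mx":
            policy["mx"].append(val)
        elif key == "max_age":
            policy["max_age"] = min(int(val), MTA_STS_MAX_AGE_CAP)
        else:
            policy[key] = val
    return policy

def stale_until(last_served, max_age):
    """Latest time a client that cached the policy at last_served still applies it."""
    return last_served + timedelta(seconds=max_age)

# Constructed sample data: what an archived response from the previous owner might show.
OLD_HSTS = "max-age=630720000; includeSubDomains; preload"  # 20 * 365 days
OLD_MTA_STS = "version: STSv1\nmode: enforce\nmx: mail.old-owner.example\nmax_age: 604800\n"
LAST_SERVED = datetime(2024, 1, 1, tzinfo=timezone.utc)  # assumed hand-over date

if __name__ == "__main__":
    hsts, sts = parse_hsts(OLD_HSTS), parse_mta_sts(OLD_MTA_STS)
    print("HSTS cached until:", stale_until(LAST_SERVED, hsts["max_age"]).date())
    print("MTA-STS cached until:", stale_until(LAST_SERVED, sts["max_age"]).date())
    if hsts["preload"]:
        print("preload directive present: check the preload list, which max-age does not expire")
```

Serving your own HSTS header or MTA-STS policy replaces the cached copy only for clients that reconnect; the dates above are the worst case for those that do not.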

  • Pikamander2 a year ago

    A client of mine once swapped over to a new domain that was coincidentally one letter away from another major domain. It wasn't an attempt to typosquat or anything nefarious, but Chrome started automatically showing everyone a big scary warning page before entering the site. We looked into appealing it but there was no guarantee of it getting whitelisted in a timely manner, so we ended up canceling the domain migration before they lost too much traffic.

  • r1ch a year ago

    This can also happen with IP addresses. We recently moved one of our sites to a new IP and got a trickle of complaints about it being inaccessible from various authoritarian countries. After some digging, the new IP was used as a Tor bridge (not even an exit node) over _ten years ago_. I gave up any hope of fixing that and just ordered a different IP address.

  • rsingel a year ago

    Not always the easiest thing to do. A haunted domain could have been haunted 15 years ago. And Google refuses to tell you why or fix their system.

    Just one more place where the web gets screwed by a company too big to have to do basic customer service.

  • p3rls a year ago

    The usual version of this is the popular SEO technique of buying an aged domain with a few backlinks and slapping a wordpress on it.

  • lmz a year ago

    If it was easy to reset reputation with search engines what's stopping people from saying "under new management" every once in a while for an existing poor reputation domain? Probably better to just cut their losses and find another domain.

  • snowwrestler a year ago

    > It wasn’t until I had redirected all of my musicboxfun.com traffic to musicbox.fun that I noticed that something wasn’t right: my web traffic from organic search dropped to zero.

    Some practical advice here: do not change your canonical domain[1] name unless you really really have to.

    If he had just set his fun new domain to redirect to the existing domain, instead of making the new domain the canonical, it likely would have had no negative effect.

    I’m not saying this is how things should work. But the practical reality is that your domain name is like a Social Security number: it’s the basis for assigning a type of reputation score, even though it was not intended to do that originally.

    [1] The domain at which your web pages finally load, after all redirects have completed.

  • viraptor a year ago

    I've had an opposite experience. One domain I bought was used for an entirely different purpose in the past, which got linked on a Wikipedia article in references. This gives me some good link juice and at least matches the geo area of the previous business. Since it's an extremely niche entry and low on the list of references, I decided to be slightly naughty and not touch it for a couple of years. Not sure what's the opposite of haunted in this case, but it was just as surprising.

  • anonzzzies a year ago

    I have a lot of sites (all saas) and more and more people send me cease and desists and lawyer threats because they go to google, enter 'something' that's remotely phonetically similar to a domain I run and then click on my site. They paid on some site that sounds a LITTLE bit (if you squint) like my domain and now they are scammed and want to sue me. Now I understand scammers do this as well, but I had actually someone turn up at our office (which is my business partner's home) with bank receipts with a really not so similar name, however if you type it in google we pop up first even though our businesses are not at all related.

  • praptak a year ago

    "Ideally, search engine algorithms would give new domain owners a fresh start."

    I don't think it's possible to fix this problem without also helping bad actors. Maybe it's a problem that just isn't worth fixing. Just don't buy preexisting domains unless it's a project big enough to justify the necessary cost of due diligence.

  • evilotto a year ago

    This happens with physical addresses too, for similar reasons. The ABC (Alcoholic Beverages Commission) tracks complaints against physical addresses, and too many violations will get an address banned from permits. Then a new owner comes in with a new business and gets mysteriously denied for a liquor license, even years later.

  • superkuh a year ago

    For running a mail server every new domain is haunted.

  • moribunda a year ago

    Basic SEO stuff, you have marketplaces that check history, you have domain search engines aggregating data from multiple sources - not only ahrefs.

    Checking web archive is a basic operation to test if site was hosting anything fishy - not only pirated stuff or porn - often websites have been hacked and changed into link farms or simply were bought on aftermarket simply to use its SEO value to pass the strength to other domains.

    Anyways good point regarding email filters.

  • bebrbrhrj a year ago

    Interesting. Domain as a unit of trust makes sense until it doesn't. Buying a second hand domain is like a second hand car. But you may not know it is second hand!

    I think the mistake here is the redirect old to new. That is always risky so only do it if desperate. In this case I would have done the redirect from new to old. Then just use the new as a vanity url.

  • bagpuss a year ago

    one other thing i would suggest is to set up a catch-all email for the domain and see what gets sent to it, sometimes you can access accounts associated with the domain, socials etc

  • 8bitme a year ago

    This sort of thing is also an issue for phone numbers, some other company could have used your new number for robocalls and gotten it spam blocked on Truecaller and similar services.

  • hggigg a year ago

    Years ago I bought the carelessly discarded domain of a defence contractor that was acquired by another one. And set up a catch all email forwarder. Had weeks of fun reading all the emails that I got sent. There was nothing "secret" but plenty of social and business stuff still going on.

  • AStonesThrow a year ago

    One risk of pre-validating a domain before purchase is that it's not a good idea to tell strangers about your interest in such a property.

    Even automated queries are likely to spill the beans. Someone else could snag the purchase before you, or bid up the price. But it's a risk you may need to calculate.

  • ellisv a year ago

    I wonder if there’s a market for rehabilitating domain names

  • flemhans a year ago

    IP addresses can be haunted too, like if they were previously used for spamming.

  • ozim a year ago

    Conversely when you drop domain don’t forget you might have accounts on emails or some DNS verification in services that you better explicitly discontinue before just dropping domain.

  • anonym29 a year ago

    My very first domain was haunted. The warning sign was firewall blocks against the domain at both school and the public library. As it turned out... a previous owner in the early 2000's was running a sort of proto-Netflix, but with VHS instead of DVD, and that was exclusively targeting the... erm... "adult entertainment" market.

    Wayback machine would've saved me there, had I done my due diligence!

  • markx2 a year ago

    Automattic.com was bought (no idea if it was unregistered / acquired) by Matt Mullenweg when he set up the company. He also bought https://a8c.com.

    Here in the UK with EE/BT that correctly redirects to automattic.com, but it might not for you depending on your ISP.

    The wayback machine shows adult content links prior to the domain being put on sale, hence the blocking.

  • e_y_ a year ago

    Not quite haunted but I've had people report that my website hosted on a .quest domain is blocked on their work computer. My best guess is that their filter thinks it's gaming related (it's not) or maybe they just block all "weird" domains.

  • rschiang a year ago

    I've had this with anti-virus flagging domains and VirusTotal was helpful: https://virustotal.com

    But it does require manually reporting false positives to each vendor

  • andrewmcwatters a year ago

    I’ll add: and if you lease a VPS, check out its address reputation and reverse DNS record.

  • hamilyon2 a year ago

    > search engines treat links to your site as a massive signal of relevance and trust

    I am admittedly a bit distant from SEO. The above is not true and hasn't been true for a long time.

  • miragecraft a year ago

    Haunted is a weird way to call them, these are stigmatized domains.

  • mouse_ a year ago

    I feel like this should be the registrar's responsibility. Least they could do is give a disclaimer and/or a heavy discount.

  • Kalanos a year ago

    The domain could also have been used to run spam email campaigns, meaning that it is blacklisted by email servers

  • veunes a year ago

    A risk that’s easy to overlook until it bites you

  • pmarreck a year ago

    sounds like the makings of a business service

  • Havoc a year ago

    Also be careful connecting new domains to cloudflare. It has a habit of adding old info from presumably a previous owner.

    Managed to get a takedown notice thanks to that idiotic "feature" while not even aware the domain is serving anything

  • chrisallick a year ago

    that is amazing

  • ceroxylon a year ago

    Yet another valuable use for the WayBack Machine, glad it got a mention.

  • teddyh a year ago

    Calling a domain “haunted” is an awful, terrible way to frame it. It places all the badness of the domain on the domain itself, as if the domain name had something with it which could be removed or fixed by the domain owner. Instead, what has actually happened is that the domain is blacklisted by entirely too powerful entities. The problem lies with these blacklisting entities, not with the domain, and the solution must be done there, too. It should not be a domain owner’s responsibility to get out of being unfairly blacklisted.

    It’s like when cars took over the streets, and instead of blaming cars for being dangerous for regular people using the streets for walking, the concept of “jaywalking” was invented by car companies to place the blame on people for daring to obstruct cars. Or the concept of “personal carbon footprint”, commonly used to move blame from companies to individuals, when in reality whatever individuals, even in aggregate, could do is utterly insignificant compared to what companies and legislation could accomplish.

  • biddendidden a year ago

    Especially on an .io TLD; it's haunted by the lovely US taking advantage of Chagossian exploitation.

  • christina97 a year ago

    TLDR: when you rent anything, double check who rented it before you and what they did with it to make sure it’s in good condition.

  • benreesman a year ago

    As someone who knows what active persecution on this site is I relish the opportunity to say what I really know under a pseudonym.