the special sauce writes
"A few months back, our customers (we run a regional ISP) started receiving deceptive domain renewal notices from Verisign and Verisign partners such as Interland. A couple of our customers temporarily lost their domains in the process as the registrant, contact information and hosting company were all changed. Yesterday, I received an e-mail from a customer. He was forwarding a "reminder" e-mail he had received. It was an SSL certificate "renewal" notice from a UK company, Comodo. It instructed him to "upgrade" his current certificate (issued by Equifax) before it expired." More information on this charming practice follows...
the special sauce continues:
"For those who don't know, Equifax was just bought out by GeoTrust, who offers a QuickSSL product. Comodo's e-mail was advertising an "InstantSSL" product, which I myself mistook for the GeoTrust product on first reading the e-mail. When I realized my mistake, I contacted Comodo and inquired as to their relationships with Equifax and GeoTrust and how they came by my customer's information. The response: "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate." My interpretation: Comodo is harvesting contact information from certificates in bad faith, to market a competing product. Furthermore, I think they have targeted Equifax customers because the company was just bought out. In any buyout, confusion exists as to the "new" company's identity. I think they are offering a product whose name is confusingly similar to a GeoTrust product. The language in their e-mail does everything possible to obfuscate the fact that they are not affiliated with Equifax, encouraging customers to "renew" and "upgrade" their certificates. In reality, if my customer had clicked the links in the e-mail, he would have been purchasing a new certificate from a company with which he had no previous relationship.
So I ask, is this not cert slamming? I don't expect this to be as big a problem as Verisign's domain slamming: we simply host fewer certificates than domains so it is easier to warn all of our customers with secured web sites. Nevertheless, I've reported the practice to the FTC."
There was a recent ruling against Verisign for this activity. Because of their deceptive mailings I will _NEVER_ consider using them as my registrar.
scott
Don't customers have to have their service provider actually changed (w/o authorization) for the practice to be considered slamming?
I mean, what's described here is disgusting, but I don't know that the terminology fits.
- DDT
So long, michael. Don't let the door hit you...
What exactly does this story have to do with VeriSign?
If we're going to start working slams against companies we don't like into unrelated stories, we should at least cover all the bases by saying something tangential about Microsoft or an RIAA member while we're at it.
--
Mod up a post Rob doesn't like and you'll never mod again
Verisign only complains if anything takes money from them. If they don't lose money, they don't care.
I spoke with a person at Verisign about an obviously false whois registration that belongs to a spammer. This clearly violates ICANN rules, but Verisign does not want to hear it.
Fight Spammers!
Well, once you OPEN one of the pseudo-official envelopes you can usually figure out it's just an ad, the official looking stuff is just to get you to open it (although those 'checks' are a rip). But this, from what I have seen, looks like an actual renewal notice, much more sleazy IMHO.
"Everyone is entitled to their own opinion, but not their own facts."
Sure it's Cert slamming. There's no doubt about that. The problem is though, that to date there is no law against it. That's right, perfectly legal. For example I have on my desk a letter from "The Administrative Office of RPR/OFV Records Division". It looks vaguely like something from the IRS, certainly it is from some government agency. When I open it, it looks like a check for $1600 and a ticket for a cruise. Of course, it is all a bogus marketing scam. Probably trying to sell time shares. It's totally and intentionally misleading but, at the same time it is still legal.
Furthermore I wouldn't look for a law against it any time soon. Things like certificates and how they work are a bit on the technical side, at least for our poor overworked legislators. They have a lot of catching up to do and are currently bogged down trying to stop the MP3 swappers from being the scourge of humanity that they are.
While I don't condone the spam advertising methods here, this is NOT comparable to Verisign's shady practices. Verisign was sending out notices that tried to make people believe they were renewing their domains, but were actually switching providers.
There is no deception here. It's a simple advertisement asking you to switch.
Nothing to see here.
Sometimes it's best to just let stupid people be stupid.
Verisign partners such as Interland
Is it just me or are these internet companies' names getting more cheesy every day?
Soon we'll have CutCo, EdgeCom, and the ever waiting CompuGlobalHyperMegaNet joining the leagues of crap companies I'm sure.
Anyone know if Comodo's cross-signed with another provider? I don't see Comodo listed with their own top-level pre-trusted root in Konq 3.0 or Mozilla 1.0, so I sure hope they are cross-signed with someone.
That would be truly unfortunate for the victim to fall for this and end up with a cert that nobody's browser trusts.
Comodo is a spam-laden organization. I run a web hosting and network management firm in Edmonton and we've received countless offers for "CHEAP SSL" and other services from Comodo!
It's been thoroughly discussed in other locations such as WebHostingTalk.com which I suggest anyone interested in pursuing a Comodo service look at first. These guys actually responded in the forum with a nice show that they don't actually care who they spam provided it makes a buck.
Sincerely,
-Matt
--- Need web hosting?
- A company uses publicly-available vehicle registration information to pitch extended warranties.
- A tax company uses public appraisal tax rolls to offer their assistance in filing appraisal appeals.
- A company sends a homeowner a form and fee request to file a homestead exemption, again using information from public tax rolls.
- An insurance company sends a "reminder" about homeowner insurance renewal, using information publicly available in some states (usually loan information).
- A doctor's office uses publicly-available information to notify a pilot that it's time for he/she to renew their medical certificate.
In all these cases, companies are pitching their wares using public information, knowing full well that a small percentage of the population will choose not to check the details. Exploitive? Maybe...but certainly not illegal. And it can't even remotely be considered slamming. It even looks like Comodo was very straightforward with you when you requested additional information. I see no attempt by Comodo to obfuscate their purpose.
If this company is UK based I would advise you to report them to the Office of Fair Trading and the UK Trading Standards. These kinds of practices are despicable and the OFT and TS do not take kindly to this sort of behaviour.
I cannot even count the number of bogus faxes / emails I have received telling me one of my domains (or some clever spelling thereof) is about to expire.
Gee, marketing people are creepy slimeballs. I'm stunned. No. Really.
Cheers,
-- RLJ
So Comodo spams website owners. As a result, the website owners might get tricked into buying this cert "renewal".
But who makes the Certificate Signing Request for website owners? In most cases the company hosting the web site. (Unless it's co-location).
I expect competent tech support personnel to filter out these bogus certificate renewals immediately.
-------
Warning: Slashdot may contain traces of nuts.
Yup, even in the southern hemisphere it's happening.
Internet Name Group (no URL any more that I can find) and Internet Registry have both been trying it on in Australia and New Zealand. The ACCC (commerce department in Aus) and the Commerce Commission in NZ are both keeping an eye on the matter.
Stories on the subject here:
http://www.idg.net.nz/webhome.nsf/nl/D6AC0
and here:
http://www.idg.net.nz/webhome.nsf/nl/A8539751DE
apologies for the evil links... goddam Notes.
I am a leaf on the wind
Don't you think that calling their offering a RENEWAL is deceptive? It is a new and different certificate from the one that is expiring. It is not a renewal, it is a replacement.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
SSL and crypto in general is all about trust. Would you trust someone who engages in deceptive marketing? Then again, so does Verisign, with their domain stuff. Are there any good certificate issuers?
It's becoming clear that we need spam laws which provide for a penalty against the beneficiary of a spam, even if they did not originate it. An acceptable defense would be that the beneficiary had taken legal action against the spammer. That would make third-party spam actionable. (It may be, anyway, but it's a bigger legal battle under current law. I've been talking to an anti-spam lawyer, and he's unwilling to take on Verisign because they have too much money.)
So Mr. Coward worked for VeriSign? This explains the penis bird and the goat trolling.
- RLJ
I personally like the term "poaching" when referring to these types of practices. Strip mining is nasty, but not necessarily illegal (though it should be.) Poaching, by the very definition is:
To take or appropriate something unfairly or illegally.
I can't think of a better way of describing this type of information THEFT, for the gain of the THIEF.
Correct me if I am wrong but
Registrar information was ruled as non public..ie you cannot use for mass mailings through postal office, mass calling telemarketing, and mass emailing..
Would not cert information be on the same plane?
Don't Tread on OpenSource
They went to all the trouble to blur out the customer's address and items on the invoice, and then missed his info in smaller print, just plain as day.
I wonder how this guy feels about that:
Scott Rogers
Cape Cod Computer Wholesalers
P.O. Box 2842
Orleans, MA 02653-6842
Dumbasses.
In Soviet Russia, Chuck Norris will still kick your ass.
Just to clarify, Equifax sold just the small part of its business that was concerned with certificate management to GeoTrust. Equifax is still an independent company with lots of other businesses. (Yes, I work for Equifax).
So can I use my list of UUnet customers to market to them network connectivity from a company not entering into bankruptcy? It is public information.
now we need to go OSS in diesel cars
The words renew, remind, upgrade, and expire (or variants thereof) occur 15 times
The words switch, transfer, move (or variants) do not occur.
The word new does occur once, but in relation to the certificate, not the issuer.
"I'm not impatient. I just hate waiting." - My Dad
"We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."
They aren't trying to 'inform', they're hard selling, in bad faith. They're misleading consumers into thinking there is no alternative. It's opportunistic, and pretty close to criminal.
An insurance company sends a "reminder" about homeowner insurance renewal, using information publicly available in some states (usually loan information).
I get notices from insurance agencies, credit card companies and any number of other bulk mailers. The difference is, they are out in the open about wanting to sell me a product I don't have, or informing me I have an alternative to the products I may already be using.
These companies are playing dumb. "aww shucks, you mean folks didn't realize they didn't HAVE to re-up with us? well, gosh golly, i guess we'll be more careful next time." A mailing could just as easily be sent out that says "we noticed that your domain name / cert is about to expire. Please consider us as an alternative when you renew." That'd be a company hawking their wares. What they're doing now is a clearly deceptive business practice. Slamming just happens to be the closest description.
There are some people that if they don't know, you can't tell 'em.
I was kind of surprised to see this assertion. So I did a little due diligence (I looked at the web sites of both parties). Nothing whatsoever in their press releases. I finally found it here http://www.equifax.com/DigitalCertificates/dc_press09252001.html
Equifax sold their SSL Certificate business, not anything else, close to a year ago... They're still the same credit reporting, marketing and so forth company they've always been.
IANAL. Now, of course you have to consider that it's up to a court to determine whether a servicemark or trademark is being infringed upon, but "confusingly similar" certainly meets the standard for infringement. However, the special sauce got a different reading than I did - no doubt coloured by the fact that Comodo [brings visions of flushing to mind] spammed his customers for competing (and probably lame) products. I'd be pissed too.
However, my reading of the spam was that it's pretty straightforward. There's obfuscation, but it's arguable that they consider their product an "upgrade" in much the same way Microsoft salesdrones consider W2K Server an "upgrade" to your favorite Unix/Linux distro. Companies often offer "renewals" or "competitive upgrades" to entice users to switch from Brand X.
IMHO, what Verisign has done in its spam "renewal" campaign is fraudulent. In a related anecdote, I've found it next to impossible to move my domains to another registrar; hell, I've had problems just moving them between hosting services.
But, back to the topic, Comodo [flush] ain't slamming, I've experienced that joy on two occasions. BellSouth got a new Access app that had a *required* selection from a lookup table of long distance providers. The default at the time was AT&T. I went from *no long distance* (I *PAID* a monthly fee for disabling long distance). Not that it mattered, because BellSouth was perfectly happy to sign me up with AT&T for my non-existent long-distance service at a $15 a month fee. I still haven't found out how much they got for it, but after repeated phone calls and legal threats I enjoyed 8 months of free local phone service to settle the matter. Of course, that was after about 8 weeks of haranguing dozens of people - your mileage may vary.
Second was when I ordered DirecTV DSL for one of my company's East Texas offices. As in most places, the local Bell does the actual activation - molasses slow for competitors' customers, blazing quick (in comparison) for Bell customers. But I signed up for DirecTV DSL and SouthWestern Bell *canceled* that work order, telling DirecTV DSL that we'd already signed up with SouthWestern Bell; a blatant lie. Still dealing with that one.
__
Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
There's also the "Domain Registry of Canada" and the "Domain Registry of America". Wonder if it's the same outfit... they make 'em look like official govt. documents.
My attorney told me that if a contract exists, and I become aware that a competitor is trying to win my customer's business *prior* to the expiration of the contract between me & my customer, then the competitor can be sued for damages due to "tortious interference"...
Most of the time, the competitor would back off until the contract was within 3 months or so of expiring. There were a couple of times, though, that we went to court - & got money both times for damages (customer for breach of contract, competitor for "TI").
So how is this situation different from VeriSign, et al, slamming domain registrations? Why aren't the lawyers having a field day with this? Or are they, & I just missed the cloobus?
"He who throws mud, loses ground." - proverb
And here we have a certificate authority (CA) who's masquerading as a competitor, in order to slam "subscribers" and certify their identity to end users.
PJRC: Electronic Projects, 8051 Microcontroller Tools
And on top of that, they gave me an extra year for free for transferring to them. How nice of them :)
Names4Ever is another pretty good registrar. Decent config options and no spam.
Being located in the same city as I helps too... I believe they were the first Registrar in CA...
Hire a Linux system administrator, systems engineer,
If you currently have any domains registered by Verisign, immediately change to a different registrant and notify Verisign's customer service department as to exactly why you are doing it. Don't just threaten to do it, really do it. Even if you can't get a refund and have to shell out another $20 to somebody else, even if Verisign offers you incentives not to leave. Leave. And unless it makes you feel better don't waste your time crafting an eloquent manifesto, because they don't care about you or your moral arguments. They care about your money. Be clear, be blunt, and just take your business elsewhere.
Did you read the email? Sorry, I guess this would certainly qualify as a "company I don't want to do business with" but they plainly state that they are Comodo, and offer a supposedly better service/deal than you're getting now, etc. Shady, maybe, but you'd have to be a complete idiot (and hence maybe not the best network admin) to be fooled for even a second. It plainly states the company name "Comodo" many times. "Upgrade to Comodo's product" implies, to me, switching vendors.
Given that it's obviously a sales email from a company with whom I do not do business, I would file it immediately in the spam bin, no further thought required. But I see no fraud.
We used to use Veri$ign/NetworkSolutions as our Registrar, but due to too many problems (changing freeforms/faxforms, parking domainnames for no reason, fscked up database[*], and so on) we are moving all our domains to Tucows/OpenSRS and BulkRegister (trust me, we are not the only hosting provider in NL who does this).
It also looks to me as if Veri$ign/NetworkSolutions has made a pact with NameZero, since every domain which we host and has been registered through NameZero has become "parked" at NetworkSolutions.
This can be very irritating for our customers (help! my domain doesn't work!), and the worst thing is that they never notify anyone about this (it's even worse because I get all these customers on the phone ;(.
[*] A simple domain transfer could take 3 months, only because Veri$ign/NetworkSolutions couldn't find the domain in its database.
In my personal opinion: Don't do business with Ver$ign/NetworkSolutions.
Does this sound like any company you currently do business with? Most companies I do business with sound like this when you're not a customer. Once you're a customer, it's "Here's your bill for next year."
Move along, nothing to see. This is nothing more than a solicitation for business and an oversensitive recipient. There are enough valid targets for our annoyance with corporate lack of ethics without targeting a company which did nothing more than find people whose certs are expiring and let them know they have a choice.
Equifax should have no hand in your credit rating. They collate the information about your credit HISTORY and let finance companies access that data to score you on how high a risk you are. If your credit history sucks, you caused it. If it is wrong, challenge it. All "credit agencies" have a legal obligation to correct the information, if it is brought to their attention as incorrect.
"I love deadlines. I love the wooshing sound they make as they fly past" Douglas N Adams
If you believe this is fraud and/or computer crime committed by a UK individual or company you can report it here:
http://www.nationalcrimesquad.police.uk/nhtuc/n
The problem is though, that to date there is no law against it.
Maybe not in the US, but as they are based in the UK I'm sure this would come under deceptive marketing.
I'd report them to the UK Trading Standards.
(Misrepresenting yourself and products like that is very illegal. Quite a few of the electricity companies have been fined in the UK for deceiving customers to sign for information, but in reality changing their electricity supplier.)
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
I had this with one of the afore-mentioned companies a few months ago. (I'm a coward and don't want to get into trouble, so I won't mention names.) They got e-mail addresses for every listed contact from our whois record, and sent off letters to anyone for whom they could find an address, warning that our domain name registration was about to expire.
Including our CEO.
Who, not understanding what it was, and also not realizing that I'd only just renewed the domain name for five years and we weren't in any danger of losing our domain name until 2007, passed it on to the secretary with instructions to pay the bill.
Now, in fairness, the letter is cunningly worded, and probably can't be technically construed as slamming; it gives you the option. But, hoo boy, is it slimey!
The first I knew about it was when I started getting automated e-mails from our original registrar asking me to go through certain steps to authorize the name transfer. I tracked down what was happening, and got on the phone to Dom. Reg. of ***.
Forget the long, boring, tedious arguments. And the appalling insolence and downright rudeness of their people. Just a few points...
* They're used to complaints. Despite their protestation that I was only the second person who'd ever complained about this, as soon as you mention the word slamming they've got a rehearsed speech about the wording of paragraph five which they quote to prove it's not slamming. Uh-huh. Try doing a Google search on them and see if it's that rare a complaint.
* They're unhelpful buggers. No matter when I called, I was always told that nobody who was there could help me with my complaint, and I'd have to call back.
In the end, it works out okay. All you have to do is not authorize the transfer and they can't do anything about it, and they have to refund your money. Except for a processing fee. Trust me -- I argued and bitched and generally made a nuisance of myself by pointing out there was nothing in any of the correspondence we'd received or on their website about a processing fee, and we got the money back.
But believe me; there is one company who is now boycotted for life in my books.
Companies of the future will mix astronomical names with technical jargon: for instance, "Uranus-Hertz."
!#@%*)anks for hanging up the phone, dear.
If you're receiving a lot of unsolicited advertising faxes, you may want to check out http://www.junkfax.org/ to see how to fight back.