Slashdot Mirror


New Rules Make Domain Hijacking Easier

Tanktalus writes "Netcraft seems to have a little ditty about new rules from ICANN that take effect on Friday making it easier to hijack domain names. Essentially, if someone tries to take your domain, and you don't answer within 5 days, they now assume you are okay with the transfer. Previously, the default answer was no, and you had to explicitly state your acceptance of the domain transfer. Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"


  1. Some registrars will protect you by Anonymous Coward · · Score: 4, Informative

    As they point out in the article, GoDaddy (and others) have a domain locking feature that will still prevent these transfers.

    1. Re:Some registrars will protect you by gnunick · · Score: 5, Informative

      Someone else mentioned Joker.com, and I agree that they are a great registrar. I've used them since 2001, and have about 5 or 6 domains registered with them.

      The first thing I heard about these new rules was in some emails from Joker the other day telling me they were locking my domains for me. As far as tech support goes, I've honestly never needed any; I can control every aspect of my domains via a reasonably well designed web interface.

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    2. Re:Some registrars will protect you by Anonymous Coward · · Score: 5, Informative

      The way I do it is that I create a unique email address in my domain for each registrar I deal with (hostmasternetsol@mydomain.com, hostmastergodaddy@mydomain.com, hostmastergandi@mydomain.com, etc.).

      Then, on the server side, I set each of these email addresses to reject all emails not from those registrars themselves. For example, the Network Solutions one rejects emails without any of the following in the "From:" line:

      Network Solutions
      netsol.com
      networksolutions.com
      VeriSign.com

      The GoDaddy one rejects emails without:

      godaddy.com
      supportwebsite.com
      gandi.net

      And so on. Not a single spam email has made it through my domain contact email addresses since I set this up just under two years ago, and according to my stats, around 419 per week have been blocked (just over 41,000 total messages so far). And yet at the same time, I've gotten every email message when my domains have been coming up for renewal, or when I have made changes to them. So it seems to work well.

      You just need to make sure that you include all applicable domain names in the filters, because Network Solutions (for example) sends emails from several domain names.

      Of course spammers could get around this by spoofing the "From" line to pretend to be from a registrar. But, in practice, I haven't seen this happen yet. Hopefully SPF or some other such standard will become prevalent enough by the time that happens that it will be a non-issue.
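
The per-registrar "From:" filter described in the comment above, as an added example that is not part of the original thread. The function names and sample messages are constructed; the second function is a stricter variant that goes beyond the comment by matching the sender address's domain instead of any substring of the line.

```python
from email import message_from_string
from email.utils import parseaddr

# Contact addresses and match strings are the ones listed in the comment;
# the function names and sample messages below are illustrative.
FILTERS = {
    "hostmasternetsol@mydomain.com": [
        "Network Solutions", "netsol.com", "networksolutions.com", "VeriSign.com"],
    "hostmastergodaddy@mydomain.com": [
        "godaddy.com", "supportwebsite.com", "gandi.net"],
}

def from_line_allowed(recipient, raw_message):
    """Substring test on the whole From: line, as the comment describes."""
    needles = FILTERS.get(recipient.lower())
    if needles is None:
        return False  # not one of the registrar contact addresses
    from_line = (message_from_string(raw_message).get("From") or "").lower()
    return any(n.lower() in from_line for n in needles)

def sender_domain_allowed(recipient, raw_message):
    """Stricter: the address domain must equal, or be a subdomain of, a listed domain."""
    needles = FILTERS.get(recipient.lower())
    if needles is None:
        return False
    _, addr = parseaddr(message_from_string(raw_message).get("From") or "")
    domain = addr.rpartition("@")[2].lower()
    listed = [n.lower() for n in needles if "." in n]  # skip display-name strings
    return bool(domain) and any(
        domain == d or domain.endswith("." + d) for d in listed)

# Constructed sample messages (not real mail).
RENEWAL = ("From: Network Solutions <renewals@networksolutions.com>\n"
           "Subject: Renewal notice\n\nbody\n")
SPAM = "From: Cheap Pills <sales@bulk-offers.example>\nSubject: Hi\n\nbody\n"
LOOKALIKE = ("From: billing@netsol.com.bulk-offers.example\n"
             "Subject: Invoice\n\nbody\n")

if __name__ == "__main__":
    rcpt = "hostmasternetsol@mydomain.com"
    for name, msg in [("renewal", RENEWAL), ("spam", SPAM), ("lookalike", LOOKALIKE)]:
        print(name, from_line_allowed(rcpt, msg), sender_domain_allowed(rcpt, msg))
```

Both checks read an unauthenticated header, so either one only becomes a sender check when paired with something like the SPF validation the comment hopes for.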

    3. Re:Some registrars will protect you by Anthony+Boyd · · Score: 4, Informative
      Speaking of which, what kinds of experiences do people on slashdot have with domain registrars?

      Reading through this thread, I already am impressed with Joker, as they auto-locked everyone's domains, it appears. Very nice of them. I've used Verisign/Network Solutions, GoDaddy, Dotster, and one other I forget.

      Network Solutions is terrible. I admit, they do have customer support, and when I call, I rarely wait more than a minute to talk to someone. That's good. But they drag their feet on anything that will cost them money or lose them money (such as trying to transfer AWAY from them). Because of their long, long agreement (that took days for me to read through properly) and because they took soooo long to automate even the simplest of changes, I just transferred my last domain away from them 2 nights ago. What a mess -- the site was down, so I called and they couldn't do a thing, so I waited for it to come back up and then unlocked the domain myself, but even though it showed unlocked, they kept rejecting my attempts to move the domain! Eventually after more calls and waiting, it finally went through. Ugh.

      Dotster was fine, but I moved away from them about 2 years ago. I don't remember the major reason, but it may have been that GoDaddy was just cheaper then.

      GoDaddy is similar to Dotster, but with TONS of ads. I mean, so many that it will drive you insane. However, I found the trick: I've listed all my sites privately, so my email and address never appears in a listing. Also, I have no problem saying "no thanks" to all the ads that appear when I order something. And finally, I found all the knobs and switches that disable all the marketing emails, spammy offers, and other lameness that they try to email you. After doing all this, I'm fairly happy. I never get email unless it's something official, I have low rates, and everything seems to be automated. But this solution is not for people with a low tolerance for configuring and tweaking the ads off.

      For the company that I cannot remember, all I can say is: stay away from small registrars, especially ones that come with a Web hosting package. I bought a hosting package, needed a domain name, and used their little built-in registrar. What a mess. No features, and the registrar was tightly coupled with the hosting, so moving away was miserable. Stick to the known names you'll see mentioned a lot here.

  2. Nothing has changed by WilliamX · · Score: 5, Informative

    Nothing has changed really. This has ALWAYS been the way the system ran, only some registrars chose to ignore it, and set up abusive transfer blocking mechanisms, and called them "Safety" measures for their customers instead of the lock-in attempts they really were. The problem with the old way was that some unscrupulous registrars (NetSol for instance) made it harder to get your domains away from them, forcing you to jump through hoops, and making them harder and harder to accomplish, and then deny them for wrong reasons. The new policy only sets out EXPLICIT rules about what are allowed reasons for a domain transfer to be rejected by the current registrar, and a process by which disputes over transfers will be handled. Other than that, nothing has changed really at all, and any news articles saying otherwise are less than properly informed, and listening to alarmist rhetoric instead of understanding how the system worked until now, and how it will work in the future. As a previous poster pointed out, the best thing to do is to lock your domains with your current registrar, just make sure that they provide an easy means to unlock them when you need to make changes, or when you really do want to go to a new registrar.
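
One way to confirm that the registrar lock recommended in this thread is actually set on each domain, as an added example that is not part of the original thread. It assumes you have already saved the WHOIS output for each domain as text; the status names `clientTransferProhibited` (EPP) and `REGISTRAR-LOCK` (older label) are not mentioned on the page, and the sample records are constructed.

```python
import re

# Status values treated as a registrar-side transfer lock (assumption: the
# page only says "domain locking"; these are the labels WHOIS output uses).
LOCK_STATUSES = {"clienttransferprohibited", "registrar-lock"}

# Matches "Domain Status: <value> ..." and the older "Status: <value>" form.
STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*(\S+)",
                       re.IGNORECASE | re.MULTILINE)

def statuses(whois_text):
    """Return the set of status values found in one WHOIS record."""
    return {value.lower() for value in STATUS_RE.findall(whois_text)}

def is_transfer_locked(whois_text):
    return bool(statuses(whois_text) & LOCK_STATUSES)

def unlocked_domains(records):
    """records maps domain -> WHOIS text; returns the domains with no lock."""
    return sorted(d for d, text in records.items()
                  if not is_transfer_locked(text))

# Constructed WHOIS excerpts for illustration only.
SAMPLE = {
    "locked.example": (
        "Domain Name: LOCKED.EXAMPLE\n"
        "Domain Status: clientTransferProhibited "
        "https://icann.org/epp#clientTransferProhibited\n"),
    "legacy.example": (
        "Domain Name: LEGACY.EXAMPLE\n"
        "Status: REGISTRAR-LOCK\n"),
    "open.example": (
        "Domain Name: OPEN.EXAMPLE\n"
        "Domain Status: ok https://icann.org/epp#ok\n"),
}

if __name__ == "__main__":
    for domain in unlocked_domains(SAMPLE):
        print("no transfer lock:", domain)
```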

  3. Joker.com auto-locked my domain by hellfire · · Score: 4, Informative

    Joker.com is my registrar and they emailed me 3 days ago about the changes, and declared all domains under their service were auto-locked by default!

    I had no idea about the regulations until they emailed me first. First they helped me transfer my domain away from a bad registrar, now they help me through new regulations without me lifting a finger.

    Buyer beware of other services, but that's why you sign up with a reliable service with good references! :) Now if only I could get this kind of service from my credit card.

    --

    "All great wisdom is contained in .signature files"

  4. This is actually a good thing. by Savet+Hegar · · Score: 4, Informative

    I had a situation a while back with a hosting company. A client I maintain a website for decided to host their website through 1dollarhosting.com

    The sign-up form very cleverly asks you for the information to transfer your domain name TO them.

    When trying to renew the domain name, I was told by their employees that it is against their policy to release domain names. They let people transfer them in, but they will not release them to other registrars.

    After digging a little deeper, they are a partner of Register.com. It took hours (literally) to get someone with enough authority on the phone (at register.com) to release the lock that they had on the account so a transfer would work.

    Thankfully, the domain name was finally transferred and the guy at Register.com agreed that what they were doing was unethical....though that didn't stop them from making it a complete PITA.

    --
    Mod points are pointless when you browse at -1.
  5. Right. Mod parent up. by Animats · · Score: 5, Informative
    That's exactly right. This action was taken by ICANN because some registrars (notably Verisign/Network Solutions) were very uncooperative about transfers of domains out from their registry.

    Note that this isn't about transferring a domain from one owner to another. It's about transferring a domain from one registrar to another while keeping the same owner. Transfers of ownership come under different rules.

  6. Original poster didn't RTFA!! by xoboots · · Score: 5, Informative

    Damn, probably 90% of the posts in here need to be modded to -1. These rules relate to the transfer of a domain by the domain owner of that domain from one registrar to another. It is not about claiming (or hijacking) someone else's domain as the headline improperly entices you to think.

    This is a good thing people! It helps to ensure that domain owners can transfer their registrations when they so wish. In fact, the domain owner has to first request the transfer before it even gets this far.

    Sheesh.

  7. GOOD thing, not BAD thing. by feargal · · Score: 5, Informative
    There are four parties involved in the transfer process:
    • The registrant or domain owner;
    • The losing registrar;
    • The gaining registrar.
    • The central registry - central repository of records.
    Got that?

    Okay, the way a transfer was supposed to work was as follows:
    1. The domain owner submits a transfer request to the gaining registrar
    2. The gaining registrar was to seek confirmation of the transfer from the domain owner, based on existing whois information, and independent of the request.
    3. Having received such confirmation, they notify the central registry that the transfer is valid.
    4. The central registry notifies the losing registrar of the imminent move, to give them a chance to block it should there be unresolved billing issues or other disputes. Only in such a case was the losing registrar meant to block the transfer.
    5. If the losing registrar does not object, the transfer is executed.
    (Steps 2 and 4 actually run in parallel, but that's irrelevant.)

    The Problem
    However, a number of losing registrars put in a policy some time ago that they would also seek confirmation from the domain owner, despite the gaining registrar having already done so in step 2. They would object to all transfers unless they received authorisation to their liking from the domain owner.

    One registrar in particular required a copy of an Australian driving licence or passport, or a notarised letter for non-aussies. In this case it made the administrative cost of a transfer prohibitively high. They did not require this level of identification when a domain was being transferred to them. (Before you ask, yes the admin details were correct. They were just being berks.)

    Invariably this policy was put in by registrars to try to prevent customers moving to other registrars, by adding additional hoops. The 'excuse' put forward was to reduce exposure to legal actions.

    When one tries to cover one's ass too much, one's hands end up covered in shit.

    Not all registrars did this - the nicer ones honored the word of the gaining registrar and only interfered if there were billing issues etc.

    The Solution
    The new ICANN rules are a compromise - they now explicitly allow the losing registrar to seek the double confirmation, but they can no longer block the move just because the customer didn't jump through enough hoops for them.
    They do not require the losing registrar to do so, so this is business as usual for the nice registrars.

    The important point is that the gaining registrar still has to verify the transfer in the first place, as it should be. The customer confirms their identity once, and no more.

    What's to stop a registrar faking authorisation? The loss of their ICANN accreditation, and hence their business.

    Final point: although this is a non-story, it *is* important to make sure your admin details, especially your email address, are correct and up to date. Just as you would check your entry in the phone book, check your whois data too.
    --
    "A goldfish was his muse, eternally amused"
  8. Security Risks from Bogus Whois Problem Reports by Ron+Bennett · · Score: 4, Informative

    Think transfer security is a problem ... there's a security problem far worse:

    (a post of mine reposted from ICANNWatch http://www.icannwatch.org/ - slashdot.org rejected it, but I'm used to that LOL!)

    -----

    Bogus "Whois Problem Reports" are increasingly going from being an annoyance to being a real security risk. Some recent incidents I've experienced due to Whois Problem Reports *merely* being filed:

    * Dotster, about two weeks ago, threatened to delete a domain if I didn't respond.

    * BulkRegister, just yesterday, threatened to suspend a domain if I didn't respond within 5 calendar days.

    What good are Whois Problem Reports when anyone can file one and there is virtually no screening performed to ensure such reports have any validity to them; reports filed on some of my domains claimed everything was wrong, including the expiration date - what!? Talk about pure nonsense!

    As of now, if one wants to cause a registrant problems, all they need to do is file bogus reports at the Internic link below (it's so easy, it's frightening!) - heck, if someone really wanted to be deviant, they could spread a virus that sends bogus Whois Problem Reports from hijacked computers...

    http://wdprs.internic.net/

    In addition, some registrars, such as GoDaddy, charge a fee to the registrant for *merely* reviewing a Whois Problem Report for a particular domain, regardless of whether the report is valid - see links below for more details:

    http://www.dnforum.com/showthread.php?t=67862

    http://www.webhostingtalk.com/showthread.php?s=&threadid=328696&perpage=15&pagenumber=1

    There is much talk about the transfer policy changes and security, yet bogus Whois Problem Reports are a security risk many times worse.

    Some ICANN policy changes are needed pronto regarding Whois Problem Reports...

    1. Requiring more than just a name and email for people making complaints - they should have to provide a postal address that's verifiable and/or some other information.

    2. Screening of such reports - permit registrars, if they're not already, to toss out Whois Problem Reports that they feel are invalid without involving the registrant; stop wasting their time over this nonsense.

    3. A standard on how registrars handle Whois Problem Reports

    * including a reasonable time for the registrant to respond, such as 30 calendar days, before any action is taken ... as of now, some registrars do little while others suspend domains within only a few days - so if one goes away on holiday, they could very likely come back and find their domains suspended/deleted.

    Something needs to be done before bogus Whois Problem Reports get any further out of hand ...

    Ron Bennett

  9. Re:Lock it to block it! by 1u3hr · · Score: 5, Informative

    Just to restate this in even simpler terms:

    The Fucking Article (and even more so the editorial comments here) is WRONG.

    The linked ICANN paper's first line is "Registered Name Holders must be able to transfer their domain name registrations between Registrars". NOTHING TO DO with transferring ownership of domains; but of the registrars. Could be nasty, and even a first step to having the domain hijacked, but the ownership of the domain is unaffected.