Slashdot Mirror
New Rules Make Domain Hijacking Easier
Tanktalus writes "Netcraft seems to have a little ditty about new rules from ICANN that take effect on Friday making it easier to hijack domain names. Essentially, if someone tries to take your domain, and you don't answer within 5 days, they now assume you are okay with the transfer. Previously, the default answer was no, and you had to explicitly state your acceptance of the domain transfer. Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
Speaking of which, what kinds of experiences do people on slashdot have with domain registrars? Are there any that won't screw you over, on this and other issues?
You can also rest easy since the registrar originating the transfer is required to validate the request with the current registrant, using the information in whois, and get an affirmative resposne from them before even initiating the transfer. All this new policy does it set out the reasons why a losing registrar can deny an outgoing transfer. In domain transfers, since the registry/registrar split happened, the gaining registrar has ALWAYS been responsible for validating the transfer request with the proper registrant, and not assume that the data given in a transfer order is corrent. The article is not thorough or complete in explaing what is really happening here.
I used to work on that support floor. Its not all that great if you don't want to buy something from them. Their support ethics were getting worse and worse everyday I worked there.
Subject: From the Honorable Janissary Robert M. Jacobson
Hello sirs,
Writing this letter comes at a times of great anguishes to my community. We have obtained funds in the amount of US$3,000,000 from the Nigerian government, after the passing of Prince Montebu Wilson, to whom we are the singlest heirs. However, due to political difficulties we are unable to secure the actual cash moneys ourselves. We require your assistance, for which we would thankfully provide a commission of $500,000 for your troubles. In order for this transaction to be completed, we hereby requests that your domain, www.coolinternetstuffthatisgreatandfun.com, be transferred to us immediately. Lack of action will be assumed as an affirmative response after five days.
Do YOU ever read more than a few words into those?
-- I prefer the term "karma escort."
Might it be that ICANN is trying to force people to keep their WHOIS information current (or at the very least have a correct contact email address)?
First off, anyone who has a clue (and granted that's definitely not everyone) has their domains set to "Registrar-lock" already - this means when a transfer request is made it is automatically denied by the registrar right away. This stops all sortsa fun and games, in the past mainly to stop assholes like DROA (Domain Registry of America) and Register.com from "slamming" my (and other's) customers. See these assholes send REALLY OFFICIAL looking "renewal notices" to domains expiring soon by postal mail, with instructions to simply return a check for $25 or fill in CC info and if someone isn't paying attention, or clueful, they just transferred their domain to these bastards without a clue.
So I started years ago setting registrar lock to ON for everything I register.
However one bonus is, maybe this will make a FEW transfers INTO me a little easier. The assholes at itsyourdomain.com pop into mind, they will absolutely deny any transfer no matter how much their customer screams "I WANT TO TRANSFER THIS DOMAIN AWAY FROM YOU GODDAMNIT". Complaints to ICANN, and others go unheeded.
So in short - ICANN SUCKS, this rule doesn't really suck THAT bad but I'm sure there's going to be at least a few horror stories about lost domains next week.
--- www.f-theocean.com
The scary thing isn't for people who don't notice the letter - it's for people who don't have the correct contact information to begin with. If you gave incorrect details when you registered the domain, it can be taken by anyone that puts their mind to it.
I don't think for a minute that they haven't considered this - it looks like a deliberate move against people who don't want to tell the world who they are. ICANN would love to force these people to list their details.
Some of the naster email viruses out there don't even need you to click on a link in order to own your machine.
Sooo, what's to stop someone from sending email to the "Administrative Contact" of the domain with such a virus, and sending out a fake confirmation email that, yes, they do indeed want to transfer the domain? To the Registrar, it will look like a real transfer request. It might even hold up in court.
I suppose if one uses a Registrar which has a lock in place, this might offer some protection. But Heaven help the Administrative Contact if he/she has the password info written down in a file on the box which has now been hijacked.
Hmmm. I wonder if this "thought experiment" even applies to Microsoft? Odds are that the Administrative Contact there is using IE with all of its holes.
Suddenly, Microsoft's consistent ignoring the value of security in their products really can come back to bite them in a very nasty way.
Not that I'm suggesting anyone do this of course. But this setup, along with the security flaws in Windows, can expose a lot of sites to a new form of domain hijacking.
Addendum:
Registrar-Lock (domain "locking") offers ZERO protection in regards to one's domain possibly being suspended / deleted due to a "Whois Problem Report" merely being filed.
Policy on Transfer of Registrations between Registrars, I don't find the part that states that the transfer is approved if the domain owner (i.e. the administrative contact) does not respond in time.
I do find language that states the transfer will be approved if the Registrar of Record does not respond within 5 days. This, however, is a Good Thing, as it makes it harder for the losing registrar to prevent you from transfering your domain. Of course, they can still just deny your request and hope they get away with it.
The way I see it, this gives domain owners (a little) more control over their domains. I don't see what's wrong with that. I never understood why transfers need to be approved by the losing registrar anyway - why would they ever approve losing a customer?
Please correct me if I got my facts wrong.
For .de domains, this has been the procedure ever since I've been in the domain business. The way that most registrars have implemented it is that they will send an automatic NACK (not acknowledged) to any incoming transfer request that their customer hasn't specifically asked them to authorize. Many registrars then send a notification to their customer after the transfer has been denied, giving them the opportunity to send a LATEACK, which overrides the previous NACK, but this way the rules are reversed again. If the registrar doesn't offer this LATEACK, it's "allow and try again" if you really want the domain to be transferred. What this does achieve is that if a registrar goes out of business silently, you can still get your domains transferred from them because there won't be anybody or anything sending NACKs anymore...
I have strong recommendations for Joker. I know a lot of this comes standard with a lot of places, but lemme list the talking points: Cheap ($~12), good support, free nameservers, easy administration interface, and if you use their nameservers they'll let you use their MX forwarding, and if you do, you can use their spam filters. I have a lot of clients who have never heard of a DNS entry much less the process for domain administration, and none of them has ever had issue with using their site to create and use an account.
I suppose my one catch is, they seem to be somewhat Euro-centric (this, of course coming from my US-centric mind), so some of my new users are confused by if they need to pay VAT, or why some of the transfer processes are bound by German (I think) telecom laws designed to protect the consumer (e.g., for one action on a domain, you used to be required to sign a form and fax it to them). It works out well, though, since they protect the user from any sort of fudgery as mentioned above.. like five day steals.
You can fix their little red wagon easier than that. Just don't pay attention to them.
Nobody HAS to listen to ICANN or any of the lackeys they delegate their power to. They're not actually providing anything that anybody else with the motivation to take over the job and some big iron can't provide, they're just the default body everybody goes to because they're SUPPOSED to be a convenient place for centralized governance of the various things that make the internet tick.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
"Stacy" at the Register.com LivePerson chat just told me this:
I am sorry to inform you that the domain transfer request will be approved within 5 days if you fail to respond to the confirmation email. Register.com may provide the facility of locking domain names in the near future.
You continue to use spam assassin, also for reasons I will soon explain.
I personally take this individual e-mail address for registrars a step further. I use it for anything I sign up with that uses my e-mail address. ebay@example.com, paypal@example.com, slashdot@example.com, pornsite@example.com, etc, etc.
The catch here, is if they distribute my e-mail address to spammers, I know who did this (when you receive viagrar pills addresses to slashdot@example.com, you know someone from slashdot is harvesting or using your e-mail address).
You then discontinue your usage of the service, and instruct spam assassin (or your choice spam filter) to block all e-mails to that address, so you never have to filter based on predicting what will be in the body of the mail (essentially you henceforth KNOW any mail to slashdot@example.com is spam, so get rid of it).
Good times. It's also slightly fun to see which companies give out your e-mail address when they claim they don't.
Joker.com is also one of the registrars that is most uncooperative when you try to leave them. Of which this is added proof. "Auto-locking" is just their way of saying "we don't implement icann policy, their default won't be ours".
It's like a spammer saying "we will only send you e-mail you opt in for, but we'll opt you in by default, as a service".
SCO employee? Check out the bounty
If you go read the ICANN Policy on Transfer of Registrations between Registrars http://www.icann.org/transfers/policy-12jul04.htm it's quite explicit regarding the circumstances in which a registrar (aka Network Solutions, Dotster, Tucows, GoDaddy, etc - not the Registrant, billing or technical contacts) could deny a move request as well as under what circumstances they could not deny such a request (Nonpayment, No response from the Registered Name Holder or Administrative Contact, etc).
I'm no rocket scientist but the policy clearly intends to prevent Registrars from hijacking the domains of their clients, as some have been wont to do, or simply refusing move requests by passively ignoring said requests.
Here is some of the verbiage of the policy that indicates its clear intention to anyone who is capable of reading above a 5th grade level.
"Registered Name Holders must be able to transfer their domain name registrations between Registrars..."
"The Administrative Contact and the Registered Name Holder, as listed in the Losing Registrar's or applicable Registry's (where available) publicly accessible WHOIS service are the only parties that have the authority to approve or deny a transfer request to the Gaining Registrar."
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.
Thus spake the SysGoddess