Slashdot Mirror
New Rules Make Domain Hijacking Easier
Tanktalus writes "Netcraft seems to have a little ditty about new rules from ICANN that take effect on Friday making it easier to hijack domain names. Essentially, if someone tries to take your domain, and you don't answer within 5 days, they now assume you are okay with the transfer. Previously, the default answer was no, and you had to explicitly state your acceptance of the domain transfer. Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
As they point out in the article, GoDaddy (and others) have a domain locking feature that will still prevent these transfers.
*waits for the slashdot editors to take a week's vacation*
someone give me a sample of the email notice and I'll whip up 4 lines of perl to take care of that.
Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!
This advice is a bit extreme... you can rest easy so long as you turn on domain locking at your registrar. That'll default all requests for transfer to a fail until it's removed... so all you need to do is keep your password to your domain registrar accout from falling into enemy hands.
Maybe this is a good time to educate the casual website operator about the domain locking feature, and what it's useful for. The new system's assumption is if your domain is unlocked, you're sending out a signal that you're intending for a transfer to happen soon. Maybe the rules should have locking as a default-on thing, but they don't so it's buyer beware for now.
People with small domains should beware?
Size isn't everything, you know...
500GB of disk, 5TB of transfer, $5.95/mo
Comment removed based on user account deletion
The upside is this will all end after the first lawsuit against ICANN.
Which should be in about 7 days.
You never know who could go down...someone could steal their name!
Cache
I realize that the primary use of tracking graphics is for spam, but wouldn't something like that be useful here?
If someone is unable to read the email in a way that loads the tracking image, then the server can just assume that the email was never received. Once the image has been downloaded, the request countdown can begin at T-minus 5 days.
This wouldn't even affect pico mail users because the image wouldn't load in the first place, thus the countdown would never begin. If they receive the email, they can always respond, even if the tracking image does not get loaded and the countdown does not get started.
If send ICANN a letter and a dollar saying im buying their corporation , and they dont tell me no before friday, im rich?
Whuhu. New busisness model.
1. Send letter
2. Wait 4 days.
3. Suck the profits out before next guy sends letter....
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Can you imagine waking up one day and finding Slashdot full of articles praising Bush and promoting school prayer?
Nothing has changed really. This has ALWAYS been the way the system ran, only some registrars choose to ignore it, and setup abusive transfer blocking mechanisms, and called them "Safety" measures for their customers instead of the lock-in attempts they really were. The problem with the old way was that some unscrupulous registrars (NetSol for instance)made it harder to get your domains away from them, forcing you to jump through hoops, and making them harder and harder to accomplish, and then deny them for wrong reasons. The new policy only sets out EXPLICIT rules about what are allowed reasons for a domain transfer to be rejected by the current registrar, and a process by which disputes over transfers will be handled. Other than that, nothing has changed really at all, and any news articles saying otherwise are less than properly informed, and listening to alarmist rhetoric instead of understanding how the system worked until now, and how it will work in the future. As a previous poster pointed out, the best thing to do is to lock your domains with your current registrar, just make sure that they provide an easy means to unlock them when you need to make changes, or when you really do want to go to a new registrar.
I swear to god, as soon as some huge website run by billionaires gets its domain transferred out from under them, heads will roll and this assinine "rule" will get changed.
Or perhaps someone at icann.org is asleep at the switch themselves? (hint hint)
Of course, I just doublechecked that warrenernst.com has the correct contact info. ;-)
I was thinking more Passport.com and Hotmail.co.uk
Join moola.com, play games to earn money.
Joker.com is my registrar and they emailed me 3 days ago about the changes, and declared all domains under their service were auto-locked by default!
:) Now if only I could get this kind of service from my credit card.
I had no idea about the regulations until they emailed me first. First they helped me transfer my domain away from a bad registrar, now they help me through new regulations without me lifting a finger.
Buyer beware of other services, but that's why you sign up with a reliable service with good references!
"All great wisdom is contained in .signature files"
I'm not bothered by this. I never had any faith in ICANN in the first place. They seem to be good for nothing except taking expensive vacations.
More importantly than the crap ICANN spews is your choice of a registrar. At least once a month, I end up in a wrestling match over a client-domain that is being held hostage by a fly-by-night, cheapie registrar. The latest happened about two weeks ago where this dumbass registrar decided to deactivate domains a month before they were set to expire if they weren't renewed. ICANN has done nothing to crack down on unethical registrar behavior. They're good for NOTHING.
Choose a solid registrar that has a good track record. My choice is Dotster, but even NSI is better than most of the crap registrars out there. Friends don't let friends get held hostage by $4.95 domain registrars.
If I read correctly, I think this rule pertains to TRANSFER requests, which you can make at any time during the year.
-- I prefer the term "karma escort."
How about just hijacking icann.org?
Suppose we sent a transfer request every minute, on the minute.
If we submitted ENOUGH of them, surely they'll forget to reply to ONE of them. And we'll have the domain name, cleanly by their own policies. They'd have no means of recourse.
I guess this is good. At least now i can easily get a domain name I want, if the sucker don't use it. I now quite a few domain names that are not really used but registered "just in case"
May Peace Prevail On Earth
Like it or not, the big fish MS forgot to do this and had their domain handed back to them in a nice manner by some dude who was clearly too harmonious with nature.
... for no other reason than some random name script generates the domainname names that they monitor.
Hey, I think people should know when their domains are expiring; maybe somebody could make a cute 'whois' plugin for firefox that tells you when the tab's->URL's->domain expires. I can imagine some marketers monitor expiration dates, and register them the moment they expire
Its the Hedge Wars all over again. Only now it can happen in real time.
So I ultimate say screw this. 5 days is not nearly enough time.
"Old man yells at systemd"
This isn't about your domain expiring and someone else purchasing it. This is about transfering domain names.
For example, you own abcxyz.com. I want it. I submit paperwork and/or a form saying you are selling it to me and that it should be transfered to me. If you don't respond within 5 days saying it should not be transfered, the domain becomes mine - even if it's YEARS from expiring.
1. Use a DDOS on the ICANN's website so they can't respond for 5 days. :D
2. Ask to buy their domain
3. Wait 'till they can't answer....
4. You're done!
unfortunately, people can't register domains as they expire. There's a time period of at least 30 days where the domain is locked by the registrar / registry to allow the current registrant the option to renew the domain name. What they fail to tell you is that it costs you your first born, an arm and half a leg to re-register a domain that's gone into redemption. Depending on the registrar it could range between $80 - $500 just to get it back for 1 year.
Subject: From the Honorable Janissary Robert M. Jacobson
Hello sirs,
Writing this letter comes at a times of great anguishes to my community. We have obtained funds in the amount of US$3,000,000 from the Nigerian government, after the passing of Prince Montebu Wilson, to whom we are the singlest heirs. However, due to political difficulties we are unable to secure the actual cash moneys ourselves. We require your assistance, for which we would thankfully provide a commission of $500,000 for your troubles. In order for this transaction to be completed, we hereby requests that your domain, www.coolinternetstuffthatisgreatandfun.com, be transferred to us immediately. Lack of action will be assumed as an affirmative response after five days.
Do YOU ever read more than a few words into those?
-- I prefer the term "karma escort."
...would "Didn't RTFA" = "Insightful"
I went through all of their administrative pages and couldn't find a thing. Nor have I received any email, as others have, pertaining to this development. I made sure the contact info for my domains were pointing at a human being and hopefully they'll address the issue soon.
From the usual shitfights I've gone through trying to get a domain transferred even though I own it.
Network solutions has an outdated email address listed for the admin and technical contact, and in order for you to change it the require faxed copies of a passport, credit card, finger prints, a 500ml sample of your blood and any children or pets you might have as hostages.
2 years and several attempts later and, although they occassionally manage to transfer the domain OK, the email address is still fricken wrong. These new ICANN rules could make my life much easier next time we change ISPs.
:wq
Might it be that ICANN is trying to force people to keep their WHOIS information current (or at the very least have a correct contact email address)?
Who actually benefits from this? What problems does it solve? And maybe most importantly: Who gets rich?
I'm more concerned with them requiring accurate contact info.
I used to have my real name, address and phone number in my whois info. I used to get tons of junk mail, and I even had people PHONE me to ask if I'm selling my domain, and then say they don't actually want ot buy it. One time a guy called when I wasn't home, and got my ex. She wouldn't tell him where I was (duh). When he called later and got me he told me that my secretary was very rude.
I do have a real Email address in the contact, and frankly I think that's really all that should be required.
In the land of the blind, the one-eyed man is kinky.
If anyone registers www.microsoft.com
I would recommend having your lawyers ready...
12 billion in lawyers is a good start...
The truth shall set you free!
but icann.org is MY domain! I'd better go reclaim it...
I had a situation a while back with a hosting company. A client I maintain a website for decided to host their website through 1dollarhosting.com
The sign-up form very cleverly asks you for the information to transfer your domain name TO them.
When trying to renew the domain name, I was told by their employees that it is against their policy to release domain names. They let people transfer them in, but they will not release them to other registrars.
After digging a little deeper, they are a partner of Register.com. It took hours (literally) to get someone with enough authority on the phone (at register.com) to release the lock that they had on the account so a transfer would work.
Thankfully, the domain name was finally transferred and the guy at Register.com agreed that what they were doing was unethical....though that didn't stop them from making it a complete PITA.
Mod points are pointless when you browse at -1.
I think it applies to "org", since I just registered that as my domain. Now if I can just get "com" and "edu", I'll bet set. I don't want mil or gov, since I expect to be pretty busy.
It's mine, all mine!
sigs, as if you care.
No one has made jokes about a little Diddy yet? I'm disappointed!
________________________________________________
suwain_2
It would seem that this time, Netcraft really did confirm it.
Bravo.
The "Insert Quote Here" line is almost as predictable as inserting an actual quote.
I wonder if people are hired at the Yahoo HQ's to monitor their notices of people raping them of their domain... hmm... This could be a good thing for some people. I can only hope it works in my favour, or I'll be rather pissed.
IANAL but I thought silence could not be used as an agreement to a contract. I learned this in my Business Law class but I guess this doesn't apply here?
this doesn't affect other countries domains, like .tk's, does it?
Note that this isn't about transferring a domain from one owner to another. It's about transferring a domain from one registrar to another while keeping the same owner. Transfers of ownership come under different rules.
It would require all the operators take a 5 day COMPURTERLESS vacation!
You know this is slashdot and chance of that happening is ZERO.
[for mathematicians, it is zero, not a near zero but a real zero.]
Emacs is good operating system, but it has one flaw: Its text editor could be better.
Or perhaps someone at icann.org is asleep at the switch themselves? (hint hint)
Just tried it using PairNIC. It didn't show up as available. Slashdot.org however is available. =)
'nuff said.
Domains can be transferred at any time before a domain expires. Not just when it's up for renewal.
Obviously you've never dealt with totalnic.net.
First off, anyone who has a clue (and granted that's definitely not everyone) has their domains set to "Registrar-lock" already - this means when a transfer request is made it is automatically denied by the registrar right away. This stops all sortsa fun and games, in the past mainly to stop assholes like DROA (Domain Registry of America) and Register.com from "slamming" my (and other's) customers. See these assholes send REALLY OFFICIAL looking "renewal notices" to domains expiring soon by postal mail, with instructions to simply return a check for $25 or fill in CC info and if someone isn't paying attention, or clueful, they just transferred their domain to these bastards without a clue.
So I started years ago setting registrar lock to ON for everything I register.
However one bonus is, maybe this will make a FEW transfers INTO me a little easier. The assholes at itsyourdomain.com pop into mind, they will absolutely deny any transfer no matter how much their customer screams "I WANT TO TRANSFER THIS DOMAIN AWAY FROM YOU GODDAMNIT". Complaints to ICANN, and others go unheeded.
So in short - ICANN SUCKS, this rule doesn't really suck THAT bad but I'm sure there's going to be at least a few horror stories about lost domains next week.
--- www.f-theocean.com
The scary thing isn't for people who don't notice the letter - it's for people who don't have the correct contact information to begin with. If you gave incorrect details when you registered the domain, it can be taken by anyone that puts their mind to it.
I don't think for a minute that they haven't considered this - it looks like a deliberate move against people who don't want to tell the world who they are. ICANN would love to force these people to list their details.
Damn, probably 90% of the posts in here need to be modded to -1. These rules relate to the transfer of a domain by the domain owner of that domain from one registrar to another. It is not about claiming (or hijacking) someone else's domain as the headline improperly entices you to think.
This is a good thing people! It helps to ensure that domain owners can transfer their registrations when they so wish. In fact, the domain owner has to first request the transfer before it even gets this far.
Sheesh.
- The registrant or domain owner;
- The losing registrar;
- The gaining registrar.
- The central registry - central repository of records.
Got that?Okay, the way a transfer was supposed to work was as follows:
- The domain owner submits a transfer request to the gaining registrar
- The gaining registrar was to seek confirmation of the transfer from the domain owner, based on existing whois information, and independent of the request.
- Having received such confirmation, they notify the central registry that the transfer is valid.
- The central registry notifies the losing registrar of the imminent move, to give them a chance to block it should there be unresolved billing issues or other disputes. Only in such a case was the losing registrar meant to block the transfer.
- If the losing registrar does not object, the transfer is executed.
(Steps 2 and 4 actually run in parallel, but that's irrelevant.)The Problem
However, a number of losing registrars put in a policy some time ago that they would also seek confirmation from the domain owner, despite the gaining registrar having already done so in step 2. They would object to all transfers unless they received authorisation to their liking from the domain owner.
One registrar in particular required a copy of an Australian driving licence or passport, or a notarised letter for non-aussies. In this case it made the administrative cost of a transfer prohibitively high. The did not require this level of identification when a domain was being transferred to them. (Before you ask, yes the admin details were correct. They were just being berks.)
Invariably this policy was put in by registrars to try to prevent customers moving to other registrars, by adding additional hoops. The 'excuse' put forward was to reduce exposure to legal actions.
When one tries to cover ones ass too much, one's hands end up covered in shit.
Not all registrars did this - the nicer ones honored the word of the gaining registrar and only interfered if there were billing issues etc.
The Solution
The new ICANN rules is a compromise - it now explicitly allows the losing registrar to seek the double confirmation, but they can no longer block the move just because the customer didn't jump through enough hoops for them
It does not require the losing registrar to do so, so this is business as usual for the nice registrars.
The important point is that the gaining registrar still has to verify the transfer in the first place, as it should be. The customer confirms their identity once, and no more.
What's to stop a registrar faking authorisation? The loss of their ICANN accredidation, and hence their business.
Final point: although this is a non-story, it *is* important to make sure your admin details, especially your email address, are correct and up to date. Just as you would check your entry in the phone book, check your whois data too.
"A goldfish was his muse, eternally amused"
How would you notice?
(this is meant as a lighthearted jest).
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Almost got it right...
1. Use a DDOS on the ICANN's website so they can't respond for 5 days.
2. Ask to buy their domain
3. Wait 'till they can't answer....
4. ???
5. Profit
Fahrenheit 9/11?
:)
"Sit down, son. We don't read most of the bills that pass through here. Have you any idea what that would entail?"
Substitute "bills" for "articles" and you have slashdot. At least we're up to the US Congress standard
Kjella
Live today, because you never know what tomorrow brings
While acknowleding that this is a joke, I will point out that this doesn't affect .uk domains at all, or any other ccTLD for that matter.
"A goldfish was his muse, eternally amused"
It doesn't matter - the gaining registrar will still has to get explicit confirmation from the icann.org owners in the first place.
"A goldfish was his muse, eternally amused"
No. The gaining registrar still has to get explicit confirmation from the domain owner.
"A goldfish was his muse, eternally amused"
First, if your registrar charges you for domain locking (which none do), move to one that doesn't.
Second, this applies *only* to confirmation sought by the losing registrar.
The gaining registrar still has to seek explicit confirmation from the domain owner in the first place.
"A goldfish was his muse, eternally amused"
Some of the naster email viruses out there don't even need you to click on a link in order to own your machine.
Sooo, what's to stop someone from sending email to the "Administrative Contact" of the domain with such a virus, and sending out a fake confirmation email that, yes, they do indeed want to transfer the domain? To the Registrar, it will look like a real transfer request. It might even hold up in court.
I suppose if one uses a Registrar which has a lock in place, this might offer some protection. But Heaven help the Administrative Contact if he/she has the password info written down in a file on the box which has now been hijacked.
Hmmm. I wonder if this "thought experiment" even applies to Microsoft? Odds are that the Administrative Contact there is using IE with all of its holes.
Suddenly, Microsoft's consistent ignoring the value of security in their products really can come back to bite them in a very nasty way.
Not that I'm suggesting anyone do this of course. But this setup, along with the security flaws in Windows, can expose a lot of sites to a new form of domain hijacking.
Think transfer security is a problem ... there's a security problem far worse:
h readid=328696&perpage=15&pagenumber=1
... as of now, some registrars do little while others suspend domains within only a few days - so if one goes away on holiday, they could very likely come back and find their domains suspended/deleted.
...
(a post of mine reposted from ICANNWatch http://www.icannwatch.org/ - slashdot.org rejected it, but I'm used to that LOL!)
-----
Bogus "Whois Problem Reports" are increasingly going from being an annoyance to being a real security risk. Some recent incidents I've experienced due to Whois Problem Reports *merely* being filed:
* Dotster, about two weeks ago, threatened to delete a domain if I didn't respond.
* BulkRegister, just yesterday, threatened to suspend a domain if I didn't respond within 5 calendar days.
What good are Whois Problem Reports when anyone can file one and there is virtually no screening performed to ensure such reports have any validitity to them; reports filed on some of my domains claimed everything was wrong, including the expiration date - what!? Talk about pure nonsense!
As of now, if one wants to cause a registrant problems, all they need to do is file bogus reports at the Internic link below (it's so easy, it's frightening!) - heck, if someone really wanted to be deviant, they could spread a virus that sends bogus Whois Problem Reports from hijacked computers...
http://wdprs.internic.net/
In addition, some registrars, such as GoDaddy, charge a fee to the registrant for *merely* reviewing a Whois Problem Report for a particular domain, regardless of whether the report is valid - see links below for more details:
http://www.dnforum.com/showthread.php?t=67862
http://www.webhostingtalk.com/showthread.php?s=&t
There is much talk about the transfer policy changes and security, yet bogus Whois Problem Reports is a security risk many times worse.
Some ICANN policy changes are needed pronto regarding Whois Problem Reports...
1. Requiring more than just a name and email for people making complaints - they should have to provide a postal address that's verifyable and/or some other information.
2. Screening of such reports - permit registrars, if they're not already, to toss out Whois Problem Reports that they feel are invalid without involving the registrant; stop wasting their time over this nonsense.
3. A standard on how registrars handle Whois Problem Reports
* including a reasonable time for the registrant to respond, such as 30 calendar days, before any action is taken
Something needs to be done before bogus Whois Problem Reports get any further out of hand
Ron Bennett
now I'll be able to get that domain I've been waiting for!
now i can get my spam-domain! :)
since most of their whois information is fake, spammers won't receive (e-)mail.
all their domain are belong to me.
after one week i change the ip-number attached to the domain to 127.0.0.1 and they're owned
Privacy is terrorism.
A duct-tapeable gun-sight for Doom3 of course!
Everyone RTFA. This is not domain hijacking. This is a rule that allows a registrar to transfer your domain to another registrar. So you don't have to worry about someone "stealing" control of your domain or replacing your website or engage in fantasies about gaining control of microsoft.com cause that's not gonna happen. Microsoft will still control the domain, but if the rule is invoked, it may be at a different registrar.
Stupid rule if you ask me. All this does is put more pressure on Registrars to respond to frivolous requests by other (unethical) registrars phishing for business.
"And then I visited Wikipedia
As a little guy(TM), how I can give my feedback to ICANN?
ICANN seems like a big machine, run by... who knows? Who decides on these rules? Didn't they learn anything from the sex.com case? (perhaps that is too long ago and they have forgotten already) If they expect a big spike in appeals (as mentioned in the article), shouldn't that be indication enough that this rule change be reconsidered?
RTFM; please, I beg you.
This is transfers between registrars not between domain ownership.
It does help you actually if you need to move domains along swiftly.
Also many of these still use an antiquainted technology called facsimile because for some reason, this is a highly secure method of doing business, oh, and a rubber stamp helps.
If someone hijacks a domain, then it will stil be fraudulent, remember no security thorugh facsimile, I mean, obscurity.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Policy on Transfer of Registrations between Registrars, I don't find the part that states that the transfer is approved if the domain owner (i.e. the administrative contact) does not respond in time.
I do find language that states the transfer will be approved if the Registrar of Record does not respond within 5 days. This, however, is a Good Thing, as it makes it harder for the losing registrar to prevent you from transfering your domain. Of course, they can still just deny your request and hope they get away with it.
The way I see it, this gives domain owners (a little) more control over their domains. I don't see what's wrong with that. I never understood why transfers need to be approved by the losing registrar anyway - why would they ever approve losing a customer?
Please correct me if I got my facts wrong.
It has been exploitet too just two months ago, when ebay.de was hijacked by a 19yo kid.
It seems that Tucows (the domain registrar) messed up by not responding to DENIC's inquiry.
http://www.heise.de/newsticker/meldung/50661
Here's a situation where everyone who gets screwed out of their domain should sue (ICANN plus whomever else).
* Dotster now almost immediately swaps DNS to their servers and puts up a LAME "This domain has expired" and "search engine" type page. I didn't expect them to do something that lame.
* If you don't re-register within a grace period, they charge you a HUGE fee to renew the domain. I am not pleased with that at all. There've been times where I couldn't afford to renew a domain exactly when it was due. More suckage.
Registrars suck.
First, the current registrar must approve a transfer of domain without obtaining the registrant's approval. This is contrary to common sense. If the purpose is to stop registrars from unreasonably holding domain names, then the appropriate response is to require the current registrar to approve a transfer request when the registrant has approved it. If the registrant approves, and the current registrar rejects, that's an appropriate cause for complaint.
After all, isn't it more important to protect existing domains from unscrupulous transfers, than to prevent rogue registrars from accepting legitimate transfers? I may have one legitimate reason to move my domain from one registrar to another but there are a large number of scammers who would gladly capture my domain for fraud or other purposes.
It's a bit ridiculous that every registrar should be forced to implement a locking function, and every domain holder should be forced to lock every domain, all at once, in order to protect themselves from fraud.
Secondly, the "unlock" action required prior to a legitimate transfer opens a window of time in which a domain can be stolen - in programming parlance, a race condition. It's a problem with the protocol.
Just the other day I transferred several domains from Joker to GoDaddy. Joker isn't very easy to deal with, and GoDaddy is cheaper, so I decided to move the Joker ones to GoDaddy.
When I jumped through the Joker hoops to tell them that I wanted to transfer my domain name, they opened a "transfer window". I was shocked when they said that, during the transfer window, _any_ registrar could grab my domain. Not just GoDaddy. Not just me. Any user of any other registrar could have issued a transfer request for my domain name, through their registrar to Joker, and Joker would have accepted it, if the request arrived before my legitimate request from GoDaddy. Indeed, any user of GoDaddy could have done the same thing, because there's nothing in the request itself to say that it was me who instigated that request.
What happened to the good old days when a request for a transfer resulted in an email from my registrar to me, asking for my approval. If I approve, the transfer will go through. If I'm not there or indisposed, overseas or not reading my email, then the transfer will not happen.
Duh. This is about approval of transfers, not expiration. Transfer requests can happen at any time.
Flood Network Solutions with notices that icann.org ownership is being transferred to someone else.
If there are enough of them, then there got to be at least one which isn't answered within the 5 day timeout.
And whoever wins, wins control of the Internet! Whoot!
Get emailing, theres no bigger competition than this!
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
You're right. Shiit, I was trying to do five things at one time so I didn't read carefully.
:-)
I can imagine they made the rule that way because before it was _hard_ to transfer domain because workflow of the approval procedure was screwed up.
I had problems transfering my own domains because online forms and customer service made at the old registrar made it very difficult to allow transfer (as that allowed them to keep customers longer).
Now that the default is Yes, it's much more customer-friendly, but if someone steals your identity (mobile phone, email account password, etc.), yes, you're definitively screwed.
Overall I think the new default is better.
If the article highlighted the identity theft problem (not the new rule), I think I would have read it correctly
I've had only horrible experience with register.com. After they completely screwed up the 5th domain I registered with them, and took over a month to get it to work, and then screwed up their web site with buggy programming, I decided to transfer all my domains away. As expected, that took over a month, too. Just about everyone there was clueless, including whoever managed their own DNS servers for their own domain as I found errors in that, too. So from now on, I always recommend to all my friend, partners, and clients, to never use register.com, ever.
now we need to go OSS in diesel cars
For .de domains, this has been the procedure ever since I've been in the domain business. The way that most registrars have implemented it is that they will send an automatic NACK (not acknowledged) to any incoming transfer request that their customer hasn't specifically asked them to authorize. Many registrars then send a notification to their customer after the transfer has been denied, giving them the opportunity to send a LATEACK, which overrides the previous NACK, but this way the rules are reversed again. If the registrar doesn't offer this LATEACK, it's "allow and try again" if you really want the domain to be transferred. What this does achieve is that if a registrar goes out of business silently, you can still get your domains transferred from them because there won't be anybody or anything sending NACKs anymore...
... ever
@
their little red wagon can be fixed easily.
time to have someone start jacking big domains like google, microsoft, ibm, etc...
I'm thinking that getting ICANN sued into a pile of dust by some big guns would solve this problem in a hurry.
This is the Litigation Age, Let's use it to our advantage.
Do not look at laser with remaining good eye.
They re-turned all domains on (I mean blocking so this crap won't happen to anyone)- they turned it on by default on Oct 31 for all domains, at least according to an e-mail I got some time ago.
No reason to freak out unless, perhaps you are with some registrar that doesn't offer the blocking service.
Don't panic. This can only be attributable to human error.
Then your employers policies are screwed up.
The ICANN position has *always* been that the gaining registrar must verify the request.
If your company doesn't do this, then it's not fulfilling it's responsabilities, and should have it's ICANN accredidation removed.
ICANN, until now, *never* asked losing registrars to double-check the veracity of the transfer.
Companies like yours which did so introduced needless delays for the customer.
this new system is going to turn out very badly for everyone
This system has been in operation for years!
Registries like Tucows don't require confirmation from the domain owner for transfers away. So, if as you say you don't verify transfer requests you receive, then I can use you to hijack (unlocked) Tucows domains. That is the situation at present, but the fault is with your employer, not Tucows.
Of course, if ICANN don't follow through with enforcement by removing the accreditation of operators like your employer, then it'll all go to hell anyway, new system or old.
(I should note, Tucows does notify of transfers away, but don't require you to okay it. They know the rules, and follow them.)
"A goldfish was his muse, eternally amused"
What pisses me is the whole "opt-out" approach. Have spammers and CANSPAM proponents taken over ICANN?
ICANN screw you over unless you explicitly tell me no?
Jeez.
Ignorance is curable, stupid is forever.
Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!
Owners of small domains beware? The big ones should fear just as much. They never answer email as it is.
Also all those spammer networks too. Hmmm they don't answer I guess it's time to transfer their domain name...
I thought the exact same thing :-)
Check out my sysadmin blog!
Isn't this going to be a fun time, Most people enjoy long holidays over Christmas.
Why doesn't normal contract law apply to domains? This is much like allowing anyone to transfer ownership of your home without your explicit permission.
You can fix their little red wagon easier than that. Just don't pay attention to them.
Nobody HAS to listen to ICANN or any of the lackeys they delegate their power to. They're not actually providing anything that anybody else with the motivation to take over the job and some big iron can't provide, they're just the default body everybody goes to because they're SUPPOSED to be a convenient place for centralized governance of the various things that make the internet tick.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
Oh man, if indeed: "The FOA should be sent by the Registrar of Record to the Transfer Contact as soon as operationally possible, but must be sent not later than twenty-four (24) hours after receiving the transfer request from the Registry Operator. Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer." Oh man, oh man. As a sys admin for a hosting comapny, I can tell you everyone is going to hate this. The only thing that really needs to be fixed is when registrars like Bulk Register block trasnfers to competing companies like enom. This is such a pain for so many folks. Rats, I hope this does not go through, what a mess :(
photoplankton
Hey people do you know how a domain name lock works?
If you do nto then myabe you should find out..
Story conclusion only works for those who do not lock their domain names
Don't Tread on OpenSource
If you only have 12 billion, you'll be at nearly a 6 to 1 disadvantage. Billy & Co. have 65 Billion in cash just lying around.
Aside: That sounds like a lot of money, doesn't it. But then, the US federal governement spends about thirty times that amount each year, and has to borrow that much every 6 weeks just to stay afloat.
Is it just my observation, or are there way too many stupid people in the world?
Network Solutions is terrible. I admit, they do have customer support, and when I call, I rarely wait more than a minute to talk to someone. That's good.
Is there a secret phone number? I have a friend who has a problem with them (hijacked domain, actually!) and he's literally been trying to get something done for _months_. Network Solutions ignores his e-mails and faxes, and the only phone numbers we can find only play recordings telling you to submit requests by e-mail. Please, let me know what number you're calling!
Thats just plain wrong. Nothing like this should default to 'YES'.
However, I bet the first high profile case, and this is reversed..
5 days.. sure taht's ok..
---- Booth was a patriot ----
Owners of small domains, beware: no more computerless vacations that last more than 4 days at a time!"
I could see this happening to larger domains easier than smaller ones. Microsoft has already lost domains because the re-registration got "lost in the mail". Maybe the next time, the one who snags it won't be as nice to return it so promptly and without a legal battle.
Next thing you know you'll be bolting your domains to the floor.
I don't read AC A human right
These changes will mostly effect how the .com and .net domains are transferred (and possibly some other lesser ones). It all comes down to how the registrars used to transfer domains between registrars and how they will now.
.com and .net was that an individual went to a registrar to transfer their domain to, that registrar would then initiate a transfer request for that domain (some would verify that the person asking for a transfer is the person who ownes the domain by sending the admin in the whois an email, BUT THIS WAS NOT A REQUIRED STEP). The registry then alerted the current registrar that a transfer request for the domain has been initiated. It was then the current registrars responsibility to verify that the owner was the one wanting to transfer. If there is no response from the current registrar (to either accept or reject the transfer) after 5 days, then it would automatically accept.
.net and .com.
A main difference is how they used to be transferred, which for
All the new rule does is change the verification step from the current registrar to the requesting registrar.
With other TLD's this has already been implemented through a different system for quite some time. In this system, there is an authorization code assigned to every domain name (most times the owner doesn't know it and the registrar does so the owner needs to ask the registrar for it). The only way for a registrar to even start a transfer is for the person requesting the transfer to give them the authorization code. This in effect, then verifies that the person ownes the domain because they have the private passcode. This is in most TLD's with the exception of
Dear Microsoft Employees:
As your Fearless Leader, you've all been given a two-week holiday to commence next Monday. To make sure you get the most out of this holiday, please do not take any work home or respond to e-mail messages. Those that login to check their e-mail will be terminated.
signed,
Bill
signature pending slashdot approval
"Stacy" at the Register.com LivePerson chat just told me this:
I am sorry to inform you that the domain transfer request will be approved within 5 days if you fail to respond to the confirmation email. Register.com may provide the facility of locking domain names in the near future.
Do you know if Dotster will protect you? ... or I need to move to GoDaddy.
Simpy
Unfortunately this isn't possible. .Org domains use transfer authorization codes. Basically the .Org registry requires a domain specific password to allow a transfer request to be submitted. You can't request the transfer with out the password.
I know it's already been covered by other posts, but not much has actually changed with the registrar transfer policy. There's nothing new to worry about.
-XO
I've found that when transferring .ORG domain names from one registrar to another the PIR gets involved, and requires an authorization code from the losing registrar, so I think we can stop chortling about the idea of hijacking icann.org or slashdot.org. We would need to obtain the authorization code, and I don't think the registrar would hand that over to just anybody.
I have to admit that this story through me into a panic, I mean a full-on tingling-up-the-spine near-freakout, since I use a registrar that's about the worst one on the planet (and I'm in the process of moving everything over to one that I actually like). But it looks like my fears were pretty much unfounded. But there's still a shroud of doubt hanging over me. It's still not clear to me what happens if I am unable to respond to an email requesting authorization on a transfer from my old registrar.
And another thing that weirds me out is that in one part of the ICANN page it says that registrar-locked status will protect the domain name from being transferred, and then in the next section they say it won't. What's the distinction they're making?
You are in error. No-one is screaming. Thank you for your cooperation.
If you only have 12 billion, you'll be at nearly a 6 to 1 disadvantage
1 I assume they won't burn all their assets on one case.
2 I assume they won't spend more than the original poster mentioned for selling it back to them.
That's where I got the 12 billion figure. It's true they might spend 65 billion to defend against a 12 billion website takeover, but I doubt it would require that much to squash you.
The truth shall set you free!
Congrats to ICANN to bring slamming(act of switching providers without customers approval) to domain name registration. Another thing to worry about, I can't wait till my domains get moved over to whatever registar that charges $25 a year without my permission.
Have you ever been to a turkish prison?
I cannot emphasise enough, do NOT use DotRegistrar!!
I was trying to send a spam complaint to one of the domains registered through them, and the e-mail kept getting bounced. According to ICAAN rules, the contact information must be correct. So I used the only method DotRegistrar has to contact them, their tech support form. For my e-mail address, I used an address with 'dotregistrar' in it (myname.dotregistrar@mydomain.com), I use this technique often to track the dissemination of my email address (e.g. myname.amazon@mydomain.com, myname.ebay@mydomain.com, myname.zdnet@mydomain.com, etc.).
Not only did I get no response from them, but within a week, I started getting a flood of spam to that exact e-mail address! The bastards sold the address that was used exclusively for a complaint (it has never been used for anything else, not even to register a domain) to spammers! Their (no) privacy policy states that they will release collected information "to third parties or to the public at large, for any purpose," but it does not indicate this includes complaints. I guess they got me, eh?
TZO.COM automatically locks domains for their customers (and unlike the other registrars, they have real human beings staffing the phones).
I suspect all registrars offer domain locking as a feature. Some may not enable it by default.
this is a test
Several people have mentioned that this is about changing registrars, not hijacking. However, having worked at a cheap registrar, let me tell you how a hijacking can and sometimes does take place.
To start, let me explain how domain sales usually worked at this registrar. First, there was a fee to change ownership, even though it could be done by simply modifying the whois information. There was another fee to transfer to a new registrar. Since the person buying the domain name rarely wanted to use the same registrar, many sales would take place by simply transferring the domain to a new registrar. Then they would not have to pay both the name change fee and the transfer domain fee. It used to work something like this.
The new registrar supposedly verified the information before submitting the transfer request to the old registrar. However, if the information did not match, it was assumed that a domain sale was taking place. Only if there were blatent red flags did anyone stop to question a transfer.
Can you see how someone might try to use the new rule to complete a "sale" of a domain? I am sure that there are now more checks to prevent this since I have been away from that cheap registrar for a couple of years. Just to be on the safe side, I will check a few domains to make sure they are locked.
KnarflingGreat civilizations have lived and died on false theories. Don't mess up mine with a few facts.
Besides a lock by the registrar, how about an autoresponder to the official registrant's email on file saying "No, This domain, [domain], is not approved for transfer to any other party." Or some-such. Granted, lotsa spam will get answered, but wouldn't this constitute response?
-- @rjamestaylor on Ello
Talk about a protection scam. Make it easy for someone to steal from you, then offer protection if you pay. Is the mob running ICANN now?
I noticed on http://www.godaddy.com/ you can go through the transfer proccess for seemingly any domain you want without entering any information regarding the current owner. If you do this(and pay the few $$), then the real owner doesnt shootdown godaddy's request for transfer, it'll be transfered to godaddy correct?
... I think I'm missing somethin here...
At that point who would have access to the account details/ownership? The owner would need an account with godaddy in order to make changes, but if they are unaware of the transfer.. what then? Would godaddy create an account automagically and perhaps email the owner the account login/pass? If that is the case and the owner had bad contact info listed then the domain would sit stagnant for the next forever years wouldnt it?
Stealing is stealing; with a gun, or a computer.
e rpol. If the calvery won't, or can't help you; Then, well, recourse is up to you.
I've paid for the use of something for a specific period of time. If someone has taken this from me then it is theft. Solution? call the police/sherif/marshal/f.b.i./homeland-seurity/int
You really can't change the way a bad guy thinks, but you can introduce outcomes that would cause the bad guy to reconsider actions in a constructive direction.
For engineers, that's equivalent to a very small value of zero.
~Idarubicin
Spammers often register their domains without proper contact details. They can't get the notice. Some spam vigilantes could, (um... theoretically, of course...) hijack these domains to teach the spammers a lesson.
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
Thanks to y'all for pointing out the fact. I'll go eat my crow a la mode now. :-)
asking him if he would give me a billion $. If I haven't heard from him in 4 days, I'll tell the bank to assume he's OK with it and to give me the money. I like this new rule.
Jump in, if you think this is a bad idea! Here's the letter I just sent to icann@icann.org:
Good afternoon:
I stringently oppose the new ICANN Policy on Transfer of Registrations between Registrars, specifically the section 3 line:
"Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer. In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed."
This policy is an extraordinarily bad idea, for several reasons:
1) It puts more responsibility on registrar to wade through spurious domain transfer requests, many of whom will not take the pains to actively sort legitimate from non-legitimate requests.
2) It will mean trouble for domain owners who don't closely manage their records. Domains with incorrect e-mail addresses and outdated administrative contact information are at particular risk of hijacking.
Please reconsider this decision. Domains have become far too valuable to companies to introduce such a disruptive and potentially damaging policy.
What does it mean to wake out of a dream
and be wearing someone else's shorts?
BNL, Born on a Pirate Ship (1998)
Section 3 5th paragraph: "Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer."
Hey I know, I'll make an offer on your house... and if you ignore me, I'll proceed to move all my things in and toss all your things out!
Bzzt, sorry. Doesn't work like this.
Take your tinfoil hats off, because this will not happen.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
Well, that doesn't make sense -- if I respond it's yes but if I don't it's yes? That won't fly.
-- @rjamestaylor on Ello
check out http://despammed.com/
It's a free e-mail forwarding service that does a GREAT job filtering SPAM. I've used it for years as my email address for anytime I have to register somewhere and know I'll get a ton of SPAM for doing so (like domain registrations, Ebay, online vendors, etc.)
This time I'll admit it.
I wanted to change a domain name (one a friend of mine legitimately owns, and had asked me to change). I started calling around... I first called names4ever. They went through the process of looking up the actual registrar, which was "In Just a Minute." I then called up IJM and they redirected me to their DNS services guy. I got ahold of the guy (name protected) on the phone and asked him to change the authorized zoneholder... he did it immediately, without asking for any kind of information.
In fact at no time during this process did I ever tell anyone my name or the name of their original client. All I ever said was the domain name (also protected, you evil blackhats).
So... it's not too hard to steal a domain anyway...
FAQ chapter 3.4. Outgoing transfer (leaving Gandi) indicates that there is no any lock. I think.
I think the point of this is not to push out people that use fake contact information but to keep registrars from holding domains from users. If a deliberate move was made by a registrar before to keep their paying customers from leaving by holding the domain, there was nothing the customer could do. Now, the registrar must relinquish control and allow the transfer. I think this is a welcome regulation change as I have had problems transfering domains in the past.
All you have to do is make sure your contact information is up to date. And if a domain gets taken, you can always dispute it.
Bullish Machine Tzar
They've been very good to me.
"NOTICE... November 2004 ICANN Transfer Policy Email
;)
From November 8-10, we are sending an email to all domain customers informing you of a new domain transfer policy, enforced by ICANN (The Internet Corporation for Assigned Names and Numbers). This policy dictates that we must honor any transfer requests, even if you do not personally confirm them. To prevent unauthorized transfers, lock your domains. This service is free and takes only a minute."
I'm a happy customer
VIVA1023.com | Political Fashion.
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
Umm, this says Registrar of Record not Registered Name Holder. Correct me if I'm wrong, but a Registrar of Record would be EasyDNS, Register.com, networksolutions.com, etc. A Registered Name Holder would be me. I think this has more to do with you trying to transfer your domain to a different register, and your current register not responding because they don't want you to move it.
If you go read the ICANN Policy on Transfer of Registrations between Registrars http://www.icann.org/transfers/policy-12jul04.htm it's quite explicit regarding the circumstances in which a registrar (aka Network Solutions, Dotster, Tucows, GoDaddy, etc - not the Registrant, billing or technical contacts) could deny a move request as well as under what circumstances they could not deny such a request (Nonpayment, No response from the Registered Name Holder or Administrative Contact, etc).
I'm no rocket scientist but the policy clearly intends to prevent Registrars from hijacking the domains of their clients, as some have been wont to do, or simply refusing move requests by passively ignoring said requests.
Here is some of the verbiage of the policy that indicates its clear intention to anyone who is capable of reading above a 5th grade level.
"Registered Name Holders must be able to transfer their domain name registrations between Registrars..."
"The Administrative Contact and the Registered Name Holder, as listed in the Losing Registrar's or applicable Registry's (where available) publicly accessible WHOIS service are the only parties that have the authority to approve or deny a transfer request to the Gaining Registrar."
Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer.
In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.
Thus spake the SysGoddess
Many DN registrars have an option to "lock" your domain, to prevent it from being transfered to another registrar.
The new ICANN rules specifically state that such a locked domain is not subject to transfer.
I think that most people here are misinterpreting the new rules.
From what I can see, they're not to make DNs easier to steal from their owners; they're to make it easier to transfer DNs from one registrar to another.
The problem is that the new rules make it easier for one registrar to steal a DN from another (although the owner does not change).
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Whois contact addresses are supposed to be public. They are not contact addresses for your registrar. If they are agressively filtered they might be considered invalid (perhaps if several attempts are made to contact them from several to test validity.) If they are tested for validity and found to be invalid (i.e., not accepting any email) then the domain might be taken from you (for publishung invalid contact info).
I use a sneakemail address on my whois record. I can easily change it to another sneakemail address (only I'm too lasy. I still get only about one spam message a day on that address. I get more spam on the sneakemail address I publish on slashdot posts and I still haven't replaced that one...)
An address published on whois is not immediately spammed. It takes several weeks until spammers scan the database and distribute updated mailing lists, so if you replace your whois address every week, or even just every month, you should be quite spam-clean (at least on these addresses). Of course you might be unlucky and your address harvested just after you publish it, but then, email addresses are cheap.
One thing that might be useful would be a protocol automatically update all whois contact addresses and tools to autopmate the process of creating new addresses, updating them, and then blocking the old ones (ideally, if you want to receive all mail that might be sent to an address, you would want the old address to be kept active and then automatically blocked after about a week (to account for mail delivery delays, plus perhaps a couple of days a possible sender might delay a draft before finally sending it to you).
BTW, widespread use of multiple email addresses, especially if combined with effective methods to automaically change and block old ones, can prove as a very big problem to spammers. They rely on very low response rate from mailing lists that have a reasonable percentage of valid addresses (I would call 5% valid reasonale here). If you throw in a factor of something like 99 out of 100 addresses being automatically invalidated by receiving spam (i.e., most addresses used by spammers becoming invalid soon after they start to receive spam) tehn it might make spam unprofitable. At leasy it would make life much harder for spammers,having to clean up their lists all the time.
Well, so far I haven't had anything but good experiences with them; same for other folk I know using them. But if I have bad experiences in the future, I'm not married to them, and don't have a problem changing hosts (at the moment I'd probably look at godaddy, and maybe lunarpages since I've observed they have good stability).
~REZ~ #43301. Who'd fake being me anyway?