RE: [registrars] Grave Robbing and SEDO Fencing
Thanks Donny. You're right, it does say *may.* So perhaps that's another thing the RC should consider trying to change. I realize it may pose an inconvenience for customers who want to flip names as you describe, but it wouldn't prevent it. What it would do is add a layer of protection against hijacking.
I think the raven.com issue illustrates the potential problem with assuming that if someone has the authcode, the name must be theirs. I thought the same way about the authcode at one time, but various experiences have changed my mind. I think authcodes are a good tool, but only one piece of the security issue.
Tim
-------- Original Message -------- Subject: RE: [registrars] Grave Robbing and SEDO Fencing From: "Donny Simonton" <donny@intercosmos.com> Date: Tue, August 07, 2007 6:27 am To: "'Tim Ruiz'" <tim@godaddy.com>, "'Registrars Constituency'" <registrars@gnso.icann.org>
Tim, The ICANN transfer policy says that I "may" deny a transfer within the 60 days after a domain is transferred to us, it doesn't say that we "must" deny the transfer. As more and more registrants start selling domains stopping them from transferring a domain just causes more problems. We have many customers who flip domains every day. With the hopes of making a few hundred bucks here and there.
Ever since Verisign switched to EPP, my rule has been if you have the auth-info code you can do whatever you want with the domain, because it's yours.
Donny
Hi,
Although I welcome initiatives, I don't think that a 60 days obligatory lock after every transfers, modifications will help registrars, it will only complicate transfers by adding an unnecessary burden.
The authinfo code has proved to be effective, even if exceptions are possible, such as the raven.com case. The 60 days automatic lock done by Godaddy and others is an internal registrar rule that neither ICANN nor the registries are requesting (at the recent exception of PIR, if I'm right).
In case of exceptional cases, we still have the Transfer dispute policy, which allows the registries to reverse wrong or fraudulent transfers that occurred in the past 6 months. In addition the ICANN radars is providing the direct email of people handling transfers and usually such cases are solved in a timely manner.
I don't see the need to act in this specific case, we only need to increase the already well working communications between registrars (yes there are exceptions...).
Best regards,
Paul Lecoultre
Tim Ruiz wrote:
Thanks Donny. You're right, it does say *may.* So perhaps that's another thing the RC should consider trying to change. I realize it may pose an inconvenience for customers who want to flip names as you describe, but it wouldn't prevent it. What it would do is add a layer of protection against hijacking.
I think the raven.com issue illustrates the potential problem with assuming that if someone has the authcode, the name must be theirs. I thought the same way about the authcode at one time, but various experiences have changed my mind. I think authcodes are a good tool, but only one piece of the security issue.
Tim
-------- Original Message -------- Subject: RE: [registrars] Grave Robbing and SEDO Fencing From: "Donny Simonton" <donny@intercosmos.com> Date: Tue, August 07, 2007 6:27 am To: "'Tim Ruiz'" <tim@godaddy.com>, "'Registrars Constituency'" <registrars@gnso.icann.org>
Tim, The ICANN transfer policy says that I "may" deny a transfer within the 60 days after a domain is transferred to us, it doesn't say that we "must" deny the transfer. As more and more registrants start selling domains stopping them from transferring a domain just causes more problems. We have many customers who flip domains every day. With the hopes of making a few hundred bucks here and there.
Ever since Verisign switched to EPP, my rule has been if you have the auth-info code you can do whatever you want with the domain, because it's yours.
Donny
The Transfer Dispute Policy does not apply in cases like Raven.com where the Admin Email was changed at the Losing Registrar. The TDP looks at whether the Gaining Registrar verified that the controller of the domain had permission to move the domain. Since the Admin Email had already (allegedly) been fraudulently changed at the Losing Registrar, the Gaining Registrar did the Transfer by the book and thus the Transfer would not be reversed.
Am I wrong? (Please, someone, tell me that I am).
Richard
-----Original Message----- From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Paul Lecoultre (CORE secretariat) Sent: 07 August, 2007 1:39 PM To: 'Registrars Constituency' Subject: Re: [registrars] Grave Robbing and SEDO Fencing
Hi,
Although I welcome initiatives, I don't think that a 60 days obligatory lock after every transfers, modifications will help registrars, it will only complicate transfers by adding an unnecessary burden.
The authinfo code has proved to be effective, even if exceptions are possible, such as the raven.com case. The 60 days automatic lock done by Godaddy and others is an internal registrar rule that neither ICANN nor the registries are requesting (at the recent exception of PIR, if I'm right).
In case of exceptional cases, we still have the Transfer dispute policy, which allows the registries to reverse wrong or fraudulent transfers that occurred in the past 6 months. In addition the ICANN radars is providing the direct email of people handling transfers and usually such cases are solved in a timely manner.
I don't see the need to act in this specific case, we only need to increase the already well working communications between registrars (yes there are exceptions...).
Best regards,
Paul Lecoultre
Tim Ruiz wrote:
Thanks Donny. You're right, it does say *may.* So perhaps that's another thing the RC should consider trying to change. I realize it may pose an inconvenience for customers who want to flip names as you describe, but it wouldn't prevent it. What it would do is add a layer of protection against hijacking.
I think the raven.com issue illustrates the potential problem with assuming that if someone has the authcode, the name must be theirs. I thought the same way about the authcode at one time, but various experiences have changed my mind. I think authcodes are a good tool, but only one piece of the security issue.
Tim
-------- Original Message -------- Subject: RE: [registrars] Grave Robbing and SEDO Fencing From: "Donny Simonton" <donny@intercosmos.com> Date: Tue, August 07, 2007 6:27 am To: "'Tim Ruiz'" <tim@godaddy.com>, "'Registrars Constituency'" <registrars@gnso.icann.org>
Tim, The ICANN transfer policy says that I "may" deny a transfer within the 60 days after a domain is transferred to us, it doesn't say that we "must" deny the transfer. As more and more registrants start selling domains stopping them from transferring a domain just causes more problems. We have many customers who flip domains every day. With the hopes of making a few hundred bucks here and there.
Ever since Verisign switched to EPP, my rule has been if you have the auth-info code you can do whatever you want with the domain, because it's yours.
Donny
Richard:
You might be wrong. I don't want to get into the specifics of a pending matter, especially on a public list, but I didn't want to leave your statement hanging out there.
Thanks.
Jon
-----Original Message----- From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Lau Sent: Tuesday, August 07, 2007 9:17 AM To: 'Paul Lecoultre (CORE secretariat)'; 'Registrars Constituency' Subject: RE: [registrars] Grave Robbing and SEDO Fencing
The Transfer Dispute Policy does not apply in cases like Raven.com where the Admin Email was changed at the Losing Registrar. The TDP looks at whether the Gaining Registrar verified that the controller of the domain had permission to move the domain. Since the Admin Email had already (allegedly) been fraudulently changed at the Losing Registrar, the Gaining Registrar did the Transfer by the book and thus the Transfer would not be reversed.
Am I wrong? (Please, someone, tell me that I am).
Richard
-----Original Message----- From: owner-registrars@gnso.icann.org [mailto:owner-registrars@gnso.icann.org] On Behalf Of Paul Lecoultre (CORE secretariat) Sent: 07 August, 2007 1:39 PM To: 'Registrars Constituency' Subject: Re: [registrars] Grave Robbing and SEDO Fencing
Hi,
Although I welcome initiatives, I don't think that a 60 days obligatory lock after every transfers, modifications will help registrars, it will only complicate transfers by adding an unnecessary burden.
The authinfo code has proved to be effective, even if exceptions are possible, such as the raven.com case. The 60 days automatic lock done by Godaddy and others is an internal registrar rule that neither ICANN nor the registries are requesting (at the recent exception of PIR, if I'm right).
In case of exceptional cases, we still have the Transfer dispute policy, which allows the registries to reverse wrong or fraudulent transfers that occurred in the past 6 months. In addition the ICANN radars is providing the direct email of people handling transfers and usually such cases are solved in a timely manner.
I don't see the need to act in this specific case, we only need to increase the already well working communications between registrars (yes there are exceptions...).
Best regards,
Paul Lecoultre
Tim Ruiz wrote:
Thanks Donny. You're right, it does say *may.* So perhaps that's another thing the RC should consider trying to change. I realize it may pose an inconvenience for customers who want to flip names as you describe, but it wouldn't prevent it. What it would do is add a layer of protection against hijacking.
I think the raven.com issue illustrates the potential problem with assuming that if someone has the authcode, the name must be theirs. I thought the same way about the authcode at one time, but various experiences have changed my mind. I think authcodes are a good tool, but only one piece of the security issue.
Tim
-------- Original Message -------- Subject: RE: [registrars] Grave Robbing and SEDO Fencing From: "Donny Simonton" <donny@intercosmos.com> Date: Tue, August 07, 2007 6:27 am To: "'Tim Ruiz'" <tim@godaddy.com>, "'Registrars Constituency'" <registrars@gnso.icann.org>
Tim, The ICANN transfer policy says that I "may" deny a transfer within the 60 days after a domain is transferred to us, it doesn't say that we "must" deny the transfer. As more and more registrants start selling domains stopping them from transferring a domain just causes more problems. We have many customers who flip domains every day. With the hopes of making a few hundred bucks here and there.
Ever since Verisign switched to EPP, my rule has been if you have the auth-info code you can do whatever you want with the domain, because it's yours.
Donny
Lau wrote:
Am I wrong? (Please, someone, tell me that I am).
The subtlety that tends to get missed is that the transfer policy hinges on whether or not the registrant, or the admin at the behest of the registrant, approved the transfer of registrar. I am not sure why this has been interpreted as "if the admin approved it, it must be good", but this has been the case since the policy was implemented. If the registrant hasn't agreed to it, even if the admin has, it is technically a bad transfer.
-- Regards, Ross Rader Director, Retail Services Tucows Inc. http://www.domaindirect.com t. 416.538.5492
Ok, let me rephrase...
If the Registrant and Admin are fraudulently changed, and then a Transfer is processed, then according to the TDP and the Gaining Registrar, the transfer is fine.
If however, the Losing Registrar agrees that the listed Registrant was not actually the Registrant due to an internal error or fraudulent change, then yes, I can see that the TDP would apply.
Any real world experiences where the Losing Registrar admits to a fraud happening on their end when the Gaining Registrar is fighting the TDP (claiming that all process was followed)?
Thx
Richard
-----Original Message----- From: Ross Rader [mailto:ross@tucows.com] Sent: 07 August, 2007 2:55 PM To: Lau Cc: 'Paul Lecoultre (CORE secretariat)'; 'Registrars Constituency' Subject: Re: [registrars] Grave Robbing and SEDO Fencing
Lau wrote:
Am I wrong? (Please, someone, tell me that I am).
The subtlety that tends to get missed is that the transfer policy hinges on whether or not the registrant, or the admin at the behest of the registrant, approved the transfer of registrar. I am not sure why this has been interpreted as "if the admin approved it, it must be good", but this has been the case since the policy was implemented. If the registrant hasn't agreed to it, even if the admin has, it is technically a bad transfer.
-- Regards, Ross Rader Director, Retail Services Tucows Inc. http://www.domaindirect.com t. 416.538.5492
Again, another fallacy. Changing the name of the registrant in a database doesn't change who the legal registrant is. Whoever entered into the original agreement with the registrar is the registrant, unless those rights are legally assigned to another third party (i.e. as part of a sales transaction).
I am not sure why a transfer dispute provider would rule against the legal owner in a situation like this (assuming that the registrant was able to prove ownership, etc.). I can understand a "no finding". The TDRP shouldn't be examining whether process was followed, but rather, that the wishes of the registrant have been executed. I can understand why resolution providers might examine process, but to rely on it solely to determine outcome seems shortsighted.
Lau wrote:
Ok, let me rephrase...
If the Registrant and Admin are fraudulently changed, and then a Transfer is processed, then according to the TDP and the Gaining Registrar, the transfer is fine.
If however, the Losing Registrar agrees that the listed Registrant was not actually the Registrant due to an internal error or fraudulent change, then yes, I can see that the TDP would apply.
Any real world experiences where the Losing Registrar admits to a fraud happening on their end when the Gaining Registrar is fighting the TDP (claiming that all process was followed)?
Thx
Richard
-----Original Message----- From: Ross Rader [mailto:ross@tucows.com] Sent: 07 August, 2007 2:55 PM To: Lau Cc: 'Paul Lecoultre (CORE secretariat)'; 'Registrars Constituency' Subject: Re: [registrars] Grave Robbing and SEDO Fencing
Lau wrote:
Am I wrong? (Please, someone, tell me that I am).
The subtlety that tends to get missed is that the transfer policy hinges on whether or not the registrant, or the admin at the behest of the registrant, approved the transfer of registrar. I am not sure why this has been interpreted as "if the admin approved it, it must be good", but this has been the case since the policy was implemented. If the registrant hasn't agreed to it, even if the admin has, it is technically a bad transfer.
-- Regards, Ross Rader Director, Retail Services Tucows Inc. http://www.domaindirect.com t. 416.538.5492
Ross wrote: "Changing the name of the registrant in a database doesn't change who the legal registrant is."
It all depends on the stone-walling nature of the Registrar. For a $10 registration, many registrars simply point to the Domain Registration Agreement where invariably it says something along the lines of "The person named as Registrant on the Whois shall be the registered name holder."
Therefore, if the Admin Email is compromised at the ISP level, or via social engineering at the Registrar Level, which then leads to the Registrant being changed (prior to the transfer out), many Registrars will tell their (now former) customer "sorry, you allowed your Registrant information to be changed, and the whois-listed Registrant is the registered name holder, therefore the Transfer-Out was valid."
I have an example of a domain where the Admin Email was an IMAP account on a hosted webserver. The Admin Email IMAP account password was given to a hijacker in Iran as a result of social engineering. The domain Registrant was changed. The domain transferred out. Was then sold to an Innocent Purchaser.
Typically at that point, a Losing Registrar is unwilling/reluctant to indemnify the current Registrar against the Innocent Purchaser suing, and the real Registrant is told that they are SOL since they allowed their Registrant information to change, and the domain is now owned by an Innocent Purchaser. And they are told to settle the matter in court.
I have more examples where the stolen domains are currently sitting at GoDaddy. But unfortunately these occurred before the TDP, and the real Registrants have all but given up hope.
Richard
-----Original Message----- From: Ross Rader [mailto:ross@tucows.com] Sent: 07 August, 2007 3:30 PM To: Lau Cc: 'Paul Lecoultre (CORE secretariat)'; 'Registrars Constituency' Subject: Re: [registrars] Grave Robbing and SEDO Fencing
Again, another fallacy. Changing the name of the registrant in a database doesn't change who the legal registrant is. Whoever entered into the original agreement with the registrar is the registrant, unless those rights are legally assigned to another third party (i.e. as part of a sales transaction).
I am not sure why a transfer dispute provider would rule against the legal owner in a situation like this (assuming that the registrant was able to prove ownership, etc.). I can understand a "no finding". The TDRP shouldn't be examining whether process was followed, but rather, that the wishes of the registrant have been executed. I can understand why resolution providers might examine process, but to rely on it solely to determine outcome seems shortsighted.
Lau wrote:
Ok, let me rephrase...
If the Registrant and Admin are fraudulently changed, and then a Transfer is processed, then according to the TDP and the Gaining Registrar, the transfer is fine.
If however, the Losing Registrar agrees that the listed Registrant was not actually the Registrant due to an internal error or fraudulent change, then yes, I can see that the TDP would apply.
Any real world experiences where the Losing Registrar admits to a fraud happening on their end when the Gaining Registrar is fighting the TDP (claiming that all process was followed)?
Thx
Richard
-----Original Message----- From: Ross Rader [mailto:ross@tucows.com] Sent: 07 August, 2007 2:55 PM To: Lau Cc: 'Paul Lecoultre (CORE secretariat)'; 'Registrars Constituency' Subject: Re: [registrars] Grave Robbing and SEDO Fencing
Lau wrote:
Am I wrong? (Please, someone, tell me that I am).
The subtlety that tends to get missed is that the transfer policy hinges on whether or not the registrant, or the admin at the behest of the registrant, approved the transfer of registrar. I am not sure why this has been interpreted as "if the admin approved it, it must be good", but this has been the case since the policy was implemented. If the registrant hasn't agreed to it, even if the admin has, it is technically a bad transfer.
-- Regards, Ross Rader Director, Retail Services Tucows Inc. http://www.domaindirect.com t. 416.538.5492
participants (5): Lau; Nevett, Jonathon; Paul Lecoultre (CORE secretariat); Ross Rader; Tim Ruiz