Page 1 of 5 1234 ... LastLast
Results 1 to 25 of 105
  1. #1
    Join Date
    Jun 2005
    Posts
    5,929

    Exclamation Warning: Domain stolen. Huge security flaw.

    I just had a domain stolen from my eNom account and eNom hide behind the ICANN transfer rules refusing to file a TDRP for the return of the domain.

    How did it happen? I purchased a domain at Club Drop. The domain was duly pushed to my account. INCLUDING THE DOMAIN PASSWORD OF THE PREVIOUS OWNER. I don't use passwords on my domains preferring to manage them from the eNom account control panel, so never thought that they would push the old password which I would have to manually reset. Looks like the previous owner decided he wanted his domain back.

    eNom don't see anything wrong with the way they push domains into your account. They don't see anything wrong with the theft which has taken place, either. They brazenly informed me how the theft was achieved without any compunction on their part. It's all my own fault.
    Signature Under Construction.

  2. #2
    Join Date
    Mar 2004
    Posts
    61
    Well, if you bought the domain recently, or you recently renewed it, You could do a chargeback and try and screw that guy over. Ohwell, It seems eNom is going down the drain.

    -Sean

  3. #3
    Join Date
    Aug 2006
    Location
    CA/TX USA
    Posts
    964
    Quote Originally Posted by frostbite
    Ohwell, It seems eNom is going down the drain.
    Links? Facts? That's quite a statement to make without backing it up IMHO.
    ██ UBERHOST
    NEXT GENERATION HOSTING
    Managed dedicated & shared hosting

  4. #4
    Join Date
    Mar 2004
    Posts
    61
    Well, I guess everybody has a bad experience with a certain domain company. I havent been on webhostingtalk for about 6months. Now I am reading sob stories about enon. Although, maybe enon is doing the best its ever been. Then again, I do like go daddy. Maybe people have problems with them, I never have, I guess the domain business hasnt changed a bit.

    -Sean
    Opinions are due to change. That's why we have the edit button.
    Last edited by frostbite; 08-19-2006 at 06:44 AM.

  5. #5
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,090
    With the millions of names registered at Enom, there's bound to be some bad issues like this...certainly not indicative of "going down the drain". Most often, only people that have a problem are going to make a point of posting about them.

  6. #6
    Sorry to read what happened to you, Stu. Any luck with enom's legal?

  7. #7
    Join Date
    Jun 2005
    Posts
    5,929
    It's the same old mantra "we won't file a TDRP because the transfer followed ICANN transfer guidelines". I'm seeking legal advice. How idiotic is it to transfer the previous owners domain password? It potentially opens up a whole can of worms. Like this one.
    Signature Under Construction.

  8. #8
    Join Date
    Jan 2004
    Location
    South Park, Colorado
    Posts
    3,522
    My condolences about this, Stu.

    - How long ago you purchased the domain?
    - Are you absolutely sure this is the previous owner?
    - Who's the current registrar of record?
    - Any chance for us to have domain name (I already know the answer to this question though )
    Respect My Authoritah! - Eric Cartman (a friend of mine).

  9. #9
    Join Date
    Jun 2005
    Posts
    5,929
    I purchased the domain in April at Club Drop. It's taken me just under 2 months of patient diplomacy with eNom to get to this point. I have never felt they really cared to get to the bottom of my missing domain report or to resolve this problem after we discovered what the problem was. Their responses have always been dilatory. They just "don't get it" when I report this serious security flaw to them. They go as far as almost admitting (but not quite) they know the domain has been stolen (finally, yesterday). This was after much pressing for an explanation of what happened and not getting a satisfactory response.

    Well I'm as sure as I could possibly be because who else would know the domain password and the domain name is his name (or so he claims). eNom point out that there was a domain password set on the domain and there hasn't been a domain password change since I acquired the domain. No other domains were stolen, so that points to the domain being accessed via access.enom.com

    GoDaddy. It's not really they're problem. The transfer went according to ICANN regulations. But of course I have approached them. They kinda hinted that if I could get eNom to file a TDRP, they would see what they could do.

    And you know the answer
    Last edited by stub; 08-19-2006 at 09:24 AM.
    Signature Under Construction.

  10. #10
    Join Date
    Jan 2004
    Location
    South Park, Colorado
    Posts
    3,522
    Stu, my personal solution to your problem:

    - get ALOT of money.
    - renew all your eNom domains for maximum term.
    - transfer them away asap.
    - file a chargeback for all your renewals.*



    You won't get your domain back, but you'll feel good for scr^$%^$ng them off.

    * - additional risks apply.

    P.S. This is a joke.
    Respect My Authoritah! - Eric Cartman (a friend of mine).

  11. #11
    Join Date
    Jun 2005
    Posts
    5,929
    Of course. I almost laughed
    Signature Under Construction.

  12. #12
    Join Date
    Jul 2002
    Location
    Kuwait
    Posts
    10,620
    what a scary bug, i dont even know which domains got pushed my me and which to monitor.

    i think safest way is to push all perosnal domains to newer account and then do mass password update

    password should automatically set empty when a domain is pushed!!
    Bashar Al-Abdulhadi - KuwaitNET Internet Services Serving customers since 1997
    Kuwait's First Webhosting and Domain Registration provider - an ICANN Accredited Registrar

    Twitter: Bashar Al-Abdulhadi

  13. #13
    Join Date
    Jun 2005
    Posts
    5,929
    How idiotic is it to transfer the previous owners domain password?
    password should automatically set empty when a domain is pushed!!
    Aha! Finally someone else sees the problem (sometimes I get tongue-tied). Perhaps you could put in a request to fix also. (They don't see a problem and won't listen me).
    Last edited by stub; 08-19-2006 at 10:48 AM.
    Signature Under Construction.

  14. #14
    well i hope you get the mater sorted out soon.

    oh and also this may sound really stupid but what exactly is a chargeback?

  15. #15
    Join Date
    Jun 2005
    Posts
    5,929
    A chargeback is when you ask for paypal or your credit card company to refund the payment for services rendered. Registrars/Resellers hate chargebacks with a vengence. They will suspend your whole account even if you threaten to do a chargeback on only 1 domain.
    Signature Under Construction.

  16. #16
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,412
    Quote Originally Posted by Bashar
    ..

    password should automatically set empty when a domain is pushed!!
    You would think so. But I believe the problem is with them setting a password for access through access.enom. Because, even if you push that domain to another account, the password you set so the domain can be accessed via access.enom is still vaild.

    They need to seriously address this flaw. And we need to be diligent when receiving pushes and set that password to 30 random characters until they do.
    There is no best host. There is only the host that's best for you.

  17. #17
    Join Date
    Jun 2005
    Posts
    5,929
    You would think so. But I believe the problem is with them setting a password for access through access.enom. Because, even if you push that domain to another account, the password you set so the domain can be accessed via access.enom is still vaild.
    That is exactly the problem.

    They need to seriously address this flaw. And we need to be diligent when receiving pushes and set that password to 30 random characters until they do.
    Precisely.
    Signature Under Construction.

  18. #18
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,412
    I'm just surprised that more scams aren't perpetrated this way.
    There is no best host. There is only the host that's best for you.

  19. #19
    If they don't want to fix the problem then move your domains away *shrug*

  20. #20
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,412
    It's only a problem if you don't know about it. *shrug*
    There is no best host. There is only the host that's best for you.

  21. #21
    Join Date
    Mar 2002
    Location
    UK
    Posts
    1,265
    Actually two sides to the problem unless I'm mistaken - problem for the domain "catcher" who might have a password applied to his domain and not know about it - problem for the loser who might unwittingly be passing on knowledge of one of his passwords that could be used to his future loss.
    Two good reasons for stopping this happening.

  22. #22
    Join Date
    Jun 2005
    Posts
    5,929
    Precisely my thoughts on this subject, grandad.
    Signature Under Construction.

  23. #23
    Join Date
    Jul 2006
    Location
    Lorem ipsum dolor sit ame
    Posts
    162
    stu2, you're saying your domain got stolen because eNom didn't reset the password to access.enom.com right?
    in access.enom.com there is no Registrar lock/unlock option or push feature. So, how the transfer can be done ?
    Even, if you're using API to access your domain name, yes, you can unlock the domain, but still, you must use the reseller login information where the domain is located.
    ■ Need an eNom retail/reseller account? PM me

  24. #24
    Join Date
    Jun 2005
    Posts
    5,929
    stu2, you're saying your domain got stolen because eNom didn't reset the password to access.enom.com right? in access.enom.com there is no Registrar lock/unlock option or push feature. So, how the transfer can be done ?
    Login to the domain at access.enom.com, change the contact info, request a transfer from another registrar. As simple as that. This was not a push away to another account, it was a transfer away to another registrar. I have a lot of transactions daily and I do periodic global updates to lock all domains. Especially at that time when I was mass transferring hundreds of domains to eNom.

    There is one mystery however. The domain was showing as locked right up to the day after the transfer was done.

    Even, if you're using API to access your domain name, yes, you can unlock the domain, but still, you must use the reseller login information where the domain is located.
    I don't use the API and I'm an ETP and don't have resellers, so I don't understand this comment. I only login to my account and use their control panel.
    Last edited by stub; 08-19-2006 at 04:33 PM.
    Signature Under Construction.

  25. #25
    Join Date
    Jun 2005
    Posts
    531
    Wow. Tragic.

    I filed six TDRPs a few weeks ago and am awaiting the decisions. From enom's point of view, if they "don't get it" then they're probably having a hard time justifying the fee for filing the TDRP. If they lose, it's money down the drain, and it ain't cheap. But if they win, the fee's paid by the other registrar. You may want to get your attorneys involved to help them do the right thing. All you need to do is document that the WHOIS information wasn't that of the person that took the domain. (It's not really quite that trivial, but that's the essence.)

    When the transfer rules changed last year one of the first things we did was change our software so that intra-account pushes and all gaining transfers effected an immediate password change. We also assigned EPP passwords to every domain. We saw these sorts of scenarios as preventable with a little effort on our part. Too bad enom don't seem to place value on securing their customers' registrations.

    I wish you the best luck with getting this resolved. If there's anything that I can do, PM me. Minimally I can (as a registrar) support the notion that it's irresponsible for a registrar to not change the passwords when a domain's registrants change. I'd be happy to do so if that helps.

Page 1 of 5 1234 ... LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •