Results 1 to 25 of 105
-
08-19-2006, 05:13 AM #1Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
Warning: Domain stolen. Huge security flaw.
I just had a domain stolen from my eNom account and eNom hide behind the ICANN transfer rules refusing to file a TDRP for the return of the domain.
How did it happen? I purchased a domain at Club Drop. The domain was duly pushed to my account. INCLUDING THE DOMAIN PASSWORD OF THE PREVIOUS OWNER. I don't use passwords on my domains preferring to manage them from the eNom account control panel, so never thought that they would push the old password which I would have to manually reset. Looks like the previous owner decided he wanted his domain back.
eNom don't see anything wrong with the way they push domains into your account. They don't see anything wrong with the theft which has taken place, either. They brazenly informed me how the theft was achieved without any compunction on their part. It's all my own fault.Signature Under Construction.
-
08-19-2006, 05:44 AM #2Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 61
Well, if you bought the domain recently, or you recently renewed it, You could do a chargeback and try and screw that guy over. Ohwell, It seems eNom is going down the drain.
-Sean
-
08-19-2006, 05:53 AM #3Personalized Service!
- Join Date
- Aug 2006
- Location
- CA/TX USA
- Posts
- 964
Originally Posted by frostbite██ UBERHOST
██ NEXT GENERATION HOSTING
Managed dedicated & shared hosting
-
08-19-2006, 06:31 AM #4Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 61
Well, I guess everybody has a bad experience with a certain domain company. I havent been on webhostingtalk for about 6months. Now I am reading sob stories about enon. Although, maybe enon is doing the best its ever been. Then again, I do like go daddy. Maybe people have problems with them, I never have, I guess the domain business hasnt changed a bit.
-Sean
Opinions are due to change. That's why we have the edit button.Last edited by frostbite; 08-19-2006 at 06:44 AM.
-
08-19-2006, 07:05 AM #5
With the millions of names registered at Enom, there's bound to be some bad issues like this...certainly not indicative of "going down the drain". Most often, only people that have a problem are going to make a point of posting about them.
-
08-19-2006, 08:06 AM #6Web Hosting Master
- Join Date
- May 2004
- Posts
- 4,076
Sorry to read what happened to you, Stu. Any luck with enom's legal?
-
08-19-2006, 08:15 AM #7Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
It's the same old mantra "we won't file a TDRP because the transfer followed ICANN transfer guidelines". I'm seeking legal advice. How idiotic is it to transfer the previous owners domain password? It potentially opens up a whole can of worms. Like this one.
Signature Under Construction.
-
08-19-2006, 08:29 AM #8Web Hosting Master
- Join Date
- Jan 2004
- Location
- South Park, Colorado
- Posts
- 3,522
My condolences about this, Stu.
- How long ago you purchased the domain?
- Are you absolutely sure this is the previous owner?
- Who's the current registrar of record?
- Any chance for us to have domain name (I already know the answer to this question though )Respect My Authoritah! - Eric Cartman (a friend of mine).
-
08-19-2006, 09:09 AM #9Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
I purchased the domain in April at Club Drop. It's taken me just under 2 months of patient diplomacy with eNom to get to this point. I have never felt they really cared to get to the bottom of my missing domain report or to resolve this problem after we discovered what the problem was. Their responses have always been dilatory. They just "don't get it" when I report this serious security flaw to them. They go as far as almost admitting (but not quite) they know the domain has been stolen (finally, yesterday). This was after much pressing for an explanation of what happened and not getting a satisfactory response.
Well I'm as sure as I could possibly be because who else would know the domain password and the domain name is his name (or so he claims). eNom point out that there was a domain password set on the domain and there hasn't been a domain password change since I acquired the domain. No other domains were stolen, so that points to the domain being accessed via access.enom.com
GoDaddy. It's not really they're problem. The transfer went according to ICANN regulations. But of course I have approached them. They kinda hinted that if I could get eNom to file a TDRP, they would see what they could do.
And you know the answerLast edited by stub; 08-19-2006 at 09:24 AM.
Signature Under Construction.
-
08-19-2006, 09:31 AM #10Web Hosting Master
- Join Date
- Jan 2004
- Location
- South Park, Colorado
- Posts
- 3,522
Stu, my personal solution to your problem:
- get ALOT of money.
- renew all your eNom domains for maximum term.
- transfer them away asap.
- file a chargeback for all your renewals.*
You won't get your domain back, but you'll feel good for scr^$%^$ng them off.
* - additional risks apply.
P.S. This is a joke.Respect My Authoritah! - Eric Cartman (a friend of mine).
-
08-19-2006, 09:37 AM #11Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
Of course. I almost laughed
Signature Under Construction.
-
08-19-2006, 09:46 AM #12Retired Moderator
- Join Date
- Jul 2002
- Location
- Kuwait
- Posts
- 10,620
what a scary bug, i dont even know which domains got pushed my me and which to monitor.
i think safest way is to push all perosnal domains to newer account and then do mass password update
password should automatically set empty when a domain is pushed!!Bashar Al-Abdulhadi - KuwaitNET Internet Services Serving customers since 1997
Kuwait's First Webhosting and Domain Registration provider - an ICANN Accredited Registrar
Twitter: Bashar Al-Abdulhadi
-
08-19-2006, 10:36 AM #13Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
How idiotic is it to transfer the previous owners domain password?password should automatically set empty when a domain is pushed!!Last edited by stub; 08-19-2006 at 10:48 AM.
Signature Under Construction.
-
08-19-2006, 11:57 AM #14Junior Guru Wannabe
- Join Date
- Apr 2006
- Posts
- 77
well i hope you get the mater sorted out soon.
oh and also this may sound really stupid but what exactly is a chargeback?
-
08-19-2006, 12:59 PM #15Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
A chargeback is when you ask for paypal or your credit card company to refund the payment for services rendered. Registrars/Resellers hate chargebacks with a vengence. They will suspend your whole account even if you threaten to do a chargeback on only 1 domain.
Signature Under Construction.
-
08-19-2006, 02:05 PM #16Dennis Johnson
- Join Date
- Jun 2001
- Location
- Kalamazoo
- Posts
- 33,412
Originally Posted by Bashar
They need to seriously address this flaw. And we need to be diligent when receiving pushes and set that password to 30 random characters until they do.There is no best host. There is only the host that's best for you.
-
08-19-2006, 02:27 PM #17Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
You would think so. But I believe the problem is with them setting a password for access through access.enom. Because, even if you push that domain to another account, the password you set so the domain can be accessed via access.enom is still vaild.
They need to seriously address this flaw. And we need to be diligent when receiving pushes and set that password to 30 random characters until they do.Signature Under Construction.
-
08-19-2006, 02:35 PM #18Dennis Johnson
- Join Date
- Jun 2001
- Location
- Kalamazoo
- Posts
- 33,412
I'm just surprised that more scams aren't perpetrated this way.
There is no best host. There is only the host that's best for you.
-
08-19-2006, 02:36 PM #19Away
- Join Date
- Jun 2002
- Posts
- 5,278
If they don't want to fix the problem then move your domains away *shrug*
-
08-19-2006, 02:57 PM #20Dennis Johnson
- Join Date
- Jun 2001
- Location
- Kalamazoo
- Posts
- 33,412
It's only a problem if you don't know about it. *shrug*
There is no best host. There is only the host that's best for you.
-
08-19-2006, 03:06 PM #21Web Hosting Master
- Join Date
- Mar 2002
- Location
- UK
- Posts
- 1,265
Actually two sides to the problem unless I'm mistaken - problem for the domain "catcher" who might have a password applied to his domain and not know about it - problem for the loser who might unwittingly be passing on knowledge of one of his passwords that could be used to his future loss.
Two good reasons for stopping this happening.
-
08-19-2006, 03:52 PM #22Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
Precisely my thoughts on this subject, grandad.
Signature Under Construction.
-
08-19-2006, 03:53 PM #23WHT Addict
- Join Date
- Jul 2006
- Location
- Lorem ipsum dolor sit ame
- Posts
- 162
stu2, you're saying your domain got stolen because eNom didn't reset the password to access.enom.com right?
in access.enom.com there is no Registrar lock/unlock option or push feature. So, how the transfer can be done ?
Even, if you're using API to access your domain name, yes, you can unlock the domain, but still, you must use the reseller login information where the domain is located.■ Need an eNom retail/reseller account? PM me
-
08-19-2006, 04:19 PM #24Web Hosting Master
- Join Date
- Jun 2005
- Posts
- 5,929
stu2, you're saying your domain got stolen because eNom didn't reset the password to access.enom.com right? in access.enom.com there is no Registrar lock/unlock option or push feature. So, how the transfer can be done ?
There is one mystery however. The domain was showing as locked right up to the day after the transfer was done.
Even, if you're using API to access your domain name, yes, you can unlock the domain, but still, you must use the reseller login information where the domain is located.Last edited by stub; 08-19-2006 at 04:33 PM.
Signature Under Construction.
-
08-19-2006, 05:43 PM #25Web Hosting Evangelist
- Join Date
- Jun 2005
- Posts
- 531
Wow. Tragic.
I filed six TDRPs a few weeks ago and am awaiting the decisions. From enom's point of view, if they "don't get it" then they're probably having a hard time justifying the fee for filing the TDRP. If they lose, it's money down the drain, and it ain't cheap. But if they win, the fee's paid by the other registrar. You may want to get your attorneys involved to help them do the right thing. All you need to do is document that the WHOIS information wasn't that of the person that took the domain. (It's not really quite that trivial, but that's the essence.)
When the transfer rules changed last year one of the first things we did was change our software so that intra-account pushes and all gaining transfers effected an immediate password change. We also assigned EPP passwords to every domain. We saw these sorts of scenarios as preventable with a little effort on our part. Too bad enom don't seem to place value on securing their customers' registrations.
I wish you the best luck with getting this resolved. If there's anything that I can do, PM me. Minimally I can (as a registrar) support the notion that it's irresponsible for a registrar to not change the passwords when a domain's registrants change. I'd be happy to do so if that helps.