Wednesday, January 19, 2005

The Great Domain Robbery of '05

By Larry Seltzer
Have the new rules already failed, or have the registrars failed their customers?
A lot of people lost e-mail, access to Web administration and even their porno accounts over the weekend. Yes, it was a momentous and stressful couple of days.

Several domains were stolen, including, the home domain of Internet service provider Panix, the oldest ISP in the New York area (or so they say about themselves). This particular thievery is what raised most of the attention, because Panix customers who use a e-mail address stopped getting their mail.

According to this message on ICANN's message boards by George Kirikos, and (both of which, I think, are car-related sites), as well as, appear to have been stolen as well. In fact, all three of these domains seem now to have the same whois data and point to the same Web site. Some serious traffic was diverted, and the new sites are spyware-infected. (Perhaps the old ones were too, I can't say.)

It may be the first great test of the response of ICANN and the domain registrar industry to a violation of their new policies implemented late in 2004. I expressed concern about these new policies at the time, but was reassured that one of the strengths of the new system was the well-defined mechanism for dealing with disputes.

But there's a good chance here that the central issue is not so much disputes between registrars but sloppy procedures at some registrars that allowed an unverified transfer through. Panix says on its home page (as of Monday morning, EST) that Melbourne IT, the Aussie registrar to whom the domain was illegitimately transferred, has reverted the domain back to them. This does indicate that there was no real dispute once Melbourne IT woke up Monday morning and realized what had happened. Incredibly, Melbourne IT, not a teeny company, has no support available over the weekend. The hijackers may have counted on this fact.

The motivation behind the ICANN rule changes was actually to streamline domain transfers between registrars. Some registrars (cough! Verisign! cough!) had a reputation for sitting on valid requests for transfers to other, almost certainly less-expensive registrars. The new rules create a presumption that the transfer will proceed after some period of time unless it is denied for some valid reason. The registrars still have to contact the owner of the domain, presumably through the whois records. I was concerned on two fronts: 1) that a "rogue registrar" could more easily steal domains this way, and 2) that so much data in whois is inaccurate, intentionally on the part of the owners, that notifications could go unnoticed by legitimate owners.

I still think phony whois data is a problem in this regard, but I was assured that the rogue registrar scenario wasn't credible, and this incident doesn't seem to be an example of it. On the other hand, it does appear to me that at least one registrar was delinquent in some way, in that I can't believe that all these domain owners didn't see a notification of a transfer request, not to mention changes in the whois records themselves.
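As an added defender-side example (not code from the column or from any registrar), here is the kind of check the last paragraph implies the owners were missing: diff a stored whois snapshot against a fresh one and flag any change in registrar, registrant contact or nameservers. The field labels and both snapshots are constructed assumptions; real whois output differs from registry to registry.

```python
"""Flag registrar, contact or nameserver changes between two whois snapshots.

Added example: the snapshot text and field labels below are constructed
for illustration, not taken from any real registry output.
"""
import re

# A change in any of these fields is what an unauthorized transfer or a
# DNS repoint looks like from the outside (labels are assumptions).
WATCHED = ("Registrar", "Registrant Email", "Name Server")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; repeated keys collect a sorted list."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(\S.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip().lower()
        record.setdefault(key, []).append(value)
    return {k: sorted(v) for k, v in record.items()}


def diff_whois(baseline_text, current_text):
    """Return {field: (old, new)} for every watched field that differs."""
    old, new = parse_whois(baseline_text), parse_whois(current_text)
    return {f: (old.get(f), new.get(f)) for f in WATCHED if old.get(f) != new.get(f)}


# Constructed snapshots: the stored baseline and a record after a transfer.
BASELINE = """\
Domain Name: EXAMPLE.COM
Registrar: Original Registrar, Inc.
Registrant Email: hostmaster@example.com
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
"""
CURRENT = """\
Domain Name: EXAMPLE.COM
Registrar: Other Registrar Pty Ltd
Registrant Email: someone@example.net
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

if __name__ == "__main__":
    for field, (before, after) in diff_whois(BASELINE, CURRENT).items():
        print(f"ALERT {field}: {before} -> {after}")
```

Run it from a cron job against a saved baseline and a fresh `whois` lookup; a non-empty result is the alert the registrar's own notification may never deliver.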