ICANN/DNSO
DNSO Mailing lists archives

[ga-full]



RE: [ga] Domain Transfers



>
> Agreed.  The best solution is the one that currently exists.


No, it isn't.  Not by a long shot.  The main obstacle to obtaining a decent
solution is the fact that the ICANN process puts policy making power into
the hands of people who do not face the technical realities on a daily
basis, and generally have no idea of what is really going on out there in
the real world.

One problem with NSI is the legacy problem of confirming via email contacts.
What typically happens is a domain name registrant will change ISPs, and
only later realize that they no longer have access to the email address at
which NSI will seek to verify a transfer.  It's their own fault?  Uh, no.
Last week 4.1 million AT&T broadband customers had their email address
changed when Excite@home dumped AT&T broadband.  Each and every single NSI
domain registrant among those 4.1 million people is now screwed.  Big time.
Incidentally, this is a reason why, in at least one UDRP dispute I defended,
the complainant was claiming the domain name was "not being used" and "the
contact details are false".  The ripple effects of this NSI legacy problem
are wide and thoroughly not appreciated by people who should not be running
this system, but are.

There is a flip side to NSI's alleged "stickiness" in not letting domain
names go, and that is the real problem of hi-jacking (forget "slamming" for
the moment).  Asking Company B to verify that I am the authorized customer
of Company A is an idea so dopey, that it could only have come from an ICANN
"consensus" process.  The way hi-jacking used to work was pretty simple.
You would go to a registrar, request a transfer of some NSI registrant's
domain name, and if NSI didn't get an answer in five days, the transfer
would go through.  So, you could steal any domain name from anyone who had
either lost access to the relevant email address, or from anyone who had a
five day lapse in reading email from the same address which gets all of the
spam pursuant to having an email address in a domain name registration.

Okay, well, the registrars caught on to that, and if a hi-jacking victim
complained loud and long enough, the domain name would be transferred back.

So, the hi-jackers got smarter, and this is how the game works now.  This
happens more often than you would believe.  First, you sign up with someone
like SnapNames to "backorder" a domain name, or you acquaint yourself with
the timing of intentional name deletions and registry drops (which is
different from normal expiration drops).  Then, you go and do something
along the lines of the first method.  However, this time when you get the
domain name transferred to the new registrar, you immediately delete the
domain registration (using a registrar which permits deletions).  Finally,
what you do is you then hope that SnapNames snags it, or you snag it
yourself on the basis of your accumulated deletion timing data.

The beauty here is three-fold.  First of all, the old registrar can't come to
the new registrar and claim that there was a transfer error.  What transfer
error?  This is a NEW registration, not a transfer!

Secondly, under the rules a new registration CAN'T be transferred back to
the old registrar, because new domain names can't be transferred to another
registrar for 60 days.  So not only did you steal the name in a manner which
helped you cover your tracks and avoid getting it transferred back to the
old registrant, but the registrars need to get the registry's permission to
break a rule in order to fix the problem.

Third, many of the registrars don't like each other very much.  They are,
after all, in competition with each other - they aren't supposed to
cooperate.  Fixing this sort of hi-jacking requires cooperation.  There are
no policies requiring any of these people to lift a finger to get that
domain name back, and if the original registrant is successful in doing so
without having to hire a lawyer to deal with this kind of three-ring circus,
then I'd like to shake their hand.

And, if the domain name was registered with OpenSRS, and you can't get all
of the other registrars involved to sing the same tune within thirty days,
and to sign a legal document OpenSRS requires (and which some other
registrars do not understand beyond the concept that they are being asked to
sign a legal document) then OpenSRS will tell you very clearly to get lost.
Several months ago, I watched some twenty or so domain names become
permanently registered with OpenSRS because the point person at the original
registrar - BulkRegister - was spending more time working on his career move
to Neulevel while lying to me than working on his job.  I hope he's reading
this, because he knows who he is.

The only advice to those wishing not to have their domain names stolen is to
steer well clear of BulkRegister.  Not only have I found them to be the
least cooperative of all of the registrars I have dealt with on this issue,
but their people are so astoundingly incompetent that they recently
transferred a domain name to a UDRP complainant who LOST the dispute.  The
moron in charge of implementing UDRP decisions at BulkRegister is unable to
comprehend what "complaint denied" means.  That is the level of people they
hired since their re-organization several months ago.  I have seen more
domain names stolen from those unresponsive idiots than from anyone else in
the business.

The same new BulkRegister employee sent me a message promising to "look
into" a domain name that had been hi-jacked from them, and then "get back to
me".  That was, oh, about two and a half months ago.  Thank goodness I found
a way to work around them.  You will get nowhere with them until you contact
their outside counsel and keeper of the magic phone numbers.  And, no, I
will not give you the magic BulkRegister phone numbers.

I've got five bucks in my pocket that says the overwhelming majority of the
folks on the TF task force have never seen, dealt with, or even heard of
this common scenario, even among those members who are able to understand
it.  It would be amusing to know who among them has ever registered a domain
name, or transferred a registered domain name.  There are some good people
on that TF, though, and they know who they are, too.

Asking a bunch of "competitors" to come up with a "consensus policy" will,
in all likelihood, simply hand another road map to hi-jackers.  My concern
about the ease with which someone might save themselves twenty bucks over
the course of a year pales next to my concern about how I have seen domain
name registrants permanently lose their domain names to thieves because the
people steering this ship have never seen an iceberg.

Cheers,

John




--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
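
The transfer, delete, re-register sequence described in the message above, written as a detection check over registrar or registry event records. This is an added example, not part of the original message or the list archive; the event tuple format, registrar and registrant names, and the two window lengths are assumptions, and the sample events are constructed.

```python
from datetime import date, timedelta

# From the message: a new registration cannot change registrar for 60 days.
NEW_REG_LOCK = timedelta(days=60)

# Constructed sample events: (day, domain, action, registrar, registrant of record).
EVENTS = [
    (date(2001, 12, 1), "victim.example", "transfer", "gaining-rr", "alice"),
    (date(2001, 12, 2), "victim.example", "delete", "gaining-rr", "alice"),
    (date(2001, 12, 7), "victim.example", "create", "third-rr", "mallory"),
    (date(2001, 12, 1), "moved.example", "transfer", "gaining-rr", "bob"),
    (date(2001, 12, 3), "lapsed.example", "delete", "old-rr", "carol"),
    (date(2001, 12, 9), "lapsed.example", "create", "third-rr", "dave"),
    (date(2001, 12, 1), "redo.example", "transfer", "gaining-rr", "erin"),
    (date(2001, 12, 2), "redo.example", "delete", "gaining-rr", "erin"),
    (date(2001, 12, 4), "redo.example", "create", "gaining-rr", "erin"),
]


def find_transfer_delete_recreate(events, delete_window=timedelta(days=7),
                                  recreate_window=timedelta(days=30)):
    """Flag names transferred, deleted soon after by the gaining registrar,
    then created again under a different registrant."""
    state, findings = {}, []
    for day, domain, action, registrar, registrant in sorted(events):
        s = state.get(domain)
        if action == "transfer":
            # For transfers, `registrar` is the gaining registrar.
            state[domain] = {"transfer": day, "registrar": registrar,
                             "registrant": registrant}
        elif action == "delete":
            if (s and "delete" not in s and registrar == s["registrar"]
                    and day - s["transfer"] <= delete_window):
                s["delete"] = day
            else:
                state.pop(domain, None)  # ordinary deletion, stop tracking
        elif action == "create":
            if (s and "delete" in s and registrant != s["registrant"]
                    and day - s["delete"] <= recreate_window):
                findings.append({
                    "domain": domain, "prior_registrant": s["registrant"],
                    "new_registrant": registrant, "transferred": s["transfer"],
                    "deleted": s["delete"], "recreated": day,
                    # Until this date the name cannot simply be transferred back.
                    "locked_until": day + NEW_REG_LOCK,
                })
            state.pop(domain, None)
    return findings
```

Calling `find_transfer_delete_recreate(EVENTS)` flags only `victim.example`; the plain transfer, the ordinary drop and the same-registrant re-creation are not reported.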


