Invalid Whois Email? There Goes Your Domain…
Domain registrar GoDaddy recently deleted the domain FamilyAlbum.com simply because the domain registrant, Eric Roach, didn't respond to an email they sent him.
While it is not entirely clear whether the email bounced or whether the domain owner chose not to respond, Eric had in fact been using a valid mailing address and phone number in his domain registration details.
However, GoDaddy did not bother to contact him through either of these means before concluding that the whois information was invalid and deciding to delete the domain.
After GoDaddy canceled FamilyAlbum.com, they made it available on their expired domain auction service TDNAM. The domain was snapped up by a new registrant - quite possibly the same person who had instructed GoDaddy to contact the previous owner to confirm his whois information.
Domain Name Wire described this innovative way of effectively "stealing" a domain as follows:
"Person tries e-mailing domain owner with Whois information and e-mail bounces. Person backorders domain and then sends complaint to GoDaddy. GoDaddy tries to contact only via e-mail, which bounces. Domain is cancelled and given to person with backorder."
Important lessons for domainers:
- Don't use GoDaddy. They seem to do whatever they want and they have grown too big to care about bad press.
- Keep your administrative email address current and respond to your registrar if they send you an email.
Further reading:
Update: Ron Bennett posted the following alarming comment over at Domain Name Wire:
More and more savvy drop catchers have stumbled upon a long known, but obscure security flaw of “Whois Data Problem Reports”…
I’ve gone out of my way over the years to publicize the security flaw and push for reform of how such reports are handled … perhaps this latest incident will be the push to get ICANN to address the issue.
Filing a “Whois Data Problem Report” at internic.net (ICANN) can allow one to legally, though unethically, obtain ownership of a domain despite it being locked down tight.
Technically, even having a missing country code in the phone number can potentially be enough for a registrar to take action … though more typically a “Whois Data Problem Report” is filed in regards to the email address…
At this point, some are thinking “My email is up to date, so nothing to worry about.”
WRONG!
Here’s why … when one files a WDPR, the complaint is forwarded by ICANN to the registrar who is then supposed to notify the owner … but if the registrar doesn’t for whatever reason, the domain owner could potentially still their domain despite having a correct email address.
In short, Whois Data Problem Reports is an obscure, but long known security flaw that allows one to potentially “steal” a domain in mere days with little to no notice whatsoever to the true owner … ICANN needs to address this issue to improve security before more domains are “stolen”.
Ron
We just had a customer whose website was “suspended” by GoDaddy.
SITENAME.COM
This domain name has been suspended due to invalid Whois information.
If you are the registrant of this domain name please contact us at:
invalidwhois.
When we approached GoDaddy all they (invalidwhois) said was the domain information needed to be updated. They did not respond to requests to advise how this happened and what steps they had taken to verify the report before proceeding with the suspension.
The details for the site were like many people’s entries - third party resellers.
The site owner updated his information to be his own personal details and although it has been over 48 hours the site is still suspended.
He has been out of business now for over a week.
If you now Google the site, it does not exist.
We suspect it was a dis-satisified customer who reported the site to GoDaddy.
It is getting a bit much when an customer can have a business “closed” like this. A hammer to crack a nut much like the take down notices available under the DMCA.
"Don't use GoDaddy. They seem to do whatever they want and they have grown too big to care about bad press."
And what can be used instead? I mean some proven service. We are now also experiencing big problems with GoDaddy and would wish to change the registrar but I am afraid all registrars are similar. If you recommend some pro-customer service which does not delete/suspend your domain name on the first notice even without going further into details, I would really appreciate that. Thank you in advance.
2. Keep your administrative email address current and respond to your registrar if they send you an email.
This is the perfect advice for godaddy users…
You need to understand that domain owners MUST provide accurate registrant details or else they are in violation of TOS. GoDaddy did the right thing here and it was the fault of the registrant for failing to provide accurate details in the first place. The whole point of registering a domain is to provide accurate details for accountability. Otherwise domain owners could hide in the shadows while they host nefarious websites. If someone else comes along and takes a domain, so be it. It could have been avoided if the registrant was more responsible.