Welcome to DNF.com™ - Domain Sales, Domain Forum, Domain Appraisals, Domain Registrars
  1. #1
    stu

    Warning: Domain stolen. Huge security flaw.

    I just had a domain stolen from my eNom account and eNom hide behind the ICANN transfer rules refusing to file a TDRP for the return of the domain.

    How did it happen? I purchased a domain at Club Drop. The domain was duly pushed to my account. INCLUDING THE DOMAIN PASSWORD OF THE PREVIOUS OWNER. I don't use passwords on my domains preferring to manage them from the eNom account control panel, so never thought that they would push the old password which I would have to manually reset. Looks like the previous owner decided he wanted his domain back.

    eNom don't see anything wrong with the way they push domains into your account. They don't see anything wrong with the theft which has taken place, either. They brazenly informed me how the theft was achieved without any compunction on their part. It's all my own fault.
    Last edited by stu; 08-19-2006 at 04:01 AM.

  2. #2
    Honan

    Re: Warning: Domain stolen. Huge security flaw.

    Did enom refund your payment?
    JOES.com.au Graduate of the DNF College

  3. #3
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    We shall see. I've only just asked for my money back.

  4. #4
    Preoccupy

    Wink Preoccupy.

    Please call enom.

    CONTACT US
    eNom, Inc.
    15801 NE 24th St.
    Bellevue, WA 98008 USA

    Phone:
    425.274.4500

    Support Fax:
    425.974.4791

    Operations Fax:
    425.974.4796
    :playball:
    General Email:
    info@enom.com


    Quote Originally Posted by stu View Post
    We shall see. I've only just asked for my money back.
    Which is more valuable? Domain ? or Telephone Bill?

    If you want payback for your telephone charge, then you can hire an attorney and sue enom.com (lawyer fee high?).

    You can receive compensation for both economic loss and mental suffering, or more than you are expecting (including lawyer fee, if you win...)

    But, please keep all legal documents!


    One more thing: if you read dnforum.com, you can find a lot of people with cases like yours.
    Maybe this one could be a possible "Class Action", as with Yahoo.com.

    Quote Originally Posted by stu View Post
    Are you an eNom representative? Who should I speak to. It's a long distance overseas call for me. I don't really appreciate playing telephone tag on my dime. Will they accept reverse charge calls?
    Please read this thread, complaint finally took back the domain without any compensation!
    http://www.dnforum.com/thread172371.html

    That is what I am trying to point out to you. That enom and their reseller's problems. That is why you should try and contact them. Also, although the thread is not relevant to your case, I was trying to show you that they have other problems. If you want, there are other people's threads under enom's section. Maybe you can try and find one more similar to yours. Also, if you are worried about phone bills, maybe it might be cheaper with an internet calling system (VOIP)... Look around and see what is best for you. You can try contacting them by email or fax too. Or try to look for the enom reps in dnforum. Maybe you can PM them and get your problem solved. It will be solved much faster if you look around and contact them directly. It seems like they are the only ones that can actually get this solved.

    Quote Originally Posted by stu View Post
    I don't see any relevance in that thread to the situation I'm mentioning. The complaint was spam and the domain was at eNom. In my situation, eNom left the old owner's domain password on the domain when they pushed it to my account, and the old owner used his domain password, changed the contact info, and stole the domain by transferring it to another registrar. It's an eNom system problem. I don't think old domain passwords should be pushed with the domain. They should be blanked out.
    Can I also ask you questions?

    1. I thought that after changing registrar, the domain couldn't be transferred out. Doesn't it mean that the domain is still in enom or in enom's reseller?

    2. Didn't you ever try to login to your account after the transfer? If you couldn't login since it was with the old owner's password, why didn't you do something about it at that time?



    Quote Originally Posted by stu View Post
    I don't see any relevance in that thread to the situation I'm mentioning. The complaint was spam and the domain was at eNom. In my situation, eNom left the old owner's domain password on the domain when they pushed it to my account, and the old owner used his domain password, changed the contact info, and stole the domain by transferring it to another registrar. It's an eNom system problem. I don't think old domain passwords should be pushed with the domain. They should be blanked out.
    Don't worry, I don't use enom. I had a similar situation too. Enom's reseller had stolen my domain and when I called enom, they told me that I had to deal with the reseller. After constantly contacting the reseller, he just said "sorry it was a mistake" and gave me back my domain. I still don't understand how a reseller could steal my domain and how enom did nothing about the reseller's mistake. But I don't understand you clearly. Did you want the domain back or your money back? I hope you get something... :Confused:

    Quote Originally Posted by stu View Post
    This could happen to you too if you ever have domains pushed to your account at eNom. It's a hugely serious security flaw.
    Did you see the "TRANSFERS" rule at enom? I thought that even if a domain is transferred within the same registrar, (push to another account), it cannot be transferred out to another registrar. Since when the domain comes into your account, the whole contact info, and owner info would have been changed. Doesn't it mean that the 60 days apply to you?

    http://www.enom.com/terms/agreement.asp

    TRANSFERS: You agree that transfer of your domain name(s) services shall be governed by ICANN's transfer policy, available at http://www.icann.org/transfers/, as this policy may be modified from time to time. You agree that we may place a "Registrar Lock" on your domain name services and that this will prevent your domain name services from being transferred without your authorization, though we are not required to do so. By allowing your domain name services to remain locked, you provide express objection to any and all transfer requests until the lock is removed. To transfer your domain name(s) you should first login to your account to lock or unlock your domain name(s) and/or to obtain the EPP "AuthCode" which is required to transfer domain services in an EPP registry (such as .org). Alternatively, you should contact your Primary Service Provider to have your domain name(s) services locked or unlocked or to obtain the EPP "AuthCode." If your Primary Service Provider is unresponsive, you may contact us to have your domain name(s) locked or unlocked or to obtain the EPP "AuthCode" though we may first contact your Primary Service Provider to request that the Primary Service Provider address the request. Only the registrant and the administrative contacts listed in the WHOIS information may approve or deny a transfer request. Without limitation, domain name services may not be transferred within 60 days of initial registration, within 60 days of a transfer, if there is a dispute regarding the identity of the domain name registrant, if you are bankrupt, or if you fail to pay fees when due. We will follow the procedures for both gaining and loosing registrars as outlined in ICANN's transfer policies. Transfer requests typically take five business days to be processed. A transfer will not be processed if, during this time, the domain name registration services expire in which event you may need to reinstate the transfer request. 
    You may be required to resubmit a transfer request if there is a communication failure or other problem at either our end or at the registry. AS A CONSEQUENCE, YOU ACKNOWLEDGE THAT YOU ASSUME ALL RISK FOR FAILURE OF A TRANSFER IF THE TRANSFER PROCESS IS INITIATED CLOSE TO THE END OF A REGISTRATION TERM.


    Quote Originally Posted by stu View Post
    1. It was pushed to me from another eNom account so there was no transfer of registrar until the domain got stolen.

    2. Of course I could login to my account. I could even see the domain in the account after the transfer was completed (lame excuse from eNom). The thief used the domain password to login to that domain via access.enom.com and change the contact info. I had no idea it had been stolen until I noticed 1 less domain in my account.
    I think you should take a look at the ICANN transfer rule too.

    http://www.icann.org/transfers/policy-12jul04.htm

    Upon denying a transfer request for any of the following reasons, the Registrar of Record must provide the Registered Name Holder and the potential Gaining Registrar with the reason for denial. The Registrar of Record may deny a transfer request only in the following specific instances:

    Evidence of fraud
    UDRP action
    Court order by a court of competent jurisdiction
    Reasonable dispute over the identity of the Registered Name Holder or Administrative Contact
    No payment for previous registration period (including credit card charge-backs) if the domain name is past its expiration date or for previous or current registration periods if the domain name has not yet expired. In all such cases, however, the domain name must be put into "Registrar Hold" status by the Registrar of Record prior to the denial of transfer.
    Express written objection to the transfer from the Transfer Contact. (e.g. - email, fax, paper document or other processes by which the Transfer Contact has expressly and voluntarily objected through opt-in means)
    A domain name was already in “lock status” provided that the Registrar provides a readily accessible and reasonable means for the Registered Name Holder to remove the lock status.
    A domain name is in the first 60 days of an initial registration period.
    A domain name is within 60 days (or a lesser period to be determined) after being transferred (apart from being transferred back to the original Registrar in cases where both Registrars so agree and/or where a decision in the dispute resolution process so directs).

    I see, I just had one question. When the old owner changed the contact information, didn't you receive any email from enom that the information was changed? If you didn't receive any emails, then you are right about enom's security flaw. Can you tell me the name of the domain? I or some people can do a history check on the domain name.


    Quote Originally Posted by stu View Post
    I don't see any relevance in that thread to the situation I'm mentioning. The complaint was spam and the domain was at eNom. In my situation, eNom left the old owner's domain password on the domain when they pushed it to my account, and the old owner used his domain password, changed the contact info, and stole the domain by transferring it to another registrar. It's an eNom system problem. I don't think old domain passwords should be pushed with the domain. They should be blanked out.
    For example, GoDaddy.com, if we change the name or nameserver, or email address, or any personal information, they said that it goes into the initial 60 days period. If we change owner name, nameserver, email address, lock/unlock, they (GoDaddy.com and Dotster.com) send us emails saying that these have changed. What about enom.com? When do they send you email? I just want to compare them against the ICANN rules.

    Did you pay with a credit card? Or any other payment method?


    Quote Originally Posted by stu View Post
    Exactly. It's an eNom system problem. I've been trying to get this resolved for nearly 2 months (by using their support ticket system). Quite frankly, their responses have been dilatory. Finally, yesterday, they all but admitted the domain had been stolen (told me how they did it), but still refuse to issue a TDRP to recover the domain because the transfer was consistent with ICANN's transfer guidelines. It's ridiculous. They compromise my domain, it gets stolen, and they wash their hands.
    Please read this for accessing your account.

    http://www.enom.com/terms/agreement.asp

    ACCESSING YOUR ACCOUNT AND AN IMPORTANT LIMITATION OF OUR LIABILITY: In order to change any of your account or domain name WHOIS information, you must access your account with your Primary Service Provider (if any), or your account with us. Please safeguard your account login identifier and password from any unauthorized use. You agree that any person in possession of you account login identifier and password will have the ability and your authorization to modify your account and domain name information. We will take reasonable precautions to protect the information we obtain from you from loss, misuse, unauthorized access or disclosure, alteration or destruction of that information and that such reasonable precautions include procedures for releasing account access information to parties who claim to have lost account access information. You agree that, if we take reasonable precautions in relation thereto, that IN NO EVENT SHALL WE BE LIABLE IF SUCH REASONABLE PRECAUTIONS DO NOT PREVENT THE UNAUTHORIZED USE OR MISUSE OF YOUR ACCOUNT IDENTIFIER OR PASSWORD AND THAT, EVEN IF WE FAIL TO TAKE REASONABLE PRECAUTIONS, THAT OUR LIABILITY UNDER ANY CIRCUMSTANCES SHALL BE LIMITED BY THE LIMITATION OF LIABILITY PROVISION FOUND BELOW IN THIS AGREEMENT. If you contact us alleging that a third party has unauthorized access to your account or domain names, you agree that we may charge you administrative fees of $50 (US dollars) per hour for our time spent in relation to the matter, regardless of whether or not we return control over the account and/or domain names to you.

    Please, report here : http://reports.internic.net/cgi/regi...lem-report.cgi

    If you have a problem with one of the registrars, you should first try to resolve it with that registrar. Contact information for the registrars is posted at < http://www.internic.net/contact.html>.

    And then please report to any law enforcement and keep your documents well!
    Good luck, now, game has started........

    Quote Originally Posted by stu View Post
    I received no email, and yes, it's a security flaw. My account is safely secured. eNom explained to me they used the existing domain password to access the account. It's just plain crazy they transfer the old owner's password to the new owner.
    It is same as calling "911" to report when you have any accident and prove for future legal action, if you want to file lawsuit !

    What a good idea! I agree with your opinion.

    Quote Originally Posted by actnow View Post
    It does sound like a major flaw in Enom's security.

    I would suggest you contact someone at the top, at least to let them know
    about the flaw. Also let them know that you have told the domain industry.
    And, they are watching to see what Enom is going to do to protect their customers.

    I will send you the VPs email address by PM.
    Dear mjreine,

    First of all, sorry to hear that ! :sadness:

    Do you know the "Broken Windows Theory"?

    Even though a few years have passed since your case, I think it is better to file a complaint against the registrar.
    Although time has passed, if you leave a record of your case, maybe it won't happen to someone else. If this type of problem happens constantly, then maybe there could be a class action against the registrar like Yahoo.com.


    But I'm not sure if there is a time limit but you should ask or report it: http://www.internic.net/contact.html

    I don't know how long ago it happened, but you can combine legal action.
    Even if you decide not to report the previous registrar, I think this site is a good one to keep in reference.

    The old adage says, "There is a will, there is a way"

    I hope after hearing this, you feel better

    Good Luck!!

    Best Regards,
    preoccupy

    Quote Originally Posted by mjreine View Post
    Preoccupy,

    I sure wish I knew about that internic form a few years ago...I had a registrar transfer in a domain for me (a good one too) and they emailed me that it was transferred and that the domain's expiration was now about a year out in advance... THEN the worst happened...the name suddenly dropped!

    I contacted them as there must be some mistake... yeah there was. The owner told me that it was MY responsibility to make sure the domain actually did transfer to this new registrar properly by periodically checking whois instead of relying on their company's email which clearly stated that the domain was safe until next year. As unbelievable as it may seem, apparently they even had something hidden in their TOS which waived their responsibility should the customer not manually check the whois data. Which the owner quickly pointed out to me making this fiasco somehow my fault.

    What a costly lesson that was... I lost one of my good domains by this pitfall a few years ago. I would name the registrar in question (they are a smaller one...NOT netsol,enom,godaddy,moniker) but they seem to have redone their website and are now much more reliable. Apparently my freaking out once this happened might have pushed them to fix the issue.

    Either way domainers, make sure you do look at whois info instead of relying on registrar emails saying all is ok. Oh...and use a GOOD software app that shows your expiry dates for whois.
    After reading your story, it is really depressing...
    One thing I want to know is if putting a password on a domain is legal or part of their policy or something but if they transfer a domain with the previous password, and not delete it or reset it, I would think that it is negligent from their part.

    I also have an enom.com account but I don't use them because I have a bad experience with them.

    However, I think it will be hard with just one case to win a lawsuit. If you started a class action, then maybe it might be easier. Also a class action is not to get a lot of compensation but to prove that the company is doing something wrong and that they should either change it or fix it. It will be hard to win them or even to try and fix something on your own or even on my own but with a lot of consumers maybe...

    After reading your story, an old adage comes to mind: "two heads are better than one".

    Good Luck

    Best Regards,
    Preoccupy

    Quote Originally Posted by stu View Post
    Yes it's a sad story indeed. I have contacted their General Counsel, who blew me off again, and now their VP. I apologise if this is against the rules, but you can find a much more informative thread here http://www.webhostingtalk.com/showth...=540531&page=4. It is almost impossible for me to repeat all that is said in that thread, here. This 4th page encapsulates the whole story, but the whole thread makes interesting reading.
    Although time has passed, if you used a credit card, try and call them up and ask if you can do a charge back on the charges... or if you had used another payment method, you might want to look into that and see if you can do a charge back. At least if you don't get the domain, you will get your money back!

    Dear stu,

    Well it is all up to you. I hope we can hear you smile... and say that it has been resolved! Good Luck! :angel_smile:

    Best Regards,
    preoccupy

    Quote Originally Posted by stu View Post
    I have no intention of making a chargeback.

    Yes. I believe Club Drop (eNom) have been negligent in pushing the domain to me with a password known by a third party which allowed a third party access to my domain.


    Quote Originally Posted by stu View Post
    It's up to eNom to do the right thing and file a TDRP to recover this domain (which currently they are reluctant to do).
    Dear stu,
    Congratulations!

    By the way, if you still have any questions about this case, then please contact the "Office of the Attorney General" below:

    Washington
    State Offices
    Office of the Attorney General

    (see Regional Consumer Resource Centers)
    1125 Washington St. SE
    Olympia, WA 98504-0100
    Toll free: 1-800-551-4636
    www.atg.wa.gov/


    Regional Offices
    Bellingham Consumer Resource Center (Island, San Juan, Skagit and Whatcom Counties)

    Office of the Attorney General
    103 East Holly St., Suite 308
    Bellingham, WA 98225-4728
    360-738-6185
    Toll free in WA: 1-800-551-4636
    Fax: 360-738-6190
    www.atg.wa.gov


    Kennewick Consumer Resource Center (Southeast Washington)
    Office of the Attorney General

    500 N. Morain St., Suite 1250
    Kennewick, WA 99336-2607
    509-734-7140
    Toll free in WA: 1-800-551-4636
    Fax: 509-734-7475
    www.atg.wa.gov


    Seattle Consumer Resource Center (King, Snohomish, Clallam and Jefferson Counties)
    Office of the Attorney General
    900 Fourth Ave., Suite 2000
    Seattle, WA 98164-1012
    206-464-6684
    Toll free in WA: 1-800-551-4636
    Fax: 206-464-6451
    www.atg.wa.gov


    Spokane Consumer Resource Center (Northeast Washington)
    Office of the Attorney General

    1116 West Riverside Ave.
    Spokane, WA 99201-1194
    509-456-3123
    Toll free in WA: 1-800-551-4636
    Fax: 509-458-3548
    www.atg.wa.gov


    Tacoma Consumer Resource Center (Pierce, Mason, Grays Harbor and Kitsap Counties)
    Consumer Protection Division
    Office of the Attorney General
    PO Box 2317
    Tacoma, WA 98401
    253-593-2904
    Toll free in WA: 1-800-551-4636
    Fax: 253-593-2449
    E-mail: cynthial@atg.wa.gov
    www.atg.wa.gov


    Vancouver Consumer Resource Center (Southwest Washington)
    Office of the Attorney General

    1220 Main St., Suite 549
    Vancouver, WA 98660-2964
    360-759-2150
    Toll free in WA: 1-800-551-4636
    Fax: 360-759-2159
    www.atg.wa.gov

    Quote Originally Posted by stu View Post
    eNom have verbally agreed to refund my Club Drop purchase price and eNom renewal for this domain. They do not admit to any security flaw but make some vague reference to investigating the issue. Now, I ask myself. Why would they make such an offer if they're not wrong? You make your own minds up.
    That's a good idea !

    Quote Originally Posted by carlton View Post
    Will you post the domain name now or name of the person who stole it? Full disclosure seems like a good idea given that it's played out with enom customer service.
    Thank you for the great information, sir!
    Have a great weekend !

    Quote Originally Posted by Mr. Deleted View Post
    http://www.7j.cc/files/enomaccess.JPG here is where the problem is...
    Dear Stu,

    I want to help you further with your problems but I have my own international lawsuit that I am preparing so I am kind of busy. Here is what I am doing (maybe you should do so too)

    1. Report the situation to correct authorities (keep all documents, save, capture, record all proof)
    2. Give them time to fix, change and correct the errors. (Prevent dismissal once in court)
    3. Check and see if there are any illegal act that they are involved in and report to correct authorities. (don't forget to capture, save, have legal documents)
    4. Find a good attorney (You need to check if the defendant is able to pay the compensation. For example: suing an employee is not worth it, suing an employer has a better chance for receiving compensation)
    5. If, even after a reasonable time period, there is no response, correction, etc... file a lawsuit.
    Last edited by scorpio; 08-27-2006 at 03:11 PM.

  5. #5
    Ian

    Re: Warning: Domain stolen. Huge security flaw.

    sounds tough though Enom should refund you based on its TOS.
    good luck
    Always buying .COM revenue type-ins. PM me!

  6. #6
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    Please call enom
    Are you an eNom representative? Who should I speak to. It's a long distance overseas call for me. I don't really appreciate playing telephone tag on my dime. Will they accept reverse charge calls?

  7. #7
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    Quote Originally Posted by Abraham View Post
    sounds tough though Enom should refund you based on its TOS.
    Of course I'd rather have my domain back :(

  8. #8
    carlton

    Re: Warning: Domain stolen. Huge security flaw.

    Quote Originally Posted by stu View Post
    ... The domain was duly pushed to my account. INCLUDING THE DOMAIN PASSWORD OF THE PREVIOUS OWNER.
    His password allowed access to YOUR account (where the name was residing)? His password should be completely irrelevant to the domain name (post transfer) or your account ... or else I read this as an enom technical blunder.

    Whatever the case, enom should be eager to help. They should offer suggestions and look into the theft. My regard for enom has been low since 2002 and I've casually observed other people's experiences dealing with them. Some domainers like them and some have had problems.

    I'd definitely like to know the outcome. Will enom support their customer in matters of theft/fraud or look the other way?
    PremiumDomains.biz BLOG | PremiumDomains.US | Memphis.info | Miami.biz | DETROIT.US

  9. #9
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    Quote Originally Posted by Preoccupy View Post
    Please read this thread, complaint finally took back the domain without any compensation!
    http://www.dnforum.com/thread172371.html
    I don't see any relevance in that thread to the situation I'm mentioning. The complaint was spam and the domain was at eNom. In my situation, eNom left the old owner's domain password on the domain when they pushed it to my account, and the old owner used his domain password, changed the contact info, and stole the domain by transferring it to another registrar. It's an eNom system problem. I don't think old domain passwords should be pushed with the domain. They should be blanked out.

  10. #10
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    Quote Originally Posted by carlton View Post
    His password allowed access to YOUR account (where the name was residing)? His password should be completely irrelevant to the domain name (post transfer) or your account ... or else I read this as an enom technical blunder.

    Whatever the case, enom should be eager to help. They should offer suggestions and look into the theft. My regard for enom has been low since 2002 and I've casually observed other people's experiences dealing with them. Some domainers like them and some have had problems.

    I'd definitely like to know the outcome. Will enom support their customer in matters of theft/fraud or look the other way?

    Exactly. It's an eNom system problem. I've been trying to get this resolved for nearly 2 months (by using their support ticket system). Quite frankly, their responses have been dilatory. Finally, yesterday, they all but admitted the domain had been stolen (told me how they did it), but still refuse to issue a TDRP to recover the domain because the transfer was consistent with ICANN's transfer guidelines. It's ridiculous. They compromise my domain, it gets stolen, and they wash their hands.

  11. #11
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    This could happen to you (anyone reading this thread) too if you ever have domains pushed to your account at eNom. It's a hugely serious security flaw.
    Last edited by stu; 08-19-2006 at 02:05 PM.

  12. #12
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    1. I thought that after changing registrar, the domain couldn't be transferred out. Doesn't it mean that the domain is still in enom or in enom's reseller?

    2. Didn't you ever try to login to your account after the transfer? If you couldn't login since it was with the old owner's password, why didn't you do something about it at that time?
    1. It was pushed to me from another eNom account so there was no transfer of registrar until the domain got stolen.

    2. Of course I could login to my account. I could even see the domain in the account after the transfer was completed (lame excuse from eNom). The thief used the domain password to login to that domain via access.enom.com and change the contact info. I had no idea it had been stolen until I noticed 1 less domain in my account.
    Last edited by stu; 08-19-2006 at 01:55 PM.

  13. #13
    stu

    Re: Warning: Domain stolen. Huge security flaw.

    Did you want the domain back or your money back?
    I'd prefer my domain back, but it seems unlikely eNom has any intention of correcting their error and recovering it.

  14. #14
    Platinum Lifetime Member
    stu's Avatar
    Join Date
    Dec 2005
    Location
    Subic Bay
    Posts
    643

    Re: Warning: Domain stolen. Huge security flaw.

    That 60 day hold on transfers in the eNom ToS is only for transfers from another registrar into eNom, not for a push from one eNom account to another eNom account, where there has been no transfer of registrar.

    That ICANN rule is for denying a transfer request, not for recovering a domain which has already been successfully transferred.

  15. #15
    Platinum Lifetime Member
    stu's Avatar
    Join Date
    Dec 2005
    Location
    Subic Bay
    Posts
    643

    Re: Warning: Domain stolen. Huge security flaw.

    I received no email, and yes, it's a security flaw. My account is safely secured. eNom explained to me they used the existing domain password to access the account. It's just plain crazy they transfer the old owner's password to the new owner.

  16. #16

    Join Date
    Mar 2003
    Location
    Washington,DC
    Posts
    4,826
    Blog Entries
    1

    Re: Warning: Domain stolen. Huge security flaw.

    It does sound like a major flaw in Enom's security.

    I would suggest you contact someone at the top, at least to let them know
    about the flaw. Also let them know that you have told the domain industry.
    And, they are watching to see what Enom is going to do to protect their customers.

    I will send you the VP's email address by PM.

  17. #17
    Platinum Lifetime Member
    mjreine's Avatar
    Join Date
    Mar 2004
    Location
    Twin Cities, MN
    Posts
    294
    Country

    United States

    Re: Warning: Domain stolen. Huge security flaw.

    Preoccupy,

    I sure wish I knew about that InterNIC form a few years ago...I had a registrar transfer in a domain for me (a good one too) and they emailed me that it was transferred and that the domain's expiration was now about a year out in advance... THEN the worst happened...the name suddenly dropped!

    I contacted them as there must be some mistake... yeah there was. The owner told me that it was MY responsibility to make sure the domain actually did transfer to this new registrar properly by periodically checking whois instead of relying on their company's email which clearly stated that the domain was safe until next year. As unbelievable as it may seem, apparently they even had something hidden in their TOS which waived their responsibility should the customer not manually check the whois data. Which the owner quickly pointed out to me making this fiasco somehow my fault.

    What a costly lesson that was... I lost one of my good domains by this pitfall a few years ago. I would name the registrar in question (they are a smaller one...NOT netsol, enom, GoDaddy, moniker) but they seem to have redone their website and are now much more reliable. Apparently my freaking out once this happened might have pushed them to fix the issue.

    Either way domainers, make sure you do look at whois info instead of relying on registrar emails saying all is ok. Oh...and use a GOOD software app that shows your expiry dates for whois.
    Last edited by mjreine; 08-22-2006 at 11:13 AM.
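
    The whois checking recommended in post #17, and the unnoticed contact change described in post #12, can be automated by diffing a saved WHOIS record against a fresh one. This is an added example, not code from any poster or registrar; the field names follow common "Key: value" WHOIS output and are assumptions, the sample records are constructed, and fetching the live record (for example with a whois client) is left to the reader.

```python
from datetime import date, datetime

# Fields to watch; key names are an assumption (registries format records differently).
WATCHED = ("registrar", "registrant email", "registry expiry date")

# Constructed sample records for a placeholder domain (not taken from the thread).
SAVED = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar A
Registry Expiry Date: 2007-08-01T00:00:00Z
Registrant Email: owner@example.net
Domain Status: clientTransferProhibited"""

FRESH = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar B
Registry Expiry Date: 2007-08-01T00:00:00Z
Registrant Email: someone-else@example.org
Domain Status: ok"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict; repeated keys are kept in order."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def audit(baseline, current, today, warn_days=45):
    """Compare a saved record with a fresh one; return a list of findings."""
    if not current:
        return ["no WHOIS record returned: domain may have dropped"]
    findings = []
    for field in WATCHED:
        old, new = baseline.get(field), current.get(field)
        if old != new:
            findings.append(f"{field} changed: {old} -> {new}")
    # clientTransferProhibited is the EPP status behind a registrar transfer lock.
    statuses = " ".join(current.get("domain status", [])).lower()
    if "clienttransferprohibited" not in statuses:
        findings.append("transfer lock (clientTransferProhibited) not set")
    expiry = current.get("registry expiry date")
    if expiry:
        expires = datetime.strptime(expiry[0][:10], "%Y-%m-%d").date()
        days_left = (expires - today).days
        if days_left <= warn_days:
            findings.append(f"expires in {days_left} days")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_whois(SAVED), parse_whois(FRESH), date(2006, 8, 22)):
        print("ALERT:", finding)
```

    Run on a schedule against every domain in a portfolio, a check like this reports a registrant, registrar or lock change within a day instead of when a domain is noticed missing from the account.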

  18. #18
    Platinum Lifetime Member
    stu's Avatar
    Join Date
    Dec 2005
    Location
    Subic Bay
    Posts
    643

    Re: Warning: Domain stolen. Huge security flaw.

    Yes it's a sad story indeed. I have contacted their General Counsel, who blew me off again, and now their VP. I apologise if this is against the rules, but you can find a much more informative thread here http://www.webhostingtalk.com/showth...=540531&page=4. It is almost impossible for me to repeat all that is said in that thread, here. This 4th page encapsulates the whole story, but the whole thread makes interesting reading.

  19. #19
    Platinum Lifetime Member
    stu's Avatar
    Join Date
    Dec 2005
    Location
    Subic Bay
    Posts
    643

    Re: Warning: Domain stolen. Huge security flaw.

    I have no intention of making a chargeback.

    Yes. I believe Club Drop (eNom) have been negligent in pushing the domain to me with a password known by a third party which allowed a third party access to my domain.
    Last edited by stu; 08-23-2006 at 12:46 AM.

  20. #20
    Platinum Lifetime Member
    stu's Avatar
    Join Date
    Dec 2005
    Location
    Subic Bay
    Posts
    643

    Re: Warning: Domain stolen. Huge security flaw.

    It's up to eNom to do the right thing and file a TDRP to recover this domain (which currently they are reluctant to do).
