
Brief Explanation Of "Stolen Domains" Thread

Status
Not open for further replies.

Guest
On Monday, 12 August, 2002, DNF member "devolution" posted a detailed report of a (rather ingenious) hole he had found in domain name security...namely, a way domains with "invalid" admin contact email addresses could be fraudulently transferred.

It was decided by the mods and Dan that this post, because of its highly detailed description of this potential fraudulent methodology and the rather knavish way in which it was written (somewhat savouring the potential fraud, sort of the way movies like Ocean's Eleven portray their cinematic crimes in a positive light...but only somewhat), could not, in good conscience, be allowed on the board, and so they moved it to an area not accessible by the general DNF readership.

The new thread in which mod safesys announced he was moving devolution's thread became a debate about the pros and cons of this censorious decision, with members chiming in on both sides. It was decided by the mods, with Dan's apparent backing, that devolution's original thread should be kept off the board.

Since that thread contained what I and others think is useful information, I'll attempt to post the "main message" of that thread without treading into the "forbidden territory" of the original post.

Here goes (deep breath, brief kiss of St. Christopher's medallion):


If the admin contact email for your domain becomes "invalid," there are ways, depending on the means of "invalidation" (don't ask!...that's the forbidden part!), for unscrupulous persons to come into working possession of the invalid email, and use it to take control of your domain. As every domainer knows, the person who controls a domain's admin contact email, controls the domain.

Lesson: make sure the admin contact email address for all your domains is valid and in your control.

I hope this post passes muster with the DNF powers-that-be. If not, let me know and I'll work on it. If Winston Smith managed to find the right words (at least in the beginning), I suppose I can too.

Miles
 

mole

DNF Addict
Legacy Exclusive Member
Joined
May 4, 2002
Messages
6,674
Reaction score
3
Feedback: 1 / 0 / 0
Thanks but that all, think?

How does one go about capitalising on an 'invalid' email?

Anyway, I agree that anyone who does not even know the basics of keeping the integrity of the admin email intact and separate from the domain itself deserves to lose the name. :dead:
 

Guest
Originally posted by mole
Thanks but that all, think?

How does one go about capitalising on an 'invalid' email?

Shhhhh!...Mole, I may have said too much as it is. Just be thankful you're getting this.

We've got to be careful...you never know what sort of bad element is loitering around the internet.

Miles
 

Guest
:)

Miles, you know full well my original complaint was with the section that explained *where* to use the information - the original post details a specific area to go checking for this weakness.
 

Guest
Deserves to lose the name huh?

:weird: :upset: :depressed :evil: :depressed :upset: :weird:
 

Guest
Maintaining accurate whois details is extremely important for a number of factors. In addition to possible theft, either by someone editing details on the original registrar or moving it to a new registrar, there is also the issue of the registration agreement: not maintaining accurate details would mean there is no valid contract between registrant and registrar, so if it is stolen and has false details the registrar will not have a legal obligation to aid in its retrieval.
 

Guest
Originally posted by safesys
Miles, you know full well my original complaint was with the section that explained *where* to use the information - the original post details a specific area to go checking for this weakness.

Good thing there are no unscrupulous people among the hundreds of thousands of international holders of C.S., Math and Engineering degrees, who could figure this out in...oh...about two minutes.

But hey...as long as my post at the top of this thread is within the DNF-approved areas of discourse, I'm happy.

Miles
 

Guest
Originally posted by safesys
Miles, you know full well my original complaint was with the section that explained *where* to use the information - the original post details a specific area to go checking for this weakness.

Also, your above cited concern doesn't seem to be entirely accurate. If memory serves, it seems you were concerned about more than just dry detail. This is how you put it in the other thread...

To my mind, it wasn't so much the content of the thread, as to the way it was delivered. It didn't read like an advisory - it read like an exploit.

That goes a little beyond *where*, don't you think?....

Miles
 

Brujah

DNF Member
Legacy Exclusive Member
Joined
Jun 10, 2002
Messages
538
Reaction score
0
Feedback: 17 / 1 / 0
Miles, is it important that we post details about how to scan in bulk to maximize the number of domain names you can steal?

Isn't it really enough to just show how one name can be stolen, presented in the manner so that it's a cautionary warning rather than an exploit? If someone wants to steal domain names .. would you rather someone learn how here?

However, if it matters.. I think the way you've rewritten the message intended works well. :)
 

Guest
Miles, I don't want to go round in circles arguing this same topic, but I don't see any contradiction or discrepancy in the posts. It was the explaining where to use it which made the post seem like an exploit rather than an advisory.
 

mole

Maybe we should change the thread title to 'Honest Adults Only' :D

But thanks for clarifying it's just the invalid email that one should watch out for. I was beginning to think there were some new hack tools around that steal your passwords or something. :)
 

Guest
Originally posted by safesys
Miles, I don't want to go round in circles arguing this same topic, but I don't see any contradiction or discrepancy in the posts.

Okay.

Miles
 

mole

Originally posted by goh
Deserves to lose the name huh?
:weird: :upset: :depressed :evil: :depressed :upset: :weird:

Yes goh, it's really like sticking your house key right up your front door with a big note screaming 'Steal Me'.
 

buddy

DNF Regular
Legacy Exclusive Member
Joined
Jun 22, 2002
Messages
921
Reaction score
0
Feedback: 3 / 0 / 0
Thanks for posting it again in a "proper" version. A lot of domainers would otherwise have missed out on very useful info, which is too bad imo. If this is supposed to be the ultimate forum for domain speculators in the future, then people need to know about things like these. Heads up!! Keep up the good work Miles!!

Thanks!
 

Guest
Originally posted by mole


Yes goh, it's really like sticking your house key right up your front door with a big note screaming 'Steal Me'.

I wrote "Please take me home" on top of my cardboardbox!
 

AMERICAR

Level 6
Legacy Platinum Member
Joined
Apr 6, 2002
Messages
630
Reaction score
2
Feedback: 0 / 0 / 0
The Chairman ... needs a new cardboardbox.com


:D
 

AMERICAR

On that subject of the stolen domains .. the only good thing that I can say about the register dot com registration is that it is very hard to switch or steal a name from there.

The admin is not the billing email; you can't transfer a name from there without knowing the billing email address .. it is not published on the whois.
 

Luc

Old school
Legacy Exclusive Member
Joined
Jul 18, 2002
Messages
1,574
Reaction score
5
Feedback: 9 / 0 / 0
There are multiple ways to steal a domain name. Getting away with it is a completely different story.

I would not recommend following the previous thread.
 

MillerTyme

Level 3
Legacy Platinum Member
Joined
Jul 5, 2002
Messages
78
Reaction score
0
Feedback: 0 / 0 / 0
It doesn't matter if you have an invalid email with VERISIGN, if you set your auth to crypt-pw or pgp key, instead of email authentication. But for some people it's too much work. I learned the hard way to put more effort into keeping my domains secure with one of these two methods.
 

Guest
So many website services require setting up an account and password.
For example: Yahoo e-mail account: abc; password is 123.
For a domain account most people might use the same account abc and 123 for the password. If I create a website and ask people to create an account name and password, then I've got all the information I need to change. It is so easy to steal domain names from other people.
I wonder how many members of dnforum use the same account and password for their e-mail account and domain registrar.
 