eNom contact??? Urgently need to get a hold of them - stolen domains

Steen · Nov 3, 2006

Please, if anyone has a direct line to someone at eNom it would be greatly appreciated right now. At least one of my domains has been stolen from my account and eNom support is not picking up the phone...

Does anyone have another number I could try? A direct line?

Thank you!

katherine · Nov 4, 2006

I kept this from an old post if it can help:

Kim Shin
Enom legal department

kim {AT} enom.com

Mr. Pim · Nov 4, 2006

mg_smile:

I hope you get your domain back Steen !

ray:

Ehsan · Nov 4, 2006

Any update to that stolen domain ? ot still no answer from enomers

Steen · Nov 4, 2006

I called (eNom) frantic at 4 PM on Friday. No one would answer the phones. All the contacts I knew must have left when eNom was bought out, as none could be found in the directory nor were their extensions working. Finally I started making up extensions and got a hold of someone, who transferred me to a live technical support person. Unfortunately he was useless, giving me textbook answers and telling me to email account-security then transfer-disputes. After it was clear this was going no where we ended the conversation, I sent the emails knowing I would be lucky if they took action even by Monday.

Friday night I contacted an IP law firm in Riyadh to pursue the thief. Since then the thief has bought eNom privacy protection for my domain and changed the WHOIS on all his.

Here is the thief's info:

Contact: [email protected]
Visit: http://www.abo-rawan.com

Domain name: abo-rawan.com

Administrative Contact:

Ameen Alshangiti ([email protected])
+966.566333112
Fax: +966.566333112
21573
Jeddah, 966
SA

I have contacted his web host via email asking them to point the domain name back to my server IP, so at least the site and email will work again. MURABBA.COM, his host, has not responded to my emails nor have the answered the phone when I called two of their lines probably 25 times last night. I am beginning to wonder if perhaps the web host is involved in the theft.

The law firm in Riyadh has been instructed to contact both the thief and his host. Hopefully they will do so efficiently and with success.

If anyone has any further information it would be greatly appreciated. The thief and his web host appear to be members of several Arab web hosting and domain name forums.

Likely most concerning is that my password at NSI was changed yesterday without my knowledge. This would make the web host's cooperation extremely helpful if not vital in the short term. For once now, I wish nameservers still took 48 hrs to change

My webhost has said that someone tried to login to my email through Horde from IP 212.107.116.246 which is in Saudi.

sdsinc said:
I kept this from an old post if it can help:

Kim Shin
Enom legal department

kim {AT} enom.com

Thank you very much.

Warren.Davis · Nov 5, 2006

I had some domains stolen in April. A few were moved to eNom and the others moved to Go Daddy. Enom was extremely helpful and returned the domains to me after I provided them with a signed statement and proof of ownership. Go Daddy basically told me to call them once I had a court order. No help at all.

So anyway, you should have no trouble getting support from eNom. They are a solid company when this happens.

Steen · Nov 6, 2006

Warren.Davis said:
I had some domains stolen in April. A few were moved to eNom and the others moved to Go Daddy. Enom was extremely helpful and returned the domains to me after I provided them with a signed statement and proof of ownership. Go Daddy basically told me to call them once I had a court order. No help at all.

So anyway, you should have no trouble getting support from eNom. They are a solid company when this happens.

Thank you for your take on the experience.
Hopefully eNom will take action before the domain is transferred out. I can only imagine the headaches if it ends up with an Arab registrar, or any registrar for the matter which isn't helpful.

Monday morning... bright and early... eNom legal can expect me.

GT Web · Nov 6, 2006

It always seem to be the Arabs who are hacking, stealing, etc.

Anyways, good luck getting the name back. Is there any reason it has particular value to you? It doesn't seem like a name I would be going crazy over, but maybe I'm missing something...

dcristo · Nov 6, 2006

GT Web said:
Is there any reason it has particular value to you? It doesn't seem like a name I would be going crazy over, but maybe I'm missing something...

What kind fo response is that man. He owns the domain and wants it back!

Best of luck getting it back, Steen.

Rockefeller · Nov 6, 2006

I dont think that abo-rawan.com was steen's domain name, just the domain name that is listed on that whois of his stolen name..

Maybe not?

Also, the whois for that domain name has changed:

Saudi Coder ([email protected])
+966.5666666666
Fax: +966.5555555555
00966
Jeddah, 00966 00966
SA

With that email I've found this post on a music forum:

and this post:
ØªÙ Ø§Ø®ØªØ±Ø§Ù Ø§ÙÙÙÙØ¹ ÙÙ ÙØ¨Ù Devil Hacker & Saudi Coder Ø±ÙØ¶Ø§Ø§Ø§Ø§Ø§Ø§Ø§Ù ÙØ±ÙÙ ÙÙÙÙÙÙÙÙ Ø¬ÙÙØ¹ Ø§ÙØ§Ø®ØªØ±Ø§ÙØ§Øª Ø¨Ø¯Ø¹Ù ÙÙ Ø§ÙØ§Ø³ØªØ§Ø° Ø³Ø¹ÙØ¯Ù ÙÙØ¯Ø± ÙØ§ÙÙÙ ÙØ§ÙØ¹Ø±Ù ÙØªÙÙ ÙÙÙØ¹Ù ÙØ±Ø¹Ù Ø¨ÙØ± Ø§ØªØ³Ù ÙÙ

and brags to be a hacker.

Steen · Nov 6, 2006

Rockafeller said:
I dont think that abo-rawan.com was steen's domain name, just the domain name that is listed on that whois of his stolen name..

Maybe not?

Also, the whois for that domain name has changed:

Saudi Coder ([email protected])
+966.5666666666
Fax: +966.5555555555
00966
Jeddah, 00966 00966
SA

With that email I've found this post on a music forum:

and this post:
ØªÙ Ø§Ø®ØªØ±Ø§Ù Ø§ÙÙÙÙØ¹ ÙÙ ÙØ¨Ù Devil Hacker & Saudi Coder Ø±ÙØ¶Ø§Ø§Ø§Ø§Ø§Ø§Ø§Ù ÙØ±ÙÙ ÙÙÙÙÙÙÙÙ Ø¬ÙÙØ¹ Ø§ÙØ§Ø®ØªØ±Ø§ÙØ§Øª Ø¨Ø¯Ø¹Ù ÙÙ Ø§ÙØ§Ø³ØªØ§Ø° Ø³Ø¹ÙØ¯Ù ÙÙØ¯Ø± ÙØ§ÙÙÙ ÙØ§ÙØ¹Ø±Ù ÙØªÙÙ ÙÙÙØ¹Ù ÙØ±Ø¹Ù Ø¨ÙØ± Ø§ØªØ³Ù ÙÙ

and brags to be a hacker.

Yes you are right. Right after stealing my domain name, my domain's WHOIS changed to [email protected]. Now after repeated legal threats from lawyers in Riyadh and back in the US he has masked the WHOIS on my domain and changed his other domain names to false information. Thank god for DomainTools.com history.

To clarify, [email protected] is the email used in my stolen domain's WHOIS. Abo-rawan.com is the suspected thief's domain. My domain is of considerable value.

Thank you for the help.

GeorgeK · Nov 6, 2006

Did eNom help today, assuming you were able to reach them?

I wonder if the hacker might have used password info from when DNForum was hacked recently?

Theo · Nov 6, 2006

GeorgeK said:
Did eNom help today, assuming you were able to reach them?

I wonder if the hacker might have used password info from when DNForum was hacked recently?

Shhhhhh. When did that happen? :-D

GT Web · Nov 6, 2006

dcristo said:
What kind fo response is that man. He owns the domain and wants it back!

Best of luck getting it back, Steen.

Settle down, I wished him good luck getting it back as well. It just didn't make sense he would have spent that much time on a meaningless domain. But of course, since the domain stolen was different then it obviously doesnt matter...

BTW Steen congrats on post 5000

Steen · Nov 6, 2006

GeorgeK said:
Did eNom help today, assuming you were able to reach them?

I wonder if the hacker might have used password info from when DNForum was hacked recently?

I tried every contact I had available via telephone today to no avail. Kim from legal did respond to my email. She stated that my email was forwarded to transfers@enom and noted "Fortunately the domain already has a lock enabled and further changes to the domain have been disabled." This statement is reassuring to some extent, however the thread regarding transfers and "locks" also in this Lounge forum has me still a bit concerned.

So far I have come to this conclusion: no one at eNom answers their phone, with the exception of Kim this issue was not addressed within 24 hours. Kim forwarded the email to [email protected], I have emailed transfer-disputes@, account-security@, left several voice mails and have a trouble ticket open. All these actions were taken on Friday the third towards the end of the business day. Currently the domain is still at eNom, resolving to the thief's Arabic website and still using eNom's private WHOIS service.

I understand that eNom is getting to be a mid-sized company but in such serious cases I would expect action to be taken within a 24 hour time frame. Very disappointed. Personally, I will not be holding any "critical" domain names at eNom after this week. The amount this has cost me in lost business in staggering, not to mention legal fees and time on top.

GT Web said:
BTW Steen congrats on post 5000

Thanks GT.

I wonder if the hacker might have used password info from when DNForum was hacked recently?

This would be very frightening, however now that you mention it, in this case it *would* make sense and *could* be a possible source of the security breach.

Premium Domains · Nov 13, 2006

Steen, empty your PM box - I tried sending you a PM but the message did not go through as your PM box is full.

Steen · Nov 13, 2006

Premium Domains said:
Steen, empty your PM box - I tried sending you a PM but the message did not go through as your PM box is full.

Sorry about that. PM box cleaned out.

Digital Address · Nov 18, 2006

GT Web said:
It always seem to be the Arabs who are hacking, stealing, etc.

Now I may have a hijacking being attempted:

Support @ Get SLD <[email protected]>
reply-to [email protected]
to Anwaar Hussain <[email protected]>
cc [email protected]
date Nov 17, 2006 6:31 PM
subject RE: nameservers pointing

By copy of this e-mail, we have forwarded your request to Customer Service
at eNom.com where the owner of each domain name has direct administrative
access to change such information.

You should have received a login and password from the previous owner (the
party that you purchased the domain name from). You should also follow up
by requesting them to change the registered owner information to reflect
your data.

eNom will only send login and password information to the owner of record.
At this point it still says "THIS DOMAIN NAME MIGHT BE FOR SALE".

The Team at Get SLD

> -----Original Message-----
> From: Anwaar Hussain [mailto:[email protected]]
> Sent: Friday, November 17, 2006 3:20 AM
> To: [email protected]
> Subject: [SPAM] nameservers pointing
>
> Dear Sirs,
>
> I have recently bought the rights to domain name
> www.globaltruths.com <http://www.globaltruths.com/> .
> However, the nameservers are not pointing to Dot5Hosting. You
> are, therefore, requested to please unlock my domain name and
> disable any WhoIs Privacy and also point the nameservers to
> Dot5Hosting. Please change the nameservers to the following:
>
> ns1.dot5nameservers.com
> ns2.dot5nameservers.com
>
> Thanking you,
>
> Anwaar Hussain

> PS : The last 04 digits of the credit card with which I made
> the purchase are 2206 with an expiry date of 03/09. Please
> feel free to ask for any further verification

Even though it is a rather lame attempt!!