ICANN's new policies [webmasterworld.com] make it easy for this to happen.
My Question: what is my recourse? Is there some place I can file a complaint against this company? This company may have tried to steal something from me!
[edited by: tedster at 11:19 pm (utc) on Dec. 18, 2004]
[edit reason] fix link [/edit]
If there's someone you should complain about, it's the one who started the request with the
gaining registrar. But that's almost close to impossible.
As long as you don't reply at all to the gaining registrar's request, no transfer will take place.
Was it a .com?
2. Report it. Make a record. Again, it becomes part of an evidence trail in case you get jacked. A) Ask/demand the registrar where the transfer request came from to identify the person/company making the request. Some do. B) Notify your registrar and ask they provide any transferee identity info.
3. If you can already identify who done it send them a nastygram.
4. If you actively buy/sell/transfer domains you can get fooled by a well timed interloper's request from one of the 'we handle all transfers' service companies. (There's only one generic that I can think of and it's transfer system lacks transparency.) I was once moving a few hundred domains from a few dozen registrars to one central registrar. In the midst of this someone 'snuck one in'. It took me a few days to catch on. Literally a domain that I was moving was requested by someone else at the same time. Makes you wonder, doesn't it? The person on the receiving end wasn't a domain neophyte either and just didn't quite understand how it happened. At least that was the explanation I got after firing off a round of "I'm a lawyer, I'm ready willing and able to travel anywhere to enforce my rights. Etc. emails, faxes and letters." This is the only time a domain got away from me. Moral of the story: When handling bulk transfers don't hit yes for transfers that aren't entirely transparent, i.e., domain+requesting registrar. (The generic transfer service only confirmed the domain, not the receiving registrar.)
ICANN's new policies make it easy for this to happen.
Just to repeat what davezan said... no it doesn't. You still have to reply affirmatively to the email in order for the transfer to go through. And then you get another 5 days to deny it.
I wouldn't worry about it -- just keep the domain locked, and/or keep checking your email. They haven't committed a crime, as far as I know.
[icann.org...]
In the event that a Transfer Contact listed in the Whois has not confirmed their request to transfer with the Registrar of Record and the Registrar of Record has not explicitly denied the transfer request, the default action will be that the Registrar of Record must allow the transfer to proceed.
the default action will be that the Registrar of Record must allow the transfer to proceed.
Yes, but that's only after the gaining registrar has explicitly granted the request, as a result of approval from the owner.
A few weeks ago, I tried to steal a recently-expired domain by entering a transfer request. I tried writing to the contact first, and found that the address was no longer valid. The transfer didn't go through.
As posted in an announcement at my registrar, the only way to abuse this new policy would be for the gaining registrar to falsely claim that they received explicit approval from the owner, and they would probably lose their ICANN accreditation if they did that.
A request is made. (I guess anyone can request it.)
A note to approve the transfer is sent to the Owner of record's email address.
If the Owner does not respond in the affirmative from that email address, the transfer is dead.
If the Owner responds in the affirmative, that's when the request is sent to the Registrar of Record (the old registrar).
If the Registrar of Record decides to ignore the request, or even if they deny it, the new rule you cited kicks in, essentially saying, "Hey Old Registrar of Record, you have no choice. The Owner approved the transfer, and there's nothing you can do to keep getting their money. Transfer is approved."
The key is that the Owner must approve the transfer from the email address of record, or nothing happens after that. And once they do approve, the transfer goes through within 5 days.
This is different from the past only in that an old Registrar of Record used to be able to prevent an authorized transfer from going through by failing to acknowledge the request or by denying it.
Now the Owner is in control of everything, as long as they have access to that Owner's email address of record. If the Owner no longer has control of the email address, then there are the usual, stringent, meatspace processes available to identify themselves as the true Owner and to make the transfer happen.
We can expect to see a rash of this type of activity (fraudulently trying to transfer domains) as crooks become more desperate and for as long as people continue to be confused about the process.
Common sense says: Don't approve any transfer you did not request. Period.
So the key is that the gaining, NEW registrar must get a confirmation from the email address of record. And if they do get that confirmation, then the losing, old registrar cannot obstruct the transfer.
So in the above quote from the policy:
In the event that a Transfer Contact listed in the Who is has not confirmed their request to transfer with the Registrar of Record...
...we're talking about a SECOND confirmation being unneeded - the one sent to the old registrar that confirms the transfer request. But there is a FIRST email, sent by the new registrar to the email address of record, and that email still must be confirmed for the transfer to go through.
Then again, most registrars went crazy and locked everyone's domains by default, so that makes it even more difficult than before to transfer; I guess they don't get it.
I don't like that there's no way to immediately confirm the second email. You have to wait for the 5-day timeout.
I don't like this '5-day time-out' rule neither, it's only slowing the process, IMO.
My Question: what is my recourse? Is there some place I can file a complaint against this company? This company may have tried to steal something from me!
I researched this a bit and did not find any information. Seems like an odd thing. Maybe there's a place for at least something like a "Hall of Shame".
I have the domain in registrar lock thankfully
Hmm. I just tried to transfer one of my locked domains to another registrar, and it wouldn't even let me make the request:
...com is not transferable. (Domain status REGISTRAR-LOCK does not allow for transfer)
Again, I wouldn't worry -- just keep your domains locked like your house.
I forwarded the email to a popular deleted domain / auction site (4 letter domain). I bought the name from them almost exactly one month prior. They acknowledged that the company was well known for initiating these requests. Seems they have striked before, and are likely going after your names.
I don't like this '5-day time-out' rule neither, it's only slowing the process, IMO.
Not really. It's just made things more definite.
Originally there were hardly any limits set on how long the gaining registrar should keep
the request open 'til it decides to close due to no response. At most it's up to 14, 15
days.
Imagine being told to wait up to 14 days for the request to cancel out in case it can't
go thru because, say, the admin contact email was just updated, and the registrar can't
resend the auth email to the new one on record.
It's no worse than registrars sending out misleading expiration notices, trying to get you to switch to them (DROA comes to mind). They're stealing business from more reputable registrars.
It's called "cherry picking". And that's probably one of the main reasons for the new
transfer policies.
