
Zoho.com CEO says domain with 40M users suspended for abuse complaint - achynet
https://twitter.com/svembu/status/1044265646739996673
======
svembu1
Zoho CEO here.

Our domain was abruptly blocked by our registrar this morning. Our NOC team
and myself tried to get in touch with them and they tell us "Contact our
legal". Even I could not get in touch with anyone beyond their phone operator.
The domain was restored, but as DNS takes time to restore, we are still facing
issues. They later claimed there were abuse complaints about Zoho.com emails
(which is our personal email service with millions of free and paid users). We
received a total of 3 complaints from them and two of them have been acted
upon and one is under investigation.

Once we dig our way out of this, we will find ways to make sure no one takes down
our domain again this way.

~~~
KenanSulayman
You should consider using Google Domains. There’s literally no company that’s
more professional in this regard.

~~~
unstuckdev
Google is their direct competitor.

~~~
sudhirj
This isn't really a problem for companies the size of Google - while they may
well refuse service to competitors or prohibit usage via terms of service, if
they do allow a competitor on board there's no way they treat them any
differently - there will be huge legal ramifications if they do.

------
JohnTHaller
The importance of using a reliable registrar can't be overstated. tierra.net
looks like a small company, without 24hr support, and with an abandoned social
media presence. Why would a company with 40M users use a tiny registrar to
save 2 bucks on a domain name?

~~~
snowwrestler
I've been very happy with MarkMonitor. They have good customer service, a good
reputation, and best of all, they auto-renew domains and send an invoice. That
means that the failure mode is "domain is renewed, I owe them a check."

If your domains are riding on a credit card, you potentially have a failure
mode of "card was declined, my domain did not renew, everything is down."

~~~
sandGorgon
How much does MarkMonitor cost? There is no pricing anywhere.

~~~
snowwrestler
My invoices say $20/yr per .com; other TLDs are more expensive. Because we
have a ton of domains we spend over $20k a year with them. I'm sure there is a
minimum but I don't know what it is these days.

I would not say MarkMonitor is a tool for startups. It's a tool for
organizations that would lose a lot if they lost a domain. I bet Zoho wishes
they could go back in time and spend $10k to avoid this problem they had.

------
Animats
Well, of course. Look what business Zoho is in.[1]

"Email marketing software that drives sales. Create, send, and track email
campaigns that help you build a strong customer base."

They don't have 40 million users. They have 40 million targets.

Of course they don't get many complaints. If you search for "zoho opt out",
you get sent to a page with a HTTP 400 error.[2]

[1] [https://www.zoho.com/campaigns](https://www.zoho.com/campaigns)

[2] [https://help.zoho.com/portal/kb/articles/what-does-email-opt...](https://help.zoho.com/portal/kb/articles/what-does-email-opt-out-field-mean-while-creating-contact)

~~~
anumita
Hi,

The "email opt out" [2] link is fixed now.

~~~
Animats
No, it's not. Nothing in "help.zoho.com" seems to work.

400 Bad Request in Firefox.

curl:

        curl https://help.zoho.com
        <html>
        <head><title>400 Bad Request</title></head>
        <body bgcolor="white">
        <center><h1>400 Bad Request</h1></center>
        </body>
        </html>

------
walrus01
This is a hard lesson for people that no matter how resilient your
authoritative DNS infrastructure is, for your own nameservers (plus route53 or
similar), your domain _registrar_ is absolutely a single point of failure.

If you have something with 40M customers I'd highly recommend going with the
same domain registrars used by some of the Fortune 100 companies.

Seizing a domain at the registrar level, by court order, is also how the US
government implements "seizure" of domains, if you've ever seen a torrent
index site that has suddenly been replaced with a big scary FBI page
(examples:
[https://www.google.com/search?q=this+domain+has+been+seized+...](https://www.google.com/search?q=this+domain+has+been+seized+fbi&num=100&client=firefox-b-1&source=lnms&tbm=isch&sa=X&ved=0ahUKEwizv5jHutTdAhW8IjQIHaefBf0Q_AUIDigB&biw=1788&bih=1227&dpr=0.9)
)

------
foo101
Honest question: What exactly does it mean for a registrar to block a domain?
I believed so far that for my browser to successfully connect to a web server
running on a domain or for a mail server to deliver email to a domain, there
should only be valid A, AAAA, MX, and/or CNAME records in the DNS.

Was it really a block at the registrar level or was it a block at the DNS
level, i.e., the registrar also ran DNS service and their DNS service refused
to return responses for zoho.com domains?

At what layer or at which stage of the protocol can a registrar disrupt this
and take a domain offline?

~~~
avens19
I assume the registrar was also the nameserver in this case

~~~
chrsstrm
Am I seeing things or is dig really telling me their NS records pointed to
vtitan.com? Who the hell is vtitan? Route53 with AWS would run them what, $100
a month for their level of traffic?

~~~
unstuckdev
Zoho appears to have funded it along with a few other companies.
Unfortunately, the Indian news page that reported on the launch is even worse
than news sites in the US with popups, pop-ins, pop-overs, pop-rocks, etc, so
I can't in good conscience link it here.

~~~
acct1771
Archive.org, for next time.

------
themihai
I believe DNS/domain name is really a problem that could be better served
using a blockchain technology. The registrars can't be trusted.

~~~
jamieweb
Namecoin is a good example of this - decentralised domain registrations using
the .bit TLD.

~~~
themihai
Namecoin is cool but I think there are still big issues to be fixed, like
renewals/pricing to avoid one person getting all the good domain/sane names.

~~~
jamieweb
Yeah you're right - Namecoin has a massive squatting problem. It costs only
pennies to register a name which doesn't help.

One possible solution is a proof of work for name registrations, similar to
the Onion Name System [1]. There is a short talk by Jesse Victors that
explains it nicely [2].

[1] [https://github.com/Jesse-V/OnioNS-HS](https://github.com/Jesse-V/OnioNS-HS)

[2] [https://youtu.be/zZzOVKPcIMg](https://youtu.be/zZzOVKPcIMg)

------
lifty
I really hope [https://handshake.org](https://handshake.org) will catch on. It
has the potential to solve a few very hard problems (PKI and online identity)
without fundamental changes to the way the Internet works.

------
ttul
This is why you register your domain with MarkMonitor or Cloudflare. I cannot
comprehend why they were so stupid to use a registrar that is not corporate
oriented. This is just unreal.

~~~
toast0
The domain was registered in 2004; MarkMonitor was around then, but Cloudflare
wasn't. I was involved in moving a domain to MarkMonitor in 2013; at that
time, they had a rather steep minimum spend to get on their platform, and they
barely wanted to talk to us.

~~~
LeonM
You can transfer a domain name to a different registrar.

------
sandGorgon
What is the startup-friendly MarkMonitor alternative here? I don't see
pricing information at a lot of these services... so I'm guessing they are
$$$$$$.

Anything which startups can use and is $$?

------
sreenadh
Couple of things about Zoho that I don't understand.

- Why use the same domain for the free service, which is usually more prone
to abuse?

- Zohocorp.com is hosted on GoDaddy. Why not move all your domains to a
single company so that they value your business more and give you a better
level of customer service?

I hope once this is all over, Zoho just shares their feedback and some advice
that will help small businesses.

~~~
donmcronald
I’ll add another. Why do they use the same domain for both MX records? Why not
use mx.zoho.com, mx.zoho.net so that if one domain gets busted at the registry
level the backup MX still works?

~~~
Symbiote
Perhaps a reliable CCTLD for the alternative, so it's not under the US
government.

I noticed Amazon use a UK domain for one of the four Route 53 nameservers they
specify.
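
Added example (not part of the thread or any commenter's post): a small Python check for the MX and nameserver concerns raised in the two comments above. It simulates a registrar suspending each registrable domain in turn and reports which suspensions leave no resolvable MX target. All host names use the reserved example.* domains and are constructed; the two-or-three-label rule for registrable domains is a simplifying assumption.

```python
# Added example with constructed data; none of these are Zoho's real records.
# Assumption: the registrable domain is the last two labels, or three for the
# suffixes below. A production check would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk"}

def registrable_domain(host):
    labels = host.rstrip(".").lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def zone_up(domain, zones, suspended, seen=()):
    """True if `domain` still resolves while `suspended` is on registrar hold.
    In-zone nameservers count as reachable (glue lives at the registry);
    out-of-zone nameservers need their own zone to be up. A dependency loop
    is treated as down, which is the conservative answer."""
    if domain == suspended or domain in seen:
        return False
    for ns in zones.get(domain, []):
        ns_zone = registrable_domain(ns)
        if ns_zone == domain or zone_up(ns_zone, zones, suspended, seen + (domain,)):
            return True
    return False

def outage_causes(mx_hosts, zones):
    """Registrable domains whose suspension leaves no resolvable MX target."""
    return [d for d in sorted(zones)
            if not any(zone_up(registrable_domain(h), zones, d) for h in mx_hosts)]

# Both MX targets under one domain: the situation the comment questions.
SAME_DOMAIN = (["mx.example.com", "mx2.example.com"],
               {"example.com": ["ns1.example.com", "ns2.example.com"]})
# Backup MX under a second TLD, but its nameservers still live in example.com.
HIDDEN_DEP = (["mx.example.com", "mx.example.net"],
              {"example.com": ["ns1.example.com"],
               "example.net": ["ns1.example.com", "ns2.example.com"]})
# Backup MX and its nameservers independent of example.com.
INDEPENDENT = (["mx.example.com", "mx.example.net"],
               {"example.com": ["ns1.example.com"],
                "example.net": ["ns1.example.net", "ns1.example.co.uk"],
                "example.co.uk": ["ns1.example.co.uk"]})

if __name__ == "__main__":
    for name, (mx, zones) in [("same domain", SAME_DOMAIN),
                              ("hidden dependency", HIDDEN_DEP),
                              ("independent", INDEPENDENT)]:
        print(f"{name}: single points of failure = {outage_causes(mx, zones)}")
```

The middle case shows that a backup MX under another TLD does not help if that domain's own nameservers all sit under the domain that gets suspended.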

------
zorkw4rg
It's not like Zoho is known for their high availability anyways, their domain
not being reachable is just par for the course.

Also since it said "suspended for abuse complaint", I would almost immediately
assume that Zoho just didn't properly handle abuse claims and it's their fault.

Needless to say I have an incredibly low opinion about their "service" based on
having used their mail product for almost a year (switched to Google
afterward).

------
TekMol
So as a domain owner you are completely at the mercy of your registrar?

What is considered a reliable registrar in Europe?

~~~
kevingrahl
For private or business use?

Privately I’m pretty happy with Namecheap, they never failed to provide the
support I needed in a friendly and precise manner. For business purposes with
high value domains MarkMonitor seems to be the industry leader.

~~~
kweks
I love namecheap - customer for over 10 years - but a recent incident has me
rethinking my patronage. We recently received a "lawyer DDOS" - where a law
firm sent multiple letters claiming /alleged/ trademark infringement. Without
proof of identity, proof of subpoena, judge's order - whatever - namecheap
rolled over on their WHOIS protection. There was no dialog, no email from
legal, nothing.

I was dismayed to see that someone can literally send one email, get your
personal info, and impact your company.

Very disappointed in namecheap.

~~~
automated_toast
I am also on namecheap and this freaks me out. Can you provide more info?

~~~
highclass
Read my comments too. Namecheap definitely is just as bad.

------
noja
Incredible. Their registrar (TierraNet) has some explaining to do.

------
jtl999
I hope they move to a proper domain registrar after this...

The lack of decent options of domain registrars for technical people that don't
need their hand held and have decent security, while not being $$$$ enterprise
options is depressing...

I use Uniregistry which has TOTP support and what seems to be a competent
team, and a friend swears by AWS's Route53 domain registration, but more
choices with actual good policies and aren't just a reseller would be welcome.

------
anonymous5133
I've had similar issues when operating my business. The bottom line is your
company is only as strong as your vendors. If you pick weak vendors then your
business is harmed as a result. If you find that you have a weak vendor then
you must dump that vendor immediately and replace them with someone who is a
strong vendor. Period.

------
unstuckdev
A whole lot of people are learning about the hazards of centralization in
email lately. First Google turns GMail into a slow-loading nightmare for
weaker computers like mine, then they announced the closure of Inbox. Now 40
million people are without email because Zoho couldn't keep up with registrar
consolidations
([https://news.ycombinator.com/item?id=18060013](https://news.ycombinator.com/item?id=18060013)).

Zoho is fine as a service, but a domain suspension shouldn't cut tens of
millions of people off from email.

~~~
chooseaname
> A whole lot of people are learning about the hazards of centralization in
> email lately.

What is the alternative?

~~~
unstuckdev
I don't know, I'm not an email geek. Lots of smart people run their own email
systems and report good delivery rates going by past threads here. Maybe they
can work together on something more accessible.

~~~
tomschlick
[https://mailinabox.email/](https://mailinabox.email/) has worked well for me
in the past

------
ai_ia
This is pretty bad service from Tierra registrar. I am taking this as a
cautionary tale for everyone. Domain registrars have way too much power. A
backup domain, in case things go south, should be a must.

------
TheMagicHorsey
I really don't understand why any enterprise service would use these kinds of
bargain bin registrars. Is using a reputable registrar with professional,
enterprise-grade service not worth it given the scale of someone like Zoho?
Optimizing to save a tiny amount on your registrar while you have millions
pouring in from customers seems like a really poor decision.

I really believe in running a lean business, but running lean means cutting
the fat, not cutting out your muscles and tendons and running with a naked
skeleton that is fragile.

------
ksec
Reading through the thread, people have similar problems with namecheap,
name.com.

So if you can't afford something enterprise like MarkMonitor, and you don't
want something super cheap $9.99 per year. What sort of good quality middle
ground choices do we have?

------
mesozoic
40M users doesn't really give a good idea of how significant 3 complaints are.
Still it sounds like some additional screening and protection against phishing
needs to be implemented on Zoho's side.

------
casper345
ZOHO went down and hundreds of thousands of businesses went down... feel like
this should be a bigger warning of how dependent we are on a handful of
companies?

------
sbr464
I feel that once you’ve passed a certain size you should move the domain to a
more professional service, no matter the cost. MarkMonitor etc.

------
gibsonf1
Wow, Zoho is down a second time today now with a 400 Bad Request...

------
ddingus
Direct IP?

Got a major sales push today, looking for a bandaid.

------
glglwty
Is there a blockchain for DNS?

~~~
yjftsjthsd-h
I believe OpenNIC was something like that.

~~~
hsk0823
Like namecoin? or [https://handshake.org](https://handshake.org)

------
teilo
Running their DNS on a 2-bit registrar is exactly the kind of thing I have
come to expect from Zoho. I am forced to use this company for a handful of
services at my company. If I started to tell you the idiocy I've had to put up
with from these guys, I'd never stop ranting. I'll save it for DevRant.

~~~
svembu1
The domain was registered over 22 years ago, and it kept moving through
registrars who were acquired. We do have a solid record of reliable services,
and have kept growing in spite of never taking a dime in outside capital.

~~~
brianmurphy
To me this is even worse than choosing a bad registrar once by mistake. You
keep choosing companies who can't stay in business and let your domain float
around like it didn't matter. The second or third buy-out of your name
registration should have been an alert to switch to a top tier company for
stability. On the internet, your domain name is literally the crux of your
services.

Thank you for sharing your story. It should serve as a warning to others who
may need to audit their infrastructure.

------
WC3w6pXxgGd
This is terrible.

