
How we nearly lost our domain, and how to prevent this - jitbit
http://www.jitbit.com/news/198-how-we-nearly-lost-our-domain-and-how-you-can-prevent-this/
======
ilamparithi
Another experience with NameCheap. It was April 2014. I got a domain expiry
notification mail from them. I just saw that subject. The date mentioned was
4/6/2014\. I am lazy and procrastinate a lot. So I saw the subject and decided
that I'll renew later as I have two more months. On 6th April I got the
message that my domain expired. Then I realized it was not Jun 4th as I
originally thought. Not only the domain was expired, all the config details
were lost. Luckily it was only entries pointing to Linode. So I quickly
renewed the domain and added the entries. Still there was a considerable
downtime and panic. I think companies which operate internationally should use
unambiguous date formats. (Even if I had opened the email, I wouldn't have
interpreted the date in any other way. It was the same format everywhere. I
did give a feedback to them. Not sure whether they changed it or not).

~~~
JonoBB
US date format deserves a special place in hell under any circumstances.

~~~
Pxtl
Seriously. It's the best here in Canada where there is no consistent
convention between Euro-style or US-style dates. Officially Canada uses Euro-
style dates, but we're so intertwined with the USA that it's basically random.

yyyy-MM-dd or die.

~~~
bushido
It's definitely random.

I remember having to fill a Canadian form (govt.) that had three date
formats(in the same form), i.e.:

dd-mm-yy

mm-dd-yy

yy-mm-dd

------
yardie
Remember when ICANN used to not care about these things and we'd ask for
better enforcement of? Look, now they have.

If you've registered a domain name you should get an email every year like
clockwork saying to verify the information or you may lose the domain. It
takes 10 seconds to do a whois query. If you have more than a few dozen
domains then it is a business, treat it like one. The IRS or HMRC doesn't care
you didn't receive their notice. They'll fine you the same as if you ignored
it intentionally. ICANN is in the DNS version of them. Ignore them at your own
peril.

And $DEITY help you if you are using a DNS anonymizer. You are begging to get
your name highjacked.

~~~
rwallace
'DNS anonymizer' \- is that the same thing as a whois privacy service?

~~~
thenomad
And if it is - any recommendations for protecting your privacy whilst also
securely owning your domain?

~~~
kijin
1\. If possible, use a whois privacy service that keeps your full name exposed
and only hides your contact info. This removes much uncertainty about your
actual ownership of the domain. Gandi.net does this. Internet.bs also has an
option to do this, although I'm still not sure if I want to trust them at all.
NameCheap and GoDaddy hide everything, as do most of the other similar
services.

2\. When you sign up with a whois privacy service, thoroughly test the email
address that they put in the whois on your behalf. It should reliably forward
all non-spam to your real email address, including ICANN notices and any email
that you might need to check if you ever decide to transfer away.

Many registrars/webhosts are abysmal at managing their mail servers, so any
mail that transits through them might go straight into your Spam folder or
even disappear into thin air. Both Gandi.net and NameCheap are OK in this
regard, though sometimes the emails are delayed by a few minutes. Avoid any
company that puts more emphasis on webhosting than on domain registration.

3\. Some registries hide your contact info by default, so there is no need for
whois privacy. If you're okay with unusual TLDs, try finding out what their
policies are and whether you meet their requirements.

For example, as a citizen of South Korea, I am able to register .kr domains
without exposing my mailing address or phone number, but I can't hide my name
and email address. Corporations, on the other hand, aren't allowed to hide
their whois. Similar policies apply to .eu and a bunch of other European
ccTLDs.

------
sadris
ICANN doesn't block your domain. That landing page/DNS hijack is a Namecheap-
specific "feature".

~~~
z92
That makes sense. I was wondering why didn't I hear about it earlier?

------
jacquesm
It should not be too hard to search the whois registry data for all instances
of support@namecheap.com that are not for a namecheap.com owned domain but
simply registered through them.

That would turn up the companies that are at risk of having the same happen to
them.

~~~
chrisBob
Or, even better: I bet namecheap could do that search pretty easily themselves
and let their customers know.

~~~
claar
Good idea! They could email the domain's contact person! Oh wait..

~~~
jitbit
Well, they do have the email of the user-account the domain belongs to...

------
bowlofpetunias
Rule #1 I've tried to tell people since the 90's: _if the contact email on
your domain is not yours, it 's not your domain_.

It may be legally yours, but that's pretty f-ing useless if you go out of
business whilst trying to gain actual control over it.

In a practical sense, nothing else matters more on your domain registration
than controlling the email-address on the admin-contact, and actually reading
the damn email. (Which also means, no spam filtering that you don't control
and by which important notifications may be filtered out as false positives.)

Legal ownership of the registration comes a distant second.

If you can't handle that, outsource your domain management to a trusted party,
and don't bitch about "but registrar X is soooo much cheaper". You don't pay
them for registering your domain, you pay them for making sure your domain
remains yours 24/7.

Managing your domain registrations is a way too important to neglect, but most
organizations are ridiculously careless about them, even though one day of
being unreachable may lose them a shitload of money.

------
omh
I've just checked, and I have this for one of my .com namecheap domains but
not the other.

I suspect that this is a side effect of Namecheap's "WhoisGuard" feature. This
hides your Whois details, and I think there was a free trial of it when I
moved my domain across.

As I understand it, for WhoisGuard domains you'll get the annual checkup email
from Namecheap rather than ICANN[1]. Potentially in this case Jitbit missed
the email because it didn't look important, or perhaps the way that Namecheap
and ICANN are interacting has changed and has some loopholes?

[1]
[https://www.namecheap.com/support/knowledgebase/article.aspx...](https://www.namecheap.com/support/knowledgebase/article.aspx/9305/34/new-
icann-whois-validation-process)

------
philbarr
That's a very useful tip that I will bear in mind. Are there any other common
sense rules that we should remember when owning / transferring domains? I only
own one so it's not something I deal with a lot.

~~~
dwd
Number one rule would be when letting someone register a domain on your behalf
that you have access to retrieve the authcode/domain password and preferably
can change name servers. I've lost count of how many time I've had to argue
with web designers who register a domain for a client and keep it in their own
account (a violation of some TLDs T&Cs).

Another situation is the "promotional domain" where you prepay hosting and
receive a complimentary domain but not full access to modify it or you have to
pay to have it unlocked.

Also be careful with which registrar you check for availability as if you
don't buy immediately you may find the domain on their premium list the next
day at an inflated price.

~~~
jafaku
> Also be careful with which registrar you check for availability as if you
> don't buy immediately you may find the domain on their premium list the next
> day at an inflated price.

I have always been scared of that kind of thing, though in the end it never
happened to me. So it is a thing then?

~~~
dspillett
_> So it is a thing then?_

I've not heard of it happening to anyone in recent years, but Network
Solutions were definitely accused of it in 2009, using the 5-day "tasting"
period. See [http://en.wikipedia.org/wiki/Domain_tasting#Anti-
Domain_Tast...](http://en.wikipedia.org/wiki/Domain_tasting#Anti-
Domain_Tasting_Measures) for a mention. I would very be surprised to find that
it doesn't go on in various places to this day, so for paranoia's sake only
search for names you want using known reputable providers.

Way back in is mists of time (~1999/2000, while at University) I had it done
to me. We were going to register a name for our student house (and a few other
people) and searched for two options both of which were available at the time.
A week later when we came back both were registered by the same individual
(not directly linked to the company from what we could gather) with a "buy
this domain! (for several times the usual cost)" page present. This could have
been a coincidence of course, so we looked up a collection of other
convincingly real names (from various locations so it wasn't a block of
lookups from the same address). A short while later they were all registered
the same way, and not on the "5 day" thing either because they all still were
a while later. We could have been cruel and search a great many more (had we
actually cared about the name(s) we "lost" we might have done) to waste their
money but didn't as we had far more important and/or fun things to be getting
on with at the time.

------
underline
My local (Czech Republic) registrar accidentally deleted mandatory e-mail
contact on one of my .cz ccTLD domains this month. I could not receive zone
operator’s communication and was not able to change anything, especially NS I
needed (that’s how I found out). The domain could’ve been lost, as it could
not technically be registered without valid e-mail address.

Set up checks for your whois records, just in case your otherwise legit
registrar messes up. Also, know your TLD’s rules. As “bowlofpetunias” already
mentioned, nothing is more important than owner’s e-mail contact.

It took my registrar’s support sloths one week to manually type in the e-mail.
They did so without verifying my identity or contacting the owner (me, but
they could not know that). E-mail address is all it takes to change the owner
of .cz. The owner can’t be possibly changed without zone registrar’s
verification code or notarized letter.

“Hi, I’m so and so and I need you to change the owner of this domain name.
Don’t bother contacting the owner [even though you are required to do so by
zone operator]. Just type in whatever I tell you, okay? Thanks, bye!“

It’s shocking how easy it is to steal a domain name registered there. Their
technician contacted me (or the former owner) only once the owner has been
changed.

They did not even apologize and certainly did not realize their severe
misconducts. They also shrug off a bug I reported last year without fixing it.
(I should probably warn other customers thinking about it, as they are the
second biggest registrar in the country now, soon to be first.)

------
james_pm
Couple of tips for domain owners:

1\. Don't turn off the reminder emails from your registrar. I know they can be
annoying and you probably get too many of them, but turning them off means
that you won't know when your credit card expires and your domain isn't going
to renew automatically (for example).

2\. Use a valid, real email address for your owner contact. Use WHOIS Privacy
if you are concerned about spammers harvesting WHOIS for emails. Don't use
support@ or webmaster@ unless you check those emails regularly. ICANN now
requires your registrar to verify your email address and a single bounced
email to the owner contact triggers that process. If you don't see it, you'll
be offline in 15 days.

3\. Treat your domains as the valuable assets they are. Yes, $15/year...not
expensive in the grand scheme of things. But the value of that domain is
likely much, much higher to you and your company.

ps. More on the new ICAAN registrant verification process which started on
January 1, 2014 can be found here:
[https://help.hover.com/entries/25406514-Registrant-
verificat...](https://help.hover.com/entries/25406514-Registrant-verification)

~~~
danielweber
I argue that your email address for registrars should be secret[1], and every
time an email goes to it an alarm bell should ring until someone reads it.

[1] So don't use "domain@mycompany.com", use "domain-
manager-481234@mycompany.com". Recognize that this is purely an obfuscation
layer, not meant to provide security in and of itself, but to cut down on the
noise so that you always examine every mail to it very closely.

------
unreal37
I'm not impressed with Namecheap over this. Suspending people's businesses
over a missed email is outrageous.

What other business requires users to validate their identity so frequently?
Not my car dealer, not my dentist, not my web host, not Google, not
Facebook.... nobody.

I have received two of these emails from Namecheap, but none from Godaddy or
enom. May be time to move back to GoDaddy.

------
bitJericho
Might I recommend Gandi.net. Their slogan is why I pay the extra bucks.

~~~
thenomad
How many extra bucks are we talking? I register quite a lot of domains...

~~~
bitJericho
15-17 for .com, .net, .org. 15 percent discounts on 3 year or more
registrations. Bulk discounts too I believe.

If you're a mega buyer/seller, gandi is probably not for you, although it can
be if you can take advantage of the included services. If you have a handful
of important domains that run thriving websites than Gandi is for you.

With domains you get free dns, free access to dns api, free email, free
website builder (I use those for gag sites, eg,
bitcoinsexchange.itmustbetrue.com). A few other included services, but most
importantly, no bullshit.

------
dspillett
I and a bunch of others have checked all our domains that are with or have
been with namecheap and found the contact details to be as we expect them, so
this certainly doesn't seem to be a universal issue.

I wonder what the cause/catalyst is for those domains/accounts that _are_
affected?

------
ANH
FYI, here's a Namecheap page that should show domains pending verification:
[https://manage.www.namecheap.com/myaccount/WhoisContactsVeri...](https://manage.www.namecheap.com/myaccount/WhoisContactsVerification.aspx)

------
devanti
Don't use Namecheap.

I bought a domain from them once. Later during that same day, I forgot my
password so I typed it incorrectly like 3 times. This automatically puts my
domain BACK IN THE OPEN MARKET. I was appalled. When I emailed their support,
they said I had to verify my identification by sending them personal documents
-- I believe it was two pieces of ID. Total BS.

I simply bought the same domain through Gandi and never looked back.

What could have happened: I could have bought a domain and someone else could
have typed my password incorrectly, losing my domain. That person could then
steal my domain by registering it else where. Crazy.

~~~
devanti
For those who are downvoting - I have a Namecheap Order Summary email so I
technically bought the domain. Maybe in their system it wasn't acquired yet,
but I still had the right to it at that time.

~~~
pavel_lishin
The "technically" in your comment is jumping out and glaring at me; what do
you mean you "technically" bought the domain?

~~~
devanti
It means I put in my credit card and the payment went through and I got a
confirmation email of my order.

------
mantrax5
Had the same happen to me, but since I'm a cynical sob, I check all my data on
transfers, so I noticed and changed it immediately.

Other info that gets damaged during NameCheap transfers may include company
name, phone and fax.

I reported it to them. More than a year ago. We've spoken about this. Look how
much of a fuck they've given.

------
dueprocess
Namecheap swapped my contact info with theirs too (I just checked).

Seems to me Namecheap have been sketchy lately. Time to move to Gandi.

~~~
gioele
Not related to the article posted here, but yes, move to Gandi.

Gandi is expensive but Gandi is the best registrar you will ever find (if you
do not have to deal with DNS records every day but only seldomly).

Gandi support is great. And they did never advertise:
<[http://www.gandibar.net/post/2014/03/26/Why-Gandi-doesn-t-
ad...](http://www.gandibar.net/post/2014/03/26/Why-Gandi-doesn-t-advertise>).

~~~
johnchristopher
There is a typo in the url and it turns out to be funny _:

Document not found

The document you are looking for does not exist.

[http://www.gandibar.net/post/2014/03/26/Why-Gandi-doesn-t-
ad...](http://www.gandibar.net/post/2014/03/26/Why-Gandi-doesn-t-advertise)

_ Sigh... I wouldn't dare to use the word 'ironic' on the internet ever again.

~~~
gioele
> There is a typo in the url

Argh, that HN parsing bug again.

The HN parser has problems with angle brackets: if you write < URL > (without
spaces), HN will leave the opening angle bracket untouched (good) and attach
the closing angle bracket to the URL (very bad), so the URL written in the
@href attribute will be wrong.

Using < URL > (without spaces) is the way URLs are meant to be written in the
middle of a sentence. It is sad that HN has problems with that syntax.

