
My .in domain has been transferred to another registrant without notification - susam
https://twitter.com/susam/status/1200678538254393345
======
zenexer
Additional information and discussion:
[https://gist.github.com/susam/3cb42e571c4ab12987b286791bdfe9...](https://gist.github.com/susam/3cb42e571c4ab12987b286791bdfe9d2)

Commenters have speculated that the domain was seized by law enforcement due
to participation in a malware campaign. The domain in question may have been
used by malware that was phoning home, perhaps because the Linode server
hosting it was compromised. This stems from the fact that the domain's new
nameservers are Shadowserver's sinkholes:

    Name Server: sc-c.sinkhole.shadowserver.org
    Name Server: sc-d.sinkhole.shadowserver.org
    Name Server: sc-a.sinkhole.shadowserver.org
    Name Server: sc-b.sinkhole.shadowserver.org

Edit: When querying the domain in RiskIQ, one of the Linode IP addresses
formerly associated is tagged with `emerging_threats` and `kaspersky`. Other
domains/subdomains associated with the same IP address have similar tags.

One such domain is MathB.in, which is a public pastebin. It's conceivable that
malware was phoning home by creating pastes on that site.

Susam, I don't have much experience recovering domains in this state, but it's
conceivable that Namecheap will be able to put you in contact with someone who
can help resolve the matter. However, if there's something like a sealed court
order involved, you may find that you're stonewalled at first. I don't know if
there's any available recourse for this, especially since this appears to be
an international effort.

~~~
hsivonen
At least as of a couple of years ago, Shadowserver could accuse you of botnet
participation on such flimsy evidence that it was way too easy to frame
someone else as being a botnet participant. I don't want to give ideas how,
but it happened to me. Since then, I've configured my firewalls to block
traffic to Shadowserver IPv4 space. I'm more worried about getting framed
again than actually getting a botnet infection and not getting notified.

------
CaliforniaKarl
Important to note here that the Registrar (Namecheap) is working the issue[1],
and that the domain was pulled from them outside of their control[2].

[1]:
[https://twitter.com/namecheap/status/1200682593500483584?s=2...](https://twitter.com/namecheap/status/1200682593500483584?s=21)

[2]:
[https://twitter.com/namecheapceo/status/1200714718610153472?...](https://twitter.com/namecheapceo/status/1200714718610153472?s=21)
(This is from Namecheap’s CEO)

------
propter_hoc
Yeah, unfortunately, domain squatters have poisoned the well for .com domains.
There are many, many domains which should be available for use, but are being
squatted indefinitely for speculative purposes. This has caused pretty much
every new company to migrate to TLDs like .co, .ly, .me, .ai, .in, and .io.
Since these are almost all ccTLDs run by countries, governance is not great.
.io has been particularly bad;

* [https://news.ycombinator.com/item?id=15293578](https://news.ycombinator.com/item?id=15293578)

* [https://www.theregister.co.uk/2019/05/27/io_domains_uk_un/](https://www.theregister.co.uk/2019/05/27/io_domains_uk_un/)

~~~
endorphone
People who lawfully own a domain -- even if in a speculative fashion -- are
not domain squatters.

If you had a hot new product called CyberTrk and someone ran and registered
cybertrk.com, that is arguably squatting and can be legally enforced as such.

If you have what you think is a great new online notepad and notes.com is
sitting registered but dormant, the inelegant but reasonable way to respond to
your situation is "tough shit". Keep looking.

99% of the time that people rant about "squatting" they're talking about the
latter case. Yet they are not entitled to a domain because of some imagined
better use for it.

Sorry for the rant, but misclaims about "Squatting" lead to an iffy area where
people have a profound misunderstanding about property rights. I have zero
"parked" domains, but contemplating the issue long ago made me less outraged
when I lazily searched for the most blatantly obvious domains.

~~~
propter_hoc
Thanks for the reply, but this is quite a tangent to my point. I am not
arguing that it is not legal to hold a domain indefinitely for investment
purposes; I'm saying that since so many domains are being held this way,
startups are being forced to sketchier ccTLDs.

It also paradoxically means that .com domains are not quite what they used to
be: as more cool new companies have a .ai or .co, the public has stopped
thinking that "only .com matters". Like I said, the holders of the .coms are
just poisoning the well for the TLD.

To address your point directly, I do personally disagree with you that
"squatting for speculation" or "parking" as you prefer is harmless. Since
ICANN (or Verisign, I guess) controls the TLD, I do think they should
disincentivize this holding behavior with some kind of property tax. It's as
if vast tracts of Manhattan were just empty fields - not really in anyone's
best interest, in the long run, not even the property investors, who are at
risk of property developers going to more-hospitable jurisdictions.

~~~
endorphone
I referred purely to the incorrect use of the term squatting. They aren't
squatting.

Further, nowhere did I say that it was "harmless", or pass any value judgment
at all on it. I just said that it's not squatting (cyber, domain, or any other
prefix). Those people pay the same domain fees as anyone else.

"I do think they should disincentivize this holding behavior with some kind of
property tax"

They are paying the same domain fees as everyone else. However let's imagine
that they change it to charging some sort of "how lucrative is the domain
name" property tax, like Google hilariously tried to do with some of their
failed TLDs: We're currently talking about parked domains that cost an
absolutely negligible amount...I imagine a lucrative fee would be a bit more
disliked by these imaginary startups ready to fill all the good domains.

Sidenote - there was a rush to .io, .ly and other TLDs -- against all
reasonable caution -- because people thought they were cool and new, not
because they were their last resort

------
yowlingcat
Fascinating. The NameCheap CEO is in the replies, and seems to be saying that
the registration was pulled at the registry level for some "perceived
violation or legal request" -- I'm kind of curious regarding what protocol is
for these kinds of situations, and how much they vary from TLD to TLD. I think
about the once-popular .ly TLD becoming less popular after instability hit
Libya, but I'm curious about what the other case history is here.

~~~
belorn
I work at a registrar and as far I know there are no protocols. We are an
intermediary between the registry and registrant (in those TLDs which have a
registry/registrar/registrant model), but the business relations involved are
a bit more complex. The registrar's job is mostly set to only handle the
technical and billing aspect, while the legal relationship is between the
registry and registrant. Who owns a domain and which registrar handled the
billing and technical aspects is a legal decision which is outside the control
of the registrar.

The variation between TLD and TLD is massive. Practically all ccTLDs have
their own home made rules and more often than not their own technical
solutions to match. A big reason why the more exotic ccTLD's can cost a lot of
money is the hoops that registrars need to jump through, both legal and
technical, and the "workarounds" for both.

~~~
walrus01
There are even ccTLDs like .af (Afghanistan) where the root zonefile is edited
by hand for every new domain, in this case by some persons at the "Ministry of
Communications" in Kabul.

------
FfejL
I had this happen to a .com domain I own, also at Namecheap.

In my case it was actually a trademark infringement legal action. My domain
got listed as hosting a site that sold knock-off sunglasses[1] . The plaintiff
in the case got a court order to transfer all the suspected domains to them, a
list of about 1,000 domains. I got no notice, my domain just suddenly
disappeared.

I had my lawyer contact the plaintiff, in which we apologized, told them we
had no idea this had happened, and promised to up the security (in reality I
just nuked the WP site.) About a week or so later they transferred the domain
back. For me this was annoying and cost a few hundred bucks in legal fees, but
not that big a deal. Obviously not the case for Susam.

[1] My (largely abandoned) self-promotion Wordpress site got hacked, and was
used to host an e-commerce site. Weirdly the domain was ${my_real_name}.com,
hardly an obvious choice for selling knock off sunglasses.

~~~
anon1m0us
I actually think WordPress has contributed significantly to the decline of the
web. It's not secure. It proliferates so it's easy to hack. It's easy to embed
untested plugins in it that are also vectors. It's plagued by all the same
problems as Microsoft Windows.

------
frou_dh
If someone steals your domain registration, they can then change the MX
records and start receiving your email. In some scenarios, I think that could
be a more serious consequence than the website being down or replaced.

Same reason that deliberately letting domain registration lapse for a domain
that was used widely for email is a scary prospect.
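
The two failure signs raised in this thread, the nameservers flipping to a sinkhole (the `Name Server:` lines quoted above) and the MX records of a stolen domain being redirected, can both be caught by comparing registrar and DNS data against a recorded baseline. The script below is an added example, not code from any commenter or from Namecheap or Shadowserver; the WHOIS text, MX answers, hostnames and registrant names in it are constructed for illustration, and `dns1.registrar.example` / `mail.attacker.example` are placeholders.

```python
"""Baseline comparison for the records that change when a domain is sinkholed
or stolen: WHOIS nameservers, registry status, registrant, and DNS MX.
Added example (not from the thread); all inputs below are constructed."""
import re
from dataclasses import dataclass

# Constructed WHOIS output, modelled on the "Name Server:" lines quoted in the thread.
SEIZED_WHOIS = """\
Domain Name: example.in
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Registrant Organization: Hypothetical Seizing Authority
Name Server: sc-c.sinkhole.shadowserver.org
Name Server: sc-d.sinkhole.shadowserver.org
Name Server: sc-a.sinkhole.shadowserver.org
Name Server: sc-b.sinkhole.shadowserver.org
"""

# Constructed WHOIS output for the same domain while it is still in the owner's hands.
HEALTHY_WHOIS = """\
Domain Name: example.in
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Example Owner
Name Server: dns1.registrar.example
Name Server: dns2.registrar.example
"""

# Constructed MX answers as a resolver would return them: (preference, exchange).
HEALTHY_MX = [(10, "mail.example.in.")]
HIJACKED_MX = [(10, "mail.attacker.example.")]

SINKHOLE_NS_PATTERN = re.compile(r"sinkhole", re.IGNORECASE)
# EPP statuses set by the registry (server*) rather than the registrar (client*);
# the thread notes a registry lock appeared on the seized domain.
REGISTRY_LOCKS = {"servertransferprohibited", "serverupdateprohibited",
                  "serverdeleteprohibited", "serverhold"}


@dataclass(frozen=True)
class Baseline:
    nameservers: frozenset
    mx_hosts: frozenset
    registrant: str


BASELINE = Baseline(
    nameservers=frozenset({"dns1.registrar.example", "dns2.registrar.example"}),
    mx_hosts=frozenset({"mail.example.in"}),
    registrant="Example Owner",
)


def normalize_host(host):
    """Lower-case a hostname and drop the trailing dot so WHOIS and DNS forms compare equal."""
    return host.strip().rstrip(".").lower()


def parse_whois(text):
    """Pull nameservers, EPP status codes and registrant organisation out of WHOIS text."""
    record = {"nameservers": set(), "statuses": set(), "registrant": None}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "name server" and value:
            record["nameservers"].add(normalize_host(value))
        elif key == "domain status" and value:
            record["statuses"].add(value.split()[0].lower())  # drop the trailing EPP URL
        elif key == "registrant organization":
            record["registrant"] = value
    return record


def check_domain(whois_text, mx_records, baseline):
    """Return a list of human-readable findings; an empty list means nothing drifted."""
    findings = []
    whois = parse_whois(whois_text)
    nameservers = whois["nameservers"]
    if nameservers != set(baseline.nameservers):
        findings.append(f"nameservers changed: {sorted(nameservers)}")
    for host in sorted(nameservers):
        if SINKHOLE_NS_PATTERN.search(host):
            findings.append(f"nameserver {host} looks like a sinkhole")
    locks = whois["statuses"] & REGISTRY_LOCKS
    if locks:
        findings.append(f"registry-level lock present: {sorted(locks)}")
    if whois["registrant"] and whois["registrant"] != baseline.registrant:
        findings.append(f"registrant changed to {whois['registrant']!r}")
    mx_hosts = {normalize_host(exchange) for _, exchange in mx_records}
    if mx_hosts != set(baseline.mx_hosts):
        findings.append(f"MX changed: mail now routes to {sorted(mx_hosts)}")
    return findings


if __name__ == "__main__":
    for finding in check_domain(SEIZED_WHOIS, HIJACKED_MX, BASELINE):
        print(finding)
```

In a real deployment the constructed strings would be replaced by the output of a `whois` query and an MX lookup run on a schedule, with the baseline recorded once while the domain is known to be in good standing. The check deliberately ignores `client*` statuses, which a registrar sets routinely, and only flags `server*` statuses, which come from the registry and are the kind of lock the thread describes.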

------
sandGorgon
This is a malware takedown. And must definitely have happened at international
law enforcement level.

NIXI is regulated by Indian law and is the ccTLD registrar of .in. The domain
records show a registry lock and the new owner being "The Verden Public
Prosecutor's Office".

This is not common in India.

------
onetimemanytime
More or less, in a lot of countries with fishy legal systems you have zero
protections with their ccTLDs. Even then the courts might rule that the name
is not property or whatever.

In a lot of countries you will lose the name if the well connected person
there wants. They'll find a justification that doesn't pass any smell test but
you're out of luck. Nothing, absolutely nothing can be done. So use them, but
be prepared to lose your names. Everything is fine, until it isn't.

------
putlake
The same thing happened to my .cm domain with Namecheap a few weeks ago. They
were eventually able to recover it. But there was no communication from them
for quite a few days.

~~~
susam
I was able to recover my .in domain too. Here is the full complete story:
[https://susam.in/blog/sinkholed/](https://susam.in/blog/sinkholed/)

------
Avamander
In order to reduce risk I really wouldn't recommend running any service that
hosts any user content on the same domain and TLD you host your personal
stuff.

~~~
tzs
I've sometimes wondered if it would be worth getting something like
4e4eee247a69fab841ec36eabc95eee9.com [1] and only using it for email hosting
to host my contact emails and for my other services.

The idea is:

1. By having no other services on it that minimizes the chances that it could
get hacked and used for nefarious purposes that might get it seized by law
enforcement.

2. By using a meaningless name like 4e4eee247a69fab841ec36eabc95eee9 there is
no chance someone will come along with a trademark claim or an accusation that
I'm squatting on a name that they have a better claim to.

[1] dd if=/dev/urandom bs=1 count=16 | xxd -g 16

~~~
Avamander
I have a domain name like that, I primarily break login forms with it but that
was the initial idea, yes.

------
whalesalad
I just bought a .in domain for a side project and was a little worried about
this sort of thing being possible based on my experiences with registration.

~~~
nnain
There's an update on susam.in. He got the domain name back.

------
foob4r
Seems like the most likely case is that law enforcement clawed the domain for
suspicious activity.

Which brings up the question, is this problem limited to ccTLDs or TLDs like
com, net as well?

~~~
CydeWeys
You have much more protections on gTLDs than on ccTLDs (where you have none).

I've always wondered why so many people are using .io domains (and now .ai
domains).

~~~
marcosdumay
> You have much more protections on gTLDs than on ccTLDs (where you have
> none).

Hum... No. On ccTLDs you have the protections the issuing country gives you.
On gTLDs, you have the protections the US gives you.

Some countries won't protect your domains at all, others will protect it even
more than the US.

~~~
jefftk
What ccTLD would you describe as more protected than .com?

~~~
Permit
It depends what you're hosting. bodog.com is a legal Canadian-owned online
gambling website. But since online gambling isn't legal in the United States
they had their domain seized:
[https://www.cbc.ca/news/world/bodog-gambling-site-shut-down-...](https://www.cbc.ca/news/world/bodog-gambling-site-shut-down-canadian-owner-indicted-1.1159011)

It looks like after going through the courts they have had their domain
returned.

~~~
CydeWeys
That's a bit of a different situation though. They were illegally running a
gambling operation in the United States at a time when that wasn't legal, and
they lost a lengthy court case to that effect. The domain seizure was
incidental.

Contrast with the situation in the linked post, in which a .in domain was
randomly seized without warning, and crucially, without due process. Bodog had
the benefit of due process.

------
lazylizard
So. Namecoin? Onion domains? Opennic? Ipfs? How else can u opt out of icann's
influence?

------
instakill
Which TLDs are immune to this kind of takedown request?

~~~
RKearney
.onion

~~~
mirimir
If I could magically put this at the top, I would.

There are other options, but they require hosting on overlay networks, and
running your own name servers. But then people must install suitable gateway
routers to reach your sites. Those can be VMs, but it's nontrivial for most
people.

------
onetimemanytime
malware is my guess. New registrant is The Verden Public Prosecutor's Office
which shows up on:

" _Over the following years, the Luneberg police and the Verden Public
Prosecutor’s Office, in combination with the BSI, FKIE, BFK, and numerous
other law enforcement and industry partners, continued investigating the
Avalanche network, discovering a massive operation responsible for controlling
a large number of compromised computers across the world_.

[https://www.symantec.com/connect/blogs/avalanche-malware-net...](https://www.symantec.com/connect/blogs/avalanche-malware-network-hit-law-enforcement-takedown)

------
block_dagger
I’ve run a .in site through Namecheap for 6 years. Glad they are responding to
the issue.

------
a3n
> I owned this domain for 12 years ...

Rented. They _rented_ this domain for 12 years.

Not to excuse the appropriation. But no one _owns_ their domain, except
possibly govs and mega-corps by virtue of mass.

~~~
mr_toad
Legally it’s neither. It’s more like paying for a listing in a phone book.

------
gesman
That's a problem with all country-specific TLDs. At any moment country 'X'
can decide to take over '.xx' and nothing anyone can do.

------
dooglius
I wish we could switch to a system like Tor's onion services where each URL
has an embedded key, it would solve so many problems!

------
chatman
I think he should change his name and get a new domain. It must be hard to
have a name like that and trying to live a normal life.

------
pragnesh
I have purchased domain on namecheap based on yc feedback. Looks like i have
to rethink.

------
leetsec
The OP here is also the author of MathB.in, a popular math pastebin. He has
decided to shut down MathB.in now as a result of this incident. Quoting from
[http://mathb.in/6](http://mathb.in/6) below:

> I have considered shutting down this website several times in the past. But
> when another of my domain, susam.in, where I used to host my personal blog
> (archive) was seized and transferred to a law enforcement organization
> without any notification or authorization, it was the last straw. I do not
> wish to spend my weekends worrying about spam and unlawful content. I do not
> wish to maintain constant vigilance on my online servers to maintain
> ownership. It consumes time, more time than I can afford.

This is sad for WWW. We need more independently run websites, not less. The
web of early 2000 is rapidly disappearing.

~~~
anon1m0us
It's time for a new search engine -- and no, ddg is not it. We need a search
engine that doesn't search the new internet. The instagrams, the pinterests,
the wikihows, the seemingly every single blog on the internet that is designed
to take your time away from you by hydrating you in droplets between sweat
lodges.

We need to create a new internet on the internet that does not search the new
internet. DDG brings back content from the same sites google and bing does.

I want a new search engine focused on the passionate creatives who produce for
the web. The early adopters of the web who have been overshadowed by the
adwords and the interstitials and lightboxes.

I want content. I want a recipe site with the ingredients at the top and a
list of instructions below it. Not 6 paragraphs of why you want to eat this
food because of your grandma making it and then people come NO, just tell me
what to put in it and how to do it and that's it and load in .1 seconds
instead of 100 seconds and then stall every time I try to scroll because you
need to tell your advertisers which part of your page is looked at the most.

Your advertisers are more important than your readers and it's not cool.

~~~
mchristen
Serious question: Would you be willing to pay to access/consume the content
found on the search engine?

~~~
hollerith
I would. I know that because I spent a lot of time on the internet in 1992 and
1993, when the vast majority of internet content was produced by people not
expecting any monetary reward.

Today we have the concept of "user-contributed content", which means content
produced without expectation of monetary reward, then uploaded to a site
operated by an organization _with_ an expectation of monetary reward. In 1992
these for-profit organizations did not exist: the services through which
people accessed the content were created and operated without expectation of
monetary reward, too.

It was glorious. There are some valuable content and valuable services that
weren't produced in 1992 and would not be produced in the future if it became
impossible to profit from producing it, so I don't want to remove the profit
motive from the internet. But search results from Google (_and_ its
competitors) are now almost completely dominated by for-profit actors, and I
agree with grandparent that we need a new search engine that essentially
specializes in content produced without expectation of monetary reward.

~~~
yesenadam
> 1992 and 1993, when the vast majority of internet content was produced by
> people not expecting any monetary reward.

I don't have any figures - that would be interesting - but I guess even today
the 'vast majority of internet content' is produced not expecting any monetary
reward. It depends how you count the stuff what exact figure you'd arrive at.
99.9% seems closer to what it might be than 50%. Maybe I'm super-wrong about
that.

~~~
hollerith
Good point. The big difference between 1992 and today is the profit-seeking
middlemen between the reader and most of the user-contributed content. These
middlemen show ads, track people, require people to sign in and force people
to shift their attention to the task of getting rid of modal dialogs (e.g.,
"sign up for our newsletter") before they will display the user-contributed
content. They make it hard for the reader to concentrate on the current web
page by showing many links to other web pages on the site or on the sites of
the middleman's commercial partners. (Even Stack Exchange, named by another
comment in this thread as one of the good middlemen, does that.) In contrast,
navigating Usenet and the web of the 1990s was a lot more streamlined; to a
greater extent than is possible today, a reader could stay focused on the
user-contributed content or on his or her reading goal.

Of course there are middlemen today like Hacker News and Wikipedia that pretty
much stay out of the reader's way, but they are the middlemen for closer to
0.1% of the user-generated content than 50% of it.

~~~
yesenadam
Very graceful disagreeing, thank you! I appreciate it. I have a book called
_Talking Philosophy_ that says that when a philosopher at Oxford wishes to
express disagreement they say "Quite. But at the same time...", and that one
in Sydney says "Bullshit!" p.s. I'm in Sydney :-)

------
susam
The domain susam.in has been transferred back to me. I've updated the original
Gist post with recent updates on why this issue occurred and how it was
resolved:
[https://gist.github.com/susam/3cb42e571c4ab12987b286791bdfe9...](https://gist.github.com/susam/3cb42e571c4ab12987b286791bdfe9d2#updates)
(see the "Updates" section).

Summary: The Shadowserver Foundation contacted me by email and informed me
that my domain name was sinkholed accidentally as part of an operation they
were performing. They have now examined my domain name and found that my
domain name should be excluded from their operation. They worked with NIXI to
transfer the domain name back to me.

Thank you, everyone, for your support as well as for the great quality of
discussion on this thread.

------
rhizome
Capitalist interests prefer less competition, the end goal is monopoly. People
are trying to raise the prices of .org domains too, so I feel like a hammer is
about to fall as far as the practical level of involvement and presence on the
internet goes for individuals the world over. Keep an eye on the canary in the
coal mine, or even deploy several of them.

~~~
dang
Please don't take HN threads on generic ideological tangents. They lead to
generic ideological flamewars, which are all the same.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

We detached this subthread from
[https://news.ycombinator.com/item?id=21671771](https://news.ycombinator.com/item?id=21671771)
and marked it off-topic.

------
ur-whale
One more reason why DNS must as quickly as possible be migrated to a
decentralized blockchain.

I'd say DNS is the poster-child example of why - in spite of all the naysayers
- blockchain is a desperately needed technology.

~~~
zelly
DNS is already a decentralized database, much more efficient than a
blockchain. A blockchain only works for time series data.

~~~
ananonymoususer
I think the original (down-voted) poster meant that DNS should be
decentralized to something more than 13 servers, from which any government can
decide to seize a domain. A decentralized DNS system would improve free
speech, and it would help with due process when it comes to the involvement of
law enforcement.

~~~
zamadatix
There are 13 well known logical servers (~1000 physical) but they all
synchronize the root zone from ICANN just as anybody can
[https://www.internic.net/zones/root.zone](https://www.internic.net/zones/root.zone)

If it's authentication of authoritative response data you're looking for then
that's what
[https://en.wikipedia.org/wiki/Domain_Name_System_Security_Ex...](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
is for.
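
The point above is that the root zone is a public file anyone can download, and that DNSSEC's chain of trust from the root into a TLD rests on the DS records published in it. The parser below is an added example, not code from the commenter or from ICANN; the zone fragment it reads is constructed in the root.zone presentation format (tab-separated, one record per line), the nameserver names under `example.in` and `example.` are placeholders, the addresses are TEST-NET and documentation ranges, and the DS digest and RRSIG signature are placeholders, not real values.

```python
"""Read a TLD's delegation out of root-zone text: the NS records that point at
the TLD's servers, the glue addresses, and the DS records that DNSSEC uses to
chain trust from the root key into the TLD.  Added example (not from the
thread); the zone fragment is constructed, with placeholder names, TEST-NET
addresses and a placeholder DS digest."""

SAMPLE_ROOT_ZONE = """\
; constructed fragment in root.zone format, not the real root zone
.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2019112901 1800 900 604800 86400
.\t518400\tIN\tNS\ta.root-servers.net.
in.\t172800\tIN\tNS\tns1.example.in.
in.\t172800\tIN\tNS\tns2.example.in.
in.\t86400\tIN\tDS\t12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
in.\t86400\tIN\tRRSIG\tDS 8 1 86400 20191210000000 20191127000000 22545 . cGxhY2Vob2xkZXI=
ns1.example.in.\t172800\tIN\tA\t192.0.2.1
ns2.example.in.\t172800\tIN\tA\t192.0.2.2
ns2.example.in.\t172800\tIN\tAAAA\t2001:db8::2
example.\t172800\tIN\tNS\ta.iana-servers.net.
"""


def parse_zone(text):
    """Parse one-record-per-line zone text into (owner, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        owner, ttl, rclass, rtype, rdata = fields
        if rclass.upper() != "IN":
            continue
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def delegation(records, tld):
    """Return the root zone's view of one TLD: nameservers, DS records, and glue."""
    owner = tld.strip().rstrip(".").lower() + "."
    nameservers = sorted(rdata.lower() for o, _, t, rdata in records
                         if o == owner and t == "NS")
    ds_records = []
    for o, _, t, rdata in records:
        if o == owner and t == "DS":
            # DS rdata: key tag, algorithm, digest type, digest of the TLD's KSK
            key_tag, algorithm, digest_type, digest = rdata.split()
            ds_records.append({"key_tag": int(key_tag), "algorithm": int(algorithm),
                               "digest_type": int(digest_type), "digest": digest})
    glue = {}
    for o, _, t, rdata in records:
        if o in nameservers and t in ("A", "AAAA"):
            glue.setdefault(o, []).append(rdata)
    return {"tld": owner, "ns": nameservers, "ds": ds_records, "glue": glue}


def is_signed(records, tld):
    """A TLD is in the DNSSEC chain of trust only if the root zone publishes a DS for it."""
    return bool(delegation(records, tld)["ds"])


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ROOT_ZONE)
    for tld in ("in", "example"):
        info = delegation(zone, tld)
        print(tld, "NS:", info["ns"], "signed:" , is_signed(zone, tld))
```

Pointed at the real file from https://www.internic.net/zones/root.zone, `delegation(parse_zone(open("root.zone").read()), "in")` lists the servers the root delegates `.in` to and the DS records a validating resolver will use to check that TLD's keys; a TLD with no DS record has no DNSSEC chain from the root, which is the distinction the comment draws between who publishes the data and how its authenticity is verified.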

