Hacker News new | past | comments | ask | show | jobs | submit login
ICANN has taken my site hostage (levels.io)
127 points by pieterhg on Feb 17, 2017 | hide | past | web | favorite | 90 comments

Strange to see everyone sticking up for ICANN here. I'm of the opinion that their rules about WHOIS are harmful. Even if you think that the information should be kept accurate and up to date, is the appropriate recourse for ICANN to really have the site taken down until its resolved? Maybe as a measure of last resort. I would personally wait until they try to renew the domain and make them update the info then.

Another problem is that since WHOIS data is public it's not effectively possible to run a website anonymously. I'd be okay with sharing contact info with limited parties (ICANN, registrar) but forcing people to share this info with the public is nuts. It makes running a website as an individual much more personally risky.

As far as I can tell from the article, this issue came up due to a change in the contact information. The changed involved an error that resulted in placeholder contact information being replaced by outdated personal contact information. This error was due to the registrant or registrar.

That left ICANN in a tricky situation. The registrar was pushing them this modified contact information, so they needed verification. Waiting until the next time the domain name is renewed is not a good option because that can be years down the road. That is especially true if this happened immediately after renewal. (The article was not clear whether the auto-renewal of the privacy service occurred during domain name renewal.) This opens up an opportunity to abuse the system.

Of course refusing to changed the DNS records until the updated contact information was verified is an option. It is probably a process error on ICANN's part, a process that is probably more a result of changes to policies than malice. Still, changing the policy does not change things all that much. In that case the registrar would have to take action because the privacy service was not renewed. They would probably end up doing the same thing as ICANN. If they didn't, the system would be ripe for abuse yet again.

The issue is that ICANN shouldn't have to verify that information.

As a customer I only want to interact with my registrar. Why do I even have to talk to ICANN? My registrar can then interact with ICANN if necessary.

To your second point, isn't that exactly what services like Whois Privacy offer? Certainly not fully anonymous but your actual contact info is limited to the registrar and the privacy service (not even ICANN).

So they artificially create a precarious situation and then charge you money for it (or at least, allow registrars to do so). If they just didn't disclose the information publicly without your consent, the whole privacy-as-a-product wouldn't be necessary. But then people would be less rich, I guess.

The issue with that is that from Icann's POV, the privacy service is the owner of the domain. It's not an ideal solution

Aye, and it works well. But I don't think it should have to, and I think ICANN should behave more tactfully when it fails.

Absolutely true re: ICANN's process. I skipped your first point because at first glance your solution didn't seem helpful, but then I couldn't really think of the value/purpose of the current solution, hah.

What makes this complex is that there is ICANN the company and the ICANN community and registrars that offer anonymising service that are not supported by the community.

(Note there is plenty to complain about how ICANN or the community functions.)

For a lot of reasons, it is nice to know who owns a domain and privacy is just an annoying detail. So it is long standing practice that WHOIS information has to be accurate. In theory, the ICANN community can change this. In practice I doubt you would get consensus on that.

That's rules you have to deal with and ICANN (the company) is tasked with enforcing those rules.

Knowing that ICANN enforces these rules, it doesn't make sense for a registry to make random changes to the WHOIS of a domain. If there should be any blame, if a registrar is violating community principles as a service, then be way more careful.

Or as a domain holder, if you want to violate community principles don't complain if that backfires.

And you can think about the other way round: and if a site is doing something wrong, like distributing software, spreading a copy of your book, sharing unconsented nudity, and the list goes on... should you be able to hide behind anonymity?

I would be consider allowing the records to be made available in court by judicial order (i.e. a subpoena). Still not public.

Also, what the servers are doing isn't the domain's business. Traceroute the IP and bring it up with their ISP. Killing the domain isn't going to kill the availability of the content.

... Enter CloudFlare. You're now dealing with a scammer hiding behind Anon-DNS and a Server behind CloudFlare.

The situation is now this:

> what the servers are doing isn't the domain's business

> what the servers are doing isn't CloudFlare's business

The Anon-DNS provider doesn't feel responsible, CloudFlare doesn't feel responsible (while at the same time hosting the authoritative DNS). I can't even tell which jurisdiction these spammers operate from, so it's kind of impossible to do anything about it.

God I hate receiving these stupid "We are just a reverse proxy, we are not responsible" emails from CloudFlare. They most these clowns will do is forward my contact info to the ISP running the criminals' backend servers, which might very well be these same criminals.

Thanks for nothing CloudFlare.

I'm curious, have you ever been mailed a rotting dead rat in a plastic bag before?

Some people have legitimate reasons to not want to be found and the police aren't going to do much with that kind of harassment either.

Similarly, if there is legitimate evidence a "crime" was committed via the website they can seize the domain or the registrar can. "Anonymous DNS" information doesn't get you very far if there is a legitimate court case.

> Some people have legitimate reasons to not want to be found

That's definitely true!

But let's say a crime has been or is being committed (and I am not sure why you're putting it in quotes) via a website who's contact information is available via WHOIS and which is served from a legitimate ISP.

The usual route to take is to contact the registrar and the ISP with the info that this-and-that is happening. Usually, after a short period of time the registrar or ISP will agree (or not!) that whatever is going on is not acceptable on their network, and then take appropriate action. That even works for privacy oriented ISPs in Island, where they are under not legal obligation to do anything.

This is what I've been doing for many years when I come across illegal content, spam, botnets, phishing, and so on.

Sometimes networks do not cooperate and then usually it possible to block their net ranges as a means to make them realize hosting botnets isn't maybe so great.

But with the combination of ButtFlare and certain Whois privacy hosters, this is not possible. ButtFlare is too large to just block, and ButtFlare just doesn't give any fucks. They aren't a beacon of light upholding freedom of speech on the internet, they are just too cheap to actually have anyone deal with these sort of reports seriously, so they, instead of reading what I report to them, report with the same canned response:

> We are just a proxy. We are responsible for nothing.

The absolute maximum they are willing to do, is forward my request to the upstream ISP, which for safety reasons is unacceptable.

So you see, I do understand the legitimate need to not be found.

I just think that if you run a service as your main business, then you are responsible for what your service is offering.

Ebay somehow manages to not be a marketplace for anonymous heroin deals, I'm holding CloudFlare to the same standard.

> ButtFlare

+1 for that alone. I've fond memories of the Cloud2Butt extension.

note to self: this extension changes the text in textareas ...

To play devils advocate many other publishers must publicly acknowledge who they are and who owns them - why should the internet be diferent.

As do public companies.

If a site is doing something that's illegal in one jurisdiction and protected in another, then what?

(e.g. sharing Falun Gong material, or for a more controversial example Wikileaks)

That is a loaded question, but still the answer is "of course".

If ICANN can seize a domain for a clerical error, they can seize one for a crime. If measured by the American standard of innocence first, then a 3rd party would make & prove their claim and the 3rd party would have the domain seized or defend themselves.

Also, I could beat the current system with a gmail account and a vanilla visa gift card.

What about this loaded question, which is also as absurd:

Shouldn't piracy claims and "alleged" victims of revenge-porn post and a continually update their contact info publicly online. Should you be able to hide behind anonymity(1).

1. There is a difference between anonymity, and non-public.

People sharing illegal things are likely to sign up with bogus information.

The authorities have access to that information anyway.

There's nothing wrong with distributing software or spreading a copy of my book.

As somebody who worked for a company selling domain-names and being responsible for the registration and renewal of domain names; this sadly enough is a very familiar situation.

ICANN in my humble opinion has no blame in this, they are simply following the rules that they set out and OP agreed with when he registered the .com domain name. As stated in other comments keeping your WHOIS information is the sole responsibility you have when owning a domain name. That and timely renewing the domain of course.

In my somewhat limited experience the WHOISGUARD system is something that only causes problems. It's a pain to work with when transferring or trading a domain name and upon expiration can result to the exact situation that OP currently in. To add, I'm somewhat weary of a site that hides it's owner. The whois data can create a certain form of trust and serve as a verification to ascertain the owner of the site is who he claims to be. I'm not sure why you would want to hide this data.

A .com domain has the option to register the domain in the name of a corporation, thus removing the personal data of the owner (name and email) and only showing the name of the company, it's data and a administrative e-mail address in a minimal setup. As OP has; and I quote; "about a hundred domain names", I'm not sure why no company has been formed to solve this problem for all these domain-names.

I personally think that the WHOIS system is one of the best ways to solve the problem that domain name registration poses. It's accessible for anyone, anywhere, in plaintext and without the need for special software. It's actually pretty great.

Edit: typo's

We're not criticizing ICANN based whether or not they can follow the rules they imposed. We're criticizing them for creating such strict rules that seem to cause more damage than good. There are so many scenarios where this can go wrong, and some websites/domains are the most valuable things people have. There's also no way easy to protest this either.

> has no blame in this, they are simply following the rules that they set out

That's a nice piece of dissonance they have and which you are rebroadcasting into the aggregate. I don't agree at all, and would point out all of us should be doing anything we can to figure out how to establish a decentralized governance for the Internet...for the world's unheard.

Thank you for your insight. I mean this comment seriously, because it is the only reason i don't run more websites:

what happens when my site gets very popular and lucrative, and someone uses my whois info to rob me in my home?

Don't use your home address in whois, period. Use a business address. If you have a site that is lucrative then you have enough to pay for a PO box or an office space. There are plenty of companies that will provide on demand office space and take and forward mail for a couple hundred dollars per month or less.

You don't have to get popular for this. All kinds of people can be the victim of targeted harassment campaigns. Such as indie game developers.

Thank you very much, I completely agree. The arguments that people should either pay up for WHOIS protection or use a publishing platform is like choosing between being extorted by the crips or the bloods!

I respect the information you have provided, but there is no reason in my mind that I should need to pay a couple hundred dollars for an address, or registration for a business etc

the reason for this is that I am a non-Serbian citizen living in Serbia right now, where most people have monthly expenses of $300!! :)

Does it realistically matter if you don't use a correct address?

I ask because I have a number of domains still registered to an old home address. I have never bothered to update them due to laziness and privacy concerns - but the domains keep working.

There has never been an attempt to verify the address.

> what happens when my site gets very popular and lucrative, and someone uses my whois info to rob me in my home?

You form a company around it and use the business address? Or use your domain registrar’s privacy guard if you can’t/won’t form a company.

By that point it's too late? If I want to register a domain, but have no money or time, I'm not going to incorporate just to do it. If a year later it goes viral and starts making enough money to be worth incorporating, my information is already public.

If I then move it to a business address, that will prevent casual snoopers but you can buy access to historical whois records...

Yeah, I see your point.

Thankfully (though not helpful in your case) the UK registry does allow “non trading individuals” to opt out of the public record. You can also change the registrant type from individual to company later.

I appreciate your response! I responded to another poster above. sure the prices arent exorbitant, but it feels like being offered a choice on how youd like to be extorted

> I'm not sure why you would want to hide this data.

Imagine I find your domain now and because I don't like what you wrote, I'm going to start contacting you on your private phone and start sending you mail at home. Would you still want to keep your real data on whois? Guess when I stopped.

> A .com domain has the option to register the domain in the name of a corporation [...] I'm not sure why no company has been formed to solve this problem for all these domain-names.

Isn't paying a company to do this basically the same, and less hassle?

> I have about a hundred domain names. How can you expect me to check my inbox daily and click a link for all these domain names. It’s not 1995. This is not realistic. The consequence of shutting down someone’s business if they don’t confirm their email is way too crazy.

I'm not a particularly big fan of ICANN's process here either, the same thing has happened to me before and it was very annoying. But "I have lots of domains" and "who uses email anyway" are extremely poor excuses. Having lots of domains seems like about the most logical reason one should be on top of this sort of thing.

If the government required you to click a link every time you bought something online, and upon failure to click, they confiscated it, would you feel the same as you do now?

But here's the thing, you don't actually buy a domain name; in other words it's not property. Also, your registering a domain name is contingent on agreeing to the registrar's conditions, and some of those conditions are required to be there by the registrars agreement with ICANN. So you are entering into a contract.

If you buy a car and park it directly in front of a fire hydrant and forget about it, then the government will seize your car until such time as you pay your fine, the towing fee and storage fee. If you register a domain in contravention to the agreed contract then ICANN will seize your domain until such time as you correct it (including the time it takes to confirm that you have complied). It really isn't that strange.

But what if the contract is unreasonable? Blocking a fire hydrant is an understandable problem and is handled in a decentralized manner (either a ticket you can plea to after the fact, or someone tells you to politely move your car)

seizure and then negotiation is an unnecessary show of force in my opinion, unless the site was doing something criminal

> But what if the contract is unreasonable?

What is unreasonable about requiring accurate and up-to-date contact information for the registrant?

I would say that the net positive having this information provides the ICANN is not outweighed by the net negative to website owners (hassle to manage admin if you own 100s of domains like some superusers here do, privacy concerns, identity theft, physical intimidation)

That's perfectly fair. I don't think we needed government intervention or fire hydrants to get there (: I do like the public nature of this information and have used it for legitimate purposes on many occasions, but privacy concerns are valid. Not sure how to solve that one.

Anyway as I stated originally, I am no fan of ICANN's process here, but currently it is what it is so the responsibility, particularly of superusers, is to understand and have systems in place for compliance. I simply do not buy the "too many domains" and "who uses email" excuses presented in the post.

I agree with you, especially on your last part, when we apply the analogy to cars as well

"i have too many cars, so i shouldn't need to worry about if i park some of them in front of fire hydrants"

i would say that im struggling to understand a situation where the confiscation of a domain or a car is ever warranted, unless something criminal and clearly urgent (a fire, a drug running operation) needs to be stopped, rather than just as bureaucratic overreach to ensure payment and compliance

I'm in the registrar space. A few observations.

The process overall is not great, but ICANN's process didn't fail this customer. The customer needs to keep contact information up to date. If you own 100+ domains you should be very familiar and have your own process for managing this.

Its been this way since 2013.

The process to shut down a site is quite thorough in that many attempts at contact need to be made.

I'm a little surprised a phone call wasn't generated. By the time we've emailed you 3 times - we are making a phone call - we don't want to shut down a site if its at all avoidable.

This "24-48" hours stuff is nonsense - The suspension/un-suspension of a domain can be done almost immediately.

It remains to be seen but NameCheaps only potential issue here is whether they failed to renew the WHOIS privacy service.

>> "The customer needs to keep contact information up to date."

I own a few domain names and they ask me to update this info one per year. I've never understood why they need it at all though. Why should they have my address/contact info and why should it be publicly available? I'm sure the answer is obvious but I can't figure it out.

First, thats the way it is - so knowing that you need to keep the information up to date.

Regarding Why - ICANN runs on a multi stakeholder model, meaning governments and legal entities get a seat at the table too.

They have an interest in knowing who is behind a domain - its that simple.

Also whois privacy is not the protection everyone thinks it is. Its a lock on a door. It keeps casual looks out - spammers, scammers, etc.

If a government or police organization wants that information and they have legitimate need to do so, they will get it.

"I forgot to pay a bill basically because I forgot to check it was set on auto renew. It was for the landlord of my office space. She emailed me but I forgot to give her my up to date email address a while back - I never hear from her normally, and tbh communications about this sort of stuff are pretty low level so I shouldn't have to worry about it. Each week I need to do about two things to do with the admin of my tenancy here in the office building, the landlord emails me about trivial stuff - checking things, making sure that that new guy who said he worked for me didn't get a set of keys to my office space, updating things. TWO THINGS A WEEK! I don't have time for that. So now I'm super pissed off and people are starting to say I'm maybe not all that professional for letting stuff like this slide."

Honestly I'd blame Namecheap, not ICANN. My registrar was much more relaxed - I did not need to take any action

Please take a moment to view the WHOIS listing for each of the domain names you currently have registered through us. Please verify your mailing address, email address, and the administrative and technical contacts assigned to each domain name are correct. If your WHOIS information has changed or is inaccurate please log into your account manager and update accordingly. If your WHOIS information is correct, you do not need to take any action.

This is a bit different, and it's possible your registrar is not yet using the latest RAA (Registrar Accreditation Agreement). Specifically, the email you're talking about is the once-a-year verification email that all compliant registrars must send. The OP was dealing with a new rule which is part of the RAA 2013, which adds the requirement for verifying emails within 15 days of any registrant change that impacts either the name or the email address of the registrant.

(Edited to fix typo for RAA)

"I didn't update my contact information, so now I can't be contacted. How dare you"

"Why didn't any of ICANN's 340 employees who manage 6.5 million domains (~18571/person) call me personally to discuss how I would like to work through my fuck up? The monsters."

If I understood correctly:

- the user has made some mistake about some auto-renew feature, so that it didn't work smooth and has fallen to the previous known state (=using his real information)

> For some reason, WhoisGuard wasn’t set to renew and it expired.

- because of that, he didn't notice he was receiving e-mails, since it was an e-mail address he hasn't used for years.

> Because I’ve been using WhoisGuard for years, I haven’t used the old email (...) that USED to be set as the contact BEFORE (...) This email wasn’t connected to this domain for 3 years. So when it switched back, I never got ANY of ICANN’s verification request emails.

- Well, his old e-mail probably got the e-mails. He just didn't check it because he didn't access the old e-mail. ICANN now verifies every change in the whois information by sending an e-mail (something that I regard as a safety measure, because, well, when you register, you must inform a way to be reached, and e-mail is a reasonable way to do it):

> The problem is (1) their emails look like SPAM and often end up in SPAM folders (2) who uses email these days anyway? (3) they often send them to old email addresses.

Or, in other words, my e-mail provider filters e-mails automatically (samp rules), who should use e-mail when e-mail is the official way to be contacted about your site (huh?) and ICANN send e-mails to the old address (which is the one he informed when he registered his site).

I'm not sure, perhaps I misunderstood something, but the problem seems to be caused:

- by the user: now using auto-renew, not updating the whois information, not checkin the e-mail regularly (or having some forwarding rule to the e-mail he uses today)

- by the WhoisGuard, if the auto-renew was disable by mistake of the site, not from the user

- by Gmail (?), by having spam rules (?)

And I don't know where it wa a ICANN error.

Sorry, but I don't see a real problem here. The user lost his site for few days, ok, but due to some mistakes he made.

One thing you forget though, any email I've had that has been public on whois receives around 100+ spams per day, so the fact that their confirmation email looks like spam and is also often automatically filtered to the spam folder is a problem because it's lost in a sea of useless emails that no one checks.

In principle having whois records is fine and keeping them up to date is fine but because of bots and people who send spam to public addresses like that it doesn't make sense nowadays especially if you have multiple domain names for different businesses...

I do agree with you that spam is a problem. I'm not sure how good filters are, nowadays, if you create a rule to store emails from @icann, @whoisguard or so on, in a specific folder, whether this will or will not be mixed up with spam (I don't know if whoisguard, for example, always send some specific wording that could be filtered in to mark as "not spam").

My only point is that ICANN specifies that you should have a contact. Almost every site that I know don't have public information anymore, all information is hidden behind some service like whoisguard.

In general it's a paid service. If don't pay/renew/etc, each one will have a procedure. In the case of whoisguard, it's to provide the information he had about the real owner. Good, that's what whoisguard did.

(side note: was the OP checking his e-mail about informations sent from whoisguard, since it was a very old e-mail? Did he missed something by not checking it?)

ICANN tried to confirm this change by sending e-mail to the e-mail they had. No luck.

Officially, whoisguard wasn't in the circuit anymore, I don't know if ICANN should have contact them, and given that whoisguard had exactly the same address that they provided to ICANN whois (that old e-mail), don't think it would have made difference.

Namecheap should have stepped in? Don't know. Perhaps, if they were diligent enough, they could know that whoisguard was expiring and be in contact with the OP. OTOH, they are separated companies, probably there wasn't any legal obligation in doing so, and I don't know if it suits their business model to be kind to their costumers.

ICANN should have contacted namecheap? Don't think so. They had an e-mail address. They contacted it, as I understood. The OP didn't check it because.... it was an old e-mail and "who uses e-mails anyway".

Yes, it had impact in one of his sites. Yes, nobody likes that. Yes, probably the OP is in anger right know, and might or might not read all these comments in a different mood in the future.

I read this thread as lessons learnt: if you depend on something for your business, like ICANN, I'd take some steps to be sure that a bad "configuration" (the miss of auto-renew) doesn't add up with another problem (having an old e-mail as a contact) and with another one (don't checking that e-mail, don't having a forward rule, don't trying to filter it out outside spams)... to have such a problem.

Even a kind of heartbeat if the site was alive or not seems to be important: weren't for some costumers complaining, how long would the site be out before the OP noticed?

> The user lost his site for few days, ok, but due to some mistakes he made.

Only if you take ICANN's procedures as a given. They could have adapted one of dozens more customer friendly ways of dealing with this, but they don't have to because they're ICANN and they can do this with impunity.

Exactly. There's lots of ways to do this better. For example contacting the registrar (NameCheap) and finding another contact on the domain (or my NameCheap's official account's email) that does work.

There's ways besides shutting down somebody's entire business. Which seems like a power move, if anything.

> And I don't know where it wa a ICANN error.

OP didn't say ICANN made an error, he says ICANN has a stupid and/or badly implemented policy.

:) I choose "made an error" to be more subtle. He original words were:

> "This is an short story on how ICANN acts like mafia and has taken my site, Nomad List, hostage for 2 days now."

That implies malicious activity, or some other kind of wrongdoing like extortion or something like that.

I don't even get why would would need any contact info on a domain in the first place? It's just supposed to map ips to names, it should be registrable without anything but an email address to recover it if needed.

In practice the contact info is so that some companies can spam you with offers for SEO services and other stuff along with all the other typical spams you get.

The best one is I own a domain that is basically <my name>.Com

A couple of times a year I'll get an email asking me if I'm interested in buying a domain like <mky name>.com for (the one that quoted a price) $1000.

Usually just ignore them.

Aliyun asked me via email to send them ID copy, credit card copy, credit card statement for last 3 months in 24 hours otherwise my account would be shut down.

I did so in 39 hours because I don't check that email account very often.

All my running instances were shut down in 2 weeks without additional warnings. Only emails I got from them were about 20$ coupons for referral. As support later explained, I did not meet 24 hours deadline.

(AWS haves me as customer last 4 years with 10's of thousands USD spent yearly and never asked for ID or credit card copies).

Wow. I wonder if that's a PCI violation to ask for a credit card copy via email... Doesn't sound very secure to me.

Simply put, you need a better registrar. Namecheap should step up and edit your contact info to whatever you want, push out that ICANN email again, and let you ack it. We've done this many times for customers. We also don't charge $5/yr for domains. But you get what you pay for. Sorry if this sounds harsh, but these things happen all the time with cheap i-services. If your business is a little more important, you need to pay a little more for exceptional cases like this.

While I understand the sentiment, the author's analogy is bit off. ICANN is not the maffia, they are however in effect an institutional bureaucracy. Throwing a Medium hissy fit probably won't make them move any faster to resolve this.

Is this particular implementation of the email verification mechanism really required by ICANN? My registrar (OVH) sends an email that requires no action if the contact information is correct.

So, not only did you let the subsciption lapse, you didn't keep the crucial and important contact information up to date? The information you're informed how crucial is for your continued ownership of the domain?

Owning a domain is not a right, it's a business relation. Treat it as such and know the what and how of it. If I don't pay the yearly fee on my car, they'll take the plates - should I make an angry blog post about they should "ask me nicely"? And hey, you can preorder my book btw...

> If I don't pay the yearly fee on my car, they'll take the plates - should I make an angry blog post about they should "ask me nicely"?

Renewing a passport at my city hall used to take several visits, often with a long wait, during business hours. After enough people complained the procedure was mostly moved online, with optional Fedex delivery of the passport.

So, you see, these business relations are not set in stone, it's just that they were formulated for maximum convenience of ICANN, without consultation of domain owners...

I compeletely agree, but in this case the OP did not stay on top of the contact information, and it cost him a lot of issues and lost work. ICAAN does many things wrong, but this was not one of them. Keep the contact information updated, it is not that hard.

> So, not only did you let the subsciption lapse

No, where do you read this? I paid for my domain. NameCheap's WhoisGuard expired, contacts changed to old ones I didn't use from 3y ago. The domain was paid for. My "business relation" with ICANN was paid for.

> If I don't pay the yearly fee on my car, they'll take the plates.

No, I paid for the domain. They took it hostage because my 3-year old email wasn't confirmed. That's not about a business relation. That's bad "business" behavior.

You let the WhoIsGuard lapse, you explicitely write so. It's your responsibility to ensure that your contact information stays updated in this case. I really don't see the problem. ICAAN does many things wrong, but this was not one of them.

ICANN as a whole is a pain in the ass to deal with.

We had one of our domains taken hostage because the whois information pointed to our support@ address, and the support staff thought it was spam.

What it's supposed to help, I don't know - because accurate registration information really doesn't seem to be a whole lot of help to anyone except perhaps ICANN themselves.

Anonymising services or not, nothing on WHOIS needs to work except the email address, and that can be a random gmail address, the only thing you ever need respond to is ICANNs email.

It certainly doesn't help in trying to identify or contact the real owner of domains.

Another gripe with ICANN is that they're zero help when trying to take down scamming/spamming domains. Adding to that, many registrars simply don't give a shit about what their customers are doing with the domains they register.

At work we own <ourcompanyname>.com and the local equivalents in pretty much every country.

Some scammer purchased <ourcompanyname>.<new-generic-tld> and used that in fake job ads (the 'We need a support person in <country> to process payments' etc type). The ads get taken down pretty quick (job boards are familiar with this) but not before enough people are emailing jobs@ the scammer's domain. We only heard about this because a few people emailed us pissed about the scammy behaviour.

We contacted the hosting company, domain registrar (both the reseller and the actual registrar), and Donuts, all of whom either completely ignored us, or said fuck off talk to ICANN. Even having our lawyers send a C&D letter to all the various parties got us nowhere. (Hosted in Russia, registered to a fake address in NYC, etc).

ICANN won't touch it without us spending up to submit a dispute, which we did, but it takes them months to process and each domain costs something like USD$1500 to dispute. In the months while the scam was active, we got something like 100 people contacting us to report it, god knows how many actually fell for it.

While we're in the process of disputing that, the smartass registers a couple of new generic-tld domains and starts using those.

It's easier to just put fake name and address in the required fields. Only the email is used for verification.

This is a stupid requirement anyway. The fact that whoisguard exists is testament to it.

I am disgusted by ICANNs approach here but not to spare NameCheap:

If WhoisGuard expired, shouldn't they update the domain WHOIS data with his current contact details. I can't imagine levels not having up to date email address with his account.

So if I am correct, WhoisGuard expired, record reverted to original one. But domain is still registered via NameCheap. NameCheap should use levels current details. Not the one from 5y ago.

> I have about a hundred domain names. How can you expect me to check my inbox daily and click a link for all these domain names.

Why would you have those mails go to your inbox? Why not have something in your incoming mail filters that looks for them and moves them to a mailbox dedicated to domain admin mails? It's way easier to monitor that way, and harder to miss something in the noise.

Good news is a bunch of people just checked their WHOIS email address.

Other than the click-baity headline and book plug at the end, I think it's spot on.

I've encountered a similar situation where I never received an email or written letter (my contact information was correct in WHOIS). Suddenly I noticed I'm not receive emails for the affected domain, I check the site and is down.

I reach out to my registrar who tells me it's a new ICANN policy and that I should have gotten an email...

> No Pieter, you should read your email more carefully, this is a consequence of your messiness.

Yep. End of story.

Idk... it seems kinda fair of ICANN. Using something on top of your domain like WHOISGUARD rather than... just the one that's included at your registrar is odd, let alone not keeping email addresses alive. Annoying, yes, but this happens to everyone!

whoisguard is namecheap's whois anonymization service: https://www.namecheap.com/security/whoisguard.aspx

While this stucks ICANN clearly states that the email used here must be working. Even when privacy is enabled it just redirects to the set email. If that is not available i dont really see the issue when they shut it down.

Didn't Obama give complete control of ICANN to the United Nations recently? Was he just feeling super generous to other countries because I suse wasn't on board with that idea. :(

This is not true: https://qz.com/761219/in-44-days-the-us-will-no-longer-overs...

The entire overview of the decision is in the article. Essentially, one piece of how the Internet was managed was handed over from the U.S to ICANN. The reason is fairly straightforward; the federal gov did not feel the need to manage this thing for which there was no need for them to manage it.

Given the realities, automation is the only real solution.

You misconfigured your domain and as a result did not receive important communication sent to it. What's the controversy?

I'm not sure if this is a genuine question, but if so, the controversy is this: Why should ICANN have the power to suspend your domain name in the first place? How does the Internet get better by having an organization that can terminate your key business (or personal) asset just because you missed (or misread, keeping in mind not everyone is fluent in English and everyone is wary of scams) an email they sent you?

NameCheap did the same thing to me, except it was even worse because it was on a domain name I purposefully let expire (I didn’t want it anymore). But instead of letting it expire with the Whois Guard data they changed it to my real data and essentially doxxed me right before it expired.

Here is the email I got from the support:



Thank you for contacting Namecheap Support!

Please accept our sincere apology for any frustration this issue may have caused you. Let us just clarify the issue: WhoisGuard protects domain contacts 7 days after expiration. After that WhoisGuard is disabled and depending on TLD contact details may or may not be displayed. Therefore these details are not mentioned in the quoted message. We would like to assure you that we have forwarded your feedback regarding the issue to the corresponding department and they will consider implementing it as soon as possible.

The TLDs provided below usually have their contact details revealed in 7 days: .us.com ; .de.com ; .pw ; .website ; .press ; .host ; .online ; .space ; .io ; .co ; .me ; .info ; .biz ; .link ; .xyz ; .site ; .london ; .club ; .design ; .rent ; .college ; .tech ; .cn.com ; .eu.com ; .gb.com ; .gb.net ; .uk.com ; .uy.com ; .hu.com ; .no.com ; .qc.com ; .ru.com ; .sa.com ; .se.com ; .se.net ; .za.com ; .jpn.com ; .ae.org ; .kr.com ; .ar.com ; .us.org ; .com.de ; .wiki ; .fans ; .com.se ; .gr.com ; .jp.net ; .la ; .rest ; .bar ; .ink ; .co.com ; .love ; .br.com ; .uk.net ; .hu.net ; .in.net ; .mex.com ; .theatre ; .security ; .protection ; .cloud ; .top ; .us ; .bid ; .trade ; .webcam ; .men ; .black ; .pink ; .blue ; .red ; .kim ; .shiksha ; .lgbt ; .poker ; .pro ; .accountant ; .download ; .loan ; .racing ; .win ; .review ; .date ; .party ; .faith ; .cricket ; .science ; .mobi ; .voto ; .vote ; .green ; .mom ; .porn ; .adult ; .vegas ; .global ; .sex ; .irish ; .bz ; .vc ; .game ; .asia ; .stream ; .com.bz ; .net.bz ; .com.vc ; .net.vc ; .org.vc ; .krd ; .film ; .one ; .sydney ; .melbourne ; .study ; .audio ; .blackfriday ; .christmas ; .click ; .diet ; .flowers ; .gift ; .guitars ; .help ; .hiphop ; .hiv ; .hosting ; .juegos ; .lol ; .photo ; .pics ; .property ; .sexy ; .tattoo ; .xxx

As a possible work-around it is possible to have an active domain removed from your Namecheap account. So if you have any non-expired domains in the account and you do not wish to renew them, you can just contact us and we will remove them. As a result, your contact details will be substituted with the ones of Namecheap and they will be shown in Whois.

Should you have any questions please do not hesitate to contact us again.


Needless to say I won’t do business with any company that doesn’t take privacy of their customers seriously.

They don’t even warn you Whois Guard is about to expire.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact