[gnso-rpm-wg] [Ext] RE: Action Items from 30 November Working Group Call

claudio di gangi ipcdigangi at gmail.com
Wed Dec 6 01:18:10 UTC 2017


Hi George,

Whether that domain has active MX records was not really germane to my
larger point.

Let's use another example of a domain I just researched on the NAF site:

<XXXXXXXXXXXX.top>  (I redacted the second level domain); if you want to
research the specific domain on the NAF website, it is Case Number: 1621938

This domain: 1) was registered on May 23, 2015; 2) was suspended on June
21, 2015; 3) had its Whois updated on March 28, 2017; 4) is still
registered, and not set to expire until May 23, 2018;
5) is still sponsored by the same registrar (that appears in the URS
decision); 6) is still registered to the same registrant (that appears in
the URS decision); 7) the registrant has control over the Name Servers,
i.e. the Name Servers are a well-known 3rd party, and not associated with the
NAF's servers; 8) the Whois reflects the domain status is: "Domain Status:
ok https://icann.org/epp#OK"; 9) the domain is offered for sale online for
$1000.

Going back to Jon's original question (which I agree with), I think we need
to make an assessment on 1) to what extent does the URS permit renewal
and/or continued use of a previously suspended domain, and 2) to what
extent is renewal and/or continued use of a previously suspended domain
consistent with the intended purpose of the URS; and 3) to the extent it is
inconsistent, whether any policy recommendations should be implemented to
address the inconsistency.

Best regards,
Claudio


On Tue, Dec 5, 2017 at 6:30 PM, George Kirikos <icann at leap.com> wrote:

> Hi Claudio,
>
> On Tue, Dec 5, 2017 at 6:17 PM, claudio di gangi <ipcdigangi at gmail.com>
> wrote:
> > I referred to the Chrome browser display as evidence that it was in fact
> > renewed (you are correct though, there doesn't appear to be another phishing
> > site back up and running at the moment, with that said I didn't check the MX
> > records to see if email was being exploited)...although there is nothing in
> > the URS policy that prevents that from happening as far as I understand.
>
> The Chrome browser "evidence" is not proof of anything, except that
> Chrome is intercepting the domain name before it attempts to resolve
> a site. WHOIS is better evidence. There'd be no MX records at present
> given the name appears to not even be in the zone file, i.e. do a "dig
> EXAMPLE.COM NS" but change "EXAMPLE.COM" to the relevant domain name
> --- no nameservers at present. Also, even if the name was in the zone
> file, it would have adrforum.com (NAF) nameservers, i.e. from WHOIS:
>
> >> Name Server: ursns1.adrforum.com
> >> Name Server: ursns2.adrforum.com
>
> So it would presumably have the same URS Suspension webpage, had it
> been resolving, and presumably NAF isn't exploiting incoming emails to
> suspended domains.
>
> Sincerely,
>
> George Kirikos
> 416-588-0269
> http://www.leap.com/