[registrars] Grave Robbing and SEDO Fencing

Lau richard at lau.com
Tue Aug 7 15:06:56 UTC 2007 

Ross wrote: "Changing the name of the registrant in a database doesn't
change who the legal registrant is."

It all depends on the stone-walling nature of the Registrar. For a $10
registration, many registrars simply point to the Domain Registration
Agreement where invariably it says something along the lines of "The person
named as Registrant on the Whois shall be the registered name holder."

Therefore, if the Admin Email is compromised at the ISP level, or via social
engineering at the Registrar Level, which then leads to the Registrant being
changed (prior to the transfer out), many Registrars will tell their (now
former) customer "sorry, you allowed your Registrant information to be
changed, and the whois-listed Registrant is the registered name holder,
therefore the Transfer-Out was valid."

I have an example of a domain where the Admin Email was an IMAP account on a
hosted webserver. The Admin Email IMAP account password was given to a
hijacker in Iran as a result of social engineering. The domain Registrant
was changed. The domain transferred out. Was then sold to an Innocent
Purchaser.

Typically at that point, a Losing Registrar is unwilling/reluctant to
indemnify the current Registrar against the Innocent Purchaser suing, and
the real Registrant is told that they are SOL since they allowed their
Registrant information to change, and the domain is now owned by an Innocent
Purchaser. And they are told to settle the matter in court.

I have more examples where the stolen domains are currently sitting at
GoDaddy. But unfortunately these occurred before the TDP, and the real
Registrants have all but given up hope.



Richard

 
-----Original Message-----
From: Ross Rader [mailto:ross at tucows.com] 
Sent: 07 August, 2007 3:30 PM
To: Lau
Cc: 'Paul Lecoultre (CORE secretariat)'; 'Registrars Constituency'
Subject: Re: [registrars] Grave Robbing and SEDO Fencing

Again, another fallacy. Changing the name of the registrant in a 
database doesn't change who the legal registrant is. Whomever entered 
into the original agreement with the registrar is the registrant, unless 
those rights are legally assigned to another third party (i.e. as part 
of a sales transaction).

I am not sure why a transfer dispute provider would rule against the 
legal owner in a situation like this (assuming that the registrant was 
able to prove ownership, etc.). I can understand a "no finding". The 
TDRP shouldn't be examining whether process was followed, but rather, 
that the wishes of the registrant have been executed. I can understand 
why resolution providers might examine process, but to rely on it solely 
to determine outcome seems shortsighted.

Lau wrote:
> Ok, let me rephrase...
> 
> If the Registrant and Admin are fraudulently changed, and then a Transfer
is
> processed, then according to the TDP and the Gaining Registrar, the
transfer
> is fine. 
> 
> If however, the Losing Registrar agrees that the listed Registrant was not
> actually the Registrant due to an internal error or fraudulent change,
then
> yes, I can see that the TDP would apply.
> 
> Any real world experiences where the Losing Registrar admits to a fraud
> happening on their end when the Gaining Registrar is fighting the TDP
> (claiming that all process was followed)?
> 
> Thx
> 
> Richard
> 
> -----Original Message-----
> From: Ross Rader [mailto:ross at tucows.com] 
> Sent: 07 August, 2007 2:55 PM
> To: Lau
> Cc: 'Paul Lecoultre (CORE secretariat)'; 'Registrars Constituency'
> Subject: Re: [registrars] Grave Robbing and SEDO Fencing
> 
> Lau wrote:
> 
>> Am I wrong? (Please, someone, tell me that I am).
> 
> The subtlety that tends to get missed is that the transfer policy hinges 
> on whether or not the registrant, or the admin at the behest of the 
> registrant, approved the transfer of registrar. I am not sure why this 
> has been interpreted as "if the admin approved it, it must be good", but 
> this has been the case since the policy was implemented. If the 
> registrant hasn't agreed to it, even if the admin has, it is technically 
> a bad transfer.
> 


-- 
Regards,

Ross Rader
Director, Retail Services
Tucows Inc.

http://www.domaindirect.com
t. 416.538.5492

More information about the registrars mailing list