…or other shenanigans.
OK, the headline is a bit sensational. But the truth is that if you let a domain name expire while it is still tied to any sort of online account, you’re putting yourself at extreme risk.
Why the soapbox? I just finished reading this post from Ben Reyes about how he used an expired domain to get access to someone’s entire history of Gmail, Google calendar, contacts, etc., and this gave him a key to unlock the person’s other online accounts like Amazon.
Basically, Reyes tried to use his newly registered domain for a Google Apps account. When he did so he was told sorry, the domain is already in use with Google Apps. That’s because a previous owner used it. Reyes went through an Apps account reclaiming process and voila — he was in.
Expired domains also make it easier to steal domain names. People look for expired domain names that appear in the email addresses of whois contacts for other domain names. They register the expired domain, set up an email address matching the one in the whois record, then request a transfer out. That’s what happened to ChicagoRestaurant.com.
An easier approach to steal a domain? Look for expired Hotmail usernames tied to existing domain registrations. Open an account with that same Hotmail name. And you’re in.
Be careful.
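As an added example (not from the original post), here is a small audit a domain owner could run over their own inventory to find whois contact mailboxes that depend on a domain which is expired, close to expiry, or not tracked at all. The domain names, dates and the 90-day warning window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory: domain -> (expiry date, whois contact email).
# All names and dates are made up for illustration.
PORTFOLIO = {
    "shop-example.com":   (date(2030, 1, 15), "admin@corp-example.net"),
    "corp-example.net":   (date(2024, 3, 1),  "owner@corp-example.net"),
    "blog-example.org":   (date(2029, 6, 30), "me@old-startup-example.com"),
    "promo-example.info": (date(2028, 9, 9),  "dns@shop-example.com"),
}

def contact_domain(email):
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower().rstrip(".")

def audit(portfolio, today, warn_days=90):
    """Flag domains whose whois contact mailbox depends on a domain that is
    expired, close to expiry, or not tracked in the inventory at all."""
    findings = []
    for name, (_, email) in sorted(portfolio.items()):
        dep = contact_domain(email)
        if dep not in portfolio:
            # Expiry unknown: someone else may control (or later register) it.
            findings.append((name, dep, "UNTRACKED"))
            continue
        expiry = portfolio[dep][0]
        if expiry < today:
            findings.append((name, dep, "EXPIRED"))
        elif expiry - today <= timedelta(days=warn_days):
            findings.append((name, dep, "EXPIRING"))
    return findings

if __name__ == "__main__":
    for name, dep, status in audit(PORTFOLIO, date(2024, 1, 10)):
        print(f"{status:9} {name}: contact mailbox is on {dep}")
```

Note that shop-example.com is flagged even though its own registration runs to 2030, because its contact mailbox lives on a domain that is about to lapse.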
theo says
It goes even a lil further than that.
When I register a name that has been dropped I set up a catch-all email record in the DNS.
I also set up an auto response where I catch that email with a message that the domain name changed owner. This alone scrambled previous owners into gear getting the domain back after all..
I am not sure of the legal implication of this.. I do not read the emails that were sent. The auto reply just kicks in.. Usually with the auto reply on I generate a lot of spam heading towards me. So after 2 weeks or so I kill the email box. And rinse and repeat with another email box when I get a new domain name.
Ed Muller says
So I sign up for a service using my real name and credit card, steal a domain name, email account, and any other private information, and should assume it is perfectly legal? Well at least I made it easy for lawyers and governments to find and prosecute me.
No way will you find anyone with sense taking this route to the bottom of the pile.
Andrew Allemann says
Ed, this guy didn’t steal the domain name — he registered it after it expired.
As for people using expired domains/email address to steal domains, unfortunately there are people out there who do it.
Acro says
While picking up a domain after it expired/dropped might be legal, it’s not legal to use it as a trojan horse to access other personal items the previous owner managed or still manages.
Read what happened to one such case I covered last year: http://acro.net/blog/domains/namejet-as-a-trojan-horse-the-sacking-of-four-valuable-domains-while-paying-for-only-one/
Ms Domainer says
*
Not hard to do at all, even for the non-savvy.
I registered an expired domain and set up an email address. I started getting the former owner’s email.
I didn’t do anything with it, but it was a sobering discovery.
*
Ed Muller says
Andrew,
I was commenting on the concept of theft in general, which Ben actively took part in. Whether it’s stealing domains or stealing data, you’ve left yourself wide open for any further legal action.
“…he used an expired domain to get access to someone’s entire history of Gmail”
Show me where the government can’t call this a federal offense if they were so inclined. Or the victim’s lawyer could claim irreparable, and intentional, harm.
Way too dangerous, and not a subject I would post about, if you ask me.
FarmerJohn says
Ms. Domainer you raise a good issue.
For instance, what if you reg an expired name, set up an email account (with a catch-all for example) and start getting emails with illegal content/images. Yikes.
John Berryhill says
“Ed, this guy didn’t steal the domain name — he registered it after it expired.”
That’s fine. However, using data obtained from the re-registration to effectively impersonate another in the course of accessing other internet services is impersonation and unauthorized access.
A lot of this is the result of the unexamined assumption that domain name registration is a recurring billing opportunity. The registration of a domain name is really a one-time act. The RESOLUTION of a domain name is what you are really after but, oddly, that comes free.
Staci says
I also set up catch-all email accounts for all my domains and have received emails with all types of personal information regarding the previous owner(s).
I think that this is a great article to alert web owners to this danger.
I use a personal email address when registering for affiliates, etc, instead of an email address associated with a domain name for this very reason.
willi828 (@willi828) says
Anyone using this tactic will be swiftly caught and prosecuted. Not sure what the point of this article is.
Knut says
The problem is that Microsoft does not allow a Hotmail account to “expire” and be used by others. Very simply: register an account, send some messages, and then ask for it to be DELETED. Try then to re-register and you will be denied.