Domain Name Wire

Domain Name Wire

  • A big website is going to go dark thanks to ICANN’s new Whois verification

    1. BY - Dec 12, 2013
    2. Policy & Law
    3. 41 Comments

    New verification requirement is bound to ensnare some notable websites.

    ICANNICANN’s 2013 Registrar Accreditation Agreement is slowly going into effect at major domain name registrars.

    The biggest change that people who register domain names will notice is whois verification.

    Starting January 1, when you register a domain name, you will have to verify your contact details with the registrar. Most registrars will send a verification email to you with simple verification instructions.

    The domain name registration will be suspended if you fail to respond with 15 days. Practically speaking, this means your domain name registrar is likely to change the nameservers on your domain name to point it to a warning page, similar to what happens when a domain expires.

    If a newly registered domain name is suspended, it’s no big deal. It’s unlikely to receive much traffic yet, anyway.

    But the new RAA also requires verification if you change the name or email address of the registrant. That’s where things get tricky.

    After reading the relevant sections of the RAA and speaking to a few knowledgeable people in the industry, it sounds like how the update verification and suspension will be handled is open to some interpretation.

    eNom sent a notice to its resellers today informing them of how it will handle changes to the registrant. If the first or last name or email address changes, eNom will send a verification email. If the domain owner fails to click a link in the email within 15 days, the domain will be suspended and the nameservers changed.

    It’s not hard to see where this is headed.

    At some point in the not-to-distant future, a fairly big website is going to go down due to lack of Whois verification. A company will make a small change to the contact information but fail to verify it. Perhaps the verification email gets flagged as spam. Or an IT admin thinks its a phishing scheme. Or an intellectual property manager at a big company makes the change, then goes on vacation before receiving the verification email.

    It’s bound to happen, and a lot of people are going to scream and point fingers when it does.

41 Comments
  • Ah, and I thought you had a particular “big web site” in mind. But “big web sites” don’t change admin emails that often, and when they do, they are not employee but rather, role based.

  • When they change DNS, I hope they don’t put up PPC advertisements and add unknown UDRP / lawsuit risk unbeknownst to a domain owner.

  • I am wondering what may happens when one will push a domain to someone and this person will push it himself to another person within a short delay (before he receives the email asking for identity confirmation).
    This may be a real problem for escrow services, attorneys or marketplaces/brokers playing the middle man or simply domainers flipping domains. This should produce many hassles…

    • “I am wondering what may happens when one will push a domain to someone and this person will push it himself to another person within a short delay (before he receives the email asking for identity confirmation).
      This may be a real problem for escrow services, attorneys or marketplaces/brokers playing the middle man or simply domainers flipping domains. This should produce many hassles”

      You just hit the biggest problem with this.
      I am a domainer and I flip domains under 15 days of ownership many times and like you said brokers and escrow who may act as a middleman and take hold of a domain temporarily to secure a transaction could be in for a buttload of problems.
      Just another headache to take on.

  • In a side note your title is missleading, I changed in domaning.com to:
    Many websites may going to go dark thanks to ICANN’s new Whois verification

    • Your changing the title? What gives you the right to change someones title? I no longer read your blog because you’re an idiot

  • That it’s “missleading” is your opinion. This blog is editorial in nature and not strictly a “news” site. I’d call the title “catchy”.

  • Hopefully registrars will batch large groups of domain names into one email should someone make a Whois change to hundreds or thousands of domains at the same time.

  • So if I register 10 domains in one day at the same registrar using the same whois data, will they send 10 verification emails or will I be considered verified after the first confirmation? How will this effect drop catching services using dozens of registrars…

  • totally retarded. what does this even accomplish?

    • It somewhat keeps law enforcement at bay, who have been pressuring registrars to do something.

      • i hope it won’t be a huge pain for those who own large numbers of domains. i haven’t read much about this but all it seems to do is ensure a working email address. i don’t see how it stops people from putting in other fake information.

  • John Berryhill says:

    December 12, 2013 at 8:32 pm

    Andrew, you are 100% spot-on. Someone is going to be taken down, and then find out there is no recourse for consequential damages.

    Actual cyber criminals will find ways to pass verification like shit through a goose. Bona fide website operators with a typo in their Whois data, or who miss an email for any of the reasons you mention, are goin to get hit with this.

    This is not a data-driven policy change. There was no impact assessment of this change on either cybercrime or unintended consequences.

    We’ve already seen how the current Whois verification emails led to compromises by spoofing, just as the fake renewal notices have done. The relevant policy actors have that rare mix of ignorance, arrogance, and power.

  • There was a VERY easy and sensible solution to that issue. The fact that they chose suspending the domain instead can only mean that there was something to gain, esp. by registrars. Anyway, if they are so concerned about verification, the could make e-mail validation obligatory to process registrant’s details change. Without clicking the verification link, the details simply wouldn’t change, which seems way better than letting the change through and then suspending the domain…

    As for new domain registrations, it would be a little more tricky, because every second can matter – but with new domain they might as well stick to their “verify or suspend” policy, since – as you wrote – it wouldn’t do as much harm. But again, if they are really so concerned about using the domains for spam, phishing etc. – they should make e-mail validation obligatory to enable delegation of the domain. 15 days is plenty of time if someone wants to use the domain for spam and then dump it.

    • @ pb – the registrars didn’t want any of this. Law enforcement pushed ICANN into doing this.

      The idea of email verification to make a change is interesting. I know law enforcement wanted verification to occur before a domain could be used, but that would have been a mess in the typical domain name registration process. I think the issue with email verification to make a change is that adapting control panel systems to do this would be a pretty big burden. It wouldn’t be a burden on big registrars, but it would be to small registrars.

  • John is right, this will not refrain scammers but will adds the huge risk to stupidly lost a domain, plus additional work and worries.
    Plus, what about unscrupulous registrars trying to take advantage of this new rule to get valuable domains from owners.

    On top of that put the problem most registrars emails use to land into spam box, for Moniker for example it’s always!!! So if someone have a tip to avoid it he is welcome to share it there (I use GMAIL).

    Worst! Some networks like AOL simply do not deliver emails if it contains a domain “blacklisted”, and trust me it happens often and for names you will not even imagine hos is it possible. So in this case you will never
    receive the email notification.

    Plus people are not aware of this. Yesterday I received an ENOM email 1 mile long about policy changes that for sure I did not read (imagine people that have a poor english knowledge) and moved it directly to the trashcan, so if it was the announcement then I missed, and like me a lot did probably the same.

    Will come January and certainly most domain owners will not be aware of this:
    In the past we all use to receive such identity checking notifications but because there was no obligation or no risk then we did not take care.
    What will happen when one will receive such notice and will delete it like always without even read it?

    It can be catastrophic for a LOT of sites owners!!!

    I invite all domain bloggers to relay this information, I will also give more exposure to this to help.

  • 1. I’m sure Godaddy will charge a fee for non-compliance.

    2. As stated above, registrars will find a way to take ownership of the more valuable domains.

    3. It is very easy to set up blind ownership email addresses. As well as, blind ownership addresses and phone numbers. I’m sure someone will set up a business/service just to aid in the continuous of safe, blind ownership.

    4. As it was implied above, this new rule is only going to hurt the innocent (or the unknowledgeable about domain ownership rules). The bad guys will adapt and thrive.

    5. Registrars will increase registration/renewal fees using the excuse of increased domain verification procedures.

  • “In the past we all use to receive such identity checking notifications but because there was no obligation or no risk then we did not take care.”

    I actually have a filter in my mailbox that puts all those WDRP mails directly to trash, where they belong… I wonder how many people do he same. Or even worse – mark them as spam. That would explain why Gmail and other mail operators treat them such as you wrote.

  • The identity checking emails dont make sense, if the address is wrong, they are sending an email to the wrong address to see if its wrong…..so bad address dont get fixed and you only get emails on names that have the correct address.

  • If Icann wants to push the moronity button further with this, then it is best for everyone that Registrars start building a notification control panel just for this, so that people don’t need to click on phishing emails, because I certainly won’t click.
    If I have a message from my registrar, I have to have a notification inside my control panel to solve it out…

    • I think some registrars will send a code to you that you then have to login and use. There has to be some way for your to verify your email address (provided that is what you changed).

      • Andrew, in case of a domain transfer, that’s just adding another step to the process. If not, people need that notification panel and the code could be a nice idea. If you are changing an email and it’s not a domain transfer, you had to have the email at some point I guess.
        But will they send the new email address an email as well?
        Anyway, if something goes wrong, it won’t actually be the registrars fault, and that’s the scary part…

  • Totally pointless, no one’s going to register a domain with an email address they can’t access so what’s this going to change/prove? People can still easily put fake whois details in the forum and verify it with an email they have access to!

    If any of my sites or clients sites go down due to this they can expect a letter from the solicitors for loss of earnings! And I’m sure many other sites and companies will feel the same!

  • If any of my sites or clients sites go down due to this they can expect a letter

    Who is, “they?” The registrars? You indemnify them by signing up. Is it Verisign? Ditto. How about ICANN? ICANN operates with zero liability. Who is. “they?”

  • “the registrars didn’t want any of this. Law enforcement pushed ICANN into doing this.”

    Are you quite certain? They made ICANN do *something* but who devised the method? And why did they go with this one, of many possible options?

  • As an operator of a registrar, I can assure you we certainly did not want any of this. I was personally on multiple webinars presented by ICANN for registrars, and I can tell you many people representing their registrars, including myself, objected loudly. These new verification requirements will cause many more problems than they will solve (some of which have been pointed out above). There is a major disconnect between those that set policies and those of us that run businesses. Further, related to these new rules, registrars were “represented” by a group of registrars (comprised almost entirely of the largest registrars in the world), and that group claims to have reigned in further problematic new rules. Of course, this group of registrars has their own motivations that many times do not reflect what is best for all registrars, or, more importantly, domain registrants and web site operators. There are many more changes ahead as more registrars implement the 2013 RAA. These changes seem to be a mixture of ICANN and the registrar working group keeping law enforcement temporarily satiated, and extreme over-reactions and useless rules to problems that largely do not exist. I feel sorry for many smaller registrars with limited capacity, and registrars and registrants whose native language is not English. There are also many new rules governing data collection and retention – some of which have already proven to be illegal in several countries. Registrars are also now required to maintain 24/7 resources for “legitimate” fraud/abuse complaints. There are also several changes regarding how resellers operate which will have a severe impact on many of their current business models. Hopefully the complaints get loud enough from the Internet community that ICANN retracts some of the 2013 RAA requirements. We have made the decision to not sign it until the very last minute possible.

  • What will happen after we click on the link in the verification email?
    All what we should do is to click on the link? is there any further verification steps or pages to fill? or just a simple click.?

    • It’s up to each domain registrar to implement it. Some registrars might just have you click in an email. Others might give you a code you need to enter after logging back in to your registrar account. Watch out for phishing attempts.

      • Thx Andrew,
        Is there any chance that the registrar will send a code as SMS to the registrant phone or call the registrant to tell him the code? I think I read this in the ICANN as an option, “email or phone”?

        • Yes, SMS and phone calls are allowed per the RAA. As Andrew said, it is up to each registrar to determine their authentication mechanism(s). We will likely be using email and SMS with a fallback for phone calls.

          • What will happen if one my customers uses an outdated phone number? Is the registrar will allow me to update the Whois data and change the phone number to a a valid one.. or the registrar will suspend the domain directly?

  • Well here is a sample. Happened to me today. I am a reseller for a registrar. One large client transferred their email to another provider. When this happened, the Whois contact for one domain out of 36 they had was a person no longer with the company. ICANN sent the notice, 15 days go buy and bam, site goes down. We reinstated the email, the registrar resent the verification, we performed the steps and here we are 30 hours later and the site is still pointing to a St. Petersburg Russia DNS awaiting reinstatement. I am sure this is going to happen again with a large domain. It is a very bad system.

Leave a Reply