Whois verification is just begging for phishers.
A lot has been made about the new requirement this year for domain name registrars to verify certain aspects of Whois contact information provided by registrations.
Over a million domain names have been suspended due to the failure by the owner to click a link in an email sent by the registrar for a domain name.
But don’t click to quickly. It might be a phishing attempt.
In fact, the way it’s set up, this verification process was basically begging for phishers to get on board. Here’s an email I received this morning:
As of Dec 1, 2014, the Internet Corporation for Assigned Names and Numbers (ICANN) has mandated that all ICANN accredited registrars begin verifying the WHOIS contact information for all new domain registrations and Registrant contact modifications.
You have registered one or more domains from Godaddy Inc. and verification of the Registrant email address is required for these domain name(s) to remain active. Please click the link below to verify the email address. You have until 01/01/2015 to verify this email address. After this date, the domain name(s) will be suspended until the email address is verified. please cut-and-paste the following URL into an open web browser to complete the verification process:
service-godaddy.com/raaverification/verification/VerificationCode=[a bunch of numbers and letters]
Once you click the link, your email address will be instantly verified and there is nothing further for you to do on the following domains:-dnw.com-
Sincerely,
GoDaddy Inc.
That link is for service-godaddy.com, a domain name registered at eName. Similar emails are also making the rounds using the domain name serviceS-godaddy.com.
Fortunately, most major browsers have these labeled as phishing sites already.
The verification currently in place is really stupid. It does not stop a criminal from running their operation, it does make it easier for people to run phishing expeditions and it does cause websites to be suspended with no good reason.
Mike says
Yes total waste of time and still they do not really know the identity of registrant any better than they did without verification. Look at arevamines (com) for example I saw. That can’t be right can it ?
Graeme says
Sure it’s horrible for users, and detrimental to the internet as a whole, but lets not forget that somewhere, some IP lawyer or LEA person is putting their feet up on their desk, satisfied that they can tell someone up the chain that the internet is ‘safer’.
Volker A. Greimann says
You are preaching to the choir…
Sadly ICANN is not interested in common sense, just dotting the i’s on these all-important law-enforcement requests. I bet not one life has been saved by this…
George Kirikos says
I don’t think email or telephone verification is stupid, but some of the implementations might fall into that category.
Instead of asking users to click on a link, a superior implementation would be to just send a code to the email address or telephone number (e.g. A8539BH242), and ask the user to login to their control panel to enter the code.
It’s not as “user friendly” as simply clicking on a link, but it’s a better way of teaching users not to click on links blindly.
Andrew Allemann says
It would reduce the chances of people clicking blindly, but I think the registrars realized that even more domains would be suspended if they made it more difficult to complete.
George Kirikos says
I think the “trick” is to verify the email address and/or telephone number before registration/activation of the domain name. Then, there’s no issue of suspending an active site — the domain wouldn’t be activated with unverified WHOIS.
Andrew Allemann says
That’s true, but if you ran a domain registrar, your conversion rate would be way down. Ultimately, I think that would mean that most of us would get stuck paying more for domain registrations in the long run.
Dan says
Sadly it’s not quite that simple though, because then you have a lot of customers not happy that the domain isn’t active, more support telling them it’s because they need to click a link… and this doesn’t resolve one of the most common issues a domain gets suspended – An existing domain with an old email which bounces.
Jay says
Completely agree with George.
That is how it should be done.
You can register the domain as now but before it is turned on you verify this ICANN bureaucratic hurdle.
And you would have to only do it once per email so register/transfer domains to that registrar using the once verified email as much as you like and further verification emails would NOT be launched.
Volker A. Greimann says
That would work if there were only one control panel for each registrar. onc e you add Resellers to the deal, there is no single unified place the registrant could log in, unless you add loads of implementation all the way up and down the chain.
domain names says
I do not trust the domain name services-godaddy(com)
Robbie says
Most whois verification emails have been blocked by spam filters, causing them to be totally toxic
Joseph Peterson says
ICANN is a global organization with more funds at its disposal than ever before.
Rumor is, there are some bright people alive on planet earth at the moment. I’m guessing that the combined intellects of a few of those folks could have anticipated this debacle and devised a safer alternative.
We can already probe the human brain to view dreams as they happen. Visiting Mars and splitting the atom are old news. Preventing dumb email phishing schemes shouldn’t be impossible for the human race.
Volker A. Greimann says
They are spending it faster than they can rake it in though. We learned at the last meeting that due to overly optimistic earnings estimations, they had to step on the break and introduce cuts to avoid blowing up the budget when forecast revenues failed to materialize.
jon says
I think it is more about “big brother” keeping track of your IP address and location, than it is information verification anyway. The annoying thing is the more domains a person owns, the more of a time wasting problem this has become especially if you like me tend to spread your business amongst
many different domain registrars.
Jay says
Bureaucracy gone out of control.
There should be one click when you register your first domain using a certain email address and after that there should be no verification emails.
Volker A. Greimann says
That is the case if correctly implemented. An email address only needs to be verified once upon registration, and again in case of an inaccuracy complaint or bounce of an automated message.
So register as many domains with your email and you will only be verified once in most cases.
Unless the registrar chose to do per-domain verification…