Home / Blogs

ICANN Complaint System Easily Gamed

ICANN’s WDPRS system has been defeated. The system is intended to remove or correct fraudulently registered domains, but it does not work anymore. Yesterday I submitted a memo to the leadership of the ICANN At-Large Advisory Committee (ALAC) and the greater At-Large community. The memo concerns the details of a 214-day saga of complaints about a single domain used for trafficking opioids. For those who are familiar with the cycle of WDPRS complaints, the time frame is supposed to be 45 days at a maximum. The 45-day window was defeated by the domain owner who constantly transferred the domain and changed the data which took it out of the hard-structured view of complaints processing. This is part of an ongoing series of articles and research into online opioids traffic and effectiveness of different enforcement procedures. The first complaint was submitted 4 August 2016 and the most recent response from ICANN on 6 March stated in part:

ICANN considers this matter now closed.

Wonderful. We should all feel so much safer. Unfortunately, this is just the continuation of a very long process failure. The domain in question, DRUGS-ORDER.NET (which I refer to in my handwritten notes as “DONT”) is still online and used for selling opioids without a prescription and without displaying a pharmacy license. The memo I submitted in response to these events is an analysis of the ICANN complaint system (WDPRS). The analysis uses this domain with false WHOIS as an example to better understand the issues with ICANN policy and procedure. In short, the ICANN WDPRS has been effectively circumvented. The domain has had 3 different sets of false WHOIS and simply transferred their domain each time a complaint was filed. The domain has been transferred to 4 different registrars and is currently operating selling narcotics. With nearly 3000 registrars there is no practical limit. In each case, the registrar largely followed the process and complied with ICANN. So ultimately it’s not a registrar issue, it’s an ICANN issue. The failure of the organization to understand how the process can be manipulated makes the process useless. ICANN compliance will likely respond by stating they are constrained by the contract. However, they are also apparently constrained by process innovation as well as real-world context.

This is an extremely urgent issue. Yesterday, here in Copenhagen at the CC session towards effective DNS abuse mitigation prevention mitigation some very smart and passionate experts (including APWG and global LE) discussed various threats on the Internet. One fact is clear from this discussion: the ability of criminals to obtain domains far outpaces the current ability to contain them. Even concerned and proactive registrars at the session complained that their compliance and cooperation with abuse mitigation is hampered by other factors out of their control. The various issues can be summed up in one word: complexity. The data is complex, but the process cannot accept that complexity.

All criminal and abusive operations should follow this cycle to stay in business: Obfuscate, Wait, Transfer, Repeat.

I will be presenting on these issues at the joint session of the Public Safety Working Group (PSWG) and the Verified TLD (vTLD) constituency. This meeting is scheduled for Tuesday 14 March from 18:30 to 19:30 (CET) in Hall B4.1 at ICANN58.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Garth Bruen, Internet Fraud Analyst and Policy Developer

Filed Under

Comments

When dealing with a domain like this, Todd Knarr  –  Mar 14, 2017 9:44 PM

When dealing with a domain like this, shouldn’t a decision to lock the domain down or take it away from the owner go through the registries as well as the registrars? If the .NET registry un-delegated the domain and rejected any registrar trying to re-delegate it, that should be the end of the matter as far as the domain goes. That should be doable under current registry agreements.

Registry rejects responsibility or obligation Garth Bruen  –  Mar 15, 2017 11:57 AM

Verisign is in receipt of your email below. Verisign is the top-level registry operator. As such, Verisign has no relationship, contractual or otherwise, with the registrant of a domain name nor does Verisign provide any services to the registrant or the webhost. Therefore, Verisign will not take any actions pertaining to a domain name absent an order from a court of competent jurisdiction directing it to take actions that are within its technical capabilities. I recommend that you contact the relevant registrar or hosting service, who may be able to assist you with this request.
The registrars in some cases did suspend the domain but nevertheless allowed them be immediately transferred and reactivated elsewhere. Hosts have responded similarly. There is an obvious difference between registries in the acknowledgement of widespread abuse and criminality in the DNS. Many registries take immediate action with the understanding that the ICANN contract and the law will protect them from liability if they take proactive action. There is no court order required when the issue is within scope of the terms of service. This is analyzed in detail here: http://knujon.com/onlineopioidsUSfeb2017.pdf

This seems like an easy fix:Institute an Doug Mehus  –  Mar 14, 2017 10:06 PM

This seems like an easy fix:

Institute an immediate change to the domain registration agreement registrants sign/to which they agree that prohibits transfers out of domain names for 60-90 days, essentially placing the name into “transfers prohibited status” like it would when it gets renewed or when it is first transferred to a new registrar. This may seem unfair on the registrants but, if the WDPRS is being misused, the domain registrant should be entitled to file, for free, an appeal to an ICANN team member who has the authority to determine whether the complaint is valid or whether the WHOIS information is inaccurate/not disclosed and whether the WDPRS should proceed. :)

Cheers,
Doug

Difficult but not impossible Garth Bruen  –  Mar 15, 2017 12:07 PM

Yes, a contract change could enhance procedure but this is a VERY long road. Many of the parties who would be required to approve such a modification would be dead set against it. Changes to the contract have been made over the years to great benefit of Interest users, but this was very long and hard work. Additionally, contracted parties are usually allowed to wait to sign on to a new contract until their current contract has expired. By the way the memo can be found here: https://community.icann.org/display/atlarge/ALAC+Top+10+Issues?preview=/2262135/64076614/DONT_analysisoficannwdprs.pdf

Seems like this shouldn't require a contract Todd Knarr  –  Mar 16, 2017 9:10 PM

Seems like this shouldn't require a contract change. ICANN can set policy, eg. saying that any domain that receives a valid WDPRS complaint may not be transferred until the registrar has responded to the complaint. Then when the automated notification is sent to the registrar, the registry gets a copy. The registry's required by existing contract to comply with ICANN policy, so they aren't supposed to accept a domain transfer if the registrar ignores policy and allows a transfer out. If the registry won't accept the transfer, nothing the registrars can do will transfer the domain or alter the WHOIS information. As Charles noted, doing this locking-down at the registry level isn't a hard problem since the software to do it already exists (that a registry might not want to make the effort to use the software is Not ICANN's Problem, only whether they comply or not). No, I'm not being naive. I fully understand the political problems involved. I just feel they should be handled by simply ignoring them as irrelevant to the point at hand.

Great points, Todd. :) Doug Mehus  –  Mar 18, 2017 8:19 PM

Great points, Todd. :)

Would mostly agree, problems still exist Garth Bruen  –  Mar 21, 2017 7:19 PM

saying that any domain that receives a valid WDPRS complaint may not be transferred until the registrar has responded to the complaint.
In at least one of these complaint cycles the registrar responded in a timely manner and suspended the domain. The registrant then transferred the domain.
doing this locking-down at the registry level isn't a hard problem since the software to do it already exists
Yes, it's a choice, an apparently unenforceable choice. Even if it is found that a registrar acted improperly by allowing an outbound transfer, punishing the registrar will not suspend the domain which is now at a new registrar. ICANN does not have a mechanism that I am aware of to remove a domain. At this point only the registrar can lock under their "Malicious Conduct" policy, but Verisign has made it clear that domains used for trafficking narcotics do not qualify as malicious.

It's more that ICANN doesn't want to Todd Knarr  –  Mar 21, 2017 7:42 PM

It's more that ICANN doesn't want to enforce things. The registrar you mention should've had their ability to be a registrar terminated on the spot, for instance, by either the registry or ICANN, and information recorded to keep the owners from ever operating any registrar ever again. As for Verisign, transferring the registry for .com to another operator would deliver the message clearly. ICANN controls the root nameservers, if it changes the configuration so they refer .com queries to someone other than Verisign there's not much Verisign can do about it. And Verisign's definitely one of the worse operators out there. They are, after all, the ones who caused the delegation-only configuration to be added to Bind to block them from returning false DNS responses (which blocks second-level hosts in all new TLDs without custom configuration by sysadmins). None of this requires any new technical capability or legal authority. It just requires the will to actually enforce the rules, which is where ICANN's lacking.

Yes, but let's say they did.... Garth Bruen  –  Mar 21, 2017 7:56 PM

Let's just assume ICANN wanted to enforce here, they actually don't have many options. ICANN compliance issues breach notices with the intent to cure the breach, meaning there is an issue which the registrar must fix or face termination. For example, they have to pay an outstanding bill to ICANN, they have to restore a removed WHOIS service, they have have to provide some document etc, etc. So in this case, the domain is already transferred. What condition would need to be cured calling for a breach? You see there is no "court' here which finds acts of wrongdoing. As for ICANN taking .COM from Verisign, we'll hear Gabriel's Trumpet first (in the Biblical AND the mathematical sense)

The breach to be cured is the Todd Knarr  –  Mar 21, 2017 8:36 PM

The breach to be cured is the failure of the registrar to reject the transfer out of the domain after it's been suspended and they know the transfer isn't allowed. The cure is to not do that again. Second time, they've failed to cure the breach and they lose their status for breach of their agreement with the registry and with ICANN. And probably, because ICANN doesn't want to or is afraid to, which one makes no difference. Failure to use the tools they have doesn't make those tools not exist.

> You see there is no "court' Charles Christopher  –  Mar 21, 2017 8:46 PM

> You see there is no "court' here which finds acts of wrongdoing. ICANN policy is being ignored, THAT is the wrongdoing. Registrars and registries pointing fingers at each other does not change that fact.

I have to agree with Todd and Doug Mehus  –  Mar 21, 2017 8:44 PM

I have to agree with Todd and Garth here, Charles, in that there's clearly a problem here. I don't necessarily think we should terminate a registrar's contract on ONE mistaken permitted transfer of a domain name under a WDPRS dispute but I think that should qualify for a "warning letter" to be issued and I do think ICANN needs a mechanism of some sort to issue a sort of "notice of continuance for Whois Data Problem Report for " in the case of these mistakenly permitted transfers so that for domain names with past, unresolved or repeated WDPRS problems, ICANN can simply force the new registrar to "lock down" the name and for the registry to lock it down as well. Whether this would require a contract change or not, it seems it may even possible for something ICANN can deal with directly between it and the registry through a sort of "rules change" (with appropriate notification to the registrars). :)

>I have to agree with Todd and Charles Christopher  –  Mar 21, 2017 8:58 PM

>I have to agree with Todd and Garth here, Charles, >in that there's clearly a problem here. We all agree. > I don't necessarily think we should terminate a registrar's >contract on ONE mistaken permitted transfer of a domain name You never heard me say such a thing. The problem is the transfer itself should have been IMPOSSIBLE, and is IMPOSSIBLE with other TLDS ... So what is that telling you? Please see the ICANN policy text and FAQ answers, I quoted in this post to this thread: http://www.circleid.com/posts/20140314_icann_complaint_system_easily_gamed/#11667

>Yes, it's a choice, an apparently unenforceable Charles Christopher  –  Mar 21, 2017 8:32 PM

>Yes, it's a choice, an apparently unenforceable choice. No. Its registry and registrar pouting their fingers at each other saying "You do it!". And everyone else looking on saying "I dunno". Do what Afilias did HARD CODE IT! Look, if we really give a damn about the registrant, and DOMAIN THEFT was the original motivation for all of this, code the policy and be done with it. >At this point only the registrar can lock under their "Malicious Conduct" policy, but Verisign >has made it clear that domains used for trafficking narcotics do not qualify as malicious. ServerTransferProhibited is under Registry control NOT registrar, just talk to ICE and their relationship with Versign to see how they see to have little problem getting Verisign to lock domains for them AND take them out of a registrars account .... Watched it happen many times, as each time I saw news of the this I look at the domain whois. So lets dig deeper: https://www.ice.gov/narcotics "The National Security Presidential Directive/NSPD-25 directs U.S. government agencies to attack the vulnerabilities of drug trafficking organizations by disrupting key business sectors and weakening the economic basis of the drug trade. The illegal drug market in the U.S. is based on illegal narcotics grown or manufactured in foreign countries and smuggled across our nation's borders. ICE agents enforce a wide range of criminal statutes including Title 18 and Title 19 of the U.S. Code. These statutes address general smuggling issues as well as customs violations. ICE also enforces Title 21, which covers the importation, distribution, manufacture and possession of illegal narcotics." So then why is ICE allowing these sites to remain resolving given their own website says there responsibility covers distribution of narcotics. So now we have two problems: 1) The "system" is not enforcing the ICANN 60 day transfer lock. 2) Some are claiming there is no way to shut down the domains of narcotics websites Selective enforcement is just that, "Nothing new, under the sun", our tax dollars hard at work .....

Couldn't ICANN time the contract change with Doug Mehus  –  Mar 18, 2017 8:17 PM

Couldn't ICANN time the contract change with the expiry of their registrar agreement in a "take it or leave it" approach? Hard bargaining for sure but one I'd support. :) What's the longest expiry date for any registrar's agreement? I'm guessing not more than 5-7 years so, if the new RAA's implementation was "staggered," sure it'd take time but, eventually, we'd get there and have a better WHOIS reporting system because of it. Cheers, Doug

Contracts generally favor contracted parties Garth Bruen  –  Mar 21, 2017 7:22 PM

ICANN does not exist without the money flowing up from contracted parties. There is very little interest here in protecting the consumer.

"ICANN does not exist without the money Charles Christopher  –  Mar 21, 2017 8:40 PM

"ICANN does not exist without the money flowing up from contracted parties. There is very little interest here in protecting the consumer." Agreed, and worth repeating. At the Sydney ICANN meeting a number of us via the webcast asked the question "How does ICANN serve registrants needs?" The question was taken and publicly asked, and the response was to shame us for even asking ... And the guy that presented the question is no longer with ICANN, what a surprise. A peer once asked the ICANN members "How many domains do each of you own?" ... Similar result.

Hi Garth,Your post is very interesting, because Charles Christopher  –  Mar 16, 2017 12:36 AM

Hi Garth,

Your post is very interesting, because what you present should be impossible as everything is now setup.

I saw something like this many years ago, and then saw it resolved. I had ASSuMEd other registries fixed this …. And I am NOT surprised to find Verisign did not.

What I am referring to is the 60 transfer hold that is required when a domain is transferred (ICANN Policy). Keep in mind much of this “complexity” you speak of can manifest in one of two ways:

Contract / Policy (NO technology)
Technology

So lets take .INFO as an example as it is precisely what I saw many years ago (*). Afilias was implementing the transfer holds by POLICY and registrars were ignoring it. Thus Afilias moved this requirement into the EPP backend code (technology). Yes, its still policy, but being in the EPP backend it is now a policy that can’t be ignored.

I just contacted Verisign, as I am a Registrar, and verified that Verisign is still not implementing this POLICY as EPP TECHNOLOGY.

So, strictly speaking your post and conclusions are incorrect. There ARE rules being broken right now.

What is happening here is this registrant KNOWS which registrars IGNORE the policy requirement and then transfer the domain when it should not be allowed. Since you and others are not registrars this implementation issue of Policy versus Technology gets missed. These days I would imagine most registrars would be compliant of the policy (the registRAR is coding the 60 day hold in their code, versus relying on the registry) so there are not 3000 registrars to cycle domains through …. But I agree there are likely enough to cycle through.

So let me try to sharpen my point a bit. It is impossible to do what this seller is doing with a .ORG domain. It is because Verisign does not implement the requirement in the EPP backend that COM/NETs can be used to “defeat” WDPRS.

But ….

The correct solution here is to GO AFTER the registRARS involved that are out of compliance with their contracts. And there should be two prongs here, going after them being out of compliance with their registry and ICANN contracts as the ICANN contact requires the Registries to duplicate these policies in their registrar contract = You can’t be out of compliance of just one contract.

Charles

(*) I am so sensitive to this policy/tech issue because I once had a registRAR attempt to steal a domain they were sponsoring, and they tried it inside the 60 day hold thinking I would not notice. Oooooops, I noticed. Had they waited until day 61 they would have been successful because it was ONLY the policy violation that got my domain back …. And that Garth is one of many reasons I became a Registrar, because the backend games played in this industry are mind numbing. And most of the policies protect registrants from honest registrars, which make no sense. And no, in this case it was a registrar other than RegFly …..

RegFly also tried to steal some of Charles Christopher  –  Mar 16, 2017 12:47 AM

RegFly also tried to steal some of my domains, but they were different domains and that is a story for another day.

LOL, I, too, remember RegisterFly. Shudder. eNom Doug Mehus  –  Mar 18, 2017 8:21 PM

LOL, I, too, remember RegisterFly. Shudder. eNom wasn't much better. Hopefully, Tucows will merge eNom's system onto its own, superior system. I went with RegisterFly on cost and it took forever to get them transferred over to GoDaddy (I'm now with Uniregistrar). However, that's a great example of a hard-lined negotiating approach by ICANN created WHOIS data escrow. :)

>Hopefully, Tucows will merge eNom's system onto Charles Christopher  –  Mar 19, 2017 2:05 AM

>Hopefully, Tucows will merge eNom's system onto its own, superior system. Tucows is notorious for keeping expired domains for themselves. No auctions, no nothing, from customers account into their own account. GoDaddy started doing that and then stopped once publicly exposed. Given eNom is one of the preferred registrars of dominers, i can see expired domains alone being motive for Tucows to gain access to that domain base ... Again, the backend stuff that goes on in this industry is far beyond what most good people are aware of.

That's true, I hadn't thought about Tucows' Doug Mehus  –  Mar 20, 2017 5:27 PM

That's true, I hadn't thought about Tucows' somewhat sleazy tactics at "gobbling up" expired domain names as well as their "owned" domain name portfolio (what did they brand it as..."YummyNames" or something?). I just meant...I like Tucows' domain name registration system and database over eNom, which still refuses to "purge" my username from their system. :(

>However, that's a great example of a Charles Christopher  –  Mar 19, 2017 2:13 AM

>However, that's a great example of a hard-lined negotiating >approach by ICANN created WHOIS data escrow. :) I would suggest its the opposite. Yes it was created due to the RegFly fiasco but: A registrar may "escrow" privacy whois! In other words the data escrow protects registrants from honest registrars, which they need little if any protection from. EVIL registrars can just escrow privacy whois and then ICANN his NO IDEA who the registrant is! The data escrow provide the ILLUSION of safety to registrants, but in actuality does little for the reasons I have mentioned. All RegFly had to do was escrow privacy whois, and when asked, tell ICANN it was privacy for them. Then ICANN would have "laundered" all the domains to the RegFly owners .... Now is that REALLY what we were all looking for?

Doesn't the current WHOIS data escrow archive Doug Mehus  –  Mar 20, 2017 5:37 PM

Doesn't the current WHOIS data escrow archive multiple versions of a domain name's underlying, not publicly-visible, ownership information at regular intervals? Also, I thought it was required now, not optional, no? Even if it's "required," yes I agree there's potentially a way a nefarious registrar could "game" that "escrow" system, too, by essentially borrowing from the "old book of tricks" from shady companies that maintain two "accounting books" of the company, one for the "tax man" and the true one for their "shareholders," by essentially having two separate domain name databases. However, there'd be a way around this, which might or might not require a contract change: subject registrars to mandatory random audits at least every two years by ICANN (or an ICANN-appointed designated forensic accounting firm) and if ICANN or the designated firm senses so much as an "inkling" of obstruction, their registrar agreement can be terminated for cause on the spot and the registry ordered to bulk transfer their domain names. Also, with the number of registrars to audit, ICANN should also increase the annual and startup costs to become an ICANN accredited registrar such that many small registrars with only 100,000 (or less) domain names are forced to sell their assets to a larger player. As an aside, my very first registrar back in 1999 was directNIC.com (then legally known as Intercosmos Media Group or something like that) and I think even they've had some questionable history, right? Boy, I have a "knack" for picking crappy registrars - directNIC.com, RegisterFly and GoDaddy. I think I've finally found a GOOD one in Uniregistrar. Cheers, Doug

More complexity and less visible context Garth Bruen  –  Mar 16, 2017 8:57 AM

What is happening here is this registrant KNOWS which registrars IGNORE the policy requirement and then transfer the domain when it should not be allowed.
This is absolutely the case and would add that innocent registrars receiving transferred domains may not know the abusive or criminal history of the domain(s) when they come in and the situation catches them off-guard.
The correct solution here is to GO AFTER the registRARS involved that are out of compliance with their contracts. And there should be two prongs here, going after them being out of compliance with their registry and ICANN contracts as the ICANN contact requires the Registries to duplicate these policies in their registrar contract = You can’t be out of compliance of just one contract.
Generally I would agree, but in this case the registrars did (with some mistakes) follow the contract and the illegal domain still managed to escape because of process and procedure failure at ICANN.
so there are not 3000 registrars to cycle domains through
This is theoretical for example. We all know for a fact that most registrars are not "real" and merely placeholders or used to capture domains in the aftermarket. The "extra" registrars do not actually have any domains, websites or ability for a consumer to buy a domain from them. Yet they collectively pass something like 8 million USD up to ICANN each year which is a situation never really explained by ICANN. But that is a different story.

>The "extra" registrars do not actually have Charles Christopher  –  Mar 16, 2017 2:35 PM

>The "extra" registrars do not actually have any domains, websites >or ability for a consumer to buy a domain from them. This needs correction. They do have domains, they do have websites, and they do sell domains. This is the business I have been in. These registrars are real, but the domains they sponsor are typically accessed through some other "more public" registrar. Its a simple management issue, ICANN contracts push catchers to have more registrars to catch, but making those all publicly facing registrars is redundant. It only takes one registrar to make the catches available to the market on behalf of all the others. By placing this cost onto drop catching the registries are spared an overwhelming electronic war on their backend servers. Not a perfect solution but it is what it is. But as you suggest, this moves us off topic.

Yes Garth Bruen  –  Mar 21, 2017 8:00 PM

And whenever I have asked ICANN staff about the redundant registrars their response is usually something like "I don't known what you're talking about"

>"I don't known what you're talking about"And Charles Christopher  –  Mar 21, 2017 8:53 PM

>"I don't known what you're talking about" And that is a fair answer Garth. You call them redundant, that are not redundant. They are redundant to what *YOU* consider acceptable use, but that is your problem not ICANNs. If you want to compete in the drop catching industry you need lots of connections to the registries, and to do that you need registrars. That is the fact of it, and the other fact of it is these businesses give a lot of visibility to the overall domain name industry. Could the rest of the industry live without drop catching? Probably. So what? This is how they make their living. And if it did not exists the only difference is domineers would be getting even less sleep. They will be sitting at their PCs during drop time, madly wearing out their keyboards trying to registrar domains. So think of drop catching as being eco friendly, its saving the landfills all those worn out keyboards. :D Regardless of HOW it happens, it WILL happen, either manual method, or the current "drop catch server war" at the registries during drop time.

I'd say that just because that's how Todd Knarr  –  Mar 21, 2017 11:09 PM

I'd say that just because that's how the drop-catching industry makes it's living isn't any reason at all that the domain name system has to accomodate them. My opinion is that those registrars are redundant to the intended functioning of the domain name system and if stopping bad behavior requires removing their business model and making life harder for the dominers, then that's their problem.

>if stopping bad behaviorWhat is the "bad Charles Christopher  –  Mar 21, 2017 11:24 PM

>if stopping bad behavior What is the "bad behavior" you wish to stop? And once you "stop" it using a dedicated registrar, how will you stop that "bad behavior" from being accomplished using someone else's registrar (which is how the industry started)? >removing their business model What is the business model you are objecting to?

Oh, and a really good way to Charles Christopher  –  Mar 21, 2017 11:40 PM

Oh, and a really good way to get rid of the current drop catch industry is to encourage Verisign (and other registries) to implement the Waiting List Service: http://www.internetnews.com/asp-news/article.php/949201/VeriSign-To-Launch-Waiting-List-Service.htm Note well doing so would RAISE the price of domain name registrations, $40 back in 2002. Current industry pricing is $69 at NameJet, and $79 at SnapNames, and I am sure Versign could withstand $99 pricing ..... Oooooops, checkmate. Prices of domains go up either way, either a third party catcher gets it or the registry gets it. Pick one. http://www.internetnews.com/isp-news/article.php/1451891/ICANN+Approves+Waiting+List+Service.htm Note NetworkSolutions and Verisign have now parted ways. https://www.icann.org/resources/unthemed-pages/halloran-decl-2003-09-15-en "Thus, the benefits of the WLS extend not only to VeriSign’s direct customers (registrars) but also to end-users (registrants and prospective registrants). The WLS provides a simple, fair, low-cost and easy to understand procedure for registering recently deleted domain names. By contrast, the wait list services offered by registrars have low efficacy rates, and the consumers who pay money for these services have no guarantee that they will get a particular domain name, even if that name is not renewed by its current registrant. The WLS, on the other hand, provides a 100% certainty that, if the domain name is deleted, the domain name will be registered to the WLS subscriber, with the attendant certainty for the WLS subscriber of knowing it is “first in line” or pre-registered for a particular domain name should it become available." Again, pick one. :)

The bad behavior would be of registrants Todd Knarr  –  Mar 21, 2017 11:42 PM

The bad behavior would be of registrants evading the WDPRS process by transferring domains after a complaint is received and using the large number of registrars to insure they practically always have a registrar willing to help them by allowing the transfer. Those "redundant" registrars who exist only to catch dropped domain names aren't a direct target, but any of the changes (like making the 60-day transfer lock a matter of technology at the registry level so registrars don't have the option of ignoring it) will inevitably impact them. Their business model is grabbing domain names that a registrant failed to renew, registering them in their own name (openly or hiding behind domain privacy) so that other registrars can't resell them and then offering them for sale. Enforcing the transfer lock would destroy that business model, if they showed the domain as registered then there'd be a 60-day window when they couldn't sell that domain (transfer not allowed) and if they showed the domain as unregistered then their competitors could resell that domain out from under them. Again I don't see any reason to directly target them, but I also don't see any reason to refrain from enforcing the 60-day transfer lock by unavoidable technological means applied at the registry level just because it would impact them.

Thank you for entertaining my questions.>The bad Charles Christopher  –  Mar 22, 2017 12:06 AM

Thank you for entertaining my questions. >The bad behavior would be of registrants evading the >WDPRS process by transferring domains So lets tease that out by adding the registrar and registry collectively are ignoring the 60 day transfer hold policy. Thus they clearly are behaving badly, and there is no enforcement taking place so ICANN is behaving badly to. Agreed! >Enforcing the transfer lock would destroy that business model, Verisign *IS* currently implementing the 60 day transfer lock for NEW REGISTRATIONS. Thus the industry is operating with that policy having no effect on it. It never has any effect except to annoy registrant as they have to wait to transfer from an undesired registrar into their preferred registrar. Verisign is *NOT* implementing the 60 day transfer hold policy, which has no effect on drop catchers as no transfers take place inside that system. Now there is a subtle point that might be missed here and that is "transfer fulfillment". In this case the registrar auctions off the domain without it ever dropping. However in this case the registrar will, for reasons I will not get into, wait more than 60 days (after expiration) to transfer the domain. And so even transfer fulfillment is not affected by the 60 day transfer hold. There are *TWO* transfer hold policies at issue here. >Again I don't see any reason to directly target them, but I also don't see >any reason to refrain from enforcing the 60-day transfer lock by unavoidable >technological means applied at the registry level just because it would impact them. As I have articulated, the 60 days holds that affect drop catching are in place in all TLDs, to no effect on this industry. So drop catching is totally unrelated to the problem of the OP.

Garth,Any registrar used by this registrant is Charles Christopher  –  Mar 16, 2017 2:23 PM

Garth,

Any registrar used by this registrant is NOT “innocent”, they are not following the required policy. In fact they are ignoring the policy so as to INVITE the business of cycling registrations through them this way.

Further, Verisign unlike other registries is encouraging this behavior by not simply enforcing the 60 day hold in the EPP backend code. This is why the other registries did so, because its not allowed.

As much as I to dislike ICANN and see never ending failures, the only failure here is that ICANN is not enforcing their own policies, and shining a light on that fact should be all that i necessary to solve the problem. Frankly, trying to create even more policies just feeds the growth of the ICANN monster.

Registrars and Registry involvement in this problem is not to be ignored or let off the hook. You want a solution, the solution is enforce the current requirements. Simple.

Charles

Re: required policy Garth Bruen  –  Mar 21, 2017 7:09 PM

Charles, Had a few discussions about this in Copenhagen and the registry lock is recommended but not required. There are good and bad registrars, but the system can be gamed here even so. Verisign is distinct in its position here from many other registries, but they are also the biggest which highlights the issue. Because ICANN cannot see the complexity of cybercrime and abuse they are not suited to handle the issues that result, hence the deeply flawed ticketing process. Their "Ticket Closure" philosophy is equivalent to delivering an upside-down plate with uncooked ingredients at a restaurant and saying "You got what was listed on the menu". So there is no hard policy to enforce, no will to enforce, no ability to effectively track and understand the issues. The failure is top-to-bottom and the criminals know this. -Garth

Well said, Garth. I hadn't thought about Doug Mehus  –  Mar 21, 2017 8:34 PM

Well said, Garth. I hadn't thought about utilizing the "registry lock" function within the EPP registry framework/architecture. Good idea! What would it take to make this a requirement instead of a recommendation? Can ICANN implement it with, let's say, 60- to 90-day notice to the registries/registrars as a sort of "policy guidance notice" or would that still require a contract change? Cheers, Doug

>Verisign is distinct in its positionWhy does Charles Christopher  –  Mar 21, 2017 8:20 PM

>Verisign is distinct in its position

Why does their position mater? Who is the “authority” of “my” registrations, Verisign or ICANN?

https://www.icann.org/resources/pages/name-holder-faqs-2012-02-25-en

“Domain name is within 60 days of a previous transfer”

https://www.name.com/support/articles/234458468-ICANNs-Transfer-Policy-FAQ

“What is a 60-day transfer lock?
Under the existing transfer policy, if you transfer a domain, it will be locked for 60 days. This is an ICANN policy so it affects all accredited registrars and domains—and is not specific to only Name.com. We are unable to lift these locks or make any exceptions.”

>So there is no hard policy to enforce

https://www.icann.org/news/announcement-2-2015-09-24-en

“Registrars must impose a 60-day inter-registrar transfer lock following a Change of Registrant but registrars may allow registered name holders to opt out of the lock prior to any Change of Registrant request.”

https://www.icann.org/resources/pages/policy-2012-03-07-en

“A domain name is within 60 days (or a lesser period to be determined) after being transferred (apart from being transferred back to the original Registrar in cases where both Registrars so agree and/or where a decision in the dispute resolution process so directs). “Transferred” shall only mean that an inter-registrar transfer has occurred in accordance with the procedures of this policy.”

https://www.icann.org/resources/pages/text-2012-02-25-en

“Please note that you may not transfer your domain name to a new registrar within the first 60 days after initial registration, or the first 60 days after a transfer.”

https://www.icann.org/resources/pages/name-holder-faqs-2012-02-25-en

“If I bought a name through one registrar, am I allowed to switch to a different registrar?

Yes. The Inter-Registrar Transfer Policy, applicable to all ICANN-accredited registrars, provides that registered name holders must be able to transfer their domain name registrations between registrars. You must wait 60 days after the initial registration or any previous transfers to initiate a transfer.”

So lets be clear here. Godaddy was the original registrar to push the hold after contact updates. Many felt this was wrong, went to ICANN, and ICANN accepted GoDaddy interpretation of their contract. That was so many years ago I can’t recall when this occurred. But that is SEPARATE from the “transfer lock” imposed any time a domain is TRANSFERED. There is no “interpretation” here. There is policy, and its in the above ICANN text. When a domain transfers, it is to be locked by policy, implemented by policy at Verisign, implemented by code at Afilias (~2002).

“Verisign is distinct in its position”, ok, who cares, what does the ICANN poicy above say? Versign is in effect positing the finger at the registrar to meet the policy and they are not. Back to what I said, force Verisign to implement the “Policy” in code so there are no “distinct in its positions” in conflict with policy (“law”).

Now what is “new” is the extension of what Godaddy first started, that is the extension of the 60 lock not just for transfers but also for contact updates:

https://www.icann.org/news/announcement-2-2015-09-24-en

“Registrars must impose a 60-day inter-registrar transfer lock following a Change of Registrant but registrars may allow registered name holders to opt out of the lock prior to any Change of Registrant request.”

https://www.icann.org/news/announcement-2016-06-01-en

“Updates
The updates to the Transfer Policy include:

Registrars must deny an inter-registrar transfer request if the registrar imposed a 60-day inter-registrar transfer lock following a Change of Registrant, and the Registered Name Holder did not opt out of the lock.”

Update! Garth Bruen  –  Mar 24, 2017 1:36 PM

The domain at the center of this swirl currently appears suspended. One might think that all this chatter and and the memo I have pushed out resulted in alarm bells going off waking the sleepy security guard on duty who then sprang into action. Sadly, no. The suspension is at the hosting level.

According to ICANN:

Domain Status:ok

The domain is still registered, still in the registry, still in the DNS, will likely reappear shortly. Stand by, you’ll have full access to narcotics again in no time!

Registry status is also "ok", I say Charles Christopher  –  Mar 24, 2017 10:33 PM

Registry status is also "ok", I say this as I trust direct from the registry data more than the publicly facing data ... Which is sometimes different. Last update was: 2017-03-19T18:48:07Z Last transfer was: 2017-02-27T05:15:48Z So last update occurred shortly after this CircleID post. FWIW

>Stand by, you'll have full access to Charles Christopher  –  Mar 24, 2017 10:40 PM

>Stand by, you’ll have full access to narcotics again in no time!

What bothers me most is that there are laws at play in this case, there is no need for additional internet policies or procedures to address this issue. Which again was my original point.

Thank you ICE for again demonstrating our tax dollars are hard at work .... Busy replacing the pretty curtains (Wizard of Oz).

Ever watch the movie Brazil? :D

“Sam Lowry: Excuse me, Dawson, can you put me through to Mr. Helpmann’s office?
Dawson: I’m afraid I can’t sir. You have to go through the proper channels.
Sam Lowry: And you can’t tell me what the proper channels are, because that’s classified information?
Dawson: I’m glad to see the Ministry’s continuing its tradition of recruiting the brightest and best, sir.
Sam Lowry: Thank you, Dawson.”

And...we're BACK! Garth Bruen  –  Mar 29, 2017 8:28 PM

As pedicted, DONT didn't stay down for long (never does), made more escapes than Houdini. By the way this domain doesn't just offer opioids, it also sells Rohypnol, AKA "roofies" or the date rape drug. Rohypnol is used in a predatory way when attackers place it in a drink consumed by an unsuspecting victim. Like all drugs it has a legitimate use, in this case for patients suffering from extreme insomnia. Drugs, like domains, are harmless until improperly used.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC