advice What’s happened to my domain?

[Blueforever]

Yesterday (November 18th) I received an email from namesilo that my domain name (TokenizeEverything.com) was to be transferred out to another registrar, there was also an option to cancel if i follow the URL which I quickly did.

I logged into my account to find the name missing. I spoke to support who had said that ‘When you cancelled the transfer it was deactivated’ although they reinstated the name to my account which I can see is there and thought that was the end of it.
A few hours later I check the domain to find it has a different landing page. Wtf!
Go to Whois to find it’s under a network solutions registry owned by a guy named David shoop jr. Fb profile https://m.facebook.com/DavidShoopJr

I log into my namesilo account, and there it is. The name is still in my account.

I try to make changes, nameservers, make Whois private, but none of it works. It’s like the domain is only there in text but it’s not in my account as I have no control on it, if that makes sense.
I spoke to namesilo, they have given me no answers except their IT people are looking into it.
Now I see this guy has added a WordPress site to my domain name. Whats odd, is when looking at the login history, there is no unusual login to my account.
Any thoughts on what is going on? Has my name been stolen? If it has why show your full name on Whois? Or is this a glitch on namesilos end?

 

[Ostrados]

Sedo MLS is immune to this loophole because they have solid domain verification using text records, but still same problem can happen if previous domain owner forgot to remove the domain from his account, as Sedo do not recheck the domains again after they are accepted.

 

[7363824]

It is clear this is theft attempt not honest mistake, some scammer listed the domain at Afternic, then you accepted.. after that he might set the domain at $20 BIN then buy it himself from Network Solution and get the domain in his account for free!

That is very possible scenario if true then it is huge loophole in Afternic system anyone can do trial and error and list hundreds of domains, some non zero percentage my click Afternic approval email by mistake as @Blueforever did, then scammer will easily steal those domains that were added to his Afternic account.

We are summoning @Joe Styler to shed light on this loophole

The scariest part is for someone who lists domains on Afternic I might not realize if someone else listed my domain thinking it was one I listed.

 

[55Domains]

The scariest part is for someone who lists domains on Afternic I might not realize if someone else listed my domain thinking it was one I listed.

correct, if one lists 100s of domains, these are routine emails and you just accept them, there is no way one who does a real quantity of domains can remember which domains he is having listed and whch not. A loophole that needs instant attention and fixing from afternic/registrars

 

[Joe Styler]

I know it did sell via Afternic, but I do not know all the details beyond the fact that Afternic is working with Namesilo to see what happened. It appears to me from what I have seen that the OP approved the listing via an email from Namesilo. We have a pretty robust verification system in place. I believe this name was under privacy on the WHOIS, regardless we ask the registrar if the name can be listed, they in turn contact the registrant who has to approve the listing.
We did not pay anyone on the sale as far as I know because it is being investigated. I did not comment last week because I did not have all the facts. Some of them were logs only Namesilo has access to, ie what customer was asked to opt in to transfer the domain, who actually did do that, etc. I still do not know all the facts as there is still an investigation. I do not think there is a security loophole as you as the registrant of the domain have to confirm that you want to sell the domain with us via your registrar before we can list your domain as a fast transfer sale - meaning a sale that would move the domain away from your account after it sold.
There are ways to unwind this if there is theft or fraud etc. We will have to wait and see all the facts in this sale to determine the outcome. I do not have them yet.

 

[Ostrados]

I know it did sell via Afternic, but I do not know all the details beyond the fact that Afternic is working with Namesilo to see what happened. It appears to me from what I have seen that the OP approved the listing via an email from Namesilo. We have a pretty robust verification system in place. I believe this name was under privacy on the WHOIS, regardless we ask the registrar if the name can be listed, they in turn contact the registrant who has to approve the listing.
We did not pay anyone on the sale as far as I know because it is being investigated. I did not comment last week because I did not have all the facts. Some of them were logs only Namesilo has access to, ie what customer was asked to opt in to transfer the domain, who actually did do that, etc. I still do not know all the facts as there is still an investigation. I do not think there is a security loophole as you as the registrant of the domain have to confirm that you want to sell the domain with us via your registrar before we can list your domain as a fast transfer sale - meaning a sale that would move the domain away from your account after it sold.
There are ways to unwind this if there is theft or fraud etc. We will have to wait and see all the facts in this sale to determine the outcome. I do not have them yet.

The loophole is this:

anyone can do trial and error and list hundreds of domains, some non zero percentage may click Afternic approval email by mistake

The solution is to use text record verification as you do in Godaddy auction listings.

 

[Joe Styler]

We have been explicitly told by lots of Afternic users, some on this forum on other threads that they do not want to do that. We are probably moving to some form of that at some point but many customers have told us that various registrars they use do not make it easy to update the DNS or update the DNS in bulk to add txt records and with lots of listings to add this would mean they would no longer list with us.

I understand your position but there is an equally valid position, which is, don't randomly click approvals on links in your emails it is not a good habit because this could be done for a lot of things like someone resetting your password to a financial institution etc.

I think randomly trying to send people links to click would fall under fraud in which case we can unwind sales as I have previously stated. We are also regulated by various bodies as well as in compliance with courts of competent jurisdiction etc. We also can and do as warranted work with law enforcement bodies throughout the world. Stealing people's domains is not without its problems for the perpetrators. We have other steps in place as well to combat things of this nature which I do not wish to comment on publicly.

 

[7363824]

We have been explicitly told by lots of Afternic users, some on this forum on other threads that they do not want to do that. We are probably moving to some form of that at some point but many customers have told us that various registrars they use do not make it easy to update the DNS or update the DNS in bulk to add txt records and with lots of listings to add this would mean they would no longer list with us.

@Joe Styler

I understand your position but there is an equally valid position, which is, don't randomly click approvals on links in your emails it is not a good habit because this could be done for a lot of things like someone resetting your password to a financial institution etc.

I think randomly trying to send people links to click would fall under fraud in which case we can unwind sales as I have previously stated. We are also regulated by various bodies as well as in compliance with courts of competent jurisdiction etc. We also can and do as warranted work with law enforcement bodies throughout the world. Stealing people's domains is not without its problems for the perpetrators. We have other steps in place as well to combat things of this nature which I do not wish to comment on publicly.

I for one would want dns text record verification. You already do it for Godaddy auction listings so you already have developed the code and would just need to port it over to your afternic system. I believe most registrars have a means to do bulk DNS updates or even default dns records that can automatically be applied. If you just give each user an account specific, unchanging, verification code I could easily set that up as a default dns record with I believe every registrar I use.

Like I said, I list domains on Afternic it is sometimes hard to keep straight if the domain I get a verification email is for one I legitimately listed or not.

That is to say nothing of the annoying manual process to remove a domain if it's already listed by a previous owner.

Another option though it would be to allow a partner registrar to create a link between the registrar account and an Afternic account using oauth which could allow one click listing from the registrar resolving the verification and removal issues, but would require buy-in from your partner registrars to update their systems.

 

[Ja Kai]

Yesterday (November 18th) I received an email from namesilo that my domain name (TokenizeEverything.com) was to be transferred out to another registrar, there was also an option to cancel if i follow the URL which I quickly did.

I logged into my account to find the name missing. I spoke to support who had said that ‘When you cancelled the transfer it was deactivated’ although they reinstated the name to my account which I can see is there and thought that was the end of it.
A few hours later I check the domain to find it has a different landing page. Wtf!
Go to Whois to find it’s under a network solutions registry owned by a guy named David shoop jr. Fb profile https://m.facebook.com/DavidShoopJr

I log into my namesilo account, and there it is. The name is still in my account.

I try to make changes, nameservers, make Whois private, but none of it works. It’s like the domain is only there in text but it’s not in my account as I have no control on it, if that makes sense.
I spoke to namesilo, they have given me no answers except their IT people are looking into it.
Now I see this guy has added a WordPress site to my domain name. Whats odd, is when looking at the login history, there is no unusual login to my account.
Any thoughts on what is going on? Has my name been stolen? If it has why show your full name on Whois? Or is this a glitch on namesilos end?

With namesilo (like many others) the domain can't leave your account without a forced transfer.

I know it did sell via Afternic, but I do not know all the details beyond the fact that Afternic is working with Namesilo to see what happened. It appears to me from what I have seen that the OP approved the listing via an email from Namesilo. We have a pretty robust verification system in place. I believe this name was under privacy on the WHOIS, regardless we ask the registrar if the name can be listed, they in turn contact the registrant who has to approve the listing.
We did not pay anyone on the sale as far as I know because it is being investigated. I did not comment last week because I did not have all the facts. Some of them were logs only Namesilo has access to, ie what customer was asked to opt in to transfer the domain, who actually did do that, etc. I still do not know all the facts as there is still an investigation. I do not think there is a security loophole as you as the registrant of the domain have to confirm that you want to sell the domain with us via your registrar before we can list your domain as a fast transfer sale - meaning a sale that would move the domain away from your account after it sold.
There are ways to unwind this if there is theft or fraud etc. We will have to wait and see all the facts in this sale to determine the outcome. I do not have them yet.

What Godaddy/Afternic users would like to hear, is not all the nonsense about systems, processes, and how the Afternic/Godaddy customer should not be making the mistake of clicking on the wrong email activation. IT IS GODADDY/AFTERNIC's responsibility to insure that a domain does not leave someones account - without them having intent to facilitate the sale. YOU, Joe, should have systems in place to protect the customer - it just shouldn't be the way it currently is.

Blaming people for authorizing emails that are received by them, from afternic - or afternic partners - is BS. HOW ABOUT matching up the email for verification to the email of the account that sold the domain - If they don't match up, keep the sale "pending" until you figure out what went awry.

Joe, stop blaming the consumer. The onus is YOURS - it's your system.

For once, it would be nice to hear, "yeah, we made a mistake. it shouldn't be this way. We will make it right".

 

[Abdullah Abdullah]

We have been explicitly told by lots of Afternic users, some on this forum on other threads that they do not want to do that. We are probably moving to some form of that at some point but many customers have told us that various registrars they use do not make it easy to update the DNS or update the DNS in bulk to add txt records and with lots of listings to add this would mean they would no longer list with us.

I understand your position but there is an equally valid position, which is, don't randomly click approvals on links in your emails it is not a good habit because this could be done for a lot of things like someone resetting your password to a financial institution etc.

I think randomly trying to send people links to click would fall under fraud in which case we can unwind sales as I have previously stated. We are also regulated by various bodies as well as in compliance with courts of competent jurisdiction etc. We also can and do as warranted work with law enforcement bodies throughout the world. Stealing people's domains is not without its problems for the perpetrators. We have other steps in place as well to combat things of this nature which I do not wish to comment on publicly.

Assuming the registrant does not click on any links in emails he is not aware of, here is what I believe might be an issue. Lets suppose I bought a name that has been approved for fast transfer sale, and which is listed on Afternic by the previous owner , who happens to be the one who approved the Fast Transfer before I bought the domain. What happens if it gets sold on Afternic? Of course it will.be removed from my account wihout my knowledge. I believe this is the loophole which can be exploited by scammers.

If a push or transfer takes place, I.believe Afternic should void the previous Fast Transfer approval and request a new one from the new owner. If the new registrant then simply approves without checking if he or she listed the name or not, then it will fall on him/her. This can also affect even handregs.

 

[Ostrados]

Assuming the registrant does not click on any links in emails he is not aware of, here is what I believe might be an issue. Lets suppose I bought a name that has been approved for fast transfer sale, and which is listed on Afternic by the previous owner , who happens to be the one who approved the Fast Transfer before I bought the domain. What happens if it gets sold on Afternic? Of course it will.be removed from my account wihout my knowledge. I believe this is the loophole which can be exploited by scammers.

If a push or transfer takes place, I.believe Afternic should void the previous Fast Transfer approval and request a new one from the new owner. If the new registrant then simply approves without checking if he or she listed the name or not, then it will fall on him/her. This can also affect even handregs.

Yes and that's why registrars must cancel fast transfer agreement on a domain in case of:
1- Domain push
2- Domain transfer
3- Domain drop

I think practically this should be done from Registrars side not from Afternic side, because registrars have live data about domain changes, Afternic do not.

Same issue will also happen with @Sedo MLS I think.

 

[Abdullah Abdullah]

Yes and that's why registrars must cancel fast transfer agreement on a domain in case of:
1- Domain push
2- Domain transfer
3- Domain drop

I think practically this should be done from Registrars side not from Afternic side, because registrars have live data about domain changes, Afternic do not.

Same issue will also happen with @Sedo MLS I think.

Agreed, however , I think even these market places can know when and if there is a change in the name, whether it dropped, or contacts getting updated or even in cases of privacy enabled domains, you can still detect the changes.

 

[nhauctions]

Correct, however, if they then do not fix their "mistake" immidiately, and dont also make sure this cannot happen again, it dosnt matter, "if they knew", atleast in court it would not, they took/transferred a name without authorization and did not go on to fix the issue, then its theft. And to me it looks like that if Blueforever was an end-user here and didnt know about domaining etc, this would have gone unanswered and Namesilo would have just ignored it.

That might be true in the US but it's not true in the UK. This would be a civil matter and nothing to do with the criminal courts. Isn't that also the case in the US. Blueforever would win a case like this but I still don't think it's theft. To prove theft you have to show there was an intention to steal it from the outset. That is different to what happened here. To be clear, I think Namesilo are in the wrong here and look very incompetent, but I still don't think it's theft.

 

[Ja Kai]

I understand your position but there is an equally valid position, which is, don't randomly click approvals on links in your emails it is not a good habit because this could be done for a lot of things like someone resetting your password to a financial institution etc.

That might be true in the US but it's not true in the UK. This would be a civil matter and nothing to do with the criminal courts. Isn't that also the case in the US. Blueforever would win a case like this but I still don't think it's theft. To prove theft you have to show there was an intention to steal it from the outset. That is different to what happened here. To be clear, I think Namesilo are in the wrong here and look very incompetent, but I still don't think it's theft.

This appears not to be theft. Rather, a clusterf*ck of godaddy/afternic programming. Godaddy always blames the customer.

 

[Ja Kai]

Here is what @JoeStyler and Godaddy want to keep from the public.

When HugeDomains and other big companies input their domains, there is a reduced authentication process. They can actually list a name, that you have already listed, and that name will be removed from your afternic listings and entered into the BIG company's afternic portfolio. At the time this occurs, the domain is ALREADY opted-in and will fast transfer when sold - without the original owner even knowing - until the transfer has already occurred (that is if they read the email from the registrar that was holding the domain).

 

[tonyk2000]

Assuming that @Blueforever indeed mistakenly approved instant transfer setup for a whois-privacy protected domain, we are definitely not speaking about a theft attempt. Nor there is any wrongdoing on NameSilo / Afternic end. Who knows, maybe the domain owners has >1 registrar accounts or >1 afternic accounts, and/or authorized somebody else to sell the domain on their behalf (including through Afternic) - either should be OK from Afternic and Namesilo point of view. The second human error is of previous owner - they could not realistically expect to sell something they no more own, so I'd classify their submission as another error in this story. Good that @namesilo and Godaddy @Joe Styler are working to "correct" this unfortunate combination of 2 errors

 

[7363824]

Here is what @JoeStyler and Godaddy want to keep from the public.

When HugeDomains and other big companies input their domains, there is a reduced authentication process. They can actually list a name, that you have already listed, and that name will be removed from your afternic listings and entered into the BIG company's afternic portfolio. At the time this occurs, the domain is ALREADY opted-in and will fast transfer when sold - without the original owner even knowing - until the transfer has already occurred (that is if they read the email from the registrar that was holding the domain).

And what exactly are you basing this on? Adternic has its share of flaws and is a screwed up system in many ways but this seems a bit far fetched, unless you have some evidence of this.

Assuming that @Blueforever indeed mistakenly approved instant transfer setup for a whois-privacy protected domain, we are definitely not speaking about a theft attempt. Nor there is any wrongdoing on NameSilo / Afternic end. Who knows, maybe the domain owners has >1 registrar accounts or >1 afternic accounts, and/or authorized somebody else to sell the domain on their behalf (including through Afternic) - either should be OK from Afternic and Namesilo point of view. The second human error is of previous owner - they could not realistically expect to sell something they no more own, so I'd classify their submission as another error in this story. Good that @namesilo and Godaddy @Joe Styler are working to "correct" this unfortunate combination of 2 errors

It very much is negalegence due to Afternic's and Namesilo's lack of proper verification. At least they are reversing everything but they also need to fix their systems that allowed this to happen in the first place.

 

[Ja Kai]

And what exactly are you basing this on? Adternic has its share of flaws and is a screwed up system in many ways but this seems a bit far fetched, unless you have some evidence of this.

Treat it as gospel, unless Joe refutes.

 

[tonyk2000]

They can actually list a name, that you have already listed, and that name will be removed from your afternic listings and entered into the BIG company's afternic portfolio

The latest case I saw - domain mystically became "pending review" @ my afternic account (after being 100% set and approved initially). Not deleted ot disappeared. And the "review" was completed in my favor. I know that somebody else (api customer of afternic most likely) is constantly trying to add it. During the first 60 days of my ownership, I sent maybe 5 request asking afternic to remove the domain from their system - they removed it, but it was re-added again in a few days. After 60 days and the last request to remove the domain, I finally decided to add it, as it became ready to be transferred.

 

[7363824]

Treat it as gospel, unless Joe refutes.

I mean I hate to be the one for defend Godaddy/Afternic and they have tons or problems but i dont think that is one of them.

 

[tonyk2000]

Yeah, it is a common knowledge that api customers of afternic are able to add anything without any verification. If they do not really own the domain, and if the domain is regged with a fast-transfer registrar, then fast transfer auth request is sent to legitimate owner. The owner may reject - but the domain still would be listed for sale, just without fast transfer. What is not 100% clear is how duplicate requests of api customers to add the domain which already exists at afternic are currently dealt with. There are reports - in this thread by @Ja Kai and in related threads by other members - that such domains may disappear from legitimate owners accounts. I've not seen this scenario yet - but what I saw was the domain switching to "pending revew" (last case), or, earlier, I saw nothing negative. Meaning that as soon as I added "conflicting" domain to Afternic - it would remain there, but I will also have to fix the things on Sedo end (as many api customers of Afternic a) do not know what they own and b) submit their lists to both Afternic and Sedo).
It may well be that (automated?) processing of duplice requests received from api afternic customers depends on the domain registrar (afternic system should be able to check real unmasked whois for GD-regged domains at least)... also fast transfer status may be taken into account (if the real owner earlier approved fast transfer - then afternic system may reasonably guess that the retail customer indeed owns it, and that the api customer who sent duplicate add request does not actually own it).... ? ... @Joe Styler

 

[Joe Styler]

Treat it as gospel, unless Joe refutes.

That is not the way it works and treating it as Gospel unless I respond is not reliable either. I am pretty busy and I do my best to look at NamePros and keep up with it but I don't always see everything or have time to respond. For instance I will be out for Thanksgiving starting in a couple hours and not looking at anything on Namepros until at least next week

 

[Joe Styler]

Assuming the registrant does not click on any links in emails he is not aware of, here is what I believe might be an issue. Lets suppose I bought a name that has been approved for fast transfer sale, and which is listed on Afternic by the previous owner , who happens to be the one who approved the Fast Transfer before I bought the domain. What happens if it gets sold on Afternic? Of course it will.be removed from my account wihout my knowledge. I believe this is the loophole which can be exploited by scammers.

If a push or transfer takes place, I.believe Afternic should void the previous Fast Transfer approval and request a new one from the new owner. If the new registrant then simply approves without checking if he or she listed the name or not, then it will fall on him/her. This can also affect even handregs.

That isn't how things work at Afternic. The current registrant has to agree to the transfer. That is not only how we work it is ICANN rules. We do void the previous opt in when there is a new registrant. This was done in this case. We work with the registrars, the customer needs to approve the transfer via their registrar, you should be familiar with the way things work being from Epik which is a partner as well as a registrar, who has to follow the same transfer rules from ICANN as anyone else. The current registrant must agree to the transfer.

 

[Abdullah Abdullah]

That isn't how things work at Afternic. The current registrant has to agree to the transfer. That is not only how we work it is ICANN rules. We do void the previous opt in when there is a new registrant. This was done in this case. We work with the registrars, the customer needs to approve the transfer via their registrar, you should be familiar with the way things work being from Epik which is a partner as well as a registrar, who has to follow the same transfer rules from ICANN as anyone else. The current registrant must agree to the transfer.

Thanks for responding Joe. I understand this very well, however, my question wqs different. I am talking about buying a name that is listed in another account and that has been approved for fast transfer before. Provided the domain stays in the same registrar that the fast transfer was approved for, I dont think the new owner will get any new request to approve fast transfer. That will be the case right?

 

[xynames]

Just received an email advising me that Afternic was removing a domain from my listings because they were “unable to verify your ownership of the domain,” but...Afternic itself sold this domain for me over two years ago, at which point it was Fast Transferred out.

This Afternic glitch of thinking a domain I sold long ago is still in my portfolio - any relevance to the issue at hand in this thread?

 

[Abdullah Abdullah]

Just received an email advising me that Afternic was removing a domain from my listings because they were “unable to verify your ownership of the domain,” but...Afternic itself sold this domain for me over two years ago, at which point it was Fast Transferred out.

This Afternic glitch of thinking a domain I sold long ago is still in my portfolio - any relevance to the issue at hand in this thread?

I would say Yes. But it is good they are taking steps to correct this