
Registrar registering .uk without permission

Status
Not open for further replies.
However, what appears to have happened here is that someone has signed up for a Fasthosts account in your name, with your email address (or changed it afterwards) and then tried registering, therefore the whois applied your details but remained suspended until you confirmed.

Maybe this is a stunt by someone to have the .uk cancelled, therefore being FTR and allowing them to register and try to sell to you!

You're pretty much spot on. I've had it confirmed that the domain will be cancelled today and the rights revert back to me.
It should not get to stage 4 of the registration process and this is the point I've made to Nominet, who have been very good with this.
I think it's the first time they've come across it.
 
Unbelievable from Fasthosts who quote:
"I'm not a domain expert but I thought anyone could now register a .uk domain and the rights period was over."

I politely reminded him that there are still over 4 years to go!!
 
What a joke, just goes to show they haven't got a clue...

I have seen one like this: a person with the rights to the .co.uk, and someone has managed to register the .UK in another name and registrar...


Is there the potential mass problem that some of our .uk domain names may already have been registered by another party, meaning we all need to do an actual check through our portfolios?
 

Not from my understanding, unless you have clicked a link in an email (like BlueRock had).

However, change BlueRock for some gullible Joe Public who is holding a domain he's had since year dot, and knows sod all about domains, gets an email that says to confirm you own xxxx.co.uk click here, what's he gonna do? Potential for fraud is massive here.
 
On the registrar data compliance the email, address and telephone must match. As the attempted registrant did not know my phone number they put another number in. The data compliance therefore could not match yet it went further.
 
Sadly in some cases it's fairly easy to go one step further than what happened to you in this case and register a domain on the same tag which will bypass the authorisation email.

1) "Mr Thief" wants to register example.uk, a whois later they know the registrar is "Example Registrar".

2) They check the whois for example.TLD (com/net/etc) and find it doesn't use privacy protection and is registered in the same name as example.co.uk (and address if it isn't opt-out).

3) They then plug the registration details including the email address shown on the example.com whois into Fasthosts and start the registration process for example.uk. If they don't see the "Please correct the highlighted fields." warning they've validated the registrant details (any site that checks via the API would probably work to validate the example.co.uk registrant details).

4) Go to "Example Registrar" and add example.uk to the cart using "Mr Thief's" contact details for the client information, specify a new contact for the domain registration and enter the example.com whois registrant information validated above.

5) Pay for the domain...

6) No validation checks are done as the registrant information matches and it's on the same tag so all they need to do is update the contact details on the domain to "Mr Thief" and they've registered a .uk they didn't have the rights to.

All very simple to automate if anyone wanted to find a list of .uk domains they could easily hijack.

Nominet's opinion on this is "Registrars are responsible for ensuring second level registrations on their tag are made legitimately" - aren't we the lucky ones!

Looks like I'll be changing all of my domains to use unique email addresses tonight...

Chris.
 
I'm not seeing a requirement for the telephone number to match within the document I've referenced. :) Where are you seeing this stated?


(from iPad - K)

It's on 2b. It's the last entry under "registrant details".
"Do details meet Data Completeness Check? (address, email, telephone)"

They did not know my number so used a false one.
 
I am still not absolutely sure this would work in practice, based on reading through the document I've referenced. Obviously it could be good practice to use an unpublished email address for the admin-c and keep valuable domain names on a registrar tag controlled by oneself or a trusted registrar.

Last night I tried it with one of my co.uk domains which I manage via WHMCS (I'm sure it could be done via other systems too it's just that is how I manage my domains). I added an order for the .uk domain to the cart (as a user) using a crafted URL (bypassing the domainchecker which would say the .uk domain already existed). Used a set of test information for the client (including a different name/email address/etc.) and then selected to use alternate contact information for the domain registration and entered the details from a .com domain whois. This results in the domain being registered and the only email address that gets sent any kind of notification is the one of the "test user" not the registrant of the .co.uk domain.

Chris.

Hmm Pie... or was that API.
 

When you say the only email address that gets sent any kind of notification is the one of the "test user" not the registrant of the .co.uk domain, was that the email from Nominet with the link to approve it? Or was it some other email and the email with the link is still to come? Is the domain you registered stuck in "suspended" status?

From following this thread, I thought the email with the link gets sent to the .co.uk's admin email and worst case is the domain gets created, remains suspended for 7 days then cancelled if the .co.uk admin email owner doesn't click the link to approve (and Nominet need to urgently make sure future registration is once again restricted to the .co.uk/rights owner if that isn't currently the case).

Or did you manage to bypass the above procedure and get an unsuspended .uk without the .co.uk admin email being involved at all?
 

The only email sent is from my billing system (WHMCS). There is no email from Nominet if the .uk domain is registered on the same tag as the .X.uk with rights (see 3b from the Nominet pdf linked earlier) so after ordering the .uk domain it was live, in the zone and resolving (and the .X.uk registrant wouldn't have any clue).
 
OK thanks for clarifying. So to summarise, beware of Nominet emails with a link to approve the creation of a .uk version of one of your domains. And watch out if you have domains held at a registrar open to the public - keep your admin email secret.

Presumably then if

a) you have your own tag just for yourself and
b) should you receive any Nominet emails asking to approve a .uk request from some other tag/registrar, you make sure you never click on them

...it is not possible for someone else to create a .uk version of one of your domains on your tag?
 
Does it mean someone could create accounts with Fasthosts, 123-reg, Domainmonster etc. and when a domain is about to drop, say about now on the day of the drop, register the .uk?

There would be no domain to revert it back to, as the .co.uk would have dropped and been re-registered.

Unless Nominet only allow you to register a .uk from a matching right when not suspended?
 
To clarify fully: is the .uk 2LD that is registered on the same registrar tag as the 3LD that had the Right, in your experiment, registered to the same Registrant as the 3LD that had the Right, or can it be registered to a different Registrant? I realise the .uk 2LD is registered using a different admin-c email address, but I am not sure whether you are claiming that it is possible to make the registration to a totally different Registrant.

Initially the 2LD would need to be registered with the same registrant details as the 3LD, but there's nothing to stop Mr Thief changing them and/or pushing it to a different tag afterwards and waiting to see if they get caught.

I would much rather Nominet emailed the registrant with rights in ALL cases (even if it was just a notification) rather than just those with a tag mismatch to prevent this being an issue that could go unnoticed for some time.

Chris.
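
Added example, not part of any post in this thread and not code from WHMCS, Fasthosts or Nominet: a registrar-side sketch of the gap discussed above, where a same-tag .uk order is accepted because the typed-in registrant details match, next to a check that binds the order to the customer account managing the rights domain and always notifies the email already on file. All class, function and account names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contact:
    name: str
    email: str
    address: str

@dataclass(frozen=True)
class Registration:
    domain: str        # third-level domain holding the right, e.g. example.co.uk
    account_id: str    # registrar customer account that manages it
    registrant: Contact

@dataclass(frozen=True)
class Order:
    domain: str        # requested second-level .uk name
    account_id: str    # customer account placing the order
    registrant: Contact  # details typed into the order form

def _norm(c):
    # Case- and whitespace-insensitive comparison of contact fields.
    return tuple(" ".join(v.lower().split()) for v in (c.name, c.email, c.address))

def details_only_check(order, rights):
    """Weak check from the thread: matching details on the same tag are enough."""
    holder = rights.get(order.domain)
    return holder is not None and _norm(holder.registrant) == _norm(order.registrant)

def account_bound_check(order, rights):
    """Return (action, notify). Details copied from public whois are not proof."""
    holder = rights.get(order.domain)
    if holder is None:
        return ("defer_to_registry_process", [])
    notify = [holder.registrant.email]  # address on file, never the one in the order
    same_account = order.account_id == holder.account_id
    same_details = _norm(holder.registrant) == _norm(order.registrant)
    if same_account and same_details:
        return ("register", notify)
    return ("hold_for_rights_holder_approval", notify)

# Constructed sample data: one rights holder on this tag and two orders.
OWNER = Contact("Jane Owner", "jane@example.com", "1 High St, London")
RIGHTS = {"example.uk": Registration("example.co.uk", "acct-1001", OWNER)}
COPIED = Contact("jane owner", "Jane@Example.com", "1 High St,  London")
IMPOSTOR_ORDER = Order("example.uk", "acct-9999", COPIED)
OWNER_ORDER = Order("example.uk", "acct-1001", OWNER)
```

The second check also covers the point raised in the last post: the rights holder's address on file is in the notify list for every outcome, so a same-tag registration cannot go through unnoticed.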
 