Problematic flaw in .co.za (EPP) transfer process

NullHypothesis

Hi Guys

Me again with a novella.

.co.za domains have the advantage of being able to transfer a domain name between registrars instantly and without having to renew it for another year. But I recently noticed a little bit of a problem. Unlike the legacy transfer system, the EPP update Email “Domain Transfer Request for domainname.co.za” sent from “[email protected]” does not contain the Email address that requested the transfer. I tried hovering over the "Accept Transfer" hyperlink to see if there is anything there about the person requesting the domain but nothing.

In other words, if I am selling the nkandlagirls.co.za domain (aftermarket) to JZ ([email protected]) but JM ([email protected]) gets wind of the transaction, [email protected] can then submit a transfer ticket from his registrar. I will then get a “Domain Transfer Request” which I assume is from ([email protected]) and click the “Accept Transfer” link and the domain is gone. ([email protected]) now has control of the domain and he can direct it to wherever he wants to. A lot of “did you submit the update” back and forth or contacting “losing” registrar can be avoided. And what if two updates for the same domain are received, how do you know if it’s (a duplicate) from the same Email or if one is a fraudster?

Maybe day to day this is not a problem, but I sometimes buy and sell domains. And I’ve had to deal with partners that are stabbing each other in the back. The one “found” the domain first then he told the other about it. Then the other completes the transaction without the one who discovered it. And the one who found it is bitter. I think there is a margin for fraud if the delinquent knows the selling process. Example if it’s: terms agreed > payment made > payment clears > submit ticket. JM knowing this could distract JZ after payment is made and submit his ticket first.

It just worries me a bit, sometimes I broker domains, if I hold the (buyers) money while seller transfers name over I’m going to be a bit nervous. I just worry if there is a dispute I cannot quickly provide the chain of custody with regards to who initiated the transfer.

Even if you're using Escrow and a third party swoops in and takes it. Once you click that “Accept Transfer” your recourse is dispute resolution (you gonna go lay fraud charges at SAPS huh?). And that money will be in Escrow till the matter is sorted (and returned to buyer if we can’t get the domain back) and the seller will be out of a domain. I’ve dealt with a UniForum complaint already they just like “oh send your complaint to [email protected], call me maybe”

Why do we not have the ability to easily “push” domains from one account to another account at the same registrar with local domains? It’s instantaneous, and there is a paper trail. Buyer gives his account name seller pushes domain to his account. Registrar has a record that the internal transfer took place.

To legally cover myself I will be isolating each domain about to be sold in a different account and just hand over the username and password to the buyer. The first thing the buyer must do is change his password and then initiate the transfer himself.

That, and why does the local registry need 5 days to update changes to contact details? But when a domain is transferred to a new registrar the receiver’s contact details can update immediately.

Do me a favour: see below, see the pink text on the first image (EPP), if you did an EPP transfer before what does yours read? Mine always reads the name of the new registrar; surely it will be better to show the requesting email address here?

EPP (new)
[image]

Legacy (old)
[image]
 
You can't transfer a domain that's about to expire within 30 days (I know it's not exactly what you're asking, but your understanding of how it works is lacking slightly)

As for your initial observation, depending on who you're using as a registrar, they implement this safely. The transfer request from/who does get emailed to you beforehand. But since this is an API implementation, and not everyone would have the feature, I'd assume it's specific to the registrar you're using and you can contact them specifically to suggest this feature or move to someone who has this.
 
You can't transfer a domain that's about to expire within 30 days (I know it's not exactly what you're asking, but your understanding of how it works is lacking slightly)

As for your initial observation, depending on who you're using as a registrar, they implement this safely. The transfer request from/who does get emailed to you beforehand. But since this is an API implementation, and not everyone would have the feature, I'd assume it's specific to the registrar you're using and you can contact them specifically to suggest this feature or move to someone who has this.

You have completely missed the gist of the post (it deals with the update of .co.za domains). Also (while it has nothing to do with that), you are the one that is out of date. You can now move a .co.za domain within 30 days of expiry. And I've been doing this for a long time. My point is accurate.
 
Why do we not have the ability to easily “push” domains from one account to another account at the same registrar with local domains? It’s instantaneous, and there is a paper trail. Buyer gives his account name seller pushes domain to his account. Registrar has a record that the internal transfer took place.
This depends on which registrar you use. I know Frikkadel.co.za supports this feature, others might too.

That, and why does the local registry need 5 days to update changes to contact details? But when a domain is transferred to a new registrar the receiver’s contact details can update immediately.
I haven't understood this one either. Perhaps a measure to curb fraudsters? Maybe Calvin can shed some light on this.

You can't transfer a domain that's about to expire within 30 days
Yes, you can. I've transferred an expired domain and renewed it at the new registrar. Newly registered domains, however, have issues.
 
You can't transfer a domain that's about to expire within 30 days (I know it's not exactly what you're asking, but your understanding of how it works is lacking slightly)

As for your initial observation, depending on who you're using as a registrar, they implement this safely. The transfer request from/who does get emailed to you beforehand. But since this is an API implementation, and not everyone would have the feature, I'd assume it's specific to the registrar you're using and you can contact them specifically to suggest this feature or move to someone who has this.

Read it slowly again, and this time do not reply with conjecture, because we deal with fact and we have to be very thorough. I have tried this with both Domains.co.za & ZADomains.net

Here is the process:

1. Go to "winning" registrar to initiate transfer process.

2. First Email received: CO.ZA Registry: Domain Transfer Request for domainname.co.za. This Email comes from [email protected] (registry).

3. Then an Email comes from the winning registrar to say something along the lines of "This email is to inform you that the transfer of the domain domainname.co.za has been requested."

4. Then comes another Email from the registry, CO.ZA Registry: Domain Transfer Notification for "domainname.co.za", this from [email protected] saying "Please be advised that the domain transfer for "domainname.co.za" has been completed."

5. Then usually an Email from the losing registrar to say "We have received confirmation that your domain domainname.co.za has successfully transferred away from us."

Nowhere is the Email address of the person that requested the update mentioned.
 
Why do we not have the ability to easily “push” domains from one account to another account at the same registrar with local domains? It’s instantaneous, and there is a paper trail. Buyer gives his account name seller pushes domain to his account. Registrar has a record that the internal transfer took place.

To legally cover myself I will be isolating each domain about to be sold in a different account and just hand over the username and password to the buyer. The first thing the buyer must do is change his password and then initiate the transfer himself.

This depends on which registrar you use. I know Frikkadel.co.za supports this feature, others might too.

No they don't. I'm talking about an automated push (button) within the client area (for a .co.za domain).

By the way add Frikkadel to the list of registrars that I have tested (along with Domains.co.za & ZADomains.net) that do not mention the Email address that initiated the transfer out. The registry Email only mentions the new registrar the transfer application came from (and not the Email address that initiated it). Now I'm even more keen to find out who envo's registrar is.
 
You can't transfer a domain that's about to expire within 30 days (I know it's not exactly what you're asking, but your understanding of how it works is lacking slightly)

As for your initial observation, depending on who you're using as a registrar, they implement this safely. The transfer request from/who does get emailed to you beforehand. But since this is an API implementation, and not everyone would have the feature, I'd assume it's specific to the registrar you're using and you can contact them specifically to suggest this feature or move to someone who has this.

You can't transfer a domain that's about to expire within 30 days.

Yes, you can. I've transferred an expired domain and renewed it at the new registrar. Newly registered domains, however, have issues.

I don't think that envo knows what he's talking about in totality. His reply makes no sense, is he a bot? It sounds like he just did a search for random threads and just regurgitated what he read.
 
No they don't. I'm talking about an automated push (button) within the client area (for a .co.za domain).

By the way add Frikkadel to the list of registrars that I have tested (along with Domains.co.za & ZADomains.net) that do not mention the Email address that initiated the transfer out. The registry Email only mentions the new registrar the transfer application came from (and not the Email address that initiated it). Now I'm even more keen to find out who envo's registrar is.

We really wouldn't mind adding this functionality if we had access to it. EPP tells us who the requesting registrar is, but not who requested the transfer.

There are some issues with adding a "move domain to another account" button on the front end, but if you logged a ticket with us requesting the domain be moved to another account, we'd gladly do that.
 
Hi,

Maybe I can clarify some information here for you.

On EPP, you have domain objects (eg: example.co.za) and contact objects (eg: DCS26262654).

The contact object contains all the registrant information in the case of .co.za (On international domains, there are different contact objects for each admin, billing, tech, etc).

When you transfer a domain, you are _only_ working with the domain object. The contact object on a domain is not touched, changed or influenced in any way. No contact information on any domain name changes during a domain transfer.

What actually happens is that once a domain has successfully been transferred, a contact update is done by the gaining registrar to the contact object with the new information that was specified when you did the domain transfer.

In the case of .co.za, after a domain transfer has taken place, the contact object receives the update from the gaining registrar and that contact object enters its 5 day pending update period. It's not possible to update the contact information immediately on a .co.za domain, even with a domain transfer.

When a gaining registrar initiates an epp domain transfer, no "initiator email address is given to the EPP system".
ZACR has no idea on who exactly is requesting the domain transfer. All they see is "Registrar X is requesting a domain transfer of Y domain from Registrar Z"

For example, this is all that is sent by the Gaining Registrar to the EPP system when a domain transfer is requested:

Code:
<epp:epp xmlns:epp="urn:ietf:params:xml:ns:epp-1.0" 
xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
  <epp:command>
    <epp:transfer op="request">
      <domain:transfer>
        <domain:name>example.co.za</domain:name>
      </domain:transfer>
    </epp:transfer>
  </epp:command>
</epp:epp>


Now internationally, the registries never interact with the registrants in any way, only the registrars do.

When doing a transfer of a .com for example, the emails you receive are sent directly from the Gaining and Losing Registrars. The gaining registrar sends you an email saying "We have received a transfer from [email protected]" do you want to authorize it. (This is known as the Forms of Authority Email) and is an ICANN Requirement on TLD's and gTLD's.

With .co.za, ZADNA decided that only the ZACR registry would send transfer notifications directly to the registrant from [email protected]. They did this to prevent Registrars from holding the registrants' domains hostage and because they didn't trust all registrars to perform this task. This however ended up causing more problems than it's worth since it has blurred the lines between the Registrar & Registry and also means that the registry has no way of telling the registrant who actually requests a domain transfer.

Likewise, the losing registrar has no idea what email address initiated a domain transfer, all they receive from the EPP system is:

Code:
<epp:epp xmlns:epp="urn:ietf:params:xml:ns:epp-1.0" 
xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
  <epp:response>
    <epp:result code="1301">
      <epp:msg>Command completed successfully; ack to dequeue</epp:msg>
    </epp:result>
    <epp:msgQ count="1" id="ABC-123">
      <epp:qDate>2011-04-15T14:36:27.549+02:00</epp:qDate>
      <epp:msg>Domain 'example.co.za' transfer requested by 'RegistrarID', 
a decision is required to approve or reject the transfer</epp:msg>
    </epp:msgQ>
    <epp:resData>
      <domain:trnData>
        <domain:name>example.co.za</domain:name>
        <domain:trStatus>pending</domain:trStatus>
        <domain:reID>RegistrarID</domain:reID>
        <domain:reDate>2011-04-15T12:36:27Z</domain:reDate>
        <domain:acID>CurrentID</domain:acID>
        <domain:acDate>2011-04-15T12:37:47Z</domain:acDate>
      </domain:trnData>
    </epp:resData>
    <epp:trID>
      <epp:clTRID>CLTRID-13028710879-4AIN</epp:clTRID>
      <epp:svTRID>ZACR-EPP-12F5929931B-BAEC8</epp:svTRID>
    </epp:trID>
  </epp:response>
</epp:epp>

So the losing registrar can only see 'Registrar X' is requesting a domain transfer for Y domain.

As for domain pushing, we often push domains between clients and reseller accounts, but only on request from the "losing" reseller or client. There would still be a 5 day contact update period to the new registrant's details though.

We have also acted as an escrow for many domain sales whereby the domain is transferred to us for holding and we release the domain out to the new owner once payment transfer has been completed.

Regards,
Dave @ Domains.co.za
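
An added example, not part of the post above or any registrar's code: a Python check a losing registrar could run over the poll message quoted above, comparing `domain:reID` with a gaining registrar the seller declared beforehand. The `expected` mapping and the decision labels are hypothetical; a match confirms only the registrar, never the person who initiated the request.

```python
import re
import xml.etree.ElementTree as ET

NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0",
      "domain": "urn:ietf:params:xml:ns:domain-1.0"}

# Poll message as quoted in the post above.
POLL_MESSAGE = """\
<epp:epp xmlns:epp="urn:ietf:params:xml:ns:epp-1.0"
xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
  <epp:response>
    <epp:result code="1301">
      <epp:msg>Command completed successfully; ack to dequeue</epp:msg>
    </epp:result>
    <epp:msgQ count="1" id="ABC-123">
      <epp:qDate>2011-04-15T14:36:27.549+02:00</epp:qDate>
      <epp:msg>Domain 'example.co.za' transfer requested by 'RegistrarID',
a decision is required to approve or reject the transfer</epp:msg>
    </epp:msgQ>
    <epp:resData>
      <domain:trnData>
        <domain:name>example.co.za</domain:name>
        <domain:trStatus>pending</domain:trStatus>
        <domain:reID>RegistrarID</domain:reID>
        <domain:reDate>2011-04-15T12:36:27Z</domain:reDate>
        <domain:acID>CurrentID</domain:acID>
        <domain:acDate>2011-04-15T12:37:47Z</domain:acDate>
      </domain:trnData>
    </epp:resData>
    <epp:trID>
      <epp:clTRID>CLTRID-13028710879-4AIN</epp:clTRID>
      <epp:svTRID>ZACR-EPP-12F5929931B-BAEC8</epp:svTRID>
    </epp:trID>
  </epp:response>
</epp:epp>"""

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+")


def parse_transfer_poll(xml_text):
    """Return the identity-bearing fields of a transfer poll message."""
    root = ET.fromstring(xml_text)
    trn = root.find("epp:response/epp:resData/domain:trnData", NS)
    if trn is None:
        raise ValueError("no domain:trnData; not a transfer poll message")

    def field(tag):
        return trn.findtext(f"domain:{tag}", default="", namespaces=NS).strip()

    return {
        "domain": field("name").lower(),
        "status": field("trStatus"),
        "gaining_registrar": field("reID"),
        "losing_registrar": field("acID"),
        "requested_at": field("reDate"),
    }


def initiator_emails(xml_text):
    """Collect anything shaped like an e-mail address in text or attributes."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        for value in [el.text or "", *el.attrib.values()]:
            found.extend(EMAIL_RE.findall(value))
    return found


def review_transfer(xml_text, expected):
    """Decide whether to hold a pending transfer for manual confirmation.

    `expected` (hypothetical) maps domain -> gaining registrar ID that the
    registrant declared in advance, e.g. via an authenticated support ticket.
    """
    info = parse_transfer_poll(xml_text)
    if info["status"] != "pending":
        return "ignore", "transfer is not pending"
    declared = expected.get(info["domain"])
    if declared is None:
        return "hold", "registrant declared no outgoing transfer"
    if declared != info["gaining_registrar"]:
        return "hold", f"unexpected gaining registrar {info['gaining_registrar']}"
    # Two buyers using the same gaining registrar are indistinguishable here.
    return "match", "registrar matches; initiator identity is not in the message"


if __name__ == "__main__":
    print(parse_transfer_poll(POLL_MESSAGE))
    print(initiator_emails(POLL_MESSAGE))
    print(review_transfer(POLL_MESSAGE, {"example.co.za": "RegistrarID"}))
```
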
 
We really wouldn't mind adding this functionality if we had access to it. EPP tells us who the requesting registrar is, but not who requested the transfer.

There are some issues with adding a "move domain to another account" button on the front end, but if you logged a ticket with us requesting the domain be moved to another account, we'd gladly do that.

Thank you for taking the time to reply and confirmation. I thought as much (regarding EPP telling you who registrar is but not who requested the transfer).

There are some issues with adding a "move domain to another account" button on the front end, but if you logged a ticket with us requesting the domain be moved to another account, we'd gladly do that.

Is this process sound regarding human error? If it's accidentally moved to another account can it be retrieved without long stories? I was dealing with a registrar that was using an intern to do their support. For security I'm assuming you only do this for a request ticket that originates from the client area? I know it's pedantic but I run a tight ship.
 
Thank you for taking the time to reply with such a comprehensive response. Very interesting to know what is happening behind the scenes. I guess for the majority of people (even on here) this is all semantics. But it's important to me.
 
NullHypothesis

I see that *most* of your queries have been answered - apologies for not jumping in sooner. I had typed a few paragraphs an hour ago but did not respond in time.

With regards to the domain push which you suggested, I have added this to the list of features to be implemented. With regards to security, we'll ensure that the reseller or registrar initiating the push has the ability to withdraw the push after it has been initiated.

The push would apply a contact update after accepted which as you know locks the contact and domain for a period of 5 days unless the pending update is cancelled and resumed.
 
NullHypothesis

The push would apply a contact update after accepted which as you know locks the contact and domain for a period of 5 days unless the pending update is cancelled and resumed.

Hi Jade,

Contact updates do not lock the domain object for 5 days, only the contact object. If you are locking the domain up for 5 days when doing a contact update, then you might want to re-evaluate your code.
 
NullHypothesis

I see that *most* of your queries have been answered - apologies for not jumping in sooner. I had typed a few paragraphs an hour ago but did not respond in time.

With regards to the domain push which you suggested, I have added this to the list of features to be implemented. With regards to security, we'll ensure that the reseller or registrar initiating the push has the ability to withdraw the push after it has been initiated.

The push would apply a contact update after accepted which as you know locks the contact and domain for a period of 5 days unless the pending update is cancelled and resumed.

Hi Jade

Thanks for taking the time to reply.

The showing of who requested the update will be a better solution than being able to retract a push. A push is supposed to be irreversible especially if there is money in Escrow. Escrow can't pay out if there is a chance that seller can get his domain back once payment has been released to him.

Once the seller has inspected the domain pushed to him (it is spelt correctly etc.) and gives Escrow the go ahead to release funds. He expects that domain to be in his account when he wakes up tomorrow.

Regards,
NH
 
Hi Jade

Thanks for taking the time to reply.

The showing of who requested the update will be a better solution than being able to retract a push. A push is supposed to be irreversible especially if there is money in Escrow. Escrow can't pay out if there is a chance that seller can get his domain back once payment has been released to him.

Once the seller has inspected the domain pushed to him (it is spelt correctly etc.) and gives Escrow the go ahead to release funds. He expects that domain to be in his account when he wakes up tomorrow.

Regards,
NH

The best in a domain sale is an escrow service from someone you trust, where the current owner gives the escrow the permission to transfer the domain to them and update the contact information to the escrow provider. Once the funds have been released, the ESCROW updates the contact information to be the new registrant and hands the domain over to the new registrant.

No losing registrar for .co.za domains will be able to tell who the request is coming from.
 
In the case of .co.za, after a domain transfer has taken place, the contact object receives the update from the gaining registrar and that contact object enters its 5 day pending update period. It's not possible to update the contact information immediately on a .co.za domain, even with a domain transfer.

So you are telling me that during that five days the only change on the whois is that of the "1c. Registrar"? And changes to nameservers are subject to "standard" times during this period. Is this correct?
 
Hi Jade
Thanks for taking the time to reply.
The showing of who requested the update will be a better solution than being able to retract a push. A push is supposed to be irreversible especially if there is money in Escrow. Escrow can't pay out if there is a chance that seller can get his domain back once payment has been released to him.
Once the seller has inspected the domain pushed to him (it is spelt correctly etc.) and gives Escrow the go ahead to release funds. He expects that domain to be in his account when he wakes up tomorrow.
Regards,
NH
The best in a domain sale is an escrow service from someone you trust, where the current owner gives the escrow the permission to transfer the domain to them and update the contact information to the escrow provider. Once the funds have been released, the ESCROW updates the contact information to be the new registrant and hands the domain over to the new registrant.
Remember there are sometimes brokers (which not only involves a three way Escrow but a two way split of money), and the seller or the buyer don't necessarily trust the broker or even the Escrow (some domains cost as much as houses). Sometimes you have to reassure people all the time (during this process) that all is well. I just like to have my ducks in a row.
No losing registrar for .co.za domains will be able to tell who the request is coming from.
I get that but it’s not rocket surgery to implement this. Are you of the opinion (used to dealing with the bureaucratic nature of the registry) that it won't happen anytime soon?
 
NullHypothesis

I see that *most* of your queries have been answered - apologies for not jumping in sooner. I had typed a few paragraphs an hour ago but did not respond in time.

With regards to the domain push which you suggested, I have added this to the list of features to be implemented. With regards to security, we'll ensure that the reseller or registrar initiating the push has the ability to withdraw the push after it has been initiated.

The push would apply a contact update after accepted which as you know locks the contact and domain for a period of 5 days unless the pending update is cancelled and resumed.


Hi Jade,

Contact updates do not lock the domain object for 5 days, only the contact object. If you are locking the domain up for 5 days when doing a contact update, then you might want to re-evaluate your code.

Murmaider, maybe I'm a bit slow but are you not comparing different things or taking out of context? Jade is talking about a feature that does not exist yet. And talking about an internal transfer at the same registrar. She mentioned that as part of the push functionality. Maybe they want to apply that policy with their company's (yet to be added) push functionality?
 