thrashiedean.com

You go to work every day at the store you own, and one morning,
your key to the door doesn\’t work. You look in the window, and
the display items have changed. A stranger is behind the
counter. But when you call the police, they can\’t do anything
because the company papers now indicate that the store belongs
to the stranger.

The above scenario isn\’t likely to happen with a
bricks-and-mortar store. Because of insecurities in the domain
registration system, however, information highwaymen could take
over your online business.

As with identity theft, domain thieves steal your identity –
the identity used to register and configure your domain name.
After that, your website, your email, your online business, and
possibly your reputation are theirs.

Domain names at risk of theft

While theft is a risk with all domain names, domains most at
risk are more valuable ones. Domains with dot com extensions
have a higher resale value than domains with other extensions,
and domains with high traffic or valuable keywords are also more
likely to be targets.

The motive behind domain hijacking is usually monetary, but it
may be personal. If anyone wants to attack you, stealing your
domain name is one way to do it.

How domain theft happens

When domain hijackers steal your domain, they gain access to the
domain\’s Whois records. They
can modify the domain\’s nameservers so that the domain points to
a different server. They can also transfer the domain to a
different registrar.

Either way, site visitors will find themselves at the website of
the domain hijacker instead of at your site. All domain email
will go to or through the other server instead of to you. All
you\’ll have left is a website without public access because your
domain isn\’t pointing to it any more.

How can this happen?

Domain hijacking methods

• Domain hijackers send forged faxes to the domain registrar,
impersonating the registrants.

• Domain hijackers hack into the accounts of free email
addresses listed in Whois records and use those addresses to
obtain domain account information.

• Domain hijackers send out fraudulent email renewal notices,
and registrants unknowingly transfer their domains to the
thieves.

Registrar non-action

• The gaining registrar (the registrar that the domain is
transferred to) doesn\’t obtain approval from the domain name
registrant or administrative contact as required by ICANN Inter-Registrar
Transfer Policy.

• The losing registrar (that the domain is transferred from)
doesn\’t notify the registrant of the transfer during the
five-day pending transfer period. During this period, the
registrant can cancel or deny approval of the domain transfer
— if the registrar notifies the registrant of it.

Registrant carelessness

• The registrant forgets to update Whois details or to renew
the account.

• Someone with access to the registrant\’s records steals the
information.

Domain name disputes

If you discover that your domain has been hijacked, contact
your registrar immediately. If your registrar is unable to
resolve the situation, the ICANN (Internet Corporation for
Assigned Names and Numbers)
Transfer Dispute Resolution Policy (TDRP) applies.

By going the above arbitration route, you don\’t have to argue
your case in person. On the other hand, all you can get back in
the process is your domain (and not necessarily that). For a lot
more money, you can take your case to court, where you can seek
compensation for damages in addition to the return of your
domain. This process takes more time, however.

You may be able to proceed both ways – get your domain back via
ICANN domain dispute resolution procedures and then go to court
to collect damages. You can also appeal a domain arbitrator\’s
decision in court.

How to protect your domain name

Protecting a domain name is similar to protecting a
bricks-and-mortar store from burglary. With a combination of
precautions in place, thieves will find it difficult or
impossible to gain access.

Your domain account information

• List your name for the administrative contact, and use your
full name.

• Create a complex password with letters (both upper case and
lower case) and numbers. Don\’t use any real words or personal
information in it. Make it long. Make it unique – don\’t use the
same password for anything else. Change it periodically.

• Keep your domain login name, account number, and password in a
place where only trusted people can access it.

• Use a valid contact email address that doesn\’t use the domain
it\’s for. Be sure that this email account also has a complex
password. If you\’re going to be offline for more than a few
days, have someone else check the email for this account.

• Don\’t use a free email address such as a Hotmail or Yahoo
address. Domain hijackers target domains with free email
addresses in the Whois records. After they\’ve cracked your email
account password, the support you need to get your email account
back will probably be slow, giving the hijackers plenty of time
to take over your domain.

• Update your Whois record whenever the information in it
changes.

Your domain account features

• Choose a domain registrar that sends registrants transfer
pending notifications when a domain transfer is taking place.

• Consider protecting your Whois details with a registrar that
offers a private domain name record. With this feature, your
registrar\’s data appears with your Whois record rather than your
data. The downside of using this feature is that your business
may have less credibility because you\’re hiding who you are.

• Register your domain for a long time period, and set up
calendar reminders to renew it before it expires.

• Set up your domain to be renewed automatically if your
registrar offers this feature.

• Use the Registrar-lock mechanism if it\’s available through
your registrar. When a domain is locked, it cannot be modified
or transferred unless the registrant unlocks it or follows the
domain transfer process.

Other domain security measures

• Set up a free Whois
monitoring alert email service and add your domain to your
monitoring list. You will receive email notifications whenever
the expiration date, registrar, or status of a monitored domain
changes. (Whois does not have data on all domain extensions.)

• Make sure that someone checks your website every few days,
preferably daily.

I am helping a charity re-work their website. They had a volunteer doing it years before me, but lately she hasnt been touching the site. However, she is still in the scene and doesn\’t know they\’re re-working the site on her.

I\’m concerned about getting the domain name. The registrant name is someone who is friendly with the charity but no longer works there, the reg number is the charity, but the reg email is of the old volunteer. The administrative contact is someone who works there still.

Will this be an issue. I\’m assuming the old volunteer has the login cridentals and I\’m afraid she won\’t give them up. Is she obligated to, since the registrant-organizaion is the name of the charity?

(I got all my information from doing a whois by the way… not sure how accurate they are…)
When I say the old volunteer has the login cridentals, I mean she is probably the one who registered the domain name, thus she\’d have the login information to change the DNS

A company renewed a domain name without my permission at a high rate (12.95) while others would offer me 7.95 or even 1.95. I called and emailed them to ask them why they renewed my domain name; I didn\’t respond. Then I called my credit card company who gave me a refund. Now, I\’ve decided I want the domain, how can I go about transfering or re-registering it. I feel that if I ask to transfer it I didn\’t pay for it, yet I didn\’t ask for it either and I need that domain is it is my name and I plan to use it for email. What should I do?

they are claiming trademark infringement..

Domain names, are, for the most part, are sold on a first come, first served basis. That is to say, the first person to register any particular name, retains control of that name until they either transfer (often by selling) that domain name to another person, or fail to pay their annual renewal fee.  This means that the person who is first to recognize the value in a previously unregistered domain name, can register it, and keep it until able to sell it for a profit. Since many types of domain names, including, com, net, org domains can be registered for just a few dollars per year, and but the value of owning some domain names is many times that, there is a potentially lucrative fee in selling on (\”flipping\”) these domains in what is known as the aftermarket.

There are however some important facts you need to realize before considering entering this business:

1. Most domain names are not particularly valuable in themselves – so if you register the wrong names, you will probably have a hard, maybe impossible, job of selling them on. In this case, you will of course be out of pocket for the registration fees of those domains that you fail to sell.

2. Most of the obviously valuable domain names, such as commercially lucrative single word com domains have been registered a long time ago. You can\’t expect to find low hanging fruit like that. Instead, you must know what types of domain names are in demand, and look for available but potentiallysaleable domains in those particular areas.

3. If you register domains that infringe trademarks (this is known as \”cybersquatting\” or \”domain squatting\”), you are unlikely to be able to sell them. Furthermore,the trademark holder may come after you using domain dispute procedures to try to get the domain, or may even sue you in court.

4. As well as knowledge of the research, sales and marketing aspects of domain flipping, to be successful, you will also need to learn about the technical procedures for transferring domains, as well as when and how to use domain escrow services.

In short, like any other business, success with domain flipping does require knowledge and expertise. There are also risks involved (some of which are mentioned above), and you also need to know about these. Some of these things you can learn along the way, but you may also find it helpful to talk to other people with experience in the domaining industry, and perhaps to read guides such as Brian Pubrat\’s \”Domain Cash Vault\” or Edwin John\’s \”How I Sell My Domain Names\”.

We lost our domain because the registrar failed to renew after numerous requests to renew it? Are there any outlets for us to regain the domain?

Reverse domain name hijacking has proven to be one of the biggest problems in the domain name industry today.  Most importantly, it is an issue that can have a direct impact on your internet identity and web presence.

What is Reverse Domain Hijacking?

Typically associated with cyber squatting, reverse domain hijacking describes a practice where a company that owns a trademark exercises its trademark rights in attempts to secure a domain name from the legitimate holder.  This is something that has become all too common these days.  More and more, we are seeing small companies and entrepreneurs registering domain names that are also targeted by bigger companies.  In hopes of intimating the little guy, these big spenders have been known to cry the UDRP (Uniform Domain-Name Dispute Resolution Policy) and engage in legal battles many smaller companies simply can’t afford.

While domain disputes often boil down to a lot of specifics, it is a known fact that several larger companies rely on their financial resources to wrestles names from the grips of legitimate owners.  Why has this practice become so widespread?  This is because the UDRP does not contain any meaningful literature stating that overzealous and determined trademark owners cannot file complaints.  And despite the monstrous label of reverse domain name hijackers, nothing to this point has been enough to deter the efforts of corporate giants.  As long as these companies continue to enjoy publicized measures of success, such claims could be filed for some time to come.

Fighting Back Against the Bullies

So, what do you do when the big bad corporate bullies come knocking and threatening to seize your domain?  Well, if they have the resources along with the trademark, the company can file an action in court and make the claim that the registration or utilization of the domain is not considered unlawful on their part in accordance to the ACPA (Anticybersquatting Consumer Protection Act).  This legislation was put in place to balance the rights of domain name holders and trademark owners respectively.  Most importantly, it was enacted to address the growing problem of reverse domain name hijacking.  However, there is only so much the ACPA can do for you.  For instance, you can only win back your domain name as the legislation does not cover any financial damages against the trademark owner.  Equipped with ample resources, this is one of the main reasons trademark owners will continue their abusive practices and keep the pressure on smaller companies.  Unfortunately, even though you can leverage the ACPA to take action in court, very few domain owners have a wallet sizable enough to challenge a bigger company for the domain name they have legitimate rights to.

Change is Needed

There has been much debate on whether the ACPA should be amended to create a greater balance between the rights of domain name and trademark owners.  However, implementing such a change would require the full cooperation of many parties including the domain and trademark holders who already are not seeing eye to eye, and quite possibly a few government bodies as well.  Unfortunately, until the playing field is leveled, trademark owners will continue to pull out their big wallets and strip domain names away from less fortunate, but legitimate registrants.

The .uk registry is the world\’s fourth largest (after the .com, .org & .de registries). It\’s administered by Nominet, a not-for-profit company based in Oxford, England. Nominet acts not just as the .uk registry, but also as the .uk dispute resolution service provider.

Nominet doesn\’t use the UDRP for dispute resolution, but has instead created a distinctive system inspired by the UDRP. The substantive rules governing .uk disputes are set out in Nominet\’s dispute resolution policy document (referred to below simply as the \”Policy\”) & its dispute resolution procedure document.

Procedural rules

The Nominet dispute resolution procedure is a close relative of the UDRP procedure. However – there\’re some important differences.

There is a free mediation service built in to the Nominet procedure. The mediation process involves a neutral third party who tries to bring the complainant & respondent to agreement through \”shuttle diplomacy\”. If the parties can resolve their dispute before the mediation period comes to a close, Nominet waives its fee.

Another distinctive feature of the Nominet procedure is the possibility of appealing an expert\’s decision (in Nominet proceedings, panellists are called \”experts\”). By contrast there is no appeal ? other than to a court of law ? from a decision under the UDRP or the EURid rules.

A single expert always decides \”first instance cases\”. Should either party appeal the first instance decision, a three member panel will be appointed to decide the appeal. At the time of writing, there have only ever been six appeals.

The Nominet fee is always paid by the complainant. At present, that fee stands at ?750 plus VAT. There is also a fee of ?3000 plus VAT payable by a person invoking the appeal procedure.

The remedies available are cancellation or transfer. Unlike in UK litigation, there\’re no provisions for the unsuccessful party to pay the successful party\’s costs.

Substantive rules

Basic rule is that: \”A Respondent must submit to proceedings under the Dispute Resolution Service if a Complainant asserts to us, according to the Procedure, that: (i) The Complainant has Rights in respect of a name or mark which is identical or similar to the Domain Name; & (ii) The Domain Name, in the hands of the Respondent, is an Abusive Registration.\” (Paragraph 2(a) of the Policy.)

\”Rights\” are treated in a similar way to rights under the UDRP: the test isn\’t a hard one to meet.

The idea of an \”Abusive Registration\” maps imperfectly on to the concepts of legitimate interest & bad faith under the UDRP.

Rights in a name or mark?

Paragraph 1 of the Nominet Policy gives that: \”\’Rights\’ includes, but isn\’t limited to, rights enforceable under English law. However – a Complainant will be unable to rely on rights in a name or term which is wholly descriptive of the Complainant\’s business.\”

In practice these rights are often rights arising out of registered ® UK or Community trade marks.

However, the rights can also be rights in the tort of passing off. This is a complex subject, but most experts will be prepare to accept that a complainant has unregistered trade mark rights which could give rise to an action in passing off where the complainant can show substantial use of a mark or name as a trade mark in the UK. It\’s probably fair to say that the standard of proof required by Nominet experts of these unregistered rights is significantly lower than that required by the English courts in a passing off action – even though in passing off cases the evidence is usually being used to prove a different point.

Rights can also mean contractual rights ? e.g. where one person has contracted with another to transfer the domain, but then refuses to do so.

?which is identical or similar to the domain name

Because most Nominet experts have at least some expertise of trade mark law, the concepts of identity & similarity are heavily conditioned by the comparable concepts in trade mark law.

As regards identity, the domain name extensions are ignored, so that the trade mark MERCEDES is identical to the domain name mercedes.co.uk. Similar formal differences (e.g. the use of hyphens in a domain name in place of spaces) should not upset a finding of identity.

Similarity is more difficult… In European trade mark law there is a concept which may be called \”confusing similarity\”, & it\’s this concept which experts are accustomed to apply when comparing one mark to another. The question is: would the public be confused by the use of the marks or names, or associate one with the other. Judging by the detail of experts\’ decisions, a similar question is often asked in .uk domain name dispute arbitrations.

Abusive registration

\”\’Abusive Registration\’ means a Domain Name which either: (i) was registered ® or otherwise acquired in a manner which, at the time when the registration or acquisition took place, took unfair advantage of or was unfairly detrimental to the Complainant\’s Rights; OR (ii) has been used in a manner which took unfair advantage of or was unfairly detrimental to the Complainant\’s Rights.\” (Paragraph 1 of the Nominet Policy)

Note that the abuse can take place either at the time of registration/acquisition or subsequently. In either case, the key ideas are those of taking \”unfair advantage of\” or being \”unfairly detrimental to\” the complainant\’s rights.

Proving an allegation of abusive registration

A non-exhaustive list of factors which may be evidence that the domain name is an abusive registration is set out in paragraph 3(a) of the Nominet Policy:

\”(i) Circumstances indicating that the Respondent has registered ® or otherwise acquired the Domain Name primarily: (A) for the purposes of selling, renting or otherwise transferring the Domain Name to the Complainant or to a competitor of the Complainant, for valuable consideration in excess of the Respondent\’s documented out-of-pocket costs directly associated with acquiring or using the Domain Name; (B) as a blocking registration against a name or mark in which the Complainant has Rights; or (C) for the purpose of unfairly disrupting the business of the Complainant;

(ii) Circumstances indicating that the Respondent is using the Domain Name in a way which has confused people or businesses into believing that the Domain Name is registered ® to, operated or authorised by, or otherwise connected with the Complainant;

(iii) The Complainant can demonstrate that the Respondent is engaged in a pattern of registrations where the Respondent is the registrant of domain names (under .uk or otherwise) which correspond to well known names or trade marks in which the Respondent has no apparent rights, & the Domain Name is part of that pattern;

(iv) It\’s independently verified that the Respondent has given false contact details to us; or

(v) The domain name was registered ® as a result of a relationship between the Complainant & the Respondent, & the Complainant: (A) has been using the domain name registration exclusively; & (B) paid for the registration and/or renewal of the domain name registration.\”

Because of paragraph 3(c)(i) of the Policy, it\’s unwise to offer to sell the domain to a trade mark owner where there is a dispute or the potential for a dispute. Another effect of that paragraph is that it\’s easier for a complainant to prove her or his case where a domain name is used commercially. For this purpose, commercial use includes serving pay-per-click advertising or carrying affiliate links.

Paragraph 3(c)(v) is designed to deal with the all-too-common situation where an employee of a company (often in the IT department) or service provider to a company (often a web developer) registers domain name reflecting the company\’s trade marks, & then refuses to transfer the domain name when a dispute arises.

Disproving an allegation of abusive registration

A non-exhaustive list of factors which may be evidence that the domain name isn\’t an abusive registration is set out in paragraph 4(a) of the Policy:

\”(i) Before being aware of the Complainant\’s cause for complaint (not necessarily the \’complaint\’ under the DRS), the Respondent has: (A) used or made demonstrable preparations to use the Domain Name or a Domain Name which is similar to the Domain Name in close connection with a genuine offering of goods or services; (B) been commonly known by the name or legitimately connected with a mark which is identical or similar to the Domain Name; (C) made legitimate non-commercial or fair use of the Domain Name; or

(ii) The Domain Name is generic or descriptive & the Respondent is making fair use of it;

(iii) In relation to paragraph 3(a)(v) [registration as a result of a relationship between the parties]; that the Registrant\’s holding of the Domain Name is consistent with an express term of a written agreement entered into by the Parties; or

(iv) In relation to paragraphs 3(a)(iii) and/or 3(c) [pattern of abusive conduct]; that the Domain Name isn\’t part of a wider pattern or series of registrations because the Domain Name is of a significantly different type or character to the other domain names registered ® by the Respondent.\”

Paragraph 4(a)(ii) is arguably one of the most significant in the Policy. Controversially, some experts have read this rather narrowly, such that domain names which are 100% descriptive of the business in which they\’re being used are being transferred to complainants in circumstances where it would be very hard if not impossible to put together a credible case in the High Court.

Conclusions

The Nominet procedure is inexpensive & efficient, & the quality of expert decision-making tends to be reasonable. However – the procedure is by no means perfect: it\’s a blunt instrument & from time to time decisions are issued which seem unfair, at least inasmuch as they represent a significant extension of trade mark owners\’ rights over the position in trade mark law. Moreover, the very fact that there is a distinct set of rules governing .uk domains (and a distinct dispute resolute procedure) means that, where a dispute involves other domain name extensions as well, there is extra expense.

Hagit Ben-Artzi owns Sequitur IPS, a legal consultancy providing specialist advice & representation in domain name disputes & domain name arbitration proceedings. Please visit the Sequitur IPS domain name disputes website.

You file a UDRP complaint under ICANN & a panel has ordered a transfer of the stolen domain name. From this point, you would think everything would automatically fall into place, but more often than not, you\’ll still have some work to do.

Under the domain name dispute policy, more specifically UDRP Policy Paragraph 4(K), it states that the registrar is required to implement the Panel\’s decision 10 (ten) business days after it receives notification of the decision from the dispute resolution service provider, except if the registrar receives information from the domain name registrant (Respondent) in that 10-day period that it\’s challenging.

Here are some steps cybersquatting lawyers use to ensure that the stolen domain name is transferred back to you:

• Establish an account for the domain name
• Ensure the registrar updates the domain name servers (DNS)
• Ensure the registrar gives you with an Authorization Code so that you can initiate the transfer of the registrar & modify the contact information
• Initiate a request for the transfer of registrar using the Authorization Code
• Note: most registrars have an automated process that requires confirmation from the Admin-C contact on the account.
• Ensure the registrar updates the WHOIS database for the domain name to include your information for the Admin/Technical/Billing contact.

If you become a victim of domain name theft, winning your cybersquatting arbitration is key. Still, the domain name transfer process does not always go as smoothly as it should & may require experienced cybersquatting lawyers to get the domain name back for you… This involves working with your IT person & the registrar, both new & old, to ensure the cybersquatting Panel\’s decision is implemented.

Enrico Schaefer is the founding attorney of Traverse Legal, PLC, a law firm specializing in web law. You can find out more about protecting your domain name, UDRP arbitrations & anti-cybersquatting laws at Traverse Legal\’s domain name theft & trademark infringement domain dispute blog.

Are you losing visitors to your domain? Are your search engine rankings still yours?

Other people might hijack your search engine rankings & they might steal your web site visitors. The worst thing is that you might not even notice it.

Imagine your domain URL is listed in search engine results on Google, MSN & Yahoo. In the search engine results, most people that click on your domain URL are sent to your website. However – some people that click your domain URL are sent to a totally unrelated website that has nothing to do with your site & even though your website domain name URL is displayed in the browser, people see a completely different site that has literally nothing to do with you or your company.

How do these hackers steal your Visitors?

Hackers exploit a flaw in the software some domain name servers use & by sending incorrect information to these particular domain name servers, hackers compromise the domain name server to redirect the traffic for the URLs to another site.

If domain name servers do not use a method to validate that the information has come from valid or authoritative source, it will send visitors to the wrong pages. This means that people who enter your domain name URL in the web browser will be sent to the hacker\’s pages instead of your pages.

How can you protect you website?

It is very important that you use a reliable host that doesn\’t use an open DNS server. To check this, go straight to www.dnsreport.com & enter the domain name URL of your website. You should see PASS in the Open DNS servers line. If your domain name fails the test, you should contact your web host. If you do not want to expose your website to hackers, it\’s critical that you use a secure DNS server. If your web host can not fix the issue, you should change to another web host.

Enrico Schaefer is the founding attorney of Traverse Legal, PLC, a law firm specializing in web law. You can find out more about protecting your domain name, UDRP arbitrations & anti-cybersquatting laws at Traverse Legal\’s domain name theft & trademark infringement domain dispute blog.