Punished by eNom for a Registration Placeholder
by Randy Cassingham Updated! See the End
I'm posting this minutes after my sites came back online. As I was writing this, most of my web sites were offline, thanks to proactive (that is, on purpose) action by enom, the huge domain registrar which provides registration for the "domain names" for more than 8 million web sites. The registrar, of course, I (used to?) use. And here's the unbelivably scary thing I learned while struggling to get them back up: any web site, including yours, can be knocked off the 'net without warning and without notice, and for the most mundane of reasons, by the people you pay for your most basic online service: your domain registration. Even if it's not enom.
Your site is your sole source of income? Too bad. Your site is depended upon by thousands of people for critical information? Tough. You're expecting an urgent e-mail? Shrug. The weekend is coming up? They may or may not be able to help you until Monday -- check back later. We'll see -- the only guy who can help has a long lunch planned.
Have you ever done a whois lookup to get a site owner's address or other contact information, and been stymied? Everyone who has used "whois" has found bad, outdated, fake, or obfuscated information. Then perhaps it probably occured to you why: "I wouldn't want my home address or phone number available to any whacko online!" If you have a web site, and aren't a huge corporation which can shield your private contact info, odds are pretty good you put in a fake address or phone.
If so, you are at severe risk of your site being shut down without warning. You are literally not allowed to supply fake info -- rape crisis centers and shelters for battered women, for instance, cannot put in a fake address or phone number if they want their own domain name. (A PO Box, answering service, etc. is -- as far as I know -- OK, but many don't know of this rule and put in fake info.)
Yet you can bet pretty much every spammer and phishing site has fake info on their domain registration.
How it Happened
Yesterday (8 February 2007), after someone let me know that I hadn't updated the contact info on one of my domains, I took a look at my main sites. Many had old info in the domain registration; some had fake (3030000000) or no ("n/a") phone numbers, some had correct numbers. All had a real e-mail address, an autoresponder pointing to full contact information. And they had been that way for years -- I moved in 2003!
"Yeesh," I said, and I set about updating them, logging in to my control panel at enom. But I didn't really want my direct office phone on my domain registrations. I had planned to get a voicemail/fax number, but hadn't gotten down that far on my to-do list yet, so as I updated the records on my domains with my actual mailing address I stuck in a placeholder phone number, "0000000000", until I could replace it with the voicemail number after I got it. I never got the chance to update it.
Within hours, my web sites started to die -- just yanked offline. There was no "Hey, you need to give us correct information" warning. Obviously I thought there was a server problem, but after making a call to my tech support guy, we quickly learned the site was fine. It was DNS that was screwed up. DNS converts "CrankyCustomer.com" to the actual IP address your browser needs to surf to to get to a web site. DNS is ultimately controlled by your domain registrar -- in my case, enom.
My weird news site This is True (in business online since 1994), was gone. My crazy lawsuits site, which recently issued the most outrageous suits of the year "awards", was nowhere to be found. The Honorary Unsubscribe archive, obituaries of people who have affected our lives, shut down. No one could go to my good jokes site. My cool web sites archive was lost in the ether. Even my weather station -- the only online station in my county, which I've put online so people here can get current weather info, was knocked out. That site also has a special "member area" for the volunteer Emergency Medical Services first responders for my area, and they couldn't communicate.
But it got worse: I founded HeroicStories, but no longer publish it or own the domain (though I still donate hosting for it), and that site was also knocked out. Even one of my newer domains that has never had "fake" contact info was killed. Why? Just to punish me?
The Real Problem: You're at Risk Too
If they can punish me, they can punish anyone with a web site, including you. And anyone you help with a web site, like I do with HeroicStories.
Domain registrars do need the ability to shut down sites, such as phishers trying to commit identity theft and worse. But really: is changing my phone number from one that I haven't used for three and a half years to one just as useful on the same level? My registered address is an autoresponder pointing to my real and complete contact info, but they couldn't bother to check. "We have the power, and dammit we're going to use it!" There's no thought to the possible destruction of my 13-year-old business, nor the damage to my customers and six-figure reader base.
It's not just enom -- every registrar can do this. But I fault enom specifically, since they didn't need to take such drastic action without giving notice.
Don't just shrug: if it can happen to me, it can happen to you. You can set up redundant servers, redundant disk farms, redundant connectivity, redundant everything -- but your domain registrar is a single point of failure that could destroy your business -- just because someone felt like it. My sites just got back online as I posted this; they were off for 24 hours.
On 26 February -- more than two weeks later -- I got an e-mail from eNom with this laughable claim regarding one of my domains, http://www.GOOHF.com, which was not one of the domains they deactivated during the first round:
Dear eNom Customer,
This is a message to verify that the current contact information as listed in the eNom whois database for the domain name listed in the subject line is both valid and complete. We have received complaints that the listed information is erroneous. Please respond to this message within the next 15 days to provide valid and complete WHOIS information.
Failure to comply is a direct breach of ICANN policy, as well as the eNom registration agreement, and may result in loss of your registration rights without further notice.
Thank you in advance for your cooperation, and we look forward to your reply.
"Complaints"?! Plural? I publicly challenge eNom on that. I doubt they have any complaints, let alone more than one. I responded to their message challenging them to produce even one complaint.*
Of course, this is the sort of notice that I've been saying all along that they should have sent the first time -- ping me to check, provide 15 days' of notice, and explain why they are doing it (to ensure compliance with ICANN policy).
So despite the ridiculousness of it, I actually applaud that they are showing progress in their customer service. Now to the next step: adding some intelligence to the equation.
*Within minutes, eNom replied:
The complaints were issued through ICANN, this is merely a verification request. If the current contact details are complete and valid, all that is required is your verification of such. If you verify that the current contact details for this domain are accurate, there is no further action required on your part.
I still find it hard to believe there have been any "complaints", but so be it. I replied again, with "I hereby state: All the information on the domain registration is accurate. Is that what you need?"
They replied, again within minutes: "That is exactly what we need in order to fulfill our obligation with ICANN. Thank you for your cooperation in this matter."
Matter -- apparently -- closed. See how easy that is, eNom? Sheesh.