Tuesday, April 02, 2002, 11:03:19 AM, David Denney wrote:
> On Mon, Apr 01, 2002 at 04:45:17PM -0500, Chuck Hatcher wrote:
>> This is disturbing, since I was not aware the customer was in the process of
>> having the address changed. Previously OpenSRS required the consent of the
>> RSP to effect this kind of change, and I question the wisdom of changing the
> The policy was not changed, it's been full of holes the whole time. It
> should AT LEAST include additional notifications and verifications.
> Anybody who sends in a fax of their driver's license with the correct
> name (how hard is it to forge a FAX?) can steal any one of your
> customers' domains pretty easily. And if they do it on a Friday
> afternoon, OpenSRS will not do ANYTHING until at least Monday. They
> don't even bother to notify the old contact before changing the data.
> Better make sure you have indemnified yourself against your customers,
> because OpenSRS sure as hell is against you and your customers.
> This whole issue was brought up about two weeks ago, under the thread
> "hijacking, AGAIN". I was lucky that the hijacked domain was not
> actively in use by my customer.
David,
The domain had been hijacked months ago, and as was pointed out, the
changes were made with the username/password for the domain, which
only you could have given them.
So while the fax system certainly has holes, you also had a chance to
notice the issue before anything other than the email address in the
admin contact was changed.
--
Best regards,
William X Walsh <william@userfriendly.com>
--
OpenSRS installation and customizations
Payment Processing Integration
Apache Installation and Support Services
http://www.wxsoft.com/