Now, this Domain Hijacking is getting funky … [Updated]

So, about 24 hours ago I noticed that my DNS servers for my Domain uu.org were pointing to some external provider instead of my own boxes. I initially thought Network Solutions (NSI) fucked something up and got really pissed as their support website refused to work, creating an error message instead of a ticket.

Further investigation now leads me to believe that someone really is trying to steal my domain — i.e. on purpose. As I had to discover earlier today, another of my domains, 42.to, was forcefully reconfigured as well, now pointing to nameservers ns43.domaincontrol.com and ns44.domaincontrol.com instead of mine. What’s more, the MX was repointed as well, now delivering *my* emails to smtp.asia.secureserver.net and mailstore1.asia.secureserver — as 42.to was used as the email address with NSI, this most likely is how “they” got administrative access to uu.org domain entries (NSI allows one to retrieve one’s ID and with the ID one can ask for a password reset link sent by … email).

What’s odd is that GoDaddy seems to be playing an active role here, as both domaincontrol.com and secureserver.net are registered to:

   Registrant:
   Special Domain Services
   14455 N Hayden Rd Suite 219
   Scottsdale, Arizona 85260
   United States

According to http://domainnamewire.com/tag/domain-warehousing/ “Special Domain Services” is a subsidiary of Go Daddy.

I’ll now send a cease and desist email to “Special Domain Services”, although I doubt it will change a thing :-(

 

Source: wusel’s Space (sent via email)

[Update]: On my complaint, TONIC hostmaster informed me that:

With reference to your recent enquiry, we must inform you that the registration of 42.to expired 2012-06-16. Remaining unpaid this was deleted one month later.

Checking my mailbox, it seems that I haven’t received any expiry notifications from TONIC after the renewal in 2007; most likely this summer I forgot to check on 42.to when renewing uu.org (it’s due on a similar timeframe).
Fu^WUnfortunate, but, well, 50 USD/year was quite a high price for a domain I barely used anyway (initially as secondary domain for uu.org nameservers, the last live server in that domain went out of business in 2009; actually, no real loss). Oddly enough, it took until 2012-10-27 for someone to grab it, and www.42.to now points to GoDaddy IP space (173.201.238.128), returning a forbidden/404 when accessing it.

So, no takeover there; but I still wonder if it’s a coincidence that the mail address wusel@42.to was used in the records for uu.org (and now ends up somewhere in GoDaddy/Special Domain Services land) and that uu.org was DNS changed yesterday.

By another coincidence, according to my mailbox, NSI did send me (to wusel@42.to) the “Action Required: Notice Regarding Your Domain Name(s)” email on behalf of ICANN usually between end of October and late November — maybe that was the trigger?

At least uu.org should be safe now:

After all, Network Solutions *does* care, and I’m glad about it.
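
The failure described in this post, a registrar contact address (and formerly nameservers) living on a second domain that was allowed to lapse, can be caught by auditing a domain inventory for such dependencies. The following is an added example, not part of the original post; the inventory format, the function names and the `.example` domains are constructed assumptions.

```python
from datetime import date

def owning_domain(host, portfolio):
    """Return the inventory domain that `host` belongs to, or None if outside it."""
    host = host.lower().rstrip(".")
    matches = [d for d in portfolio if host == d or host.endswith("." + d)]
    return max(matches, key=len) if matches else None

def audit(portfolio, today, warn_days=90):
    """Flag domains whose recovery e-mail or nameservers depend on a lapsing domain.

    Returns (domain, dependency kind, host, status) tuples, where status is
    EXPIRED, EXPIRING, SELF (reset mail needs the domain itself to work) or
    UNTRACKED (host is on a domain whose expiry is not in the inventory).
    """
    findings = []
    for name, rec in sorted(portfolio.items()):
        deps = [("contact", rec["contact"].rsplit("@", 1)[1])]
        deps += [("nameserver", ns) for ns in rec.get("nameservers", [])]
        for kind, host in deps:
            parent = owning_domain(host, portfolio)
            if parent is None:
                findings.append((name, kind, host, "UNTRACKED"))
            elif parent == name and kind == "contact":
                findings.append((name, kind, host, "SELF"))
            else:
                days_left = (portfolio[parent]["expires"] - today).days
                if days_left < 0:
                    findings.append((name, kind, host, "EXPIRED"))
                elif days_left <= warn_days:
                    findings.append((name, kind, host, "EXPIRING"))
    return findings

# Constructed sample inventory (hypothetical domains and dates).
SAMPLE = {
    "primary.example": {"expires": date(2013, 7, 1),
                        "contact": "admin@side.example",
                        "nameservers": ["ns1.primary.example", "ns2.side.example"]},
    "side.example": {"expires": date(2012, 6, 16),
                     "contact": "admin@primary.example",
                     "nameservers": ["ns1.primary.example"]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, today=date(2012, 11, 1)):
        print(*finding)
```

An EXPIRED or EXPIRING finding of kind `contact` means whoever registers the lapsed domain next can receive the registrar's password reset mail for the dependent domain.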