Request transfer code directly from CIRA

I can't see how it would contribute to much if any spam. Even if your email is in public whois, that's where they are going to get it from - no auth code request form needed. As long as they don't allow you to attach a message, spammers have nothing to gain by requesting auth codes on your behalf.

I never said it would, I stated it would be easy way to harass a company, and it would.
 
Sorry - I guess I should have been more specific. I was foolishly grouping spam and whatever your definition of harassment is, together. If your email address is public anyways, there are countless ways to harass them with that email address. Like using it to request usernames and password resets for your registrar and email accounts. That would freak me out more than any auth code request attempt on a single domain. And the number of people who will ever know about and use that CIRA form are going to be very few. So if I suddenly get all these "harassing" messages via the auth code request form, I'll know it was you just trying to desperately prove a very lame point. As with everything in life, there are pluses and minuses to everything. I think most of us will consider that the plus aspect of this feature heavily outweighs the minus.
 
I wish I had known since I could have helped you. I found a solution to this after having similar trouble with GD.

The trick is to go to your domain manager and export a list of the domains you want. While going through the process, just make sure to check off the box that says "Include domain authorization codes?"

Then poof, you can get auth codes under any circumstance, without asking. Even when the specific function to request the auth code is disabled for whatever reason.

Dang, wish I had noticed that! It's a great loophole. I'm sure they'll eventually close it once they catch on.
 
Sorry - I guess I should have been more specific. I was foolishly grouping spam and whatever your definition of harassment is, together.

:poop:

SPAM and Corporate Harassment are clearly two totally different things, so either get mad at yourself and stop trolling me, or learn to read and you won't have a problem.

And yes, it would be easy as pie to jump on my VPN and fill every corporate email box with transfer codes, but I'm not a jerk like that, but there are plenty of them out there. Just go on Reddit or Discord for about 2 minutes.
 
I'm sure you're right, I could probably find worse on Reddit or whatever which is why I don't go there, nor have I ever been there. I'm guessing that's where you go to practice your chops.

Lol, me the troll? Sure, I'll be the troll.

But if I'm going to be the troll, then you're the living definition of a Negative Nancy. It's grating that you frequently have to be an argumentative downer, no matter how trivial the point, and whether it affects you or not. This is a prime example.

I, as well as many people, consider spam to be anything unsolicited. Phone calls, text messages, door knockers, junk snail mail, emails, social media messages. You name it, if it's unsolicited from an unknown or unwelcome source, it's spam to me. I'm sure I'm not the only one here that uses the term very broadly these days.

Clearly, in this case, the only form of corporate harassment that a simple CIRA auth request form could possibly generate is.... drumroll please... an unsolicited email, i.e. SPAM. So no, these are not two totally different things. You singled out a very specific type of corporate harassment - an unsolicited email message. Apparently Armageddon is coming in the form of an unrequested auth-code request.

And wouldn't the CIRA Registrant Contact form be worse? You don't even need to know their email address for that!

In any case, dude, try to lighten up a bit, in the scheme of potential "corporate harassment" methods, this is unbelievably minor, and no worse than what already exists. So we add 1 new form that almost no one on planet earth even knows about, to the gazillions of forms I could enter an email address into as a way to harass someone at the other end of that email. It's like a drop in the ocean, meaningless.

I wanted to point out, unrelated to you, that a legitimate knee-jerk concern might be if someone nefarious could intercept your email. And I'll point out that it could be through an account hack, or from leaving your computer or phone open long enough for them to install a global redirect or filter on your email accounts. That's why I carefully pointed out many of the various levels of security options you may or may not have through your registrar and email accounts. Understanding that is the key to understanding that an unrequested auth code email is not the thing you should be worried about. Hopefully that has prompted a few people to take that two-factor-authentication stuff seriously, on all of your registrant email AND registrar accounts. If something is going to go wrong - it's most likely to be at your email or registrar account level. It only takes one of them to be hacked to be a major problem.

In any case. My vote is that the CIRA Auth Code Request form is a good thing. Thanks @richard.schreier for making it happen.
 
But if I'm going to be the troll, then you're the living definition of a Negative Nancy.

Hey, that's just how my genetic pool mix turned out, and there's nothing I can do to change it. I'm not even a "glass half empty" person I'm more a "where the hell did the rest of my drink go?" guy. For example, I can play virtually all sports at a high level, but I can't ski and I can't dive - there's just some things you're born with some you're not.

But I'm still alive, still healthy and still doing well, so maybe there's something to be said for my "look at the negative outcomes first" mindset. :unsure:
 
Well, I guess it's always a good thing to know yourself and I appreciate you sharing that. But I don't believe you can't change things. For one, I'm sure I could teach you to ski given the time and desire - and I'm sure we'd have a blast doing it.

You clearly enjoy a debate, next time, just for fun, try challenging yourself by debating the opposite position than what comes natural. :)
 
That's the problem with the CIRA Registrant Contact Form, I occasionally get spurts of spam from that one (offering web design & hosting services), although not much in the past month, so maybe CIRA is monitoring the usage of that form for abusive IP's and email addresses and message content, all of which could be used to identify and block spammers. Or maybe it was too much effort for too little return. In any case, that seems to have subsided for now.

Well I spoke too soon - got a spam message today from the CIRA Registrant Contact form:

From: Amanda Smith

Email address: info@hubsolved.info *If you wish to reply to this message, contact this email address *

Subject: Professional Graphic, Logo and Website designing services for your company

Message:

Let me know if you need a logo / website made or SEO done for any of your website / domains. We can setup custom designed website at a very reasonable cost. Feel free to write back for a free quote and portfolio.

This is the message I'm getting, almost always the same message, and always has been from various bs .info domain names. I assume the rest of you TBR players are getting them as well on your relatively recent TBR domain acquisitions?
 
I don't like the use of the AuthInfo code for transfers. I explained (at length, 60 pages!) in my recent comments to ICANN (as they have a transfers working group that wants to get rid of the ACK/NACK step!) why it's a bad system in terms of security, and made a counter-proposal:

Meditations on Domain Name Transfers: Final Call for Comments To ICANN
https://freespeech.com/wp-content/uploads/2022/08/LEAP-comments-Transfers-Phase1a-20220814-FINAL.pdf

(see especially Section E). Having a "secret code" is inherently insecure, which I explain in detail. Briefly, it'd be better to "push" the domain from the losing registrar to the gaining registrar (but with appropriate safeguards to ensure that the recipient doesn't get pushed "bad" domains, and is going to pay the renewals, etc.). (all discussed in Section E, although the other sections are worth reading too)
 
I assume the rest of you TBR players are getting them as well on your relatively recent TBR domain acquisitions?

I got the same enquiry via the contact form about a month ago.

The name, email address, and subject line were different, but the message is the exact same wording (verbatim) and they also used a .info domain. 100% the same person doing this, unless it's a team working together.

I believe it's only the first or second spam I ever received via the form though, unless I forgot or deleted the emails.
 
I get those same "Logo & Design" SPAM messages on about 1/3 of my TBR registered domains, and most tend to be on higher-quality domains.

It looks like someone is actively farming the "top of the TBR chart" for their SPAM victims.
 
Mine actually wasn’t a tbr win, it was a leftover I bought during the WHC sale. So they must be going thru more than the tbr wins although targeting tbr wins would be smarter/easier.
 
Mine was a text message on Wednesday. I do have a few domains showing public Whois so I’m guessing this is how “The best GODADDY designer” found me.

 
I don't like the use of the AuthInfo code for transfers. I explained (at length, 60 pages!) in my recent comments to ICANN (as they have a transfers working group that wants to get rid of the ACK/NACK step!) why it's a bad system in terms of security, and made a counter-proposal:

Meditations on Domain Name Transfers: Final Call for Comments To ICANN
https://freespeech.com/wp-content/uploads/2022/08/LEAP-comments-Transfers-Phase1a-20220814-FINAL.pdf

(see especially Section E). Having a "secret code" is inherently insecure, which I explain in detail. Briefly, it'd be better to "push" the domain from the losing registrar to the gaining registrar (but with appropriate safeguards to ensure that the recipient doesn't get pushed "bad" domains, and is going to pay the renewals, etc.). (all discussed in Section E, although the other sections are worth reading too)

Agreed - there could be a better way to handle transfers.

But to be honest, the current method as implemented by CIRA is super simple and satisfyingly efficient. It's awesome to transfer a domain and know it's done in seconds. It saves so much time. No waiting around wondering if everything is going to eventually go through correctly. And the buyer doesn't really need to communicate any information to the seller, so when dealing with uninformed buyers, I don't have to explain the process to them, I don't have to wait for them to get me the correct information, etc. Half the time the buyer isn't even sure who their registrar is. Even the least computer savvy buyers have no problem understanding how to initiate a transfer and paste in the auth code. So from that perspective, I hate to ruin a good thing. Then again, I've never been hijacked or screwed over either.

The only issues I really have with the current system is that the buyers often don't update the registrant contact info properly - so it'll show I'm still the owner years after the transaction. And some registrars don't have a good implementation of handling the Registrant/Contact info on incoming domain transfers, so they'll default to copying my info, then promptly locking the domain for 60 days so it can't be fixed. And it would be really nice to confirm that the buyer details are correct before agreeing to the transfer. If there is any weak link in Escrow services - it's the fact they only get circumstantial transfer evidence when approving transactions. There is definitely an opening there to get scammed.

I like the idea of having differing auth codes for both the sender and receiver, both needing to enter the appropriate code at a CIRA based approval page. So kinda like having two keys to the nuclear missile button. It would work like this:

1. Current registrant sends new registrant an auth code, exactly as they do now.
2. Gaining registrant initiates transfer from their account at preferred registrar with auth code, exactly as they do now.
3. If auth code matches expected value, a new transaction is started through a central CIRA transfer portal.
4. Gaining registrant is forced to enter the full legal registrant & admin contact details for verification (or select existing one).
5. Gaining registrant reviews data and confirms it is correct.
6. Gaining registrant is forced to agree to latest CIRA terms & conditions and select the correct CPR category.
7. Current registrant receives email with transfer approval request link.
8. Current registrant reviews the full legal registrant & admin contact details of Gaining registrant.
9. If current registrant is satisfied that the details match the expected values, they enter the second auth code.
10. If both codes are correct, transfer is instantly completed.

It sounds more complicated than it is. Actually would be very simple from the user side.

Having CIRA handle transfer through a central transfer portal on CIRA servers would vastly improve compatibility and reliability of the transfer system by removing the weak link - the registrar. Instructions for completing a transfer would be nearly identical for every single registrar - with only the initiation and payment step occurring at the gaining registrar.
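
The ten-step flow proposed in the post above, modelled as a small registry-side state machine. This is an added example, not part of the thread and not CIRA's implementation; the class, state names, `example.ca` and the contact values are hypothetical or constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so code checks do not leak matching prefixes.
    return hmac.compare_digest(a.encode(), b.encode())

@dataclass
class Transfer:
    """Hypothetical registry-side record for the 10-step flow in the post."""
    domain: str
    code1: str = field(default_factory=lambda: secrets.token_urlsafe(16))  # sent to buyer
    code2: str = field(default_factory=lambda: secrets.token_urlsafe(16))  # kept by seller
    state: str = "AWAITING_INITIATION"
    gaining: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _step(self, ok: bool, event: str, new_state: str = "") -> bool:
        # Every attempt, accepted or not, lands in the audit trail.
        self.audit.append((self.state, event, "ok" if ok else "rejected"))
        if ok:
            self.state = new_state
        return ok

    def initiate(self, code: str) -> bool:  # steps 2-3
        ok = self.state == "AWAITING_INITIATION" and _same(code, self.code1)
        return self._step(ok, "initiate", "AWAITING_DETAILS")

    def submit_details(self, contact: dict, cpr: str, agreed: bool) -> bool:  # steps 4-6
        ok = self.state == "AWAITING_DETAILS" and bool(contact and cpr and agreed)
        if ok:
            self.gaining = {**contact, "cpr": cpr}
        return self._step(ok, "submit_details", "AWAITING_APPROVAL")

    def review(self) -> dict:  # steps 7-8: what the current registrant is shown
        return dict(self.gaining) if self.state == "AWAITING_APPROVAL" else {}

    def approve(self, code: str) -> bool:  # steps 9-10
        ok = self.state == "AWAITING_APPROVAL" and _same(code, self.code2)
        return self._step(ok, "approve", "COMPLETED")

def demo() -> tuple:
    t = Transfer("example.ca")  # constructed sample domain
    t.initiate(t.code1)
    t.submit_details({"name": "Unexpected Party"}, "Canadian citizen", True)
    shown = t.review()                    # seller sees who would receive the domain
    leaked_only = t.approve(t.code1)      # holder of the first code alone cannot finish
    return shown["name"], leaked_only, t.state, len(t.audit)
```

In `demo()` the transfer stalls at `AWAITING_APPROVAL` because the second code never left the current registrant, and the rejected attempt is recorded in `audit` alongside the accepted steps.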
 
Yup, my proposal(s) were very similar. Because, when there's no fraud, the current system works fine. But, it completely falls apart, with no good audit trail, when there's fraud --- and you can't just 'assume' there won't be bad actors trying to manipulate the system.

In my long submission to ICANN:

https://freespeech.com/wp-content/uploads/2022/08/LEAP-comments-Transfers-Phase1a-20220814-FINAL.pdf

section G (along with Section E) accomplishes what your idea suggests --- with section G making visible the "new" WHOIS, so that the existing registrant can confirm what it's going to be before approving the transfer. [don't really need 2 authinfo codes, though, as section E makes clear]

At present, with all security relying on the secrecy of the AuthInfo Code, a bad actor can either (a) directly intercept it from the true owner or proposed owner, or (b) pretend they never received it, and have plausible deniability if they simply take it to a different registrar, etc.

With .ca transfers, at least the relevant jurisdiction is in Canada, to "fix things" if there's a stolen domain, etc. That's not the case for gTLDs like .com, .net, .org, etc., where the thief might take it to a Chinese or Russian registrar, making legal issues potentially much more complex.
 