eNom and Tucows don’t use their official websites for domain name verifications

With the introduction of the 2013 Registrar Accreditation Agreement (RAA) registrars are obligated to send whois verification emails to all domain name registrants. Inaccurate contact data may result in the suspension or termination of a domain registration.

Almost immediately after registrars started sending verification emails, various phishing scams appeared. Such as the one for the #1 registrar in the world: Go Daddy.

I have noticed 2 registrars that don’t use their official website domain name for domain name verifications that are sent to registrants thus making it even harder for registrants to identify phishing attempts.

The registrars are eNom and Tucows that are both big scale domain name resellers. Maybe that is the reason that the try to keep their brand hidden: to allow their resellers to have some brand recognition. But that creates more problems at this point.

These are the domain names that these 2 registrars use for RAA verification:
eNom (and eNom Central and resellers):
name-services.com (rra.name-services.com)

Tucows (and OpenSRS resellers)
domainadmin.com

So if you get an email and the link inside includes these 2 domain names, the link is safe.

But still anyone can confuse for example the domain name name-services.com for name-service.com or names-services.com.

I think eNom and Tucows should consider changing this.

Also I don’t understand why some registrars require you to log into your account so you can verify your contact email. It should be as easy as this:
a) click link in verification email message
b) browser opens and loads: done. You are verified

Are they afraid that someone that has hijacked your email will verify your domain name
to keep it from being suspended?

Until now more than 200 registrars have signed the 2013 RAA. Registrars that want to offer new gTLD domain name registrations are required to sign the 2013 RAA. Moniker.com is the only top 10 registrar that has not yet signed the 2013 RAA so it has not send any verification emails yet.

Sold.Domains

About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.

2 comments

  1. The GoDaddy fiasco with the spoofed emails clearly shows that indeed, there should be NO requirement to log in, in order to verify an email address. Not all registrars have implemented infrastructure supporting this clean approach.

  2. I get your point.

    Tucows and eNom are reseller registrars that send notices for many of those their resellers and this use generic domains for their email messaging.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.