Namejet – Enom Security Issue Discovered – A Domain Can Leave An Account Without A Trace

While selling a domain name at the NamesCon/RightOfTheDot/Namejet auction I discovered a big security flaw at Enom. But let’s start from the beginning…

I submitted my first domain name in a NamesCon auction this year. It was a 3 letter .org that didn’t go into the live auction. In the silent auction it sold (not for what I was expecting but that is another story) as it had no reserve.

I was then asked to transfer the domain name to Enom before the domain was paid, something I didn’t really like. Nevertheless I did that too. I had some funds in an old Enom account so I made the transfer.

I was waiting for the payment so I would get an email from Namejet to push the domain into their account. But I found out that is not how it works…

While I was waiting for the payment and because of an unrelated email I logged into my account and the domain name was missing. Soon after I received an email from Namejet asking me to submit my payment details. There was no mention of a push.

I contacted Namejet and this is what I found out.

This is how they always treat domain names that are auctioned in Namejet. Sellers don’t push domain names. But let’s say that this is how they do it.

The problem is that I have no record of the domain being transferred to Namejet or the buyer.

There is no record of a push/transfer between the 2 accounts and I received no confirmation email of this push/transfer.

This is a very bad practice and of course a big security threat. I find it unbelievable that a domain name left my account and I have no record.

Even if Namejet takes the domain, there MUST be a record of the push/transfer in my account AND a confirmation email. This is a serious issue and something that any hacker or employee can potentially exploit. A domain name can leave an Enom account and the owner will never know.

I am sorry but the person that designed this system is dangerous. Modern systems have tracking and email alerts for everything. And domain names are the most valuable asset a registrar and registrant can hold. I don’t believe how this was designed and run like this for god knows how many years.

I wonder if all the other people selling domains at Namejet are finding this normal and secure…

When I first told Namejet about the issue they were defensive but at the end they said that they will look into the issue. Not sure if anything will happen as the Enom registrar system is now one of the oldest in the industry with very few improvements in the past 10 years.
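
The control the post asks for (every move out of an account leaves both a log entry and a confirmation e-mail) can be checked from the account holder's side by comparing periodic inventory snapshots against the records actually received. The Python below is an added example, not code from the post, Enom or Namejet; the record schema, function names and sample domains are assumptions constructed for illustration.

```python
# Added example: reconcile account inventory snapshots against the
# registrar activity records and e-mails the holder actually has.

def norm(domain):
    """Canonical form so 'Example.ORG.' and 'example.org' compare equal."""
    return domain.strip().rstrip(".").lower()

def reconcile(prev, curr, activity_log, notices):
    """Return {domain: finding} for every domain whose presence changed.

    prev, curr   -- domains held at the earlier and later snapshot
    activity_log -- dicts with 'domain' and 'action', one of 'push_out',
                    'transfer_out', 'push_in', 'transfer_in' (assumed schema)
    notices      -- domains named in confirmation e-mails received
    """
    prev, curr = {norm(d) for d in prev}, {norm(d) for d in curr}
    notified = {norm(d) for d in notices}
    logged = {}
    for rec in activity_log:
        logged.setdefault(norm(rec["domain"]), set()).add(rec["action"])

    findings = {}
    moves = [(d, "out") for d in prev - curr] + [(d, "in") for d in curr - prev]
    for domain, direction in moves:
        has_record = any(a.endswith("_" + direction)
                         for a in logged.get(domain, ()))
        has_notice = domain in notified
        if has_record and has_notice:
            findings[domain] = "ok"
        elif has_record:
            findings[domain] = f"moved {direction}: logged, no e-mail"
        elif has_notice:
            findings[domain] = f"moved {direction}: e-mail, no log entry"
        else:
            findings[domain] = f"moved {direction}: NO RECORD AND NO E-MAIL"
    return findings

# Constructed sample data (placeholder names, not taken from the post).
PREV = ["abc.example", "Sold.Example.", "pushed.example"]
CURR = ["abc.example", "returned.example"]
LOG = [{"domain": "pushed.example", "action": "push_out"}]
NOTICES = ["pushed.example"]

if __name__ == "__main__":
    for domain, finding in sorted(reconcile(PREV, CURR, LOG, NOTICES).items()):
        print(f"{domain}: {finding}")
```

The same check covers the reverse direction, where a domain reappears in an account with no inbound record.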


About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the blog in 2012.


  1. Nothing shows under Reports? How did they get the domain straight out of your eNom account?

    For domains I sold on NameJet, there was usually a transfer from another registrar, to NameJet’s eNom account, or a push.

  2. Something is really wrong with Enom. I recently had a premium priced New G domain renew automatically even though I disabled the ‘auto renew’ feature. To make matters worse, I received absolutely NO email notification that the domain was renewed and charged. By not being notified I am now unable to get a refund due to the time lapse….

  3. Enom’s entire backend is on pins, and needles, it is stitched together, you can’t add premium gtlds to cart, without clicking add years, otherwise it says errors.

    It needs a total retooling, the notifications sometimes come days later, but for transfer in and out, I do not recall, usually for renewals, they are delayed to come.

    When I get the time, I will be moving them out, I have called support via long distance, waited on hold for them to do nothing about anything.

  4. To be honest enom gives me that same feeling moniker did, went from 800 domains there, to like 20 something now, which will soon be moving also.

  5. Can Enom provide you a log showing that you were alerted?

  6. I have pushed thousands of domains from ENOM to ENOM accounts and never lost any ENOM’s email confirmation for domains (since 2002), using individual Push and Bulk Push. I also pushed domains from ENOM to GODADDY accounts. When dealing with Push transactions I make all Screen Shots, store them in Outlook custom folders and in Excel archive files.

  7. I completely stopped using ENOM when they were not even bothering to submit EAP orders anymore, or would submit them 30 minutes into submission. I talked to support; they were uninspired, and said they had system issues or whatever. I locked up a lot of money in their EAP to have it loaded in a gun that wouldn’t fire.

    Their support is lackluster, nobody cares, maybe layoffs will shake things up.

  8. In order to make sure that a domain can be delivered if a name sells at auction Namejet takes your domain out of your Enom account and puts it in a special account. That keeps sellers from not delivering domains that are at auction.

    Did you not know this? Were you not prepared to have it move over or is it just the fact that you don’t see a record of it happening?

    It’s funny because I hear all the time about people not delivering on a sale. Namejet assures they have the domain. Which is great for buyers. I would think this is a good thing.

    When you sign the agreement this is part of the deal. They also make sure that all names do not expire in the next year to keep people from selling names that expire in the near term. I just put a batch up of names to sell at Namejet and I know that Enom looks at my account several times a day for those names that I have put up at auction. If they are there they are swept up and put in the Namejet account. If I have any problems I email Namejet and they take care within hours.

    Who was your contact and did they not answer your questions? I’m sure Jonathan and the others would love to hear about anyone not doing their job.

    • I don’t care if they have the domain. They could have told me to push the domain and I would have.
      The problem is they took it out of the account without even telling me and Enom didn’t keep a record and didn’t email me.

      It was Jonathan that defended this terrible procedure.
      At the end he said that he will look into it but judging from the updates the Enom system has had in the past 10 years I don’t have much hope of anything happening.

  9. Noticed the same thing.

    Somehow this confirmation was supposed to be comforting.

    And then sure enough. *POOF* domain gone, no record, not even an update from ROTD that it was done.

    This was the last correspondence I got from them.

    Laurie Krick
    Jan 28
    to me, Jonathan, Monte, Jamie

    Hello – and thank you for the confirmation that the domain is at eNom.

    We are still awaiting payment from the Buyer. Rest assured, the domain will not be pushed out of your account until it is paid.

    We’ve sent your Wire information to our Accounting staff, thank you!

  10. yep, they work that way. it’s very fishy.

    if you place a domain on auction with them, when you transfer the domain to them OR if you have a domain with them, they will move the domain without any notice or record.

    note that even if your domain hasn’t sold they still remove the domain from your account and after the auction ends unsold they will move the domain back to your account. all silently

  11. Some time ago, I commented somewhere else that my domains were stolen several years ago without knowledge of the registrar and myself and transferred to some other registrar. This was not Enom, but an Asian registrar. I guess the hacker simply broke into the registrar server and took some domains away like a shoplifter. I noticed the theft by accident and informed the registrar of the fact that my domains are missing from the list. The registrar hadn’t had any idea about the theft until I informed them. Anyway I recovered the domains but it was a very frustrating experience.
