Tuesday, Tuesday, April 02, 2002, 11:03:19 AM, David Denney wrote: > On Mon, Apr 01, 2002 at 04:45:17PM -0500, Chuck Hatcher wrote: >> This is disturbing, since I was not aware the customer was in the process of >> having the address changed. Previously OpenSRS required the consent of the >> RSP to effect this kind of change, and I question the wisdom of changing the
> The policy was not changed, its been full of holes the whole time. It > should AT LEAST include additional notifications and verifications. > Anybody who sends in a fax of their driver's license with the correct > name (how hard is it to forge a FAX?) can steal any one of your > customer's domains pretty easily. And if they do it on a Friday > afternoon, OpenSRS will not do ANYTHING until at least monday. They > dont even bother to notify the old contact before changing the data. > Better make sure you have indemnified yourself agaist your customers, > because OpenSRS sure as hell is against you and your customers. > This whole issue was brought up about two weeks ago, under the thread > "hijacking, AGAIN". I was lucky that the hijacked domain was not > actively in use by my customer. David, The domain had been hijacked months ago, and as was pointed out, the changes were made with the username/password for the domain, which only you could have given them. So while the fax system certainly has holes, you also had a chance to notice the issue before anything other than the email address in the admin contact was changed. -- Best regards, William X Walsh <[EMAIL PROTECTED]> -- OpenSRS installation and customizations Payment Processing Integration Apache Installation and Support Services http://www.wxsoft.com/
