Bugtraq mailing list archives

Re: Anyone can take over virtually any domain on the net...


From: bryanf () SAMURAI COM (Bryan Fullerton)
Date: Sat, 15 Jan 2000 01:57:13 -0500


On Fri, Jan 14, 2000 at 10:26:44AM -0500, "BUGTRAQ () ROZZ COM" <BUGTRAQ () ROZZ COM> wrote:

> This confirms what I always thought; that there was a unique number in
> the response that was needed for the ACK.

True.  If the domain is set up to require ACK before transferring. Many (most?)
are set up to send the confirm email after the modify request is processed -
by the time the contact actually reads their mail the modify may have gone
thru to the root servers, and the domain may be in the hands of someone else.
I really don't know what happens if you can double-transfer a domain before
NSI receives back a NAK response to a confirm email.

Spoofing mail from a contact is something I've done regularly in the past
when customers leave an ISP and can no longer send/receive mail from/to the
contact address, but want to transfer their domain to my servers.  It's fairly
trivial, and I suspect common practice amongst ISPs who can be bothered - many
just say "transfer it yourself, let us know when it's done", avoiding the
whole issue.  I haven't done it to maliciously transfer a domain, only for
the actual domain owner, but there's nothing really stopping anyone from
sending in a request.

Which is why most of my personal domains use CRYPT-PW as their Guardian
setting instead of MAIL-FROM.  :)  Admittedly trivial to find out if anyone
got ahold of my sent-mail folder or intercepted a request, but it's a small
step up.

Bryan

--
Bryan Fullerton                http://www.samurai.com/
Core Competency
Samurai Consulting
Can you feel the Ohmu call?
