Too easy to hijack/block domains using the system

[somereseller]

I've just had a problem emailing someone and found out that someone either stole a domain name or that this domain name left this system without being deleted from the DNS.

This is a big problem!
(My case was solved, but I still want to discuss this problem)

What worries me is that anybody could add any domain name to the system and emails sent to the real domain name will never reach their destination. I'm sure one could think of other evil uses.

If this is Vortech not wanting to interfere with their resellers, then we had a discussion about it and Vortech has clearly stated its position. Maybe it's time for a new discussion? Because one could add cnn and god knows what and cause quite a havoc.

Could this be used to deviate emails?

Hello,
How exactly are we supposed to know the difference between a "real" domain and just a domain they are adding so they can point it later. Where is the distinction. I admit its an issue but how are we the host supposed to control it?

[somereseller]

I've been thinking about this.

A good starting point would be to mimick the way some ssl providers do verify that you own the domain name. Get the emails tied to the domain name and offer to send the confirmation email about the move to one of the addresses. That way the owner of the domain name would get a message and if he discards it then I guess he could assume the reponsabilities.

What do you think? I mean this is something Psoft should implement, but we could still discuss the possibilities here.

[electricfox]

Wait, is the problem in that all internal e-mails within the Vortech network would be delivered to this faux domain rather than the real one? I've wondered about this myself, because I have a client who has their own mail server, but the mail server here thinks it's here, so any mail I send to them from my domain gets bounced rather being properly routed.

So was this the concern? If so, I think it's probably a simple domain resolution issue that could be changed on the mail server... Why prefer domains that are internal to the network?

all you have to do to disable the mail problem is turn off the mail service and the DNS entries for it.

[vonbrocklin]

I ran into this a few months ago. I have a client who works for ABC Corp. - domain name is abc.com.

Well, another reseller had entered abc.com into their system as a test account. Therefore I could not send email to abc.com because the MX records are hosted here and the whole thing was screwy. With Vortech's help, the reseller opted to remove the domain from their system. But the potential for abuse is great:

What if I were to sign up an account using vortechhosting.com, or yahoo.com, or hotmail.com? You can see the potential problems here.

I don't know if there is an easy solution but it definitely makes me nervous.

p.s. Landiserve - your solution only works if you control the domain.

[Silverbug]

yeah this is sort of a HUGE issue that needs to be looked at by psoft eh.

[Brangwyn]

Yeah agree its an issue, but really its not something easily policed, and I'd say is going to stay in the "too hard basket" for a good while yet !

[somereseller]

Why would the "email to domain owner" method be so hard to implement?

[Silverbug]

why does hsphere redirect any email within the network to the directly to the mail server. if it didnt do this would this not solve the problems? i agree in terms of redirecting emails quickly this method is better, but thats probably the only way of getting around this.

silverbug, because it uses local DNS servers first, and maybe only, i really don't know on that.

[electricfox]

if possible it should probably just check outer DNS servers methinks - I mean, how many e-mails stay within the network? this would resolve this issue, as domains like abc.com can be easily cleaned off the network when problems arrise. Though the potential for security flaws mentioned here are enormous.

it has nothing to do with being cleaned off the network, that is an internal hsphere database issue that give those errors, and that woudl nto be fixed at all by changing DNS servers.

[mresell]

I have also encountered similiar problem. Somereseller, what if the email doesn't get thru with your method? Do you not sign them up? You could delay a customer for weeks. Or maybe I am missing something.

We could setup the mailservers to use an external DNS, but then if your DNS is wrong, it really won't work