>>achyne+(OP)
Incredible. Their registrar (TierraNet) has some explaining to do.

>>achyne+(OP)
The importance of using a reliable registrar can't be overstated. tierra.net looks like a small company, without 24hr support, and with an abandoned social media presence. Why would a company with 40M users use a tiny registrar to save 2 bucks on a domain name?

>>achyne+(OP)
This is why you register your domain with MarkMonitor or Cloudflare. I cannot comprehend why they were so stupid to use a registrar that is not corporate oriented. This is just unreal.

>>achyne+(OP)
Zoho CEO here.

Our domain was abruptly blocked by our registrar this morning. Our NOC team and myself tried to get in touch with them and they tell us "Contact our legal". Even I could not get in touch with anyone beyond their phone operator. The domain was restored, but as DNS takes time to restore, we are still facing issues. They later claimed there were abuse complaints about Zoho.com emails (which is our personal email service with millions of free and paid users). We received a total of 3 complaints from them and two of them have been acted upon and one is under investigation.

Once we dig our way out of this, we will find ways make sure no one takes down our domain again this way.

>>JohnTH+63
This was not the company used. The domain registrar market has gone through consolidation and it ended up here. We have been moving domains and this is a cautionary tale for us.

>>svembu+h3
You should consider using Google Domains. There’s literally no company that’s more professional in this regard.

>>achyne+(OP)
A whole lot of people are learning about the hazards of centralization in email lately. First Google turns GMail into a slow-loading nightmare for weaker computers like mine, then they announced the closure of Inbox. Now 40 million people are without email because Zoho couldn't keep up with registrar consolidations (https://news.ycombinator.com/item?id=18060013).

Zoho is fine as a service, but a domain suspension shouldn't cut tens of millions of people off from email.

>>KenanS+84
Google is their direct competitor.

>>unstuc+a4
> A whole lot of people are learning about the hazards of centralization in email lately.

What is the alternative?

>>unstuc+a4
I agree this is unacceptable. We are figuring out ways to make this more resilient - we host third-party domain mails, and we could map those domains directly without involving our domain. That could be one solution. We have learned a serious lesson here.

>>unstuc+k4
I'm sure many of their employees can also use Android phones.

Google is far too omnipresent to just ignore.

>>KenanS+84
Yes, all of these possibilities are under investigation. We have just recently secured ICANN approval to be a domain registrar. With our scale, this has become important now.

>>choose+p4
I don't know, I'm not an email geek. Lots of smart people run their own email systems and report good delivery rates going by past threads here. Maybe they can work together on something more accessible.

>>KenanS+84
Well when Google bans you, you will simply find no recourse. Google is pretty shitty company when support is needed.

>>KenanS+84
Google is a company with a horrendous customer support history.

>>achyne+(OP)
Honest question: What exactly does it mean for a registrar to block a domain? I believed so far that for my browser to successfully connect to a web server running on a domain or for a mail server to deliver email to a domain, there should only be valid A, AAAA, MX, and/or CNAME records in the DNS.

Was it really a block at the registrar level or was it a block at the DNS level, i.e., the registrar also ran DNS service and their DNS service refused to return responses for zoho.com domains?

At what layer or at which stage of the protocol can a registrar disrupt this and take a domain offline?

>>unstuc+k4
This isn't really a problem for companies the size of Google - while they may well refuse service to competitors or prohibit usage via terms of service, if they do allow a competitor on board there's no way they treat them any differently - there will be huge legal ramifications of they do.

>>svembu+t4
Steal GitLab's business model and let people/companies self-host their own Zoho.

>>achyne+(OP)
Direct IP?

Got a major sales push today, looking for a bandaid.

>>KenanS+84
Could you elaborate on your view that Google Domains is the most professional company for this kind of issue?

>>svembu+h3
I'd go with DYN.COM for all my domain and DNS needs for a million/billion(?) Dollar business such as this. No referral here, just advice.

>>svembu+X4
It's kinda crazy that you have to become a domain registrar to circumvent problems like these in the future....

>>achyne+(OP)
This is pretty bad service from Tierra registrar. I am taking this as a cautionary tale for everyone. Domain registrar have way too much power. A back up domain in case things go south, should be a must.

>>KenanS+84
As a small start up when we ran into a similar problem while using google domains, they gave us a very hard time with bad support...something we could not afford then. I dont have a good alternative but wanted to mention this experience with google domains. Hope that helps.

>>JohnTH+63
They probably registered the name very early in their corporate life. At some point, they had a real business, and a business critical domain name, but they didn't realize they needed to do something different. My CEO registered our business names at network solutions, sigh.

Anyway, as a wakeup call -- if you have a business critical domain name, you need to find (and use) a registrar that has a registry lock procedure for the TLD you're in. A registry lock means the registry won't process changes from your registrar unless you authorize them, which makes it a lot harder to change things on purpose, or by an attacker. I imagine abuse takedowns could still go through though -- but there will at least be more people who know you care about your domain.

>>foo101+75
The registrar maintains the records that specify which nameservers, i.e. DNS servers, will resolve names for that domain. The registrar simply changes that record to point to nameservers that they operate, and with DNS entries that “take it offline”.

>>foo101+75
I assume the registrar was also the nameserver in this case

>>achyne+(OP)
I really hope https://handshake.org will catch on. It has the potential to solve a few very hard problems (PKI and online identity) without fundamental changes to the way the Internet works.

>>svembu+h3
Just FYI, I'm one of the maintainers of a mid-size forum regarding opensource virtualization/containers and thus spam is a daily occurrence.

While the fight against it is rather dire and no end will ever be in sight, I'll nonetheless never stop (tool assisted) fighting.

Anyway, @zoho.com addresses used by spammers started to pop up circa a month ago and increased rapidly in occurrence. As we use stopforumspam to report and track spammer info (and surely are not the single forum seeing those @zoho.com domains) you may got a few flags raised somewhere.

Not sure what caused this sudden (from our POV) attraction of spammers using zoho, you may want to look into some defense against this. While a full solution may not be achievable it's often enough to be faster than other providers, aka the tiger defense ;-)

>>foo101+75
I'm not seeing a block at the moment. I did find a whois history page that claims their NS records in January, 2018 are the same as what I'm seeing now:

    ns1.vtitan.com
    pdns90.ultradns.net
    pdns90.ultradns.com
    dns1.p03.nsone.net
    dns2.p03.nsone.net
    nds3.p03.nsone.net

Those don't appear to be connected to the registrar (tierra.net); most likely the NS records were removed or replaced with servers that direct all queries to a parking page for abusive domains. The TLD servers for com. return a 2 day TTL for all glue records, and their SOA record indicates a 1 day negative TTL.

(Of course, some caching resolvers ignore TTLs :( )

>>foo101+75
There are several layers where a registrar has control over DNS resolution.

Terms:

ICANN: The organization responsible for coordinating the maintenance of the domain name system (among other things).

Registrar: A company authorized to update ICANN database on behalf of registrants. Google, GoDadddy, Enom, etc are registrars

Registrants: An entity that wants to register a domain name. In this case, Zoho is a registrant, but it could also be an individual. This is your role if you 'own' a domain.

Authoritative Name Server: A domain name server that is considered authoritative for a specific domain.

Stuff registrars can do (among other things):

1.) They can update the ICANN database to disable a domain completely[1]

2.) They can replace your authoritative name servers with their own or someone else's (ex: botnet domains being reassigned to a security company for dismantling via court order)[2]

3.) If the authoritative name servers for a domain are owned by the registrar, then the registrar can merely change the DNS entries themselves to point to something other than the domain owner's wishes.

[0] - https://en.wikipedia.org/wiki/ICANN

[1] - https://www.icann.org/resources/pages/epp-status-codes-2014-...

[2] - https://www.icann.org/en/system/files/files/guidance-domain-...

>>avens1+3a
Am I seeing things or is dig really telling me their NS records pointed to vtitan.com? Who the hell is vtitan? Route53 with AWS would run them what, $100 a month for their level of traffic?

>>chrsst+bb
> vTitan, an international company with offices in California, Singapore and Tamil Nadu, is engaged in the development, manufacture, distribution and sales of a broad range of medical devices and consumables used in global healthcare markets.

what in the world?

>>achyne+(OP)
So as a domain owner you are completely at the mercy of your registrar?

What is considered a reliable registrar in Europe?

>>ttul+g3
The domain was registered in 2004; MarkMonitor was around then, but Cloudflare wasn't. I was involved in moving a domain to MarkMonitor in 2013; at that time, they had a rather steep minimum spend to get on their platform, and they barely wanted to talk to us.

>>svembu+h3
Is zoho.eu also affected by this?

>>achyne+(OP)
This is terrible.

>>chrsst+bb
Zoho appears to have funded it along with a few other companies. Unfortunately, the Indian news page that reported on the launch is even worse than news sites in the US with popups, pop-ins, pop-overs, pop-rocks, etc, so I can't in good conscience link it here.

>>achyne+(OP)
Is there a blockchain for DNS?

>>svembu+h3
Sridhar, after this nightmare is over, move all your domains to MarkMonitor

>>achyne+(OP)
Running their DNS on a 2-bit registrar is exactly the kind of thing I have come to expect from Zoho. I am forced to use this company for a handful of services at my company. If I started to tell you the idiocy I've had to put up with from these guys, I'd never stop ranting. I'll save it for DevRant.

>>svembu+h3
If you have 40M users I suspect the annual cost from the registrar is very small part of the budget. Get a registrar where you don't have to deal with a phone operator.

I work in this industry and it's a very clear separation between bulk registrars and those that maintain fewer but high value domain names. The latter usually give you a personal contact person to call and work proactively to deal with threats to companies' domain names and trade marks. I don't think I have ever heard of a domain being abruptly suspended by such a registrar.

The cost is usually 5x-10x that of the cheapest registrars so there is naturally a balance to be struck, and as I work in this industry I might be a bit biased. However the damage when waiting on the TTL when registries update NS records sounds very substantial when they first suspend and later restore a domain name in what sound as a very reckless behavior.

>>glglwt+Gf
I believe OpenNIC was something like that.

>>unixhe+P5
This should be higher up in the comments. DNS is a seldom thought of security / point of failure. Dyn's whole business model is basically: we won't turn you off until we talk to you.

>>teilo+Yg
The domain was registered over 22 years ago, and it kept moving through registrars who were acquired. We do have a solid record of reliable services, and have kept growing in spite of never taking a dime in outside capital.

>>JohnTH+63
I've been very happy with MarkMonitor. They have good customer service, a good reputation, and best of all, they auto-renew domains and send an invoice. That means that the failure mode is "domain is renewed, I owe them a check."

If your domains are riding on a credit card, you potentially have a failure mode of "card was declined, my domain did not renew, everything is down."

>>snowwr+4i
and then someone steals the domain out from under you and you'll need to pay in bitcoins to get it back.

>>belorn+wh
Which register do you recommend?

>>svembu+h3
Transfer your domain to a major registrar. Tierra.net looks like some bs cheap registrar and doesn't have any social media updates on their accounts since 2017. I'd recommend Namecheap.

>>taf2+Wi
MarkMonitor is what Facebook, Google, Apple, Microsoft and other huge companies use. They don't take small accounts, though.

>>achyne+(OP)
This is a hard lesson for people that no matter how resilient your authoritative DNS infrastructure is, for your own nameservers (plus route53 or similar), your domain registrar is absolutely a single point of failure.

If you have something with 40M customers I'd highly recommend going with the same domain registrars used by some of the Fortune 100 companies.

Seizing a domain at the registrar level, by court order, is also how the US government implements "seizure" of domains, if you've ever seen a torrent index site that has suddenly been replaced with a big scary FBI page (examples: https://www.google.com/search?q=this+domain+has+been+seized+... )

>>bqe+Pj
> Google

Google is a registrar themselves... Do you mean they use someone else for their own domains?

>>svembu+h3
I highly recommend AWS Route53 domains paired with their DNS service. Pay for the AWS support plan so you can call. I suspect Zoho is a multi-million dollar company at this point, should not be using a discount registar.

>>edm0nd+Xi
social media updates is not the best marker of current business activity.

>>Alupis+Ak
Google uses markmonitor:

Domain Name: GOOGLE.COM

   Registry Domain ID: 2138514_DOMAIN_COM-VRSN

   Registrar WHOIS Server: whois.markmonitor.com

   Registrar URL: http://www.markmonitor.com

   Updated Date: 2018-02-21T18:36:40Z

   Creation Date: 1997-09-15T04:00:00Z

   Registry Expiry Date: 2020-09-14T04:00:00Z

   Registrar: MarkMonitor Inc.

   Registrar IANA ID: 292

   Registrar Abuse Contact Email:

abusecomplaints@markmonitor.com

>>Alupis+Ak
Correct, MarkMonitor is a _huge_ business. Alphabet has had an account there for much longer than they have been a Registrar under Google name.

>>Alupis+Ak
They're a reseller like everyone else. If I'm not mistaken they actually use eNom for customers buying domains on any of their platforms (though not for their own domains).

>>TekMol+Ib
For private or business use?

Privately I’m pretty happy with Namecheap, they never failed to provide the support I needed in a friendly and precise manner. For business purposes with high value domains MarkMonitor seems to be the industry leader.

>>tomnip+Kl
Doesn't seem to be true, for my domain registered at Google:

Registrar: Google Inc.

Registrar IANA ID: 895

Registrar Abuse Contact Email: registrar-abuse@google.com

Registrar Abuse Contact Phone: +1.8772376466

Verify yourself at: https://www.iana.org/assignments/registrar-ids/registrar-ids...

Zoho is Zoho Corporation Private Limited IANA ID: 3803

>>belorn+wh
Yes, that is good advice. We are reviewing all our processes about domain registries right now. Major lesson learned, and I would encourage other companies to think this through and learn from our experience today.

>>KenanS+84
Maybe domains registered more recently work differently, but my Google domains use a random user account generated by Google for eNom (the provider they were contracting with at the time). That makes each domain it's own virtual customer (I couldn't just login to eNom or Google see a list of all my domains). I need to log into Google Domains as a separate account for each domain, and then that takes me to GSuite which links to eNom.

Also, last I checked, unlocking a domain for transfer to another registrar required emailing Google/eNom. There's no interface for it. For a while the entire UI to choose to cancel a domain just disappeared as well.

I would not recommend Google Domains.

>>keving+Vl
Both seem to be US companies. What levarage do you have over them if they screw you? I would say none. Suing a company overseas is pretty much impossible.

>>yjftsj+Lh
Like namecoin? or https://handshake.org

>>Thaxll+vl
It probably looks like what Zoho should use..

>>wolco+8l
Perhaps. But surely they've run into some sort of technical issue from time to time. Isn't posting such to Twitter a reasonable expectation? I mean, if they don't want to proactively communicate with customers, maybe they have a culture where they don't want to hear from customers at all? Hello Google ;)

>>TekMol+Ib
> What is considered a reliable registrar in Europe?

I heard a lot of good things about German INWX[1], even though French Gandi[2] is more popular and is the registrar of ycombinator.com (and was the registrar of reddit.com until recently, before they moved to MarkMonitor).

[1] https://www.inwx.de/en

[2] https://www.gandi.net/en

>>ttul+g3
That's a lot of strong words in a short comment for an honest mistake. I don't think this is called for with pretty much any unintentional error where we don't know the exact background.

>>svembu+h3
If you’re providing email service, you should be actively monitoring public blacklists, not waiting for your registrar or hosting company to notify you. Even if your domain isn’t banned, your users’ emails may be bounced by other servers. That you don’t seem to know any of this means you aren’t employing the right people.

>>unstuc+a4
I wouldn't say Zoho is one of the ones enjoying "centralized" status. If you said so of Google or Microsoft, or in the past perhaps Yahoo, then in the western world that's true; but I can only vaguely recall ever hearing of Zoho, let alone see an email address of theirs used by anyone.

While email is getting harder to run yourself due to all the bad actors, with dozens of reasonable choices (plus the option to self-host like I do) you can hardly call it centralized.

>>nodeso+Tk
This was registrar level, not nameserver level.

>>tlampo+7a
It sounds like the spammers found a way to automatically create new @zoho.com email accounts, and the single way to stop them might be using a CAPTCHA service from the direct competitor, Google. At least that was the unfortunate case for the privacy focused German email provider Mailbox.org[1]:

> We recently detected activities on our servers where bot nets were used to create hundreds of thousands of e-mail accounts for the sending of spam e-mail. Although we take this as a compliment – somebody out there must be convinced our infrastructure is up for the job – we needed to find a solution to stop this abuse of our service, of course. We subsequently deployed a number of different CAPTCHA systems to help our servers identify bots during registration. However, spammers were able to circumvent all these solutions shortly after they were put in place. [...] We therefore decided to use Google’s CAPTCHA for the time being, because out of the set of solutions we tried thus far, this one seems to work best.

[1] https://userforum-en.mailbox.org/knowledge-base/article/goog...

>>pmlnr+2q
AWS Route 53 provides full registrar services for a while now.

>>tomnip+Kl
They're a reseller for some TLD's, and a registrar for others.

>>Operyl+em
I get emails for a friend's domain that was originally registered through Google Apps (G Suite) many years ago, and I see emails with "enom" in them going back all those years.

>>krn+vq
I suppose due to the increasing risk of being broken by competing neural networks, recaptcha appears to be moving towards a model based on usage heuristics in v3. This is something that is more easily achievable by a small startup, so I hope to see competition for this type of solution if there isn't some already.

>>svembu+h3
I think it's pretty good that you came to ycombinator yourself!

I wish you the best of luck once you catch up with the CEO of Tierranet (or perhaps you already have!)

>>stephe+mu
That’s before Google domains hit off

>>tlampo+7a
Hi Sorry for the issue caused to you. Can you provide few email address to abuse at zoho.com, so we would take appropriate action after investigations. Regards. Rajasekar Zoho Abuse Monitoring Desk.

>>forgot+76
It is more likely Zoho is getting into/already in the business of selling domains and hosting as part of their portfolio and that's why they are becoming a registrar.

>>TekMol+fn
Ah I see, beg your pardon, I misunderstood your question. If you’re looking for domain registrars located in Europe I can only suggest one as I don’t have much experience dealing with others. Epag [1] has always been nice to deal with.

[1] - https://www.epag.de/en/

>>lwansb+ev
> recaptcha appears to be moving towards a model based on usage heuristics in v3

I always thought that Google has a huge competitive advantage here, because most people browse the web being logged into their Gmail accounts, and, therefore, as with Google Analytics and Google Adsense, Google knows that it's you who is viewing that page. It can then present extremely time-consuming CAPTCHAs to anonymous visitors, most of whom are likely to be bots or the spammers themselves.

>>krn+io
I can highly recommend INWX. What I like about them is that the service they provide is domains only (I don't consider their web hosting offers [1] seriously). Thus no conflict of interest and resources are focused on a good domain service.

[1] https://www.inwx.de/en/hosting

>>belorn+wh
Hey mate,

I've always been a bit perplexed as to how registrar's are created. How could I become a registrar?

Any advise or resources to explore this very open question would be wonderful.

Cheers J

>>michae+Nh
Except Oracle recently purchased DYN. It will be interesting to see if they maintain their previously good reputation.

>>svembu+h3
I'm sure that Zoho has many talented engineers, but to manage abuse on the scale of 40M users you might benefit from engaging with one of the firms that specializes in this area.

>>svembu+hm
Cloudflare Secure Registrar - I know you guys probably in some ways compete with Cloudflare, but maybe give them a call. Or for that matter become your own registrar and get into the corporate registrar business. With this experience under your belt, no doubt you'll crush it!

>>taf2+Wi
Cloudflare Secure Registrar. Few people know that Cloudflare operates a registrar, but they do. The pricing is $enterprise, as it should be:

"Cloudflare Registrar is the highest level of registrar security. It protects your organization from domain hijacking with high-touch, on and off-line verification of any changes to your Registrar account. Cloudflare is an ICANN accredited registrar providing secure domain registration for high-profile domains."

>>nodeso+Tk
$400M PA reportedly...

>>ttul+g3
Do you happen to know how much Cloudflare charges for this?

>>keving+Vl
I love namecheap - customer for over 10 years - but a recent incident has me rethinking my patronage. We recently received a "lawyer DDOS" - where a law firm sent multiple letters claiming /alleged/ trademark infringement. Without proof of identity, proof of subpoena, judge's order - whatever - namecheap rolled over on their WHOIS protection. There was no dialog, no email from legal, nothing.

I was dismayed to see that someone can literally send one email, get your personal info, and impact your company.

Very disappointed in namecheap.

>>lucb1e+po
When you have 40M users, this is an inexcusable oversight. It points at Zoho having an incompetent CIO role. An experienced and appropriately paid CIO would most definitely have had this near the top of his or her list years ago.

>>lwansb+ev
I am working on exactly this at hcaptcha.com

>>krn+vq
If you’d like to use a strong captcha approach without using a competitor you might want to check out http://funcaptcha.com (I have no affiliation, have heard good things and been presented it on a couple of sites)

>>Androi+dt
They use Gandi iirc, they are not a registrar themselves.

>>edm0nd+Xi
Even a solid company like Namecheap wouldn't actually be appropriate for a large, enterprise corporation such as Zoho.

>>amirhi+AA
This is really neat!

>>krn+Fw
...or running a logged off browser with cookied restricted to the browser session. I spend my time solving captchas which I am getting sick of. My immediate reaction now when presented a captcha is to browse away.

>>achyne+(OP)
I believe DNS/domain name is really a problem that could be better served using a blockchain technology. The registers can't be trusted

>>svembu+h3
Ted from Namecheap here. I shot you an email. We'd be happy to help you out and ensure that your domain is locked down.

>>edm0nd+Xi
I get the feeling a lot of folks ended up there from Domain Discover which had good ratings back in the day. They actually aren't that cheap.

>>achyne+(OP)
Wow, Zoho is down a second time today now with a 400 Bad Request...

>>achyne+(OP)
I hope they move to a proper domain register after this...

The lack of decent options of domain registers for technical people that don't need their hand held and have decent security, while not being $$$$ enterprise options is depressing...

I use Uniregistry which has TOTP support and what seems to be a competent team, and a friend swears by AWS's Route53 domain registration, but more choices with actual good policies and aren't just a reseller would be welcome.

>>ted0+qC
Hi Ted.

This event seems to have been triggered from abuse complaints - and involved the registrar not reaching out to the client in question.

Curiously enough, I had a very similar incident with Namecheap last week: an unsubstantiated email (without subpoena, judge's order, or even validation of who actually sent the email) - was sent to namecheap abuse /alleging/ (correct, no proof) trademark infringement.

Namecheap rolled over and provided all information to the third party - and didn't bother to inform me of the incident. The only way I found out was a menacing legal letter using the address that I have on file at namecheap.

If Namecheap doesn't respect due process (ie, requiring legal documents to turn over customer information) or customer privacy (Hi, we have just had to turn over information) - on a 10+ year customer, I'm not sure that you're in a better position than Terra.

Severely disappointed with you guys.

>>achyne+(OP)
40M users doesn't really give a good idea of how significant 3 complaints are. Still it sounds like some additional screening and protection against phishing needs to be implemented on Zoho's side.

>>lbrine+aB
Sure they are, if you register a .com the registrar is "Amazon Registrar, Inc." since 2016 or so (https://www.icann.org/registrar-reports/accredited-list.html). For some other TLDs, they might outsource it.

>>cm2187+UB
That is pretty terrible if the web is being split into "google knows who you are and approves of you visiting this website" vs not being tracked by google and being treated as a second class user.

>>waffle+3y
Basically, you have to go through the ICANN accreditation process, which is documented here:

https://www.icann.org/resources/pages/accreditation-2012-02-...

The cheaper, and easier way, if you're looking to start selling domains with a lower barrier to entry (but less control over how much you pay/how you sell your domains) is to find a white-label reseller registrar.

>>waffle+3y
> I've always been a bit perplexed as to how registrar's are created. How could I become a registrar?

In all that time of being perplexed, you never thought to do a simple Google search? https://www.google.com/search?q=how+registrar%27s+are+create...

>>themih+8C
Namecoin is a good example of this - decentralised domain registrations using the .bit TLD.

>>indigo+sB
Why not?

>>ttul+Fz
FWIW, CF's registrar is nice, but also represents an extreme form of lock-in on the part of Cloudflare -- the registrar subscription is specifically tied to your enterprise plan and will be terminated if you are not using other CF products.

>>achyne+(OP)
I've had similar issues when operating my business. The bottom line is your company is only as strong as your vendors. If you pick weak vendors then your business is harmed as a result. If you find that you have a weak vendor then you must dump that vendor immediately and replace them with someone who is a strong vendor. Period.

>>kweks+5A
I am also on namecheap and this freaks me out. can you provide more info?

>>dogeco+bF
That is not the case anymore. We would still allow you to continue to purchase just registrar.

>>svembu+h3
Handshake.org is trying to solve this problem for good by decentralizing DNS at the root TLD level. I'd look into this if you want to make sure no one takes down your domain ever again.

Disclosure: we're building a registrar on top of Handshake. We can also help you claim "zoho" on Handshake for free if you're interested.

>>ldarby+RD
I can relate to what the previous poster said. The worst thing is that this happens even for services I pay for. Some of them even do that for logging in.

>>indigo+sB
What would you recommend?

>>devopl+65
For most of history Google offers essentially no support. Recently Google has started making phone support available for Google Ads (AdWords) putting a contact number on their customer facing website.

>>cm2187+UB
Thank you Cloudflare for contributing to that nonsense.

>>tlampo+7a
As a network engineer for an ISP, I can tell you that StopForumSpam reports generally don't make it on our radar. Cisco Talos IP reputation, SpamHaus, SpamCop and various other DNSBLs do make it on our radar and are proactively monitored by most responsible ISPs.

That being said, the proper way to report abuse to an ISP is to email the official point of contact for abuse associated with their IP netblock. In the case of Zoho, that contact info can be found here: https://bgp.he.net/AS2639#_whois

ARIN rules require that all IP netblock owners provide a valid point of contact for abuse issues. ARIN validates the points of contact annually. I believe that RIPE, APNIC and LACNIC have similar rules.

If an ISP doesn't act on the abuse after it has been reported to their abuse point of contact, then you have a legitimate complaint against them.

>>Svexax+To
I'm pretty sure you're over inferring stuff from that post. It's not credible that 20+ years old company serving email for millions of users wouldn't know the most basic stuff about running an email server, don't you think?

>>ldarby+RD
Using google with a vpn (PIA) was a non-starter. I usually had to solve 3 or 4 puzzles before I could get to results. Privacy is important to me and it is just as important for them to deny me it.

>>kbd+XE
Probably because you want enterprise grade support, a real person that you can call and will help you solve your problems without having to deal with low level support before.

>>svembu+hm
I learned this the hard way just a few months ago with Namecheap. Those guys dumped all of my personal information to some people (my name, address, phone number, etc.). I have kids in my home and all they offered me was $100 in Namecheap credit, which I didn't accept out of principle. I spoke with a lawyer and the privacy laws in the U.S. seem to make it not even worth going after them. Registrars basically can do what they want and it's hard to hold them accountable.

>>edm0nd+Xi
I don't recommend Namecheap. A few months ago they dumped all of my private information erroneously, including physical address, for a whois guarded domain. They admitted to it too and all they offered me was $100 in Namecheap credit.

Spoke with lawyers and from what i was told in consultations there's basically nothing I can do about it.

TL;DR Namecheap will endanger your family and they give 0 fucks.

>>ted0+qC
Don't take Ted up on his offer. Namecheap released all of my personal information erroneously and all they offered me was $100 in Namecheap credit.

This company literally has 0 morals and doesn't care about making sure people are treated right. Also, good luck getting through their regular support. It's straight from a script with 0 deviations.

>>KenanS+84
Google doesn't even use google domains.

>>FabioF+EH
When I worked as an SRE at Stack Overflow we used name.com for all our domains (and R53/GCP/Azure for DNS). Never had any issues, and worth adding to any short list you come up with.

If you do whois lookups against the top 50 websites you'll see a lot of them use a small set of registrar's. But not all of them accept small businesses.

>>svembu+h3
Zoho has 40M users and apparently $350M in revenue. Why are you using a consumer grade domain registrar[0]?

The gold standard for any enterprise is MarkMonitor. You can pick any other enterprise level service which would mean you don't resort to lowering yourself to begging on Twitter to find a contact at a pivotal service provider

This has damaged you beyond DNS propagation, I don't know how anybody in tech is going to take you seriously again without some serious action

[0] https://www.tierra.net/

>>FabioF+EH
Probably something similar to CSC Global.

>>wp3816+EL
Cut them some slack.

>>unixhe+P5
Don’t forget https://en.m.wikipedia.org/wiki/2016_Dyn_cyberattack

>>kweks+tD
I obviously can't comment on this without any further information but I have to say that this sounds quite unusual. We have very strict policies regarding due process: https://www.namecheap.com/legal/general/court-order-and-subp...

Can you shoot me an email? ted [at] namecheap.com

>>azinma+tM
Mirai was an extremely rare event. I understand businesses were impacted, but it's unfair to hold a three-year grudge against any Mirai victims who are otherwise responsible infrastructure operators.

>>svembu+hm
Do you have enough capital to become a registrar?

>>quinti+RL
based on everything i've experienced and heard about Zoho i'd say this incident is a symptom of issues rather than a cause

>>ted0+2N
Email sent. I'd love to be mistaken on this. As re-iterated in the email, the email + address used in subsequent C&Ds were to a personal address only used in NC.

>>themih+8C
Aha! I was wondering when someone would say this!

>>cm2187+UB
Yeah I'm with you. I like to browse with everything logged out, and I clear all content on browser close.

I'm so bloody sick of helping Google train their self driving cars. I swear I'm going to have PTSD about stop signs and store fronts for the rest of my life.

>>dknech+RF
Oh, fantastic! I'll let my former colleagues know, assuming no one else has reached out to them (this was a pretty specific piece of feedback we had re registrar, so great to hear that it's changed).

>>cm2187+UB
While I too leave sites that are too annoying to use, as a dev, what are other less annoying ways to slow down bots on one's site?

>>svembu+h3
We(Gridmarkets) use multiple Zoho services and are a very satisfied customer. Would like to say we understand and stand by you as you sort this issue out.

> Once we dig our way out of this, we will find ways make sure no one takes down our domain again this way.

Would look forward to an official email with regard to what steps were taken to mitigate this going forward.

>>ethanw+5K
What people? Why are you scared of them? Should I be worried, as I have domains at namecheap.

>>svembu+h3
Zoho user since 2006.

Thank you for responding to this quickly. I saw this just a little while ago; I use Zoho Writer and Show for presentations and team-based doc editing and I have for the last decade. If Zoho goes down, I'd be very much lost. Thanks for providing a great service for this many years and I hope it keeps going for many more.

>>london+1u
Wasn't aware they'd finally taken the plunge. Thanks for the correction.

>>snowwr+4i
How much does markmonitor cost ? There is no pricing anywhere.

>>sandGo+uT
I’m guessing that’s an indication that it’s prohibitively expensive for small organisations?

>>Someth+FS
I’m in the same position and would love to hear more as well

>>achyne+(OP)
Couple of things about Zoho that I don't understand.

- Why use the same domain for the free service, which is usually more prone to abuse?

- Zohocorp.com is hosted on GoDaddy. Why not move all your domains to a single company so that they value your business more and give you a better level of customer service?

I hope once this is all over, Zoho just shares their feedback and some advices that will help small businesses.

>>achyne+(OP)
What is the startup friendly markmonitor alternative here ? I don't see pricing information at a lot of these services ...so I'm guessing they are $$$$$$.

Anything which startups can use and is $$ ?

>>achyne+(OP)
I really don't understand why any enterprise service would use these kinds of bargain bin registrars. Is using a reputable registrar with professional, enterprise-grade service not worth it given the scale of someone like Zoho? Optimizing to save a tiny amount on your registrar while you have millions pouring in from customers seems like a really poor decision.

I really believe in running a lean business, but running lean means cutting the fat, not cutting out your muscles and tendons and running with a naked skeleton that is fragile.

>>unstuc+Y4
https://mailinabox.email/ has worked well for me in the past

>>tlampo+7a
Second that as we’ve started to see fraud related registration activity from zoho.com around the end of August.

>>achyne+(OP)
ZOHO went down and hundreds of thousands of business went down...feel like this should be a bigger warning of how dependent we are to handful of companies?

>>awill+wy
Recently attended a meeting led by a DYN executive, he seemed very passionate about what they do.

>>partis+IJ
Well said

>>Obsole+YP
I've started deliberately getting them wrong - probably won't make a difference, but makes me feel a little better about it (I drew the line when I started getting CAPTCHAs on services I have paid for).

>>svembu+h3
This happened to us (Weebly) years ago when we had godaddy as our registrar. I highly suggest you transfer your domain to someone competent like Safenames or MarkMonitor.

>>JohnTH+63
You would be surprised how prevalent these problems are even with supposedly reputable registrars.

A commonly recommend option here in HN was NameCheap. Earlier this year without any notice they modified our DNS servers completely taking down our SaaS product.

Why? Some migration script run incorrectly.

They offered me a random TLD for free for one year as compensation! I declined.

>>tomcam+KT
Here's a quick timeline.

I did some work for a client in 2017 who was starting a cryptocurrency business. This involved buying a domain name for him to transfer to him later.

Well in 2018 there was some internal strife in his business that ended with a lawsuit being started. The opposing party started sending subpoenas to Namecheap asking for all information from 2018 onwards in relation to his account. What ended up happening was they released all of my information about my purchases, domains, personal information(anonymized credit card info, my actual physical address, information about my other unrelated clients domains, etc.)... going back to the start of my account.. several years worth of data prior to 2018. All clearly out of scope of the subpoena they were served.

Not only that, Namecheap never notified me of this.. in violation of their own privacy policy. They're supposed to notify their customers of the release of their information in relation to subpoenas by email or certified mail. Instead I found out much later from my previous client when he was given a copy of all of my information. And presumably his opposing parties in the crypto space were also given all of my information.

Seems kind of messed up to release all of that erroneously, without warning... especially to shady people in the crypto space.. you know, with people getting kidnapped over this stuff.

TL;DR Namecheap will drop your info, even if you paid to protect it as soon as they're given a single demand letter. And they won't stop at just giving up the info that's asked for (with 0 fight and 0 notification to you) there's a chance they'll release ALL of your account information.

>>automa+MF
Read some of my comments, they did the same to me.

>>stordo+UX
>> I'm so bloody sick of helping Google train their self driving cars. I swear I'm going to have PTSD about stop signs and store fronts for the rest of my life.

> I've started deliberately getting them wrong - probably won't make a difference, but makes me feel a little better about it

I don't even have to try anymore to get them wrong on a regular basis. Now, I think it's now more like training Google users to make the same recognition errors as its self-driving cars than training the cars to do a better job.

>>unstuc+D5
Nothing about self-hosted licensed software is unique to Gitlab, it's been a standard business model since the software industry started decades ago.

>>sandGo+uT
Back in 2014 they wanted a $10k/yr minimum.

>>unstuc+Le
Archive.org, for next time.

>>achyne+(OP)
Well, of course. Look what business Zoho is in.[1]

"Email marketing software that drives sales. Create, send, and track email campaigns that help you build a strong customer base."

They don't have 40 million users. They have 40 million targets.

Of course they don't get many complaints. If you search for "zoho opt out", you get sent to a page with a HTTP 400 error.[2]

[1] https://www.zoho.com/campaigns [2] https://help.zoho.com/portal/kb/articles/what-does-email-opt...

>>choose+p4
In case this is a serious question: federation, with servers kept running by stakeholders of whatever the email's needed for.

>>Operyl+Fl
How exactly was that story of a man owning Google.com through Google domains for a few minutes possible, then?

>>sreena+1U
I’ll add another. Why do they use the same domain for both MX records? Why not use mx.zoho.com, mx.zoho.net so that if one domain gets busted at the registry level the backup MX still works?

>>donmcr+R31
Perhaps a reliable CCTLD for the alternative, so it's not under the US government.

I noticed Amazon use a UK domain for one of the four Route 53 nameservers they specify.

>>cm2187+UB
Ditto here. And some of the worst offenders are retailers! You're trying to get someone to spend real money, and you think it's a good idea to make them screw around with 20 picture puzzles in a row before they're able to do that?!

I can only fathom these shops, both management and the webdevs, have no idea how unprofessional their site looks to anyone that isn't using a vanilla ISP connection. And my experience is coming from using a single longstanding VPS address, not even a shared VPN.

A sensible scheme would allow a certain rate of login attempts per any IP before hassling a user, but Google is obviously more interested in getting their training data than making sure you don't lose customers!

>>glenng+DA
The "Book Demo" button and "read white paper" button seem to be broken, which does not inspire much confidence. The first button just takes me to the bottom of the page while the second button does nothing.

Not sure if this is the same, but I once came across a website with a captcha where you had to rotate a dog so it stood upright, but it was lagging so bad that it would skip several frames, making it impossible to time the angle correctly. After several minutes of trying I gave up and went to a different website with an inferior service, but which did not waste my time.

>>krn+vq
hCaptcha definitely a way to go - strong product, not working with competition, etc.

>>abraha+6O
It's not just capital, becoming accredited is a major paperwork and logistical hassle, and you have to do it with every TLD you want to support.

>>Animat+d31
[2] Works fine for me.

Also, Zoho is among the most trustworthy companies list of mine. They don't do funny business with AI and targeted Ads with your data.

You try, you pay and you use the software. Traditional, no-nonsense business model. I respect both Apple & Zoho for doing this. Just because Apple has a platform to run ads (The App Store), it doesn't mean Apple is in the advertising business.

>>svembu+h3
The hell are you complaining about unreachable contacts when your own abuse@ address is dead -

    Arrival-Date: Thu, 30 Aug 2018 00:00:00 +0200 (CEST)

    Final-Recipient: rfc822; abuse@zohocorp.com
    Original-Recipient: rfc822;abuse@zohocorp.com
    Action: failed
    Status: 4.7.1
    Remote-MTA: dns; mx2.zohocorp.com
    Diagnostic-Code: smtp; 451 4.7.1 Greylisted, try again after some time

This is from our MTA after 5 (FIVE) days of trying to deliver you a spam report, with all delivery attempts originating from the same IP.

And that's without getting into why you have a filter on your abuse@ address to begin with.

>>ted0+2N
Here is the second victim with a similar story: https://news.ycombinator.com/item?id=18063667

Is the problem systematic?

>>slv77+aV
Dear Siv,

Thank you for your notification, will check on this and block those who spam using our system. However please put up an email to abuse at zoho.com so it would help us provide clue to our investigations. Reg Rajasekar Zoho Abuse Monitoring Desk.

>>icebra+wI
And yet here we are.

>>sandGo+uT
My invoices say $20/yr per .com; other TLDs are more expensive. Because we have a ton of domains we spend over $20k a year with them. I'm sure there is a minimum but I don't know what it is these days.

I would not say MarkMonitor is a tool for startups. It's a tool for organizations that would lose a lot if they lost a domain. I bet Zoho wishes they could go back in time and spend $10k to avoid this problem they had.

>>johndo+U51
Both buttons work for me on mobile. Can't be sure, but that page looks like a JavaScript heavy "single page app" type situation, so if your JS is turned off that might explain things.

Incidentally, both links just pop up a sign-up form.

>>achyne+(OP)
Its not like Zoho is known for their high availability anyways, their domain not being reachable is just par for the course.

Also since it said "suspended for abuse complaint", I would almost immediately assume the Zoho just didn't properly handle abuse claims and its their fault.

Needless to say I have a incredibly low opinion about their "service" based on having used their mail product for almost a year (switched to google afterward).

>>glenng+DA
The link redirects to some other site now.

>>toast0+6c
You can transfer a domain name to a different registrar.

>>achyne+(OP)
I feel that once you’ve passed a certain size you should move the domain to a more professional service, no matter the cost. MarkMonitor etc.

>>huhten+391
If I had to guess they're probably rejecting the message further because it likely contains the spam itself.

This is a key error in their handling of their abuse@ address, it needs to be expected to receive spam.

>>johndo+U51
The site requires you to whitelist marketo.com which is blocked on uMatrix as it's a marketing company.

>>johndo+U51

  a captcha where you had to rotate a dog so it stood upright

Ticketmaster uses one like this, with various animals.

>>amirhi+AA
Not sure why, but when I try to load your site in Safari or Chrome on iOS, the page displays for a second and then the tab crashes.

>>svembu+Vh
To me this is even worse than choosing a bad registrar once by mistake. You keep choosing companies who can't stay in business and let your domain float around like it didn't matter. The second or third buy-out of your name registration should have been an alert to switch to a top tier company for stability. On the internet, your domain name is literally the crux of your services.

Thank you for sharing your story. It should serve as a warning to others who may need to audit their infrastructure.

>>solark+E31
He didn't own the name, he found a way to change the DNS records; while being registered at MM, google.com is still pointed to Google's own DNS servers.

>>ted0+2N
Doesn't seem very strict at all:

"Upon the receipt of a valid criminal subpoena, unless the circumstances or subpoena warrant otherwise, Namecheap may promptly notify the customer whose information is sought via email or U.S. mail"

Two things seem unclear:

1) The phrase "unless the circumstances or subpoena warrant otherwise"

2) The use of "may" in "may promptly notify the customer". Why is that not "shall" or "must"?

>>lathia+gf1
But if the diagnostic code were correct and it were just a grey listing, that would be okay, wouldn't it? Just clashes with the mentioned five days.

>>belorn+wh
which registrars are these?

>>ldarby+RD
They are not treating you as second class citizen, they are saying they haven't trust you to be human yet. Which is the whole point of capcha.

You want Google to not know about you. You want to be a stranger to them. And you are complaining that they don't trust stranger, which you want to be, as much as someone they know?

>>ldarby+RD
s/Google/China

>>Someth+FS
Check out https://news.ycombinator.com/item?id=14139288

Never use namecheap for anything important.

I almost has a domain frozen with namecheap after one warning. If I missed the warning email or checked my email after 24 hours they would have completely suspended my domain. I'm talking about a site with MILLIONS of visitors per month and ten thousands of posts per day, not some small blog.

>>tomcam+KT
See my comment above.

I repeat don't use namecheap for any meaningful business, especially anything that is "enterprise"

>>edm0nd+Xi
Namecheap is just as bad, check out https://news.ycombinator.com/item?id=14139288

I almost has a domain frozen with namecheap after one warning. If I missed the warning email or checked my email after 24 hours they would have completely suspended my domain. I'm talking about a site with MILLIONS of visitors per month and ten thousands of posts per day, not some small blog.

>>ted0+qC
Namecheap is just as bad.

I run a forum site with MILLIONS of visitors and about 5,000 TB of traffic per month. Namecheap.com suddenly sent me a link warning that they will suspend my domain completely within 24 hours, if I did not delete two problem images (which were inappropriate/troublesome images but in the context of the forum posts, "a very poor attempt at humor"). I deleted the images and avoided being suspended, but the way they threatened to suspend my domain due to two images was ridiculous. If I missed the warning email or checked my email after 24 hours they would have completely suspended my domain. I'm talking about a site with MILLIONS of visitors per month and ten thousands of posts per day, not some small blog.

They may be suitable for some blog, but I can now say to NEVER use them for any enterprise site.

https://news.ycombinator.com/item?id=14139288

>>automa+MF
Read my comments too. Namecheap definitely is just as bad.

>>henryg+hj1
I don't like to give recommendations since it either mean promoting the company I work at which just feels like mixing professional and private, or promoting competitors which just feel worse. Instead I prefer giving general advice on what to look for when picking a registrar.

Having a personal contact at the registrar for example might sound unnecessary, but it means that a person at the registrar should know the company involved and the impact of the domain or domains before any serious action like suspension are made. In large and bulk like registrar this isn't the case and as such no one likely knew what Zoho.com was or how many users it would effect. It was likely just an other $10 annual fee among millions of other domains, and as such it is very easy to just suspend and forget and later try fix any issues if those are raised. Cheap and quick solution but very costly if the owner values the domain name above that of $10.

>>waffle+3y
The first aspect is that every* TLD has it own registry and system. For the generic ones you got ICANN accreditation process, but there is also a bunch of registrar reseller that act as a middle man between ICANN and other registrars.

Usually most processes involve some form of capital investment and/or technical capability. Country specific TLD can either be easier or much much harder depending on which country.

* Not really everyone.

>>achyne+(OP)
Reading through the thread, people have similar problems with namecheap, name.com.

So if you cant afford something enterprise like MarkMonitor, and you don't want something super cheap $9.99 per year. What sort of good quality middle ground choices do we have?

>>maniga+P11
I know. I used GitLab as an example because git is as ubiquitous in development as email and just as prone to centralization. Plus, the recent funding news made it the most obvious example since people are concerned.

>>zackbl+H61
Pretty sure they only need to worry about dot com.

>>solark+E31
A freak accident and lack of checks.

>>Rajase+fa1
Did you see this comment? Just passing it along in case it is helpful.

https://news.ycombinator.com/item?id=18064197

>>JohnTH+63
You seem to imply that reliable ≠ small, and that small registrars are cheaper.

In my experience, the opposite is true in both cases. Big registrars can’t afford any support costs since they prefer to squeeze the price down as far as possible, and therefore they prefer to simply lose or outright drop any customer in case of any and all problems. Conversely, small registrars may charge more, but have better (i.e. actually existing, and sometimes even dedicated and personal) support for when things go wrong, and have a vested interest in keeping you as a customer.

>>jamiew+KE
Namecoin is cool but I think there are still big issues to be fixed, like renewals/pricing to avoid one person getting all the good domain/sane names.

>>svembu+h3
btw, I just noticed that Zoho.com domain TLS certificate expires next year. Hope you have automatic checks for the timely renewal.. I have been a fan of Zoho and hope you make a comeback.

>>wp3816+EL
I was thinking the same. I hadn't even heard of Tierra until this post. Seems insane that Zoho would cheap out on a registrar.

>>fredst+Gh1
I believe that's for criminal subpoenas. For civil subpoenas they actually change #2 to "will." However in my experience they never notified me.

"Upon the receipt of a valid civil subpoena, Namecheap will promptly notify the customer whose information is sought via email or U.S. mail. If the circumstances do not amount to an emergency, Namecheap will not immediately produce the customer information sought by the subpoena and will provide the customer an opportunity to move to quash the subpoena in court. Namecheap reserves the right to charge an administration fee to the customer by charging the customer’s Namecheap account."

>>gbrayu+rL
I use name.com for all my personal domains because it's cheap and supports a lot of unusual TLDs. But I would never trust a $100M company to it. Who cares about saving ~ $100/year.

>>joesb+Fj1
If it's about using only Google's services, then yes I agree, but the point is if lots of random sites all decide to use Google for captchas.

This has already happened with tor and Cloudflare, but at least that changed for the better recently (see https://www.zdnet.com/article/cloudflare-ends-captcha-challe...). In that case it was just one CDN using captchas to discriminate against a group of users, so that one change by the CDN could fix the issue. If too many random sites are independently blocking or slowing down anyone not logged into Google, then that'll turn the web into Google's web.

>>themih+c32
Yeah you're right - Namecoin has a massive squatting problem. It costs only pennies to register a name which doesn't help.

One possible solution is a proof of work for name registrations, similar to the Onion Name System [1]. There is a short talk by Jesse Victors that explains it nicely [2].

[1] https://github.com/Jesse-V/OnioNS-HS

[2] https://youtu.be/zZzOVKPcIMg

>>Michae+pE
Thanks for your response Micheal. That's an interesting website. I'll take a look!

>>partis+IJ
Interesting--I'm trying Nord right now and while Google has been fine, Amazon blocks me regardless of what I do and I ended up having to add some static routes for Craigslist.

>>ethanw+v01
Thank you for sharing that awful story. Sorry you had to go through it. Quite disappointing to a customer of Namecheap as well.

>>Animat+d31
Hi,

The "email opt out" [2] link is fixed now.

>>huhten+391
Dear User,

Thank you for bringing this up. It was due to our greylist setting for *@zohocorp.com domain, we have now excluded the greylist for abuse addresses. Please resend your complaint to our abuse address. Regards, Zoho Account and Abuse Monitoring Desk.

>>huhten+391
Further you can report to us using https://www.zoho.com/report-abuse/

>>anumit+zm3
No, it's not. Nothing in "help.zoho.com" seems to work.

400 Bad Request in Firefox.

curl:

    curl https://help.zoho.com
    <html>
    <head><title>400 Bad Request</title></head>
    <body bgcolor="white">
    <center><h1>400 Bad Request</h1></center>
    </body>
    </html>

>>taf2+Wi
Gandi.net, located in France with strong privacy. And a good API (the new version)

>>wp3816+HO
Yep, this incident shows deeper problems. As an outsider, I now question their security team, their devops, their entire company and internal policies.

This is a huge oversight.

>>toast0+y8
I can understand if they're a cement company with a website. Zoho is in the business of email with @zoho.com emails. This is a huge oversight which makes me question their whole company and how things might be internally.

>>svembu+h3
change registrars ASAP!

Also, this is why I think DNS should be decentralized.

>>waffle+WU2
Are you a bot?