The Danger Of Expired Domains

When thinking about domain name security I have always tended to think about ensuring that a domain name is not stolen. On reflection this really is not our only concern. Yahoo have recently announced that they are opening up email accounts that are no longer used (wired article). As you can imagine this has caused a bit of furore about the potential of emails these accounts may still be receiving.

So how does this relate to domain names?

There is a fairly simple explanation. The majority of domain names are registered either for business purposes or as vanity domains. Under such circumstances we like to create an email address on our nice new shiny domain name. As part of our normal business we tend to use such emails for signing up for other services (banks, forums, social media services etc). How many of us actually remember which email address that we use for such services?

When we finally come to allow the domain name to expire we do not tend to think about this and may not find out until we need to do a password reset.

So how can this be exploited? This is an extremely trivial task for anyone to exploit. All that need be done is to register the desired domain name and use create a catch all email address. A catch all email address will receive any emails that are for a specific domain name. The new owner of the domain name is now able to receive emails for the domain and does not have to know which specific email was used to sign up or register for services. When email are seen for service they can use the normal forgot password feature for the service.

So how can you protect yourself from such an issue? This is quite tough. You can obviously ensure that you do not let certain domains expire and ensure that you only ever use emails for thee domains to register for services. The alternative is to keep track of which domain email has been used as a contact or to register for the service. If you plan on allowing the domain to expire ensure that anything you have signed up for are aware that the email is no longer used.

Tell us your thoughts