Now, this Domain Hijacking is getting funky … [Updated]

So, about 24 hours ago I noticed that my DNS servers for my Domain were pointing to some external provider instead of my own boxes. I initially thought Network Solutions (NSI) fucked something up and got really pissed as their support website refused to work, creating an error message instead of a ticket.

Further investigation now leads me to believe that someone really is trying to steal my domain — i.e. on purpose. As I had to discover earlier today, another of my domains,, was forcefully reconfigured as well, now pointing to nameservers and instead of mine. What’s more, the MX was repointed as well, now delivering *my* emails to and — as was used as the email address with NSI, this most likely is how “they” got administrative access to domain entries (NSI allows one to retrieve one’s ID and with the ID one can ask for a password reset link sent by … email).

What’s odd is that GoDaddy seems to be playing an active role here, as both and secureserver.net are registered to:

   Special Domain Services
   14455 N Hayden Rd Suite 219
   Scottsdale, Arizona 85260
   United States

According to “Special Domain Services” is a subsidiary of Go Daddy.

I’ll now send a cease and desist email to “Special Domain Services”, although I doubt it will change a thing :-(


Source: wusel’s Space (sent via email)

[Update]: On my complaint, TONIC hostmaster informed me that:

With reference to your recent enquiry, we must inform you that the registration of expired 2012-06-16. Remaining unpaid this was deleted one month later.

Checking my mailbox, it seems that I haven’t received any expiry notifications from TONIC after the renewal in 2007; most likely this summer I forgot to check on when renewing (it’s due on a similar timeframe).
Fu^WUnfortunate, but, well, 50 USD/year was quite a high price for a domain I barely used anyway (initially as secondary domain for nameservers, the last live server in that domain went out of business in 2009; actually, no real loss). Oddly enough, it took until 2012-10-27 for someone to grab it, and now points to GoDaddy IP space (, returning a forbidden/404 when accessing it.

So, no takeover there; but I still wonder if it’s a coincidence that the mail address was used in the records for (and now ends up somewhere in GoDaddy/Special Domain Services land) and that was DNS changed yesterday.
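The dependency this post runs into, a registrar contact address that lives in a domain which can itself expire, can be audited together with NS/MX drift. The following is an added example, not code from the original post; the record layout, the names `audit`, `PORTFOLIO` and `EXPIRY`, and all sample data (reserved example names, invented dates) are assumptions made for illustration.

```python
from datetime import date, timedelta

def _norm(hosts):
    # Compare hostnames case-insensitively and without the trailing root dot.
    return {h.lower().rstrip(".") for h in hosts}

def audit(domains, expiry, today, warn_days=60):
    """Return (domain, finding) tuples for a portfolio of registered domains."""
    findings = []
    for name, rec in sorted(domains.items()):
        # 1. Delegation or mail routing differs from what we configured.
        for rtype in ("ns", "mx"):
            expected = _norm(rec["expected_" + rtype])
            observed = _norm(rec["observed_" + rtype])
            if observed != expected:
                extra = ",".join(sorted(observed - expected)) or "none"
                findings.append((name, f"{rtype.upper()} drift, unexpected: {extra}"))
        # 2. The registrar contact mailbox sits in a domain that can lapse;
        #    whoever re-registers it receives the password-reset mail.
        cdom = rec["contact"].rsplit("@", 1)[-1].lower().rstrip(".")
        exp = expiry.get(cdom)
        if exp is None:
            findings.append((name, f"contact domain {cdom}: expiry not tracked"))
        elif exp < today:
            findings.append((name, f"contact domain {cdom}: EXPIRED {exp}"))
        elif exp - today <= timedelta(days=warn_days):
            findings.append((name, f"contact domain {cdom}: expires {exp}"))
    return findings

# Constructed sample data: observed values would come from DNS/WHOIS lookups.
OURS = ["ns1.example.com.", "ns2.example.com."]
PORTFOLIO = {
    "example.com": {"contact": "hostmaster@example.net",
                    "expected_ns": OURS, "observed_ns": ["ns1.parking.example."],
                    "expected_mx": ["mail.example.com."], "observed_mx": ["mx.parking.example."]},
    "example.org": {"contact": "hostmaster@example.org",
                    "expected_ns": OURS, "observed_ns": ["NS2.EXAMPLE.COM", "ns1.example.com"],
                    "expected_mx": ["mail.example.com."], "observed_mx": ["mail.example.com"]},
}
EXPIRY = {"example.com": date(2013, 3, 1), "example.net": date(2012, 6, 30),
          "example.org": date(2014, 1, 10)}

if __name__ == "__main__":
    for domain, finding in audit(PORTFOLIO, EXPIRY, today=date(2012, 11, 1)):
        print(f"{domain}: {finding}")
```

Run on a schedule, the second check would have raised a warning weeks before the contact domain lapsed, and the first would have flagged the changed NS and MX records.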

By another coincidence, according to my mailbox, NSI did send me (to the “Action Required: Notice Regarding Your Domain Name(s)” email on behalf of ICANN usually between end of October and late November — maybe that was the trigger?

At least should be safe now:

After all, Network Solutions *does* care, and I’m glad about it.