Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

Eric Kuhnke eric.kuhnke at gmail.com
Sun Feb 12 23:49:28 UTC 2023


One very possible theory is that whoever runs the outbound marketing
communications and email newsletter demanded the keys and got them, with
execs overriding security experts at Namecheap who know better.

I would sincerely hope that the people whose job titles at Namecheap
include anything related to network engineering, network security or
cryptography at that company do know better. Large domain registrars are
not supposed to make such a rookie mistake.


On Sun, Feb 12, 2023, 3:46 PM Michael Thomas <mike at mtcc.com> wrote:

>
> On 2/12/23 3:40 PM, Eric Kuhnke wrote:
> >
> > https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
> >
> >
> > https://lowendtalk.com/discussion/184391/namecheap-hacked
> >
> > It looks like a third party service they gave their keys to has been
> > compromised. I got several phishes that fully pass as legit Namecheap
> > emails.
> >
> > https://www.namecheap.com/status-updates/archives/74848
> >
> >
> If they actually gave them their own private keys, they clearly don't
> get how that's supposed to work with DKIM. The right thing to do is
> create a new selector with the third party's signing key. Private keys
> should be kept... private.
>
> Mike
>
>
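
Added example, not part of the thread and not Namecheap's actual configuration: a sketch of why per-party selectors matter. It reads the d= and s= tags of each DKIM-Signature header to show which published key signed a message, and which mail is affected when one selector is revoked. The domain example.com, the selectors corp and esp1, the inventory and the sample messages are all constructed assumptions; no signature is verified here.

```python
import re
from email import message_from_string

# Constructed inventory (assumption): one DKIM selector per signing party.
SELECTOR_OWNERS = {
    ("example.com", "corp"): "in-house mail servers",
    ("example.com", "esp1"): "third-party newsletter service",
}

def parse_dkim_tags(value):
    """Split a DKIM-Signature value (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def signing_keys(raw_message):
    """Return (DNS name of the public key, owner) per DKIM-Signature header."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(value)
        domain, selector = tags.get("d", "").lower(), tags.get("s", "").lower()
        owner = SELECTOR_OWNERS.get((domain, selector), "unknown selector")
        found.append((f"{selector}._domainkey.{domain}", owner))
    return found

def signed_with(messages, dns_name):
    """Names of messages carrying a signature made with the key at dns_name.
    Only these are affected when that key is revoked, which is done by
    publishing its TXT record with an empty p= tag."""
    return [name for name, raw in messages.items()
            if any(key == dns_name for key, _ in signing_keys(raw))]

def sample(selector):
    # Constructed message; bh= and b= are placeholders, not real signatures.
    return ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com;\n"
            f"\ts={selector}; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
            "From: sender@example.com\nSubject: constructed sample\n\nbody\n")

MESSAGES = {"invoice": sample("corp"), "newsletter": sample("esp1")}

if __name__ == "__main__":
    for name, raw in MESSAGES.items():
        print(name, signing_keys(raw))
    print(signed_with(MESSAGES, "esp1._domainkey.example.com"))
```

With a shared key there is a single selector, so the last call would return every message and revocation would break in-house mail as well.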