Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes
Michael Thomas
mike at mtcc.com
Sun Feb 12 23:54:50 UTC 2023
I think that it might be appropriate to name and shame the third party,
since they should know better too. It almost has the whiff of a scam.
Mike
On 2/12/23 3:49 PM, Eric Kuhnke wrote:
> One very possible theory is that whoever runs the outbound marketing
> communications and email newsletter demanded the keys and got them,
> with execs overriding security experts at Namecheap who know better.
>
> I would sincerely hope that the people whose job titles at Namecheap
> include anything related to network engineering, network security or
> cryptography at that company do know better. Large domain registrars
> are not supposed to make such a rookie mistake.
>
>
> On Sun, Feb 12, 2023, 3:46 PM Michael Thomas <mike at mtcc.com> wrote:
>
>
> On 2/12/23 3:40 PM, Eric Kuhnke wrote:
> >
> > https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
> >
> > https://lowendtalk.com/discussion/184391/namecheap-hacked
> >
> > It looks like a third party service they gave their keys to has been
> > compromised. I got several phishes that fully pass as legit Namecheap
> > emails.
> >
> > https://www.namecheap.com/status-updates/archives/74848
> >
>
> If they actually gave them their own private keys, they clearly don't
> get how that's supposed to work with DKIM. The right thing to do is
> create a new selector with the third party's signing key. Private keys
> should be kept... private.
>
> Mike
>
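
The per-vendor selector arrangement discussed in the thread above, as an added example that is not part of the original messages: each signer gets its own selector, so the domain owner can revoke a compromised vendor's key (an empty `p=` tag, per RFC 6376) without touching its own signing key. The domain `example.com`, the selectors `corp2023` and `vendor1`, the `ZONE` dictionary standing in for DNS, and the sample headers are all constructed assumptions.

```python
import re

# Constructed stand-in for DNS TXT lookups (placeholder domain, dummy key data).
ZONE = {
    # Domain owner's own selector; its private key never leaves the owner.
    "corp2023._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhCORP",
    # Vendor's selector: the vendor generated the key pair and holds the private
    # half. After the vendor is compromised the owner publishes an empty p=,
    # which marks the key as revoked.
    "vendor1._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}

# Constructed DKIM-Signature header values (folded as they appear on the wire).
CORP_MAIL = ("v=1; a=rsa-sha256; d=example.com; s=corp2023;\r\n"
             "\th=from:to:subject; bh=AAAA; b=BBBB")
VENDOR_MAIL = ("v=1; a=rsa-sha256; d=example.com; s=vendor1;\r\n"
               "\th=from:to:subject; bh=CCCC; b=DDDD")


def parse_tags(value):
    """Parse a DKIM tag=value list, ignoring folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.partition("=")  # base64 padding '=' stays in val
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_status(dkim_signature, zone=ZONE):
    """Return (query_name, status) for the key a DKIM-Signature points at."""
    sig = parse_tags(dkim_signature)
    qname = f"{sig['s']}._domainkey.{sig['d']}".lower()
    record = zone.get(qname)
    if record is None:
        return qname, "no-key"
    if parse_tags(record).get("p", "") == "":
        return qname, "revoked"
    return qname, "active"


if __name__ == "__main__":
    for label, header in (("corp", CORP_MAIL), ("vendor", VENDOR_MAIL)):
        print(label, *key_status(header))
```

The sketch only resolves which published key a signature depends on and whether that key is revoked; it does not verify the signature itself.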