Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

Michael Thomas mike at mtcc.com
Mon Feb 13 00:14:12 UTC 2023


It makes you wonder why they just don't rekey and put up a different 
selector while deleting the compromised selector?

Yes, this is bad but it has a straightforward solution to the compromise 
-- unlike compromised cert signing keys, natch.

Mike

On 2/12/23 4:01 PM, Eric Kuhnke wrote:
> Namecheap has updated their status page item to include
>
> "We have stopped all the emails (that includes Auth codes delivery, 
> Trusted Devices’ verification, and Password Reset emails, etc.)"
>
>
> Yikes.
>
>
> On Sun, Feb 12, 2023, 3:54 PM Michael Thomas <mike at mtcc.com> wrote:
>
>     I think that it might be appropriate to name and shame the third
>     party, since they should know better too. It almost has the whiff
>     of a scam.
>
>     Mike
>
>     On 2/12/23 3:49 PM, Eric Kuhnke wrote:
>>     One very possible theory is that whoever runs the outbound
>>     marketing communications and email newsletter demanded the keys
>>     and got them, with execs overriding security experts at Namecheap
>>     who know better.
>>
>>     I would sincerely hope that the people whose job titles at
>>     Namecheap include anything related to network engineering,
>>     network security or cryptography at that company do know better.
>>     Large domain registrars are not supposed to make such a rookie
>>     mistake.
>>
>>
>>     On Sun, Feb 12, 2023, 3:46 PM Michael Thomas <mike at mtcc.com> wrote:
>>
>>
>>         On 2/12/23 3:40 PM, Eric Kuhnke wrote:
>>         > https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
>>         >
>>         > https://lowendtalk.com/discussion/184391/namecheap-hacked
>>         >
>>         > It looks like a third party service they gave their keys to has been
>>         > compromised. I got several phishes that fully pass as legit Namecheap
>>         > emails.
>>         >
>>         > https://www.namecheap.com/status-updates/archives/74848
>>         >
>>         If they actually gave them their own private keys, they clearly don't
>>         get how that's supposed to work with DKIM. The right thing to do is
>>         create a new selector with the third party's signing key. Private keys
>>         should be kept... private.
>>
>>         Mike
>>
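The rotation the thread describes (publish the vendor's own key under a fresh selector, revoke the compromised one) comes down to two DNS TXT records. The following is an added example, not code from the thread or from Namecheap: it builds both records, and it parses a selector record the way a verifier does, distinguishing an active key from a revoked one (an empty `p=` per RFC 6376) and from a malformed record. The domain `example.com`, the selector names `old-vendor` and `vendor2023`, and the base64 key blob are all constructed placeholders.

```python
"""
DKIM selector rotation helper (added example; not part of the NANOG thread).

Assumptions (constructed for this example, not taken from the thread):
  - the compromised selector is "old-vendor" and its replacement is "vendor2023";
  - the signing domain is example.com;
  - PLACEHOLDER_PUBKEY_B64 stands in for the vendor's public key; it is not a real key.
"""
import base64
import binascii
import re
from dataclasses import dataclass

# In practice this is the base64 DER of the vendor's *own* RSA public key. The vendor
# generates the key pair on their side, so the registrar's private key is never shared.
PLACEHOLDER_PUBKEY_B64 = base64.b64encode(b"not-a-real-rsa-public-key-placeholder").decode()


def dkim_record_name(selector: str, domain: str) -> str:
    """DNS owner name that holds the DKIM public key (RFC 6376 section 3.6.2.1)."""
    return f"{selector}._domainkey.{domain}"


def new_selector_record(pubkey_b64: str) -> str:
    """TXT value publishing a signing key under a fresh selector."""
    return f"v=DKIM1; k=rsa; p={pubkey_b64}"


def revoked_selector_record() -> str:
    """An empty p= tag means 'this key is revoked' (RFC 6376 section 3.6.1).
    Verifiers treat signatures made with it as failures, which is the point
    for a compromised selector: old mail signed with it no longer passes."""
    return "v=DKIM1; p="


@dataclass
class DkimKeyStatus:
    state: str       # "active", "revoked", or "invalid"
    key_type: str    # value of k= (defaults to rsa per RFC 6376)
    testing: bool    # t=y flag: verifiers should not treat failures as failures


def parse_dkim_record(txt: str) -> DkimKeyStatus:
    """Classify a selector TXT record the way a receiving verifier would."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return DkimKeyStatus("invalid", "", False)
        key, value = part.split("=", 1)
        tags[key.strip()] = value.strip()
    # v= is optional, but if present it must be DKIM1
    if tags.get("v", "DKIM1") != "DKIM1":
        return DkimKeyStatus("invalid", "", False)
    if "p" not in tags:
        return DkimKeyStatus("invalid", "", False)
    key_type = tags.get("k", "rsa")
    testing = "y" in tags.get("t", "").split(":")
    if tags["p"] == "":
        return DkimKeyStatus("revoked", key_type, testing)
    # Whitespace inside p= is permitted; strip it before the base64 sanity check.
    p = re.sub(r"\s+", "", tags["p"])
    try:
        base64.b64decode(p, validate=True)
    except (binascii.Error, ValueError):
        return DkimKeyStatus("invalid", key_type, testing)
    return DkimKeyStatus("active", key_type, testing)


def rotation_plan(domain: str, compromised_selector: str,
                  new_selector: str, vendor_pubkey_b64: str) -> list:
    """The two DNS changes to make, as (owner name, TXT value) pairs:
    publish the new selector first, then revoke the compromised one."""
    return [
        (dkim_record_name(new_selector, domain), new_selector_record(vendor_pubkey_b64)),
        (dkim_record_name(compromised_selector, domain), revoked_selector_record()),
    ]


if __name__ == "__main__":
    for name, value in rotation_plan("example.com", "old-vendor", "vendor2023",
                                     PLACEHOLDER_PUBKEY_B64):
        print(f"{name} TXT \"{value}\"  ->  {parse_dkim_record(value).state}")
```

Publishing the new selector before revoking the old one keeps legitimate mail verifiable during the switch; the vendor only has to change the `s=` selector in its signatures, and the registrar never hands over a private key.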