[NamecheapCEO]

To be clear, the issue was with a 3rd party provider that we use to send our newsletter. None of our own systems or customer accounts where breached. I sent a follow up email to all users that were affected. The domains linked in the original phishing emails were also disabled. I apologize for this issue and to anyone it may have affected. We have also taken immediate steps to insure it will not happen again.

[clarifyitto]

So… What happened? Did you get your keys stolen out of a CI or something? It just seems suspicious that you’d be the only business affected by this 3rd party provider.

[btgeekboy]

If I have a business and I use a company like sendgrid, I have credentials to use that service. If some employee has access to that account (such as to send newsletters), and that employee’s credentials were lost or stolen, that doesn’t seems suspicious at all.

I don’t have any inside info here, but it makes sense. And as a namecheap customer, I see no reason to panic at this time.

[citrin_ru]

Employees should use 2FA for their accounts and Sendgrid seems to offer this; for password stored in sending applications one can use combination of password and IP ACLs but I don't know if SendGrid allows to set IP ACLs for senders. While 2FA is not a panacea it significantly reduces rick.

One can send newsletters using a subdomain like news.acmecorp.com and have Sendgrid's IPs in SPF record only for this subdomain and not for the main domains (though most recipient would not notice change from say @acmecorp.com to @news.acmecorp.com).

[OJFord]

You wouldn't claim 'the issue was with a 3rd party provider' though.

[jcrawfordor]

I don't think this is unique to NameCheap, I've gotten both metamask and DHL emails from other lists I'm on, I assume from the same threat actor. I would assume that they're opportunistically using whatever mailing list they can gain access to.

[morganbird]

They're actually pretty common, just like there are tons of metamask phishers on twitter. Those are just popular vectors because they're fairly broadly effective. Preventing spam and phishing like this is unfortunately a pretty big part of the job for anyone in the business of sending email. (source: engineering manager at a marketing platform)

[cft]

This ridiculous registrar threatened to lock our domain and destroy our business within 24 hours for a defective DMCA notice that addressed one if our 40 million user profile subdomains. Our legal counsel advised to temporarily comply instead of arguing (although he did send them a nasty letter) to move over to a normal registrar from this cheap one, that i got when i was bootstrapping with no money because it was several dollars cheaper. It's not a business of a domain registrar (unlike a web host) to enforce DMCA notices.

[scrollaway]

So you found out how DMCA works and how much it sucks the hard way, eh?

You’re right it shouldn’t be the business of a domain registrar. But every provider in the chain that the copyright holders can reach to will end up responsible. You, the registrar, web host, ISP, everything.

Send your complaints to the US government and the copyright lobby. It’s a bullshit law. Namecheap complies with it because if they don’t, THEY get cut off by their own providers, and so on up the chain until the fines roll in.

[highclass]

My experience with namecheap is similar very bad too. They also sent me an email saying if you don't respond in a short time(24 hours) your domain will be revoked. Related experience: https://news.ycombinator.com/item?id=14139288 I moved my domains from namecheap to gandi.net and so far no problems. I would avoid namecheap like the plague for any large site. Of note, I had millions of unique vistors per month on that domain for a normal legal site.

ycombinator uses gandi.net too.

and even if they obey us and internation laws, threating to revoke a domain within 24 hours if no reply regarding an external complaint, with just an email warning is ridiculous and not how other reputable domain registrars work.

[megous]

Why should it matter how many visitors you have? People with 3 visitors pay the same and can be also badly affected if the domain is yanked at a wrong time. Especially nasty if you run email on the yanked domain.

[highclass]

I agree with that. I was just emphasizing the livelihood of multiple people and a whole business depended on answering a email from namecheap within 24 hours due to an complaint they received.

[beeboop]

Abusive DMCA takedowns are unfortunately extremely easy, very time consuming to report, and seemingly very rarely have any action taken against the person who falsely claimed. Not excusing Namecheap here, what they did was totally shit.

Heroku did the same thing to me for same reason - completely shut down my entire account with several revenue generating websites with zero notice.

[NamecheapCEO]

This is our standard notification, word for word:

Untitled Note Hello XXXXX,

We are contacting you from the Namecheap Legal and Abuse department regarding your “XXXXX” Namecheap account.

We are in receipt of a copyright infringement notice pursuant to 17 U.S.C. §512 of the Copyright Act, requesting that we disable allegedly infringing material that appears on a domain hosted in your account (“Domain”):

xLINKSx

As a hosting service provider, Namecheap complies with the Digital Millennium Copyright Act (“DMCA”). We would like to help you avoid any service interruption. Please review the DMCA notice that we have included in this communication.

If you do not have the authorization to host the alleged disputed content, and if you are not authorized to use the disputed content, you will need to remove the content within 72 hours, or we may be required to suspend your hosting account under DMCA guidelines.

In order for us to consider a case resolved, the reported link(s) is to show the '404 Not Found' error/suspended page or redirect to the main page of the website.

If you believe that the identification of this infringing content is in error, we suggest that you contact the reporting copyright owner to resolve the matter. If the reporting copyright owner agrees there is a mistake, ask them to email Namecheap at dmca@namecheap.com.

If you are not able to come to an agreement with the reporting copyright owner or if you disagree with the copyright claim, you may submit a DMCA Counter-Notice to Namecheap within ten (10) business days of the date of this email. The Counter-Notice must comply with the requirements of the DMCA and must contain the following points:

1. Your contact information, including name, address, and telephone number, as well as facsimile number and email, if available;

2. A statement that, under penalty of perjury, you have a good faith belief that the material was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled;

3. Identification of the material that has been removed or to which access has been disabled, and the location at which the material had appeared before it was removed or access was disabled;

4. A statement that you consent to the jurisdiction of the United States District Court in which the address you provide is located, or if your address is outside the United States, for the judicial district of California;

5. A statement that you will accept service of process from the person who provided the initial notice or an agent of that person;

6. A physical or electronic signature by you or your agent.

The DMCA Counter-Notice should be sent either via this ticket by replying to our notice or to Namecheap.com Attn: Legal Department, 4600 East Washington Street, Suite 305, Phoenix, AZ 85034, USA, Facsimile:

Once a valid DMCA Counter-Notice has been submitted, Namecheap would provide a copy of the Counter-Notice to the reporting copyright owner. In addition, the DMCA requires that you remove the disputed content for at least ten (10) and not more than fourteen (14) days from when the Counter-Notice was served. Thus, Namecheap will advise the complaining party that the listing will be reinstated within ten (10) days and will remain so unless we hear from the reporting copyright owner that he or she has filed an action against you under the DMCA in a court of competent jurisdiction for copyright infringement and is seeking a court order to restrain you from publishing the disputed content.

By submitting your Counter-Notice to Namecheap, you agree to waive, and hereby do waive any legal or equitable rights or remedies you have or may have against Namecheap with respect to any Counter-Notice you send, or claims regarding any aspect of the disputed content and its publication and/or Namecheap's action in implementing a takedown or re-establishing the content, and you agree to indemnify and hold Namecheap, and its owners/operators, affiliates and/or licensors, harmless to the fullest extent allowed by law regarding all matters relating to your sending of a Counter-Notice.

If you feel you received this notification in error, please contact us at with more information as to why. We do apologize for any inconvenience this may cause you.

====================================

Edit

[cft]

This proliferates the same confusion that your company has. The note you quoted is about hosting accounts ("hosting service provider"). We did not host anything with you, we only registered a domain. This notice does not apply. When i get to my laptop i will dig out the original notice from you and the response from our counsel.

[FrontierPsych]

huh...My domain is with you.

I didn't even know this was a thing.

I easily could not look at my emails for a few weeks - on vacation or whatever.

Wow that sucks.

[ankit219]

I had clicked on the DHL one link. It took me to a site which looked like DHL, and in the next step, chrome refused to load the website. Is there any impact on folks on clicked on the links? I never entered any info as such, so not sure, but looking for more information on whether I should be concerned.

[notahacker]

I assume it was a phishing site where the threat came if you actually provided them with details

(I didn't receive the DHL one, but did test the Metamask link in a safe browser environment. It was just a phishing site to try to get people's crypto credentials)

[morganbird]

It's just phishing. You're not at risk if you didn't give them your credit card info or anything like that.

[joshka]

I never received an email, but just today received spam on an email address only used with namecheap. You might want to check your logic for what was impacted.

[zeitgeist1]

why is a company like namecheap not servicing their own email servers? what a cop out. I've also read about you not wanting to update 2FA systems... another cop out

I wonder how many people got caught and ruined by this scam, what if you are behind it? you don't deserve to be in business.

[Krisjohn]

What about the open redirect?

[walrus01]

Can you please clarify how exactly the decision making process occurred to give a 3rd party email provider a copy of your private DKIM signing key for the domain "namecheap.com" ?

The emails could not have gone out with DKIM-signature and successfully validated by openDKIM at my receiving MX/SMTPD against the public half of the key in your DNS TXT record for your DKIM key, unless you had given them access to the private key.

Did the persons who are responsible for creating and maintaining your DKIM public/private key pair and its selectors directly give the key to some third party (sendgrid, mailchimp, whatever) type email newsletter services, or were they ordered to do so by somebody else in Namecheap management?

Or, did the persons responsible for your authoritative DNS zone for namecheap.com insert an additional DNS TXT record for the DKIM key used by a 3rd party service?

[oneplane]

While I don't know the details of the third party at name cheap, it's pretty common to have a bunch of third parties with their own DKIM keys and just trusting and including their public keys on your DNS zone. Nobody sends all their own mail, your service desk, support software, ticketing system, alerting system, collaboration provider all have DKIM keys and SPF records you're adding to your zone and they just control the keys for their own input.

This means that if they get pwned, it's their ability to send mail on your behalf that gets abused, not some key stealing and DKIM impersonation (and why would they bother if a perfectly fine emailing system is already open and ready to spam the crap out of everyone).

[28mm]

I received one of the phishing messages as well as the follow up / apology. An interesting wrinkle is that both were handled by sendgrid and used the same dkim selector. I would guess that a set of sendgrid api credentials shared with some 3rd party service was compromised.

[oneplane]

I've seen it even worse:

  - One of our domains had a DKIM trust with Mailgun (3rd party)
  - Mailgun was integrated with a planning service (4th party?)
  - Planning service was integrated with a CRM (5th party?)
  - CRM was integrated with a website (6th party?)

Website got pwned, spam ensues using the entire chain all the way back to our domain. This was a while ago but I think the website was pwned, leaked API credentials for the CRM, those were locked to only read the address book for sources (not even destinations! but '*' was allowed...) but because the software was crap the planning/calendaring service was registered as a 'source', which included API creds. The planning service itself was pretty good, no further grab-keys-via-API, but using what was already allowed you could send raw MIME messages and it would just use the Mailgun API it had access to.

Luckily for me, I was on a prometheus spree and had an exporter grab the Mailgun metrics every few minutes (Ironically to support the CRM team because they didn't have any good metrics of their own and did like to blame everyone else), so while it was configured to look for dips, it also triggered on spikes because those tend to end with dips too.

I think in the end nobody learned from it because every team/vendor covered their ass with "well we only run it in datacenters with firewalls so this is the cloud at fault" and I don't think anyone got flak for it (but some definitely deserved a fair bit).