Re: Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

2023-02-12 Thread Michael Thomas
It makes you wonder why they just don't rekey and put up a different 
selector while deleting the compromised selector?


Yes, this is bad but it has a straightforward solution to the compromise 
-- unlike compromised cert signing keys, natch.


Mike

On 2/12/23 4:01 PM, Eric Kuhnke wrote:

Namecheap has updated their status page item to include

"We have stopped all the emails (that includes Auth codes delivery, 
Trusted Devices’ verification, and Password Reset emails, etc.)"



Yikes.


On Sun, Feb 12, 2023, 3:54 PM Michael Thomas  wrote:

I think that it might be appropriate to name and shame the third
party, since they should know better too. It almost has the whiff
of a scam.

Mike

On 2/12/23 3:49 PM, Eric Kuhnke wrote:

One very possible theory is that whoever runs the outbound
marketing communications and email newsletter demanded the keys
and got them, with execs overriding security experts at Namecheap
who know better.

I would sincerely hope that the people whose job titles at
Namecheap include anything related to network engineering,
network security or cryptography at that company do know better.
Large domain registrars are not supposed to make such a rookie
mistake.


On Sun, Feb 12, 2023, 3:46 PM Michael Thomas  wrote:


On 2/12/23 3:40 PM, Eric Kuhnke wrote:
> https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
>
> https://lowendtalk.com/discussion/184391/namecheap-hacked
>
> It looks like a third party service they gave their keys to has been
> compromised. I got several phishes that fully pass as legit Namecheap
> emails.
>
> https://www.namecheap.com/status-updates/archives/74848

If they actually gave them their own private keys, they clearly don't
get how that's supposed to work with DKIM. The right thing to do is
create a new selector with the third party's signing key. Private keys
should be kept... private.

Mike

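The selector handling Michael describes in this thread (give the third party its own selector, and rotate by publishing a new one and pulling the old) as an added worked example; this is not code from the thread or from Namecheap. It assumes a placeholder domain example.com, selector names esp1 and corp, and a temp file standing in for the DNS zone. Signing is RSA-SHA256 over the raw message file, a stand-in for real DKIM canonicalisation and header hashing; what the example shows is the key custody and the DNS side: the private key never leaves the signer, the verifier finds the key purely from the s= and d= tags, and revoking one selector (empty p=, per RFC 6376) leaves every other selector working. Needs openssl and base64 on the path.

```sh
#!/bin/sh
# Added example, not code from the thread or from Namecheap.
# Domain, selector names and the zone file are placeholders.
set -eu

DOMAIN="example.com"          # placeholder signing domain (DKIM d=)
ZONE=$(mktemp)                # stand-in for the authoritative zone file
KEYDIR=$(mktemp -d)           # private keys live here and nowhere else

# gen_selector SELECTOR: generate the keypair for SELECTOR and print the
# TXT record the domain owner publishes. Only the public key (p=) leaves
# $KEYDIR; a delegated sender would run this on its own side and hand
# over just the printed record.
gen_selector() {
    sel=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$KEYDIR/$sel.key" 2>/dev/null
    pub=$(openssl pkey -in "$KEYDIR/$sel.key" -pubout -outform DER 2>/dev/null \
            | base64 | tr -d '\n')
    printf '%s._domainkey.%s. IN TXT "v=DKIM1; k=rsa; p=%s"\n' "$sel" "$DOMAIN" "$pub"
}

# publish SELECTOR: put the record into the (stand-in) zone.
publish() { gen_selector "$1" >>"$ZONE"; }

# revoke SELECTOR: RFC 6376 says an empty p= means the key is revoked.
# Deleting the record works too; the empty p= is the explicit form.
revoke() {
    grep -v "^$1\._domainkey\." "$ZONE" >"$ZONE.new" || true
    printf '%s._domainkey.%s. IN TXT "v=DKIM1; k=rsa; p="\n' "$1" "$DOMAIN" >>"$ZONE.new"
    mv "$ZONE.new" "$ZONE"
}

# sign SELECTOR MSGFILE: emit a DKIM-Signature-style header with d=, s=, b=.
sign() {
    b=$(openssl dgst -sha256 -sign "$KEYDIR/$1.key" "$2" | base64 | tr -d '\n')
    printf 'DKIM-Signature: v=1; a=rsa-sha256; d=%s; s=%s; b=%s\n' "$DOMAIN" "$1" "$b"
}

# verify MSGFILE HEADER: what a receiver does. The key is located only by
# the s= and d= tags, so revocation is purely a DNS change on that name.
# Returns 0 on pass, 1 on permfail, and prints why.
verify() {
    msg=$1; hdr=$2
    d=$(printf '%s' "$hdr" | sed 's/.*; d=\([^;]*\);.*/\1/')
    s=$(printf '%s' "$hdr" | sed 's/.*; s=\([^;]*\);.*/\1/')
    rec=$(grep "^$s\._domainkey\.$d\. " "$ZONE" || true)
    if [ -z "$rec" ]; then
        echo "permfail: no key record for $s._domainkey.$d"; return 1
    fi
    p=$(printf '%s' "$rec" | sed 's/.*; p=//; s/".*//')
    if [ -z "$p" ]; then
        echo "permfail: selector $s revoked (empty p=)"; return 1
    fi
    printf '%s' "$p" | base64 -d >"$KEYDIR/$s.pub.der"
    openssl pkey -pubin -inform DER -in "$KEYDIR/$s.pub.der" \
        -out "$KEYDIR/$s.pub.pem" 2>/dev/null
    printf '%s' "$hdr" | sed 's/.*; b=//' | base64 -d >"$KEYDIR/$s.sig"
    if openssl dgst -sha256 -verify "$KEYDIR/$s.pub.pem" \
           -signature "$KEYDIR/$s.sig" "$msg" >/dev/null 2>&1; then
        echo "pass: $s._domainkey.$d"; return 0
    fi
    echo "permfail: bad signature for $s"; return 1
}

# Demo: one selector delegated to a third-party sender, one kept in house.
MSG="$KEYDIR/msg.txt"
printf 'Subject: Your auth code\n\nCode: 123456\n' >"$MSG"   # constructed message
publish esp1                          # selector handed to the third party
publish corp                          # selector for first-party mail
H1=$(sign esp1 "$MSG")
verify "$MSG" "$H1"                   # pass: esp1._domainkey.example.com
revoke esp1                           # third party compromised: pull only its key
verify "$MSG" "$H1" || true           # permfail: selector esp1 revoked (empty p=)
verify "$MSG" "$(sign corp "$MSG")"   # first-party mail still passes
```

One caveat a real rotation adds on top of this: receivers resolve the selector record at verification time, so the old p= stays valid for stragglers until the record's TTL runs out, and mail signed with the new selector only verifies once the new record has propagated.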

Re: Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

2023-02-12 Thread Eric Kuhnke
Namecheap has updated their status page item to include

"We have stopped all the emails (that includes Auth codes delivery, Trusted
Devices’ verification, and Password Reset emails, etc.)"


Yikes.


On Sun, Feb 12, 2023, 3:54 PM Michael Thomas  wrote:

> I think that it might be appropriate to name and shame the third party,
> since they should know better too. It almost has the whiff of a scam.
>
> Mike
> On 2/12/23 3:49 PM, Eric Kuhnke wrote:
>
> One very possible theory is that whoever runs the outbound marketing
> communications and email newsletter demanded the keys and got them, with
> execs overriding security experts at Namecheap who know better.
>
> I would sincerely hope that the people whose job titles at Namecheap
> include anything related to network engineering, network security or
> cryptography at that company do know better. Large domain registrars are
> not supposed to make such a rookie mistake.
>
>
> On Sun, Feb 12, 2023, 3:46 PM Michael Thomas  wrote:
>
>>
>> On 2/12/23 3:40 PM, Eric Kuhnke wrote:
>> >
>> https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
>> >
>> >
>> > https://lowendtalk.com/discussion/184391/namecheap-hacked
>> >
>> > It looks like a third party service they gave their keys to has been
>> > compromised. I got several phishes that fully pass as legit Namecheap
>> > emails.
>> >
>> > https://www.namecheap.com/status-updates/archives/74848
>> >
>> >
>> If they actually gave them their own private keys, they clearly don't
>> get how that's supposed to work with DKIM. The right thing to do is
>> create a new selector with the third party's signing key. Private keys
>> should be kept... private.
>>
>> Mike
>>
>>


Re: Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

2023-02-12 Thread Michael Thomas
I think that it might be appropriate to name and shame the third party, 
since they should know better too. It almost has the whiff of a scam.


Mike

On 2/12/23 3:49 PM, Eric Kuhnke wrote:
One very possible theory is that whoever runs the outbound marketing 
communications and email newsletter demanded the keys and got them, 
with execs overriding security experts at Namecheap who know better.


I would sincerely hope that the people whose job titles at Namecheap 
include anything related to network engineering, network security or 
cryptography at that company do know better. Large domain registrars 
are not supposed to make such a rookie mistake.



On Sun, Feb 12, 2023, 3:46 PM Michael Thomas  wrote:


On 2/12/23 3:40 PM, Eric Kuhnke wrote:
> https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
>
> https://lowendtalk.com/discussion/184391/namecheap-hacked
>
> It looks like a third party service they gave their keys to has been
> compromised. I got several phishes that fully pass as legit Namecheap
> emails.
>
> https://www.namecheap.com/status-updates/archives/74848

If they actually gave them their own private keys, they clearly don't
get how that's supposed to work with DKIM. The right thing to do is
create a new selector with the third party's signing key. Private keys
should be kept... private.

Mike


Re: Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

2023-02-12 Thread Eric Kuhnke
One very possible theory is that whoever runs the outbound marketing
communications and email newsletter demanded the keys and got them, with
execs overriding security experts at Namecheap who know better.

I would sincerely hope that the people whose job titles at Namecheap
include anything related to network engineering, network security or
cryptography at that company do know better. Large domain registrars are
not supposed to make such a rookie mistake.


On Sun, Feb 12, 2023, 3:46 PM Michael Thomas  wrote:

>
> On 2/12/23 3:40 PM, Eric Kuhnke wrote:
> >
> https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
> >
> >
> > https://lowendtalk.com/discussion/184391/namecheap-hacked
> >
> > It looks like a third party service they gave their keys to has been
> > compromised. I got several phishes that fully pass as legit Namecheap
> > emails.
> >
> > https://www.namecheap.com/status-updates/archives/74848
> >
> >
> If they actually gave them their own private keys, they clearly don't
> get how that's supposed to work with DKIM. The right thing to do is
> create a new selector with the third party's signing key. Private keys
> should be kept... private.
>
> Mike
>
>


Re: Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

2023-02-12 Thread Michael Thomas



On 2/12/23 3:40 PM, Eric Kuhnke wrote:
https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257 



https://lowendtalk.com/discussion/184391/namecheap-hacked

It looks like a third party service they gave their keys to has been 
compromised. I got several phishes that fully pass as legit Namecheap 
emails.


https://www.namecheap.com/status-updates/archives/74848


If they actually gave them their own private keys, they clearly don't 
get how that's supposed to work with DKIM. The right thing to do is 
create a new selector with the third party's signing key. Private keys 
should be kept... private.


Mike



Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

2023-02-12 Thread Eric Kuhnke
https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257

https://lowendtalk.com/discussion/184391/namecheap-hacked

It looks like a third party service they gave their keys to has been
compromised. I got several phishes that fully pass as legit Namecheap
emails.

https://www.namecheap.com/status-updates/archives/74848


Re: intuit DNS

2023-02-12 Thread J. Hellenthal via NANOG
Ruhroh someone took the ai out again

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Feb 12, 2023, at 02:01, Saku Ytti  wrote:
> 
> dig NS intuit.com|grep ^intuit|ruby -nae 'puts $F[-1]'|while read dns;do
> echo $dns:;dig smartlinks.intuit.com @$dns|grep CNAME
> done
> a7-66.akam.net.:
> smartlinks.intuit.com. 30 IN CNAME cegnotificationsvc.intuit.com.
> a11-64.akam.net.:
> smartlinks.intuit.com. 30 IN CNAME cegnotificationsvc.intuit.com.
> a24-67.akam.net.:
> smartlinks.intuit.com. 30 IN CNAME cegnotificationsvc.intuit.com.
> a1-182.akam.net.:
> smartlinks.intuit.com. 30 IN CNAME cegnotificationsvc.intuit.com.
> a6-66.akam.net.:
> smartlinks.intuit.com. 30 IN CNAME cegnotificationsvc.intuit.com.
> a18-64.akam.net.:
> smartlinks.intuit.com. 30 IN CNAME cegnotificationsvc.intuit.com.
> dns1.p01.nsone.net.:
> dns2.p01.nsone.net.:
> dns3.p01.nsone.net.:
> dns4.p01.nsone.net.:
> 
> 
>> On Sat, 11 Feb 2023 at 23:01, Daniel Sterling  
>> wrote:
>> 
>> Someone at Intuit please look into why your DNS for this A record
>> hasn't been consistently resolving, this has been going on for several
>> days if not weeks
>> 
>> https://dnschecker.org/#A/smartlinks.intuit.com
>> 
>> -- Dan
> 
> 
> 
> -- 
>  ++ytti
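Saku's loop above asks every NS of intuit.com for the name and leaves the reader to spot that the akam.net servers return the CNAME while the nsone.net servers return nothing. As an added example (not code from the thread), this generalises that loop: answers_for collects one "<server> <answer>" line per authoritative server, and report tallies the answers and names the servers behind each one. answers_for needs network access and is not exercised here; report is pure and is fed constructed lines built from the output quoted above. The names smartlinks.intuit.com and intuit.com come from the thread; everything else is assumption.

```sh
#!/bin/sh
# Added example, not code from the thread. Requires dig for the live part.
set -eu

# answers_for NAME DOMAIN: for every NS of DOMAIN, ask it (non-recursively,
# it is supposed to be authoritative) for NAME and print "<server> <answer>",
# with "-" when the server returned no answer or did not respond.
answers_for() {
    name=$1; domain=$2
    dig +short NS "$domain" | while read -r ns; do
        ans=$(dig +short +norecurse "$name" "@$ns" 2>/dev/null | tr '\n' ' ' | sed 's/ $//' || true)
        printf '%s %s\n' "$ns" "${ans:--}"
    done
}

# report: read "<server> <answer>" lines on stdin. Prints "consistent" and
# exits 0 when every server gave the same answer; otherwise prints each
# distinct answer with its count and the servers that gave it, and exits 1.
report() {
    awk '
    {
        srv = $1; $1 = ""; sub(/^ /, ""); ans = $0
        if (!(ans in count)) distinct++
        count[ans]++; who[ans] = who[ans] " " srv; n++
    }
    END {
        if (n == 0) { print "no answers"; exit 1 }
        if (distinct == 1) { print "consistent: " n " servers agree"; exit 0 }
        for (a in count)
            printf "%d/%d servers answer %s:%s\n", count[a], n, a, who[a]
        exit 1
    }'
}

# Live use (network): answers_for smartlinks.intuit.com intuit.com | report
```

A "-" line lumps "no such record" together with "server did not answer", which is enough to flag the split seen above but not to say which of the two it is; the raw dig output (status and AUTHORITY section) is where to look next.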