NinerNet Communications™

Corporate Blog

Phishing warning for domain registrants

31 October 2015 12:38:00 +0000

We’re seeing what appears to be a concerted “phishing” effort aimed at the registrants of domains. To be honest, the first time we saw one of these emails, the allegations it contained made us angry, and we almost fell for it. This is the classic reaction that “phishers” are looking for — anger, or fear — because those emotions will cause the smartest among us to lose control, perhaps for just long enough to do something stupid.

As always, our best advice is to take a moment to calm yourself down and take a critical look at the email that you have received. It is almost certainly fake.

We have received two different versions of these emails for several domains registered to us, and the emails are likely tailored to the registrar with which you have your domain registered. Below are the emails we’ve received, with legitimate email addresses altered to prevent their being automatically harvested by yet more spammers.

Example 1

From: domainabuse _AT_
To: NinerNet Communications
Subject: Domain ADDRESSGAURD.COM Suspension Notice
Date: Mon, 26 Oct 2015 18:46:54 -0700

Dear Sir/Madam,

The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:

Registrar: TUCOWS, INC.
Registrant Name: Domain Administrator

Multiple warnings were sent by TUCOWS, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us by email at mailto:domainabuse _AT_ for additional information regarding this notification.

Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

Example 2

From: “TUCOWS, INC.” <>
To: NinerNet Communications
Subject: Domain GIVE-SPAM-THE-SLIP.COM Suspension Notice
Date: Tue, 27 Oct 2015 21:59:41 -0700

Dear Sir/Madam,

The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:

Registrar: TUCOWS, INC.
Registrant Name: Domain Administrator

Multiple warnings were sent by TUCOWS, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Spam and Abuse Department
Abuse Department Hotline: 480-570-6902

The text “Click here and download” was, in all cases, hyperlinked to websites NOT on domains associated with NinerNet or Tucows, the registrar with whom our clients’ domains are registered. You must always take a moment to view (in the status bar of your email program) the URL (address) of the website to which a link will take you, before you click the link.

While the first email was crafted so that it appeared to be sent from domainabuse _AT_ — which is a real email address — subsequent messages have arrived from is not a real domain; however, it does exist as a sub-domain of the domain which, despite how odd it looks, is an actual domain. (It is being “monetised” by its owners, who probably have nothing to do with the spammers/phishers but who have unfortunately set it up in such a way that “” appears [to both humans and automated anti-spam systems] to be a working domain.) We have configured our mail servers to block messages from the sub-domain, but if the contact email address for your domain is on a domain we don’t host (e.g.,,, etc.) then you may still receive these messages. Since is a legitimate domain, we cannot block email from it.

As always, if you have any questions about a questionable email that you have received — or one that has made you afraid or angry — please forward it to us and we’ll take a look at it to determine whether or not it is legitimate.

Update, 2015-11-01: Minor corrections, add missing sender email address, add actual domains and remove protection for bogus email address.

Update, 2015-11-03: We’re now seeing these scam emails coming from, and in this case the “” domain (and any sub-domains) is completely bogus and should be blocked by default to most of our email clients. We checked out what happens when you click the link (don’t try this at home!) and our browser was directed to download a file named “GIVESPAMTHESLIP.COM_copy_of_complaints.pdf.scr”. This is an old trick, naming a file with a “double extension” to try to trick people into opening what they think (in this case) is a PDF file, but which (in this case) is actually (on Windows machines) an executable screensaver file (“.scr”) that can carry a malicious payload. Remember, think before you click!

Warning about ongoing domain registration scam

9 October 2015 09:12:28 +0000

Hardly a week goes by that we don’t hear from a client with questions about a spam email that they have received regarding their domain registration(s). We appreciate hearing about these as it gives us the chance to reiterate with individual clients what to look out for in these emails, and to learn about new scams as they arise or determine that the old ones are still running.

One old one looks like the following:

From: Charles Zhang []
Sent: Friday, October 09, 2015 6:01 AM
Subject: yourdomain CN domain and keyword

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 8, 2015, we received an application from Huamei Holdings Ltd requested “yourdomain” as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it’s necessary to send email to you and confirm whether this company is your distributor or business partner in China?

Kind regards

Charles Zhang
General Manager
Shanghai Office (Head Office)
B06, Yujing Building, No.1 Jihe Road,
Shanghai 201107, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697

Note that “yourdomain” in the email above is the client’s actual domain, without the TLD — top-level domain, the part to the right of the dot. For example, if your domain is, the subject of this email would be “example CN domain and keyword”. Of course, the actual wording of the subjects and bodies of these scam emails can and do vary, as well as the senders.

These emails are nothing but unsolicited solicitations to register (in this case) the same domain as your existing domain in the dot-cn (China) ccTLD (country code top-level domain) — e.g., if you already own There are other variations on these attempts to scare you into registering domains you almost certainly don’t need, usually, we have noticed, in TLDs in East Asia. However, scams like this can and do originate from all over the world. Also, remember that there is no such thing as an “internet keyword”; you cannot buy such a thing, it’s just a general description of a concept.

As always, if an unsolicited email (or, for that matter, phone call, postal letter, fax, smoke signal, etc.) tries to scare you into taking some sort of action — especially if it involves getting you to spend money — it is certainly a scam. Whether it involves domains or anything else, check with a trusted and knowledgeable advisor in whatever industry is involved before you take any action. Don’t even reply to these people, and certainly don’t send them any money.

As always, if you have any questions about emails you have received regarding your domains or hosting, we’ll be happy to address them.

Delaying tactics by Network Solutions

21 January 2015 23:55:41 +0000

Businesses hate to lose customers, there’s no question of that. We hate to lose customers, there’s also no question of that. When a client tells us that they will be closing their account with us for one reason or another — it happens! — we’ll ask if there is anything we can do to keep their business. More often than not we’ll learn (often to our surprise) that the client is actually closing shop, and they’re not moving to another hosting provider — which is a bit of a relief (to us) in that we know they’re not leaving because of something we did, or something we didn’t do.

Sometimes, of course, the client is actually moving to a new hosting provider. As we’ve stated before, we do say that we’re sorry to see them go — and we mean it — and we ask if there’s anything we can do to keep their business, but if they’re committed then we back off. Importantly, we also don’t do anything to impede their progress into the sunset. In our opinion, that would be unprofessional, and we’d then deserve to lose that business. And given the number of clients that end up returning to us months or a year or two later, we’d be idiots to burn that bridge.

So it was interesting to learn today that Network Solutions (owned by has apparently (at some point) implemented a three day waiting period if you ask for the “auth code” for a domain registered through them. (The authorisation code is required to effect a domain transfer from one registrar to another.) Now, it is our assertion that every domain name owner should ask for and make a note of the auth code for their domain as soon as it’s registered, and should also change it (if permitted by the registry) after a registrar transfer. (There is a long history of domain owners being caught flat-footed in times of crisis without this information.) But most of our incoming clients have not done that, and so now this client is being held hostage by Network Solutions for three days, waiting for the information — information they already own — that they need to effect the transfer they want to make. Network Solutions give the following reason, after a couple of screens of FUD-generating warnings of imminent Armageddon that are clearly designed to scare the domain owner into not obtaining the information to which they are entitled:

Your request for an Auth Code has been received and your information will be validated to ensure the security of your account. If your request is approved, you will receive your Auth Code by email in 3 days.

To cancel this request, please call one of our Customer Service Representatives at 1-800-779-4903.

Thank you.

Now, it’s all well and good that Network Solutions claims (or hides behind) the excuse of “[ensuring] the security of your account” (which is not surprising, considering they were responsible for one of the biggest screw ups in domain history when they allowed the fraudulent registrant transfer of a domain registered with them back when they held the monopoly on gTLD registrations), but this is clearly a delaying tactic to give the customer time to lose the will to transfer because now it’s just too much of a problem, too much effort, too complicated, too time-consuming … or whatever negative feeling develops in the mind of the domain owner as he or she spends three days mulling over (and perhaps having nightmares about) the things they read in the two screens of dire warnings before finally screwing up the courage to click the “yes, I really do want my auth code” button.

Shame on you, Network Solutions, for impeding the progress of this customer who has decided — as they’re free to do — to move their business to a competitor. But this is not surprising of a company that has a longer list of “controversies” listed in their Wikipedia article than most companies, along with those of their former parent company Verisign. They both also appear prominently in the “Domain name scams” article, as well as here on our own blog.

Domain renewal scam warning

22 March 2012 12:25:40 +0000

We have had a new domain renewal scam brought to our attention. The example we have seen includes the following wording (changed to preserve our client’s privacy):

Domain Name: EXAMPLE.COM

To: Client Name

Your order #12345678 has been received and is currently processing. Registration includes SE submission for EXAMPLE.COM for 12 months. There is no obligation to pay for this order unless you complete your payment by Mar 25, 2012. SE Services provides submission services and search engine ranking organization for domain owners.

Failure to complete your search engine registration by Mar 25, 2012 may result in the cancellation of this order (making it difficult for your customers to locate you using search engines on the web).

Here is a redacted image of what the email might look like:

Domain renewal scam email.

Domain renewal scam email.

Clicking on the links takes you to a website that looks like this:

Domain renewal scam website.

Domain renewal scam website.

While this email carefully avoids any mention of the expiry or renewal of your domain registration, the intent is clearly to fool and scare the recipient into thinking that their domain registration is about to expire so that they click one of the prominent “PROCESS SECURE PAYMENT” links and complete the payment process. If you do this, your domain will not be renewed, and you’ll be out $75 (in this case) for services of dubious value that you may or may not actually receive. Additionally, you might be opening yourself up to identity theft and/or the abuse of your credit card information.

In fact, if you have already fallen victim to this scam, we suggest that you contact your credit card company immediately, and check to ensure that your domain is “locked” and still registered to you and under your control.

Some of the domains associated with these emails and websites are the following:


NinerNet attempts to protect our clients from these kinds of domain-related scams by having a policy of “locking” (as mentioned above) all domains under our management that can be locked. However, you should still be cautious before acting on any emails not from NinerNet (or your actual domain registrar if it’s not NinerNet) regarding any domains you have registered, especially if they attempt to scare you into taking action.

Please contact NinerNet support if you have any questions about emails regarding your domains, and we will help you.


SEO scam warning

25 January 2011 10:23:54 +0000

We have had a new (to us) scam brought to our attention by a vigilant client. The scam arrives by email in the form of an “invoice” for “search engine registration” for a domain that you are a contact for, and will be sent to the email address of one or all of the registered contacts for the domain. At this time we have seen only one email and so we only have one example to go by, but it’s quite normal for the text and presentation of such emails to change slightly. You may even receive such so-called invoices, notifications, notices, courtesy reminders, etc. via postal mail as well or instead. Sometimes, despite the overall presentation that clearly makes the solicitation look just like an invoice (complete with an invoice number), they include (as in this case) the sentence, “This notice is not an invoice” (or something similar), just to stay barely on the right side of the law.

The fact is, there is no such thing as “search engine registration”. Many years ago (in Internet time) there was such a thing, but nowadays search engines will find and index your site within a matter of hours, as long as it’s public and linked to from at least one public page on the Web, or if it’s on a newly-registered domain. There are, of course, nuances to improving where your website ranks in the search engines, but the basic fact is you do not need to pay anyone for “search engine registration”.

Please remember to check, or have accounting staff check, such “invoices” very carefully before paying them. If you ever have any concerns about what appears to be a confusing, unusual, unexpected or otherwise questionable invoice related to your domains or hosting, please contact NinerNet support and we will be pleased to help you out.

Phoney legal notice alert!

15 October 2010 05:19:54 +0000

“Domain Support Group” and “VeriSign”

6 June 2002 (original posting date on NinerNet website)

On Tuesday and Wednesday mornings we received faxes from a company calling itself “Domain Support Group”, located in New York, USA. These faxes are designed to look like legal notices, with much quoting of legal tracts and the dropping of legal phrases often quoted in the news these days such as “intellectual property”, “bad faith”, “dilution of trademark”, “Uniform Domain-Name Dispute-Resolution Policy”, “complainant”, “false descriptions”, “in accordance with the United States legal code”, etc. They also contain an official-looking account number and the warning; “You are required to advise the notification processor of your intent to license this domain on or before the expiration of this notice.”

These notices are designed to scare you into registering a dot-us domain (at an unspecified price) that may be similar to a domain that you already own. We called these people in response to the faxes we received but, once they realised we were onto their game, they were not very forthcoming with information. Through other sources we have determined that they are trying to charge several hundred dollars for a domain (which makes sense considering the legalese in the notice), something you can buy from most domain registrars (including NinerNet) for about $25.

The first notice you may receive is titled “URGENT NOTICE OF DOMAIN EXTENSION”, and it gives you 24 hours to respond. The notice you will receive 24 hours later is titled “FINAL NOTICE”. Both notices are addressed to the attention of the “Business owner or manager”.

Please ignore both of these notices. If you do receive a notice from these people and you feel so inclined, you might consider reporting this to the Federal Trade Commission (FTC) in the United States and/or your local authorities if you are not located in the US.

It has also come to our attention that the same company even cold calls domain owners, trying to get them to renew, register or transfer domains (in TLDs other than dot-us as well) — all you have to do is give them your credit card number!

This is yet another example of the sleazy practices that are being used to try and get people to register or transfer domains without full disclosure of the possible consequences. In January we warned you about the so-called Domain Registry of Canada — today we received yet another of their phony invoices. (You can refresh your memory about that scam on our site.)

Yet another example was stopped by the American courts recently, this one perpetrated by the company that wants you to trust them — VeriSign (formerly trading in the domain business as Network Solutions), whose slogan is “The Value of Trust”. They sent out some intimidating notices, even to their own existing clients, threatening them with dire consequences if they did not renew with or transfer their domain to VeriSign.

If you receive any notice via e-mail, fax or postal mail (or even smoke signal for that matter), no matter how official or legal it looks, please take a moment to review it to see if it is legitimate. If you have any doubt, we would be more than happy to look at it for you. In the confusing world of the competitive domain-registration business, it can be very easy to forget who you chose to handle the registration of your domain last year (or beyond). These companies are counting on you to forget.

To read this notice on our site and see copies of notices received from both VeriSign and the “Domain Support Group”, please see As usual, thanks very much for your time.

Scanned images of “Domain Support Group” and VeriSign notices:

Phoney invoice alert!

14 October 2010 20:00:52 +0000

“Domain Registry of Canada” and “Internet Registry of Canada”

5 January 2002 (original posting date on NinerNet website)

Once again we find it necessary to issue a warning about realistic-looking “invoices” for domain renewals. We brought this up in July last year, and the same company is attempting the same thing under a different name. What was called the “Internet Registry of Canada” is now attempting to scare you into renewing your domains with them under the name of “Domain Registry of Canada” (noted on the “invoice” as “a registered business style of 1446513 Ontario Limited”).

When we brought this to your attention last year, one of the three major complaints levelled by the likes of the Royal Canadian Mounted Police and the Canadian government’s Competition Bureau was that the “invoices” looked too much like they were issued by a Canadian government department. The new “invoices” are almost identical, although the Canadian flag has been replaced with a bigger maple leaf. (See the end of this message for links to bulletins issued by the RCMP and the Competition Bureau, a link to scans of an “invoice”, and a textual description of the “invoice”.)

The second major complaint was, as implied above, that these solicitations looked too much like an official invoice from an existing supplier, and that an unsuspecting employee or even business owner might pay the “invoice” resulting in unintended consequences (including your Web site and e-mail going down). This has not changed — the solicitations still look like invoices.

Third was the strong language used, implying that you were in imminent jeopardy of losing your domain if you did not act immediately and send payment to the soliciting company. Again, this has not changed, although the language has been moderated slightly and, buried amongst the other promotional text, is a statement that the invoice-like solicitation “is not an invoice” but rather an “easy means of payment” should you be fooled. However, as with the previous scam, the “invoice” states that your “current domain name must be renewed” (emphasis is on the “invoice”).

As before, one of the goals of these “invoices” is to get you to transfer your domain from your current registrar to the “Domain Registry of Canada”. Another goal is to convince you to needlessly register numerous variations of your domain, potentially quadrupling your annual domain fees. Space is provided for your credit card number should you choose to actually send such sensitive information to a company with such questionable business practices.

Although this company is seeking to have you transfer your domain to them, the very fine print (requiring a magnifying glass and strong light to read) on the back of the “invoice” states that “you agree to provide written, signed authorization to DRoC for the transfer of the domain name to another registrar and agree to pay any and all fees that may be charged by DRoC to effect the transfer.” This policy is clearly designed to make it easy for you to transfer your domain to them from your current registrar, but very difficult to transfer back to your chosen registrar and away from “Domain Registry of Canada” once you realise that you have been scammed. Such a policy is known as “domain hijacking”, and there other examples of this unethical practice — please see the links at the bottom. This policy also goes against international agreements governed by the Internet Corporation for Assigned Names and Numbers (ICANN), to which “Domain Registry of Canada” is either directly or indirectly a party.

A similar scheme was practised by some unscrupulous companies back when the long-distance telephone market was deregulated in both Canada and the United States. It had a very descriptive term — “slamming”. If I remember correctly, the process involved the victim endorsing a low-value cheque payable to the victim from the new long-distance company, with the fine print stating that you wished to switch from your current long-distance carrier to the new one. This practise was outlawed, but regulators have been playing catch-up with the Internet since day one.

So how do you know if an invoice you received is genuine, and how do you find out when your domain really expires? Because domains are renewed on an annual (or longer) basis and we are all used to receiving monthly invoices to remind us to pay for services, it’s easy to forget the answers to both of those questions. It has even happened to Microsoft, believe it or not, when they forgot to renew The best way to find out is to go to a reputable domain registrar, or the site of the single registration authority (from which registrars get their authority) for your top-level domain (TLD). In the case of, just use the form on their home page to check your domain. Since your domain is “taken” (by you, of course), you can click on the link on the page displaying the results of your search, and you will see a new page detailing (among other things) who your current registrar is and when your domain expires. If your domain really is about to expire, you can then go to your registrar’s home page and use their Web site to renew your domain. If all else fails, please contact us if you are not sure and we will decisively determine when your domain expires, who your registrar is, and who you should be paying.

As an aside, NinerNet Communications recently started accepting domain registrations. While we still think that is one of the best registrars out there (and certainly far superior to the likes of Network Solutions / Verisign), we would be happy and honoured to accept new domain registrations, renewals and transfers. Since this is a new service, we don’t yet have an automated system in place. Please contact us for the details.

Finally, here is a description of an official-looking “invoice” sent out by the “Domain Registry of Canada”. It arrives in a #10, plain, brown window envelope with a red maple leaf in the top, left-hand corner and the words “Domain Registry of Canada” to the right of the maple leaf. A similar layout is reproduced at the top of the actual “invoice”, which is printed on white paper using black and red ink. It refers to a domain that is probably registered to you and warns you that you risk “loss of your online identity” and that your “current domain name must be renewed” (emphasis is on the “invoice”). It then suggests several possible renewal periods for your existing domain (up to five years) and then suggests several other similar domains that you should register. Payment is accepted by cheque or credit card and is requested to be sent to a post office box in Thornhill, Ontario, Canada. A white return envelope (requiring postage) is included, completing the invoice-like package.

Sorry this was so long, but we felt that this was important enough to warrant a full explanation. If you have any questions or concerns, please let us know.

Here are some links pertinent to this scam:

Scanned images of an “invoice” package:

NinerNet home page


RSS icon. RSS

General Information:

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.



Recent Posts:




accounts receivable apple billing branding cira contact information domain registration domain registry of canada domain renewals domains domain sales dot-ca domains dot-zm domains down time droc email facebook google happy hosting customers hosting transfer icann internet registry of canada invoices iphone iroc kwacha maintenance paying your bill paying your invoice quarterly kwacha rate review rates registrant transfers registrar transfers reputation scams search engine optimisation search engine optimization security seo service hours spam support transparency wordpress zamnet


On NinerNet: