NinerNet Communications™
Blog

Corporate Blog

Phishing warning for domain registrants

31 October 2015 12:38:00 +0000

We’re seeing what appears to be a concerted “phishing” effort aimed at the registrants of domains. To be honest, the first time we saw one of these emails, the allegations it contained made us angry, and we almost fell for it. This is the classic reaction that “phishers” are looking for — anger, or fear — because those emotions will cause the smartest among us to lose control, perhaps for just long enough to do something stupid.

As always, our best advice is to take a moment to calm yourself down and take a critical look at the email that you have received. It is almost certainly fake.

We have received two different versions of these emails for several domains registered to us, and the emails are likely tailored to the registrar with which you have your domain registered. Below are the emails we’ve received, with legitimate email addresses altered to prevent their being automatically harvested by yet more spammers.

Example 1

From: domainabuse _AT_ tucows.com
To: NinerNet Communications
Subject: Domain ADDRESSGAURD.COM Suspension Notice
Date: Mon, 26 Oct 2015 18:46:54 -0700

Dear Sir/Madam,

The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:

Domain Name: ADDRESSGAURD.COM
Registrar: TUCOWS, INC.
Registrant Name: Domain Administrator

Multiple warnings were sent by TUCOWS, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us by email at mailto:domainabuse _AT_ tucows.com for additional information regarding this notification.

Sincerely,
TUCOWS, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

Example 2

From: “TUCOWS, INC.” <domainabuse@tucows.com.org>
To: NinerNet Communications
Subject: Domain GIVE-SPAM-THE-SLIP.COM Suspension Notice
Date: Tue, 27 Oct 2015 21:59:41 -0700

Dear Sir/Madam,

The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:

Domain Name: GIVE-SPAM-THE-SLIP.COM
Registrar: TUCOWS, INC.
Registrant Name: Domain Administrator

Multiple warnings were sent by TUCOWS, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
TUCOWS, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-570-6902

The text “Click here and download” was, in all cases, hyperlinked to websites NOT on domains associated with NinerNet or Tucows, the registrar with whom our clients’ domains are registered. You must always take a moment to view (in the status bar of your email program) the URL (address) of the website to which a link will take you, before you click the link.

While the first email was crafted so that it appeared to be sent from domainabuse _AT_ tucows.com — which is a real email address — subsequent messages have arrived from domainabuse@tucows.com.org. Tucows.com.org is not a real domain; however, it does exist as a sub-domain of the com.org domain which, despite how odd it looks, is an actual domain. (It is being “monetised” by its owners, who probably have nothing to do with the spammers/phishers but who have unfortunately set it up in such a way that “tucows.com.org” appears [to both humans and automated anti-spam systems] to be a working domain.) We have configured our mail servers to block messages from the tucows.com.org sub-domain, but if the contact email address for your domain is on a domain we don’t host (e.g., gmail.com, yahoo.com, etc.) then you may still receive these messages. Since tucows.com is a legitimate domain, we cannot block email from it.

As always, if you have any questions about a questionable email that you have received — or one that has made you afraid or angry — please forward it to us and we’ll take a look at it to determine whether or not it is legitimate.


Update, 2015-11-01: Minor corrections, add missing sender email address, add actual domains and remove protection for bogus email address.

Update, 2015-11-03: We’re now seeing these scam emails coming from domainabuse@tucows.com.info. In this case the “com.info” domain (and any sub-domains) is completely bogus and should be blocked by default for most of our email clients. We checked out what happens when you click the link (don’t try this at home!) and our browser was directed to download a file named “GIVESPAMTHESLIP.COM_copy_of_complaints.pdf.scr”. This is an old trick: giving a file a “double extension” to trick people into opening what they think is a PDF file, but which is actually, on Windows machines, an executable screensaver file (“.scr”) that can carry a malicious payload. Remember, think before you click!
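The three checks described in this post (sender domain, real link target, double extension) can be automated. The following is an added example, not code from NinerNet or Tucows; the trusted-domain list, the extension lists and the example.net link host are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain the real registrar uses for mail and links.
TRUSTED = {"tucows.com"}
# Illustrative, not exhaustive: types Windows executes vs. types people expect.
EXECUTABLE_EXT = {"scr", "exe", "com", "bat", "cmd", "pif", "js", "vbs"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def domain_verdict(host):
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name."""
    host = host.lower().rstrip(".")
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted"
        # tucows.com.org: the trusted name is only a label prefix of another domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike"
    return "unrelated"


def double_extension(filename):
    """True when a document-looking name really ends in an executable type."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DOCUMENT_EXT


class LinkCollector(HTMLParser):
    """Collects the real href targets, which the visible link text hides."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)


def triage(raw_message):
    """Return a list of findings for one HTML email given as a string."""
    msg = message_from_string(raw_message)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    verdict = domain_verdict(sender_domain)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_domain} is {verdict}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.links:
        url = urlsplit(href)
        if domain_verdict(url.hostname or "") != "trusted":
            findings.append(f"link goes to {url.hostname}, not the registrar")
        name = url.path.rsplit("/", 1)[-1]
        if double_extension(name):
            findings.append(f"double extension in {name}")
    return findings


# Constructed samples; example.net stands in for the link hosts, which the post does not name.
HEAD = "Subject: Domain Suspension Notice\nContent-Type: text/html\n\n"
LINK = '<a href="http://downloads.example.net/{}">Click here and download</a>\n'
SPOOFED_REAL_SENDER = "From: domainabuse@tucows.com\n" + HEAD + LINK.format("complaints")
LOOKALIKE_SENDER = ('From: "TUCOWS, INC." <domainabuse@tucows.com.org>\n' + HEAD
                    + LINK.format("GIVESPAMTHESLIP.COM_copy_of_complaints.pdf.scr"))

if __name__ == "__main__":
    print(triage(SPOOFED_REAL_SENDER), triage(LOOKALIKE_SENDER), sep="\n")
```

The first sample passes the sender check because the From address is forged to the real domain, so only the link check catches it; the sender field alone is never enough.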

Rate pages updated

9 October 2015 09:29:08 +0000

In addition to posting the new kwacha rates we mentioned here last week, we have updated all of our rate pages to lower our managed VPS rates in all currencies, and to provide a complete list of the huge number of top-level domains (TLDs) that we now offer. In addition to a comprehensive array of country code top-level domains (ccTLDs), we now offer 364 new TLDs, such as the following:

  • .amsterdam
  • .club
  • .design
  • .golf
  • .irish
  • .london
  • .news
  • .ngo/.ong
  • .ninja
  • .online
  • .rocks
  • .site
  • .space
  • .taxi
  • .tech
  • .website
  • .work
  • .xyz

Please check out the new rates pages:

If you have any feedback, please let us know!

Warning about ongoing domain registration scam

9 October 2015 09:12:28 +0000

Hardly a week goes by that we don’t hear from a client with questions about a spam email that they have received regarding their domain registration(s). We appreciate hearing about these as it gives us the chance to reiterate with individual clients what to look out for in these emails, and to learn about new scams as they arise or determine that the old ones are still running.

One old one looks like the following:

From: Charles Zhang [mailto:charles@yiguandns.com]
Sent: Friday, October 09, 2015 6:01 AM
To:
Subject: yourdomain CN domain and keyword

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 8, 2015, we received an application from Huamei Holdings Ltd requested “yourdomain” as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it’s necessary to send email to you and confirm whether this company is your distributor or business partner in China?

Kind regards

Charles Zhang
General Manager
Shanghai Office (Head Office)
B06, Yujing Building, No.1 Jihe Road,
Shanghai 201107, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697
Web: www.yiguandns.com

Note that “yourdomain” in the email above is the client’s actual domain, without the TLD — top-level domain, the part to the right of the dot. For example, if your domain is example.com, the subject of this email would be “example CN domain and keyword”. Of course, the actual wording of the subjects and bodies of these scam emails can and does vary, as do the senders.

These emails are nothing but unsolicited solicitations to register (in this case) the same domain as your existing domain in the dot-cn (China) ccTLD (country code top-level domain) — e.g., example.cn if you already own example.com. There are other variations on these attempts to scare you into registering domains you almost certainly don’t need, usually, we have noticed, in TLDs in East Asia. However, scams like this can and do originate from all over the world. Also, remember that there is no such thing as an “internet keyword”; you cannot buy such a thing, it’s just a general description of a concept.

As always, if an unsolicited email (or, for that matter, phone call, postal letter, fax, smoke signal, etc.) tries to scare you into taking some sort of action — especially if it involves getting you to spend money — it is certainly a scam. Whether it involves domains or anything else, check with a trusted and knowledgeable advisor in whatever industry is involved before you take any action. Don’t even reply to these people, and certainly don’t send them any money.

As always, if you have any questions about emails you have received regarding your domains or hosting, we’ll be happy to address them.

A note to our Zambian clients on the value of the kwacha

3 October 2015 08:13:59 +0000

As you have no doubt noticed, the kwacha has recently slid in value, and this has not escaped our notice either.

Although we bill and accept payment locally in kwachas, most of NinerNet’s expenses are paid in foreign currency to offshore suppliers where our servers are located. The reliability of these offshore systems is one of the reasons we’ve heard from our clients for choosing NinerNet over other local companies with data centres in Zambia. Before the current situation, our kwacha pricing had already fallen behind the kwacha’s trajectory against the US dollar, and we were considering options to address this that did not involve a pricing shock to you, our client, and simultaneously laid out plans for future price changes (even decreases) in a predictable manner.

When we first started operating in Zambia we, like many companies, invoiced in US dollars while accepting payment in kwachas. In 2012 the Government issued The Bank of Zambia (Currency) Regulations, 2012, outlawing the use of foreign currencies for domestic transactions. As NinerNet Communications is a Zambian-registered turnover tax company, we complied. For philosophical reasons (not the least of which was to keep our pricing predictable) we did not return to invoicing in US dollars when this law was later rescinded, and the kwacha rates we set in 2012 have not changed in the three years since.

Unless the kwacha loses further value in a short period of time, this is an issue that we will deal with gradually over the next few months by bringing our kwacha rates back into line with the kwacha’s value against the US dollar.

Effective with our October 2015 invoicing at the middle of the month, our rates will increase by K3.00 per US dollar — i.e., from the K5.50 per US dollar we set in 2012 to K8.50 per US dollar. In other words — to use our most popular hosting plan (webONE) as an example — if the monthly rate was K82.50, the rate effective with this month’s billing will be K127.50. Similarly, our price for generic top-level domains (e.g., dot-com) will increase from K104.50 per year to K161.50 per year. (We will leave the price of our alternative top-level domain for Zambia [dot-zam.co] at K66.00 per year.) You can use our US dollar rates page to see where things are going; our kwacha rates page will be updated in the next few days to reflect rates at the current exchange rate that will be charged for all NEW business.

Something important to note is that accounts that are already paid up to a certain expiry date will NOT be affected. In other words, if your expiry date is set at 1 June 2016 (for example), your hosting will still expire on that date and you will not be billed anything extra. This will also continue to apply into the future; your expiry date will remain your expiry date no matter what happens to the exchange rate in the meantime. Refunds for cancelled hosting will be issued at the rate that was paid at the time the service was invoiced.

We would like to return to stable and predictable kwacha rates as soon as possible. Assuming that the exchange rate does indeed stabilise in the near term, we will look at revising our kwacha rates — up or down, as the case may be — every three months going forward to avoid sudden changes like the one we are being forced to implement today. Of course, if there are any wild swings like there have been since the beginning of September we will have no choice but to react more quickly.

We welcome any feedback you may have on our plans. Thank-you for your understanding, and thank-you for your business.

Office hours

4 July 2015 08:59:55 +0000

NinerNet’s offices will be closed from Friday, 3 July and will re-open on Friday, 10 July. Emergency support will continue to be available 24/7, but routine emails and enquiries will be dealt with on Friday, 10 July. Thank-you.

Office hours

23 April 2015 20:24:50 +0000

NinerNet’s offices will be closed from Friday, 24 April and will re-open on Monday, 4 May. Emergency support will continue to be available 24/7, but routine emails and enquiries will be dealt with on Monday, 4 May. Thank-you.

Office hours

20 March 2015 04:54:14 +0000

NinerNet’s offices will be closed for the week of 23-27 March. Emergency support will continue to be available 24/7, but routine emails and enquiries will be dealt with on Monday 30 March. Thank-you.

Delaying tactics by Network Solutions

21 January 2015 23:55:41 +0000

Businesses hate to lose customers, there’s no question of that. We hate to lose customers, there’s also no question of that. When a client tells us that they will be closing their account with us for one reason or another — it happens! — we’ll ask if there is anything we can do to keep their business. More often than not we’ll learn (often to our surprise) that the client is actually closing shop, and they’re not moving to another hosting provider — which is a bit of a relief (to us) in that we know they’re not leaving because of something we did, or something we didn’t do.

Sometimes, of course, the client is actually moving to a new hosting provider. As we’ve stated before, we do say that we’re sorry to see them go — and we mean it — and we ask if there’s anything we can do to keep their business, but if they’re committed then we back off. Importantly, we also don’t do anything to impede their progress into the sunset. In our opinion, that would be unprofessional, and we’d then deserve to lose that business. And given the number of clients that end up returning to us months or a year or two later, we’d be idiots to burn that bridge.

So it was interesting to learn today that Network Solutions (owned by Web.com) has apparently (at some point) implemented a three day waiting period if you ask for the “auth code” for a domain registered through them. (The authorisation code is required to effect a domain transfer from one registrar to another.) Now, it is our assertion that every domain name owner should ask for and make a note of the auth code for their domain as soon as it’s registered, and should also change it (if permitted by the registry) after a registrar transfer. (There is a long history of domain owners being caught flat-footed in times of crisis without this information.) But most of our incoming clients have not done that, and so now this client is being held hostage by Network Solutions for three days, waiting for the information — information they already own — that they need to effect the transfer they want to make. Network Solutions give the following reason, after a couple of screens of FUD-generating warnings of imminent Armageddon that are clearly designed to scare the domain owner into not obtaining the information to which they are entitled:

Your request for an Auth Code has been received and your information will be validated to ensure the security of your account. If your request is approved, you will receive your Auth Code by email in 3 days.

To cancel this request, please call one of our Customer Service Representatives at 1-800-779-4903.

Thank you.

Now, it’s all well and good that Network Solutions claims (or hides behind) the excuse of “[ensuring] the security of your account” (which is not surprising, considering they were responsible for one of the biggest screw ups in domain history when they allowed the fraudulent registrant transfer of a domain registered with them back when they held the monopoly on gTLD registrations), but this is clearly a delaying tactic to give the customer time to lose the will to transfer because now it’s just too much of a problem, too much effort, too complicated, too time-consuming … or whatever negative feeling develops in the mind of the domain owner as he or she spends three days mulling over (and perhaps having nightmares about) the things they read in the two screens of dire warnings before finally screwing up the courage to click the “yes, I really do want my auth code” button.

Shame on you, Network Solutions, for impeding the progress of this customer who has decided — as they’re free to do — to move their business to a competitor. But this is not surprising from a company that has a longer list of “controversies” in its Wikipedia article than most companies, along with those of its former parent company Verisign. They both also appear prominently in the “Domain name scams” article, as well as here on our own blog.

Christmas and New Year Hours and Wishes

23 December 2014 23:24:57 +0000

I’m taking this opportunity to thank you for your business in 2014 and to say that I look forward to continuing to earn your business in 2015.

We wish you and your families and employees a very happy Christmas, and all the best for the New Year.

Our office will be closed until Monday 5 January, but our systems will be monitored 24/7 (as always) and support will continue to be available 24/7 for emergent requests.

Configuring our servers against “POODLE”, SSL/TLS, and email security

24 October 2014 15:52:19 +0000

The maintenance to protect against the “POODLE” exploit has been finished, as we’ve noted on our status blog. While I’d like this to be a short post stating just that, like the maintenance itself, there is more to it than meets the eye.

What was anticipated to take about an hour during a scheduled weekend maintenance window ended up taking much longer as we waded through the pros and cons of configuring some or all services to disable SSL version 3. (Of course, very few people know about and can prepare for these things in advance.) First, there was some debate in information security circles about just how serious this issue was/is, how quickly it needed to be addressed, and by whom. In short, some took it more seriously than others, but there was general agreement that other issues (Heartbleed and Shellshock, for example) were much bigger. Those that didn’t feel it was that serious had their reasons, but we’re not in business to gamble with your security.

While this is a vulnerability in a protocol (SSL version 3) that is (or has been) used to secure different types of connections, the main area of concern was with HTTPS connections — i.e., web browsing. To my knowledge, the only known exploit of this protocol vulnerability uses JavaScript, and only over HTTPS connections. In other words, there is currently no known issue with using SSLv3 to secure non-HTTPS connections — e.g., email.

To that end SSLv3 will still work on some of our mail servers. How this is handled — if your email program can’t use TLS — differs between email programs, with some email clients failing silently and establishing a non-secure connection instead, and some failing completely to connect. We expect that most email programs using our existing suggested configurations will continue to work across all of our servers. However, while we have not had any reports of issues from clients, one of the reasons this took longer than anticipated was the surprising number of current or recent email clients that stopped working when we disabled SSLv3 on the mail servers. Connections by email clients configured to use SSLv3 still work on server NC018, while on NC027 they will fail silently as described above. This is related to the differing behaviour of the software running these two mail servers.

All web servers (including control panels) were configured to deny SSLv3 connections by Monday this week. Web browser developers seem to have kept up with and done a better job implementing TLS in current versions than some email client developers. As we’ve stated several times previously, Outlook 2003 should be relegated to the past, along with Microsoft Internet Explorer version 6. The latter uses only SSL (and has TLS disabled) by default. Microsoft, of all people, have actually had an active campaign to discourage the use of MSIE 6 since 2009 with their ie6countdown.com website; according to that website, only 3.3% of users worldwide are still using MSIE 6, and about three quarters of them are in China. Put it this way, using MSIE 6 today is like trying to drive a Model T Ford on modern roads among modern cars, expecting to go as fast as modern cars and to be serviced by modern mechanics. In short, using certain software today is simply a bad idea, even if it still appears to some people to work.

Another thing I’d like to address here is the difference between SSL (secure sockets layer) and TLS (transport layer security) … or, more correctly, the perceived difference. There is no difference. They are essentially the same thing. For all intents and purposes, the lay person can consider TLS version 1.0 to be SSL version 4.0. That’s not true from a technical standpoint, but as someone who deals every day with clients who just want their computers to work and are more concerned about the intricacies of their trucking business (for example), they do the same thing: encrypt your Internet connections. TLS, as the successor to SSL, is newer and better (as the “SSL version 4.0” comparison above makes clear), and you should use TLS in preference to SSL any time you have a choice.

Finally, a word about email security. It has become more and more clear to me over the years that the trend in software development is to hide things from the average user. There is a point to which this is good; after all, if you had to type in all of the commands that your email program (for example) uses to connect to the mail server to download or send your email, you might as well write a letter with a quill and ink and send it via carrier pigeon. However, if your email program is going to fail silently and send your message in the clear — i.e., over an unencrypted connection — that’s something you probably want to know about if you thought you were using an encrypted connection. But this is not something you will read about in glossy brochures extolling the virtues of this email program or that. The fact is, most people will never be aware of such an issue, and those that have the most to fear — for example, people living in or reporting on dictatorships — will only realise they have a problem when there is that ominous knock at the door that reveals their communications have been compromised.

For this reason it is not enough to rely on your email service provider — not even NinerNet Communications — to secure your communications if you are, for example, an activist in a police state or a reporter with confidential sources. No, you have to take that responsibility on yourself by encrypting the actual messages you send before you send them. How to do this is certainly beyond the scope of this post, and even if you were to do it, it may not be necessary for all of your communications. Going to this extent to protect yourself takes extra time and effort and may require additional software on your computer, but at the end of the day you need to determine for yourself the pros and cons in your own cost-benefit analysis.
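The silent fallback to an unencrypted connection described above is a client-side choice, and a client can instead fail closed. The following is an added example, not NinerNet's configuration or any email program's code: it refuses to continue when the server does not offer STARTTLS and cannot negotiate SSLv3. The TLS 1.2 floor, the `.invalid` host names and the loopback test server are assumptions made for the illustration.

```python
import smtplib
import socket
import ssl
import threading


class PlaintextRefused(Exception):
    """Raised instead of silently continuing without encryption."""


def strict_tls_context():
    """Client context that verifies the server and cannot negotiate SSLv3."""
    ctx = ssl.create_default_context()  # certificate and host name checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: server has TLS 1.2+
    return ctx


def open_submission(host, port, timeout=5):
    """Return an SMTP session only once it is encrypted; never fall back."""
    smtp = smtplib.SMTP(host, port, local_hostname="client.invalid", timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise PlaintextRefused("server did not offer STARTTLS")
        smtp.starttls(context=strict_tls_context())  # raises on handshake failure
        smtp.ehlo()  # re-read capabilities over the encrypted channel
        return smtp
    except Exception:
        smtp.close()
        raise


def _plaintext_only_server(listener):
    """Constructed test double: an SMTP server that never advertises STARTTLS."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mail.invalid ESMTP\r\n")
        conn.recv(1024)  # the client's EHLO
        conn.sendall(b"250-mail.invalid\r\n250 SIZE 10240000\r\n")
        conn.recv(1024)  # returns b"" when the client hangs up


def demo_refusal():
    """Run the strict client against the test double on a loopback port."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        server = threading.Thread(target=_plaintext_only_server, args=(listener,), daemon=True)
        server.start()
        try:
            open_submission("127.0.0.1", listener.getsockname()[1]).quit()
            return "connected"
        except PlaintextRefused as exc:
            return f"refused: {exc}"
        finally:
            server.join(timeout=2)


if __name__ == "__main__":
    print(demo_refusal())
```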

General Information:

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.
