Let me assure you, you are right. We would never do this as firstly, it is unethical and secondly we value our customers. Thanks for being one of them.
Is there any way you can show that? Like some kind of audit that verifies all the domains you register are associated with real customers somehow? I really want to trust you and your team, and have never experienced front-running while using your service, and I realize it is hard to prove you are not doing something, but I have to think that some kind of technical/audit-trail solution would be a lot more effective than replying on various social media posts.
As you can see, the original poster deleted his original claim on reddit. No one has ever provided a single shred of evidence that this is actually a thing.
Thank you, our policy has absolutely not changed and never will. We are in the business of serving our customers, not attempting to take advantage of them in any way.
Administrators as in whom? No one on our team is monitoring searches and registering domains, period. These claims are 100% false. You can easily prove this at any time by conducting a search yourself and monitoring what happens.
This is false, we do not monitor customer searches nor do we register domains that have been searched on our site. I've said this before and I'll say it again here, if anyone cares to prove that this actually exists and someone within our company is registering searched domain names I will give them a 50k reward on the spot.
It shouldn’t be hard for someone making these claims to show whois data before and after. Maybe the whois before requires some foresight, but the whois after does not. I will note that despite putting “Confirmed” in the title of their Reddit post and saying they did a whois search that showed Namecheap had bought the domain, the user has not provided that whois data, nor the domain name so that others can independently confirm.
The price of a domain registration going up in real time as you’re trying to buy it is obviously a frustrating experience. Domain name frontrunning is a legitimate concern, shady registrars have done it in the past (e.g. NetworkSolutions), and there are many other entities besides registrars that might do it as well.
Trying to register a domain name is notably not a hygienic process at the best of times, the information that someone might be willing to pay money for a particular domain name could leak and be exploited at many different stages of a typical search process. Unfortunately, the user only finds out they’ve been exploited when they try to pay on the registrar’s site. Registrars concerned about being unfairly accused might find that providing some transparency into the process can assuage this reaction - perhaps a “why did this price go up?” button/link that shows excerpts from your log history of whois calls for that domain name, or if the problem is the gTLD provider changing their prices on the fly, maybe a log of that information over time.
(Exhaustive potential conflict of interest disclaimer: I hold ~$40/year worth of registrations through Namecheap and another ~$30/year worth of registrations through Gandi. Besides these two aforementioned purchases, I do not and have never been employed by, held an investment position in, or maintained any other kind of financial relationship with any domain registrar [lookup service, TLD provider, etc.] in any form.)
I chose three domains, and for each of them, did a whois query from a local terminal then looked them up on Namecheap. All three are domains I can imagine someone registering (i.e. not just keyboard mashing).
They have these SHA1 hashes (echo -n '$domain $salt', all salts are the same string):
3ded27709bfcbba44ce893262f531c595ee82f72
78eb52058b915fde23df7289250146e4a6622a9e*
e5db7a02eec8ce2b351a5955d84cc6daa561a41f*
These three I did not whois first, and only looked up on Namecheap:
8d59b003b9261bbb7f8268d8f56fbebb1574688f
68a87269d6011110c43ec6bb928ca008de4fcb6e
fa636723fb66d2fb4e93b317f185eb058149e53b*
I will check them again sometime tomorrow and report back (and reveal the domains then).
(I have four domains registered with Namecheap, no other allegiances of any sort. I was not logged in while testing this.)
* Edit: Well, this is embarrassing. I posted this, then closed the Termux session on my phone where I was hashing them... without saving the hashes. Apparently that doesn't write to .bash_history. I recovered three of them from memory by brute forcing words I'd used against a list of TLDs. I'll update again if I remember any of the others.
If this sounds incredibly suspicious to you given the entire point of this comment, I don't blame you. I encourage people to try the same experiment on their own anyway, especially sometime when this isn't in the news.
Salt was "monosodium glutamate". One of the ones I forgot was "quadrangular" or a similar word, but I couldn't find it by brute force.
As of right now, none of these are registered. I did kind of screw this up, might be good to try again another time and against more registrars (and maybe not post about it in advance in a thread where the CEO is known to be watching). But currently I don't see any evidence that this is happening, at least not with Namecheap and not for every domain.
Thanks for being a customer and for your input here. I can also assure you that we do not adjust our pricing based on searches. Our pricing is pretty static and is usually given to us from the tld registries themselves. They sometimes create "premium" pricing for certain domain names and all we do is pass that on to the customer with a very minimal percentage added to it(usually less than 10%) in most cases.
I had a similar experience with my domain, hegz.me, which I had purchased from Namecheap. I allowed it to expire and did not pay the redemption fees, thinking I could buy it again at a later time. However, to my surprise, after the redemption period had ended, it was listed for a price of $2,888. Can you explain why this is the case?
To be clear, the issue was with a 3rd party provider that we use to send our newsletter. None of our own systems or customer accounts where breached. I sent a follow up email to all users that were affected. The domains linked in the original phishing emails were also disabled. I apologize for this issue and to anyone it may have affected. We have also taken immediate steps to insure it will not happen again.
So… What happened? Did you get your keys stolen out of a CI or something? It just seems suspicious that you’d be the only business affected by this 3rd party provider.
If I have a business and I use a company like sendgrid, I have credentials to use that service. If some employee has access to that account (such as to send newsletters), and that employee’s credentials were lost or stolen, that doesn’t seems suspicious at all.
I don’t have any inside info here, but it makes sense. And as a namecheap customer, I see no reason to panic at this time.
Employees should use 2FA for their accounts and Sendgrid seems to offer this; for password stored in sending applications one can use combination of password and IP ACLs but I don't know if SendGrid allows to set IP ACLs for senders. While 2FA is not a panacea it significantly reduces rick.
One can send newsletters using a subdomain like news.acmecorp.com and have Sendgrid's IPs in SPF record only for this subdomain and not for the main domains (though most recipient would not notice change from say @acmecorp.com to @news.acmecorp.com).
I don't think this is unique to NameCheap, I've gotten both metamask and DHL emails from other lists I'm on, I assume from the same threat actor. I would assume that they're opportunistically using whatever mailing list they can gain access to.
They're actually pretty common, just like there are tons of metamask phishers on twitter. Those are just popular vectors because they're fairly broadly effective. Preventing spam and phishing like this is unfortunately a pretty big part of the job for anyone in the business of sending email. (source: engineering manager at a marketing platform)
This ridiculous registrar threatened to lock our domain and destroy our business within 24 hours for a defective DMCA notice that addressed one if our 40 million user profile subdomains. Our legal counsel advised to temporarily comply instead of arguing (although he did send them a nasty letter) to move over to a normal registrar from this cheap one, that i got when i was bootstrapping with no money because it was several dollars cheaper. It's not a business of a domain registrar (unlike a web host) to enforce DMCA notices.
So you found out how DMCA works and how much it sucks the hard way, eh?
You’re right it shouldn’t be the business of a domain registrar. But every provider in the chain that the copyright holders can reach to will end up responsible. You, the registrar, web host, ISP, everything.
Send your complaints to the US government and the copyright lobby. It’s a bullshit law. Namecheap complies with it because if they don’t, THEY get cut off by their own providers, and so on up the chain until the fines roll in.
My experience with namecheap is similar very bad too. They also sent me an email saying if you don't respond in a short time(24 hours) your domain will be revoked. Related experience: https://news.ycombinator.com/item?id=14139288 I moved my domains from namecheap to gandi.net and so far no problems. I would avoid namecheap like the plague for any large site. Of note, I had millions of unique vistors per month on that domain for a normal legal site.
ycombinator uses gandi.net too.
and even if they obey us and internation laws, threating to revoke a domain within 24 hours if no reply regarding an external complaint, with just an email warning is ridiculous and not how other reputable domain registrars work.
Why should it matter how many visitors you have? People with 3 visitors pay the same and can be also badly affected if the domain is yanked at a wrong time. Especially nasty if you run email on the yanked domain.
I agree with that.
I was just emphasizing the livelihood of multiple people and a whole business depended on answering a email from namecheap within 24 hours due to an complaint they received.
Abusive DMCA takedowns are unfortunately extremely easy, very time consuming to report, and seemingly very rarely have any action taken against the person who falsely claimed. Not excusing Namecheap here, what they did was totally shit.
Heroku did the same thing to me for same reason - completely shut down my entire account with several revenue generating websites with zero notice.
We are contacting you from the Namecheap Legal and Abuse department regarding your “XXXXX” Namecheap account.
We are in receipt of a copyright infringement notice pursuant to 17 U.S.C. §512 of the Copyright Act, requesting that we disable allegedly infringing material that appears on a domain hosted in your account (“Domain”):
xLINKSx
As a hosting service provider, Namecheap complies with the Digital Millennium Copyright Act (“DMCA”). We would like to help you avoid any service interruption. Please review the DMCA notice that we have included in this communication.
If you do not have the authorization to host the alleged disputed content, and if you are not authorized to use the disputed content, you will need to remove the content within 72 hours, or we may be required to suspend your hosting account under DMCA guidelines.
In order for us to consider a case resolved, the reported link(s) is to show the '404 Not Found' error/suspended page or redirect to the main page of the website.
If you believe that the identification of this infringing content is in error, we suggest that you contact the reporting copyright owner to resolve the matter. If the reporting copyright owner agrees there is a mistake, ask them to email Namecheap at dmca@namecheap.com.
If you are not able to come to an agreement with the reporting copyright owner or if you disagree with the copyright claim, you may submit a DMCA Counter-Notice to Namecheap within ten (10) business days of the date of this email. The Counter-Notice must comply with the requirements of the DMCA and must contain the following points:
1. Your contact information, including name, address, and telephone number, as well as facsimile number and email, if available;
2. A statement that, under penalty of perjury, you have a good faith belief that the material was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled;
3. Identification of the material that has been removed or to which access has been disabled, and the location at which the material had appeared before it was removed or access was disabled;
4. A statement that you consent to the jurisdiction of the United States District Court in which the address you provide is located, or if your address is outside the United States, for the judicial district of California;
5. A statement that you will accept service of process from the person who provided the initial notice or an agent of that person;
6. A physical or electronic signature by you or your agent.
The DMCA Counter-Notice should be sent either via this ticket by replying to our notice or to Namecheap.com Attn: Legal Department, 4600 East Washington Street, Suite 305, Phoenix, AZ 85034, USA, Facsimile:
Once a valid DMCA Counter-Notice has been submitted, Namecheap would provide a copy of the Counter-Notice to the reporting copyright owner. In addition, the DMCA requires that you remove the disputed content for at least ten (10) and not more than fourteen (14) days from when the Counter-Notice was served. Thus, Namecheap will advise the complaining party that the listing will be reinstated within ten (10) days and will remain so unless we hear from the reporting copyright owner that he or she has filed an action against you under the DMCA in a court of competent jurisdiction for copyright infringement and is seeking a court order to restrain you from publishing the disputed content.
By submitting your Counter-Notice to Namecheap, you agree to waive, and hereby do waive any legal or equitable rights or remedies you have or may have against Namecheap with respect to any Counter-Notice you send, or claims regarding any aspect of the disputed content and its publication and/or Namecheap's action in implementing a takedown or re-establishing the content, and you agree to indemnify and hold Namecheap, and its owners/operators, affiliates and/or licensors, harmless to the fullest extent allowed by law regarding all matters relating to your sending of a Counter-Notice.
If you feel you received this notification in error, please contact us at with more information as to why. We do apologize for any inconvenience this may cause you.
This proliferates the same confusion that your company has. The note you quoted is about hosting accounts ("hosting service provider"). We did not host anything with you, we only registered a domain. This notice does not apply. When i get to my laptop i will dig out the original notice from you and the response from our counsel.
I had clicked on the DHL one link. It took me to a site which looked like DHL, and in the next step, chrome refused to load the website. Is there any impact on folks on clicked on the links? I never entered any info as such, so not sure, but looking for more information on whether I should be concerned.
I assume it was a phishing site where the threat came if you actually provided them with details
(I didn't receive the DHL one, but did test the Metamask link in a safe browser environment. It was just a phishing site to try to get people's crypto credentials)
I never received an email, but just today received spam on an email address only used with namecheap. You might want to check your logic for what was impacted.
why is a company like namecheap not servicing their own email servers? what a cop out.
I've also read about you not wanting to update 2FA systems... another cop out
I wonder how many people got caught and ruined by this scam, what if you are behind it?
you don't deserve to be in business.
Mindless comments like these are not useful to the discussion. You are speculating on something that didn’t even happen, if indeed it’s just a newsletter provider that got beached.
Namecheap is still responsible for the third parties they work with. But nobody “gave your password”.
Namecheap is still reasonably cost competitive. I use them for a few domains I own and haven’t had any major issues and found the price closer to other well known competitors.
I alway compare prices at domcomp.com Over the time, most of my 15 domains (mixed tlds, .com .net .us .xyz .in etc) got moved over to cloudflare & dynadot, with them both having cheaper renewals.
Until you try to put a single NS record on your domain. Then you have to cough up the dough for a business plan. Utterly laughable and why I moved off Cloudflare for my domains. NS records are free on Namecheap and Porkbun.
Is it that difficult for you to comprehend brand names? It might have been accurate at some point, but times grow and brand names aren't meant to be taken literally.
Ser, your name is satoshiiii, so am I supposed to think you are the real Bitcoin creator? or are you straight up lying to other users?
Can you please clarify how exactly the decision making process occurred to give a 3rd party email provider a copy of your private DKIM signing key for the domain "namecheap.com" ?
The emails could not have gone out with DKIM-signature and successfully validated by openDKIM at my receiving MX/SMTPD against the public half of the key in your DNS TXT record for your DKIM key, unless you had given them access to the private key.
Did the persons who are responsible for creating and maintaining your DKIM public/private key pair and its selectors directly give the key to some third party (sendgrid, mailchimp, whatever) type email newsletter services, or were they ordered to do so by somebody else in Namecheap management?
Or, did the persons responsible for your authoritative DNS zone for namecheap.com insert an additional DNS TXT record for the DKIM key used by a 3rd party service?
While I don't know the details of the third party at name cheap, it's pretty common to have a bunch of third parties with their own DKIM keys and just trusting and including their public keys on your DNS zone. Nobody sends all their own mail, your service desk, support software, ticketing system, alerting system, collaboration provider all have DKIM keys and SPF records you're adding to your zone and they just control the keys for their own input.
This means that if they get pwned, it's their ability to send mail on your behalf that gets abused, not some key stealing and DKIM impersonation (and why would they bother if a perfectly fine emailing system is already open and ready to spam the crap out of everyone).
I received one of the phishing messages as well as the follow up / apology. An interesting wrinkle is that both were handled by sendgrid and used the same dkim selector. I would guess that a set of sendgrid api credentials shared with some 3rd party service was compromised.
- One of our domains had a DKIM trust with Mailgun (3rd party)
- Mailgun was integrated with a planning service (4th party?)
- Planning service was integrated with a CRM (5th party?)
- CRM was integrated with a website (6th party?)
Website got pwned, spam ensues using the entire chain all the way back to our domain. This was a while ago but I think the website was pwned, leaked API credentials for the CRM, those were locked to only read the address book for sources (not even destinations! but '*' was allowed...) but because the software was crap the planning/calendaring service was registered as a 'source', which included API creds. The planning service itself was pretty good, no further grab-keys-via-API, but using what was already allowed you could send raw MIME messages and it would just use the Mailgun API it had access to.
Luckily for me, I was on a prometheus spree and had an exporter grab the Mailgun metrics every few minutes (Ironically to support the CRM team because they didn't have any good metrics of their own and did like to blame everyone else), so while it was configured to look for dips, it also triggered on spikes because those tend to end with dips too.
I think in the end nobody learned from it because every team/vendor covered their ass with "well we only run it in datacenters with firewalls so this is the cloud at fault" and I don't think anyone got flak for it (but some definitely deserved a fair bit).
