Re: Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes

[Michael Thomas <mike () mtcc com>]

I think that it might be appropriate to name and shame the third party, 
since they should know better too. It almost has the whiff of a scam.

Mike

On 2/12/23 3:49 PM, Eric Kuhnke wrote:
> One very possible theory is that whoever runs the outbound marketing 
> communications and email newsletter demanded the keys and got them, 
> with execs overriding security experts at Namecheap who know better.
>
> I would sincerely hope that the people whose job titles at Namecheap 
> include anything related to network engineering, network security or 
> cryptography at that company do know better. Large domain registrars 
> are not supposed to make such a rookie mistake.
>
>
> On Sun, Feb 12, 2023, 3:46 PM Michael Thomas <mike () mtcc com> wrote:
>
>
>     On 2/12/23 3:40 PM, Eric Kuhnke wrote:
>     >
>     https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
>
>     >
>     >
>     > https://lowendtalk.com/discussion/184391/namecheap-hacked
>     >
>     > It looks like a third party service they gave their keys to has
>     been
>     > compromised. I got several phishes that fully pass as legit
>     Namecheap
>     > emails.
>     >
>     > https://www.namecheap.com/status-updates/archives/74848
>     >
>     >
>     If they actually gave them their own private keys, they clearly don't
>     get how that's supposed to work with DKIM. The right thing to do is
>     create a new selector with the third party's signing key. Private
>     keys
>     should be kept... private.
>
>     Mike