warning Concerning e-mail from NameCheap

pb

I've just received a weird e-mail from NameCheap (attached below). It was sent from [email protected] (IP 149.72.141.59 - passed SPF, DKIM, DMARC) to the mail address I'm using with NameCheap, using my name&surname, and the links in the mail are under links.namecheap.com. If it's not a breach I don't know what it is...

I got both of those emails too. The DHL one went straight to spam, but the Metamask one hit my inbox.

At first, I thought it was just more spam, but the email sender got me a bit confused. It seems concerning, to be honest.
 
I hope I cleaned it up properly...

Delivered-To: [my_mail]
Received: by 2002:a0c:d7d1:0:b0:534:7395:29d9 with SMTP id g17csp2940914qvj;
Sun, 12 Feb 2023 13:25:38 -0800 (PST)
X-Received: by 2002:a81:dc05:0:b0:52f:aab:5f71 with SMTP id h5-20020a81dc05000000b0052f0aab5f71mr3056322ywj.17.1676236897621;
Sun, 12 Feb 2023 13:21:37 -0800 (PST)
X-Google-Smtp-Source: AK7set/Y4XLx6CUK4OPxgJoIyt2DYAR+8D4ffd9SYC4vUjctrlsNbeaVzVErxRFqkbrLcN6ntkhJ
X-Received: by 2002:a81:dc05:0:b0:52f:aab:5f71 with SMTP id h5-20020a81dc05000000b0052f0aab5f71mr3056291ywj.17.1676236896577;
Sun, 12 Feb 2023 13:21:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1676236896; cv=none;
d=google.com; s=arc-20160816;
b=vwjrJ7FGyVmDEbg1vM/FC69WX8ryfO2kfsjVQg01oxJ2OuluO9plzeu2HTFIPKZYbc
Re8Jjxa76XVwTNIW6hAn1cAQfqpDso49LpRykpLglpZvOva6lG+5wkbZN6zXEMKFLUPJ
wBhDXsDPsFT+7f/AFjqitOq8ITRyZzlB0fFsyMP4BdartI5UW8dEqKhN3YamLND1hvUY
GwJrjTP9QGk/yBH11Ibn35iGk1X73oEAe9o40lu3g2yCWypT4t+SLSwlWCkrg7sTIv9r
5rqdHRpg9oCB7LzlXQ7NdQa9imjyU/+oXcqFvfj5pN2GoZGMM7dYiHXsbu14/Orx3aon
EtWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:reply-to:message-id:subject:mime-version:list-unsubscribe:from
:feedback-id:date:dkim-signature;
bh=5MLgTLrZB0u3RqAQCStwUI5dGjMMNfLn7ZSO3geJAnk=;
b=Wt2rGZotauheFnx5RaB4CGAKO1pYT9SXoyDaaoXuFk9/y1Wu2iKuOD3dS1gkkBaeVA
jrXFdiSo2laJs1uzrOs2I2Au3DVGC1vBjrPm7JEZe7o5tRPrLn4e64Ipvs1+nV68iUOc
oRUNa+2RwKyUCr6uEbB/l3v34Z46ECY4ZUsGIzMLoBuELiDWKd/5rYqMYTpoFCutEtmx
X1qbRjgvasCY+1CFPJo9nnwsF49HOD5wZ3ZsJNiE7weFFKFZtT0ZJSUCTHYcbwAI62Pw
xFAQ9xWyLL4UdjjwQEALwuMHsADjKrmZJTqfQ2+4ilqADrzjmqU3hPA+7LVUFNkFRfmY
B/Ow==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=s1 header.b=ythgTo4+;
spf=pass (google.com: domain of bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com designates 167.89.64.95 as permitted sender) smtp.mailfrom="bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=namecheap.com
Return-Path: <bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com>
Received: from o6.mailservice.namecheap.com (o6.mailservice.namecheap.com. [167.89.64.95])
by mx.google.com with ESMTPS id q132-20020a815c8a000000b004fd32b6075dsi12268336ywb.116.2023.02.12.13.21.36
for <[my_mail]>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Sun, 12 Feb 2023 13:21:36 -0800 (PST)
Received-SPF: pass (google.com: domain of bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com designates 167.89.64.95 as permitted sender) client-ip=167.89.64.95;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=s1 header.b=ythgTo4+;
spf=pass (google.com: domain of bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com designates 167.89.64.95 as permitted sender) smtp.mailfrom="bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=namecheap.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=namecheap.com; h=content-type:from:list-unsubscribe:mime-version:subject:reply-to:to: cc:content-type:from:subject:to; s=s1; bh=5MLgTLrZB0u3RqAQCStwUI5dGjMMNfLn7ZSO3geJAnk=; b=ythgTo4+iQ/nQOitKZGKF28zU6G9lG8+FsJ/NRZ/QXINc8XV5jDxHBXf4vWQjhDzu8xh EjXnml9zYCNktsRYA2kNosXZaeCJPNDUgaDh3hD81YCueLwazlffCCXDEbjmjc7wk0TZgk qu76uksj2q8Sd8n+1j0NDr16LOV0Q0h7jh/V4hRbg8ffiDmtol42IOOEX4h1V+AECpYcrV a4Z3q10/72Gf3XClDeMBkV8spyjs7lG8JyuPVZsy5PIMfGSdxA4ODZav4tPgOvUzS4fY5P MYkTPyWDXyzzflgeXWQuK0+IF/21xOVeQsoEXOc8e1EMXSVGUP5XvTBg0Uen9O9g==
Received: by filterdrecv-b79bb7454-xcf6j with SMTP id filterdrecv-b79bb7454-xcf6j-1-63E9585F-68
2023-02-12 21:21:35.774950246 +0000 UTC m=+181305.375421437
Received: from NDc5Mzc2Mw (unknown) by geopod-ismtpd-5-1 (SG) with HTTP id iMbMpeRzStOHPFrYXY7ilw for <[my_mail]>; Sun, 12 Feb 2023 21:21:35.707 +0000 (UTC)
Content-Type: multipart/alternative; boundary=f0f40b2bef6c62308fe702efeef447e1b23e2fbac9576460ad841833ad94
Date: Sun, 12 Feb 2023 21:21:35 +0000 (UTC)
Feedback-ID: 8288221:6168579:9774:iterable
From: "contact ." <[email protected]>
List-Unsubscribe: <https://links.namecheap.com/e/encryptedUnsubscribe?_r=9a766a4fa5294d089b01463bac20344b&_s=685fbf8d22a8421a95c168e93916e61f&_t=LJxzL8ZXnPxXCE_Kdn_vUmnC7fdvIr9qcVldWW2CqyZAfKw0X0CW4DhaGdQ1b8wXr-ibEoEvd04aU8jOeqFulcsXFGISKh7l_--Z6tE2A5Y=>,<mailto:[email protected]>
Mime-Version: 1.0
Subject: MetaMask : Your wallet is about to be suspended
X-Campaign-ID: 6168579
X-Message-ID: 685fbf8d22a8421a95c168e93916e61f
Message-ID: <iMbMpeRzStOHPFrYXY7ilw@geopod-ismtpd-5-1>
Reply-To: [email protected]
X-SG-EID: Sf/6gCYo6POogvTNeXQAUzuhmXXiY87VJrtPmjowdxcnfIoiiBzj+ETkhZGZDH6sNJMxo5N6KSgz1KVpBNNeXyVTYMIc/872sN3zsHmg6OTpcF48786LQ9oosrBa7X7eZUH1vRFT99T7UY+psJX4VDmFrCCdv8uhTvriG5RKEXtURiWQ/G6H76FR+DNWtVOb8yeQMRBYeJclrEFpqGGUS8b5nV0MQ81knBl8jngQJqU=
X-SG-ID: N2C25iY2uzGMFz6rgvQsb8raWjw0ZPf1VmjsCkspi/IARr5ApfQLGQYXi0KvHQ0z32Z/Xww8RCO+g+UQxQyQwD8nqfalxxxSXPrzzNr3pDyUfT2Mjz/Rg7yupzSi4u2IkbJGO7iOjw2ujQBua7la45RNbNYx+HESYUWPZfz9Jwtan4IT2ZWk0TFl6bxL6fyxhfcLb7GOGBYIl95ttL4aWg==
To: [my_name] <[my_mail]>
X-Entity-ID: nYXv3xAQEE15JmfKP56ELQ==
Can you compare this with other emails from nc:

Message-ID: <iMbMpeRzStOHPFrYXY7ilw@geopod-ismtpd-5-1>
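
The comparison asked for in the reply above, sketched as an added example that is not part of the original thread. `fingerprint`, `triage` and `WATCHED_BRANDS` are hypothetical names, the addresses are placeholders, and the baseline message is constructed on the assumption that earlier legitimate mail took the same sending path:

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: header values copied from the dump posted in the thread,
# signature blobs dropped, addresses replaced by placeholders.
SUSPECT = """\
Authentication-Results: mx.google.com; dkim=pass header.s=s1;
 spf=pass smtp.mailfrom=mailserviceemailout1.namecheap.com;
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=namecheap.com
Return-Path: <bounces+0000@mailserviceemailout1.namecheap.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=namecheap.com; s=s1
Feedback-ID: 8288221:6168579:9774:iterable
From: "contact ." <redacted@namecheap.com>
Subject: MetaMask : Your wallet is about to be suspended
Message-ID: <iMbMpeRzStOHPFrYXY7ilw@geopod-ismtpd-5-1>

"""
# Assumption: an earlier legitimate mail with identical sending-path headers.
BASELINE = SUSPECT.replace("MetaMask : Your wallet is about to be suspended",
                           "Your domain renewal reminder")
WATCHED_BRANDS = ("metamask", "dhl")  # brands named in the thread's phishing mails

def tags(value):
    # Split a 'k=v; k=v' header value (here DKIM-Signature) into a dict.
    pairs = (p.strip().partition("=") for p in value.split(";"))
    return {k.strip(): "".join(v.split()) for k, sep, v in pairs if sep}

def fingerprint(raw):
    """Sending-path attributes that stay stable across one sender's mail."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    dkim = tags(msg.get("DKIM-Signature", ""))
    domain = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    return {
        **dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        "from_domain": domain("From"), "return_path_domain": domain("Return-Path"),
        "dkim_d": dkim.get("d"), "dkim_s": dkim.get("s"),
        "feedback_sender": msg.get("Feedback-ID", "").rpartition(":")[2],
        "msgid_host": domain("Message-ID"),
    }

def triage(raw, baseline_raw):
    fp, base = fingerprint(raw), fingerprint(baseline_raw)
    subject = message_from_string(raw).get("Subject", "").lower()
    return {
        "auth_all_pass": all(fp.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "infra_drift": sorted(k for k in fp if fp[k] != base.get(k)),
        "foreign_brands": [b for b in WATCHED_BRANDS
                           if b in subject and b not in fp["from_domain"]],
    }
```

With these inputs every authentication check passes and no sending-path field drifts from the baseline, so only the content-level brand check separates the mail from ordinary Namecheap mail.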
 
I wonder if the _r token in the unsubscribe link is personalised - if yes, then it's the same that I have in all their previous (legitimate) mails.
 
Apparently, someone already lost money on this:


Not sure why people just click links... An email from Namecheap regarding your MetaMask wallet (two unrelated things) should instantly raise suspicions.
 
I received the same from two suspicious emails @namecheap !!


Statement from Namecheap:

https://www.namecheap.com/status-updates/archives/74848

The most important part:

"your products and account details are not affected by this issue."
This is kind of a big deal.

Dear Customers,

We have evidence that the upstream system we use for sending emails is involved. We have stopped all the emails and contacted our upstream provider to resolve the issue.


As a result, some unauthorized emails might have been received by you.

Please ignore such emails and do not click on any links. We are currently investigating the situation.

Once we have any news from the responsible team, this post will be updated right away.

Please rest assured that your products and account details are not affected by this issue.

We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.
 
This is kind of a big deal.

Yes, that part is important but at least we know that Namecheap itself hasn't been hacked.
 
I received those same emails too. But didn't click. So, I headed to Namepros right away to check any updates about this.

So it was only the email service that got hacked.

Regardless, I'm still moving my domains out of Namecheap. :xf.grin:
 
This is kind of a big deal.
Yes, if they have been hacked, and now emails are being sent, that is a big deal.

So Namecheap is indicating that it is an upstream provider security issue?

Perhaps they should also check for potential hacking involving their recurrent Fast Transfer authorizations showing up unexpectedly. This has been a recurrent problem recently for me, including at present. Since it involves domains also showing up unexpectedly at GoDaddy auctions and Afternic, there is certainly a security concern here.

Not a good day for Namecheap. Hopefully they are able to quickly rectify both situations.
 
I hope no one became a victim of this phishing email. I almost clicked it, but I realized my Metamask is using my other email. I had a valuable NFT given by my boss there, it was bought for a sum of money, so it made me panic. And after checking it, the email is from namecheap 😃..

Others got the email from [email protected] and I got it from [email protected]. Namecheap should investigate their new employee, just to make sure no one internal is doing something bad. It seems it was sent by 2 different emails from Namecheap.
 