Suspicious message from CIRA contact form?

Topic starter: Nafti
Replies: 20
Views: 3,253

Nafti
Member, DN.ca Supporter
Joined Nov 11, 2020
Just received 2 suspicious messages (5 minutes apart) on 2 of my premium .ca’s. The Whois on both domains is private. Both domains are also at different registrars.

Has anyone else here received something similar or the same?

I will not be replying to either one of the messages.

[attached screenshot: 1714144187869.jpeg]
 
Got one too... this is a real person working at an Ottawa-based company, so I'm not sure if it's CIRA testing their system, or malicious?

Either way, not good, as I thought the contact form at CIRA was meant to keep out these types of emails.

https://www.linkedin.com/in/tarek-galleze/

His specialty is "Penetration Testing" 🤷‍♂️
 
The message above is a legitimate request through the Message Delivery Form. CIRA does not audit or monitor the content of these messages, but we do verify the email address of the sender before sending the message to the registrant email on file. The process is something like this: the requestor fills in the MDF and includes their email address; CIRA sends a validation request to the requestor's email address; if the verification link is clicked within 7 days, then the message is forwarded to the registrant.
 
Thanks for the explanation richard.schreier @richard.schreier

Is there ever a point where CIRA flags these messages as SPAM? For example, if hundreds of contact form messages are sent from the same email, with no discernible message, or something suspicious like the one above: "reply safely (phishing)".
 
When anyone uses a +4 or any + derivative in an email address, they are probably sending multiple emails.

So if dn.ca restricted ted@tedsfries.ca, then if they are using Gmail or Workspace they could sign up again with Ted+4@tedsfries.ca or even t.ed@tedsfries.ca, because Gmail also ignores periods.

There are so many ways to use the same email address, and you have to pay attention to the periods and plus signs; that is a dead giveaway there may be something untoward happening.
 
Technically a plus sign is NOT a valid character in any email address. Google allows it as a special case and ignores ALL numbers or characters beginning with the +. Google also ignores all dots. So:

I.am.a.spammer@gmail.com
iamaspammer@gmail.com
iamaspammer+1@gmail.com
iamaspammer+2@gmail.com
etc etc.

These are all the exact same email address!

This allows the owner to circumvent any throttling restrictions that might be based on email address. According to richard.schreier @richard.schreier though, CIRA doesn't throttle on email address, only IP address (which also can be circumvented with a VPN).

But clearly, based on the random emails sent, the subject line and the body of the messages indicate this person is up to no good. It's almost as if he was setting up a script to automate spamming of the contact form and they accidentally let it run longer than they intended to with the test message.

They might have thought it was a way to get a bunch of eager domainers (hoping for a sale) to click on their link and visit their website... People will do any scam they can automate to trick people into visiting their website.
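The thread's point about dot and plus variants is the practical one for anyone running a contact form: if the throttle key is the raw address string, one Gmail mailbox can present as dozens of "different" senders. The following is an added example (not CIRA's or dn.ca's code) showing how a form operator could canonicalize sender addresses before rate-limiting, and how a burst detector over a constructed submission log then collapses the variants back to one actor. The provider tables and the sample log are assumptions constructed for the example; Gmail's dot/plus behaviour is documented by Google, the other plus-addressing domains are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed provider tables for this example (assumption, not a CIRA list).
# Google documents that gmail.com ignores dots and "+tag" suffixes in the
# local part; googlemail.com is the same mailbox namespace.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}
# Providers assumed here to deliver "user+tag@" to "user@" (plus-addressing).
PLUS_TAG_DOMAINS = DOT_INSENSITIVE_DOMAINS | {"outlook.com", "hotmail.com", "fastmail.com"}


def canonical_sender(address: str) -> str:
    """Return a throttling key under which Gmail-style variants collapse.

    Dot and plus stripping is applied only for domains known to treat them as
    aliases; for any other domain the local part is kept (case-folded only),
    since "a.b@example.org" and "ab@example.org" may be different mailboxes.
    Google Workspace custom domains are not recognised by name, so the same
    user on such a domain is not collapsed (a limitation of a domain table).
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {address!r}")
    local, domain = address.rsplit("@", 1)
    # RFC 5321 leaves local-part case to the receiving host; the major providers
    # fold it, and for a rate-limit key folding is the safer choice.
    local, domain = local.lower(), domain.lower()
    if domain == "googlemail.com":
        domain = "gmail.com"
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def flag_bursty_senders(submissions, limit=5, window=timedelta(hours=1)):
    """Group form submissions by canonical sender and report abusers.

    `submissions` is an iterable of (timestamp, raw_sender) pairs. A sender is
    flagged when more than `limit` submissions fall inside any sliding
    `window`. The report also counts distinct raw spellings of the address,
    because many spellings of one mailbox is itself a strong abuse signal.
    """
    times_by_key = defaultdict(list)
    spellings_by_key = defaultdict(set)
    for ts, raw in submissions:
        key = canonical_sender(raw)
        times_by_key[key].append(ts)
        spellings_by_key[key].add(raw.strip().lower())

    flagged = {}
    for key, times in times_by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[key] = {"peak_in_window": peak,
                            "distinct_spellings": len(spellings_by_key[key])}
    return flagged


# Constructed sample log: one actor rotating Gmail variants, two benign senders.
T0 = datetime(2024, 4, 26, 9, 0)
SAMPLE_SUBMISSIONS = [
    (T0 + timedelta(minutes=0), "I.am.a.spammer@gmail.com"),
    (T0 + timedelta(minutes=5), "iamaspammer@gmail.com"),
    (T0 + timedelta(minutes=10), "iamaspammer+1@gmail.com"),
    (T0 + timedelta(minutes=15), "iamaspammer+2@gmail.com"),
    (T0 + timedelta(minutes=20), "i.amaspammer+3@googlemail.com"),
    (T0 + timedelta(minutes=25), "IAMASPAMMER+4@gmail.com"),
    (T0 + timedelta(minutes=30), "a.b@example.org"),
    (T0 + timedelta(minutes=35), "ab@example.org"),
    (T0 + timedelta(hours=3), "iamaspammer@gmail.com"),  # outside the window
]

if __name__ == "__main__":
    for key, info in flag_bursty_senders(SAMPLE_SUBMISSIONS).items():
        print(f"{key}: {info}")
```

On the sample log the six Gmail spellings collapse to one key with a peak of six submissions in the hour, while the two example.org addresses stay distinct and unflagged. The design choice worth noting is that normalization is provider-scoped: stripping dots from every domain would merge genuinely different mailboxes, so the table only encodes behaviour the provider is known to have, and a per-IP throttle (which the thread notes can be sidestepped with a VPN) is still a useful second key alongside this one.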
 
Confirmed, a testing process that went awry. Here is the official text those of you that received emails will get as an explanation:

"You may have received an email from the CIRA Registry Platform over the past two days with the subject line: subjecTest with a link to softwaresecured.com. This message was part of a test of our system and was sent in error.

The Registry system is functioning normally and there has been no security incident or malicious activity related to this error.

We apologize for the inconvenience."
 
That’s good to know and we can now rest well.

Thanks richard.schreier @richard.schreier
 
