Suspicious message from CIRA contact form? (1 Viewing)

Nafti

Member
Joined
Nov 11, 2020
Topics
78
Posts
1,102
Likes
749
Just received 2 suspicious messages (5 minutes apart) on 2 of my premium .ca’s. The Whois on both domains is private. Both domains are also at different registrars.

Has anyone else here received something similar or the same?

I will not be replying to either one of the messages.

1714144187869.jpeg
 
Got one too... this is a real person working at an Ottawa-based company, so I'm not sure if it's CIRA testing their system, or malicious?

Either way, not good as I thought the contact form at CIRA was meant to keep out these types of emails

https://www.linkedin.com/in/tarek-galleze/

His specialty is "Penetration Testing" 🤷‍♂️
 
The message above is a legitimate request through the Message Delivery Form. CIRA does not audit or monitor content of these messages but we do verify the email address of the sender before sending the message to the registrant email on file. The process is something like... requestor fills in the MDF and includes their email address.... CIRA sends a validation request to the requestors email address.... if the verification link is clicked within 7 days, then the message is forwarded to the registrant
 
We also impose limits as to the number of requests that can be made for a specific domain and from a specific IP address in a 24 hour period
 
Thanks for the explanation @richard.schreier

Is there ever a point where CIRA flags these messages as SPAM? For example if 100's of contact form message are sent from the same email - with no discernible message - or something suspicious like the one above "reply safely (phishing)"
 
@LCM the MDF process does not look at content or perform any kind of filtering, we only do volume constraining as mentioned above.
 
When anyone uses a +4 or any + derivative in an email address they are probably sending multiple emails.

So if dn.ca restricted ted@tedsfrries.ca then if they are using Gmail or workspace they could sign up again with Ted+4@tedsfries.ca or even t.ed@tedsfries.ca because Gmail also ignore periods.

There are some many ways to use the same email address and you have to pay attention to the periods and plus signs, that is a dead give away there may be something untoward happening.
 
I also received 8 of these today between 10.25-10.30 am
 
From the same email I listed from my screenshot?

Mine was between 10:24-10.29.
Yes. Everything from the same sender but for different domains and with the same message in the "Message" section.

CIRA Emails.jpg
 
Technically a plus sign is NOT a valid character in any email addresses. Google allows it as a special case and ignores ALL numbers or characters beginning with the + . Google also ignores all dots. So:

I.am.a.spammer@gmail.com
iamaspammer@gmail.com
iamaspammer+1@gmail.com
iamaspammer+2@gmail.com
etc etc.

These are all the exact same email address!

This allows the owner to circumvent any throttling restrictions that might be based on email address. According to @richard.schreier though, CIRA doesn't throttle on email address, only IP address (which also can be circumvented with a VPN).

But clearly though, based on the random emails sent, the subject line and the body of the messages sent indicate this person is up to no good. Its almost as if he was setting up a script to automate spamming of the contact form and they accidentally let it run longer than they intended to with the test message.

They might have thought it was a way to get a bunch of eager domainers (hoping for a sale) to click on their link and visit their website... People will do any scam they can automate to trick people into visiting their website.
 
All, we are investigating the Message Delivery Form emails some of you have been receiving and it would appear there was a testing process by a third party that went awry. Once we have the details we will reach out to each of you individually and will post here
 
Confirmed, a testing process that went awry, here is the official text those of you that received emails will get as an explanation

"You may have received an email from the CIRA Registry Platform over the past two days with the subject line: subjecTest with a link to softwaresecured.com. This message was part of a test of our system and was sent in error.

The Registry system is functioning normally and there has been no security incident or malicious activity related to this error.

We apologize for the inconvenience."
 
Confirmed, a testing process that went awry, here is the official text those of you that received emails will get as an explanation

"You may have received an email from the CIRA Registry Platform over the past two days with the subject line: subjecTest with a link to softwaresecured.com. This message was part of a test of our system and was sent in error.

The Registry system is functioning normally and there has been no security incident or malicious activity related to this error.

We apologize for the inconvenience."
That’s good to know and we can now rest well.

Thanks @richard.schreier
 

Sponsors who contribute to keep dn.ca free for everyone.

Sponsors who contribute to keep dn.ca free.

Back