At First I Thought Someone Was Trying to Scam Me Out of My Domain Name
I received an interesting email where I thought an elaborate phishing attempt was going to take place, but it turns out it was DNS again.
A couple of years ago I ended up accidentally serving 300k+ pirated books on a sub-domain that I forgot to remove an A record for. That was a fun lesson in always removing DNS entries for IP addresses that you no longer control.
The other day I received an email that grabbed my attention, and it made its way into my Gmail inbox with no warnings.
Email subject: Domain Takeover Request: www.example.org
For the privacy of the person who emailed me, I’m replacing their real domain name with example.org throughout this post and using a fake first and last name for them.
After reading the subject I thought maybe they wanted me to buy their domain, which would have been weird. Then I started to fantasize that maybe Example wanted to offer me 50 million dollars for my domain so they could take ownership of it under their name.
The Initial Email Address
Good afternoon Nick,
My name is Devin and I am the COO of a small 501c3 nonprofit, Example. I am reaching out to you as we’d had a brief hiatus in operations, especially with our Tech Officer who is no longer with the company.
During this time, our management of our web domains [including www.example.org] lapsed. You appear to be the new owner of that domain. I was reaching out to see if you were willing to part with it and transfer it back to us so we can continue our operations.
I’m happy to talk more about what we do and / or answer any questions.
Thank you in advance,
It definitely didn’t look like a scam, but I was still skeptical at this point.
Carefully Taking a Look at Their Site
They linked their site so I checked it out, but I’m not a maniac, and I do run Windows, which means I’ve had 20+ years of training never to click an unknown link in an email.
So within WSL 2 I decided to curl the address with curl example.org. It responded with:
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
Ok, so I need to tell curl to follow redirects. That’s easy enough with curl -L example.org, to which it replied:
curl: (6) Could not resolve host: mlist.nickjanetakis.com.
My Gut Says Someone Is Going to Try and Scam Me
My gut reaction was that this was about to be a conversation that ends quickly with me saying I don’t own the domain, and that would be the end of it. Or maybe they would follow up with some scheme to get me to transfer my nickjanetakis.com domain to them.
His email looked really natural but there were things that left me very curious. For starters, the “from” address came from example.org (the same email in his signature) and the raw email headers showed that both SPF and DKIM verification passed from that domain.
So that set off warning bells in my head: if he didn’t own the domain anymore, how was he sending me emails from it that passed SPF and DKIM?
mlist.nickjanetakis.com is a sub-domain that I recently decommissioned. It was an old newsletter service, but I learned my lesson from the PDF books to immediately remove the A record when I decided I was taking that app offline.
So then I started to think about scenarios where maybe someone was monitoring the mlist sub-domain’s A record, since it’s public info. It was in the HTML source of any page that had an email sign up form.
Since I recently removed that record, maybe they were trying to confuse me.
I figured maybe they set up a domain level redirect on example.org to mlist.nickjanetakis.com in hopes of hooking me into their elaborate scam after mlist’s A record changed. That didn’t seem impossible at first glance.
Replying Back to Them and Getting a Response
Since I thought I was being scammed, I sent a pretty cold response.
I think you have the wrong person. I do not own that domain.
In my mind, this is a really harsh reply. Normally I’m super open to help anyone who emails me unless they are blatantly spamming me or trying to con me.
Then Devin replies back in 30 minutes (on a Saturday) with:
Sorry about that! When I typed in that URL, it was automatically redirected to your site so I’d assumed you’d picked it up.
Sorry for the confusion.
Well, that was pretty unexpected. I anticipated either not getting a response or some crazy plan to slowly convince me to unlock my domain and “temporarily” transfer it to them so they could regain control over example.org.
I replied back with:
Anyone can redirect any domain to another domain without permission from the redirect recipient.
I’m not sure why anyone would redirect your old domain to a sub-domain I don’t use anymore.
Honestly when you first emailed me, I thought it was some type of phishing scam to attempt to get me to transfer my domain to you, especially since you’re emailing me with a DKIM verified address on the domain you claim no ownership over.
My thought process is that this could be a 200 IQ move on his part: coming off as legit by acting unsure of what’s going on, to somehow gain my trust. So I’m still a little skeptical. Of course I would never end up transferring my domain to him, but I’m a really curious person. I genuinely enjoy solving mysteries and understanding things in detail.
About 2 hours later Devin replies with:
That’s fair enough. Looks like I have a bit to learn in this space for sure.
Definitely didn’t consider this looking sketchy but I appreciate you responding and clearing it up for me.
I was hoping to avoid going the whole domain broker route but that seems to be the ticket.
Ok, now I’m 99.99% convinced he’s not trying to scam me, and he really lost his domain and wants it back. His wording is so genuine, and I feel for him with the whole domain broker bullshit; I imagine it’s a lot worse for someone who isn’t technical.
I reply back with:
You can always do a WHOIS on your domain, such as: https://who.is/whois/example.org
But WHOIS privacy will hide the owner’s contact details. You might be able to email the address there and it may get redirected to the real owner. It’s not guaranteed they will read it, but it’s a start without having to go through a broker.
Another option is to hit up the Wayback Machine at https://web.archive.org/web/*/https://example.org and see what the site looked like in the past in hopes of finding a trace of an email to contact.
I actually did the above just to see, and it looks like sometime between October 2016 and April 2017, for some reason, your domain started to redirect to one of my subdomains.
Funny enough I put up the server for my site in Nov 2016.
I’m not really sure what happened, but maybe it has to do with IP recycling. In other words, the server I rented to host the page your domain is redirecting to has a specific IP address. But I didn’t have ownership of that IP address prior to Nov 2016. Maybe someone who owns your example.org domain today set up a redirect to that IP address in the past which used to point somewhere else but now points to my domain.
I pretty recently decommissioned the subdomain that Example is redirecting to, so maybe there’s some long lived DNS caching happening. It’s not impossible, but I’m not 100% sold on this theory; it’s my best guess given the timeline matches up so well.
I’ll admit, the DNS cache thing was a bit of a stretch. I probably should have given more thought to it before replying, but as soon as I determined he wasn’t scamming me I felt compelled to help.
Since I wasn’t 100% sure what was going on, I spent ~10 minutes piecing things together.
Doing a Bit of Investigation
The first thing I did was dig A example.org to see if there was an A record pointing to the IP address where mlist.nickjanetakis.com used to live. That would have been the exact issue I had with the PDFs a few years ago, except now it was someone else’s mistake.
;; QUESTION SECTION:
;example.org. IN A
Turns out, it was empty. The domain had no A record attached to it.
That was sort of unexpected at first glance.
Then I started to think, ok, how is his domain forwarding to a sub-domain that I removed the A record for a week ago? There’s no way DNS is being cached for this long.
Then I logged into my DigitalOcean control panel and noticed the server that was running mlist.nickjanetakis.com is still up; there’s just no DNS record attached to it. This was on purpose. My new service is running on a different server with a different sub-domain, but I still wanted to keep my old server around for a few weeks before deciding to destroy it.
This way if things went crazy with the new one, I could swap things over to the old server.
That made me think about my PDF adventures from years ago, so I decided to go to https://MY_DIGITALOCEAN_IP and was greeted with a redirect to mlist.nickjanetakis.com.
Ah, now things are starting to make sense. On the old server, I disabled all cron jobs that could have potentially sent out emails but I did leave nginx running.
This was a server I set up almost 4 years ago with Ansible, so the nginx configuration wasn’t fresh in my memory and I took a look at it. Yep, I had a redirect set to ensure that going directly to the IP address of the server redirects you to mlist.nickjanetakis.com.
That redirect is a good idea because anyone who visits your IP directly gets sent to your domain, so your site is always served from a single canonical name with a valid SSL certificate, such as foo.com or www.foo.com depending on your preference.
Looking back I should have stopped nginx on the old server once the new server was up and running, but since I used different sub-domains I didn’t think about it.
If it had been stopped, I never would have gotten emailed by Devin, because going to the IP address directly would have resulted in a “Failed to connect, connection refused” message with no hint of my domain.
Ah, So That’s What Happened
I can’t say with 100% certainty what’s going on, but since there’s no A record on example.org pointing to my old server’s IP, I can only guess there’s a domain level redirect set up to send example.org to my old server’s IP address directly.
I also decided to dig MX example.org and, yep, there were all sorts of records there, so the domain’s mail setup was still intact. That likely explains why Devin could still send email from the domain and why it authenticated: SPF and DKIM passing only tells you the mail went out through whatever the domain’s DNS still authorizes, not who currently holds the registration.
Armed with that knowledge, I think this is a case where whoever ended up owning example.org forgot to update that redirect and the other DNS records, so we’re back to another case of DNS and IP recycling causing headaches and confusion.
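A small audit in that spirit, added here as an example and not the author’s code: it parses a constructed zone export (hostnames and addresses are made up, and the FORWARD line is not a real DNS type; it stands in for a registrar-level domain forwarding entry like the one inferred above) and flags every A record or forward that references an IP outside the set of addresses you currently control, which is exactly the dangling reference behind both the PDF incident and Devin’s lost domain.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed zone export (not real records). Columns: "name TYPE value", '#' starts
# a comment. FORWARD is not a DNS type: it stands in for a registrar-level "domain
# forwarding" entry like the one the post concludes example.org still had.
ZONE = """
example.org.        MX       10 mail.example.org.
www.example.org.    A        203.0.113.10   # server returned to the provider, IP recycled
mlist.example.org.  A        198.51.100.7   # server still rented, only decommissioned
example.org.        FORWARD  http://203.0.113.10/
"""
OWNED_IPS = {"198.51.100.7"}  # constructed: addresses currently allocated to us

@dataclass(frozen=True)
class Finding:
    name: str
    kind: str
    target: str
    reason: str

def parse_records(text: str) -> list[tuple[str, str, str]]:
    """Parse 'name TYPE value' lines; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, kind, value = line.split(None, 2)
            records.append((name.lower(), kind.upper(), value.strip()))
    return records

def ip_literal(url: str) -> str | None:
    """Return the URL's host if it is a bare IPv4 literal, the only case handled here."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None
    return host

def audit(records: list[tuple[str, str, str]], owned: set[str]) -> list[Finding]:
    """Flag A records and forwards that reference an IP outside `owned` (dangling)."""
    findings = []
    for name, kind, value in records:
        if kind == "A" and value not in owned:
            findings.append(Finding(name, kind, value, "A record points at an IP you no longer control"))
        elif kind == "FORWARD" and (ip := ip_literal(value)) and ip not in owned:
            findings.append(Finding(name, kind, value, "forward targets an IP you no longer control"))
    return findings
```

Calling audit(parse_records(ZONE), OWNED_IPS) on the constructed zone returns two findings, the www.example.org. A record and the example.org. forward, both pointing at the recycled 203.0.113.10, while the still-rented mlist server is left alone.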
So then I sent a follow up reply to Devin with:
Ok, I think I confirmed what I wrote in my previous email really happened.
While mlist.nickjanetakis.com is down (I removed it a week ago), the IP address that it is assigned to is still up at http://MY_DIGITALOCEAN_IP, and I configured my web server to automatically redirect MY_DIGITALOCEAN_IP to mlist.nickjanetakis.com and that errors out because it doesn’t exist anymore.
So now I’m 100% sure whoever owns your domain has a domain level redirect set up to point example.org to MY_DIGITALOCEAN_IP directly, which they no longer have control over because when they shut down their server I ended up getting that IP address when I rented a server from the same company.
These are low level technical details, but I’m happy the mystery is solved. Sorry I can’t do anything about it; it’s out of my control. Your only options would be to try emailing the private email in the WHOIS info, maybe contact https://REGISTRAR_COMPANY directly, because that’s the company that’s responsible for registering your domain, and see if you can get any info from them, or attempt to use a domain broker.
It’s now been almost 72 hours and Devin hasn’t replied back. I hope he gets his domain back at a fair price. It really stinks losing a domain to squatters or other inactive entities.
Has something like this ever happened to you? Let me know below!