News

NameCheap.com - Spam-Friendly Provider, hosting GetMyBusinessFundedNow[dot]com

UPDATE 2018-06-28: see the follow-up post here.

Another day, another large hosting provider knowingly providing service & support to spammers, by turning a blind eye to spam complaints. The latest provider to demonstrate that behaviour? NameCheap.com.

Since earlier this year, a site that we manage has received repeated, persistent spam EMails hawking small-business loans, via links using a number of different, but similar domain names. Rather than sending the links in regular EMails, these spammers were instead using the website's contact form - a common trick used by some types of spammers, to evade spam filters (typically it's much more difficult to block contact form spam, because the actual EMails come from your own server) - which also makes it harder to report the spammers, since you can't do so using automated/turnkey services like SpamCop. But these spammers managed to get my attention thanks to their persistence (at one point, we were receiving daily contact form spam from them), so I started attempting to track down where the spam-vertised sites were hosted. Which brings us to the main topic of this article: NameCheap.com, the company providing hosting service to the spam support site advertised in the most recent example.

Read on for the details of NameCheap's response (or rather the utter lack thereof) when we attempted to report the issue to them.

We took the standard steps to determine where the spam support site was hosted: first looking up the IP address of the server hosting it, 192.64.119.159 - and then looking up that IP address in a geolocation service that also also lists the owner of the IP address: in this case, the owner is listed as "Namecheap Inc." Being familiar with NameCheap & knowing them as a fairly large, reputable (by and large) provider, we decided to report the issue to them & looked up the contact information for their abuse department. We then sent copy of the full spam message to their primary abuse reporting address, abuse@namecheap.com, including the offending links to the spam support site hosted on their servers. That was on November 1st... after 5 days with no response whatsoever, we sent a follow-up through their support ticket system. That was 4 days ago, on November 6th - and the response since then? The best way to illustrate that is with a screenshot of the replies/history for that support ticket:

That's right, after 9 days, the only messages under that ticket are the ones from us - with no response whatsoever from NameCheap staff. The ticket is listed as not even having been assigned to one of their staff - which, if you're familiar with Kayako Fusion (the support ticket software they appear to be using), means there's a very good chance that the ticket hasn't even been looked-at yet. And suffice it to say, nothing has been done about the offending spam-support site: GetMyBusinessFundedNow[dot]com is still online, and still hosted on NameCheap's servers. At this point, it looks like NameCheap belongs in the steadily-growing list of large providers who are spammer-friendly in practice, if not in official policy: such as OVH, BlueHost, Google/GMail, and Microsoft/Hotmail. They're a great choice for spamming & hosting spam-support sites, but they should be avoided for anything else - for the same reasons that it's a bad idea for a legitimate business to setup shop in a neighbourhood that's full of crack houses.

UPDATE 2018-06-28: see the follow-up post here.






Comments

Perry on December 11 2017

Did they follow up with you on this? I have also come across problem with NameCheap spam. All they do is threaten you with a lawsuit if you report spam.

Nunya on February 13 2018

I guess they’re not very scared of threats from a nobody.

StephenB on February 19 2018

@Nunya - I guess this post hit a nerve, eh? I’m curious: do you have any actual reason to be an apologist for Nameacheap, or is there just nothing better to do when you live in McKinney, Texas?

len on June 24 2018

NameCheap is a great service for spammers; the company is willing to turn a blind eye while these creeps carry out their illegal campaigns using NameCheap’s servers. Since January, I have reported 31 sites connected to NameCheap (I can provide the full list if you would like). These sites bombard people with hundreds of email messages per day, use spoofed email addresses, contain bogus opt-out links that go nowhere, and violate dozens of laws and industry best practices, yet NameCheap does nothing about them as long as they pay their bills. No wonder they can charge so little for their services; the spammers must pay them enough to more than make up for it.

StephenB on June 25 2018

@LEN - sadly, that’s been my experience as well. I have a few posts in the works, following-up on this one - the absurdly-slow response time to abuse complaints was bad enough, but it turned out to be just the tip of the iceberg. When they finally DID respond, they repeatedly claimed that the sites weren’t hosted with them - turns out that the spammers were using full-page frames/iframes to embed spam content from other websites. And Namecheap is perfectly happy to accept that as a defense/hide behind that as an excuse to continue providing service to spammers: even though the spam URLs are hosted on their servers, they claim it’s not their responsibility because the actual spam-support content is hosted elsewhere & just embedded via frames/iframes.

Even just getting to that point is an uphill battle, thanks to the stunning incompetence of Namecheap’s support/abuse-handling staff. First, they’ll likely misunderstand the most basic aspects of the complaint & insist that issue isn’t their responsibility because the EMail didn’t come from their servers - even if you clearly indicate that you’re reporting a spam-support website instead and not the EMail itself. Then they’ll insist that the site isn’t hosted with them, despite the fact that the domain is pointing at their nameservers & resolves to an IP address that they control. And most of the time, they’ll further misunderstand the problem by claiming that they can’t suspend the domain registration - despite that not being the issue in question, and not being necessary to actually address the issue.

Apparently, the ability to understand the difference between EMails, websites, and domain names is completely optional for working in Namecheap’s support department. And that’s being generous, assuming that they’re not being deliberately-obtuse for the purpose of being obstructionist.

Even when I’ve reported spam-support sites that were entirely hosted on their servers (rather than hosted elsewhere & embedded via frames), their response fell well below the standards of most other large providers I dealt with: their spammer customer disabled the individual URL that was advertised in the spam EMail, while leaving the rest of the obviously-spammy site unchanged - and Namecheap considered that sufficient to resolve the issue. This meant that their customer was free to continue spamming links to other URLs on the same site - and it took Namecheap weeks to do even THAT much, so their spammer customer had probably long-since switched to spamming a different URL since then.

To top it all off, there’s Namecheap’s CEO - Richard Kirkendall… He was quoted in a recent KrebsOnSecurity.com article about new TLDs that are apparently very popular with spammers & scammers (which, unsurprisingly, Namecheap is one of the biggest providers of). He came off as an angrily-defensive child, accusing Krebs of making an “irresponsible assumption” - THEN he jumped into the article’s comments, accusing people who criticized Namecheap of “wild accusations,” and literally referring to anti-spam advocates as “nazis”.

https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/#comments

Seems like a REAL classy guy!

Andrew on April 26 2019

NameCheap is truly a haven for the worst of the spam groups.  I’ve been dealing with them for almost a year now regarding a group of domains that are registered through NameCheap and have email services through their company.  NameCheap refuses to comply with their own advertised policies.

They have a client sending porn spams to children and advertising a domain registered thru NameCheap along with providing an email server.  Since the spammer is using various hacked servers to send out the millions of spams we find that NameCheap turns a blind eye to this, and allows them to continue to spam.  The same is true with a series of advance fee fraud spams, where this same group was posing as Warren Buffett.  NameCheap refused to act to stop their client from committing crimes, even though they were fully aware of the crimes happening through their services.

Their response to my multiple complaints about the porn spams to my child? 
“Please be informed that such issues are investigated by hosting providers but not registrars. We do not have the ability to check server logs and confirm that the domain is indeed involved in sending unsolicited bulk emails. We will be able to suspend the domain only in case we receive a corresponding court order or a complaint from an official organization, such as Spamhaus, SpamCop, SURBL, etc. “

The domain is registered through NameCheap and the domain is using NameCheap’s email service to receive emails. 

That place needs to be raided by the police.

Voice of Doom on June 5 2019

They pretend they have no control over the criminal activity they host. It is really quite embarrassing.

Mark on July 14 2019

Who want a list of registered domain registered with namecheap by one registar for spamming purpose?
I have over 300 .us domains used to spam me.
anyone one want to start a law suite?

Faith Till on April 10 2020

That thing is quite shocking for me. That article was published in 2017, and till now, when I checked that IP https://iplocation.io/ip/192.64.119.159
It still shows that it belongs to Namecheap, Inc.
Means, there is no follow up
They are not afraid of such a thing
Or actually they are behind all these spammy activities.

Amber Ball on April 14 2020

Not getting the point. Why they are doing this. That company has Good repute in the market. They should have to protect this, by taking struck action against such an act.
The IP Lookup still give surprising results
https://dnschecker.org/ip-location.php?ip=192.64.119.159

AndersA on May 1 2020

I just reported a spammer that uses diskgrey.com and a load of other domains for spamming Outlook accounts. Each and every of those domains hosted by - yes you guessed who - namecheap.com. I ended up setting up some rules and aside from blocking each and every one of those domains also forwarded them to .(JavaScript must be enabled to view this email address) and .(JavaScript must be enabled to view this email address) with the entire content, headers and the works of those mails. For every single mail they sent an answer back but NOT from .(JavaScript must be enabled to view this email address) but ONLY for .(JavaScript must be enabled to view this email address) and in EVERY single answer from that address they posted a confirmation of having received the mail plus a ‘Ticket-ID’ and a link to view the ticket. When accessing the link you are taken to their ‘Support—> Tickets’ page BUT you HAVE TO LOG IN first to see the ticket. The thing is that when you check the email there is NO LOGIN for the ticket! And that repeated itself for eeeevery single mail that was forwarded to them that way! When I contacted their support today (May 1, 2020) they told me to use a form to report the abuse. The form DIDN’T CONNECT when trying to send the content and just timed out. So when asking for another way of reporting they gave me two emails to send the report to instead. .(JavaScript must be enabled to view this email address) and .(JavaScript must be enabled to view this email address). When I had sent the mail off I asked about an average response-time for the report and was told that ‘they were unable to give a response-time’ because ‘it differs from case to case’. I replied that that is the very idea of an average that you find out what’s longest and what’s shortest and then calculate an - average but was told that ‘they don’t have that kind of information’! I responded that that is hardly believable that an IT-related company doesn’t benchmark its customer-support response times and quality. I asked again and was being ignored with sporadic responses and ten-minutes waiting-time in between which clearly showed that they didn’t want to or didn’t care answering the question. So in essence - no automatic reply for the reception of the email, no response on the expected waiting time and no serious interest in removing the spammers. This company is conducting criminal behavior! I recommend everyone to report as a whole these offenses to law enforcement and to ICANN by filing a report on their respective cases. The more pressure the more they’re being highlighted and the more there is a spotlight on them.

AndersA on May 5 2020

Follow up to my initial post:

#1 (baloney) response from namecheap:

‘While the diskgrey.com and kindafro.com domains are registered with Namecheap, they are hosted with other companies. Since we have no access to SMTP servers used by the domains, we are not able to check the email logs for traces of spamming activity.

Additionally, the domains are not currently blacklisted by any trusted anti-spam organization. Therefore, we cannot confirm that the domains are used for sending unsolicited bulk emails.

Please contact the hosting companies for help with investigating the incidents of spam. You will need to forward the entire emails with full headers to them.’

#2 Follow-up (baloney) response from namecheap:

‘This is a follow-up to our previous message.

We confirm the receipt of your report regarding the following domain names:

festgive.com
echomore.com
upcousin.com
boyroar.com
jawsnews.com
wetmade.com
funkystud.com
dunkreel.com

Please note that, unfortunately, as a Registrar we failed to confirm the above mentioned domains’ involvement in spamming activity. The hosting provider is the party responsible for SMTP servers so they are the ones that can check email logs for the domains. It is highly recommended to address the issue for them to investigate.

However, it seems that upcousin.com is listed in one of the trusted anti-spam organizations, Spamhaus DBL. We have opened a case regarding the domain name. Please allow 48 hours for the issue to be resolved.’

Response to namecheap:

- linking to following article (huge mistake on behalf of krebsonsecurity to lock the comment section underneath this post)
https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/#more-44137
- advising to read and learn difference between email, websites, domains, iframe-hosting in said article
- point out fact that namecheap is reknown for harboring spammers by providing domains
- inform that hosting content doesn’t spread spam, providing domains however does
- repeat request to remove spammers/suspend domains or risk report to law enforcement and ICANN

...and voil√°:

‘Thank you for keeping the correspondence with us.

This is to inform you that the upcousin.com domain was suspended. It has been placed on the clientHold status and locked to prevent modifications in our system.

Additionally, please be informed that our Legal and Abuse department has zero tolerance towards any illegal activity that is related to the services provided by Namecheap.

Let us assure you that we fully understand your concern. We do our best within the limits of our Terms of Services to prevent abusive activity from domains registered with Namecheap. Unfortunately, at the moment it is not possible to implement your request due to we have no access to SMTP servers used by the domains, we are not able to check the email logs for traces of spamming activity.’

Useful links…

https://www.theverge.com/2020/3/5/21166485/facebook-lawsuit-namecheap-faked-domain-names-phishing

https://www.spamhaus.org/news/article/795/weaponizing-domain-names-how-bulk-registration-aids-global-spam-campaigns

https://www.webhostingtalk.com/showthread.php?t=1661095

https://www.plainsite.org/dockets/3ba43f7h7/ohio-northern-district-court/digital-millennium-copyright-act-to-copyright-agent-namecheap-inc-legal-department/

This company is deliberately providing domains for spammers which is criminal activity and as such needs to be taken down in court with a collective class action suit. The only way to stop this once and for all is to close down the entire company by having all the affected do so legally in a coordinated effort.

Linux and Windows web hosting plans start at just $7.95/mo.