DNforum.com - Domain Sales, Domain Forum, Domain Appraisals
 
Old 06-24-2008, 12:51 AM   #1 (permalink)
Platinum Lifetime Member
 
Last Online: 08-13-2008 04:29 PM
iTrader: (18)
Join Date: Jun 2002
Posts: 366
DNF$: 298
Location: Colorado Springs, CO
Country:


Warning: ICANNResolve.com is sending E-mails asking for your domain username/password

Warning: I just got an E-mail (text copied below) telling me I must register with ICANN at a website named: www.icannresolve.com with my domain contact info, registrar name, registrar username and password for each domain, and also my domain Security question at my registrar (for each domain I own).

I went to the site, and while it looks *somewhat* legit and links to a lot of the ICANN.org website, there is no way I'm entering my login info with password for each domain I own on this site...

Be warned. Many will likely lose control of their domains due to this, as this must be a scam in my opinion.

Email I received from the address icann@icannresolve.com follows below:

-----

Dear Domain Account Holder,

You are being sent this notice from ICANN due to the fact that you
currently own an active domain name. ICANN is currently upgrading all
domains from their registry database.

The upgrade will introduce new control options for your domain and easier
access. The new upgrade is required by the registry. All domain users are
expected to submit their domain information manually at
http://www.icannresolve.com/ with the required information for ICANN to apply the required updates.

The upgrades will be applied to accounts on a first come, first serve
basis. You have until July 25, 2008 to submit the required information to
avoid service and domain interruption.

Thank you for your time.

Sincerely,

ICANNResolve
ICANN.org Resolutions Department

-----

What thinkest ye about this? Ever heard of them?

Last edited by woeger; 06-24-2008 at 01:00 AM.
woeger is offline   Reply With Quote
Old 06-24-2008, 12:59 AM   #2 (permalink)
DNF Newbie
 
Last Online: 06-26-2008 04:58 PM
iTrader: (14)
Join Date: Sep 2002
Posts: 89
DNF$: 3,292


I got one of those emails too. The website did look legit-ish, but I would say definitely a scam, seeing as the domain ICANNRESOLVE.COM was registered on June 14th of this year with Namecheap and the whois info is hidden.
tinnitus is offline   Reply With Quote
Old 06-24-2008, 01:07 AM   #3 (permalink)
 
Last Online: Today 07:55 PM
iTrader: (38)
Join Date: Mar 2005
Posts: 863
DNF$: 3,621


The message I got from icannresolve just said "test" and Thunderbird blocked an image that I didn't care to click display... was the rest of that message in the image?
__________________
Parked.com - Try out one of the best parking programs!
PM me your email for SedoPro Endorsement Code.

I Buy Domain Names .com
scrsteven is online now   Reply With Quote
Old 06-24-2008, 01:12 AM   #4 (permalink)
Platinum Lifetime Member
 
Last Online: 08-13-2008 04:29 PM
iTrader: (18)
Join Date: Jun 2002
Posts: 366
DNF$: 298
Location: Colorado Springs, CO
Country:


No image here, just all text from them. They used an E-mail address I only use on my WHOIS records, so they seem to be contacting domain owners/contacts only.

Also the E-mail From: text shows ICANN as the source. ICANN better put out a press release concerning this and investigate.

Appears someone pulled the site down already and it is just showing a Namecheap.com parked page now...

Last edited by woeger; 06-24-2008 at 01:18 AM.
woeger is offline   Reply With Quote
Old 06-24-2008, 01:25 AM   #5 (permalink)
Platinum Lifetime Member
 
 
Last Online: Today 12:14 PM
iTrader: (16)
Join Date: Jun 2004
Posts: 2,660
DNF$: 2,935


This is not going to fool anyone that is bright enough to have got something really special, now is it?
__________________
Yours, Rubber Duck

Please note that any historic offers over a month old are null and void.
Rubber Duck is offline   Reply With Quote
Old 06-24-2008, 01:39 AM   #6 (permalink)
Platinum Lifetime Member
 
Last Online: 08-13-2008 04:29 PM
iTrader: (18)
Join Date: Jun 2002
Posts: 366
DNF$: 298
Location: Colorado Springs, CO
Country:


Not likely, but not everyone who owns a great domain (like a generic .COM, 3 character .COM, etc.) is an active Domainer. They surely were hoping to gather/harvest usernames/passwords at various registrars for purposes unknown. I still know many people who allow their ISPs or web designers to be listed as "all the contacts" for their domains. Perhaps some tech contacts/admin may think they have to "give ICANN this info".

Maybe they hoped to steal/use prepaid funds at various registrars (like eNom) and possibly take away valuable domains to try and quickly sell them to unwary buyers?

This is the first time I have ever received an E-mail like this claiming to be from ICANN...

Update: I just read on another domain forum, that a member there said that he contacted Namecheap.com after receiving this same E-mail from them, and that Namecheap seems to have acted on his complaint and has taken down the offending web site/domain.

Last edited by woeger; 06-24-2008 at 01:47 AM.
woeger is offline   Reply With Quote
Old 06-24-2008, 01:55 AM   #7 (permalink)
DNP
Exclusive Senior Member
 
 
Last Online: Today 07:57 PM
iTrader: (220)
Join Date: Nov 2006
Posts: 6,663
DNF$: 163
Location: DNF
Country:



Yes, their site is down now.
DNP is online now   Reply With Quote
Old 06-24-2008, 03:34 AM   #8 (permalink)
DNF Addict
 
Name: James
Last Online: Today 03:41 PM
iTrader: (39)
Join Date: Jan 2006
Posts: 2,731
DNF$: 941
Location: UK
Country:


Defo fraud. Anyone reported it to ICANN / namecheap?
jasdon11 is offline   Reply With Quote
Old 06-24-2008, 03:56 AM   #9 (permalink)
www.conversys.in
 
 
Name: Aloke M.
Last Online: Today 02:28 PM
iTrader: (15)
Join Date: Feb 2005
Posts: 762
DNF$: 4,262
Location: Kolkata
Country:


Got the same mail... good to see the site is down.
__________________
Conversys Technologies Private Limited || Redhat Business Partner || Linux Solution | Open Source Development | Server Administration | Remote Infrastructure Management
dotcomgiant is offline   Reply With Quote
Old 06-24-2008, 07:46 AM   #10 (permalink)
 
 
Name: Kate
Last Online: Today 06:57 PM
iTrader: (29)
Join Date: Jul 2005
Posts: 2,962
DNF$: 12,440
Location: Wonderland
Country:


Can someone post the headers from the E-mail?
sdsinc is offline   Reply With Quote
Old 06-24-2008, 07:49 AM   #11 (permalink)
DN Coyote
 
 
Name: Ed
Last Online: Today 08:13 PM
iTrader: (16)
Join Date: Dec 2007
Posts: 2,943
DNF$: 352
Location: South Florida
Country:


Quote:
Originally Posted by Rubber Duck
This is not going to fool anyone that is bright enough to have got something really special, now is it?
99.999% of domainers won't fall for this but what about someone like my sister who owns a couple of domain names (her name, etc..) and knows very little of the industry?

Quote:
Originally Posted by woeger
Not likely, but not everyone who owns a great domain (like a generic .COM, 3 character .COM, etc.) is an active Domainer. They surely were hoping to gather/harvest usernames/passwords at various registrars for purposes unknown.
Steal domains and try to register many more with the stolen accounts.
__________________
Ask me about my Domain Management Tool! Only $5!
What's on Draggar's mind?
draggar is online now   Reply With Quote
Old 06-24-2008, 12:30 PM   #12 (permalink)
Platinum Lifetime Member
 
 
Last Online: Yesterday 07:14 PM
iTrader: (18)
Join Date: Jan 2003
Posts: 851
DNF$: 3,163
Location: Los Angeles


FULL MESSAGE WITH HEADERS


Delivered-To: <REMOVED FOR POSTING>
Received: by 10.82.169.13 with SMTP id r13cs3488bue;
    Mon, 23 Jun 2008 21:51:42 -0700 (PDT)
Received: by 10.140.172.19 with SMTP id u19mr14076294rve.31.1214283101166;
    Mon, 23 Jun 2008 21:51:41 -0700 (PDT)
Return-Path: <icann@icannresolve.com>
Received: from <REMOVED FOR POSTING> ([<IP REMOVED FOR POSTING>])
    by mx.google.com with ESMTP id 5si11411009wrh.24.2008.06.23.21.51.40;
    Mon, 23 Jun 2008 21:51:41 -0700 (PDT)
Received-SPF: neutral (google.com: <IP REMOVED FOR POSTING> is neither permitted nor denied by domain of icann@icannresolve.com) client-ip=<IP REMOVED FOR POSTING>;
Authentication-Results: mx.google.com; spf=neutral (google.com: <IP REMOVED FOR POSTING> is neither permitted nor denied by domain of icann@icannresolve.com) smtp.mail=icann@icannresolve.com
Received: from <REMOVED FOR POSTING> (root@localhost)
    by <REMOVED FOR POSTING> (8.12.10/8.12.10) with ESMTP id m5O4C2oF024048
    for <<REMOVED FOR POSTING>>; Mon, 23 Jun 2008 21:12:02 -0700
X-ClientAddr: 208.43.69.146
Received: from host.icannresolve.com (omegagalaxy.com [208.43.69.146] (may be forged))
    by <REMOVED FOR POSTING> (8.12.10/8.12.10) with ESMTP id m5O4C2Pw024043
    for <<REMOVED FOR POSTING>>; Mon, 23 Jun 2008 21:12:02 -0700
Received: from [208.43.70.241] (helo=www.icannresolve.com)
    by host.icannresolve.com with esmtpa (Exim 4.69)
    (envelope-from <icann@icannresolve.com>)
    id 1KB0VH-0001fB-9A
    for <REMOVED FOR POSTING>; Mon, 23 Jun 2008 23:51:39 -0500
To: <REMOVED FOR POSTING>
Subject: ICANN - Domain Upgrade Notice
Message-ID: <2dccd670d53caafe543ef34cfe75d7dd@www.icannresolve.com>
Date: Tue, 24 Jun 2008 06:22:08 +0200
From: "ICANN" <icann@icannresolve.com>
Reply-To: icann@icannresolve.com
MIME-Version: 1.0
X-Mailer-LID: 1
X-Mailer-SID: 5
X-Mailer-Sent-By: 1
Content-Type: text/plain; format=flowed; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.icannresolve.com
X-AntiAbuse: Original Domain - <REMOVED FOR POSTING>
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - icannresolve.com

Dear Domain Account Holder,

You are being sent this notice from ICANN due to the fact that you
currently own an active domain name. ICANN is currently upgrading all
domains from their registry database.

The upgrade will introduce new control options for your domain and easier
access. The new upgrade is required by the registry. All domain users are
expected to submit their domain information manually at
http://www.icannresolve.com/email/li...D FOR POSTING) with the
required information for ICANN to apply the required updates.

The upgrades will be applied to accounts on a first come, first serve
basis. You have until July 25, 2008 to submit the required information to
avoid service and domain interruption.

Thank you for your time.

Sincerely,

ICANNResolve
ICANN.org Resolutions Department
__________________
HEAVYLIFTING.COM
buying: one word .com, .biz, .us
bullet.mobi | fade.mobi | maroon.mobi | native.mobi | nnr.mobi | presto.mobi | voce.mobi
HeavyLifting is offline   Reply With Quote
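
Added example, not part of the original thread: a short Python check for the three red flags visible in the headers posted in #12 (a display name of "ICANN" on a non-icann.org address, an SPF result of neutral, and a relay whose announced name differs from its reverse DNS). The function name, the BRAND_DOMAINS table and the placeholder values standing in for the redacted fields are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines from post #12; values the poster redacted are replaced with
# constructed placeholders (mx.example.net, 192.0.2.10, user@example.org).
SAMPLE = """\
Return-Path: <icann@icannresolve.com>
Received-SPF: neutral (google.com: 192.0.2.10 is neither permitted nor denied by domain of icann@icannresolve.com) client-ip=192.0.2.10;
Received: from host.icannresolve.com (omegagalaxy.com [208.43.69.146] (may be forged))
    by mx.example.net (8.12.10/8.12.10) with ESMTP id m5O4C2Pw024043
    for <user@example.org>; Mon, 23 Jun 2008 21:12:02 -0700
To: user@example.org
Subject: ICANN - Domain Upgrade Notice
From: "ICANN" <icann@icannresolve.com>
Reply-To: icann@icannresolve.com

Dear Domain Account Holder,
"""

# Assumption for this example: display-name keywords mapped to the only
# domains that may legitimately send mail under that name.
BRAND_DOMAINS = {"icann": {"icann.org"}}
# sendmail-style hop: "from HELO (rDNS [IP] (may be forged))"
RECEIVED_RE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]( \(may be forged\))?\)")

def in_domains(domain, allowed):
    """True if domain equals, or is a subdomain of, an allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def header_findings(raw, brand_domains=BRAND_DOMAINS):
    """Return a list of human-readable red flags found in raw headers."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in brand_domains.items():
        if brand in name.lower() and not in_domains(domain, allowed):
            findings.append(f"From name {name!r} but sender domain is {domain}")
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    if spf != "pass":
        findings.append(f"SPF result is {spf}, not pass")
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hop.split()))  # undo header folding
        if m and (m.group(4) or m.group(1).lower() != m.group(2).lower()):
            findings.append(f"relay {m.group(3)} announced {m.group(1)} "
                            f"but reverse DNS says {m.group(2)}")
    return findings
```

None of these checks is conclusive alone; an SPF result of neutral in particular is common for legitimate mail, so the findings are best read together.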
Old 06-24-2008, 12:38 PM   #13 (permalink)
Webmaster For Hire
 
 
Name: Sterling
Last Online: Today 07:13 PM
iTrader: (41)
Join Date: Jan 2005
Posts: 459
DNF$: 1,869
Location: Westpoint, Tenn
Country:


Yup, I was just coming here to post the one I got. lol

I hope no one falls for it.
__________________
.
******************************************
>> I'm On eBay!!! Please, Check Out My Auctions And Place A Bid!!! <<
******************************************
Sterling is offline   Reply With Quote
Old 06-24-2008, 03:48 PM   #14 (permalink)
Platinum Lifetime Member
 
 
Name: Monica
Last Online: Today 07:11 PM
iTrader: (1)
Join Date: Mar 2008
Posts: 414
DNF$: 65
Location: Dublin, Ireland
Country:


Well, it seems that no matter how many times they tell us to (1) never click a link in an email (2) never give anyone our password or personal details, no matter how authoritative they claim to be, there are always people who give scammers their passwords, bank details, whatever and suffer loss as a consequence.

Since anyone genuine would never ask for these things, it's a simple matter to just consign any such email to oblivion, however you want to do it.
__________________
Newbie on a steep learning curve
MAllie is offline   Reply With Quote
All times are GMT -4. The time now is 08:32 PM.
Copyright @2001-2008 DNForum.com
