Received an email that looked phishy:
Please read this important e-mail carefully.
Recently you registered, transferred or modified the contact information for the following domain name:
In order to ensure your domain name remain active, you must now click the following link and follow the instructions provided.
The web page listed my name and email address, so the riskiness of clicking it seemed low, but ALL KLAXONS were going off in my head about this being phishing. I also received another email threatening to suspend my domain if I did verify it.
The email headers really confirmed for me this was phishing:
Received: from mx.registrarmail.net (mx.registrarmail.net [18.104.22.168])
by myemail-mx26.g.emailprovider.com (Postfix) with ESMTP id 999AA999999DDD
for <firstname.lastname@example.org>; Mon, 28 Mar 2016 05:43:25 -0700 (PDT)
Received: from cron01.endurance.prod.tucows.net (unknown [22.214.171.124])
by mx1.registrarmail.net (Postfix) with SMTP id B5999999E51
for <email@example.com>; Mon, 28 Mar 2016 12:43:24 +0000 (UTC)
Received: by cron01.endurance.prod.tucows.net (sSMTP sendmail emulation); Mon, 28 Mar 2016 08:43:24 -0400
Date: Mon, 28 Mar 2016 08:43:24 -0400 (EDT)
From: "Domain Registrar" <firstname.lastname@example.org>
Subject: Important: Please validate your domain name
The original sender is tucows.net? There’s no way a real company would be using such a site to send these emails. After all, that’s some lonely script kiddie in their mom’s basement BS. This had to be phishing.
One last check. I did a dig on verify.domain.com and compare that to the www for the company. Two very different IP spaces, but crucially the nameservers have “dyn” in the name which red flagged that it was one of those dynamic DNS services so it could be anything anywhere. Definitely not legitimate.
So I go to the registrar’s site to report this phishing and look at my domain’s record to see if anything really had changed. It had not, but I noticed there was a phone number I’ve not used since 2003, so I update the record. There is a notice that they need me to verify the information. I go looking for it and see… another copy of the phishing email at the time I updated the record. At this point, I suspect maybe I am completely wrong. Since the risk seems low, I do click the link and verify button and go back to the registrar’s site to see if the warning about needing to verify my information cleared. It did. Dammit!
Turns out the phishy email is actually ICANN not the registrar.