New Domain Verification
On June 4th a user registered for service with entirely reasonable credentials, passing any sane human verification check. The user then added 1,522 domains belonging to our other customers under a reseller account and used those domains to send spam. The idea was that by sending through our service the mail would pass SPF; it would still fail DKIM, but passing SPF alone is quite valuable to a spammer. Previously we had accounted for this behavior by policing spoofed emails (heavy audit trails, alerting, etc). What we didn't account for was mail that wasn't spoofed at all, because the sending domain matched the SMTP login domain: the user had maliciously added the domain to their own account. More on this at the bottom of the post.
Now, obviously, anyone with half a brain could tell you this was an inevitable consequence of being able to add domains in DirectAdmin without ownership verification. It's not rocket science. However, that ability has been present in the shared web hosting industry for the vast majority of its existence, and it is still present today in a huge number of shared web hosting providers, quite possibly the majority. As our frontend was modeled after the shared web hosting industry, and as a low budget provider, we figured the industry at large (and the MUCH larger players in it) would face an attack of this kind well before we did, and that they would make demands of the tooling we shared by licensing, allowing the "fix" to trickle down to us at no cost.
We weren't out here trying to solve all of the problems inherent in that industry for them, and in our minds the fact that we shared them meant we were at least in good company. But as seems to be the way life actually goes, it was thrust upon MXroute to solve this problem. So we did. Now you have to verify ownership of a domain to add it via DirectAdmin. This ONLY refers to NEW domains that you add to your account. None of the domains already in your account will require this verification.
Your domain verification key is used as the name of a TXT record in your domain's DNS. You obtain it in DirectAdmin from the DNS Records page under Account Manager in the left menu. The key is the record name; the record contents are just "domain-verified", because the contents aren't what matters. By using a unique record name per account we make it difficult for anyone to bulk-query a single TXT record name across many domains and discover which domains belong to the same user. Once the domain has been added in DirectAdmin, you can delete the TXT record.
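The check above, written out as an added example (this is not MXroute's or DirectAdmin's code): the customer publishes a TXT record named `<key>.<domain>` with the contents `domain-verified`, and the provider refuses to add the domain unless that exact record resolves. The account keys and the zone data below are constructed for the example, and the live-lookup helper assumes the dnspython package is installed; the DNS lookup is injectable so the logic runs offline.

```python
"""Domain ownership verification via a per-account TXT record name.

Added example, not MXroute's code. The account keys and FAKE_ZONE below
are constructed; dnspython_resolve_txt assumes dnspython 2.x for live use.
"""

VERIFY_VALUE = "domain-verified"


def verification_record_name(account_key: str, domain: str) -> str:
    """Name of the TXT record the customer must publish: <key>.<domain>."""
    domain = domain.strip().rstrip(".").lower()
    if not domain or "." not in domain:
        raise ValueError(f"not a usable domain: {domain!r}")
    if not account_key or "." in account_key:
        raise ValueError("account key must be a single non-empty DNS label")
    return f"{account_key}.{domain}"


def verify_domain(account_key: str, domain: str, resolve_txt) -> bool:
    """Return True only if <key>.<domain> has a TXT record reading "domain-verified".

    resolve_txt(name) returns the list of TXT strings published at name, or
    an empty list when nothing is there. Any lookup error counts as "not
    verified": the safe failure mode is to refuse to add the domain.
    """
    try:
        name = verification_record_name(account_key, domain)
        strings = resolve_txt(name)
    except Exception:
        return False
    # Tolerate stray whitespace and quoting that panels sometimes add.
    return any(s.strip().strip('"') == VERIFY_VALUE for s in strings)


# Constructed zone data standing in for live DNS. The keys are hypothetical
# account keys chosen for this example, not a real MXroute key format.
FAKE_ZONE = {
    "k7f3a9d2.example.com": ["domain-verified"],       # account k7f3a9d2 owns it
    "k7f3a9d2.example.org": ["domain-verified"],       # same account, second domain
    "b1c4e8f0.example.org": ["something-else"],        # wrong contents
    "example.net": ["v=spf1 include:mxroute.invalid -all"],  # no verification record
}


def fake_resolve_txt(name: str) -> list:
    """Offline stand-in for a TXT lookup; unknown names behave like NXDOMAIN."""
    return list(FAKE_ZONE.get(name.lower(), []))


def dnspython_resolve_txt(name: str) -> list:
    """Live lookup for production use (assumes dnspython 2.x is installed)."""
    import dns.resolver
    import dns.exception
    try:
        answer = dns.resolver.resolve(name, "TXT")
    except dns.exception.DNSException:
        return []
    # Each TXT rdata is a tuple of byte strings that may be split at 255 bytes.
    return [b"".join(rdata.strings).decode("ascii", "replace") for rdata in answer]


if __name__ == "__main__":
    for key, dom in [("k7f3a9d2", "example.com"), ("b1c4e8f0", "example.org")]:
        print(verification_record_name(key, dom), "->", verify_domain(key, dom, fake_resolve_txt))
```

Because the record name carries the per-account key, an outsider cannot learn which domains share an account by querying one well-known name across the zone; they would have to guess the key for every domain. Deleting the record after the domain is added is fine here because the check only runs at add time, which is the behaviour the post describes.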
More on the June 4th attack:
The attacker attempted to send 5,899 Comcast phishing emails from the 1,522 domains. Unfortunately most of these emails were delivered. The only positive is that this particular attack did not harm anyone's domain reputation. Now that we've covered both methods of performing this attack (spoofing a customer's domain, and adding a customer's domain to your own account), we are no longer susceptible to it.