How to get your domain suspended in five easy steps!

Regular readers may have noticed CNX Software was inaccessible for several days, and the reason was that my domain was suspended. I’m a bit late for April Fools’ day, but I’ll show how you can get your domain suspended too in five easy steps! I’ll also provide some background to what happened, and several errors of judgment made along the way.

What happened?

On March 28, as I woke up I noticed I could not access the website and I had also received several emails and mentions on social networks that the website was down. I first tried to restart the LEMP stack of the server (nginx, MySQL, PHP), but it did not help. I quickly figured out there was a problem with DNS, so I went to the Cloudflare dashboard, which is where I manage the DNS records, but I did not see any problems there. Eventually, I saw the domain name servers had been changed to ns1.suspended.com and ns2.suspended.com, and I could not change anything. So my domain was suspended. Cloudflare is not managing the domain registration, I only use it for the DNS records, and they were not involved in this case at all.

Note that I did not receive any email or phone call from the reseller where I purchased the domain in 2010. I first tried chat support but was told to open a ticket, which was handled by the “billing” department. I opened the ticket on March 28th, 2022 (21:25) (some US timezone), and received an answer on March 29th, 2022 (05:54) saying the domain was suspended because of phishing. I know I’m not running some phishing scam, so either the server was hacked, or somebody had made a fake report to take my domain down. I was not given the exact reason yet, but a case was opened and I was told I would receive an email soon (to an email from my suspended domain).

I replied I was probably the victim of fraud, and so I had to refresh the ticket from time to time, and on Tuesday, March 29th, 2022 (23:38), or 26 hours after opening the ticket, I was given a screenshot showing “definitive proof of my abusing ways” (I made that up).

[Image: cnx software domain suspended phishing]

I was not given the link to the report, only that screenshot, meaning I did not have access to the full link. I could not see anything wrong with it, and I knew the phishing content was not hosted on CNX Software, because go.cnx-software.com was a subdomain used for redirection to Skimlinks (automatic affiliate programs listed on the Privacy Policy page), so it should go to some third party website, which in this case, appeared to be Twitter. Instead of disabling go.cnx-software.com immediately, I decided to ask for a link to the report and full link, and said I did not own Twitter, so I could not remove the phishing content, but I could help report the tweet once I get the link.

On the evening of March 29 (Thailand time), the domain was restored, so I assumed the problem might be resolved and phishing content removed from Twitter. But the domain was suspended again late evening on March 31, so I asked again what was going on in an update to the ticket on Thursday, March 31st, 2022 (07:02) (back to US timezone), with a follow-up asking when I’ll get proof of any wrongdoing on March 31st, 2022 (22:02). At this point, I removed Skimlinks redirection for go.cnx-software.com, and changed it to www.cnx-software.com. But obviously, I could not test it because the domain was down. I was told in “chat” that I would have to pay a $50 fine for abuse, but I haven’t received a bill yet.

I finally got an answer on April 1st, 2022 (00:13), sadly no April Fools joke, with the actual proof:

[Image: hostfast domain suspended malicious redirection]

The actual issue was phishing content via malicious redirection, which I expected, but it’s not hosted on Twitter, and instead on another domain hosted on Yandex Cloud, as you can check by yourself in the report.

[Image: Deceptive site ahead]

The go.cnx-software.com sub-domain was probably not used anymore on CNX Software since I removed the Skimlinks script last year, and manually create affiliate links as needed. So either the person who reported the phishing issue was a bad actor trying to take down CNX Software, or more likely, had a computer infected with some kind of malware that creates redirects to phishing websites by appending strings to URLs/using exploitable redirects. I was surprised cnx-software.com was taken down for this, as Skimlinks themselves should be easily exploited (I informed them about that), and social media networks or URL shorteners should have their domain taken out daily for that, but I’ll have an explanation for that later.

Anyway, at this point, I decided to just completely remove go.cnx-software.com sub-domain, and wait until the issue is resolved which took around 48 hours from the time I changed the go.cnx-software.com redirect to www.cnx-software.com. The domain was back up on April 2, 16:03 (Thailand time), and “support” confirmed the issue had been resolved and services restored on the afternoon of April 3.

Five easy steps to get your domain suspended

The easiest way to get your domain suspended is to do activities governments (or corporations) don’t like such as selling drugs and arms, organizing non-government-approved protests, promoting terrorism, saying something outrageous on Twitter going viral to get the crowd to hate and cancel you, and so on. That would be illegal or hurt some people’s feelings, but my time-tested method does get your domain suspended perfectly legally and safely:

  1. Register the cheapest domain and hosting package you can find, preferably from a reseller, and do so in the name of a close relative, or your future ex-girlfriend or ex-wife for convenience and other personal reasons.
  2. A few years later, register to Skimlinks, and enable custom domains to redirect any links to a subdomain. Alternative solutions to make your website open to hackers are also fine.
  3. A few years later, move the domain to a new account with your own contact details (name, address, telephone number), but do NOT check whether the WHOIS contact information is updated.
  4. Lose all contact with (or willingness to contact) the person listed in the WHOIS, and make sure the registered email in the WHOIS is not monitored by anybody.
  5. Wait and profit!

It may take a while… It took over 12 years for me, but you’ll surely get your domain suspended after following those steps, time is on your side!

Lessons learned

The first time I registered the domain, I did not want to spend much money on it, since I was not sure what I would do with it; it was just a backup in case I offered services as a freelance embedded software engineer/consultant. So I just took the cheapest plan using an account I already used for another domain I registered to help somebody set up their website. Now there are plenty of review websites where you can check user feedback (some of the positive reviews are fake), and in my case, it would have helped to purchase the domain directly from a registrar instead of a reseller for two reasons:

  1. The registrar would have both the WHOIS contact information and the account information, so I’d assume they’d be able to contact customers with either in case of issues.
  2. Communication would be much faster, as in this case I have to contact the reseller, which then contacts the registrar, which then replies, and the reseller relays the answer from the registrar. This could take 36 to 48 hours to get a reply from the companies involved in this particular case.

TrustPilot appears to be widely used for registrar/domain resellers reviews, and it’s possible to check whether a company is an accredited registrar on the ICANN website.

[Image: Accredited registrar]

I’m considering transferring the domain to Dynadot as I have another domain there (cnx-maker.net), reviews are OK, and the company is an accredited registrar. I would not recommend registering a .cn domain from them though, at least if you intend to host the website in China. I’ve done it in the past (cnx-software.cn), and we eventually had to transfer it to Alibaba Cloud, since Dynadot are not certified to get an ICP license required in China.

Note that transferring a domain is not possible when it is suspended, or even changing WHOIS information, as it is fully locked (clientHold). My domain has been restored, but I’m still unable to change the WHOIS contact information because the reseller is not answering the ticket (for over 3 days) asking for the change, and the dashboard returns an error when trying to update the WHOIS contact information to the “default profile”. Chat support tells me they can’t do anything about that. Transferring the domain won’t be possible until I do that, and I expect further pain down the road.

Another lesson learned is that you should make sure the WHOIS contact information is up-to-date, which may be different from your registrar account information. It’s quite possible that the registrar tried to contact me at the old email address, but I would not know. They don’t have the contact details provided to the reseller, and as I understand they are the ones handling abuse reports. I also contacted the registrar directly on April 1, and was told I would get an answer within 48 hours, but nothing so far. If your domain registrar says you’ve done something wrong without providing clear evidence, do not try to dispute it, or say you’ve done nothing wrong, fix it as fast as possible even without knowing the full details of your case.
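The checks this incident suggests (hold status, unexpected name servers, an unmonitored registrant e-mail) can be automated against the domain's RDAP record. The following is an added example, not code from CNX Software or any registrar; the RDAP response is constructed, and the expected name-server suffix and monitored mailbox are assumptions to replace with your own.

```python
import json

# Constructed RDAP domain response (RFC 9083 shape); every value is a sample.
SAMPLE_RDAP = json.loads("""{
  "ldhName": "EXAMPLE.COM",
  "status": ["client hold", "client transfer prohibited"],
  "nameservers": [{"ldhName": "NS1.SUSPENDED.COM"}, {"ldhName": "NS2.SUSPENDED.COM"}],
  "entities": [{"roles": ["registrant"], "vcardArray": ["vcard", [
      ["version", {}, "text", "4.0"],
      ["email", {}, "text", "old-owner@example.net"]]]}]
}""")

# RDAP spellings of the EPP clientHold / serverHold status codes.
HOLD_STATUSES = {"client hold", "server hold"}

def contact_emails(rdap, role):
    """Collect e-mail addresses from the jCard of every entity holding `role`."""
    emails = set()
    for entity in rdap.get("entities", []):
        if role not in entity.get("roles", []):
            continue
        vcard = entity.get("vcardArray", ["vcard", []])
        for prop in vcard[1]:
            if prop[0] == "email":
                emails.add(str(prop[3]).lower())
    return emails

def audit_domain(rdap, expected_ns_suffixes, monitored_emails):
    """Return a list of findings; an empty list means nothing to act on."""
    findings = []
    held = HOLD_STATUSES & {s.lower() for s in rdap.get("status", [])}
    if held:
        findings.append("domain on hold: " + ", ".join(sorted(held)))
    for ns in rdap.get("nameservers", []):
        name = ns.get("ldhName", "").lower().rstrip(".")
        if not any(name == s or name.endswith("." + s) for s in expected_ns_suffixes):
            findings.append("unexpected name server: " + name)
    registrant = contact_emails(rdap, "registrant")
    if not registrant:
        findings.append("registrant e-mail redacted or missing; check the registrar panel")
    for email in sorted(registrant - {m.lower() for m in monitored_emails}):
        findings.append("registrant e-mail not monitored: " + email)
    return findings

if __name__ == "__main__":
    # Assumed policy: DNS hosted at Cloudflare, admin@example.com is read daily.
    for finding in audit_domain(SAMPLE_RDAP, ["ns.cloudflare.com"], ["admin@example.com"]):
        print(finding)
```

Run on a schedule from a host that does not depend on the monitored domain for alert delivery, since mail to that domain stops when it is suspended.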

Security is important, and I regularly update the server to make sure it has the latest patches, but I missed the potential harm that URL redirection through Skimlinks could cause. This service is used by a large number of websites, and they do this type of redirection themselves. So I did not think much of it at the time. It’s quite possible that domains owned by larger companies would never be taken down for this type of exploit, but I suppose they keep their WHOIS contact information up-to-date. I would have appreciated it if the registrar had contacted the reseller to inform me before taking the domain down, especially since I’ve been using cnx-software.com for over 12 years without issue, and it may have been the first and only report for the domain, especially as it only impacted a sub-domain.

On another note, I’ve been using Google Workspace (previously known as Google Apps) for my domain as a free user since 2010, but the free service will end in May, and since I don’t intend to pay $500 per year to Google to keep my current cnx-software.com email addresses, I’ll transfer those to another service, maybe Zoho or Bluehost, since I’ve ruled out self-hosting. Other alternatives are welcome.
