Regular readers may have noticed CNX Software was inaccessible for several days, and the reason was that my domain was suspended. I’m a bit late for April Fools’ day, but I’ll show how you can get your domain suspended too in five easy steps! I’ll also provide some background to what happened, and several errors of judgment made along the way
What happened?
On March 28, as I woke up I noticed I could not access the website and I had also received several emails and mentions on social networks that the website was down. I first tried to restart the LEMP stack of the server nginx, mysql, php, but it did not help. I quickly figured out there was a problem with DNS, so I went to the Cloudflare dashboard which is where I manage the DNS records, but I did not see any problems there. Eventually, I saw the domain name servers were changed to: ns1.suspended.com and ns2.suspended.com, and I could not change anything. So my domain was suspended. CloudFlare is not managing the domain registration, I only use it for the DNS records, and they were not involved in this case at all.
Note that I did not receive any email or phone call from the reseller where I purchased the domain in 2010. I first tried chat support but was told to open a ticket, which was handled by the “billing” department. I open the ticket on March 28th, 2022 (21:25) (some US timezone), and received an answer on March 29th, 2022 (05:54) saying the domain was suspended because of phishing. I know I’m not running some phishing scam, so either the server was hacked, or somebody had made a fake report to take my domain down. I was not given the exact reason yet, but a case was opened and was told I would receive an email soon (to an email from my suspended domain).
I replied I was probably the victim of fraud, and so I had to refresh the ticket from time to time, and on Tuesday, March 29th, 2022 (23:38), or 26 hours after opening the ticket I was given a screenshot showing “definitive proof of my abusing ways” (I make that up).
I was not given the link to the report, only that screenshot, meaning I did not have access to the full link. I could not see anything wrong with it, and I knew the phishing content was not hosted on CNX Software, because go.cnx-software.com was a subdomain used for redirection to Skimlinks (automatic affiliate programs listed on the Privacy Policy page), so it should go to some third party website, which in this case, appeared to be Twitter. Instead of disabling go.cnx-software.com immediately, I decided to ask for a link to the report and full link, and said I did not own Twitter, so I could not remove the phishing content, but I could help report the tweet once I get the link.
On the evening of March 29 (Thailand time), the domain was restored, so I assumed the problem might be resolved and phishing content removed from Twitter. But the domain was suspended again late evening on March 31, so I asked again what was going on in an update to the ticket on Thursday, March 31st, 2022 (07:02) (back to US timezone), with a follow-up asking when I’ll get proof of any wrongdoing on March 31st, 2022 (22:02). At this point, I removed Skimlinks redirection for go.cnx-software.com, and changed it to www.cnx-software.com. But obviously, I could not test it because the domain was down. I was told in “chat” that I would have to pay a $50 fine for abuse, but I haven’t received a bill yet.
I finally got an answer on April 1st, 2022 (00:13), sadly no April Fools joke, with the actual proof:
The actual issue was phishing content via malicious redirection, which I expected, but it’s not hosted on Twitter, and instead on another domain hosted on Yandex Cloud, as you can check by yourself in the report.
The go.cnx-software.com sub-domain was probably not used anymore on CNX Software since I removed the Skimlinks script last year, and manually create affiliate links as needed. So either the person who reported the phishing issue was a bad actor trying to take down CNX Software, or more likely, had a computer infected with some kind of malware that creates redirects to phishing websites by appending strings to URLs/using exploitable directs. I was surprised cnx-software.com was taken down for this, as Skimlinks themselves should be easily exploited (I informed them about that), and social media networks or URL shorteners should have their domain taken out daily for that, but I’ll have an explanation for that later.
Anyway, at this point, I decided to just completely remove go.cnx-software.com sub-domain, and wait until the issue is resolved which took around 48 hours from the time I changed the go.cnx-software.com redirect to www.cnx-software.com. The domain was back up on April 2, 16:03 (Thailand time), and “support” confirmed the issue had been resolved and services restored on the afternoon of April 3.
Five easy steps to get your domain suspended
The easiest way to get your domain suspended is to do activities governments (or corporations) don’t like such as selling drugs and arms, organizing non-government-approved protests, promoting terrorism, saying something outrageous on Twitter going viral to get the crowd to hate and cancel you, and so on. That would be illegal or hurt some people’s feelings, but my time-tested method does get your domain suspended perfectly legally and safely:
- Register the cheapest domain and hosting package you can find, preferrable a reseller, and do so in the name of a close relative, or your future ex-girlfriend or ex-wife for convenience and other personal reasons
- A few years later, register to Skimlinks, and enable custom domains to redirect any links to a subdomain. Alternative solutions to make your website open to hackers are also fine.
- A few years later, move the domain to a new account with your own contact details (name, address, telephone number), but do NOT check whether the WHOIS contact information is updated.
- Lose all contact with (or willingness to) the person listed in the WHOIS, and make sure the registered email in the WHOIS is not monitored by anybody
- Wait and profit!
It may take a while… It took over 12 years for me, but you’ll surely get your domain suspended after following those steps, time is on your side!
Lessons learned
The first time I registered the domain, I did not want to spend much money on it, since I was not sure what I would do with it, it was just a backup in case I offer services as a freelance embedded software engineer/consultant. So I just took the cheapest plan using an account I already used for another domain I registered to help somebody set up their website. Now there are plenty of review websites where you can check user feedback (some of the positive reviews are fake), and in my case, it would have helped to purchase the domain directly from a registrar in of a reseller for two reasons:
- The registrar would have both the WHOIS contact information and the account information, so I’d assume they’d be able to contact customers with either in case of issues.
- Communication would be much faster as in this case, I have to contact the reseller, which then contacts the registrar, which then replies, and the reseller feedbacks the answer from the registrar. This could take 36 to 48 hours to get a reply from the companies involved in this particular case.
TrustPilot appears to be widely used for registrar/domain resellers reviews, and it’s possible to check whether a company is an accredited registrar on the ICANN website.
I’m considering transferring the domain to Dynadot as I have another domain there (cnx-maker.net), reviews are OK, and the company is an accredited registrar. I would not recommend registering a .cn domain from them through, at least if you intend to host the website in China. I’ve done it in the past (cnx-software.cn), and we eventually had to transfer it to Alibaba Cloud, since Dynadot are not certified to get an ICP license required in China.
Note that transferring a domain is not possible when it is suspended, or even changing WHOIS information, as it is fully locked (clientHold). My domain has been restored, but I’m still unable to change the WHOIS contact information because the reseller is not answering the ticket (for over 3 days) asking to change, and the dashboard returns an error when updating to update the WHOIS contact information to the “default profile”. Chat support tells me they can’t do anything about that. Transferring the domain won’t be possible until I do that, and I expect further pain down the road.
Another lesson learned is that you should make sure the WHOIS contact information is up-to-date, which may be different from your registrar account information. It’s quite possible that the registrar tried to contact me at the old email address, but I would not know. They don’t have the contact details provided to the reseller, and as I understand they are the ones handling abuse reports. I also contacted the registrar directly on April 1, and was told I would get an answer within 48 hours, but nothing so far. If your domain registrar says you’ve done something wrong without providing clear evidence, do not try to dispute it, or say you’ve done nothing wrong, fix it as fast as possible even without knowing the full details of your case.
Security is important, and I regularly update the server to make sure it has the latest patches, but I missed the potential harm that URL redirection through Skimlinks could cause. This service is used by a large number of websites, and they do this type of redirection themselves. So I did not think much of it at the time. It’s quite possible that domains owned by larger companies would never be taken down for this type of exploit, but I suppose they keep their WHOIS contact information up-to-date. I would have appreciated it if the registrar had contacted the reseller to inform me before taking the domain down, especially since I’ve been using cnx-software.com for over 12 years without issue, and it may have been the first and only report for the domain, especially it only impacted a sub-domain.
On another note, I’ve been using Google Workspace (previously known as Google Apps) for my domain as a free user since 2010, but the free service will end in May, and since I don’t intend in paying $500 per year to Google to keep my current cnx-software.com email addresses, I’ll transfer those to another service, maybe Zoho or Bluehost, since I’ve ruled out self-hosting. Other alternatives are welcome.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
Very interesting summation.
Cancel culture seeming to be one of the 5 reasons does quite sum up a poorer part of today’s societies online.
Zoho as an email provider is quite good. I found out about it when I wanted a secondary email account with better security. Some even recommend ProtonMail. Regarding your domain and hosting, you should definitely migrate it to a better service altogether. Your website grew nicely in time and it is time that you have as much control as you can. You do not have to spend a fortune for hosting, there are good alternatives. I am personally using a trusted hosting provider in my home country with good prices and very, very good uptime and customer support. I don’t… Read more »
I’m using a Linode 8GB plan for hosting, so no problem here. It was up at all times, and people could still access the website by changing their hosts file. The only problem was with the domain.
Jerry or someone will be along soon to suggest running your site yourself, on a 8GB RPI4 and SDcard.
It may not be totally your fault. Late March my employer contacted me saying my IP was flagged by their security software as malicious. It turned out my router was routing to a DNS that was malicious, or some such thing I don’t totally understand.
“…not totally your fault” – meaning not mal-intent. But security is still your responsibility. Failing your responsibility is still your fault. Being incompetent to perform your responsibility makes a case for your needing help. I hope you recognise the need to get that help, and that your employer is one that is winning to provide it instead of being one of the 60% who are firing their employees for failing to practice good security habits. If you’re in the 40% who gets support from their employer, I hope you’re grateful. I also hope that you learn to be properly terrified… Read more »
Thanks for the detailed timeline.
Change registrar.
Too bad you had to go through that Jean-Luc, and thanks for sharing. I’m not sure what you mean by self-hosting… you mean like colo? I don’t trust shared hosting sellers, because the account isolation they use is trivial to bypass at any given point in time. I do trust VPS, and you can get a very good VPS for $20USD/mo with various hosting companies. I am fond of UpCloud as it is passion project by a relatively small team so they have good service, unlike the major clouds and the disaster that is Endurance International Group, now rebranded Newfold… Read more »
The last paragraph is about email hosting only. I already have a Linode 8GB VPS ($40 per month). In theory, I could host an email server on my Linode instance since it has the resources, but there seem to be a lot of pitfalls doing so (e.g. getting caught in spam filters, etc…), so I prefer to outsource it to some other companies.
Everyone seems to scream how great Switzerland is for privacy, why not unaxus.ch? Pricing is reasonable and it’s working well…
Thanks for the interresting feedback.
Infomaniak (Swisserland) have a nice offer of 6 mailbox for around 20€/year, it’s what I am studying to replace small Google Apps. That or iCloud which also allow custom mail domain.
Since you use already cloudflare for DNS you can transfer your domain there. They are registrars for some time now with good prices.
I highly recommend statuscake for checking your services: dns, http, https etc
The free tier is more than enough for people and small businesses
https://www.statuscake.com/
I’d suggest switching to protonmail if you’re selecting an email provider
And I’d use gandi for dns, because they have a API you can use with letsencrypt to make dns validation easier
That’s a harrowing tale Jean-Luc! I use Pair Domains as my registrar. They have been great for the five or so years that I’ve used them. They offer a lot of services for no extra cost. For example, they’ll forward email based on patterns. I have emails from my domains forward to my google email (free gmail account). I could give someone an address at one of my domains by just putting in a forwarding rule for that one user name and send it off wherever they want it.
Use Google Domains ($20 per year for com domain) and host site by your own. No f#cking resellers
Google is a reseller. Godaddy in this case.
Linode is ok for hosting for now, but you can’t run reliable email out of them. They have a big spam problem and they aren’t sufficiently motivated to fix it… so lots of blacklisting even if you did nothing wrong. They were recently acquired by Akamai. For DNS, Namecheap and Gandi are my usuals, but Cloudflare should be fine. You can look around and confirm these are well respected choices who will definitely be more responsive. Also, ICANN requires yearly sending of emails asking you to confirm your whois details. For email as mentioned protonmail is good. Another excellent choice… Read more »
Thanks for the detailed report, “saying something outrageous on Twitter going viral to get the crowd to hate and cancel you” still looks like my favourite way to get suspended, if I will ever get a website of some sort, in the meanwhile good luck with your endeavours.