Anonymous Domain Registration

Today, a few thousand words on domain registration, information security, and the fundamental weakness of security-through-obscurity. It’s long, but believe me, if you’re reading this site, it almost certainly reveals something you’ll find very interesting.

Have you ever wondered who uses those “anonymous” domain registration services? Like, say, GoDaddy’s Domains by Proxy service? Naturally, a lot of people use them – spammers, scammers, and criminals, sure, but also regular guys with not much to hide. As is pointed out with some regularity, Domains by Proxy, at least, leaves a little bit to be desired.

Fauxdaddy is long gone, but the text, at least, lives on, both highlighting the problems with this field of services, and providing pointers to another chilling experience with the service.

Now, I’m reasonably tech savvy, and GoDaddy aren’t anywhere near the top of my list of registrars I’d ever consider using, for quite a number of reasons besides the joke that is their “private” registration. I might have to reconsider my opinion of them, though. After all, they’re good enough for the FBI to use.

Say what?

A while back, I emailed a FOIA request to the FBI (at a .gov address, of course), which they decided wasn’t specific enough. So, they snail-mailed me a letter telling me so (so much for the Paperwork Reduction Act… sheesh). With that letter was a printout of my email. They couldn’t be bothered to recycle it, I guess, so they sent it back to me, to do the honors. Well, before I did, I noticed a little something – the URL of the webmail program used to view, and print, the email, was helpfully included at the bottom of the letter. And, guess what, dear reader – it isn’t a dot-gov address.

Nope, it’s a dot-com address – specifically, 935mail.com, as seen below:

(I’ve intentionally obscured what I believe to be the username, for security reasons.)

Who is 935mail.com? Well, you’d never guess from the domain registration:

Yep; it uses GoDaddy’s very own Domains by Proxy. Who needs expensive front companies at non-existent addresses, when you can just spend a few bucks a year and use some lackluster commercial service? Not the FBI, apparently.

The server that www.935mail.com runs on – at 204.249.78.128 at the moment – has no PTR (reverse-DNS “pointer”) record, and lives behind a lot of stealthy, firewalled routers somewhere near Maryland; the IP address itself belongs to Sprint, and geolocation services give a variety of information for the IP and those upstream of it.

Interestingly, the only “A” record – heck, the only record, period – the DNS zone for 935mail.com contains seems to be for the “www” record. Also, the server at 204.249.78.128 is mighty stealthy; it only listens on the HTTPS port, doesn’t ping, and quietly ignores normal portmaps. For what it’s worth, it’s running Exchange Server 2003 and Outlook Web Access. I guess it would be bad if there turned out to be any zero-day remote exploits floating around, huh? Hope they weren’t just relying on security-through-obscurity…

It might be worth mentioning, to avoid misplaced excitement, that right now it’s completely impossible to send email to anything@935mail.com; there is neither an MX record, nor an A record for the root zone, so all deliveries would fail. (Too, without an SPF record, very few mailservers will accept mail from addresses @935mail.com.) So the odds of this domain being the next gwb43.com are slim to none.
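To make that delivery reasoning concrete, here is an added example (not code from the original post) that evaluates a parsed DNS zone the way a sending mail server does under RFC 5321 section 5.1: MX records first, sorted by preference; failing that, an implicit MX from an A or AAAA record at the apex; failing that, no delivery at all. It also reports whether a `v=spf1` TXT record is published. The `STEALTHY_ZONE` is constructed to mirror the post’s description of 935mail.com (a lone `www` A record); the `example.test` contrast zone, the record values in it, and the function names are my own assumptions.

```python
"""Mail-deliverability check over a parsed DNS zone.

Added example, not code from the original post. The zones below are
constructed; STEALTHY_ZONE mirrors what the post describes (only a "www"
A record), ORDINARY_ZONE is an invented domain that handles mail normally.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, e.g. "www.example.test."
    rtype: str  # "A", "AAAA", "MX", "TXT", ...
    data: str   # rdata as text; for MX this is "<preference> <host>"


def normalize(name):
    """Lower-case and make the name fully qualified with a trailing dot."""
    return name.lower().rstrip(".") + "."


def lookup(zone, name, rtype):
    """All records in the zone with the given owner name and type."""
    name = normalize(name)
    return [r for r in zone if normalize(r.name) == name and r.rtype == rtype]


def delivery_targets(zone, domain):
    """Hosts an SMTP sender would try for <user>@domain, per RFC 5321 s5.1:
    MX hosts in preference order; otherwise, if the apex itself has an A or
    AAAA record, an implicit MX pointing at the domain; otherwise nothing,
    which means the message cannot be delivered."""
    mx = lookup(zone, domain, "MX")
    if mx:
        parsed = []
        for r in mx:
            pref, host = r.data.split(None, 1)
            parsed.append((int(pref), normalize(host)))
        return [host for _, host in sorted(parsed)]
    if lookup(zone, domain, "A") or lookup(zone, domain, "AAAA"):
        return [normalize(domain)]
    return []


def spf_policy(zone, domain):
    """Return the SPF (v=spf1) TXT record published at the apex, or None."""
    for r in lookup(zone, domain, "TXT"):
        text = r.data.strip('"')
        if text.lower().startswith("v=spf1"):
            return text
    return None


def mail_posture(zone, domain):
    """Summarize whether the domain can receive mail and whether it publishes SPF."""
    targets = delivery_targets(zone, domain)
    spf = spf_policy(zone, domain)
    return {
        "can_receive": bool(targets),
        "targets": targets,
        "has_spf": spf is not None,
        "spf": spf,
    }


# Constructed zone mirroring the post: a single "www" A record, nothing at the apex.
STEALTHY_ZONE = [
    Record("www.935mail.com.", "A", "204.249.78.128"),
]

# Constructed contrast zone (invented domain and addresses) set up for mail.
ORDINARY_ZONE = [
    Record("example.test.", "A", "192.0.2.10"),
    Record("example.test.", "MX", "20 mx2.example.test."),
    Record("example.test.", "MX", "10 mx1.example.test."),
    Record("example.test.", "TXT", '"v=spf1 mx -all"'),
    Record("mx1.example.test.", "A", "192.0.2.25"),
    Record("mx2.example.test.", "A", "192.0.2.26"),
]

if __name__ == "__main__":
    for zone, domain in ((STEALTHY_ZONE, "935mail.com"), (ORDINARY_ZONE, "example.test")):
        print(domain, mail_posture(zone, domain))
```

Run against the stealthy zone, `mail_posture` reports no delivery targets and no SPF, which is exactly the post’s point: a domain with only a `www` record is not a usable mail domain, regardless of what the web server behind it is running.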

The nice, anonymous, innocent-sounding domain was registered 31 January 2005, and the DNS hasn’t been updated since. It’s registered through 2015, although the current (GoDaddy, natch) SSL certificate is valid from 01 May 2007 and expires 02 February 2009.

Who knows; searching the adjacent IP might lead you to other stealthy servers hosting interesting pseudonymously-registered domains. You’ll never know until you look, right? Another possible avenue of research includes seeing what other domains were registered on January 31st, 2005, and which, if any, are registered pseudonymously through GoDaddy. Consider it a public, open-source, distributed OPSEC lesson, at the FBI’s expense. Post any interesting finds in the comments, okay? Thanks. 🙂

Published in: Geekiness, General, Security | on June 1st, 2007 | 7 Comments »


7 Comments

  1. On 6/2/2007 at 1:04 pm Larry Glick Said:

    If you have any doubt about the FBI’s technological abilities, just remember that the agency was founded by none other than the great John Edgar Hoover himself.

  2. On 6/2/2007 at 2:36 pm Brad Said:

    There are a number of companies that claim to do web work that do not pass the smell test. I’ve stumbled across several. Who knows what they really do/are, but they certainly do not appear to do what they claim to do, which is usually a bunch of mumbo-jumbo marketing-ese.

    I’m not saying…I’m just saying.

    Examples: http://braddotcom.livejournal.com/335600.html , http://braddotcom.livejournal.com/228602.html , and http://braddotcom.livejournal.com/324119.html

  3. On 6/2/2007 at 11:45 pm The Thinker Said:

    This is the actual login page URL on 935mail.com for Outlook Web Access:

    https://www.935mail.com/exchweb/bin/auth/owalogon.asp

  4. On 6/4/2007 at 12:14 pm Anthony DeNicola Said:

    It is possible that the domain belongs to someone other than the FBI themselves. I use an external mail server to scrub out spam on some of my e-mail accounts where that server checks my e-mail on a couple of different servers and provides a central location for me to get to them. It could be an FBI Agent who wanted to do that for him/herself…granted that is a big security no-no when you are working for a government agency but it doesn’t mean it doesn’t happen.

  5. On 6/4/2007 at 3:03 pm Nemo Said:

    Anthony – I’m skeptical about that for three reasons – one, I kind of doubt a single lone party would go through the trouble and expense of setting up an Exchange server and Outlook Web Access just for themselves; having done it myself (for a company, not individual use) it’s not something you do during your lunch hour on a slow day.

    Second, I suspect the Bureau has more-than-adequate antispam tools at their disposal, and such a thing would be totally unnecessary. Third, necessity aside, were it a lone person doing this, that’d be a hugely scandalous privacy and security risk. As you point out that doesn’t mean it doesn’t happen… but I still think it’s unlikely.

    Fourth, and last, the URL at the bottom of the email looks something like this:

    https://www.935mail.com/exchange/%userid?%/Inbox/FOIA%20Request.EML?cmd=something

    …which makes me suspect it’s more than just some guy trying to filter out spam, or something.

    I can’t help but notice that the domain was registered less than a month before the big Sober virus thing in February 2005 where people were getting emails from fbi.gov emails with virii in them; I can’t help but wonder if stealthy systems like this one were set up around that time to ensure availability of some, at least, email service in the face of what was, or had the potential to be, essentially a DOS attack on the Bureau’s email servers. In those circumstances, it’d make sense to offload internal communications, at the very least, to an unaffected machine…

  6. On 6/5/2007 at 2:04 pm Chris Cox Said:

    Having set up a small OL2K3 deployment myself and having worked with a few others, I would agree with Nemo. This is just more government outsourcing, I suspect.

  7. On 6/11/2007 at 11:32 pm Random Joe Said:

    Man, they’re still using the 935mail.com letterhead to mess with people’s heads… too funny.