JRDN
Jason Roysdon dot Net

Domain Registrars, Confirmation Emails, and Wireshark packet capture filters

January 25th 2010 in Networking

I really feel for folks who have bad setups for their website. In this specific case, I'm referring to a problem where Tucows/OpenSRS was used to register the domain through one of their Registration Service Providers (RSPs), acmeinternet.com. I say all this to warn folks how bad it gets when things go wrong. Use a registrar you can call up and reach a live person at, and one that has been around for some time.

One problem is that the website designer used a Privacy Guard feature of Tucows/OpenSRS, or at least Tucows/OpenSRS' implementation of this sort of feature. The idea is to hide the identity of a domain's owner, mostly so they don't get email or snail-mail spam. Great idea, but bad for your legal rights. In this case, it lists Tucows/OpenSRS' "Contactprivacy.com" as the legal registrant and for all of the contact information. This might not be so bad if Tucows/OpenSRS had end-user support, but I still disagree with it and think you should always have your own name and/or company name listed as the legal registrant, even if the contact details are masked. I personally like the way GKG.net does this for email addresses (for free as well), as you can see in my Roysdon.net WHOIS information.

However, Tucows/OpenSRS passes the support buck to the RSP the website designer chose, acmeinternet.com. Acmeinternet.com's support doesn't answer the phone and their voicemail option is broken. They don't respond to emails or support cases. For all I know the acmeinternet.com owner is deceased and the phones and webserver are just running on autopilot.

Tucows/OpenSRS does have a support escalation method, of sorts. They provide a form that is emailed to the RSP, and if the RSP doesn't respond within 1-2 days, Tucows/OpenSRS will provide some sort of assistance.

Wow, what a hassle, what a pain. Just say no to this sort of cluelessness. While no tech support is perfect, they should at least respond to phone calls and emails. We're in the process of moving the domain over to GoDaddy.com, which is incredibly stable and has real people working their support desk. GoDaddy's domain registrar and DNS service are dirt cheap as well, so I cannot see why anyone (other than out of cluelessness) would use something as bad as Tucows/OpenSRS/acmeinternet.com to save $1 or $2. Adjusting "penny-wise, pound-foolish" for inflation and for the currency on this side of the pond, this is dollar-wise, hundreds-foolish.

In doing all of this, I wanted to verify that we were getting no emails from acmeinternet.com support (in response to the support tickets opened in the customer's name with their email address, or to the password requests which claimed an email had been sent). I didn't trust the customer's Exchange server and/or TrendMicro spam filter not to be eating emails, so I wanted certainty at the wire level, independent of what any mail server or spam filter log says.

Running Wireshark on the Exchange server lets me do this. First, I only wanted internet email traffic, not user Outlook/Exchange traffic or Exchange/Outlook Web Access traffic, so I set the capture filter to tcp port 25. Two caveats apply: the capture has to run on the host that actually receives mail from the internet (the MX), since anything dropped by an upstream gateway never reaches it; and if the sending server negotiates STARTTLS, the envelope and headers are encrypted and the display filters below will not match, although the session itself still appears in the capture and the STARTTLS command is visible with smtp.req.command == "STARTTLS". Next, I sent test emails and came up with the following display filters:
imf.to matches "(?i:alias\@domain\.com)" to match the address in the To: header
imf.cc matches "(?i:alias\@domain\.com)" to match the address in the Cc: header
smtp.req.parameter matches "(?i:alias\@domain\.com)" to match the address in the SMTP envelope (the RCPT TO: command), which is where a Bcc: recipient shows up, since it is never written into the message headers

The matches operator takes a Perl-compatible Regular Expression (PCRE); (?i:...) makes the match case-insensitive, which matters because the sending system may capitalize the address differently than you do. Of the two backslash escapes, only the one on the dot is actually needed: an unescaped . in a regex matches any character, whereas @ has no special meaning in PCRE and the backslash in front of it is merely harmless. Newer Wireshark versions are stricter about backslash escapes inside double-quoted filter strings and provide raw strings (r"...") so a regex can be written without the backslashes being interpreted; in those versions r"(?i)alias@domain\.com" is the safer form.

I then combined these into a single display filter by ORing them together (||):
imf.to matches "(?i:alias\@domain\.com)" || imf.cc matches "(?i:alias\@domain\.com)" || smtp.req.parameter matches "(?i:alias\@domain\.com)"
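As an added illustration (not part of the original post), the script below applies the same three checks to a constructed plaintext SMTP session, with the transcript, addresses and domain names made up for the example. It shows why the envelope check is needed (a Bcc'd recipient appears only in RCPT TO:, never in the To:/Cc: headers), why the dot must be escaped, and it builds the combined filter string for a given address. The filter it emits uses Wireshark's raw-string form r"..."; that assumes a recent Wireshark, and older versions take the double-quoted form shown above.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed SMTP session (not a real capture): one message from a
# hypothetical support address whose envelope carries a Bcc'd recipient
# that never appears in the To:/Cc: headers. Server replies start with a
# three-digit code; everything else is what the client sent.
SAMPLE_SESSION = """\
220 mail.domain.com ESMTP Service ready
EHLO mx.acmeinternet.com
250-mail.domain.com Hello
250 OK
MAIL FROM:<support@acmeinternet.com>
250 2.1.0 Sender OK
RCPT TO:<Alias@Domain.com>
250 2.1.5 Recipient OK
RCPT TO:<bcc-copy@domain.com>
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with <CRLF>.<CRLF>
From: support@acmeinternet.com
To: Someone Else <someone.else@domain.com>
Cc: Alias@Domain.com
Subject: Re: your support request

Headers are what matter here; the body is irrelevant.
.
250 2.6.0 Queued
QUIT
221 2.0.0 Service closing
"""

REPLY_RE = re.compile(r"^\d{3}[ -]")
RCPT_RE = re.compile(r"^RCPT TO:\s*<?([^>\s]+)>?", re.IGNORECASE)


def parse_smtp_session(transcript):
    """Split a plaintext SMTP session into the envelope recipients (the
    RCPT TO: parameters, which is what smtp.req.parameter carries) and the
    To:/Cc: addresses of the DATA block (what imf.to / imf.cc carry)."""
    rcpt_to, data_lines, in_data = [], [], False
    for line in transcript.splitlines():
        if in_data:
            if line == ".":              # a lone dot terminates DATA
                in_data = False
            else:
                data_lines.append(line)
        elif REPLY_RE.match(line):
            if line.startswith("354"):   # server accepted DATA; message follows
                in_data = True
        else:
            m = RCPT_RE.match(line)
            if m:
                rcpt_to.append(m.group(1))
    msg = message_from_string("\n".join(data_lines))
    hdr = lambda name: [addr for _, addr in getaddresses(msg.get_all(name, []))]
    return {"rcpt_to": rcpt_to, "to": hdr("To"), "cc": hdr("Cc")}


def recipient_pattern(address):
    """Case-insensitive literal match for one address, the Python equivalent
    of (?i:alias\\@domain\\.com); re.escape quotes the dot so it cannot
    match an arbitrary character."""
    return re.compile(re.escape(address), re.IGNORECASE)


def match_recipient(session, address):
    """Report where the address appears, mirroring the three display
    filters: imf.to, imf.cc and smtp.req.parameter (RCPT TO:)."""
    pat = recipient_pattern(address)
    seen = lambda values: any(pat.search(v) for v in values)
    return {"to": seen(session["to"]), "cc": seen(session["cc"]),
            "envelope": seen(session["rcpt_to"])}


def wireshark_display_filter(address):
    """Build the combined OR filter for one address in raw-string form
    (assumes a Wireshark version that accepts r"..." string literals)."""
    regex = "(?i)" + re.escape(address)
    return " || ".join(f'{field} matches r"{regex}"'
                       for field in ("imf.to", "imf.cc", "smtp.req.parameter"))


if __name__ == "__main__":
    session = parse_smtp_session(SAMPLE_SESSION)
    for addr in ("alias@domain.com", "bcc-copy@domain.com", "nobody@domain.com"):
        print(addr, match_recipient(session, addr))
    print(wireshark_display_filter("alias@domain.com"))
```

Running it shows the Bcc'd address matching only in the envelope, which is exactly the case the smtp.req.parameter clause exists for; a filter built from imf.to and imf.cc alone would have missed that delivery.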

I kept this capture running while trying to contact support and requesting a password reset (which claimed to email the password). I sent further test emails at the end, and did see those come in, but nothing from acmeinternet.com.

I'd love to show screen captures of all this nifty packet capturing, but I don't want to have to blank out all the email and domain content for the customer's privacy. However, using Wireshark like this works great for proving that nothing from acmeinternet.com support is reaching the domain owner's email address at the server.
