

Emails pretending to be from your registrar claim they are suspending your domain over abuse complaints.

Link downloads malware.

These emails are NOT coming from your domain registrar!!1!



Subject: Domain [ domain name ] Suspension Notice

Dear Sir/Madam,

The following domain names have been suspended for violation of the
[ domain registrar ] Abuse Policy:

Domain Name: [ domain name ]
Registrar: [ domain registrar ]
Registrant Name: [ name of domain registrant ]

Multiple warnings were sent by [ domain registrar ] Spam and Abuse Department to give
you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to
contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our
attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

[ domain registrar ]
Spam and Abuse Department
Abuse Department Hotline: 480-131-5681

This email has been protected by YAC (Yet Another Cleaner)

Picture of fake domain abuse complaint email with malware.

The linked .php script seems to expect the domain name as a GET parameter, which the link in the email supplies.


Header Examples:

2 November 2015 

So not only do they name-drop your domain and registrar in the email body, they show up in your From and Envelope headers.

Received: from []
X-Envelope-From: kazuhiko1961ss
From: " [ domain registrar ] " <icann-abuse-reports@[ domain like your registrar ]>
Subject: Domain [ domain name ] Suspension Notice



2 November 2015

Downloaded executable: [ domain name ]_copy_of_complaints.pdf.scr (Cryptowall ransomware)

VirusTotal report | report | report 

A for effort. Yes, the GET with your domain name in it results in an executable named with your domain name.
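As an added example (not code from the original post), here is a defender-side check for the two tells above: a From display name claiming to be the registrar while the sender and envelope domains do not match the registrar's real domain, and a downloaded file name that hides an executable extension behind a document one. Every sample value is constructed; the trusted registrar name and domain are placeholders you would replace with your own registrar's.

```python
"""Defender-side checks for the fake 'domain suspension' lure described above.

Added example, not code from the original post. All values below are
constructed; the trusted registrar name/domain are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: what your real registrar is called and which domain it mails from.
TRUSTED_REGISTRAR_NAMES = {"example registrar"}
TRUSTED_REGISTRAR_DOMAINS = {"example-registrar.com"}

# Extensions Windows executes even when a document-looking extension precedes them.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "htm", "html"}

# Constructed headers modelled on the "Header Examples" above (lookalike sender
# domain, unrelated envelope sender, "Suspension Notice" subject).
SAMPLE_HEADERS = """\
Received: from [203.0.113.45]
X-Envelope-From: kazuhiko1961ss@mail.example.net
From: "Example Registrar" <icann-abuse-reports@example-registrar-support.com>
To: owner@example.org
Subject: Domain example.org Suspension Notice

"""


def _domain(addr):
    """Return the lowercase domain part of an address header, or '' if absent."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def check_registrar_lure(raw_message, trusted_names=TRUSTED_REGISTRAR_NAMES,
                         trusted_domains=TRUSTED_REGISTRAR_DOMAINS):
    """Return the reasons a message looks like the registrar-suspension lure.

    An empty list means none of the tells fired.
    """
    msg = message_from_string(raw_message)
    reasons = []

    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_domain = _domain(from_hdr)
    envelope_domain = _domain(msg.get("X-Envelope-From", ""))
    subject = msg.get("Subject", "")

    # Tell 1: the subject line used by this campaign.
    if re.search(r"\bsuspension notice\b", subject, re.I):
        reasons.append("subject uses the 'Suspension Notice' lure")

    # Tell 2: display name claims the registrar, but the sending domain is not theirs.
    claims_registrar = any(name in display_name.lower() for name in trusted_names)
    if claims_registrar and from_domain not in trusted_domains:
        reasons.append(f"display name {display_name!r} but sender domain "
                       f"{from_domain!r} is not a trusted registrar domain")

    # Tell 3: envelope sender (the real SMTP sender) disagrees with the From header.
    if envelope_domain and from_domain and envelope_domain != from_domain:
        reasons.append(f"envelope sender domain {envelope_domain!r} differs "
                       f"from From domain {from_domain!r}")
    return reasons


def double_extension_executable(filename):
    """True for names like '<domain>_copy_of_complaints.pdf.scr': a document
    extension immediately followed by an executable extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS


if __name__ == "__main__":
    for reason in check_registrar_lure(SAMPLE_HEADERS):
        print("FLAG:", reason)
    print(double_extension_executable("example.org_copy_of_complaints.pdf.scr"))
```

The envelope-versus-From comparison is the cheap check here: a registrar's real notices are sent from its own infrastructure, so an envelope sender on an unrelated domain is a strong signal even before looking at the lookalike domain in the From header.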

Anywhoo... gets public-facing IP address :


POSTs data to and gets data from a ton of hacked/junky websites :

I'm sure eventually we would get a bunch of ransom notes and some tor2web gateways with which we could buy our files back.

When I ran it, the tor2web gateways were :

Ransom went to Bitcoin wallet :