"Submit a ticket"

Now, let me start by saying I love ticket systems. They are the order amongst the chaos in the IT support world, and when supporting customers often the correct approach is to ask them to raise a ticket.

However, when a member of the public brings to your attention a criminal enterprise using your platform, it's not a constructive response.

Yet it's the one I received from Namecheap CEO, Richard Kirkendall, in this very situation today.

Royal Mail

This started with a text from "Royal Mail" claiming I needed to pay £2 to receive a parcel that they couldn't deliver (this is, of course, nonsense but many will sadly fall for it). The website was https://royalmail-redirect.me and this site was hosted by Namecheap, one of the largest hosting companies around.

Simple, report the scammer, shut it down...

Having determined this, the obvious thing to do is report it.

A quick tweet to any reputable company is all it takes these days, and many have shut down scammers' websites or phone lines within an hour or so of such a report... but not Namecheap.

Indeed, having seen that others had had problems, I also tagged @NamecheapCEO so they were included in the response and could see how their company handled it.

I was surprised to get this response within the hour from the CEO, Richard Kirkendall, himself;

More than 9 out of 10 abuse reports submitted to us are false or incorrect. We processed/investigated 1.1 million abuse claims/reports in 2020 and only 100k of them were actually found to be linked to abuse. Less than 1 percent of domains registered with us. Submit a ticket.

Wow. Rather than acknowledging the issue, he points out that "9 out of 10 reports are false or incorrect" and defends the policy of ignoring the report.

What followed didn't really make much sense. I simply asked why their support team could not raise a ticket internally based on the report I had made.

Because 1. we receive a lot of frivolous reports daily and each needs to be investigated. 2. We have no idea who random people on twitter are and therefore we need to categorize each abuse report as well as track it.

Again, let's divert attention away from the problem. They're big and important, they get lots of frivolous reports, so presumably that's the assumption - 90% of the time it's not worth looking at anyway?

No idea who random people are?

But let's also consider "We have no idea who random people on twitter are" ... why does it matter who raises the report of something so blatantly obvious?

Does it matter if it's someone like me (a named account with my full name) or PurpleFluffyKitten23, surely not?

Not to mention, is processing my personal data even relevant to an abuse report at all, given the screenshots of the site and the domain (which they can just visit in a browser!)?

Indeed, maybe if they were as worried about who their customers were as they seem to be about Twitter identities, we wouldn't be in this situation in the first place.

After all, this is a company that accepted money from criminals to host a website to defraud people, and they're worried about receiving abuse reports from "random people on Twitter".

Blatantly Obvious

I made the claim that this case was "blatantly obvious by the content of the site", although apparently even this was enough to set Namecheap on the defensive;

What may seem "blatantly obvious" to you may not be so for others. Not everyone lives in the UK for example.

Indeed, not everyone lives in the UK, but let's look at the facts;

  • Domain registered 2021-02-26 (11 days ago)
  • SSL cert on the same day
  • Page is branded "Royal Mail Ltd" (bet that's not the registrant!)
  • It's a copy of a real Royal Mail page, with all links prefixed with a # to make them invalid.
  • The "Tracking Number" RM220837544GB is hardcoded and doesn't change.
  • If you click continue it asks for personal data, including Date of Birth (for a parcel delivery?)
  • If you continue beyond that page, it asks for Cardholder Name, Card Number, Security Code, Account Number, and Sort Code...
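The indicators above are exactly the kind of thing an abuse desk could check automatically before deciding a report is "frivolous". The following is an added example (not Namecheap's tooling, nor anything from the original post): a small triage scorer that parses constructed HTML mirroring the page described, counts `#` placeholder links, spots a Royal Mail-format tracking number hardcoded in the markup, flags card and bank fields on a "redelivery" form, and checks brand name against the hosting domain and registration age. The sample markup, the `royalmail.com` brand domain and the 30-day age threshold are assumptions.

```python
import re
from datetime import date
from html.parser import HTMLParser

# Field labels a parcel-redelivery page has no business asking for.
SENSITIVE = ("card number", "security code", "sort code", "account number", "date of birth")

class _Scan(HTMLParser):
    """Collects anchors and input fields from the page markup."""
    def __init__(self):
        super().__init__()
        self.links, self.dead_links, self.fields = 0, 0, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") is not None:
            self.links += 1
            if a["href"].startswith("#"):          # link that goes nowhere
                self.dead_links += 1
        elif tag == "input":
            self.fields.append((a.get("placeholder") or a.get("name") or "").lower())

def triage(html, domain, registered, today, brand, brand_domains):
    """Return (score, reasons): one reason per phishing indicator observed."""
    scan = _Scan()
    scan.feed(html)
    reasons = []
    age = (today - registered).days
    if age < 30:                                   # assumed threshold
        reasons.append("domain registered %d days ago" % age)
    on_brand = any(domain == d or domain.endswith("." + d) for d in brand_domains)
    if brand.lower() in html.lower() and not on_brand:
        reasons.append("branded '%s' but hosted on %s" % (brand, domain))
    if scan.links and scan.dead_links / scan.links >= 0.8:
        reasons.append("%d of %d links are '#' placeholders" % (scan.dead_links, scan.links))
    if re.search(r"\b[A-Z]{2}\d{9}GB\b", html):   # tracking number baked into the page
        reasons.append("tracking number hardcoded in static markup")
    asked = [f for f in scan.fields if any(k in f for k in SENSITIVE)]
    if asked:
        reasons.append("asks for " + ", ".join(asked))
    return len(reasons), reasons

# Constructed sample mirroring the page described in the post (not a real capture).
SAMPLE_HTML = """<html><body><h1>Royal Mail Ltd</h1>
<a href="#">Track</a><a href="#">Help</a><a href="#">Contact</a><a href="#">Sign in</a>
<p>Tracking Number: RM220837544GB</p>
<form><input name="dob" placeholder="Date of Birth"><input placeholder="Card Number">
<input placeholder="Security Code"><input placeholder="Sort Code"></form></body></html>"""

def triage_sample():
    """Run the triage over the sample using the post's registration date and report date."""
    return triage(SAMPLE_HTML, "royalmail-redirect.me", date(2021, 2, 26),
                  date(2021, 3, 9), "Royal Mail", ("royalmail.com",))

if __name__ == "__main__":
    score, why = triage_sample()
    print(score, *why, sep="\n")
```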

You don't need to live in the UK to know this is a scam. Indeed I'd bet you don't need to live in the UK to know what Royal Mail is.

I'd recognise a USPS scam, or Singapore Post, or Australia Post, or Deutsche Post etc. (and I also know without Googling it that these are national postal services, and not people who pick a low-budget hosting package with an SSL cert for a single tracking page) - this is common sense, not a deep intelligence operation.

If someone working for a hosting company can't tell this is a scam, Namecheap have bigger problems.

Very fine people on both sides?

When 9 out of 10 abuse reports can take down legitimate customers, small businesses etc., due process is paramount. There are potential victims on both sides of the table so don't overvalue one over the other.

Now, I can actually agree with this to some extent.

I've held more than one role where I've had the button that kills a telephone service if it's involved in fraud and replaces the call with the ActionFraud message informing people that if they've had a call from that number the caller should NOT be trusted.

However, if I make a test call to that number and they answer the phone "Good Afternoon HMRC Court" you can bet I'll be pressing that button.

Nonetheless, the salient point here isn't the actual fraudulent use, but the complete evasiveness by Namecheap.

My personal view is that any company working in this space has a responsibility and a duty of care to the public to do everything they can to prevent their network and resources being used to facilitate fraud, and the way to do that is to take all reports seriously and not simply say "Submit a Ticket".