Chinanethost.org Domain Registration Scam

This scam is so old I forgot about it. Goes back to at least 2010.

Basically, the scammer says they run a domain name registrar and noticed someone trying to buy .cn, .net.cn, .org.cn, and other variations of a domain name you already own.

At first, they imply that they want confirmation from you to block the sale of similar domain names. In reality, they want you to block the sale by buying the domains from them yourself.

Don’t fall for it. Very few can afford to by every top level domain variation of their domain name. Learn more about this scam here and here.

This is the version of the scam I received in 2022 July:

Subject: exampledomain
From: [email protected]
(It’s very urgent, therefore we kindly ask you to forward this email to your CEO. If you believe this has been sent to you in error, please ignore it. Thanks)
Dear CEO,
This is a formal email. We are the Domain Registration Service company in Shanghai, China. Here I have something to confirm with you. On July 7, 2022, we received an application from Hongmei Ltd requested “exampledomain” as their internet keyword and China (CN) domain names (exampledomain.cn, exampledomain.com.cn, exampledomain.net.cn, exampledomain.org.cn). But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it’s necessary to send email to you and confirm whether this company is your distributor in China?
Best Regards
Robert Liu | Service & Operations Manager
China Registry (Head Office)
Tel: +86-2161918696
Fax: +86-2161918697
Mob: +86-13816428671
6012, Xingdi Building, No. 1698 Yishan Road, Shanghai 201103, China
This email contains privileged and confidential information intended for the addressee only. If you are not the intended recipient, please destroy this email and inform the sender immediately. We appreciate you respecting the confidentiality of this information by not disclosing or using the information in this email.

If you want to setup mail filtering rules to block this particular scammer, here’s some email header information:

domain of chinanethost.org designates 205.185.118.41 as permitted sender
client-ip=205.185.118.41
[email protected]
helo=mx.chinanethost.org;
[email protected];
header.from=chinanethost.org;
dkim=pass [email protected];
spf=pass (domain of chinanethost.org designates 205.185.118.41 as permitted sender)
[email protected];
dmarc=pass header.from=robert@chinanethost.org (p=none dis=none)
Received: from mx.chinanethost.org (mx.chinanethost.org [205.185.118.41])
Return-Path: robert@chinanethost.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=chinanethost; d=chinanethost.org; h=Date:From:To:Subject:Mime-Version:Message-ID:Content-Type; [email protected];

As you can see, this particular scammer is using valid SPF, DKIM, and DMARC records.