Industry Observations-Technical Insight

Why com.com Should Scare You

A long time ago I began compiling a list of lesser-known but still very scary choke points on the Internet: a short list of providers (like the DNS resolver 4.2.2.2 that most routers use, for instance) that could have a major impact if they were ever compromised or owned by a nefarious third party. One of those was com.com.

Com.com is the single best typo-squatter domain on the planet. Say, for instance, you accidentally type user@yahoo.com.com (notice the extra .com at the end). Yes, it would go to the com.com email servers if they were set up to accept inbound mail. If you typed a URL as http://www.yahoo.com.com, you would likewise land on the typo domain. Or how about phishing sites at ebay.com.com, or downloading the latest patch from microsoft.com.com? Given that .com is the largest TLD, com.com is naturally the best typo domain there is.

A few months ago, and without much fanfare, com.com was silently sold by CNET to DSparking.com – one of the most notorious domain squatters ever. Sources close to the deal told me it was sold for around $1.5 million. Yes, the fox owns the hen-house. For $1.5 million it was a steal, though – it’s easily worth that in typo traffic alone, plus the huge volume of accidental inbound links.

However, things are not as bad as they could be. Port 80 (web) is open, yes, but port 25 (mail) is not. If and when DSparking decides to open port 25 they will start receiving tons of email, some of it potentially extremely sensitive. Even if the mail appears to be rejected by their servers, they could still be logging it.

For now mail appears to be closed and has been since the deal went through. They could easily be opening port 25 only to selected IP address ranges, or even opening and closing it periodically to get a snapshot of traffic. There’s no easy way to know for sure. I doubt it’s open at all, but should that change, and it easily could, this should be considered an extremely dangerous domain.

Correction:

As @spazef0rze pointed out, although port 25 is closed on the web host itself, mail is still being processed through a separate DNS entry (the MX record):

$ host -t MX yahoo.com.com
yahoo.com.com mail is handled by 10 mx.b-io.co.

Also, as @mubix noted, many other ports and protocols are open to the same interception when a hostname is typo’d this way. So yes, it’s probably time to block this domain. No good can come of it.
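A defender-side check for the typo pattern described above, as an added example that is not part of the original post: it scans constructed outbound-mail log lines for recipients whose domain ends in a doubled TLD (yahoo.com.com, microsoft.com.com) and reports the likely intended address. The TLD set and the log line format are assumptions.

```python
import re
from email.utils import parseaddr
# Added example (not from the post): flag outbound recipients whose domain ends
# in a doubled TLD such as "yahoo.com.com", which hands the mail to whoever
# holds com.com. The TLD set is a constructed subset, not the full root zone.
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "co", "io"}

def doubled_tld(domain):
    """Return the intended domain if `domain` ends in a repeated TLD, else None.
    "yahoo.com.com" -> "yahoo.com"; "example.co.uk" -> None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    if labels[-1] == labels[-2] and labels[-1] in COMMON_TLDS:
        return ".".join(labels[:-1])
    return None

def check_recipient(addr):
    """Return (is_suspicious, corrected_address_or_None) for one address."""
    _, email = parseaddr(addr)
    if "@" not in email:
        return (False, None)
    local, domain = email.rsplit("@", 1)
    fixed = doubled_tld(domain)
    return (fixed is not None, f"{local}@{fixed}" if fixed else None)

# Constructed sample of outbound mail log lines (not real traffic).
SAMPLE_LOG = """\
2013-05-01T10:00:01Z from=<alice@example.org> to=<bob@yahoo.com.com> status=sent
2013-05-01T10:00:02Z from=<alice@example.org> to=<carol@yahoo.com> status=sent
2013-05-01T10:00:03Z from=<dave@example.org> to=<eve@microsoft.com.com> status=sent
2013-05-01T10:00:04Z from=<dave@example.org> to=<frank@bbc.co.uk> status=sent
"""
TO_RE = re.compile(r"to=<([^>]+)>")

def flag_log(log_text):
    """Return [(line_number, recipient, intended)] for suspicious recipients."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = TO_RE.search(line)
        if m:
            suspicious, fixed = check_recipient(m.group(1))
            if suspicious:
                hits.append((n, m.group(1), fixed))
    return hits

if __name__ == "__main__":
    for n, rcpt, fixed in flag_log(SAMPLE_LOG):
        print(f"line {n}: {rcpt} looks like a typo for {fixed}")
```

The same `doubled_tld` test can be applied to URLs or proxy logs, since the web and phishing cases in the post hinge on the identical hostname mistake.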

  • http://welivesecurity.com Marc-Etienne M.Léveillé

    Hi Robert,

    I’d like to point out that com.com does in fact sinkhole e-mail messages sent to anything.com.com. You can look at their MX record:

    whitehatsec.com.com. 3600 IN MX 10 mx.b-io.co.

    mx.b-io.co is owned by bounce.io, who claim to be monetizing typo in e-mail addresses by sending bounce messages containing ads.

    Cheers,

    Marc-Etienne

    • Maurina Venturelli

      Hi Marc,

      Thank you for the comment. Robert added a correction that addresses your comment. (See above).

      Best,
      Maurina V
      Social Media Manager, WhiteHat Security

  • http://extrapepperoni.com/ Chris Pepper

    I’m more concerned with stupid URL autocorrection. What if I type yaho.com, which doesn’t resolve, and my dumb-but-helpful browser appends ‘.com’, as the most likely transformation to get me where I wanted to go?

    I don’t know of any browsers that do this currently — all those I have used take a period in the string as a hint not to do more than prepend ‘http://’ — but it’s probably inevitable somewhere.

    • Maurina Venturelli

      Hi Chris,

      Thank you for your comment, here is a response from Robert:

      An interesting thought, but that never happens from what I’ve seen. No browser anywhere appends a .com to the end of anything without the user manually doing it. Even browsers that accept the command-Enter function (on Mac – in Windows it works differently) look at the effective TLD, and if it matches an existing known effective TLD they won’t append an additional .com.

  • Daniel Vidos

    Thanks for the info!