Attention Webmasters: Fake Domain Renewal Emails Spotted

Martin Brinkmann
May 3, 2011
Updated • Apr 9, 2012
Development, Security

I have a lot of domains. Well, a lot is relative but it is enough to lose the overview occasionally. While the majority is hosted at one popular provider (Godaddy), some are hosted at other domain registrars and web hosting companies. I get regular automated emails from those companies. They tell me that a domain name is expiring for instance.

Imagine my surprise when I received a new email today from a company that I never worked with before. The email was send by [email protected] and was send via, a Godaddy owned company IIRC.

It reads:

FWD: Attention: Expiring Soon


Notice of Expiration

Bill To: Invoice # 1304452910
Invoice Date May 3, 2011
Essen, NR Terms Net 14
45130 - US Due Date May 18, 2011
P.O. #
Domain Name Registration Price Term
MARTINBRINKMANN.COM May 3, 2011 - May 3, 2012 $75.00 1 Year

Attention :

This solicitation is to inform you that it's time to send in your search engine registration for MARTINBRINKMANN.COM. DRS is a submission service and search engine ranking firm.

Failure to complete your search engine registration by May 18, 2011 may result in the cancellation of this offer (making it difficult for your customers to locate you using search engines on the web).

Your registration includes search engine submission for MARTINBRINKMANN.COM for 1 year. You are under no obligation to pay the amount stated above unless you accept this offer by May 18, 2011. This notice is not an invoice. It is a courtesy reminder to register MARTINBRINKMANN.COM for search engine listing so that your customers can locate you on the web.

This Offer for MARTINBRINKMANN.COM will expire on May 18, 2011. Act today!
For Domain Name:

All links in the email pointed to A few aspects of that email were suspicious:

  • I was not addressed personally
  • The price for a one year renewal was way to high ($75)
  • The domain was set to expire on May 3, 2011 but I did not receive renewal emails before.
  • The domain was paid for until 2013 and not 2011

I was curious and visited the site anyway. I knew that I was protected from harm by NoScript, so no worries there. The page looked like this

Notice anything in particular? Right, there is no account login on the page. All you can do is to enter your credit card data on the first page. That page was obviously phishing for credit card information.

This is the first time that I have received such an email. It looks and feels very amateurish to me. Having said that, it is likely that the attackers will tune the emails in the future, for instance by only writing to domain owners whose domains are really expiring.

Use this as a word of caution. If you receive such emails submit them to your domain registrar so that their legal department can take care of it.

As a side note. I'm currently working on a domain management tool which webmasters and companies can use to manage all their domains and web properties. If you are interested to hear more about it let me know.


Previous Post: «
Next Post: «


  1. Daryl said on May 3, 2011 at 11:13 pm

    Got one much the same as that myself for one of several/many domains I look after.

    It’s a pretty good job too as these things go. However, it stuck out for me too for much the same reason as you mention (a) not from one of the small number of companies who look after my domains (b) price.

    Undoubtedly it will catch out the unwary though.

  2. Andy said on May 3, 2011 at 11:54 pm

    It’s an obvious phishing scam, especially when you read what it’s for – search engine registration – not domain name registration.

    1. Martin Brinkmann said on May 4, 2011 at 12:17 am

      It is nevertheless linking domains to their rightful owners. But good eyes you got, that the money you pay for is not for the domain renewal.

  3. Rick said on May 4, 2011 at 5:04 am

    If this is your first phishing on domain registration you have been lucky I guess. I get about one a month. The highest attempted registration fee I’ve run into is $125 / yr or a real discount of $200 for 2 yearrs :)

    Fortunately I have all of the domains on a host that provides the registration dates etc. with auto-renews, so I know whatever I get via email is not real.

  4. Patrick Duguay said on May 8, 2011 at 5:01 pm

    I got this as well except that it has all my personal information connected to my account. Don’t know how they got this information.

    1. Martin Brinkmann said on May 8, 2011 at 5:20 pm

      Probably from the whois information.

  5. DLouise said on May 10, 2011 at 8:14 pm

    Yup…just received one of these today. The tip off? The over-inflated renewal amount!

    Was about to “reply” regarding the new rate, when it hit me, somethin’ ain’t right here. Their email address was fishy, looked it up, found it was associated with “”…you can read the “who-is” on this one.

    Thanks for your boards as well, for further info.

  6. Kloxi said on May 14, 2011 at 8:51 pm

    Yeah – I’ve just had this too. If they wanted my credit card details they could have been smart enough to guess approximately how much I expect to pay for “search engine registration”. NOT 75$! God bless the idiots of this world! Seriously though, we need to watch out for these guys getting smarter as has been pointed out. Hey – it wouldn’t be difficult!

  7. Amanda said on May 16, 2011 at 3:37 am

    Hi – just had the same email. A number of things stood out that made it suspect. The subject line started with *Re: * for a start! Some poor sentence structure, along with the fact that my webhosting company was not listed anywhere made it easy to spot the fake, but I’m sure it would be successful with some. Very sneaky!
    FYI – I found this site just by googling the subject line – so great stuff!

    Cheers, A

  8. Mick Lauer said on May 16, 2011 at 4:54 pm

    Thanks for the heads up. FBed it to all I know, and our company is notifying our clients.

    I found this article because a client of mine asked about their domain.

    Thanks again,


  9. jim bosche said on September 28, 2011 at 7:24 am

    this is the website –

    here is the owner of the site – i am going to call the police in beverly hills to get this idiot.

    created: 14-Sep-2011
    last-changed: 15-Sep-2011
    registration-expiration: 14-Sep-2012



    registrant-firstname: T
    registrant-lastname: Jackson
    registrant-street1: PO Box 2818, Beverly Hills
    registrant-pcode: 90213
    registrant-state: CA
    registrant-city: Beverly Hills
    registrant-ccode: US
    registrant-phone: +1.3103675558

    admin-c-firstname: T
    admin-c-lastname: Jackson
    admin-c-street1: PO Box 2818, Beverly Hills
    admin-c-pcode: 90213
    admin-c-state: CA
    admin-c-city: Beverly Hills
    admin-c-ccode: US
    admin-c-phone: +1.3103675558

    tech-c-firstname: T
    tech-c-lastname: Jackson
    tech-c-street1: PO Box 2818, Beverly Hills
    tech-c-pcode: 90213
    tech-c-state: CA
    tech-c-city: Beverly Hills
    tech-c-ccode: US
    tech-c-phone: +1.3103675558

    bill-c-firstname: T
    bill-c-lastname: Jackson
    bill-c-street1: PO Box 2818, Beverly Hills
    bill-c-pcode: 90213
    bill-c-state: CA
    bill-c-city: Beverly Hills
    bill-c-ccode: US
    bill-c-phone: +1.3103675558

  10. jim bosche said on December 7, 2011 at 11:35 pm

    this is a bogus link for a scam
    it has been used as a phishing scam to get businesses to click, for fear that the BBB has a complaint on them. it poses as coming from the BBB, but it has nothing to do with the BBB or the BBB complaints. The BBB does not send complaints by email.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.