I keep getting emails about expiring subdomains that I have not registered like postmaster, shop, cart etc. There does not seem to be a website at those sites (or any other ports open) but I don’t understand how, or why, someone is registering all these subdomains. You can see them all at crt.sh - I switched from jwilder’s reverse proxy to traefik recently and it looks like maybe the registrations have stopped but any help on why they were all being registered and how someone could do it would be helpful. I register the main domain and www and those never send emails because traefik renews them in time.
The emails look like: Let’s Encrypt certificate expiration notice for domain - Your certificate (or certificates) for the names listed below will expire in 19 days
I have a DNS wildcard and the reverse proxy (traefik) redirects anything that isn’t currently being used (any vhost I suppose) to a simple 404 page but what I don’t understand is how someone is requesting the certificates? And why?
There’s nothing in the logs to indicate anyone else has access. I can account for the time, IP, username and key of everyone who accessed the site. Traefik also does not list any of these certificate requests. Is there a way to see what IP address the requests came from and which validation method they used?
On your other point, how does having wildcard DNS allow mail spam or phishing sites? It points to my server not to anything else, and then the reverse proxy serves up a blank page to any request without a valid domain. This Stack Overflow discussion seems to say the worst that can happen is you can have i-hate.company.com and suffer some SEO problems but as I serve a 404 that doesn’t seem like a major problem.
Ok thanks for the explanation. I’ve asked the client to change the DNS setup with their registrar.
None of the domains have ever had any content on them so it doesn’t seem like phishing, or an early failed attempt at it. Is there a way to figure out who requested the certificates? Is there a way to find the IP address and validation method used to request them?
This information isn’t public, but you can write to security@letsencrypt.org describing your situation and see if the security team can help investigate the possible abuse or compromise related to these subdomains.
If traefik has “on demand” certificate issuance, an attacker, or just a curious user, could trigger it to request a certificate for any subdomain they want just by accessing a subdomain (I don’t use this but remember reading about it before, so I may be incorrect).
If this is indeed the case it wouldn’t indicate any sort of compromise of your system, but could lead to rate limit problems and result in a form of denial of service.
Yes, the client doesn’t know who those subdomains might be from. I’ve had it happen with several domains, some are WordPress, some not. The only thing in common is they are all using Traefik to get certificates from Let’s Encrypt.
Going to a subdomain doesn’t issue a certificate so that can’t be it.
I will contact the security team on Monday and see if I can get to the bottom of it that way.
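As an added example (not code from anyone in this thread), here is the kind of crt.sh check the opening post describes, done offline against a constructed sample: it pulls every name under the domain out of a crt.sh-style JSON listing, drops the names you knowingly issue, and flags the rest along with which ones fall inside Let’s Encrypt’s expiry-notice window. The field names (`name_value`, `not_before`, `not_after`, `id`) follow crt.sh’s JSON output as I know it and are an assumption, as is the example.com domain.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like crt.sh's "output=json" listing for %.example.com
# (field names are an assumption about crt.sh; values are made up for this example).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2021-01-01T00:00:00", "not_after": "2021-04-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "shop.example.com",
     "not_before": "2021-01-10T00:00:00", "not_after": "2021-04-10T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "postmaster.example.com",
     "not_before": "2021-01-10T00:00:00", "not_after": "2021-04-10T00:00:00"},
])

def unexpected_names(crtsh_json, domain, expected):
    """Map each SAN under `domain` that is not in `expected` to
    (cert id, not_before, not_after) of its most recently issued certificate."""
    found = {}
    for cert in json.loads(crtsh_json):
        # crt.sh joins a certificate's SANs with newlines in name_value
        for name in cert["name_value"].split("\n"):
            name = name.strip().lower()
            if name != domain and not name.endswith("." + domain):
                continue          # name belongs to some other domain
            if name in expected:
                continue          # a certificate we issued on purpose
            not_before = datetime.fromisoformat(cert["not_before"])
            not_after = datetime.fromisoformat(cert["not_after"])
            if name not in found or not_before > found[name][1]:
                found[name] = (cert["id"], not_before, not_after)
    return found

def expiring_within(names, now, days=19):
    """Names whose latest certificate expires within `days` of `now`
    (19 days matches the notice quoted in the thread)."""
    return sorted(n for n, (_, _, na) in names.items()
                  if na - now <= timedelta(days=days))

if __name__ == "__main__":
    ours = {"example.com", "www.example.com"}
    odd = unexpected_names(SAMPLE_CRTSH_JSON, "example.com", ours)
    for name, (cert_id, nb, na) in sorted(odd.items()):
        print(f"{name}: crt.sh id {cert_id}, issued {nb:%Y-%m-%d}, expires {na:%Y-%m-%d}")
    print("expiring soon:", expiring_within(odd, datetime(2021, 3, 25)))
```

Against a live domain you would fetch `https://crt.sh/?q=%25.example.com&output=json` and pass the body in as `crtsh_json`; the listing shows what was issued and when, but, as the reply above says, not who requested it or by which validation method.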