I got an email today from LetsEncrypt about a change for older browsers. It included this line here:
The problem is I never heard of this domain. Is there anything I have to do about this?
Yes just had this too for some Russian hostname. Letsencrypt messed up their mailing campaign.
Got the same message with references to different domains, one under .ro and one under .com, neither of which are mine. If this is an ongoing mail campaign, I suggest stopping it immediately.
Quote:
Hello from the staff at Let's Encrypt. On September 30, there will be a change in how older browsers and devices trust Let's Encrypt certificates, resulting in a minor decrease in compatibility. If you run a typical website, you won't notice a difference. Devices and browsers running up-to-date software will continue working fine, and we've taken steps to make sure the vast majority of older devices will too.
If you run a large website, or need to support less common software (particularly non-browser software), you'll want to read about the details at: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
In either case, no action is required from you. We're letting you know so you can provide answers to any questions your site visitors may have.
Here is a sample hostname from one of your current Let's Encrypt certificates:
---.ro
---.com
Since 2015 we've served the world with 1.6 billion free certificates, each one providing security and privacy to people on the Web. It's work that's 100% funded by charitable donations since we are a nonprofit. If your company is interested in sponsorship, please email sponsor@letsencrypt.org. If you can make a donation, we ask that you consider supporting our work today: https://letsencrypt.org/donate/
Thank you.
- The Let's Encrypt team
Can someone confirm that these emails are indeed sent by Let's Encrypt and that the email indeed lists domains that Let's Encrypt considers associated with the address that the email is sent to?
I recently received an email like this with an incorrect domain.
Can a Let's Encrypt official confirm if this is:
No, no validation is done on the email address supplied when an ACME account is created. The likely reasons for what you (all) are seeing are
It has been some time since I validated my domain, and I'm doing it just for some private hosting. Where can I check the domains associated with my email, or make sure my security is not compromised?
The email that I used is not publicly well known, so I would be surprised if this were the case.
Could this be a phishing campaign that tricks Let's Encrypt to send emails on the behalf of a threat actor? For example, the threat actor knows user@example.com owns a domain, so creates many ACME accounts with that email for domains that host malware. Then user@example.com receives an email from Let's Encrypt so is more likely to click the link to the incorrect malware domain.
I am the original owner and host of all domains and ACME accounts associated with that email.
For those who have received an email containing an unfamiliar domain name, please see the staff response here:
No, then they wouldn't wait for some announcement, instead they'd let the certificate expire so people get the links immediately. Also the domains I got didn't lead to anything, at least not a webserver.
But this is a vulnerability: just create a certificate to something malicious using known emails, let it expire and hope the victim clicks the links.
Admittedly, I've expressed the same concern myself in the past. I know from responses I've received to my own suggestions in numerous places that Let's Encrypt has improvements to their email notification system in their sights. Those of us who are longstanding contributors of this community were given early warning yesterday by the staff about the notification going out. The staff are looking at the responses to assess and make adjustments to plan going forward.
So there is a vulnerability in the Let's Encrypt email system and there is the possibility that Let's Encrypt is incorrectly referencing domains. These emails should be halted. Am I correct to assume this warrants contacting security@letsencrypt.org?
I don't suppose there is a way of subscribing to notifications whenever a certificate is issued using my email address? Possibly with a "wasn't me" link? Or at least a way to get an email with all host names associated with my email address?
I have asked the Let's Encrypt staff to review this topic/thread. It's a busy time and they're a small team, so please give them some time to process.
I have reported this thread to security@letsencrypt.org.
Hi, folks,
@fixingthembugs @JerMah @Pflyg @timh @Tredwell
We've identified a problem with these e-mails, where the wrong sample hostname was selected. We've paused sending while we fix the problem with how we queried our database. The database itself is accurate.
The security and integrity of your Let's Encrypt registration (account) and certificates were not affected. Hostnames are made public in Certificate Transparency logs, so this was not a breach of private data.
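The staff reply above points out that every issued hostname is already public in Certificate Transparency logs, which is also the practical answer to the earlier question about getting a list of hostnames tied to "my" certificates: CT entries carry no ACME account e-mail, so the check has to be done per domain rather than per address. The script below is an added example, not code from Let's Encrypt or from anyone in this thread. It parses a CT search result in the JSON shape that crt.sh returns (`id`, `issuer_name`, `common_name`, `name_value`, `not_before`, `not_after`; the field names are an assumption based on that service's output), keeps only certificates that are valid at a given moment, and reports any hostname that the operator did not expect to see. The input here is a constructed sample so the example runs offline.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape crt.sh returns for ?q=<domain>&output=json.
# Field names are an assumption based on that service; the values are made up.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.org",
     "name_value": "example.org\nwww.example.org",
     "not_before": "2021-07-01T00:00:00", "not_after": "2021-09-29T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.example.org",
     "name_value": "mail.example.org",
     "not_before": "2021-05-01T00:00:00", "not_after": "2021-07-30T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging.example.org",
     "name_value": "staging.example.org\nold-cdn.example.org",
     "not_before": "2021-08-15T00:00:00", "not_after": "2021-11-13T00:00:00"},
])


def _utc(iso_string):
    # crt.sh timestamps carry no zone suffix; treat them as UTC.
    return datetime.fromisoformat(iso_string).replace(tzinfo=timezone.utc)


def parse_ct_entries(raw_json):
    """Turn a crt.sh-style JSON array into a list of dicts with a hostname set per cert."""
    entries = []
    for e in json.loads(raw_json):
        # name_value lists every SAN, newline-separated; the CN is usually in it too.
        names = {n.strip().lower() for n in e["name_value"].split("\n") if n.strip()}
        names.add(e["common_name"].strip().lower())
        entries.append({
            "id": e["id"],
            "issuer": e["issuer_name"],
            "names": names,
            "not_before": _utc(e["not_before"]),
            "not_after": _utc(e["not_after"]),
        })
    return entries


def current_hostnames(entries, now):
    """Union of hostnames on certificates that are within their validity period at `now`."""
    names = set()
    for e in entries:
        if e["not_before"] <= now <= e["not_after"]:
            names |= e["names"]
    return names


def audit(raw_json, expected_hostnames, now_iso):
    """Return, sorted, the currently certified hostnames the operator did not expect."""
    entries = parse_ct_entries(raw_json)
    expected = {h.lower() for h in expected_hostnames}
    return sorted(current_hostnames(entries, _utc(now_iso)) - expected)


if __name__ == "__main__":
    # For a real check, fetch https://crt.sh/?q=example.org&output=json instead of
    # the constructed sample and pass the response body to audit().
    known = ["example.org", "www.example.org", "staging.example.org"]
    for host in audit(SAMPLE_CT_JSON, known, "2021-09-01T00:00:00"):
        print("unexpected hostname on a current certificate:", host)
```

The design point is the validity filter: a CT search returns every certificate ever logged for a domain, including long-expired ones, so the expected-versus-actual comparison is only meaningful against certificates that are current at the time of the check. Anything that shows up as unexpected is worth tracing back to the ACME client or hosting provider that requested it.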
I received a notification for this and while I don't expect we'll be affected, the "sample hostname from one of your current Let's Encrypt certificates" is not one I would have expected to see. How do I track this down and remedy the situation?
Regarding the unfamiliar domain name, please read:
While a careless or confused hosting provider may cause similar problems, I can confidently say that this wasn't the case here. The domains in the email I received resolve to IP addresses belonging to different providers in Romania and Sweden and I don't know either of them.