Someone on the Internet is committing fraud

Update posted June 27th, 2024

This was not the fraud we thought it was

We have learned that emails we originally identified as abuse were sent by an external contractor engaged by ISC to conduct a focussed and short-term lead generation campaign. We have instructed the vendor to halt that campaign.

We clearly suffered some communications failures here. Our communication with the vendor should have made it clear that we would not be comfortable with the approach they adopted. Plus, our internal communication failed as we lacked sufficient awareness of the campaign to respond in a more appropriate fashion when we received questions about the emails.

We have been assured by the vendor that this was not a bulk unsolicited email campaign. We affirm our stance that bulk unsolicited email is counter to our mission in support of Internet infrastructure.

We apologize for any inconvenience or disruption this event may have caused. We promptly canceled our abuse complaint concerning the domain name, and we ask any of you who have taken any filtering or blocking or complaint action against the domain name or the originating IP addresses to do the same. We appreciate the outpouring of sympathy from our community, many of whom have emailed us with helpful suggestions. We thank you for your continued support.

Original post below


Sadly, people on the Internet are sometimes not who they say they are, and you have to read unsolicited email with skepticism.

An alert and responsible IT Professional has notified us that someone is sending spam emails, masquerading as an ISC staff person, offering information about unpublished BIND software vulnerabilities. These emails are supposedly from Bree Reed bree-r.a@tryisc.com. If you receive email like this, check to see if it is from the ISC.org domain. If it is not, the email is not from ISC.

ISC does not send unsolicited bulk marketing emails. We follow a long-established, published process for disclosing security vulnerabilities in our software (ISC Software Defect and Security Vulnerability Disclosure Policy). This includes publishing vulnerabilities in our knowledgebase and announcing the fixes on our product-specific public mailing lists.

If you feel you have received illegitimate communications from someone purporting to be an ISC staff member, please report it. If someone other than ISC.org is offering to provide software vulnerability information about ISC software, this is suspicious and probably fraudulent. ISC does offer professional support services, which includes advance notification of security vulnerabilities, but we have not authorized anyone else to disclose that information prior to public disclosure.

Recent Posts

What's New from ISC

Previous post: Kea 2.6.0 Released