  Author    How to remove many spammer sites at once  (currently 9,175 views)
MarkGiles
Posted on: Thursday, October 26th, 2006, 2:43pm Report to Moderator
All-Star


Posts: 363
Answering the first question - ignore the timeout. What it means is this.

Having realised that his nameservers are being tested to see if they are up or down, Alex has looked into forums like this to see how it is done. He has found that people are using the dnsstuff website to perform the test. So he has tried to be clever. He wants to fool people into thinking that his illegally hijacked nameservers are no longer running. So he has put in a modification on the nameserver itself, that refuses access to the IP address of dnsstuff.com. That's why you are seeing a timeout.

So ignore any timeout you see, and report the nameserver to the registrar in the normal way.
You will know when all of the nameservers are failing when the website fails to load.

Here are the five nameservers for those sites and similar ones

ns2.fastundslow.com      Beijing Innovative
ns2.concessiondog.info   Tucows               Edit: REMOVED NOV 9
ns1.islandjoke.info      Tucows               Edit: REMOVED NOV 9
ns1.fantastish.info      Gandi Sarl           Edit: REMOVED NOV 17
ns1.trashbream.com       Blue Domino

Once the registrar sets the status to not transferable and locked out from the client, and sets the address to 0.0.0.0, the compliance request is complete. Until then, the registrar is guilty of sponsoring known criminals and being complicit in the crime.
Logged Offline
Private Message Reply: 15 - 80
MarkGiles
Posted on: Tuesday, October 31st, 2006, 3:32pm Report to Moderator
All-Star


Posts: 363
Key reporting contacts by Registrar. The full list is at ICANN
http://www.icann.org/registrars/accreditation-qualified-list.html

Aztus                 admin@aztus.com
Baremetal.com         support@baremetal.com
Beijing Innovative    liwei@dns.com.cn, huyan@dns.com.cn, abuse@anti-spam.cn, spam@ccert.edu.cn
Bluedomino.com        domreg@bluedomino.com
CSL                   http://www.joker.com (website form)
CyberConnectics       support@cybcon.com
eNom                  legal@enom.com
Gandi Sarl            icann@gandi.net
Intercosmos           sig@intercosmos.com
Misk                  support@misk.com
MIT                   help@melbourneit.com.au ?
Netfirms              support@netfirms.com
OnlineNic             icann@onlinenic.com
ResellerClub          http://resellerclub.com/report-abuse/whois/
TLDS                  partnersupport@srsplus.com
TUCOWS                compliance@opensrs.org
XIN Net               registrar@xinnet.com, pantao@xinnet.com, abuse@anti-spam.cn, spam@ccert.edu.cn
Yesnic                abuse@yesnic.com
Logged Offline
Private Message Reply: 16 - 80
dj
Posted on: Friday, November 3rd, 2006, 2:36pm Report to Moderator
Super Spam Fighter



Posts: 108
I'd like to propose Beijing Innovative as the worst registrar as far as reporting spam.

I sent them a mail containing 16 spam emails promoting ui398.com which has yu563.com as the name server to them on 21 September this year. Since then I have sent them over 200 emails reporting this site and hl523.com, ui730.com, ui728.com, af370.com, ui727.com, ui725.com, JF132.com, FG679.com, by131.com, af367.com, fg327, and 5656fg.com.

As far as I can see they are all still up and running.

Dave

"Now it's personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 17 - 80
tracker
Posted on: Tuesday, November 7th, 2006, 6:02pm Report to Moderator
Frequent Contributor


Posts: 41
I’ve been trying to use this approach, however being a greenhorn at this I’ve found the process to be very time consuming with quite a bit of page flipping, copying and pasting, and confusion.  Perhaps someone can point out my error in the following.

lakeandletis.com is one of the many scam sites that we’ve seen and one that I attempted to follow through on.  One of the several name servers is ns2.ssauceboat.info, registered by gandi.net, but when I contacted gandi.net I received a note:

“The domain you mention, lakeandletis.com, is not registered by Gandi, but by 4DOMAINS.COM…”

Gandi lists several name servers associated with lakeandletis.com, including ssauceboat.info, and then states, “Gandi is not a web host. The domain used as the nameserver name SSAUCEBOAT.INFO, is registered via Gandi, but is not a nameserver of Gandi. We therefore have no control over its use, as that is not within the bounds of our mandate as a registrar.”

So… I wonder if anyone could decipher this for me.
Logged Offline
Private Message Reply: 18 - 80
MarkGiles
Posted on: Wednesday, November 8th, 2006, 2:46pm Report to Moderator
All-Star


Posts: 363
Gandi has a contract with a criminal, who has registered the domain name ssauceboat.info (as well as its companion fddnode.info)
EVIDENCE
http://www.dnsstuff.com/tools/whois.ch?ip=ssauceboat.info

Within the "zone file" for ssauceboat.info, there are a number of records. The important ones are the Address records that point to the nameservers. ns2.ssauceboat.info is the name of the nameserver and it has an Address record. This has pointed to different IP addresses over the past few weeks, such as today - 218.26.34.9 and previously 68.157.135.101 - 83.143.12.252 - 81.3.139.92 - 195.96.156.154
Each of these addresses is an illegally hijacked nameserver machine.

Gandi Sarl is suggesting that they have no responsibility, and that you need to address the registrar of the spamvertized website. This argument is invalid, because ssauceboat.info has been registered with Gandi Sarl. It has been registered by a known, notorious criminal, Alex Polyakov. By refusing to cancel their contract, Gandi Sarl is aiding a criminal in the commission of his crimes. In every civilised country this is also a criminal act. Gandi Sarl needs to be reminded of that, not in a threatening way, but as useful legal advice.

The fact that they have yet to comprehend this point of law should be publicly advertised. For example, http://www.siteadvisor.com/sites/crampfoot.com

EDIT: On Nov 16 - 17 after much discussion, Gandi SAS removed these nameservers and joined in with other registrars who do not sponsor criminals:

Thanks to the Gandi team who worked on this!
Logged Offline
Private Message Reply: 19 - 80
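
The changing Address record described in the post above can be tracked from a log of periodic lookups. This is an added example, not part of the original post: the host name and the five addresses are the ones quoted in the post, while the dates, the control host ns1.example.net, the log format and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed observation log: "<ISO date> <nameserver host> <A record>".
# Host and addresses come from the post; the dates are invented, and
# ns1.example.net is a made-up stable control entry.
OBSERVATIONS = """\
2006-10-12 ns2.ssauceboat.info 195.96.156.154
2006-10-19 ns2.ssauceboat.info 81.3.139.92
2006-10-26 ns2.ssauceboat.info 83.143.12.252
2006-11-02 ns2.ssauceboat.info 68.157.135.101
2006-11-08 ns2.ssauceboat.info 218.26.34.9
2006-10-12 ns1.example.net 192.0.2.53
2006-11-08 ns1.example.net 192.0.2.53
"""

def summarize(log_text):
    """Per host: distinct addresses, distinct /16 networks, observed time span."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        day, host, addr = parts
        seen[host.lower().rstrip(".")].append(
            (date.fromisoformat(day), ipaddress.ip_address(addr)))
    report = {}
    for host, rows in seen.items():
        rows.sort(key=lambda r: r[0])  # oldest observation first
        addrs = {ip for _, ip in rows}
        # /16 is a rough IPv4 stand-in for "different network operator"
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in addrs}
        report[host] = {
            "addresses": len(addrs),
            "networks": len(nets),
            "days": (rows[-1][0] - rows[0][0]).days,
            "current": str(rows[-1][1]),
        }
    return report

def churning_hosts(report, min_networks=3, max_days=60):
    """Hosts whose A record moved across several unrelated networks quickly."""
    return sorted(h for h, r in report.items()
                  if r["networks"] >= min_networks and r["days"] <= max_days)

if __name__ == "__main__":
    rep = summarize(OBSERVATIONS)
    for host in churning_hosts(rep):
        print(host, rep[host])
```

A dated record of this kind gives the registrar of the nameserver's own domain concrete evidence to act on, independent of whether any single lookup tool times out.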
MarkGiles
Posted on: Wednesday, November 8th, 2006, 6:57pm Report to Moderator
All-Star


Posts: 363
Other illegal fake pharmacy scam sites that Gandi Sarl aka Gandi SAS was sponsoring access to using ssauceboat.info include


Edit: As of Nov 17, Gandi Sarl / Gandi SAS is an ICANN accredited registrar who no longer sponsors crime.
Logged Offline
Private Message Reply: 20 - 80
tracker
Posted on: Thursday, November 9th, 2006, 10:13pm Report to Moderator
Frequent Contributor


Posts: 41
I get about a dozen emails from Polyakov each day, including the typical Canadian and International Pharmacy phishing scams.  Needless to say, I’m a bit disappointed in some of the registrars.  It seems that many simply don’t want to be bothered, even when the issues come down to fraud.  They want to pass the buck.  Others make it very difficult to communicate with them, whereas they require you to fill out their online forms, take a ticket – like standing in line – and then expect nothing.  I’m beginning to think that the registrars need to be weeded out as well as the scam artists that they harbor.


Quoted from dj
I'd like to propose Beijing Innovative as the worst registrar as far as reporting spam.


DJ, I’ve tried to make my reports to DNS.COM.CN (Beijing Innovative) simple and to the point, but like you… no response.  Here is the last one I sent.

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD.


Name Server: BM1.REGGAENS.COM
Name Server: BM2.REGGAENS.COM

Being used for Internet fraud abuse by:
 

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD.

NS1.SOUPEDMO.NET
NS2.SOUPEDMO.NET

Being used for Internet fraud abuse by:
http://hybhfyaszccel.aygifmf2fig5vbs5xssnfssa.eyesightff.com


Please lock out customer access to these domains and set all address records to 0.0.0
Do not allow your servers to be used for fraudulent use.

Logged Offline
Private Message Reply: 21 - 80
MarkGiles
Posted on: Sunday, November 12th, 2006, 8:30pm Report to Moderator
All-Star


Posts: 363
The site advisors on those spam sites are good reading http://www.siteadvisor.com/sites/eyesightff.com
Logged Offline
Private Message Reply: 22 - 80
spamislame
Posted on: Monday, November 13th, 2006, 10:37am Report to Moderator
Spam Fighter


Posts: 66
I also added a review.

It's actually super easy to find lots of evidence against this particular "brand." Interesting...

SiL
Logged Offline
Private Message Reply: 23 - 80
tracker
Posted on: Monday, November 13th, 2006, 10:46pm Report to Moderator
Frequent Contributor


Posts: 41
Oh yeah, I love this one that was pointed out about the safety in ordering from them,

"When you are in the final check out mode you will be transferred to the site of the online processor that ensures the Fort Knott security of your all transactions."

I wonder how long it takes for most readers to get back up from rolling around on the floor?
Logged Offline
Private Message Reply: 24 - 80
MarkGiles
Posted on: Friday, November 17th, 2006, 5:56pm Report to Moderator
All-Star


Posts: 363
NOVEMBER 17, 2006

Alex Polyakov's spamming and illegal machine hijacking operation has been registering domains on registrar Gandi SAS - amongst others. Some of these domains were used as nameservers,  which these criminals run on illegally hijacked machines. The nameservers in turn resolve access to illegally hijacked webservers. Those webservers run his illegally spammed pharmacy and fake watch scams. And yes, those scams are also illegal, too.

When faced with all of this evidence of crime, Gandi SAS thought better about being seen to be part of the Polyakov crime scene. The following Polyakov nameservers are no longer functioning after Gandi SAS withdrew their support


The Pharmacy Alert Security Team (and millions of frustrated spammed Internet users) applauds Gandi's decision.
Logged Offline
Private Message Reply: 25 - 80
Ryan
Posted on: Wednesday, November 29th, 2006, 3:38pm Report to Moderator
Spam Fighter



Posts: 76

Quoted from tracker

“Gandi is not a web host. The domain used as the nameserver name SSAUCEBOAT.INFO, is registered via Gandi, but is not a nameserver of Gandi. We therefore have no control over its use, as that is not within the bounds of our mandate as a registrar.”

So… I wonder if anyone could decipher this for me.


Dude, I think that e-mail reply actually came from me! Ha Ha Ha!

The difference was between the physical default nameservers for e-mail forwarding and whatnot (ex. full1.gandi.net...), as opposed to registering a domain name through Gandi that was used as a nameserver or domain for spam, which under the 'old policy' could only be shut off if the whois info was invalid.

Sorry, I should have been more clear about that!  At any rate, we got that ba$tard in the end...  

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 26 - 80
spamislame
Posted on: Wednesday, November 29th, 2006, 4:55pm Report to Moderator
Spam Fighter


Posts: 66
Ryan: Do you work for Gandi S?

SiL
Logged Offline
Private Message Reply: 27 - 80
MarkGiles
Posted on: Wednesday, November 29th, 2006, 8:02pm Report to Moderator
All-Star


Posts: 363

Quoted from Ryan


Dude, I think that e-mail reply actually came from me! Ha Ha Ha!

The difference was between the physical default nameservers for e-mail forwarding and whatnot (ex. full1.gandi.net...), as opposed to registering a domain name through Gandi that was used as a nameserver or domain for spam, which under the 'old policy' could only be shut off if the whois info was invalid.

Sorry, I should have been more clear about that!  At any rate, we got that ba$tard in the end...  


Sure enough. Too many registrars act in accordance solely with the limitations set by ICANN - cancel on invalid whois.

All registrars need to understand that any country's national and (where applicable) state laws preclude any commercial organisation from assisting (or aiding and abetting, or being complicit with) a criminal. By continuing to honour a contract which is providing a service to a criminal, the registrar is effectively committing a crime. It often takes a while to reach that realisation, but once understood, there is no legal alternative but to withdraw the contracted service. That means locking out the contracted domain from the criminal so it cannot continue to be used in the commission of the crime.

Only then is a registrar upholding the law, and keeping their reputation intact, and law enforcement from the door. Gandi SAS has reached that point, and looks ready to wipe the spammers out of their registry with more vigour than ever.

Ace of Domains is still on the journey.

Logged Offline
Private Message Reply: 28 - 80
Ryan
Posted on: Wednesday, November 29th, 2006, 11:53pm Report to Moderator
Spam Fighter



Posts: 76
Amen!

(not the registrar ha ha...)

As it turns out, there is great new legislation in France that makes spamming illegal...

Also, with an updated terms of sale contract you can pretty much go to town.

But you are right, when all registrars care about is money, they will stick to just the strict ICANN rules.

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 29 - 80