How to remove many spammer sites at once (currently 6,287 views)
MarkGiles (All-Star, Posts: 363)
Posted on: Friday, September 1st, 2006, 11:35pm
Next time you get a spam, and you have a few minutes to spare, you might like to take a new approach to stopping the spammers.

Sure you can report it to Spamcop, or Knujon, and leave it at that. But you can do a whole lot better. You can use one spam to shut down between 5 and a hundred sites or more. Let's work through an example of a spam I got today.

SPAMVERTIZED WEB SITE
http://hinrost.net (see also http://hinrost.info)
US DRUGS illegal web site
( currently running on hacked machine at IP address 59.120.127.152, images on Yahoo http://stubsite.info/usd/images/logo.gif )

LOCATE THE NAME SERVERS (addresses are compromised machines)
http://www.dnsstuff.com/tools/traversal.ch?domain=hinrost.net&type=A
(substitute your spam site for hinrost.net)
ns1.urisrets.info [72.164.246.232]
ns1.preort.info [72.164.246.232]
ns2.westwelec.info [212.52.166.78]
ns2.tacttal.info [212.52.166.78]

(truncate the ns1. or ns2. from the domain names, leaving just urisrets.info etc)
FIRST NAME SERVER (ENOM)
http://www.dnsstuff.com/tools/whois.ch?ip=urisrets.info
Domain Name:URISRETS.INFO
Created On:10-Apr-2006 18:13:05 UTC
Last Updated On:31-Aug-2006 10:14:51 UTC
Expiration Date:10-Apr-2007 18:13:05 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK

SECOND NAME SERVER (ENOM)
http://www.dnsstuff.com/tools/whois.ch?ip=westwelec.info
Domain Name:WESTWELEC.INFO
Created On:16-May-2006 14:50:04 UTC
Last Updated On:31-Aug-2006 10:15:06 UTC
Expiration Date:16-May-2007 14:50:04 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK

THIRD NAME SERVER (TUCOWS)
http://www.dnsstuff.com/tools/whois.ch?ip=tacttal.info
Domain Name:TACTTAL.INFO
Created On:15-Apr-2006 15:00:12 UTC
Last Updated On:31-Aug-2006 10:15:25 UTC
Expiration Date:15-Apr-2007 15:00:12 UTC
Sponsoring Registrar:Tucows Inc. (R139-LRMS)
Status:OK

FOURTH NAME SERVER (TUCOWS / CSL GMBH)
http://www.dnsstuff.com/tools/whois.ch?ip=preort.info
Domain Name:  PREORT.INFO
Created On:20-Aug-2006 16:48:21 UTC
Last Updated On:31-Aug-2006 23:09:05 UTC
Expiration Date:20-Aug-2007 16:48:21 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R161-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED

COMPLAINTS TO
TUCOWS = compliance at opensrs.org
ENOM = legal at enom.com
You can find these addresses at http://www.icann.org/registrars/accreditation-qualified-list.html

REQUEST TO THE REGISTRAR
=================================
The name servers listed below are used to provide access to the illegal US DRUGS websites
run by the criminal Yambo Financials gang, listed in Spamhaus.

Please lock out customer access to these domains and set all Addresses records to 0.0.0.0

Lockout should include these options
CLIENT DELETE PROHIBITED
CLIENT RENEW PROHIBITED
CLIENT TRANSFER PROHIBITED
CLIENT UPDATE PROHIBITED
TRANSFER PROHIBITED

You can ensure the lockout is successful by using this link
http://www.dnsstuff.com/tools/traversal.ch?domain=hinrost.net&type=A

================================

If the registrars check out the link, and see the illegal sites are using name servers registered through them, they will remove that name server. There may be a few sites resolved by the name servers you have removed. There may be over a hundred. Either way, you have removed many sites that the spammers can no longer spamvertize.

If you act on fresh spam, you can really annoy them by having their sites removed before they have completed a spamming run.

It makes a refreshing change when it is the spammer who is annoyed, doesn't it?

HS (Guest User)
Posted on: Saturday, September 2nd, 2006, 1:32pm
It's a Great Idea!

But for the non-net pro, it's difficult to follow.

If there were just a button and wow!  

Spam. Dead In The Water!
Reply: 1 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Thursday, September 7th, 2006, 5:02pm
I tried to automate it, but it was a bit too hard.

You just start with the spamvertized site, pay it a visit using just the web site part of the link.
eg http://g1a2r3b4a5g6.spammed.com/?junk=34725 becomes simply spammed.com

That's to find out what kind of site it is. Then you need to find out the name servers used to get to it. So you take the site name spammed.com and put it into this link
http://www.dnsstuff.com/tools/traversal.ch?domain=spammed.com&type=A
The result tells you the 2 or 4 name servers.

(You can go to http://www.dnsstuff.com and key it into the top right box for DNS Lookup. On the output, click on "Click here" to get what they call the "transversal" that shows all the name servers at the bottom of the next output screen)

For each name server, you want to complain to the Registrar, so you do a look-up to find them.
eg for a name server like ns1.preort.info you strip it down to just preort.info and put it into this link
http://www.dnsstuff.com/tools/whois.ch?ip=preort.info  

(Or you can go to http://www.dnsstuff.com and key the domain name preort.info  in the third box down, left column, called "Whois info")

That is where you can discover who the registrar company is.

But then, how do you know where to send the complaint? All registrars accredited by ICANN - the governing organization - have their contact details listed here.
http://www.icann.org/registrars/accreditation-qualified-list.html

You go there and do a find (Ctrl-F or Edit / Find) to locate the registrar. Once you've done that a few times, and you know the registrar contact from a previous complaint, you don't need that last step.

Then you email them a complaint. You can copy the links used above to document why they are responsible for the name server that supports the spamvertized site. If the site itself is illegal, be sure to point that out.

It isn't really rocket-science. Anyone can do it, and the payoff in spammer frustration makes the effort well worthwhile.  Registrars do not like to be seen to be acting on the side of the Internet crime syndicates. It doesn't do anything positive for their business reputation, and scares off shareholders.
Reply: 2 - 78
MarkGiles (All-Star, Posts: 363)
Posted on: Saturday, September 23rd, 2006, 7:38pm
I get hundreds of spams for pharmacy sites. The subject is always of the form PHAxyzRMA where xyz varies. When I look up the name servers, there are only six.

ns0.avuihdesunhawio.com     sponsored by DNS.COM.CN
ns0.sadewunmkedefuna.com sponsored by DNS.COM.CN
ns0.hadesunjadukinma.com sponsored by XIN Net
ns0.hadegandestui.com sponsored by DNS.COM.CN    
ns2.yadesaxinmer.com sponsored by XIN Net
ns3.ovdesaxinme.com sponsored by DNS.COM.CN

You can email requests to remove these nameservers to the official registrar contacts at
"Li Wei"<liwei@dns.com.cn>, litao@dns.com.cn, abuse@anti-spam.cn
"Zhao Le"<registrar@xinnet.com>, abuse@anti-spam.cn

China's anti-spam team will also take an interest. They take pride in the reduction of spam in China.

In your complaint, refer to the known criminal Leo Kuvayev. He is listed at Chinese sites
http://www.anti-spam.cn/ShowArticle.php?id=3169
http://www.chinaemail.com.cn/laji/flzblack/200607/6134.html

You are entitled to send a request with the spam attached for each such spam that you receive.  If everyone did that, the message that we will not tolerate registrars who sponsor criminals will be heard loud and clear.

Join the campaign.
Reply: 3 - 78

randyt67 (New Member, Posts: 10)
Posted on: Saturday, September 23rd, 2006, 8:38pm
ns0.hadesunjadukinma.com sponsored by XIN Net
ns0.hadegandestui.com sponsored by DNS.COM.CN    
are down by the way
If these could be shut down it would be nice.
ns2.briggsadnstratton.com
ns1.briggsadnstratton.com
email 'NOC at NRW.NET'

Anyway, the reason I'm here.  
I received many spams for http://www.priuproadl.info Pharma Shop today.

I sent a complaint to dnsprofessioanals1k@yahoo.com (yes, I figured it was fake at the beginning) for TLDS INC.
It bounced of course. The nameservers are ns2.goalz.biz ns1.goalz.biz
I guess I'm outta luck here, huh?

Reply: 4 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Sunday, September 24th, 2006, 8:25pm

Quoted from randyt67
ns0.hadesunjadukinma.com sponsored by XIN Net
ns0.hadegandestui.com sponsored by DNS.COM.CN    
are down by the way

Not quite yet:
http://www.dnsstuff.com/tools/traversal.ch?domain=badewinkdasatun.com&type=A


Quoted Text

If these could be shut down it would be nice.
ns2.briggsadnstratton.com
ns1.briggsadnstratton.com
email 'NOC at NRW.NET'

You need to do some more homework. An obvious approach is to notify joker.com of the copyright infringement of the Briggs and Stratton trademark. Fire a copy off to B&S, too. They would love to tackle that one.

Quoted Text

Anyway, the reason I'm here.  
I received many spams for http://www.priuproadl.info Pharma Shop today.

I sent a complaint to dnsprofessioanals1k@yahoo.com (yes, I figured it was fake at the beginning) for TLDS INC.
It bounced of course. The nameservers are ns2.goalz.biz ns1.goalz.biz
I guess I'm outta luck here, huh?


No, you are on the right path. Let's do a whois on goalz.biz
http://www.dnsstuff.com/tools/whois.ch?ip=goalz.biz&email=on
Sponsoring Registrar:                        TLDS INC.

Ask ICANN where to send a compliance request
http://www.icann.org/registrars/accreditation-qualified-list.html

TLDS L.L.C. d/b/a SRSPlus (United States)
http://www.srsplus.com
... SRSplus is a business unit and a wholly owned subsidiary of Network Solutions, LLC, an industry leader in Web identity services.

   Tel: (570) 708-8787
   Email: partnersupport@srsplus.com

Phone or email them. If you have problems, go to Network Solutions, the parent company at
Tel: 703.668.4600
Email: customerservice@networksolutions.com

(Better still, you should cc them on any email anyway, so that the parent can see what the subsidiary is doing to protect the company image)




Reply: 5 - 78

randyt67 (New Member, Posts: 10)
Posted on: Monday, September 25th, 2006, 8:35pm
Thanks, Mark.  I fired off those emails.  

I guess those weird hxxxx nameservers came back because I checked as I typed that mail.  DNSSTUFF had a timeout for those when I was about to send off another complaint.  I assumed incorrectly they were down I guess.

Reply: 6 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Thursday, September 28th, 2006, 9:22pm
Yup. If you get a timeout on doing a traversal like Leo Kuvayev's servers at
http://www.dnsstuff.com/tools/traversal.ch?domain=miteryanfades.com&type=A

you need to do a second attempt before you know it is really timing out.
One of them is permanently timing out, the other only occasionally.

And even then, it may be transitory.  The "pipe" to the site can sometimes be pretty sluggish.

Reply: 7 - 78

spamjammer (New Member, Posts: 1)
Posted on: Saturday, September 30th, 2006, 8:17pm
Mark;

Just wondering; how do you deal with K's redirects embedded in the URL extensions?

Rapatska (his favorite programmer) often has decoy sites that respond to TL domain query chains; but, substituting random strings (or risking being identified by using the real article) take you to the payload site.  These are almost always on completely different servers on different Net Blocks.

I haven't been much pestered by the Yambo Group on bogus financial or Rx Spam; but the above used to apply to K's Porn Spam spew before he sold most of it off last winter.

BTW: I haven't had any success using proxies to probe K's/Barnu Rapatska's sites of course; they get 'sniffed-out' and redirected PDQ.

sj
Reply: 8 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Sunday, October 1st, 2006, 8:54pm

Quoted from spamjammer
how do you deal with K's redirects embedded in the URL extensions?

K? Is that Kuvayev? I thought Rapatska was either Panov or his partner in crime. Please elaborate.
Now to your question.

I am not sure why you are asking.  But I am guessing at 2 reasons

1. concern at being tracked if you click on a URL that has embedded detection of the email addressee
Answer- I go to the site of the de-obfuscated URL's domain name. If that fails, I go to the full URL. The reason for going to the spamvertized site is to find out what it is. If I am going to complain about it, I need to know whether it is a legitimate site, tasteless site, or outright illegal site. I can word the complaint accordingly.

2. concern that an automated tool will not get to the right place
I want to get to the redirected site. Some operations spam a hundred sites that all redirect to the central one. The hope is that SpamCop will focus on the front ends, and leave the home site unscathed. Pharma Shop is an example.


Quoted Text

Rapatska (his favorite programmer) often has decoy sites that respond to TL domain query chains; but, substituting random strings (or risking being identified by using the real article) take you to the payload site.  These are almost always on completely different servers on different Net Blocks.

The redirected site is where I want to be.


Quoted Text

I haven't been much pestered by the Yambo Group on bogus financial or Rx Spam; but the above used to apply to K's Porn Spam spew before he sold most of it off last winter.
OK


Quoted Text

BTW: I haven't had any success using proxies to probe K's/Barnu Rapatska's sites of course; they get 'sniffed-out' and redirected PDQ.


Any more specifics, or do you want to keep it out of public display?

Reply: 9 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Monday, October 2nd, 2006, 7:40pm
Here is a case in point. I will leave out all the URLs and keep it short.
You get a spam advertizing watches123.net. You do the address traversal and find the nameservers. They are ns1.dnsdomainok.com and ns2.dnsdomainok.com.

Now you do the Whois lookup on dnsdomainok.com. The registrar is eNom Inc.
The name of the registrant is "Paul Gregoire" so you do a Google search on him.
It turns out to be a frequently used alias for Alex Polyakov according to Spamhaus.
The given contact address is fake, too.

So you send your evidence off to eNom, requesting removal of dnsdomainok.com and wait for developments.
Reply: 10 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Thursday, October 5th, 2006, 6:06pm
It is 3 days since that last posting. After a follow-up message, the registrar removed the name server, and its backup name server as requested.  Now it just so happens that the name servers removed also provided access to web sites for Hoodia Life and HGH Life besides Exquisite Watches. If you looked up the address of the site, you would find that in fact there were
1,980
web server domain names running there, all accessed through the same name servers.

The bottom line is that today, 1,980 web sites were no longer responding. They were all running 3 days ago, but the complaints (in total 3 emails) have knocked them all out.

He should not have sent me that spam for 123watches.net.
Reply: 11 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Saturday, October 7th, 2006, 6:34pm
Alex Polyakov and his gang have been busy rebuilding his lost infrastructure. He lost over 2,000 fake watches, HGH Life and Hoodia Life sites when the registrar removed the nameserver that they were all defined under.

Now he has to take time off from spamming to create new ones, and to transfer some of his favorite old ones to new nameservers. We can see how busy he has been.

Removed Site          New nameservers
100watches.net        ns1.ucraineanu.com ns2.ucraineanu.com
abcofhghtwo.com       ns3.dnsdomainplus.com ns4.dnsdomainplus.com
all-the-watches.net   ns1.ucraineanu.com ns2.ucraineanu.com

All of his work will be to no avail when the registrars remove the new nameserver domains.

Let's see . .
http://www.dnsstuff.com/tools/whois.ch?ip=ucraineanu.com
Registered by "Paul Gregoire" alias Alex Polyakov.
And this domain is in turn resolved by these domain servers in listed order:
   ns1.dnsgoldone.com
   ns2.dnsgoldone.com

Let's see . .
http://www.dnsstuff.com/tools/whois.ch?ip=dnsgoldone.com
Registered by Paul Gregoire / Alex Polyakov
Can we do it again?
Domain servers in listed order:
  NS1.DNSWHOISGOOD.COM          222.180.219.173              
  NS2.DNSWHOISGOOD.COM          222.180.219.173    

Let's see . .
http://www.dnsstuff.com/tools/whois.ch?ip=DNSWHOISGOOD.COM
Once again, registered by Paul Gregoire / Alex Polyakov
Domain servers in listed order:
  NS5.DNSQWICK.COM              221.194.68.63                
  NS6.DNSQWICK.COM              221.194.68.63    

How long can this go on?
dnsqwick.com is also registered by the same fake registrant.
Illegal domains to remove:

Registrar: eNom Inc
. . . dnsdomainplus.com
. . . dnsqwick.com
. . . dnswhoisgood.com  
. . . dnsgoldone.com

Registrar: ABR Products DBA = MISK.COM
. . . ucraineanu.com                  


Registrars do not have any time for known Internet criminals. And Alex's record, and his use of the Paul Gregoire alias are well documented at Spamhaus in the ROKSO Top 10 http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6934

Reply: 12 - 78
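
Reply 12 follows the chain by hand: the nameserver domain is itself served by another nameserver domain, and so on, all under the same registrant alias. The added example below (not code from the thread) does that walk breadth-first and keeps a visited set so a self-hosted or looping delegation cannot make it run forever, then groups what it found by registrar the way the "Illegal domains to remove" list does. FAKE_NS and FAKE_WHOIS are constructed from the names quoted in the reply; the entry giving dnsqwick.com its own nameservers is an assumption added so the constructed chain terminates, as the reply does not say what resolves it.

```python
# Added example: walk a nameserver delegation chain to a fixed point and
# group the nameserver domains by sponsoring registrar. Offline: lookups
# come from constructed tables, not live DNS or whois.
from collections import deque

# Constructed delegation table following Reply 12's chain. The last entry
# (dnsqwick.com served by its own hosts) is an assumption so the walk ends.
FAKE_NS = {
    "100watches.net":   ["ns1.ucraineanu.com", "ns2.ucraineanu.com"],
    "ucraineanu.com":   ["ns1.dnsgoldone.com", "ns2.dnsgoldone.com"],
    "dnsgoldone.com":   ["ns1.dnswhoisgood.com", "ns2.dnswhoisgood.com"],
    "dnswhoisgood.com": ["ns5.dnsqwick.com", "ns6.dnsqwick.com"],
    "dnsqwick.com":     ["ns5.dnsqwick.com", "ns6.dnsqwick.com"],
}
# Constructed whois data: (registrant name, sponsoring registrar) per domain.
FAKE_WHOIS = {
    "ucraineanu.com":   ("Paul Gregoire", "ABR Products DBA MISK.COM"),
    "dnsgoldone.com":   ("Paul Gregoire", "eNom Inc"),
    "dnswhoisgood.com": ("Paul Gregoire", "eNom Inc"),
    "dnsqwick.com":     ("Paul Gregoire", "eNom Inc"),
}


def parent_domain(host):
    """'ns5.dnsqwick.com' -> 'dnsqwick.com' (last two labels; fine for
    the gTLDs here, use a public-suffix list for ccTLD second levels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def walk_ns_chain(start, lookup_ns=FAKE_NS.get, max_hops=20):
    """domain -> its nameserver domains -> their nameserver domains ...
    Returns nameserver domains in discovery order. A domain seen twice
    (self-hosted glue or a loop) is not followed again, and max_hops caps
    the total so a hostile, ever-growing chain cannot stall the walk."""
    seen = {start}
    order = []
    queue = deque([start])
    while queue and len(order) < max_hops:
        dom = queue.popleft()
        for host in lookup_ns(dom) or []:
            nsdom = parent_domain(host)
            if nsdom in seen:
                continue          # loop or self-hosted: already on the list
            seen.add(nsdom)
            order.append(nsdom)
            queue.append(nsdom)
    return order


def removal_list(start, lookup_ns=FAKE_NS.get, lookup_whois=FAKE_WHOIS.get):
    """Group the chain's nameserver domains by registrar and collect the
    registrant names, so one alias behind every hop stands out."""
    by_registrar = {}
    registrants = set()
    for dom in walk_ns_chain(start, lookup_ns):
        registrant, registrar = lookup_whois(dom) or ("?", "unknown")
        by_registrar.setdefault(registrar, []).append(dom)
        registrants.add(registrant)
    return by_registrar, registrants


if __name__ == "__main__":
    groups, names = removal_list("100watches.net")
    print("registrant(s) behind the chain:", ", ".join(sorted(names)))
    for registrar, domains in groups.items():
        print("Registrar:", registrar)
        for d in domains:
            print(" . . .", d)
```

One request per registrar, listing every domain in its group, covers the whole chain at once; a registrar that removes only the domain named in the spam leaves the rest of the chain standing.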
Quake14 (New Member, Posts: 4)
Posted on: Thursday, October 19th, 2006, 11:57am
This is a great technique I will be looking in to.

Instead of reporting on all of the kited domains and zombified cable modem users, go for the source.  Knock out their infrastructure.

That is among the most satisfying antispam stories I have ever read.  
Reply: 13 - 78

dj (Super Spam Fighter, Posts: 108)
Posted on: Thursday, October 26th, 2006, 4:53am
I have been trying this on some of the more persistent spams I get with varying success. Beijing Innovative (ha!) in particular seem oblivious to mails.

I have had a lot of mails recently promoting pbouvet.com, maxxtests.com, cationyamer.com and lettersmate.com. Tracing these all gives the same result, four name servers - ns1.fantastish.info. ns1.trashbream.com. ns2.concessiondog.info. ns2.fastundslow.com. When I do the dns lookup for pbouvet.com, maxxtests.com, cationyamer.com and lettersmate.com, they all give the name servers followed by timeout. I can still get at all the sites though.

Not sure what this means?

Also a lot of them don't give a straight URL but instead have something like - "outbind://102-00000000ACC7D6789F91BB498C2D2B88E630F37DC4B02900/" What are these?

I'm sure there is someone out there that can answer these.

Dave

"Now it's personal"  "Don't get mad, get even!"
Reply: 14 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Thursday, October 26th, 2006, 2:43pm
Answering the first question - ignore the timeout. What it means is this.

Having realised that his nameservers are being tested to see if they are up or down, Alex has looked into forums like this to see how it is done. He has found that people are using the dnsstuff website to perform the test. So he has tried to be clever. He wants to fool people into thinking that his illegally hijacked nameservers are no longer running. So he has put in a modification on the nameserver itself, that refuses access to the IP address of dnsstuff.com. That's why you are seeing a timeout.

So ignore any timeout you see, and report the nameserver to the registrar in the normal way.
You will know when all of the nameservers are failing when the website fails to load.

Here are the five nameservers for those sites and similar ones

ns2.fastundslow.com      Beijing Innovative
ns2.concessiondog.info   Tucows Edit: REMOVED NOV 9
ns1.islandjoke.info         Tucows Edit: REMOVED NOV 9
ns1.fantastish.info          Gandi Sarl Edit: REMOVED NOV 17
ns1.trashbream.com       Blue Domino

Once the registrar sets the status to not transferable and locked out from the client, and sets the address to 0.0.0.0, the compliance request is complete. Until then, the registrar is guilty of sponsoring known criminals and being complicit in the crime.
Reply: 15 - 78
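
Two checks that fall out of Reply 7 and Reply 15, as an added example (not code from the thread): a classifier that refuses to call a nameserver "down" on one timeout from one vantage point, and distinguishes "answers for someone else but not for the probe source" from a dead server; and a lockout verifier that compares whois Status lines against the five statuses the first post asks for and checks that the address records really are 0.0.0.0. The probe results in the test are constructed; the whois sample is the preort.info output quoted in the first post.

```python
# Added example: decide whether a nameserver timeout means "down" or
# "blocking the probe", and verify a registrar lockout from whois output.
TIMEOUT = None          # marks a probe attempt that got no answer


def classify_nameserver(probes, min_attempts=2):
    """probes maps a vantage point (e.g. 'dnsstuff', 'home') to a list of
    attempts, each either TIMEOUT or the list of addresses returned.
      'up'        every vantage got an answer on at least one attempt
      'filtering' some vantages answer, others only time out: the server
                  is alive and the probing source is being refused
      'down'      nobody gets an answer, after min_attempts per vantage
      'retry'     only timeouts so far, but too few attempts to say"""
    answered = {v: any(a is not TIMEOUT for a in attempts)
                for v, attempts in probes.items()}
    if all(answered.values()):
        return "up"
    if any(answered.values()):
        return "filtering"
    if all(len(att) >= min_attempts for att in probes.values()):
        return "down"
    return "retry"


# The lockout the first post asks for: all five statuses plus A = 0.0.0.0.
REQUIRED_STATUS = {
    "CLIENT DELETE PROHIBITED", "CLIENT RENEW PROHIBITED",
    "CLIENT TRANSFER PROHIBITED", "CLIENT UPDATE PROHIBITED",
    "TRANSFER PROHIBITED",
}


def parse_status(whois_text):
    """Collect the values of every 'Status:' line in whois output."""
    statuses = set()
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() == "STATUS":
            statuses.add(value.strip().upper())
    return statuses


def lockout_problems(whois_text, a_records):
    """List what is still missing; an empty list means the request is done."""
    missing = REQUIRED_STATUS - parse_status(whois_text)
    problems = ["status %s not set" % s for s in sorted(missing)]
    problems += ["A record %s is not 0.0.0.0" % ip
                 for ip in a_records if ip != "0.0.0.0"]
    return problems


# Sample whois: the preort.info output quoted in the first post.
WHOIS_LOCKED = """Domain Name:  PREORT.INFO
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R161-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
"""

if __name__ == "__main__":
    # Constructed probe results: the web tool times out twice, a second
    # vantage gets an answer, so the server is filtering, not down.
    probes = {"dnsstuff": [TIMEOUT, TIMEOUT], "home": [["218.26.34.9"]]}
    print("nameserver state:", classify_nameserver(probes))
    print("lockout problems:", lockout_problems(WHOIS_LOCKED, ["0.0.0.0"]))
    print("still live:", lockout_problems(WHOIS_LOCKED, ["72.164.246.232"]))
```

The status set alone is not enough: the fourth nameserver in the first post already carried every one of those statuses while still resolving to a live address, which is exactly the case the A-record check catches.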
MarkGiles (All-Star, Posts: 363)
Posted on: Tuesday, October 31st, 2006, 3:32pm
Key reporting contacts by Registrar. The full list is at ICANN
http://www.icann.org/registrars/accreditation-qualified-list.html

Aztus                admin@aztus.com
Baremetal.com        support@baremetal.com
Beijing Innovative   liwei@dns.com.cn, huyan@dns.com.cn, abuse@anti-spam.cn, spam@ccert.edu.cn
Bluedomino.com       domreg@bluedomino.com
CSL                  http://www.joker.com (website form)
CyberConnectics      support@cybcon.com
eNom                 legal@enom.com
Gandi Sarl           icann@gandi.net
Intercosmos          sig@intercosmos.com
Misk                 support@misk.com
MIT                  help@melbourneit.com.au (?)
Netfirms             support@netfirms.com
OnlineNic            icann@onlinenic.com
ResellerClub         http://resellerclub.com/report-abuse/whois/
TLDS                 partnersupport@srsplus.com
TUCOWS               compliance@opensrs.org
XIN Net              registrar@xinnet.com, pantao@xinnet.com, abuse@anti-spam.cn, spam@ccert.edu.cn
Yesnic               abuse@yesnic.com
Reply: 16 - 78

dj (Super Spam Fighter, Posts: 108)
Posted on: Friday, November 3rd, 2006, 2:36pm
I'd like to propose Beijing Innovative as the worst registrar as far as reporting spam.

I sent them a mail containing 16 spam emails promoting ui398.com which has yu563.com as the name server to them on 21 September this year. Since then I have sent them over 200 emails reporting this site and hl523.com, ui730.com, ui728.com, af370.com, ui727.com, ui725.com, JF132.com, FG679.com, by131.com, af367.com, fg327, and 5656fg.com.

As far as I can see they are all still up and running.

Dave

"Now it's personal"  "Don't get mad, get even!"
Reply: 17 - 78

tracker (Frequent Contributor, Posts: 41)
Posted on: Tuesday, November 7th, 2006, 6:02pm
I’ve been trying to use this approach, however being a greenhorn at this I’ve found the process to be very time consuming with quite a bit of page flipping, copying and pasting, and confusion.  Perhaps someone can point out my error in the following.

lakeandletis.com is one of the many scam sites that we’ve seen and one that I attempted to follow through on.  One of the several name servers is ns2.ssauceboat.info, registered by gandi.net, but when I contacted gandi.net I received a note:

“The domain you mention, lakeandletis.com, is not registered by Gandi, but by 4DOMAINS.COM…”

Gandi lists several name servers associated with lakeandletis.com, including ssauceboat.info, and then states, “Gandi is not a web host. The domain used as the nameserver name SSAUCEBOAT.INFO, is registered via Gandi, but is not a nameserver of Gandi. We therefore have no control over its use, as that is not within the bounds of our mandate as a registrar.”

So… I wonder if anyone could decipher this for me.
Reply: 18 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Wednesday, November 8th, 2006, 2:46pm
Gandi has a contract with a criminal, who has registered the domain name ssauceboat.info (as well as its companion fddnode.info)
EVIDENCE
http://www.dnsstuff.com/tools/whois.ch?ip=ssauceboat.info

Within the "zone file" for ssauceboat.info, there are a number of records. The important ones are the Address records that point to the nameservers. ns2.ssauceboat.info is the name of the nameserver and it has an Address record. This has pointed to different IP addresses over the past few weeks, such as today - 218.26.34.9 and previously
68.157.135.101 - 83.143.12.252  - 81.3.139.92 - 195.96.156.154
Each of these addresses is an illegally hijacked nameserver machine.

Gandi Sarl is suggesting that they have no responsibility, and that you need to address the registrar of the spamvertized website. This argument is invalid, because ssauceboat.info has been registered with Gandi Sarl. It has been registered by a known, notorious criminal, Alex Polyakov. By refusing to cancel their contract, Gandi Sarl is aiding a criminal in the commission of his crimes. In every civilised country this is also a criminal act. Gandi Sarl needs to be reminded of that, not in a threatening way, but as useful legal advice.

The fact that they have yet to comprehend this point of law should be publicly advertised. For example, http://www.siteadvisor.com/sites/crampfoot.com

EDIT: On Nov 16 - 17 after much discussion, Gandi SAS removed these nameservers and joined in with other registrars who do not sponsor criminals:
ns2.dogmatrust.info
ns2.crudefuel.info
ns1.apricothangar.info
ns2.fddnode.info
ns2.ssauceboat.info
ns1.fantastish.info
ns1.herecentral.info
ns1.calldesk.info
ns2.abioticxref.info
ns2.nolisrize.info
ns2.preasworst.info

Thanks to the Gandi team who worked on this!
Reply: 19 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Wednesday, November 8th, 2006, 6:57pm
Other illegal fake pharmacy scam sites that Gandi Sarl aka Gandi SAS was sponsoring access to using ssauceboat.info include

> International Legal RX
mannersport.info
pophighest.com
reamsufferer.com
thetramore.com
topstokhold.com

> My Canadian Pharmacy
askshow.info
cliosev.com
cliosev.info
crampfoot.com
cvopler.info
dorotybop.biz
dorotybop.us
eparun.info
fadsore.info
fandet.net
feoter.net
fradnol.info
garagedaw.info
garrisonblock.info
garrisonblock.info
gobetir.com
haindar.info
illupet.info
inisert.info
inisert.net
irowel.com
ispover.info
ispover.net
marksmanpod.info
parbom.info
parbom.net
pathincom.info
quozar.net
radiosand.com
rexito.net
ssunboat.com
theftinvasion.info
unitagony.info
unrespi.info
urveli.info
urveli.net


> US Drugs
pritlea.net

Edit: As of Nov 17, Gandi Sarl / Gandi SAS is an ICANN accredited registrar who no longer sponsors crime.
Reply: 20 - 78

tracker (Frequent Contributor, Posts: 41)
Posted on: Thursday, November 9th, 2006, 10:13pm
I get about a dozen emails from Polyakov each day, including the typical Canadian and International Pharmacy phishing scams.  Needless to say, I’m a bit disappointed in some of the registrars.  It seems that many simply don’t want to be bothered, even when the issues come down to fraud.  They want to pass the buck.  Others make it very difficult to communicate with them, whereas they require you to fill out their online forms, take a ticket – like standing in line – and then expect nothing.  I’m beginning to think that the registrars need to be weeded out as well as the scam artists that they harbor.


Quoted from dj
I'd like to propose Beijing Innovative as the worst registrars as far as reporting spam.


DJ, I’ve tried to make my reports to DNS.COM.CN (Beijing Innovative) simple and to the point, but like you… no response.  Here is the last one I sent.

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD.


Name Server: BM1.REGGAENS.COM
Name Server: BM2.REGGAENS.COM

Being used for Internet fraud abuse by:
http://4z9oszai91rhnmmx9m4f9m4m.vaporishmf.com/
http://v80f1qj90s0qwvd6ivdo0ddd.vaporishmf.com/
http://nib1sia0bvbionnlan5lsnn5.vaporishmf.com/
http://8tw4wmvswqw39qqlvqqldqq8.vaporishmf.com/
http://gtl0mtmc3d3bhgyr3gyrlgyg.vaporishmf.com/
http://ipovownsornvjii6oii6oi00.vaporishmf.com/
http://ly9z8y8grbrg4llj83l1ql33.vaporishmf.com/
http://2fpm8f8y7h7x3k2v722v7kkk.vaporishmf.com/
http://idn26downf5v1iitn0ib50ii.vaporishmf.com/
http://0p6voe5so9nd1i0ooiioo0ii.vaporishmf.com/
http://c7zeipiqh9hpvuunzuunzccu.vaporishmf.com/
 

BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD.

NS1.SOUPEDMO.NET
NS2.SOUPEDMO.NET

Being used for Internet fraud abuse by:
http://hybhfyaszccel.aygifmf2fig5vbs5xssnfssa.eyesightff.com


Please lock out customer access to these domains and set all address records to 0.0.0
Do not allow your servers to be used for fraudulent use.

Reply: 21 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Sunday, November 12th, 2006, 8:30pm
The site advisors on those spam sites are good reading http://www.siteadvisor.com/sites/eyesightff.com
Reply: 22 - 78

spamislame (Spam Fighter, Posts: 66)
Posted on: Monday, November 13th, 2006, 10:37am
I also added a review.

It's actually super easy to find lots of evidence against this particular "brand." Interesting...

SiL
Reply: 23 - 78

tracker (Frequent Contributor, Posts: 41)
Posted on: Monday, November 13th, 2006, 10:46pm
Oh yeah, I love this one that was pointed out about the safety in ordering from them,

"When you are in the final check out mode you will be transferred to the site of the online processor that ensures the Fort Knott security of your all transactions."

I wonder how long it takes for most readers to get back up from rolling around on the floor?
Reply: 24 - 78

MarkGiles (All-Star, Posts: 363)
Posted on: Friday, November 17th, 2006, 5:56pm
NOVEMBER 17, 2006

Alex Polyakov's spamming and illegal machine hijacking operation has been registering domains on registrar Gandi SAS - amongst others. Some of these domains were used as nameservers,  which these criminals run on illegally hijacked machines. The nameservers in turn resolve access to illegally hijacked webservers. Those webservers run his illegally spammed pharmacy and fake watch scams. And yes, those scams are also illegal, too.

When faced with all of this evidence of crime, Gandi SAS thought better about being seen to be part of the Polyakov crime scene. The following Polyakov nameservers are no longer functioning after Gandi SAS withdrew their support

ns2.dogmatrust.info
ns2.crudefuel.info
ns1.apricothangar.info
ns2.fddnode.info
ns2.ssauceboat.info
ns1.fantastish.info
ns1.herecentral.info
ns1.calldesk.info
ns2.abioticxref.info
ns2.nolisrize.info
ns2.preasworst.info

The Pharmacy Alert Security Team (and millions of frustrated spammed Internet users) applauds Gandi's decision.
Reply: 25 - 78

Ryan (Spam Fighter, Posts: 76)
Posted on: Wednesday, November 29th, 2006, 3:38pm

Quoted from tracker

“Gandi is not a web host. The domain used as the nameserver name SSAUCEBOAT.INFO, is registered via Gandi, but is not a nameserver of Gandi. We therefore have no control over its use, as that is not within the bounds of our mandate as a registrar.”

So… I wonder if anyone could decipher this for me.


Dude, I think that e-mail reply actually came from me! Ha Ha Ha!

The difference was between the physical default nameservers for e-mail forwarding and whatnot (ex. full1.gandi.net...), as opposed to registering a domain name through Gandi that was used as a nameserver or domain for spam, which under the 'old policy' could only be shut off if the whois info was invalid.

Sorry, I should have been more clear about that!  At any rate, we got that ba$tard in the end...  

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
spamislame
Posted on: Wednesday, November 29th, 2006, 4:55pm
Ryan: Do you work for Gandi S?

SiL
MarkGiles
Posted on: Wednesday, November 29th, 2006, 8:02pm

Quoted from Ryan


Dude, I think that e-mail reply actually came from me! Ha Ha Ha!

The difference was between the physical default nameservers for e-mail forwarding and whatnot (ex. full1.gandi.net...), as opposed to registering a domain name through Gandi that was used as a nameserver or domain for spam, which under the 'old policy' could only be shut off if the whois info was invalid.

Sorry, I should have been more clear about that!  At any rate, we got that ba$tard in the end...  


Sure enough. Too many registrars act in accordance solely with the limitations set by ICANN - cancel on invalid whois.

All registrars need to understand that any country's national and (where applicable) state laws preclude any commercial organisation from assisting (or aiding and abetting, or being complicit with) a criminal. By continuing to honour a contract which is providing a service to a criminal, the registrar is effectively committing a crime. It often takes a while to reach that realisation, but once understood, there is no legal alternative but to withdraw the contracted service. That means locking out the contracted domain from the criminal so it cannot continue to be used in the commission of the crime.

Only then is a registrar upholding the law, and keeping their reputation intact, and law enforcement from the door. Gandi SAS has reached that point, and looks ready to wipe the spammers out of their registry with more vigour than ever.

Ace of Domains is still on the journey.

Ryan
Posted on: Wednesday, November 29th, 2006, 11:53pm
Amen!

(not the registrar ha ha...)

As it turns out, there is great new legislation in France that makes spamming illegal...

Also, with an updated terms of sale contract you can pretty much go to town.

But you are right, when all registrars care about is money, they will stick to just the strict ICANN rules.

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
MarkGiles
Posted on: Tuesday, December 5th, 2006, 5:11am
ACE OF DOMAINS is still providing a safe haven for Alex Polyakov (alias Alex Blood, alias Paul Gregoire) and here is all the incriminating evidence

=============================================================

Open correspondence with Ace of Domains and ICANN who accredits them

http://forum.icann.org/lists/registrar/msg00073.html

http://forum.icann.org/lists/registrar/msg00070.html

Here is Polyakov's operation exposed

http://spamhater.zoomshare.com

Registrars who support his crimes, and registrars who don't

http://spamhater.zoomshare.com/2.shtml

Evidence in Spamhaus of Alex Polyakov finding a safe haven at Ace of Domains
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7159

and to top it all off, a selection of just two McAfee Site Advisor postings out of hundreds for  Polyakov scam sites supported by this registrar

http://www.siteadvisor.com/sites/supedkeyellow.com

http://www.siteadvisor.com/sites/dogzdoom.com

Proof that Ace of Domains registered technollogy.com is used as a nameserver for over 2,000 of Polyakov's scam sites. When Spamhaus listed his nameserver (sportystuuff.com) he transferred all the 2,015 sites under them to technollogyhere.com. See the transfer taking place on the Ace of Domains registered domain used as his nameserver

http://dailychanges.com/detail.....;changes=0&act=a

That's how many crime scenes this registrar is sponsoring.

Internet observers are now rebranding Ace of Domains to "A s s" of Domains. It will take so many rolls of tissue paper to clean up their act.

=============================================================
MarkGiles
Posted on: Monday, December 11th, 2006, 1:42pm
Crossposted from another forum, for Gandi's action -

I just attempted to figure out why a pharma shop website was suddenly running more javascript than usual. I got some interesting evidence which I am passing along here, as well as to my usual law enforcement outlets.

DO NOT visit any of these sites, especially if you run any flavor of IE.

Domain which was spammed:

Code:
http://writersboll.info/


Which in turn redirects you to:

Code:
http://postaltag.info/?ec1e98dfdd5778S408059d8S9e62acb8


That site uses obfuscated javascript in the footer of the page in an attempt to load iframe content from:

Code:
http://mynetwork.hk/404.php


That page contains 100% pathetically obfuscated javascript code which in turn attempts to load yet another iframe from:

Code:
http://mynetwork.hk/external.php


THAT page: contains XMLHTTP download and installation of the following items:

* New registry setting: clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 (That's a Remote Data Service object, allowing the execution of code from a remote source.)
* hxxp : / / mynetwork.hk/win32_update.exe (my Symantec instantly disabled this. It's called the "Bloodhound Exploit")
[ http://www.symantec.com/security_response/writeup.jsp?docid=2006-041114-2838-99 ]
* Attempts to run via shell the abovementioned exe file.

From the Symantec site:

Quote:
Bloodhound.Exploit.64 is a heuristic detection for the Vulnerability in MDAC Function Could Allow Code Execution issue.

An attacker who exploits this vulnerability could execute arbitrary code with the privileges of the logged-on user. The attack has to be launched by visiting a website that hosts the malicious code. The exploit requires no user interaction to trigger.


So Pharma Shop, as a spam operation, is now directly associated with the following activities:

- 419 scamming via alleged Russian wife / date scams
- 419 scamming via alleged dead dictator emails
- Lottery scam emails
- (Obviously) illegal pharmaceutical sales (if indeed they do sell anything.)
- Credit card fraud

And now:

- Malicious virus install and execution.

I want to kill these bastards. I mean that. I want to get to the bottom of who's allowing these domains to exist.

Original site's DNS is via globedns.biz, located in Russia. All contact info is (of course) fake.
mynetwork.hk's dns is via: NS1.BABIESAREINN.NET, a gandi sarl authorized domain.

Code:

  Server Name: NS1.BABIESAREINN.NET
  IP Address: 69.154.76.126
  Registrar: GANDI
  Whois Server: whois.gandi.net
  Referral URL: http://www.gandi.net


This is outrageous behavior.

SiL
Ryan
Posted on: Monday, December 11th, 2006, 3:27pm
Hi Mark,

BABIESAREINN.NET is already suspended...

NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service"

On a separate topic, how do you identify an Alex P scheme? Are there special clues that can be spotted? What do you go by?

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
MarkGiles
Posted on: Monday, December 11th, 2006, 6:21pm
sportystuuff.com
50.0% of queries will end in failure at 60.200.246.242 (ns1.sportystuuff.com) - query timed out
50.0% of queries will end in failure at 221.4.243.136 (ns2.sportystuuff.com) - query timed out

technollogyhere.com
100.0% of queries will end in failure at 221.194.111.55 (ns1.technollogyhere.com) - query timed out

That's 1,950 sites no longer accessible today. Alex takes a palpable hit.
MarkGiles
Posted on: Monday, December 11th, 2006, 7:36pm

Quoted from Ryan
Hi Mark,

Sorry to beat you to it (maybe not, lol!), but...

BABIESAREINN.NET is already suspended...


Gandi has gone from snail to lightning !!


Quoted Text
NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service"

Hors de combat and hors d'oeuvres

Quoted Text

On a separate topic, how do you identify an Alex P scheme? Are there special clues that can be spotted? What do you go by?


Some ideas:
1.
Naming convention of 2-4 English words joined, and more recently one or two extra characters thrown in. Samples

stormegkdboxes.com
quitkherfunnyyes.com
deskhrtkrouble.com
watchskesforumom.com

Not conclusive, just a sign

2.
Name of registrant - often totally fictitious, but sometimes easily identified as a known alias, listed in Spamhaus in his ROKSO records.

3.
Once his sites are identified, then he is identifiable by the site itself. Known examples are

My Canadian Pharmacy
International Legal RX
US Drugs / American Pharmacy
Canadian Health&Care
Exquisite Replicas
HGH Life
Hoodia Life

Note:
Sites that are not his, but attributable to ROKSO #2 Leo Kuvayev, are

Toronto Pharmacy
Pharmacy Express
Health Suite
Health Nation
ED Choice
Finest RX
Special RX
Software Downloads

Conclusion
These are just some of the techniques used. Spamhaus and good old Google always help add weight to the evidence.



 
MarkGiles
Posted on: Tuesday, December 12th, 2006, 1:59pm

Quoted from Ryan
Hi Mark,

Sorry to beat you to it (maybe not, lol!), but...

BABIESAREINN.NET is already suspended...

NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service"


Please review the nameserver resolution provided at
http://www.dnsstuff.com/tools/traversal.ch?domain=mynetwork.hk&type=A

Gandi needs to lock out the domain from update / delete / transfer and set address records for ns1 to something unworkable as was done for ns2 - ns5
ns1.samooosa.info [75.18.211.177]      213.190.217.23 213.22.136.210 213.22.65.212 85.242.206.204 87.72.80.150      
ns2.samooosa.info [217.70.185.0]     Timeout      
ns3.samooosa.info [217.70.185.0]     Timeout      
ns4.samooosa.info [217.70.185.0]     Timeout      
ns5.samooosa.info [217.70.185.0]     Timeout      


---
One horse is still in service
MarkGiles
Posted on: Tuesday, December 12th, 2006, 2:36pm
Sample spam tracked back to ROKSO # 1 "Alex Polyakov"
Spamvertized domain URL
Code
http://www.minsiteksonata.com/

See http://www.dnsstuff.com/tools/traversal.ch?domain=minsiteksonata.com&type=A
Name servers on sportystuuff.com, which is listed under Polyakov's criminal record evidence in Spamhaus
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7159
MarkGiles
Posted on: Wednesday, December 13th, 2006, 1:12am
He seems to be wrestling them back. How well are they locked out by Gandi? Who is the mole?

ns1.babiesareinn.net [69.208.153.223]     202.144.125.229 217.132.148.210 59.93.73.240 68.252.96.1 69.208.153.223    
ns2.babiesareinn.net [202.144.125.229]     202.144.125.229 217.132.148.210 59.93.73.240 68.252.96.1 69.208.153.223    
ns3.babiesareinn.net [217.70.185.0]     Timeout    
ns4.babiesareinn.net [217.70.185.0]     Timeout    
ns5.babiesareinn.net [217.70.185.0]     Timeout    

Domain Name: BABIESAREINN.NET
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: NS3.BABIESAREINN.NET
Name Server: NS4.BABIESAREINN.NET
Name Server: NS1.BABIESAREINN.NET
Name Server: NS2.BABIESAREINN.NET
Name Server: NS5.BABIESAREINN.NET
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
Updated Date: 12-Dec-2006

ClientUpdate not prohibited?  How about Registrar Hold?
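The traversal listings Mark pastes here (a nameserver, its glue address in brackets, then either the answers it gave or "Timeout") can be checked mechanically rather than by eye. The Python below is an example added to this thread, not a tool from any of the posters: it parses lines in that format, derives the registered domain behind each nameserver (so the request goes to the right registrar), classifies each server as serving, timed out or parked on a sinkhole address, and diffs two snapshots to catch the "wrestling them back" case. The sample snapshots are constructed from addresses quoted in the thread; treating 217.70.185.0, 61.61.61.61 and 0.0.0.0 as sinkhole glue, and the ns-not-in-service.org suffix as Tucows' withdrawal marker, are assumptions taken from other posts in this thread.

```python
import re
from typing import NamedTuple

# Example added to this thread, not a tool from any of the posters.
# Parses dnsstuff-style "traversal" output and reports which of a spam
# domain's nameservers are still answering.

# Glue addresses the thread shows registrars using to make a nameserver
# deliberately unworkable. Treating them as sinkholes is an assumption.
SINKHOLE_GLUE = {"0.0.0.0", "217.70.185.0", "61.61.61.61"}
# Suffix Tucows appended to a withdrawn nameserver name (assumption from the thread).
NOT_IN_SERVICE_SUFFIX = ".ns-not-in-service.org"

LINE_RE = re.compile(r"^(\S+)\s+\[([^\]]+)\]\s*(.*)$")

# Constructed snapshots modelled on the listings quoted in the thread.
SNAPSHOT_BEFORE = """\
ns1.babiesareinn.net [217.70.185.0]     Timeout
ns2.babiesareinn.net [217.70.185.0]     Timeout
ns3.babiesareinn.net [217.70.185.0]     Timeout
"""
SNAPSHOT_AFTER = """\
ns1.babiesareinn.net [69.208.153.223]     202.144.125.229 217.132.148.210 69.208.153.223
ns2.babiesareinn.net [202.144.125.229]     202.144.125.229 217.132.148.210
ns3.babiesareinn.net [217.70.185.0]     Timeout
ns1.anatomyabstract.com.ns-not-in-service.org [0.0.0.0]     Timeout
"""


class NsRecord(NamedTuple):
    host: str        # nameserver hostname exactly as listed
    domain: str      # registrable domain that the registrar complaint names
    glue: str        # glue address shown in brackets
    answers: tuple   # addresses the server returned; empty on Timeout
    state: str       # "serving", "timeout", "blackholed" or "removed"


def nameserver_domain(host: str) -> str:
    """Strip leading nsN labels: 'ns2.grettnos.com' -> 'grettnos.com'.
    Assumes the nameserver sits directly under a two-label registrable
    domain, which holds for every example in the thread."""
    labels = host.rstrip(".").split(".")
    while len(labels) > 2 and re.fullmatch(r"ns\d*", labels[0], re.IGNORECASE):
        labels.pop(0)
    return ".".join(labels)


def parse_line(line: str) -> NsRecord:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised traversal line: {line!r}")
    host, glue, rest = m.group(1), m.group(2), m.group(3).strip()
    answers = () if not rest or rest.lower().startswith("timeout") else tuple(rest.split())
    if host.lower().endswith(NOT_IN_SERVICE_SUFFIX):
        # Registrar has already renamed the server out of service.
        state = "removed"
        domain = nameserver_domain(host[: -len(NOT_IN_SERVICE_SUFFIX)])
    else:
        domain = nameserver_domain(host)
        if answers:
            state = "serving"
        elif glue in SINKHOLE_GLUE:
            state = "blackholed"
        else:
            state = "timeout"
    return NsRecord(host, domain, glue, answers, state)


def parse_traversal(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def still_serving(text: str) -> list:
    """Nameservers that still answer, i.e. the ones a follow-up request must name."""
    return [r.host for r in parse_traversal(text) if r.state == "serving"]


def regained_service(before: str, after: str) -> list:
    """Hosts that were down in the earlier snapshot but answer in the later one."""
    was_up = {r.host for r in parse_traversal(before) if r.state == "serving"}
    now_up = {r.host for r in parse_traversal(after) if r.state == "serving"}
    return sorted(now_up - was_up)


if __name__ == "__main__":
    for rec in parse_traversal(SNAPSHOT_AFTER):
        print(f"{rec.host:46} {rec.domain:22} {rec.state}")
    print("regained service:", regained_service(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Running two traversals a day apart and feeding them to regained_service is the quickest way to notice a nameserver quietly coming back, which is the pattern this post describes.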
Ryan
Posted on: Wednesday, December 13th, 2006, 2:05pm
Hi all,

For all who are interested, if one does not see a ClientUpdate Prohibited on a Gandi-registered domain, that does not mean that the client can a priori update the information. In certain cases, back office operations have the same effect by restricting user rights on the web interface (ex. ability to change IP addresses, etc...).  

So, for those who care:

ns1.babiesareinn.net [217.70.185.0]     Timeout      
ns2.babiesareinn.net [217.70.185.0]     Timeout      
ns3.babiesareinn.net [217.70.185.0]     Timeout      
ns4.babiesareinn.net [217.70.185.0]     Timeout      
ns5.babiesareinn.net [217.70.185.0]     Timeout

and

ns1.samooosa.info  [217.70.185.0]    

and

many others...



A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
MarkGiles
Posted on: Wednesday, December 13th, 2006, 3:25pm
Pretty soon, Gandi will be blacklisted by the whole spammer community. Congratulations.

---
I love the smell of 217.70.185.0 in the morning
Ryan
Posted on: Wednesday, December 13th, 2006, 3:33pm

That would (will) be a great day indeed....

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
tracker
Posted on: Wednesday, December 13th, 2006, 4:47pm
Here are a couple notes back from registrars:

Hello,

The problem that you have brought to our notice relates to how the below mentioned domain names are involved in SPAM abuse:

domain name: TRQ2ME.COM

We are extremely strict and proactive with regards to our terms of usage. Pursuant to our terms of service we have already Suspended this domain name.

For reporting any Abuse from a domain name registered with Registrar Directi.com, please send an e-mail to abuse@publicdomainregistry.com.

Moreover, you may report Spam for domain names either Registered through Registrar DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM or Hosted on our Servers from our website at http://www.publicdomainregistry.com/contactus/report-spam/ and Whois Inaccuracy of domain names Registered through us at http://www.publicdomainregistry.com/contactus/report-false-whois/.

Regards,

Karna Kumar Jain

PublicDomainRegistry Abuse Desk

PublicDomainRegistry Spam Reporting Tool -
http://www.publicdomainregistry.com/contactus/report-spam/

PublicDomainRegistry False Whois Reporting Tool -
http://www.publicdomainregistry.com/contactus/report-false-whois/


And from Netfirms:

Hello,

Thank-you for your e-mail enquiry.
Please be advised that we have disabled this site.
Netfirms provides legitimate web hosting services and has a ZERO tolerance policy towards these violations.

Regards,

Todd
Netfirms Inc.
http://www.netfirms.com


Unfortunately, nothing can be done about the Chinese registered nameservers.
tracker
Posted on: Wednesday, December 13th, 2006, 4:58pm
In case someone wants to bug Polyakov a bit, I just received 12 of his scam messages.  He's really been pushing the first two sites.

http://samonrize.com/  (2 messages)
http://adsuchinmdeska.com/    (5 messages)
http://greatsearched.com
http://wrldbmrsvqljlws.plussearched.com/?cvuaivnyfddjetf
http://ntlqgp.wasteceiling.net/?67251773
http://slendersix.com/
http://www.kepleer.com

Some bad news is that I'm trying to figure out why Tucows is rejecting my domain/dns abuse reports.

"<banterwebhelp1@tucows.com>: host emd2-imta.prosp.tucows.com[64.97.156.1] said:
   550 Requested action not taken: excessive spam content (in reply to end of
   DATA command)"

Does that indicate that I've been reporting too much Polyakov spam???  What good does it do to report this stuff if your emails don't make it through?
spamislame
Posted on: Wednesday, December 13th, 2006, 10:44pm

Quoted from tracker
Some bad news is that I'm trying to figure out why Tucows is rejecting my domain/dns abuse reports.

"<banterwebhelp1@tucows.com>: host emd2-imta.prosp.tucows.com[64.97.156.1] said:
   550 Requested action not taken: excessive spam content (in reply to end of
   DATA command)"

Does that indicate that I've been reporting too much Polyakov spam???  What good does it do to report this stuff if your emails don't make it through?


What I usually do in that case is send a more generic email. quoting nothing, which outlines that you wish to bring to their attention one or more domains which are abusing their terms of service. Zip up a file containing the spam messages and post them to your file host of choice (you may notice I stick with mytempdir.com) Include the link to that file in your email and ensure that you tell them it is virus free and contains data that has not made it through their email server's spam filters.

It blows my mind when spam / abuse email addresses reject the very messages we're supposed to report to them. I understand they must be bombarded day in and day out by idiot spammers but come on.

Anyway I hope that helps.

SiL
tracker
Posted on: Thursday, December 14th, 2006, 10:26am
SiL, I understand you fully.  At first I was quoting and inserting "evidence" within my emails, since some Registrars can't do anything without it.  However,  the rejected email to Tucows was simply the following:

 
The following domain registered by TUCOWS INC. is engaged in email spam, phishing, and fraud abuse:

http://samonrize.com/

These domains are using nameservers:

ns1.anatomyabstract.com.ns-not-in-service.org [0.0.0.0]
ns1.poertodas.com [83.143.12.252]   Registrar:     BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
ns2.grettnos.com [63.223.11.14]   Registrar:     XIN NET TECHNOLOGY CORPORATION
ns2.seveopd.com [63.223.11.14]   Registrar:     XIN NET TECHNOLOGY CORPORATION


Please lock out customer access to these domains and set all address records to 0.0.0.0

Do not support Internet fraud abuse


Unfortunately, BEIJING INNOVATIVE LINKAGE TECHNOLOGY and XIN NET TECHNOLOGY CORPORATION do not respond to abuse reports, but you can make a small difference.  Thank you.
MarkGiles
Posted on: Thursday, December 14th, 2006, 3:43pm
You will see a list of nameservers including those, at the blog entry in http://spamhater.zoomshare.com
tracker
Posted on: Thursday, December 14th, 2006, 6:32pm

Quoted from MarkGiles
You will see a list of nameservers including those, at the blog entry in http://spamhater.zoomshare.com


I love the pic of the Subway Sandwich shop.  Who would have thought that they were dispensing drugs for ED!  I knew there was something special about those pastrami sandwiches...

Mark you've included just one more link pointing to the fight against spam.  I can't keep track of how many there are!  So many people literally ticked off about it, and yet so little actually being accomplished!
tracker
Posted on: Sunday, December 17th, 2006, 1:03pm
Can anyone get through to Tucows???  All of my email is being rejected.  Polyakov, or Yambo, has been bombarding people with their http://samonrize.com/ phishing site, registered by Tucows.  Unfortunately, with Tucows rejecting my email I can't do a thing about it.
Ryan
Posted on: Sunday, December 17th, 2006, 1:16pm
What are the addresses you are using to contact them? I'll try and find another one.

When you say they are rejecting your e-mails, can you provide more information (ex. the full header of the message you get in return etc...)?  (so we can see if there is a technical reason for your mails being rejected instead of human)

Have you tried e-mailing them from a different e-mail address (it is not impossible that they have blacklisted your e-mail address(es)?

A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
MarkGiles
Posted on: Sunday, December 17th, 2006, 4:15pm

Quoted from tracker
Can anyone get through to Tucows???  All of my email is being rejected.  Polyakov, or Yambo, has been bombarding people with their http://samonrize.com/ phishing site, registered by Tucows.  Unfortunately, with Tucows rejecting my email I can't do a thing about it.


It used to be compliance@opensrs.org

But for the latest, see
http://www.icann.org/registrars/accreditation-qualified-list.html
which gives
Quoted Text
Tucows Inc. (Canada)
http://www.tucows.com
Tucows Inc. (Canada) http://resellers.tucows.com Team up with the world's largest wholesale domain registrar. Competitive wholesale prices, the most experienced support team in the business, no hidden fees, and a complete suite of order and management tools available through OpenSRS. A full range of wholesale services to choose from: 13 TLDs, email, managed DNS, and digital certificates . Tel: 416 535 0123 Email: sales@opensrs.org

   Tel: 416 535 0123
   Email: banterwebhelp1@tucows.com
and
http://www.internic.net/regist.html
Quoted Text
Tucows Inc.
96 MOWAT AVENUE
Toronto, Ontario M6K 3M1
Canada
416 535 0123
banterwebhelp1@tucows.com

Tel: 416 535 0123
Email: sales@opensrs.org


OK?
MarkGiles
Posted on: Sunday, December 17th, 2006, 4:53pm
Let's see now,  samonrize.com - one spam, what can we learn from it?

Looking up the nameservers
http://www.dnsstuff.com/tools/traversal.ch?domain=samonrize.com&type=A
We find four of them, shown as
    ns1.anatomyabstract.com.ns-not-in-service.org.
    ns1.poertodas.com.
    ns2.grettnos.com.
    ns2.seveopd.com.
Domain anatomyabstract.com was removed by Tucows on request
> Domain status: clientHold, clientTransferProhibited, clientUpdateProhibited
Nicely locked out, and address record fixed too:
> ns1.anatomyabstract.com.ns-not-in-service.org [0.0.0.0]

So who are the noncompliant registrars?

1. http://www.dnsstuff.com/tools/whois.ch?ip=poertodas.com
Beijing Innovative Linkage Technology - email zaifeng@dns.com.nn

2. http://www.dnsstuff.com/tools/whois.ch?ip=grettnos.com
XIN Net - email registrar@xinnet.com

3. http://www.dnsstuff.com/tools/whois.ch?ip=seveopd.com
XIN Net - same again

What other domains have been registered and spammed under these same nameservers?
http://rss.uribl.com/ns/seveopd_com.html

#1     widgetbirds.com     ... Wed, 29 Nov 2006 12:02:05 +0000
#2     firenigheit.com     .. Tue, 28 Nov 2006 19:55:51 +0000
#3     arbiktrarium.com     ... Tue, 28 Nov 2006 08:56:33 +0000
#4     denounceringe.net     ... Tue, 28 Nov 2006 03:06:38 +0000
#5     towelsoil.info     ... Tue, 28 Nov 2006 03:02:56 +0000
#6     risehandful.com     ... Tue, 28 Nov 2006 03:01:44 +0000
#7     finedoots.info     ... Tue, 28 Nov 2006 02:59:38 +0000
#8     raznine.info     ... Tue, 28 Nov 2006 02:58:33 +0000
#9     plivaxis.com     ... Tue, 28 Nov 2006 02:08:21 +0000

#1 My Canadian Pharmacy
#2 My Canadian Pharmacy
#3 parked domain
#4 parked domain
#5 unknown
#6 unknown
#7 US Drugs
#8 US Drugs
#9 US Drugs

Alex Polyakov / Yambo territory.  You can sure learn a lot just from one spam.
tracker
Posted on: Sunday, December 17th, 2006, 9:45pm
It was obvious that XIN NET & Beijing Tech wouldn't do anything; however, I was hoping that at least Tucows could delete the user's domain under their registry.

The address I've been using for Tucows has been banterwebhelp1@tucows.com, with the following message returned, as mentioned previously:

<banterwebhelp1@tucows.com>: host emd2-imta.prosp.tucows.com[64.97.156.1] said:
   550 Requested action not taken: excessive spam content (in reply to end of
   DATA command)
MarkGiles
Posted on: Monday, December 18th, 2006, 4:02pm
Try compliance at opensrs.org
MarkGiles
Posted on: Wednesday, December 20th, 2006, 12:29am
Beijing Innovative Linkage Technology has been steadily purging Leo Kuvayev's spam sites


IP Address         Name server removed by Beijing     Date
61.61.61.61        ns.kertuijingenfunhadesun.com     19-Dec
61.61.61.61        ns.badesruikinherungans.com       19-Dec
61.61.61.61        ns0.vckionldesunjas.com           19-Dec
61.61.61.61        ns0.quijindeshkinmas.com          14-Dec
221.194.111.14     ns0.kilonherunhasedun.com         14-Dec
61.61.61.61        ns0.avuihdesunhawio.com           11-Dec
61.61.61.61        ns0.sadewunmkedefuna.com          11-Dec
61.61.61.61        ns.vaserunkiontunhdetunhas.com    11-Dec
61.61.61.61        ns.baserunkintunhdefunhas.com     11-Dec


That's a load of spammed sites (over 1,000) removed.
Dave
Posted on: Tuesday, December 26th, 2006, 5:16am
Beijing Innovative Linkage Technology has been steadily purging Leo Kuvayev's spam sites


IP Address         Name server removed by Beijing     Date
61.61.61.61        ns.kertuijingenfunhadesun.com     19-Dec
61.61.61.61        ns.badesruikinherungans.com       19-Dec
61.61.61.61        ns0.vckionldesunjas.com           19-Dec
61.61.61.61        ns0.quijindeshkinmas.com          14-Dec
221.194.111.14     ns0.kilonherunhasedun.com         14-Dec
61.61.61.61        ns0.avuihdesunhawio.com           11-Dec
61.61.61.61        ns0.sadewunmkedefuna.com          11-Dec
61.61.61.61        ns.vaserunkiontunhdetunhas.com    11-Dec
61.61.61.61        ns.baserunkintunhdefunhas.com     11-Dec


That's a load of spammed sites (over 1,000) removed

Removed?
What does this mean? I have just received a Spam mail  re
ferunhandesunjintungandsa.com
The nameservers/ are

 Name Server.......... ns0.hertunjinkdastion.com
 Name Server.......... ns0.vckionldesunjas.com
Has it been re-instated?
Dave
Posted on: Tuesday, December 26th, 2006, 5:26am
Same goes for    

pasdrtionkintungandesunjin.com
MarkGiles
Posted on: Tuesday, December 26th, 2006, 5:08pm
In this case Leo used two nameservers to resolve access to his sites. One he registered with Chinese registrar Beijing Innovative Linkage Technology, the other with Chinese registrar XIN Net. Both registrars are accredited by ICANN, a toothless organisation that hands out accreditations but does nothing to ensure quality of service and compliance to requests. So it is up to us to be persistent and specific in our compliance requests.

In this case, Beijing Innovative Linkage Technology has listened to complaints that they are providing a safe haven for a convicted criminal, Leo Kuvayev. They have decided to terminate their contracts with him, and render his name servers inoperative.

XIN Net has yet to see the error of its ways, and is bringing shame and disgrace to the People's Republic of China by not matching Beijing's response. It would be helpful if more people advise them of the error of their ways. Complaints should be made as an "ICANN COMPLIANCE REQUEST" that they set the status of domain hertunjinkdastion.com to
clientDeleteProhibited
 clientTransferProhibited
 clientUpdateProhibited
and the Address records should be changed  to a blackhole such as 61.61.61.61.

Address complaints to registrar@xinnet.com with copies to pantao@xinnet.com, lihm@xinnet.com, abuse@anti-spam.cn, spam@ccert.edu.cn

You will find that similar information has been placed into the McAfee SiteAdvisor messages at http://www.siteadvisor.com/sites/ferunhandesunjintungandsa.com
MarkGiles
Posted on: Tuesday, December 26th, 2006, 6:13pm
Examples to illustrate

IP Address         Name server removed by Beijing     Date
61.61.61.61        ns.kertuijingenfunhadesun.com     19-Dec
61.61.61.61        ns.badesruikinherungans.com       19-Dec

Look at the status of one of these
 Domain Name: KERTUIJINGENFUNHADESUN.COM
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Whois Server: whois.dns.com.cn
 Referral URL: http://www.dns.com.cn
 Name Server: NS.KERTUIJINGENFUNHADESUN.COM
 Name Server: NS0.KERTUIJINGENFUNHADESUN.COM
 Status: clientHold
 Updated Date: 19-dec-2006

Although as you can see this pair of nameservers were invalidated by Beijing, they failed to prevent transfer of the domains under them. So the spammed domains, such as

    runhenfanseyionkenrunhansa.com    
    shudeinkionmdefun.com    
    vaserunhfandesikintunhan.com    
    daseriokintunhandesungan.com    
    basewunhertinhanlionkun.com    
    resdefankderunhanstion.com

have been moved to these new name servers registered at XIN Net  

ns.pasedinkiondetinjdas.com
ns.mdefunjderionsade.com

The bottom line is that
(a) Leo is losing out at one registrar, and has shifted this part of his operation to another.
(b) Registrars must be requested to set the status of the name server domain to clientTransferProhibited
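Mark's two points, that a nameserver domain on clientHold alone still lets the domains under it be transferred, and that registrars must be asked for clientTransferProhibited as well, amount to a checklist that can be applied to any WHOIS record. The Python below is an example added to this thread, not code from any poster or registrar: it pulls the Status / EPP Status / Domain status lines out of a record (both the one-per-line and the comma-separated layouts seen in this thread), reports which of the four requested locks are missing, and drafts the compliance request wording for the gap. The three records are constructed from the WHOIS extracts quoted in the thread, and the meaning given to each status is the standard EPP definition.

```python
import re

# Example added to this thread, not code from any of the posters or registrars.
# Audits a WHOIS record for the locks the thread asks registrars to place on a
# spammer's nameserver domain, and drafts the request for whatever is missing.

# The four EPP client statuses requested in the thread, with the standard
# EPP meaning of each (what can no longer happen once it is set).
REQUIRED_STATUSES = {
    "clientHold": "delegation is withdrawn, so the domain stops resolving",
    "clientDeleteProhibited": "the domain cannot be deleted and re-registered",
    "clientTransferProhibited": "the domain cannot be moved to another registrar",
    "clientUpdateProhibited": "nameserver and contact records cannot be changed",
}
STATUS_KEYS = {"status", "epp status", "domain status"}
CANON = {s.lower(): s for s in REQUIRED_STATUSES}

# Three records constructed from the WHOIS extracts quoted in this thread.
BEIJING_RECORD = """\
 Domain Name: KERTUIJINGENFUNHADESUN.COM
 Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
 Name Server: NS.KERTUIJINGENFUNHADESUN.COM
 Status: clientHold
 Updated Date: 19-dec-2006
"""
GANDI_RECORD = """\
Domain Name: BABIESAREINN.NET
Registrar: GANDI
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
Updated Date: 12-Dec-2006
"""
TUCOWS_RECORD = """\
Domain Name: ANATOMYABSTRACT.COM
Domain status: clientHold, clientTransferProhibited, clientUpdateProhibited
"""


def field(record: str, name: str) -> str:
    """Return the value of the first 'name: value' line, or '' if absent."""
    for line in record.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return ""


def parse_statuses(record: str) -> set:
    """Collect every status token, whether listed one per line or comma-separated."""
    found = set()
    for line in record.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() not in STATUS_KEYS:
            continue
        for token in re.split(r"[\s,]+", value.strip()):
            if token:
                found.add(CANON.get(token.lower(), token))
    return found


def missing_locks(record: str) -> list:
    present = parse_statuses(record)
    return [s for s in REQUIRED_STATUSES if s not in present]


def audit(record: str) -> dict:
    present = parse_statuses(record)
    missing = missing_locks(record)
    return {
        "domain": field(record, "Domain Name"),
        "registrar": field(record, "Registrar"),
        "statuses": sorted(present),
        "missing": missing,
        # The gap described in the post: a held nameserver domain whose
        # dependent domains can still be walked to another registrar.
        "transferable": "clientTransferProhibited" not in present,
        "fully_locked": not missing,
    }


def compliance_request(record: str) -> str:
    """Draft the request wording used in the thread, naming only the missing locks."""
    result = audit(record)
    if result["fully_locked"]:
        return f"{result['domain']}: all four requested locks are already set."
    wanted = "\n".join(f"  {s}  ({REQUIRED_STATUSES[s]})" for s in result["missing"])
    return (f"ICANN COMPLIANCE REQUEST to {result['registrar'] or 'the sponsoring registrar'}: "
            f"please set the status of domain {result['domain']} to\n{wanted}")


if __name__ == "__main__":
    for rec in (BEIJING_RECORD, GANDI_RECORD, TUCOWS_RECORD):
        print(compliance_request(rec))
        print()
```

Note that the legacy REGISTRAR-LOCK value is kept in the status list but not mapped onto the four EPP locks, so a record showing only that value is still reported as needing the explicit client statuses.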
Dave
Posted on: Monday, January 8th, 2007, 2:53pm
Hi Mark, I'm losing the plot (I do try and report as many as I can) as ICANN don't seem bothered.

The latest one I've looked at is 22RX.com, using clues previously provided by yourself and DNS Stuff.

Registrar:     BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Status:        clientTransferProhibited
Dates:         Created 07-dec-2006   Updated 30-dec-2006  Expires 07-dec-2007
DNS Servers:   NS0.YADEXSIKINGANS.COM  NS0.FADESUTIONGFEDRIN.COM  

which suggests the registrar is  BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

However a search on  NS0.YADEXSIKINGANS.COM  NS0.FADESUTIONGFEDRIN.COM  
has  XIN NET as the registrar for the nameservers.



WHOIS results for fadesutiongfedrin.com
Generated by http://www.DNSstuff.com

Registrar:     XIN NET TECHNOLOGY CORPORATION
Status:        ok
Dates:         Created 21-dec-2006   Updated 21-dec-2006  Expires 21-dec-2007
DNS Servers:   NS2.XINNETDNS.COM  NS2.XINNET.CN  




So Who should I be sending the Block request to?
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Secondly, only yesterday I did this search and sent off Block Requests to the registrars for the name servers: 2 at Beijing, 1 at Moniker and 1 at Xin Net.


Domain Name: MIZALDO.HK
Contract Version:       HKDNR latest version  
 

Registrant Contact Information:


Holder English Name (It should be the same as your legal name on your HKID card or other relevant documents): ANTONIO NACRUR
Holder Chinese Name:
Email: ******@safe-mail.net
Domain Name Commencement Date: 2006-12-21
Country: US
Expiry Date:  2007-12-22  
Re-registration Status:  Complete  
Name of Registrar: HKDNR
Account Name: HK1772050T

Technical Contact:

First name: ANTONIO    
Last name: NACRUR  
Company Name: ANTONIO NACRUR    


Name Servers Information:

NS1.XETOPNET.COM  
NS2.LOERJAMM.COM  
NS1.THEBLACKRAINS.NET  
NS2.ASDERDUB.COM  


AND today on this search I've got this:

WHOIS results for justlom.com
Generated by http://www.DNSstuff.com

Registrar:     NETFIRMS, INC.
Status:        ok
Dates:         Created 13-dec-2006   Updated 21-dec-2006  Expires 13-dec-2007
DNS Servers:   NS2.ASDERDUB.COM  NS1.THEBLACKRAINS.NET  NS1.XETOPNET.COM  NS2.LOERJAMM.COM  


I JUST CAN'T KEEP UP WITH IT, partly because I don't understand it. Don't the registrars
see that the name servers they are using are blacklisted in many places such as URIBL.com,
or don't they care?
Logged Offline
Private Message Reply: 58 - 78
MarkGiles
Posted on: Monday, January 8th, 2007, 6:04pm
All-Star


Posts: 363
Spammers know that people are tracking them down and shutting them down. So they try to outwit us by covering their tracks.

When you do a WHOIS lookup on a domain, you get back a lot of useful information. The information is what was recorded at the time of registration, and includes the nameservers chosen to resolve the domain name to an address. Because the spammers know that this information is a weakness, they set out to get around it. They change to a different set of name servers, maybe even on a different registrar.

Let's look at your example, 22rx.com, today.
The domain is registered on Beijing Innovative:
http://www.dnsstuff.com/tools/whois.ch?ip=22rx.com&email=on

You can complain there to have just that one site taken down.

But you can go higher than that. Where are the nameservers?
http://www.dnsstuff.com/tools/traversal.ch?domain=22rx.com&type=A

ns0.rxlist1.com [58.215.65.230]      195.138.198.96 81.177.22.174      
ns0.fadesutiongfedrin.com [58.215.74.24]     195.138.198.96 81.177.22.174      

Two nameservers, one created on domain rxlist1.com (that's new) and the other on old faithful fadesutiongfedrin.com.  The former nameserver (NS0.YADEXSIKINGANS.COM) has not responded since Jan 1. Thanks XIN Net! And thanks to all the complainers, too.

Who is the registrar for the new nameserver?
http://www.dnsstuff.com/tools/whois.ch?ip=rxlist1.com&email=on
Beijing Innovative, back on Nov 24

Who is the registrar for the old one?
http://www.dnsstuff.com/tools/whois.ch?ip=fadesutiongfedrin.com&email=on
XIN Net back on Dec 21

Where are these two name servers? Look up the IP addresses
http://www.dnsstuff.com/tools/whois.ch?ip=58.215.65.230&email=on
http://www.dnsstuff.com/tools/whois.ch?ip=58.215.74.24&email=on

The whole range 58.208.0.0 - 58.223.255.255 is administered by China Telecom

Notice that there are not one but two addresses for the website. So he is running it on a primary and a secondary, at 195.138.198.96 and 81.177.22.174.

Where are the 22RX web sites located?
http://www.dnsstuff.com/tools/whois.ch?ip=195.138.198.96&email=on
> Hostbizua.com in the Ukraine
http://www.dnsstuff.com/tools/whois.ch?ip=81.177.22.174&email=on
> Netplace.ru in Russia

So he has lost one of his nameservers, and had to replace it with another.  His name servers are registered on two different registrars in PRC, and running on two machines in an address range administered by China Telecom. 22RX.com runs on two tandem servers, one in Ukraine, one in Russia.

OK for part one.


Logged Offline
Private Message Reply: 59 - 78
MarkGiles
Posted on: Monday, January 8th, 2007, 6:17pm
All-Star


Posts: 363
Re MIZALDO.HK, an Illegal RX site: you have it exactly right.


Quoted Text
AND today on this search I've got this:

WHOIS results for justlom.com
Generated by http://www.DNSstuff.com

Registrar:     NETFIRMS, INC.
Status:        ok
Dates:         Created 13-dec-2006   Updated 21-dec-2006  Expires 13-dec-2007
DNS Servers:   NS2.ASDERDUB.COM  NS1.THEBLACKRAINS.NET  NS1.XETOPNET.COM  NS2.LOERJAMM.COM  


Requesting Netfirms (affiliate of Tucows, both in Toronto) to act on this will take out one of the literally THOUSANDS of Illegal RX sites. Better to request the nameservers be inactivated, as before. See the title of this thread.


Quoted Text
I don't understand it. Don't the registrars
see that the name servers they are using are blacklisted in many places such as URIBL.com,
or don't they care?


Guess what? I asked that question of myself, too. I got no answer. Then I got an idea. I asked some of the registrars. The result was dramatic. I know two registrars who were delighted to learn about this uribl lookup method, and do precisely that!

So don't ask yourself. Don't ask this forum. Ask the registrars, and teach them how to do it.
Logged Offline
Private Message Reply: 60 - 78
Dave
Posted on: Thursday, January 11th, 2007, 2:53pm
New Member


Posts: 19
Thanks - a few more clues for me and others, I hope. I did ask Netfirms (probably not the right question and possibly not the right tone), but they were good enough to reply,
but again I don't fully understand their answer.
" Hello, Thank you for your e-mail.
Please be advised that the domain(s) you have listed are not hosted with Netfirms.  While the domains were originally registered through Netfirms, we have no affiliation with them other than the registration themselves.

If you are receiving spam from these domains, we recommend that you contact the host provider currently hosting these domains and file your complaint with them.

Netfirms is listed as the technical contact for these domains because they were registered through us.  However, there is nothing that we can do in regards to your complaint since the spam e-mail you are receiving is coming from a different host provider and mail server.

Therefore, we recommend that you refrain from sending us any further notifications regarding your spam complaints as these will need to be re-directed to the host provider for the domain you are filing a complaint against.

We thank you for your compliance in this matter.

Regards,

Todd
Netfirms Inc.
http://www.netfirms.com

Thank you,

Netfirms Support Team
Netfirms Inc.
http://www.netfirms.com


-----Original Message-----
From:   Dave
Date:   Monday, January 08, 2007  03:13 PM
To:   support@netfirms.com (support@netfirms.com)
Subject:  Domain - http://www.justlom.com

Domain Name: www.justlom .com

Hi, I have received an email from
JUSTLOM.COM and you appear to be the registrars.  The name servers they
are using are blacklisted on many sites throughout the world and I just wonder why,
when you are ICANN registered, you can allow this to go on?
The site they are using is at best gathering credit card information and at worst selling illegal drugs.
Don't you have laws in America or Canada to stop that sort of thing?
Logged Offline
Private Message Reply: 61 - 78
Ryan
Posted on: Thursday, January 11th, 2007, 3:15pm
Spam Fighter



Posts: 76
Their key words:

"...other than the registration themselves..."

They are taking the cowardly position that they are immune to the action of the domain, since they are not hosting the site.


A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 62 - 78
MarkGiles
Posted on: Thursday, January 11th, 2007, 3:16pm
All-Star


Posts: 363
Hi Dave,
You need to approach it differently. You are not complaining because the site was spammed, you are complaining because they are sponsoring a criminal operation.

Take a look at the useful and somewhat amusing entries in the McAfee Site Advisor details at
http://www.siteadvisor.com/sites/justlom.com

You need do little more than to ask Netfirms to read it, and decide whether they should continue to risk their reputation in continuing to do business with Alex Polyakov.
Logged Offline
Private Message Reply: 63 - 78
Ryan
Posted on: Thursday, January 11th, 2007, 3:22pm
Spam Fighter



Posts: 76
Absolutely. Mark is right on the ball there Dave.

They need to take a stand like this: http://www.gandibar.net/post/2007/01/11/Gandi-fights-back-against-domain-abuse

(Ok - that cat is DEFINITELY out of the bag now. What the hell. Anyway, check out the hidden reference to this forum in the title, and please visit and voice your support!!)

Other solutions? You bet!!

Why not throw their own contracts in their faces?

Look at Point 2 of their "Domain Registration Agreement". It states:

Quoted Text
"...nor the manner in which it is used infringes the legal rights of a third party, and that the Domain Name is not being registered for any unlawful purpose...."



A computer once beat me at chess, but it was no match for me at kick boxing.
-- Emo Philips
Logged Offline
Site Private Message Reply: 64 - 78
Dave
Posted on: Thursday, February 1st, 2007, 3:45pm
New Member


Posts: 19
Hi - still on the case with your help. This time it is shares - I don't usually bother with them,
but this one caught my interest as it wasn't the usual image spam stuff.


"You are subscribed to leandershantaserver.com with the email address *********@*********.
If you wish to be excluded from future leandershantaserver.com mailings,
please click here
or write us at:
21218 St Andrews Blvd #323, Boca Raton, FL 33433 "

Naturally I did neither (subscribed, eh? I don't think so).
leandershantaserver.com is blacklisted on URIBL, and the registrar is

Registrar:     TUCOWS INC.
Status:        ok
Dates:         Created 19-sep-2006   Updated 19-sep-2006  Expires 19-sep-2007
DNS Servers:   NS1.LEANDERSHANTASERVER.COM  NS2.LEANDERSHANTASERVER.COM  

I was about to write to Tucows Inc., but what does this mean?

Domain     Type     Class     TTL     Answer
leandershantaserver.com.     A     IN     60     69.30.227.40
leandershantaserver.com.     A     IN     60     69.30.227.34
leandershantaserver.com.     NS     IN     60     ns2.leandershantaserver.com.
leandershantaserver.com.     NS     IN     60     ns1.leandershantaserver.com.
ns1.leandershantaserver.com.     A     IN     60     69.30.227.34
ns2.leandershantaserver.com.     A     IN     60     69.30.227.40

- - - - - - - - - - - -  - -  - - - -  - --  - - - - - - - -
WHOIS results for 69.30.227.40
Generated by http://www.DNSstuff.com

Location: United States [City: ]




OrgName:    WholeSale Internet
OrgID:      WHOLE-125
Address:    1102 Grand
Address:    Suite 905
City:       Kansas City
StateProv:  MO
PostalCode: 64106
Country:    US

NetRange:   69.30.192.0 - 69.30.255.255
CIDR:       69.30.192.0/18
NetName:    WHOLESALEINTERNET
NetHandle:  NET-69-30-192-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.KCNOC.COM
NameServer: NS2.KCNOC.COM
- - - - - - - -- -- - - - -- - - - - - -- - - -- - -- - --- -
WHOIS results for KCNOC.COM
Generated by http://www.DNSstuff.com

Registrar:     ENOM, INC.
Status:        clientTransferProhibited
Dates:         Created 19-jun-2003   Updated 12-nov-2006  Expires 19-jun-2007
DNS Servers:   DNS1.NAME-SERVICES.COM  DNS2.NAME-SERVICES.COM  DNS3.NAME-SERVICES.COM  DNS4.NAME-SERVICES.COM  DNS5.NAME-SERVICES.COM  

I was referred to whois.enom.com; I'm looking it up there.


An old "favourite"???!!

So whilst I would be more than happy to write to Tucows, should it be Tucows or ENOM or both?

I did ask in a previous post if anyone (Giles?) could explain DNS traversal in very simple terms, but couldn't see a response.

I'm off to Burma (Myanmar) for a couple of weeks, but if anyone can post a reply I'll get on to it when I get back.
Logged Offline
Private Message Reply: 65 - 78
MarkGiles
Posted on: Thursday, February 1st, 2007, 4:09pm
All-Star


Posts: 363
Please edit or modify your posting, and remove your email address.
Logged Offline
Private Message Reply: 66 - 78
MarkGiles
Posted on: Thursday, February 1st, 2007, 4:15pm
All-Star


Posts: 363
You would complain about leandershantaserver.com to Tucows (compliance at opensrs.org); this is the most effective.

The complaint about the IP address where their system is hosted would go to Wholesale Internet's abuse dept:
OrgAbuseHandle: NETWO1111-ARIN
OrgAbuseName:   Network Abuse
OrgAbusePhone:  +1-314-431-5200
OrgAbuseEmail:  abuse at wholesaleinternet.com
Logged Offline
Private Message Reply: 67 - 78
MarkGiles
Posted on: Tuesday, February 27th, 2007, 11:41pm
All-Star


Posts: 363
Capital Networks (Pacnames) is an unresponsive registrar. They provide the domain for the name servers ns1.srul5.com and ns2.srul5.com. There are over 250 OEM Software sites selling obviously pirated software. It is more worthwhile reporting these to the Business Software Alliance (www.bsa.org) than to the registrar.

But today, all of these sites are failing to load. Take a few at random:
http://oemblagodat.com
http://recover-oem.com
http://oemschaste.com
http://cyber-oem.com

It's gratifying to see hundreds of illegal scam sites fail all at once.
Logged Offline
Private Message Reply: 68 - 78
pensioner
Posted on: Thursday, March 1st, 2007, 11:49am
Frequent Contributor


Posts: 21
A few questions and remarks.
1. At February 1st 4.15 pm Mark wrote the address to complain to Tucows. How come this address is not listed in the InterNIC Registrar list? I will try the address Mark provided, as mails to the listed banterwebhelp1 at tucows.com bounce;
2. I find Ace of Domains also a very unresponsive registrar. In the last weeks I have sent them, using the Complainterator, numerous motivated removal requests for driedoutdns.com and hairyolddns.com. With each request I included the original full UBE, and pointed out the violations of ICANN and CAN-SPAM Act terms (including cc's to ICANN and FTC). Each time I DO get a confirmation mail from ICANN, but nada from Moniker or FTC;
3. Since I started using the complainterator, using hotmail to send the complaints, the following has happened: spam at my yahoo and gmail has almost stopped. I used to get there several daily spams for Pharmacy Express, haven't seen Leo's spam for days now. However spam at my hotmail (=sending complaints address) has sharply increased with spam almost exclusively from Polyakov, originating from driedoutdns and haryolddns;
4. I am unable to tackle the (prun-) spam I receive at hotmail. Until recently that was about the only spam I got at hotmail, but persistent: once a day for well over a year. The original spam (variations like "SEXUALY--ExpLiCIT") linked through a yahoo.uk-account has ceased, but has been moved to zoneedit.com, where the name servers ns7,8 and 9 were used (the subject is now referring to incest and/or older women).
Upon removal requests for zoneedit.com to Dotster, I got replies from zoneedit.com, that the abused site has been "suspended". Nice, but the spamvertized sites behind those links are still running.
As complainterator once suggested me to send a removal request for yahoo.com, I guess that zoneedit.com itself is not the spammer. What approach to take? Like I now do, continue to ask zoneedit to remove ns7~9.zoneedit.com?

In addition to 3: I get the impression that after starting to make removal requests (i.e. using the Complainterator) my gmail and yahoo seem to have been 'white-washed' by Leo (not the effect I wanted, but better than no result at all). It looks like Polyakov gets pissed off by the Complainterator. He moved his spam from my gmail and yahoo to my "offending?" hotmail.
Also, though he is sloppy, yesterday I noticed that several of his spamvertized links did not resolve at first attempt. They did resolve when I used a proxy (most recent case, about 1 hour ago, Exquisite Replicas at http://www.betsfrends.com). I also noticed that the information I get from a 'whois' at domaintools.com is now minimal, or there even is no info at all.

Resuming, spamvertizing has shifted from gmail and yahoo to hotmail for:
Pharma Shop.
ED Pill Store,
Exquisite Replicas
Hoodia...

Spamvertizing for Pharmacy Express has -temporarily- stopped.

Apart from my other questions, I would like to know if other people using the complainterator have seen a similar change.
Logged Offline
Private Message Reply: 69 - 78
MarkGiles
Posted on: Tuesday, March 20th, 2007, 4:54pm
All-Star


Posts: 363
Complainterator has looked up the DNS servers that give access to rxstation.org:
http://www.dnsstuff.com/tools/traversal.ch?domain=rxstation.org&type=A
It gets back the name servers as:
ns1.dns.com.cn [218.30.114.205]
ns2.dns.com.cn [218.244.47.6]

These two name servers are owned by the registrar, Beijing Innovative Linkage Technology, and resolve a huge number of their legitimate customers' web sites and email services.
It is therefore not appropriate to allow Complainterator to generate a request to remove the name servers, because that would shut down a multitude of legitimate sites.

Instead, you need to send an email requesting Beijing to remove the web site rxstation.org from their name servers.
Logged Offline
Private Message Reply: 70 - 78
MarkGiles
Posted on: Monday, April 23rd, 2007, 5:17pm
All-Star


Posts: 363
Version 11 of the automated complaint generation tool has been posted in the forum at
http://thecarpcstore.com/phpbb2/viewforum.php?f=4

It generates complaints to the registrars of a spammed site's name servers, and now it also generates a complaint to the registrar of the spammed site itself.

Used in conjunction with Spamcop, you can respond to a spam for a web site with complaints to:
1. the ISP for the origin of the spam (Spamcop)
2. the ISP for the web site (Spamcop)
3. the registrar for the spammed domain (Complainterator)
4. the registrars for the name servers (Complainterator)
Logged Offline
Private Message Reply: 71 - 78
dj
Posted on: Sunday, April 29th, 2007, 3:36pm
Super Spam Fighter



Posts: 108
Just downloaded Complainterator v11 (for the first time)  

Send to Knujon, report to Spamcop, run Complainterator, delete.  

What more could anyone want?

That would be "no more spam" .................and world peace!

(with acknowledgement to Gracie Hart)


Two small snags:
New Dream Network
jeffc@dreamhost.com was the address given in ICANN, which then bounced:
<jeffc@dreamhost.com>: Recipient address rejected: User unknown in virtual alias table)
Went to their website and found abuse@dreamhost.com, and when I got an automated reply from using that it gave me abuse-replies@dreamhost.com, which will avoid the automated reply.

Godaddy
(reason: 554 refused mailfrom because of SPF policy) <abuse@godaddy.com>


Dave

"Now it's personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 72 - 78
dj
Posted on: Sunday, May 6th, 2007, 4:21am
Super Spam Fighter



Posts: 108
Used the Complainterator to report a spam email to WILD WEST DOMAINS (now there's a name!) and got the following reply:

Our support staff has responded to your request, details of which are described below:

Discussion Notes
Support Staff Response
Dear *****,

Thank you for contacting support. Unfortunately, we are unable to assist you with this issue because we do not host the domain name that you provided. You must contact the hosting provider with your concerns. You can typically determine who the hosting provider is by the Name Servers that are provided on a Whois Search.

Regards,

Adam S
Customer Inquiry
Registrar: WILD WEST DOMAINS, INC.

Dear Registrar

This is a request for you to remove the spamvertized domain wonderblogs.com

EVIDENCE

From this link, you can see that your company is the spammed site's
registrar

* http://www.dnsstuff.com/tools/whois.ch?ip=wonderblogs.com

ACTION
Removal instructions for spammed domains are in this link
* http://www.spamtrackers.eu/wiki/index.php?title=Registrar_Advice

Thank you for your efforts to reduce spam and to keep criminals from abusing
your terms of service.

Regards

***************

--------------------------------------------------------------------------------

If you need further assistance with this matter, please reply to this email or contact customer service at 480-505-8857 and reference Incident ID: *********.

Thanks,
Wild West Domains

Dave

"Now it's personal"  "Don't get mad, get even!"
Logged Offline
Private Message Reply: 73 - 78
MarkGiles
Posted on: Tuesday, May 8th, 2007, 10:17pm
All-Star


Posts: 363
Adam S is technically correct. Wild West Domains does not "host" the web site.

But then, the request did not state that they did.


Quoted Text
From this link, you can see that your company is the spammed site's registrar

* http://www.dnsstuff.com/tools/whois.ch?ip=wonderblogs.com


As the registrar, they have accepted a contract with the registrant, whose details are shown in that link.
Quoted Text
Registrant:
  Adil Mohammed
  Flat 3, 30 St Lawrence Terrace
  London, London W10 5SX
  United Kingdom

  Registered through: DomainRightNow
  Domain Name: WONDERBLOGS.COM
     Created on: 05-Nov-05
     Expires on: 05-Nov-07
     Last Updated on: 30-Aug-06


Note the creation date.

If you really believe this site should be removed, you have two options.

1. Respond with a request that they remove the site by setting it to Client Hold.
2. Request the ISP to remove it, as follows:
a. What is its IP address? ping http://www.wonderblogs.com
>> wonderblogs.com [216.86.146.129]
b. Look up the owner of that IP:
http://www.dnsstuff.com/tools/whois.ch?ip=216.86.146.129&email=on
c. Forward the request to the abuse dept.



Logged Offline
Private Message Reply: 74 - 78
gentlemike2
Posted on: Tuesday, August 28th, 2007, 9:22pm
New Member


Posts: 4
Okay, let me see if I understand all this:

I got an e-mail from phaonica dot com today.  It is registered by Sammy Lee of Liquid Ventures Inc.  It redirects to a site --- herbalonez  dot com registered to Danny Lee of Healthworldwide Inc.  herbalonez advertises p**** enlargement products.

The name servers for phaonica are:
ns1.met-dns.com
ns2.met-dns.com
ns3.met-dns.com
ns4.met-dns.com

The name servers for herbalonez are:

ns2.chechiewaz67.com
ns1.chechiewaz67.com

All of these name servers are registered with Beijing Innovative Linkage Technology Inc. (No surprise there).

So, I should e-mail Beijing Innovative and request that the met-dns.com servers be taken down, or the chechiewaz67 servers be taken down, or both?

What is my specific complaint?

Who do I cc this to?

I really want to get this down, so I can teach others.  I will write up a how to on my own site's spam awareness forum, and spread the word on this technique.

This is new to me, forgive me for being a little slow.  Rest assured, when I get it down, I will be using the technique with vigor and enthusiasm.

Gentlemike2
Logged Offline
Private Message Reply: 75 - 78
MarkGiles
Posted on: Wednesday, August 29th, 2007, 6:59am
All-Star


Posts: 363
Thanks for asking.  Here is the evidence relating to that site.  First of all, what do others think about it - what are their reviews?  See the McAfee Site Advisor reviews at
http://www.siteadvisor.com/sites/phaonica.com/
(For any spammed site, you can simply replace the site name in that link.)

Next, who is the registrar? A whois lookup shows this:
  Domain Name: PHAONICA.COM
  Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
  Whois Server: whois.joker.com
  Referral URL: http://www.joker.com
  Name Server: NS1.MET-DNS.COM
  Name Server: NS2.MET-DNS.COM
  Name Server: NS3.MET-DNS.COM
  Name Server: NS4.MET-DNS.COM
  Status: clientDeleteProhibited
  Status: clientRenewProhibited
  Status: clientTransferProhibited
  Status: clientUpdateProhibited
  Updated Date: 27-aug-2007
  Creation Date: 27-aug-2007
  Expiration Date: 27-aug-2008

You can go to the http://www.joker.com web site and complain there.

Who is the registrar for met-dns.com?
  Domain Name: MET-DNS.COM
  Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
  Whois Server: whois.dns.com.cn
..
 Creation Date: 24-aug-2007

You can complain to B.I.L.T. and request the name servers to be suspended, because they are used solely for resolving illegally spammed sites.

But as you have noticed, this is just one of the front-ends that redirect to the Elite Herbal site, herbalonez.com.

Who is its registrar?  
 Domain Name: HERBALONEZ.COM
  Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

Its name servers are listed as follows:
Nameserver(s) according to NS-records
Internal lookup        Address            Reverse            List status   Country         URIBL associated domains   Comment
ns2.chechiewaz67.com   216.243.251.247    216.243.251.247    Blacklisted   United States   URIBL                      SBL55229
ns1.chechiewaz67.com   216.243.251.247    216.243.251.247    Blacklisted   United States   URIBL                      SBL55229

The registrar for the name servers?
  Domain Name: CHECHIEWAZ67.COM
  Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN

You can see that both the herbalonez.com web site and its name servers are all on the same IP address, 216.243.251.247 - that's fortuitous.  Who is the ISP responsible for that IP?

OrgName:    Matrix Consulting Group
Address:    108 West 13th Street
City:       Wilmington
StateProv:  DE
PostalCode: 19801
Country:    US

So who to contact?

ABUSE280-ARIN
MCG Abuse Staff
+1-302-476-2747

 MCG Support Staff
 +1-302-476-2747
 support@matrix-cg.net

Now there are a whole lot of contacts. How do you convince them that this site is no good?
Well, the European Spam Wikipedia has an entry describing the Elite Herbal web site at
http://www.spamtrackers.eu/wiki/index.php?title=Herbal_King
Also the Site Advisor page referenced above is useful evidence. Likewise the one for the redirected site:
http://www.siteadvisor.com/sites/herbalonez.com/ (3 pages of "reviews")


If all that sounds like hard work, there is a quicker way.
The Complainterator tool at http://www.complainterator.com automates the process of complaining to the registrars.  You would run it once for phaonica.com, and again for herbalonez.com.

The complaints about the IP address can be achieved by joining up with Spamcop, and submitting a spam to them.

Over to you.
Logged Offline
Private Message Reply: 76 - 78
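Mark's traversal of 22rx.com earlier in the thread, the rxstation.org caveat about registrar-run name servers, and the phaonica/herbalonez walkthrough in the post above all follow the same steps. Here they are as an added Python script that is not from the forum or from Complainterator: the `lookup` callable, the short suffix list and the `RECORDS` dict are assumptions so it runs offline, with the record values copied from the look-ups quoted in the thread.

```python
"""Triage a spamvertised domain's DNS the way the thread does by hand: find
its name servers, strip the host label to get the name-server domain, decide
who would have to act, and flag the two special cases the thread warns about
(registrar-run name servers and name servers hosted on the spammed domain).
Added example, not the forum's or Complainterator's code; the lookup callable
(name, rtype) -> list[str] is an assumption so the script runs offline."""
from dataclasses import dataclass, field

# Suffixes under which the registrable name has three labels (hand-picked
# assumption, not a full public-suffix table).
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk", "org.uk"}

# Name-server domains a registrar runs for all its customers (names taken from
# the thread).  Asking for these to be removed would take down legitimate sites.
REGISTRAR_SHARED_NS = {"dns.com.cn", "xinnetdns.com", "xinnet.cn", "name-services.com"}


def registrable_domain(hostname):
    """ns0.fadesutiongfedrin.com -> fadesutiongfedrin.com; ns1.dns.com.cn -> dns.com.cn"""
    labels = hostname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


@dataclass
class NameServer:
    host: str
    domain: str   # registrable domain the name server lives on
    addrs: list   # A records of the name-server host
    kind: str     # "dedicated", "registrar-shared" or "self-hosted"


@dataclass
class Triage:
    domain: str
    site_addrs: list
    nameservers: list = field(default_factory=list)
    ns_domains_to_report: set = field(default_factory=set)
    shared_ips: set = field(default_factory=set)  # IPs hosting both site and NS


def classify(ns_domain, spammed_domain):
    if ns_domain == spammed_domain:
        return "self-hosted"       # NS live on the spammed domain itself
    if ns_domain in REGISTRAR_SHARED_NS:
        return "registrar-shared"  # rxstation.org case: do not ask for removal
    return "dedicated"             # a throwaway NS domain, worth reporting


def triage(domain, lookup):
    domain = domain.lower()
    t = Triage(domain, sorted(lookup(domain, "A")))
    for host in lookup(domain, "NS"):
        host = host.lower().rstrip(".")
        ns_domain = registrable_domain(host)
        addrs = sorted(lookup(host, "A"))
        kind = classify(ns_domain, domain)
        t.nameservers.append(NameServer(host, ns_domain, addrs, kind))
        if kind == "dedicated":
            t.ns_domains_to_report.add(ns_domain)
        t.shared_ips |= set(addrs) & set(t.site_addrs)
    return t


def actions(t):
    """Who to contact, following the thread's advice; returns a list of strings."""
    out = [f"registrar of {t.domain}: request the domain be placed on clientHold"]
    for d in sorted(t.ns_domains_to_report):
        out.append(f"registrar of {d}: request the name-server domain be suspended")
    for d in sorted({n.domain for n in t.nameservers if n.kind == "registrar-shared"}):
        out.append(f"operator of {d}: ask them to drop {t.domain} from their servers, "
                   "not to remove the servers")
    if any(n.kind == "self-hosted" for n in t.nameservers):
        out.append("name servers live on the spammed domain: the registrar complaint covers them")
    for ip in sorted(set(t.site_addrs).union(*(n.addrs for n in t.nameservers))):
        tag = " (site and NS)" if ip in t.shared_ips else ""
        out.append(f"abuse desk for {ip}: report hosting{tag}")
    return out


# Constructed records, copied from the look-ups quoted in the thread (2007).
RECORDS = {
    ("22rx.com", "NS"): ["ns0.rxlist1.com", "ns0.fadesutiongfedrin.com"],
    ("22rx.com", "A"): ["195.138.198.96", "81.177.22.174"],
    ("ns0.rxlist1.com", "A"): ["58.215.65.230"],
    ("ns0.fadesutiongfedrin.com", "A"): ["58.215.74.24"],
    ("rxstation.org", "NS"): ["ns1.dns.com.cn", "ns2.dns.com.cn"],
    ("ns1.dns.com.cn", "A"): ["218.30.114.205"],
    ("ns2.dns.com.cn", "A"): ["218.244.47.6"],
    ("leandershantaserver.com", "NS"): ["ns1.leandershantaserver.com", "ns2.leandershantaserver.com"],
    ("leandershantaserver.com", "A"): ["69.30.227.40", "69.30.227.34"],
    ("ns1.leandershantaserver.com", "A"): ["69.30.227.34"],
    ("ns2.leandershantaserver.com", "A"): ["69.30.227.40"],
    ("herbalonez.com", "NS"): ["ns1.chechiewaz67.com", "ns2.chechiewaz67.com"],
    ("herbalonez.com", "A"): ["216.243.251.247"],
    ("ns1.chechiewaz67.com", "A"): ["216.243.251.247"],
    ("ns2.chechiewaz67.com", "A"): ["216.243.251.247"],
}


def stub_lookup(name, rtype):
    """Offline stand-in for a resolver; a real one would query NS and A records."""
    return list(RECORDS.get((name.lower().rstrip("."), rtype), []))


if __name__ == "__main__":
    for d in ("22rx.com", "rxstation.org", "leandershantaserver.com", "herbalonez.com"):
        print(d, *("  - " + a for a in actions(triage(d, stub_lookup))), sep="\n")
```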
Spam_Killer
Posted on: Friday, September 28th, 2007, 1:18pm
New Member


Posts: 2
Hi everyone,

I notify each domain's URLs and use the Complainterator spam tool.

I use OpenRBL http://openrbl.org/ to look up the URL to get the IP address. To find the URL's "fake IP address" I click the IP Whois on OpenRBL.

I notify the spammer's URLs and terminate them; I also notify the owners of the spammer's URLs and terminate them.

Things I added to the Complainterator spam tool letterhead:

1) news.admin.net-abuse.sightings  
2) http://moensted.dk/spam/ stuff on that website.
Logged Offline
Private Message Reply: 77 - 78
MarkGiles
Posted on: Tuesday, October 2nd, 2007, 12:01am
All-Star


Posts: 363
If a registrar is a bit slow taking down spammed sites, you can always point them at the public postings which reveal that they are sponsoring crime.

For example, German registrar COMPUTER SERVICES LANGENBACH GMBH, doing business as JOKER.COM, has been slow to remove the hundreds of Elite Pharmacy spammed sites. They seem happy to take the criminals' money that pays for the registrations, and they appear delighted to be associated with the criminals.

But I don't know if they are happy to be so publicly revealed as associating with criminals.


It is not a pretty picture.  We should all call upon CSL to clean up their act.

There is more information on the Elite Herbal web sites at
http://www.spamtrackers.eu/wiki/index.php?title=Herbal_King
Logged Offline
Private Message Reply: 78 - 78