Registrars - DSTR (currently 3,711 views)

dj
Posted on: Saturday, January 13th, 2007, 4:46pm
Super Spam Fighter
Posts: 108
I have tried reporting the following sites tothefol.com, retellingsplash.net, penrockyt.net, carrycartrter.com, typewritertune.info, entorwhi.info, theervic.com, sectionshin.info, editopas.net, ekagreem.info, signslife.info, mottledcall.info, itsotherb.info, isorpand.info, pathlengths.info, ermandc.info, moresides.info, moonchess.com, iskagre.info, pirsupplies.info, yosone.info, hurworld.com, emoucan.com, which use the same following nameservers -
* ns1.renedrop.com [83.143.12.252]
* ns1.uiltonthe.net [63.223.11.14]
* ns2.ferrywend.com [83.143.12.252]
* ns2.hebeticbob.com [83.143.12.252]
http://www.dnsstuff.com/tools/whois.ch?ip=renedrop.com Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
http://www.dnsstuff.com/tools/whois.ch?ip=uiltonthe.net Registrar: Moniker Online Services Inc.
http://www.dnsstuff.com/tools/whois.ch?ip=ferrywend.com Registrar: XIN NET TECHNOLOGY CORPORATION
http://www.dnsstuff.com/tools/whois.ch?ip=hebeticbob.com Registrar: DSTR ACQUISITION VII, LLC
--------------------------------------
DSTR have replied -
Recently you requested personal assistance from our on-line support center. Below is a summary of your request and our response.
If this issue is not resolved to your satisfaction, you may reopen it within the next 10 days.
If you would like to update your question, please reply to this message or enter your reply between the brackets below.
[===> Please enter your reply below this line <===]
[===> Please enter your reply above this line <===]
Subject: RE: ICANN Compliance request
Discussion Thread
Response (Mark S) - 01/13/2007 10:58 AM Hello David, we received your complaint concerning Spam you may have received or Invalid Whois information. Please submit this complaint through our complaint database. For ease of use to you, here is the link where you can directly report spam, whois violations, and/or fraudulent or illegal websites that registered with us. Please note that we cannot take action against domains not registered with us.
https://secure.registerapi.com/services/complaint/complaint.php?siteid=4798
thank you.
How are you supposed to attach spam emails to a report form? With the quantity of spam mail floating around I don't have the time to mess around cutting and pasting email headers and treating one registrar differently from all the others. Looks like a delaying tactic to me.
Needless to say I have replied to the email in the hope that they actually read it.
Dave
"Now it's personal" "Don't get mad, get even!"
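The triage behind the post above (many throw-away domains delegating to the same handful of nameservers, and several of those nameserver hostnames resolving to one address) can be done mechanically. The following Python is an added example, not code from the forum or from any of the registrars named: the domain-to-nameserver and nameserver-to-address tables are constructed from the figures in the post, with a made-up `control.example` domain on TEST-NET addresses added to show that unrelated infrastructure is not pulled into the cluster.

```python
"""Group spam-advertised domains by the nameservers and nameserver addresses
they share, so an abuse report can point at the common infrastructure rather
than at individual throw-away domains.  Added example; all data is embedded
and nothing is resolved over the network."""
from collections import defaultdict

# Constructed sample: domain -> nameservers it delegates to.  The first three
# domains and their nameservers come from the post (every listed domain used
# the same four); control.example is made up to show an unrelated domain.
SPAM_NS = ["ns1.renedrop.com", "ns1.uiltonthe.net",
           "ns2.ferrywend.com", "ns2.hebeticbob.com"]
DOMAIN_NS = {
    "tothefol.com": SPAM_NS,
    "sectionshin.info": SPAM_NS,
    "ekagreem.info": SPAM_NS,
    "control.example": ["ns1.control.example", "ns2.control.example"],
}

# Constructed: nameserver hostname -> address it resolved to.  The spam
# nameserver addresses are the post's figures; the control addresses are
# TEST-NET (192.0.2.0/24) placeholders.
NS_ADDR = {
    "ns1.renedrop.com": "83.143.12.252",
    "ns1.uiltonthe.net": "63.223.11.14",
    "ns2.ferrywend.com": "83.143.12.252",
    "ns2.hebeticbob.com": "83.143.12.252",
    "ns1.control.example": "192.0.2.1",
    "ns2.control.example": "192.0.2.2",
}


def domains_by_nameserver(domain_ns):
    """nameserver -> sorted list of domains that delegate to it."""
    out = defaultdict(set)
    for domain, servers in domain_ns.items():
        for ns in servers:
            out[ns].add(domain)
    return {ns: sorted(d) for ns, d in out.items()}


def nameservers_by_address(ns_addr):
    """address -> sorted list of nameserver hostnames pointing at it.
    Several differently-named (and differently-registered) nameservers on
    one address is the tell that one operator spread them across registrars."""
    out = defaultdict(set)
    for ns, addr in ns_addr.items():
        out[addr].add(ns)
    return {addr: sorted(n) for addr, n in out.items()}


def infrastructure_clusters(domain_ns, ns_addr):
    """address -> {'nameservers': [...], 'domains': [...]}: every domain that
    delegates to any nameserver hosted on that address."""
    per_ns = domains_by_nameserver(domain_ns)
    clusters = {}
    for addr, servers in nameservers_by_address(ns_addr).items():
        domains = set()
        for ns in servers:
            domains.update(per_ns.get(ns, []))
        clusters[addr] = {"nameservers": servers, "domains": sorted(domains)}
    return clusters


def shared_clusters(domain_ns, ns_addr, min_domains=2):
    """Only the addresses whose nameservers serve at least min_domains
    domains: the infrastructure worth naming in a report."""
    return {addr: c
            for addr, c in infrastructure_clusters(domain_ns, ns_addr).items()
            if len(c["domains"]) >= min_domains}


if __name__ == "__main__":
    for addr, c in shared_clusters(DOMAIN_NS, NS_ADDR).items():
        print(addr, "hosts", ", ".join(c["nameservers"]))
        print("  serving", ", ".join(c["domains"]))
```

Run as-is it prints the two shared addresses from the post (83.143.12.252 with three nameserver names on it, 63.223.11.14 with one) and the domains behind them; the control domain never appears because nothing else shares its nameservers. In practice the two input tables would be filled from NS and A lookups, and the report to each registrar would cite the cluster rather than one domain.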

Ryan
Posted on: Saturday, January 13th, 2007, 6:38pm
Spam Fighter
Posts: 76
Dj,
Thanks to you, the following domains with Gandi have been nuked for spam and are now offline:
sectionshin.info, ekagreem.info, signslife.info, isorpand.info, pathlengths.info, ermandc.info
Thanks for the post!

A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
Reply: 1 - 36

dj
Posted on: Monday, January 15th, 2007, 5:38pm
Super Spam Fighter
Posts: 108
He He He! One down, now for the next one!!!
Dave
"Now it's personal" "Don't get mad, get even!"
Reply: 2 - 36

dj
Posted on: Monday, January 15th, 2007, 6:04pm
Super Spam Fighter
Posts: 108
If only Beijing Innovative, Xin, Moniker and DSTR would be as good at getting rid of the nameservers
* ns1.renedrop.com [83.143.12.252]
* ns1.uiltonthe.net [63.223.11.14]
* ns2.ferrywend.com [83.143.12.252]
* ns2.hebeticbob.com [83.143.12.252]
Just got the following response from DSTR who want their own form used rather than sharing an email with Beijing, Xin and Moniker!
Response (Mark S) - 01/15/2007 08:05 AM Hello David, I am sorry but all UCE complaints are handled thru the channel I sent you.
Thank you.
Customer - 01/13/2007 02:10 PM Why is it not possible to deal with this complaint using the mails I have sent you? You have all the evidence included plus copies of the spam emails in question. I am reporting the use of the hebeticbob.com nameserver by a large number of sites advertised by spam emails and this server is shown as yours. Please make it so that the spam advertized sites are no longer accessible by removing the address records from the nameservers on your domain.
Please lock out customer access to these domains and set all Addresses records to 0.0.0.0 or 61.61.61.61
Lockout should include these options - CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED, TRANSFER PROHIBITED
You are an ICANN accredited registrar and should follow their policies on supporting known spam sites. These sites are part of the notorious MyCanadian Pharmacy site.
See the Better Business Bureau report - http://www.bbb.org/alerts/article.asp?ID=597
http://web.tebweb.com:8080/cgi-bin/spm_forum/Blah.pl?b=spam_tips,m=1168724764,s=0
Response (Mark S) - 01/13/2007 10:58 AM Hello David, we received your complaint concerning Spam you may have received or Invalid Whois information. Please submit this complaint through our complaint database. For ease of use to you, here is the link where you can directly report spam, whois violations, and/or fraudulent or illegal websites that registered with us. Please note that we cannot take action against domains not registered with us.
https://secure.registerapi.com/services/complaint/complaint.php?siteid=4798
thank you.
Customer - 01/11/2007 11:41 AM Dear Sir
Here is the latest batch of Spam emails received since my last mail promoting the following sites tothefol.com, retellingsplash.net , penrockyt.net , carrycartrter.com, typewritertune.info, entorwhi.info, theervic.com, sectionshin.info, editopas.net, ekagreem.info, signslife.info, mottledcall.info, itsotherb.info, isorpand.info, pathlengths.info, ermandc.info, moresides.info, moonchess.com, iskagre.info, pirsupplies.info, yosone.info, hurworld.com, emoucan.com, which use the same following nameservers -
* ns1.renedrop.com [83.143.12.252]
* ns1.uiltonthe.net [63.223.11.14]
* ns2.ferrywend.com [83.143.12.252]
* ns2.hebeticbob.com [83.143.12.252]
for which you are listed as the registrar.
http://www.dnsstuff.com/tools/traversal.ch?domain=retellingsplash.net&type=A
............etc etc
http://www.dnsstuff.com/tools/traversal.ch?domain=ekagreem.info.com&type=A
Please note that although dnsstuff reports timeout these nameservers are still active!! Try http://htcwwe.ekagreem.info or http://brtuue.mottledcall.net to show this.
Please make it so that the spam advertized site is no longer accessible by removing the address records from the nameservers on your domain above.
Please lock out customer access to these domains and set all Addresses records to 0.0.0.0 or 61.61.61.61
Lockout should include these options - CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED, TRANSFER PROHIBITED
Regards
Dave
"Now it's personal" "Don't get mad, get even!"
Reply: 3 - 36

Ryan
Posted on: Wednesday, January 17th, 2007, 4:13pm
Spam Fighter
Posts: 76
One correction for you DJ:
Quoted Text: Please lock out customer access to these domains and set all Addresses records to 0.0.0.0 or 61.61.61.61
It does not matter what the IPs are - the registrars can put anything there, as long as they are valid IPs. Notably 0.0.0.0 is Tucows; 61.61.61.61 is Beijing, 217.70.185.0 is, well, you know...
Quoted Text: Lockout should include these options - CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED, TRANSFER PROHIBITED
You forgot the most important: CLIENT HOLD! Otherwise, again, this can depend somewhat on the backoffice apps of the registrar.

A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
Reply: 4 - 36

MarkGiles
Posted on: Thursday, January 18th, 2007, 4:20pm
Posts: 363
Ryan, can you explain the effect of "Registrar Hold"?
1. Can the registrar put that status into effect?
2. What are the advantages / disadvantages of this as opposed to the list CLIENT HOLD, CLIENT DELETE PROHIBITED, CLIENT RENEW PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED, TRANSFER PROHIBITED?
Reply: 5 - 36

Ryan
Posted on: Friday, January 19th, 2007, 2:06am
Spam Fighter
Posts: 76
Hi Mark,
When telling registrars which codes they 'should' set, there is a whole thing about whether or not you choose EPP or RRP protocols depending on the TLD (for example, .org, .biz, .info and .name use EPP statuses, while .com and .net use EPP status codes).
Quoted Text: I made a typo in the above sentence, saying - via a Freudian slip/typo - that both used EPP status. This is because until November (for practical purposes) .com and .net domains used RRP statuses, and it is all rather a mess right now. I meant to say:
(for example, .org, .biz, .info and .name use EPP statuses, while .com and .net use RRP status codes).
Now, of course, VeriSign uses EPP for .com and .net domains.
Also, ccTLDs are a whole other bag of worms. Actually, I would probably just ask the registrar to suspend the domain, and let them apply the necessary statuses (because of the addition of backoffice apps that they have to manage customer rights as well)...but that's just me.
The following are EPP statuses: CLIENT HOLD, CLIENT DELETE PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED, CLIENT RENEW PROHIBITED, TRANSFER PROHIBITED
that is more or less equivalent to the RRP statuses of: REGISTRAR-HOLD, REGISTRAR-LOCK
So to answer your question, "Registrar Hold" is an RRP status that means that the registrar has placed a status on a domain that prevents its modification or deletion - as well as its inclusion in the zone - though the domain can be renewed and transferred to another registrar.
There have been many changes in recent months in EPP codes, what with Verisign changing protocols and all, and so right now registrars - and other registries as well - are updating their systems to the new protocols.
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
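To make the point in Ryan's two posts concrete (a lockout list without CLIENT HOLD leaves the delegation in the zone, and the RRP "hold" and "lock" cover different things), here is an added Python example, not code from the thread or from any registrar, that translates a requested set of status codes into what the domain can still do. The effects of the EPP statuses follow the EPP domain mapping (RFC 5731); the effects of REGISTRAR-HOLD and REGISTRAR-LOCK are taken from Ryan's description above; the `normalize` helper, the capability names and the `REQUESTED_LOCKOUT` list (copied from the lockout text earlier in the thread) are my own.

```python
"""Work out what a requested set of domain status codes actually does, and in
particular whether it stops the domain from resolving.  Added example; EPP
effects per RFC 5731, RRP effects as described in the post above."""

# Capabilities a domain has by default.  in_zone: delegation published in the
# TLD zone (i.e. the nameservers keep resolving); the rest: whether the object
# can be deleted, renewed, transferred or updated.
DEFAULT = {"in_zone": True, "delete": True, "renew": True,
           "transfer": True, "update": True}

# What each EPP status takes away (RFC 5731 section 2.3).  client* statuses
# are set by the sponsoring registrar, server* by the registry.
EPP_EFFECTS = {
    "clientHold": {"in_zone": False},
    "serverHold": {"in_zone": False},
    "clientDeleteProhibited": {"delete": False},
    "serverDeleteProhibited": {"delete": False},
    "clientRenewProhibited": {"renew": False},
    "serverRenewProhibited": {"renew": False},
    "clientTransferProhibited": {"transfer": False},
    "serverTransferProhibited": {"transfer": False},
    "clientUpdateProhibited": {"update": False},
    "serverUpdateProhibited": {"update": False},
}

# RRP statuses as the post describes them: REGISTRAR-HOLD takes the domain out
# of the zone and blocks modification and deletion but still allows renewal
# and transfer; REGISTRAR-LOCK blocks modification, deletion and transfer.
RRP_EFFECTS = {
    "REGISTRAR-HOLD": {"in_zone": False, "update": False, "delete": False},
    "REGISTRAR-LOCK": {"update": False, "delete": False, "transfer": False},
}


def normalize(status):
    """Map the spellings seen in abuse mail ('CLIENT DELETE PROHIBITED',
    'clientHold', 'registrar lock') onto the canonical token, or None when the
    string is not a known status (e.g. the bare 'TRANSFER PROHIBITED')."""
    bare = status.strip()
    if bare in EPP_EFFECTS:
        return bare
    rrp = bare.upper().replace(" ", "-").replace("_", "-")
    if rrp in RRP_EFFECTS:
        return rrp
    words = bare.replace("-", " ").replace("_", " ").split()
    if not words:
        return None
    # 'client delete prohibited' -> 'clientDeleteProhibited'
    token = words[0].lower() + "".join(w.capitalize() for w in words[1:])
    return token if token in EPP_EFFECTS else None


def capabilities(statuses):
    """Apply every recognised status to the defaults.  Returns the remaining
    capabilities and the list of inputs that matched no known status, so a
    request can be checked before it is sent."""
    caps = dict(DEFAULT)
    unknown = []
    for s in statuses:
        token = normalize(s)
        if token is None:
            unknown.append(s)
            continue
        caps.update(EPP_EFFECTS.get(token) or RRP_EFFECTS[token])
    return caps, unknown


def suspends_resolution(statuses):
    """True only if some status removes the delegation from the zone; the
    *Prohibited statuses alone never do."""
    return not capabilities(statuses)[0]["in_zone"]


# The lockout list requested earlier in the thread (constructed from the post).
REQUESTED_LOCKOUT = ["CLIENT DELETE PROHIBITED", "CLIENT RENEW PROHIBITED",
                     "CLIENT TRANSFER PROHIBITED", "CLIENT UPDATE PROHIBITED",
                     "TRANSFER PROHIBITED"]

if __name__ == "__main__":
    caps, unknown = capabilities(REQUESTED_LOCKOUT)
    print("left after lockout:", caps, "unrecognised:", unknown)
    print("suspends resolution:", suspends_resolution(REQUESTED_LOCKOUT))
    print("with CLIENT HOLD added:",
          suspends_resolution(REQUESTED_LOCKOUT + ["CLIENT HOLD"]))
    print("REGISTRAR-HOLD leaves:", capabilities(["REGISTRAR-HOLD"])[0])
```

The run shows the two things the thread argues about: the requested list freezes the registration (no update, transfer, renewal or deletion) yet `in_zone` stays True, so the spam nameservers keep answering until a hold status is added, and the bare "TRANSFER PROHIBITED" is flagged as unrecognised because it is not an EPP status by itself. Statuses a registry's backoffice applies on its own are outside what the code models.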
Reply: 6 - 36

dj
Posted on: Friday, January 19th, 2007, 3:26pm
Super Spam Fighter
Posts: 108
Getting a little more success with DSTR after I sent them a long reply to several of their mails wanting me to use their web based reporting system.
Here is the latest exchange of mails -
DSTR 15 Jan
Response (Gary) - 01/15/2007 03:37 PM Hello David, I have noticed several of these complaints from you regarding these domains. A few items of consideration:
1: Note that we cannot take action against domains not registered with us.
2: We will need some sort of proof that these domains have been involved in wrongdoing. So far each of the emails you have sent have not contained email header information, addresses sent from, any sort of bad whois information, or anything else that would indicate any illegal activities.
3: Our support personnel are not equipped, allowed, or inclined to handle abuse cases, these are done through our abuse department directly, therefore, please report any abuse incidents through the following link: https://secure.registerapi.com/services/complaint/complaint.php?siteid=4798
Please include full headers and body of any emails you have received, along with the email address they are sent from, as we will not take action without proof of abuse.
My response 19 Jan
Customer - 01/19/2007 01:40 AM Dear Gary
Firstly, I am not saying that the mails originated from one of your domains nor that the mails promote a domain registered with you. I am pointing out that all these sites are using nameservers on machines belonging to yourselves, with or without your knowledge. Because I am not complaining about the source of the messages, the mail headers are a bit of a red herring. I am not asking you to trace the origin of the mails.
As far as proof of wrongdoing, firstly this is the reason I am using an email report so that I can show you the quantity and frequency of mails being sent, which I could not do using a web based facility. Secondly these mails do not abide by any standards for commercial mails and by the CAN-SPAM definitions are spam. ICANN with whom you are accredited supposedly rules against aiding and abetting spamming. Thirdly if you check any of these web sites they are for International Legal RX medications. There are a number of seals at the bottom of the page for Better Business Bureau (BBB), Verisign Secure Site, and Best International Pharmacy. Both the BBB and Verisign logos are fake. Check with the BBB and they will tell you this. http://www.bbb.org/alerts/article.asp?ID=597 Normally these seals will link to their sites. This is a well known spamming organisation. Their address Pharmacy Corp. 1916 North Church Street, Layton, UT 84040 is fake. Google the name and see, the web is full of reports on these people.
DSTR 19 Jan
Response (Gary) - 01/19/2007 09:06 AM Hello David, This is good information. Unfortunately, if you cannot show any correlation between the senders of this spam and the domains that are on these DNS servers, there is no abuse issue for our network. Now, on the other side of things, if these are fraudulent pharmaceutical or phishing sites, this is an obvious breach of our terms of service. I am contacting the domain owner of HEBETICBOB.COM to get these sites shut down. If the owner is non-compliant, I will take further steps. Please let me know if you have any further questions or concerns.
I think this is progress, but I am a little concerned about several points.
First the issue of "proof of wrongdoing". I have sent 19 emails to them about these sites between 30 Dec 2006 and 14 Jan 2007 each with up to 20 or more attached spam emails as evidence with titles such as "do you want to **** all night long?" advertising phoney drug sites. Surely this quantity of spam email is "wrongdoing" without any illegality of the website needed.
Secondly "if you cannot show any correlation between the senders of this spam and the domains that are on these DNS servers, there is no abuse issue for our network". What are they trying to imply here? That some benevolent 3rd party is sending out spam emails out of the goodness of their heart advertising poor innocent "Legal Drugs RX"? By this logic, spamming is perfectly legal as long as you don't use the same system to send out the spams as the site they are advertising!!
What happens if they can't get hold of the Registrant of hebeticbob.com, Pilzek Vichesku of Roumania?
However, while I have been arguing with DSTR the response from the nameservers has changed -
* ns1.uiltonthe.net [203.129.232.82] 85.136.20.235 468ms (Moniker)
* ns1.renedrop.com [203.129.232.82] 85.136.20.235 484ms (Beijing Innovative)
* ns2.ferrywend.com [63.223.11.14] Timeout (XIN)
* ns2.hebeticbob.com [216.239.37.99] Timeout (DSTR)
Not sure now whether this means hebeticbob.com and ferrywend.com are dead and gone or just playing dead?
Whether I am now too late with DSTR and hebeticbob or not, at least I may have got through to a couple of people at DSTR so that they might react a bit faster with the next one.
I'll update this if/when I hear more from them.
Dave
"Now it's personal" "Don't get mad, get even!"
Reply: 7 - 36

Ryan
Posted on: Friday, January 19th, 2007, 3:39pm
Spam Fighter
Posts: 76
Hi there!
Quoted Text: I have sent 19 emails to them about these sites between 30 Dec 2006 and 14 Jan 2007 each with up to 20 or more attached spam emails as evidence with title such as "do you want to **** all night long?" ...
Registrars "s'en foutent" (don't give a $h1t) too much about the actual message. The important information is in the full header. It is very important that you provide the full header as well, or the example is of no use.
Quoted Text: Secondly "if you cannot show any correlation between the senders of this spam and the domains that are on these DNS servers, there is no abuse issue for our network".
Again, this is very important, and why the full headers are important as well as any other data you have to trace the spam to their nameservers.
Quoted Text: What happens if they can't get hold of the Registrant of hebeticbob.com, Pilzek Vichesku of Roumania?
Then, after 15 days they are obliged by their ICANN accreditation to hold the domain.
Sounds like you were making progress with them! Keep it up!!!!!

A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
Reply: 8 - 36

dj
Posted on: Friday, January 19th, 2007, 5:47pm
Super Spam Fighter
Posts: 108
Hi Ryan
When reporting multiple spam mails (the only ones I have time to deal with, I concentrate on the ones who send me most (spammers take note, hint hint!!!)) would you suggest pasting in headers for all the messages received or one or a sample?? I believe MS Outlook doesn't pass on the headers if forwarded. What about if they are attachments? I just tried to open one of the emails I attached to one of the reports I sent and I was still able to get to the headers using Outlook by doing View Options and saw as much of the header as I ever can see. If the header is still present in the attached email I don't see their problem?
What is so important in the header for a report like this where I am not complaining to the registrars about the sender of the email but the name servers for the web site being spammed. Surely the header has nothing relevant in it to that?
Quoted Text: Secondly "if you cannot show any correlation between the senders of this spam and the domains that are on these DNS servers, there is no abuse issue for our network".
Again, this is very important, and why the full headers are important as well as any other data you have to trace the spam to their nameservers.
Are you saying that if I spam advertise my website but do it using hacked machines to send out the spam so that there is no physical link between the mail and my site that nobody will do anything about it? If so it explains the amount of spam about.
Dave
Dave
"Now it's personal" "Don't get mad, get even!"
Reply: 9 - 36

MarkGiles
Posted on: Sunday, January 21st, 2007, 11:29pm
Posts: 363

Reply: 10 - 36

MarkGiles
Posted on: Monday, January 22nd, 2007, 6:39am
Posts: 363
EXAMPLE REQUEST TO DSTR. This was simplified by simply copying the contents of the Site Advisor.
Quoted Text: Please look at the following link - I have imported its contents for your convenience. Your company has entered into a registration contract with the Internet's most widely known criminal, Alex Polyakov. That contract entitles Polyakov to place a domain name, hebeticbob.com, into your registry, a domain which is then used to resolve access to a name server, ns2.hebeticbob.com. That name server runs on hijacked machines, to resolve access to his illegal web sites, such as topshoplists.info in this case. There are many others. Please join with the other ISPs in shutting out his abuse of your company's services. There is no reason to uphold a contract with known criminals. Should you need legal advice, please contact Jon Praed who specialises in this area. JPraed@i-lawgroup.com
SUMMARY
http://www.siteadvisor.com/sites/topshoplists.info
CONTENTS
ROKSO listed #1 most wanted Cyber criminal Alex Polyakov's site, used for identity theft and CREDIT CARD THEFT. See his criminal record at http://www.spamhaus.org/statistics/spammers.lasso
The whole fake pharmacy site is full of lies, deceit and fraud. WARNING: Placing an order on this site is giving your full credit card details to the Internet's worst criminal. If you have made that mistake, cancel your credit card immediately.
Registrars sponsoring this site are found from the nameservers
* ns1.renedrop.com
* ns1.uiltonthe.net
* ns2.ferrywend.com
* ns2.hebeticbob.com
PARTNERS IN CRIME - WHOM TO CONTACT
http://www.dnsstuff.com/tools/whois.ch?ip=renedrop.com
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN Contact: Jeff zhaifeng(at)dns.com.cn
http://www.dnsstuff.com/tools/whois.ch?ip=uiltonthe.net
Registrar: Moniker Online Services Inc. Contact: Monte Cahn monte(at)moniker.com support(at)moniker.com
http://www.dnsstuff.com/tools/whois.ch?ip=ferrywend.com
Registrar: XIN NET TECHNOLOGY CORPORATION Contact: pantao@xinnet.com lihm(at)xinnet.com
http://www.dnsstuff.com/tools/whois.ch?ip=hebeticbob.com
Registrar: DSTR ACQUISITION VII, LLC Contact: Chris Campbell support(at)registerapi.com
ACTION REQUESTED
Complain to the registrars asking them to revoke these nameservers. Set nameserver address to blackhole 0.0.0.0 and place the domains on registrar hold.
Reply: 11 - 36

pensioner
Posted on: Tuesday, January 23rd, 2007, 5:51pm
Posts: 21
With thanks to MarkGiles and others, whose contributions I used as a template, I have just sent the following mail to DSTR at support@registerapi.com:
"Herewith I forward you, below this text, the message of a UBE I received today, advertising the scam website "ED Med Choice Online", which is run by Rokso-listed Georgi Kara Yacoubain, at http://printeryml.com. Below that, I copy the original full UBE, including headers.
http://www.dnsstuff.com/tools/traversal.ch?domain=printeryml.com&type=A shows that printeryml.com uses the name servers fk.indusfk.com and in.indusfk.com.
http://www.dnsstuff.com/tools/whois.ch?ip=indusfk.com&cache=off&email=on shows that these name servers are registered through DSTR ACQUISITION VII, LLC.
DSTR has accepted and upheld a contract to provide services to a well known criminal. Yacoubain's criminal activities are in contravention of the Registrar's Terms of Service. It is not lawful to knowingly assist a criminal to commit his crimes.
It is irrelevant that this UBE was sent to me through francetelecom.com (at about the same time I received an identical UBE through cegetel.net), as these criminal spam-gangs constantly change ISP to send their UBEs. Though I also report all UBEs to the ISP from which they originate, these IP addresses are mere replaceable 'vehicles' for the spammer. The only way to deal with them effectively is to deprive them of their bases, like in this case the name servers from DSTR.
Therefore I kindly request you to remove the name servers fk.indusfk.com and in.indusfk.com by:
1. Setting the nameserver address resolution records to a non-routable address (eg 0.0.0.0);
2. Setting the EPP status of the zone file to: CLIENT HOLD, CLIENT DELETE PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED, CLIENT RENEW PROHIBITED, TRANSFER PROHIBITED;
3. Alternatively to 2, set the RRP status to: REGISTRAR-HOLD, REGISTRAR-LOCK.
Thanks in advance for your co-operation."
Reply: 12 - 36

pensioner
Posted on: Wednesday, January 24th, 2007, 12:41pm
Posts: 21
Today I forwarded 3 more spams from printeryml.com to DSTR (copy to ICANN); looks like the NS in.indusfk.com is down, but I doubt DSTR has shut it down, as fk.indusfk.com is still active.
I made a change to my original mail, now mentioning the violations of DSTR's own policy. It reads now: "...criminal activities are in contravention of your Registration Agreement (in particular of section 10. Acceptable Use Policy, sub a, c, d, f, g, h, k, l, m, n and p)."
Reply: 13 - 36

Ryan
Posted on: Wednesday, January 24th, 2007, 1:15pm
Spam Fighter
Posts: 76
Good work Pensioner!
Your letter will surely be read by the registrar with utmost seriousness! (it caught my eye at least!)
Let's cross our fingers...
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips
Reply: 14 - 36