How to remove many spammer sites at once (currently 2,639 views)

MarkGiles | Posted on: Friday, September 1st, 2006, 11:35pm | Posts: 363

Next time you get a spam, and you have a few minutes to spare, you might like to take a new approach to stopping the spammers.
Sure you can report it to Spamcop, or Knujon, and leave it at that. But you can do a whole lot better. You can use one spam to shut down between 5 and a hundred sites or more. Let's work through an example of a spam I got today.
SPAMVERTIZED WEB SITE
http://hinrost.net (see also http://hinrost.info)
US DRUGS illegal web site (currently running on hacked machine at IP address 59.120.127.152, images on Yahoo http://stubsite.info/usd/images/logo.gif)

LOCATE THE NAME SERVERS (addresses are compromised machines)
http://www.dnsstuff.com/tools/traversal.ch?domain=hinrost.net&type=A (substitute your spam site for hinrost.net)
ns1.urisrets.info [72.164.246.232]
ns1.preort.info [72.164.246.232]
ns2.westwelec.info [212.52.166.78]
ns2.tacttal.info [212.52.166.78]
(truncate the ns1. or ns2. from the domain names, leaving just urisrets.info etc)

FIRST NAME SERVER (ENOM)
http://www.dnsstuff.com/tools/whois.ch?ip=urisrets.info
Domain Name:URISRETS.INFO
Created On:10-Apr-2006 18:13:05 UTC
Last Updated On:31-Aug-2006 10:14:51 UTC
Expiration Date:10-Apr-2007 18:13:05 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK

SECOND NAME SERVER (ENOM)
http://www.dnsstuff.com/tools/whois.ch?ip=westwelec.info
Domain Name:WESTWELEC.INFO
Created On:16-May-2006 14:50:04 UTC
Last Updated On:31-Aug-2006 10:15:06 UTC
Expiration Date:16-May-2007 14:50:04 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK

THIRD NAME SERVER (TUCOWS)
http://www.dnsstuff.com/tools/whois.ch?ip=tacttal.info
Domain Name:TACTTAL.INFO
Created On:15-Apr-2006 15:00:12 UTC
Last Updated On:31-Aug-2006 10:15:25 UTC
Expiration Date:15-Apr-2007 15:00:12 UTC
Sponsoring Registrar:Tucows Inc. (R139-LRMS)
Status:OK

FOURTH NAME SERVER (TUCOWS / CSL GMBH)
http://www.dnsstuff.com/tools/whois.ch?ip=preort.info
Domain Name: PREORT.INFO
Created On:20-Aug-2006 16:48:21 UTC
Last Updated On:31-Aug-2006 23:09:05 UTC
Expiration Date:20-Aug-2007 16:48:21 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R161-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED

COMPLAINTS TO
TUCOWS = compliance at opensrs.org
ENOM = legal at enom.com
You can find these addresses at http://www.icann.org/registrars/accreditation-qualified-list.html

REQUEST TO THE REGISTRAR
=================================
The name servers listed below are used to provide access to the illegal US DRUGS websites run by the criminal Yambo Financials gang, listed in Spamhaus.
Please lock out customer access to these domains and set all Address records to 0.0.0.0
Lockout should include these options:
CLIENT DELETE PROHIBITED
CLIENT RENEW PROHIBITED
CLIENT TRANSFER PROHIBITED
CLIENT UPDATE PROHIBITED
TRANSFER PROHIBITED
You can ensure the lockout is successful by using this link http://www.dnsstuff.com/tools/traversal.ch?domain=hinrost.net&type=A
================================
If the registrars check out the link, and see the illegal sites are using name servers registered through them, they will remove that name server. There may be a few sites resolved by the name servers you have removed. There may be over a hundred. Either way, you have removed many sites that the spammers can no longer spamvertize.
If you act on fresh spam, you can really annoy them by having their sites removed before they have completed a spamming run.
It makes a refreshing change when it is the spammer who is annoyed, doesn't it?

HS (Guest User) | Posted on: Saturday, September 2nd, 2006, 1:32pm

It's a Great Idea!
But for the non-net pro, it's difficult to follow.
If there were just a button and wow!
Spam. Dead In The Water!

MarkGiles | Posted on: Thursday, September 7th, 2006, 5:02pm | Posts: 363

I tried to automate it, but it was a bit too hard.
You just start with the spamvertized site, pay it a visit using just the web site part of the link. eg http://g1a2r3b4a5g6.spammed.com/?junk=34725 becomes simply spammed.com
That's to find out what kind of site it is. Then you need to find out the name servers used to get to it. So you take the site name spammed.com and put it into this link http://www.dnsstuff.com/tools/traversal.ch?domain=spammed.com&type=A The result tells you the 2 or 4 name servers.
(You can go to http://www.dnsstuff.com and key it into the top right box for DNS Lookup. On the output, click on "Click here" to get what they call the "transversal" that shows all the name servers at the bottom of the next output screen)
For each name server, you want to complain to the Registrar, so you do a look-up to find them. eg for a name server like ns1.preort.info you strip it down to just preort.info and put it into this link http://www.dnsstuff.com/tools/whois.ch?ip=preort.info
(Or you can go to http://www.dnsstuff.com and key the domain name preort.info in the third box down, left column, called "Whois info")
That is where you can discover who the registrar company is.
But then, how do you know where to send the complaint? All registrars accredited by ICANN - the governing organization - have their contact details listed here: http://www.icann.org/registrars/accreditation-qualified-list.html
You go there and do a find (Ctrl-F or Edit / Find) to locate the registrar. Once you've done that a few times, and you know the registrar contact from a previous complaint, you don't need that last step.
Then you email them a complaint. You can copy the links used above to document why they are responsible for the name server that supports the spamvertized site. If the site itself is illegal, be sure to point that out.
It isn't really rocket science. Anyone can do it, and the payoff in spammer frustration makes the effort well worthwhile. Registrars do not like to be seen to be acting on the side of the Internet crime syndicates. It doesn't do anything positive for their business reputation, and scares off shareholders.

MarkGiles | Posted on: Saturday, September 23rd, 2006, 7:38pm | Posts: 363

I get hundreds of spams for pharmacy sites. The subject is always of the form PHAxyzRMA where xyz varies. When I look up the name servers, there are only six.
ns0.avuihdesunhawio.com sponsored by DNS.COM.CN
ns0.sadewunmkedefuna.com sponsored by DNS.COM.CN
ns0.hadesunjadukinma.com sponsored by XIN Net
ns0.hadegandestui.com sponsored by DNS.COM.CN
ns2.yadesaxinmer.com sponsored by XIN Net
ns3.ovdesaxinme.com sponsored by DNS.COM.CN
You can email requests to remove these nameservers to the official registrar contacts at "Li Wei" <liwei@dns.com.cn>, litao@dns.com.cn, abuse@anti-spam.cn and "Zhao Le" <registrar@xinnet.com>, abuse@anti-spam.cn
China's anti-spam team will also take an interest. They take pride in the reduction of spam in China.
In your complaint, refer to the known criminal Leo Kuvayev. He is listed at Chinese sites http://www.anti-spam.cn/ShowArticle.php?id=3169 http://www.chinaemail.com.cn/laji/flzblack/200607/6134.html
You are entitled to send a request with the spam attached for each such spam that you receive. If everyone did that, the message that we will not tolerate registrars who sponsor criminals will be heard loud and clear.
Join the campaign.

randyt67 | Posted on: Saturday, September 23rd, 2006, 8:38pm | Posts: 10

ns0.hadesunjadukinma.com sponsored by XIN Net
ns0.hadegandestui.com sponsored by DNS.COM.CN
are down, by the way.
If these could be shut down it would be nice:
ns2.briggsadnstratton.com
ns1.briggsadnstratton.com
email 'NOC at NRW.NET'
Anyway, the reason I'm here. I received many spams for http://www.priuproadl.info Pharma Shop today.
I sent a complaint to dnsprofessioanals1k@yahoo.com (yes, I figured it was fake at the beginning) for TLDS INC. It bounced of course. The nameservers are ns2.goalz.biz ns1.goalz.biz I guess I'm outta luck here, huh?

MarkGiles | Posted on: Sunday, September 24th, 2006, 8:25pm | Posts: 363

Quoted Text: ns0.hadesunjadukinma.com sponsored by XIN Net ns0.hadegandestui.com sponsored by DNS.COM.CN are down by the way
Not quite yet: http://www.dnsstuff.com/tools/traversal.ch?domain=badewinkdasatun.com&type=A
Quoted Text: If these could be shut down it would be nice. ns2.briggsadnstratton.com ns1.briggsadnstratton.com email 'NOC at NRW.NET'
You need to do some more homework. An obvious approach is to notify joker.com of the copyright infringement of the Briggs and Stratton trademark. Fire a copy off to B&S, too. They would love to tackle that one.
Quoted Text: Anyway, the reason I'm here. I received many spams for http://www.priuproadl.info Pharma Shop today. I sent a complaint to dnsprofessioanals1k@yahoo.com (yes, I figured it was fake at the beginning) for TLDS INC. It bounced of course. The nameservers are ns2.goalz.biz ns1.goalz.biz I guess I'm outta luck here, huh?
No, you are on the right path. Let's do a whois on goalz.biz: http://www.dnsstuff.com/tools/whois.ch?ip=goalz.biz&email=on
Sponsoring Registrar: TLDS INC.
Ask ICANN where to send a compliance request http://www.icann.org/registrars/accreditation-qualified-list.html
TLDS L.L.C. d/b/a SRSPlus (United States) http://www.srsplus.com ... SRSplus is a business unit and a wholly owned subsidiary of Network Solutions, LLC, an industry leader in Web identity services.
Tel: (570) 708-8787 Email: partnersupport@srsplus.com
Phone or email them. If you have problems, go to Network Solutions, the parent company at Tel: 703.668.4600 Email: customerservice@networksolutions.com
(Better still, you should cc them on any email anyway, so that the parent can see what the subsidiary is doing to protect the company image)

randyt67 | Posted on: Monday, September 25th, 2006, 8:35pm | Posts: 10

Thanks, Mark. I fired off those emails.
I guess those weird hxxxx nameservers came back because I checked as I typed that mail. DNSSTUFF had a timeout for those when I was about to send off another complaint. I assumed incorrectly they were down I guess.

MarkGiles | Posted on: Thursday, September 28th, 2006, 9:22pm | Posts: 363

Yup. If you get a timeout on doing a traversal like Leo Kuvayev's servers at http://www.dnsstuff.com/tools/traversal.ch?domain=miteryanfades.com&type=A you need to do a second attempt before you know it is really timing out. One of them is permanently timing out, the other only occasionally.
And even then, it may be transitory. The "pipe" to the site can sometimes be pretty sluggish.

spamjammer | Posted on: Saturday, September 30th, 2006, 8:17pm | Posts: 1

Mark;
Just wondering; how do you deal with K's redirects embedded in the URL extensions?
Rapatska (his favorite programmer) often has decoy sites that respond to TL domain query chains; but, substituting random strings (or risking being identified by using the real article) take you to the payload site. These are almost always on completely different servers on different Net Blocks.
I haven't been much pestered by the Yambo Group on bogus financial or Rx Spam; but the above used to apply to K's Porn Spam spew before he sold most of it off last winter.
BTW: I haven't had any success using proxies to probe K's/Barnu Rapatska's sites of course; they get 'sniffed-out' and redirected PDQ.
sj

MarkGiles | Posted on: Sunday, October 1st, 2006, 8:54pm | Posts: 363

Quoted Text: how do you deal with K's redirects embedded in the URL extensions?
K? Is that Kuvayev? I thought Rapatska was either Panov or his partner in crime. Please elaborate. Now to your question.
I am not sure why you are asking. But I am guessing at 2 reasons:
1. Concern at being tracked if you click on a URL that has embedded detection of the email addressee. Answer: I go to the site of the de-obfuscated URL's domain name. If that fails, I go to the full URL. The reason for going to the spamvertized site is to find out what it is. If I am going to complain about it, I need to know whether it is a legitimate site, tasteless site, or outright illegal site. I can word the complaint accordingly.
2. Concern that an automated tool will not get to the right place. I want to get to the redirected site. Some operations spam a hundred sites that all redirect to the central one. The hope is that SpamCop will focus on the front ends, and leave the home site unscathed. Pharma Shop is an example.
Quoted Text: Rapatska (his favorite programmer) often has decoy sites that respond to TL domain query chains; but, substituting random strings (or risking being identified by using the real article) take you to the payload site. These are almost always on completely different servers on different Net Blocks.
The redirected site is where I want to be.
Quoted Text: I haven't been much pestered by the Yambo Group on bogus financial or Rx Spam; but the above used to apply to K's Porn Spam spew before he sold most of it off last winter.
OK
Quoted Text: BTW: I haven't had any success using proxies to probe K's/Barnu Rapatska's sites of course; they get 'sniffed-out' and redirected PDQ.
Any more specifics, or do you want to keep it out of public display?

MarkGiles | Posted on: Monday, October 2nd, 2006, 7:40pm | Posts: 363

Here is a case in point. I will leave out all the URLs and keep it short. You get a spam advertising watches123.net. You do the address traversal and find the nameservers. They are ns1.dnsdomainok.com and ns2.dnsdomainok.com.
Now you do the Whois lookup on dnsdomainok.com. The registrar is eNom Inc. The name of the registrant is "Paul Gregoire" so you do a Google search on him. It turns out to be a frequently used alias for Alex Polyakov according to Spamhaus. The given contact address is fake, too.
So you send your evidence off to eNom, requesting removal of dnsdomainok.com and wait for developments.

MarkGiles | Posted on: Thursday, October 5th, 2006, 6:06pm | Posts: 363

|
It is 3 days since that last posting. After a follow-up message, the registrar removed the name server, and its backup name server as requested. Now it just so happens that the name servers removed also provided access to web sites for Hoodia Life and HGH Life besides Exquisite Watches. If you looked up the address of the site, you would find that in fact there were 1,980 web server domain names running there, all accessed through the same name servers.
The bottom line is that today, 1,980 web sites were no longer responding. They were all running 3 days ago, but the complaints (in total 3 emails) have knocked them all out.
He should not have sent me that spam for 123watches.net.

MarkGiles | Posted on: Saturday, October 7th, 2006, 6:34pm | Posts: 363

|
Alex Polyakov and his gang have been busy rebuilding his lost infrastructure. He lost over 2,000 fake watches, HGH Life and Hoodia Life sites when the registrar removed the nameserver that they were all defined under.
Now he has to take time off from spamming to create new ones, and to transfer some of his favorite old ones to new nameservers. We can see how busy he has been.
Removed Site           New nameservers
100watches.net         ns1.ucraineanu.com ns2.ucraineanu.com
abcofhghtwo.com        ns3.dnsdomainplus.com ns4.dnsdomainplus.com
all-the-watches.net    ns1.ucraineanu.com ns2.ucraineanu.com
All of his work will be to no avail when the registrars remove the new nameserver domains.
Let's see . . http://www.dnsstuff.com/tools/whois.ch?ip=ucraineanu.com
Registered by "Paul Gregoire" alias Alex Polyakov. And this domain is in turn resolved by these domain servers in listed order: ns1.dnsgoldone.com ns2.dnsgoldone.com
Let's see . . http://www.dnsstuff.com/tools/whois.ch?ip=dnsgoldone.com
Registered by Paul Gregoire / Alex Polyakov. Can we do it again? Domain servers in listed order: NS1.DNSWHOISGOOD.COM 222.180.219.173 NS2.DNSWHOISGOOD.COM 222.180.219.173
Let's see . . http://www.dnsstuff.com/tools/whois.ch?ip=DNSWHOISGOOD.COM
Once again, registered by Paul Gregoire / Alex Polyakov. Domain servers in listed order: NS5.DNSQWICK.COM 221.194.68.63 NS6.DNSQWICK.COM 221.194.68.63
How long can this go on? dnsqwick.com is also registered by the same fake registrant. Illegal domains to remove:
Registrar: eNom Inc . . . dnsdomainplus.com, dnsqwick.com, dnswhoisgood.com, dnsgoldone.com
Registrar: ABR Products DBA = MISK.COM . . . ucraineanu.com
Registrars do not have any time for known Internet criminals. And Alex's record, and his use of the Paul Gregoire alias are well documented at Spamhaus in the ROKSO Top 10 http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6934
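The procedure this thread walks through by hand (spam link, bare site name, name servers, the name-server domains behind them, their sponsoring registrar, a lockout request), including the chase up the chain of name-server domains shown in the post above, as an added Python example that is not code from the forum or from any tool it names. The NS records, registrar names and contact addresses are copied from the thread into constructed lookup tables so it runs offline; a live version would swap those two tables for DNS and whois queries, and the "last two labels" domain rule is an assumption that does not handle names like example.co.uk.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed lookup tables, with values copied from this thread. A live version
# would replace NS_RECORDS.get with an NS query and REGISTRAR_OF with a whois
# lookup; this offline copy keeps the example self-contained.
NS_RECORDS = {
    "watches123.net":   ["ns1.dnsdomainok.com", "ns2.dnsdomainok.com"],
    "100watches.net":   ["ns1.ucraineanu.com", "ns2.ucraineanu.com"],
    "ucraineanu.com":   ["ns1.dnsgoldone.com", "ns2.dnsgoldone.com"],
    "dnsgoldone.com":   ["NS1.DNSWHOISGOOD.COM", "NS2.DNSWHOISGOOD.COM"],
    "dnswhoisgood.com": ["NS5.DNSQWICK.COM", "NS6.DNSQWICK.COM"],
    # dnsqwick.com is deliberately absent: the thread stops there.
}
REGISTRAR_OF = {
    "dnsdomainok.com": "eNom", "dnsgoldone.com": "eNom",
    "dnswhoisgood.com": "eNom", "dnsqwick.com": "eNom",
    "ucraineanu.com": "MISK.COM",
}
CONTACT_OF = {"eNom": "legal@enom.com", "MISK.COM": "support@misk.com"}


def site_domain(url: str) -> str:
    """Reduce a spamvertized link to its bare site name, as the post does:
    http://g1a2r3b4a5g6.spammed.com/?junk=34725 -> spammed.com.
    Assumption: the registrable name is the last two labels. That is wrong
    for names such as example.co.uk; use a public-suffix list there."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def nameserver_domain(ns_host: str) -> str:
    """ns1.preort.info -> preort.info, the name a registrar sponsors."""
    return site_domain(ns_host)


def nameserver_chain(site: str, ns_lookup=NS_RECORDS.get) -> list[str]:
    """Walk site -> its NS domains -> their NS domains -> ... until the chain
    runs out or repeats. Returns the distinct nameserver domains in the order
    found, which is the list a lockout request needs."""
    found: list[str] = []
    queue, seen = [site_domain(site)], set()
    while queue:
        dom = queue.pop(0)
        if dom in seen:  # cycle guard: NS domains can point at each other
            continue
        seen.add(dom)
        for ns in ns_lookup(dom) or []:
            nsd = nameserver_domain(ns)
            if nsd != dom and nsd not in found:
                found.append(nsd)
                queue.append(nsd)
    return found


def requests_by_registrar(site: str) -> dict[str, list[str]]:
    """Group the chain's nameserver domains by sponsoring registrar, so each
    registrar gets one request covering everything it is accountable for."""
    grouped: dict[str, list[str]] = {}
    for nsd in nameserver_chain(site):
        registrar = REGISTRAR_OF.get(nsd, "UNKNOWN (run a whois)")
        grouped.setdefault(registrar, []).append(nsd)
    return grouped


def draft_request(registrar: str, ns_domains: list[str], site: str) -> str:
    """Render a lockout request in the form the opening post uses."""
    to = CONTACT_OF.get(registrar, "<find on the ICANN accredited-registrar list>")
    lines = [
        f"To: {to}",
        "",
        "The name servers listed below are used to provide access to the "
        f"spamvertized site {site_domain(site)}.",
        "Please lock out customer access to these domains and set all "
        "Address records to 0.0.0.0:",
        *[f"  {d}" for d in ns_domains],
        "Lockout should include: CLIENT DELETE PROHIBITED, CLIENT RENEW "
        "PROHIBITED, CLIENT TRANSFER PROHIBITED, CLIENT UPDATE PROHIBITED, "
        "TRANSFER PROHIBITED.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for registrar, domains in requests_by_registrar("http://100watches.net/?id=1").items():
        print(draft_request(registrar, domains, "100watches.net"), end="\n\n")
```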

Quake14 | Posted on: Thursday, October 19th, 2006, 11:57am | Posts: 4

This is a great technique I will be looking in to.
Instead of reporting on all of the kited domains and zombified cable modem users, go for the source. Knock out their infrastructure.
That is among the most satisfying antispam stories I have ever read.

dj (Super Spam Fighter) | Posted on: Thursday, October 26th, 2006, 4:53am | Posts: 108

I have been trying this on some of the more persistent spams I get with varying success. Beijing Innovative (ha!) in particular seem oblivious to mails.
I have had a lot of mails recently promoting pbouvet.com, maxxtests.com, cationyamer.com and lettersmate.com. Tracing these all gives the same result, four name servers: ns1.fantastish.info. ns1.trashbream.com. ns2.concessiondog.info. ns2.fastundslow.com. When I do the dns lookup for pbouvet.com, maxxtests.com, cationyamer.com and lettersmate.com, they all give the name servers followed by timeout. I can still get at all the sites though.
Not sure what this means?
Also a lot of them don't give a straight url but instead have something like "outbind://102-00000000ACC7D6789F91BB498C2D2B88E630F37DC4B02900/". What are these?
I'm sure there is someone out there that can answer these.
Dave
"Now it's personal" "Don't get mad, get even!"

MarkGiles | Posted on: Thursday, October 26th, 2006, 2:43pm | Posts: 363

Answering the first question - ignore the timeout. What it means is this.
Having realised that his nameservers are being tested to see if they are up or down, Alex has looked into forums like this to see how it is done. He has found that people are using the dnsstuff website to perform the test. So he has tried to be clever. He wants to fool people into thinking that his illegally hijacked nameservers are no longer running. So he has put in a modification on the nameserver itself, that refuses access to the IP address of dnsstuff.com. That's why you are seeing a timeout.
So ignore any timeout you see, and report the nameserver to the registrar in the normal way. You will know when all of the nameservers are failing when the website fails to load.
Here are the five nameservers for those sites and similar ones:
ns2.fastundslow.com      Beijing Innovative
ns2.concessiondog.info   Tucows        Edit: REMOVED NOV 9
ns1.islandjoke.info      Tucows        Edit: REMOVED NOV 9
ns1.fantastish.info      Gandi Sarl    Edit: REMOVED NOV 17
ns1.trashbream.com       Blue Domino
Once the registrar sets the status to not transferable and locked out from the client, and sets the address to 0.0.0.0, the compliance request is complete. Until then, the registrar is guilty of sponsoring known criminals and being complicit in the crime.

MarkGiles | Posted on: Tuesday, October 31st, 2006, 3:32pm | Posts: 363

Key reporting contacts by Registrar. The full list is at ICANN http://www.icann.org/registrars/accreditation-qualified-list.html
Aztus: admin@aztus.com
Baremetal.com: support@baremetal.com
Beijing Innovative: liwei@dns.com.cn, huyan@dns.com.cn, abuse@anti-spam.cn, spam@ccert.edu.cn
Bluedomino.com: domreg@bluedomino.com
CSL: http://www.joker.com website form
CyberConnectics: support@cybcon.com
eNom: legal@enom.com
Gandi Sarl: icann@gandi.net
Intercosmos: sig@intercosmos.com
Misk: support@misk.com
MIT: help@melbourneit.com.au ?
Netfirms: support@netfirms.com
OnlineNic: icann@onlinenic.com
ResellerClub: http://resellerclub.com/report-abuse/whois/
TLDS: partnersupport@srsplus.com
TUCOWS: compliance@opensrs.org
XIN Net: registrar@xinnet.com, pantao@xinnet.com, abuse@anti-spam.cn, spam@ccert.edu.cn
Yesnic: abuse@yesnic.com

dj (Super Spam Fighter) | Posted on: Friday, November 3rd, 2006, 2:36pm | Posts: 108

I'd like to propose Beijing Innovative as the worst registrar as far as reporting spam.
I sent them a mail containing 16 spam emails promoting ui398.com which has yu563.com as the name server to them on 21 September this year. Since then I have sent them over 200 emails reporting this site and hl523.com, ui730.com, ui728.com, af370.com, ui727.com, ui725.com, JF132.com, FG679.com, by131.com, af367.com, fg327, and 5656fg.com.
As far as I can see they are all still up and running.
Dave
"Now it's personal" "Don't get mad, get even!"

tracker | Posted on: Tuesday, November 7th, 2006, 6:02pm | Posts: 41

|
I’ve been trying to use this approach, however being a greenhorn at this I’ve found the process to be very time consuming with quite a bit of page flipping, copying and pasting, and confusion. Perhaps someone can point out my error in the following.
lakeandletis.com is one of the many scam sites that we’ve seen and one that I attempted to follow through on. One of the several name servers is ns2.ssauceboat.info, registered by gandi.net, but when I contacted gandi.net I received a note:
“The domain you mention, lakeandletis.com, is not registered by Gandi, but by 4DOMAINS.COM…”
Gandi lists several name servers associated with lakeandletis.com, including ssauceboat.info, and then states, “Gandi is not a web host. The domain used as the nameserver name SSAUCEBOAT.INFO, is registered via Gandi, but is not a nameserver of Gandi. We therefore have no control over its use, as that is not within the bounds of our mandate as a registrar.”
So… I wonder if anyone could decipher this for me.

MarkGiles | Posted on: Wednesday, November 8th, 2006, 2:46pm | Posts: 363

Gandi has a contract with a criminal, who has registered the domain name ssauceboat.info (as well as its companion fddnode.info). EVIDENCE: http://www.dnsstuff.com/tools/whois.ch?ip=ssauceboat.info
Within the "zone file" for ssauceboat.info, there are a number of records. The important ones are the Address records that point to the nameservers. ns2.ssauceboat.info is the name of the nameserver and it has an Address record. This has pointed to different IP addresses over the past few weeks, such as today, 218.26.34.9, and previously 68.157.135.101, 83.143.12.252, 81.3.139.92 and 195.96.156.154. Each of these addresses is an illegally hijacked nameserver machine.
Gandi Sarl is suggesting that they have no responsibility, and that you need to address the registrar of the spamvertized website. This argument is invalid, because ssauceboat.info has been registered with Gandi Sarl. It has been registered by a known, notorious criminal, Alex Polyakov. By refusing to cancel their contract, Gandi Sarl is aiding a criminal in the commission of his crimes. In every civilised country this is also a criminal act. Gandi Sarl needs to be reminded of that, not in a threatening way, but as useful legal advice.
The fact that they have yet to comprehend this point of law should be publicly advertised. For example, http://www.siteadvisor.com/sites/crampfoot.com
EDIT: On Nov 16 - 17 after much discussion, Gandi SAS removed these nameservers and joined in with other registrars who do not sponsor criminals: ns2.dogmatrust.info ns2.crudefuel.info ns1.apricothangar.info ns2.fddnode.info ns2.ssauceboat.info ns1.fantastish.info ns1.herecentral.info ns1.calldesk.info ns2.abioticxref.info ns2.nolisrize.info ns2.preasworst.info
Thanks to the Gandi team who worked on this!

MarkGiles | Posted on: Wednesday, November 8th, 2006, 6:57pm | Posts: 363

Other illegal fake pharmacy scam sites that Gandi Sarl aka Gandi SAS was sponsoring access to using ssauceboat.info include:
> International Legal RX: mannersport.info pophighest.com reamsufferer.com thetramore.com topstokhold.com
> My Canadian Pharmacy: askshow.info cliosev.com cliosev.info crampfoot.com cvopler.info dorotybop.biz dorotybop.us eparun.info fadsore.info fandet.net feoter.net fradnol.info garagedaw.info garrisonblock.info garrisonblock.info gobetir.com haindar.info illupet.info inisert.info inisert.net irowel.com ispover.info ispover.net marksmanpod.info parbom.info parbom.net pathincom.info quozar.net radiosand.com rexito.net ssunboat.com theftinvasion.info unitagony.info unrespi.info urveli.info urveli.net
> US Drugs: pritlea.net
Edit: As of Nov 17, Gandi Sarl / Gandi SAS is an ICANN accredited registrar who no longer sponsors crime.

tracker | Posted on: Thursday, November 9th, 2006, 10:13pm | Posts: 41


MarkGiles | Posted on: Sunday, November 12th, 2006, 8:30pm | Posts: 363


spamislame | Posted on: Monday, November 13th, 2006, 10:37am | Posts: 66

I also added a review.
It's actually super easy to find lots of evidence against this particular "brand." Interesting...
SiL

tracker | Posted on: Monday, November 13th, 2006, 10:46pm | Posts: 41

Oh yeah, I love this one that was pointed out about the safety in ordering from them,
"When you are in the final check out mode you will be transferred to the site of the online processor that ensures the Fort Knott security of your all transactions."
I wonder how long it takes for most readers to get back up from rolling around on the floor?

MarkGiles | Posted on: Friday, November 17th, 2006, 5:56pm | Posts: 363

NOVEMBER 17, 2006
Alex Polyakov's spamming and illegal machine hijacking operation has been registering domains on registrar Gandi SAS - amongst others. Some of these domains were used as nameservers, which these criminals run on illegally hijacked machines. The nameservers in turn resolve access to illegally hijacked webservers. Those webservers run his illegally spammed pharmacy and fake watch scams. And yes, those scams are also illegal, too.
When faced with all of this evidence of crime, Gandi SAS thought better about being seen to be part of the Polyakov crime scene. The following Polyakov nameservers are no longer functioning after Gandi SAS withdrew their support
ns2.dogmatrust.info ns2.crudefuel.info ns1.apricothangar.info ns2.fddnode.info ns2.ssauceboat.info ns1.fantastish.info ns1.herecentral.info ns1.calldesk.info ns2.abioticxref.info ns2.nolisrize.info ns2.preasworst.info
The Pharmacy Alert Security Team (and millions of frustrated spammed Internet users) applauds Gandi's decision.

Ryan (Spam Fighter) | Posted on: Wednesday, November 29th, 2006, 3:38pm | Posts: 76

Quoted Text: “Gandi is not a web host. The domain used as the nameserver name SSAUCEBOAT.INFO, is registered via Gandi, but is not a nameserver of Gandi. We therefore have no control over its use, as that is not within the bounds of our mandate as a registrar.”
Quoted Text: So… I wonder if anyone could decipher this for me.
Dude, I think that e-mail reply actually came from me! Ha Ha Ha!
The difference was between the physical default nameservers for e-mail forwarding and whatnot (ex. full1.gandi.net...), as opposed to registering a domain name through Gandi that was used as a nameserver or domain for spam, which under the 'old policy' could only be shut off if the whois info was invalid.
Sorry, I should have been more clear about that! At any rate, we got that ba$tard in the end...
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips

spamislame | Posted on: Wednesday, November 29th, 2006, 4:55pm | Posts: 66

Ryan: Do you work for Gandi S?
SiL

MarkGiles | Posted on: Wednesday, November 29th, 2006, 8:02pm | Posts: 363

Quoted Text: Dude, I think that e-mail reply actually came from me! Ha Ha Ha! The difference was between the physical default nameservers for e-mail forwarding and whatnot (ex. full1.gandi.net...), as opposed to registering a domain name through Gandi that was used as a nameserver or domain for spam, which under the 'old policy' could only be shut off if the whois info was invalid. Sorry, I should have been more clear about that! At any rate, we got that ba$tard in the end...
Sure enough. Too many registrars act in accordance solely with the limitations set by ICANN - cancel on invalid whois.
All registrars need to understand that any country's national and (where applicable) state laws preclude any commercial organisation from assisting (or aiding and abetting, or being complicit with) a criminal. By continuing to honour a contract which is providing a service to a criminal, the registrar is effectively committing a crime. It often takes a while to reach that realisation, but once understood, there is no legal alternative but to withdraw the contracted service. That means locking out the contracted domain from the criminal so it cannot continue to be used in the commission of the crime.
Only then is a registrar upholding the law, and keeping their reputation intact, and law enforcement from the door. Gandi SAS has reached that point, and looks ready to wipe the spammers out of their registry with more vigour than ever.
Ace of Domains is still on the journey.

Ryan (Spam Fighter) | Posted on: Wednesday, November 29th, 2006, 11:53pm | Posts: 76

Amen!
(not the registrar ha ha...)
As it turns out, there is great new legislation in France that makes spamming illegal...
Also, with an updated terms of sale contract you can pretty much go to town.
But you are right, when all registrars care about is money, they will stick to just the strict ICANN rules.
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips

MarkGiles | Posted on: Tuesday, December 5th, 2006, 5:11am | Posts: 363


MarkGiles | Posted on: Monday, December 11th, 2006, 1:42pm | Posts: 363

Crossposted from another forum, for Gandi's action -
I just attempted to figure out why a pharma shop website was suddenly running more javascript than usual. I got some interesting evidence which I am passing along here, as well as to my usual law enforcement outlets.
DO NOT visit any of these sites, especially if you run any flavor of IE.
Domain which was spammed:
Code: http://writersboll.info/
Which in turn redirects you to:
Code: http://postaltag.info/?ec1e98dfdd5778S408059d8S9e62acb8
That site uses obfuscated javascript in the footer of the page in an attempt to load iframe content from:
Code: http://mynetwork.hk/404.php
That page contains 100% pathetically obfuscated javascript code which in turn attempts to load yet another iframe from:
Code: http://mynetwork.hk/external.php
THAT page: contains XMLHTTP download and installation of the following items:
* New registry setting: clsid D96C556-65A3-11D0-983A-00C04FC29E36 (That's a Remote Data Service object, allowing the execution of code from a remote source.) * hxxp : / / mynetwork.hk/win32_update.exe (my Symantec instantly disabled this. It's called the "Bloodhound Exploit") [ http://www.symantec.com/security_response/writeup.jsp?docid=2006-041114-2838-99 ] * Attempts to run via shell the abovementioned exe file.
From the Symantec site:
Quote: Bloodhound.Exploit.64 is a heuristic detection for the Vulnerability in MDAC Function Could Allow Code Execution issue.
An attacker who exploits this vulnerability could execute arbitrary code with the privileges of the logged-on user. The attack has to be launched by visiting a website that hosts the malicious code. The exploit requires no user interaction to trigger.
So Pharma Shop, as a spam operation, is now directly associated with the following activities:
- 419 scamming via alleged Russian wife / date scams
- 419 scamming via alleged dead dictator emails
- Lottery scam emails
- (Obviously) illegal pharmaceutical sales (if indeed they do sell anything.)
- Credit card fraud
And now:
- Malicious virus install and execution.
I want to kill these bastards. I mean that. I want to get to the bottom of who's allowing these domains to exist.
Original site's DNS is via globedns.biz, located in Russia. All contact info is (of course) fake. mynetwork.hk's dns is via: NS1.BABIESAREINN.NET, a gandi sarl authorized domain.
Code:
Server Name: NS1.BABIESAREINN.NET IP Address: 69.154.76.126 Registrar: GANDI Whois Server: whois.gandi.net Referral URL: http://www.gandi.net
This is outrageous behavior.
SiL |
|
|
|
 |
Reply: 31 - 80 |
|
|
| Ryan |
| Posted on: Monday, December 11th, 2006, 3:27pm |
 |
|
Spam Fighter 
Posts: 76
|
Hi Mark,
BABIESAREINN.NET is already suspended...
NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service" 
On a separate topic, how do you identify an Alex P scheme? Are there special clues that can be spotted? What do you go by?
|
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips |
|
|
|
 |
Reply: 32 - 80 |
|
|
| MarkGiles |
| Posted on: Monday, December 11th, 2006, 6:21pm |
 |
|
Posts: 363
|
sportystuuff.com 50.0% of queries will end in failure at 60.200.246.242 (ns1.sportystuuff.com) - query timed out 50.0% of queries will end in failure at 221.4.243.136 (ns2.sportystuuff.com) - query timed out
technollogyhere.com 100.0% of queries will end in failure at 221.194.111.55 (ns1.technollogyhere.com) - query timed out
That's 1,950 sites no longer accessible today. Alex takes a palpable hit. |
|
|
|
 |
Reply: 33 - 80 |
|
|
| MarkGiles |
| Posted on: Monday, December 11th, 2006, 7:36pm |
 |
|
Posts: 363
|
Hi Mark,
Sorry to beat you to it (maybe not, lol!), but...
BABIESAREINN.NET is already suspended... |
Gandi has gone from snail to lightning !!
Quoted Text NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service"  |
Hors de combat and hors d'oeuvres
Quoted Text On a separate topic, how do you identify an Alex P scheme? Are there special clues that can be spotted? What do you go by?
|
Some ideas:
1. Naming convention of 2-4 English words joined, and more recently one or two extra characters thrown in. Samples:
stormegkdboxes.com
quitkherfunnyyes.com
deskhrtkrouble.com
watchskesforumom.com
Not conclusive, just a sign
2. Name of registrant - often totally fictitious, but sometimes easily identified as a known alias, listed in Spamhaus in his ROKSO records.
3. Once his sites are identified, then he is identifiable by the site itself. Known examples are
My Canadian Pharmacy
International Legal RX
US Drugs / American Pharmacy
Canadian Health&Care
Exquisite Replicas
HGH Life
Hoodia Life
Note: Sites that are not his, but attributable to ROKSO #2 Leo Kuvayev, are
Toronto Pharmacy
Pharmacy Express
Health Suite
Health Nation
ED Choice
Finest RX
Special RX
Software Downloads
Conclusion: these are just some of the techniques used. Spamhaus and good old Google always help add weight to the evidence.
|
|
|
|
 |
Reply: 34 - 80 |
|
|
| MarkGiles |
| Posted on: Tuesday, December 12th, 2006, 1:59pm |
 |
|
Posts: 363
|
Hi Mark, Sorry to beat you to it (maybe not, lol!), but... BABIESAREINN.NET is already suspended... NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service"  |
Please review the nameserver resolution provided at http://www.dnsstuff.com/tools/traversal.ch?domain=mynetwork.hk&type=A
Gandi needs to lock out the domain from update / delete / transfer and set address records for ns1 to something unworkable, as was done for ns2 - ns5:
ns1.samooosa.info [75.18.211.177] 213.190.217.23 213.22.136.210 213.22.65.212 85.242.206.204 87.72.80.150
ns2.samooosa.info [217.70.185.0] Timeout
ns3.samooosa.info [217.70.185.0] Timeout
ns4.samooosa.info [217.70.185.0] Timeout
ns5.samooosa.info [217.70.185.0] Timeout
--- One horse is still in service |
|
|
|
 |
Reply: 35 - 80 |
|
|
| MarkGiles |
| Posted on: Tuesday, December 12th, 2006, 2:36pm |
 |
|
Posts: 363
|
|
|
|
 |
Reply: 36 - 80 |
|
|
| MarkGiles |
| Posted on: Wednesday, December 13th, 2006, 1:12am |
 |
|
Posts: 363
|
He seems to be wrestling them back. How well are they locked out by Gandi? Who is the mole?
ns1.babiesareinn.net [69.208.153.223] 202.144.125.229 217.132.148.210 59.93.73.240 68.252.96.1 69.208.153.223
ns2.babiesareinn.net [202.144.125.229] 202.144.125.229 217.132.148.210 59.93.73.240 68.252.96.1 69.208.153.223
ns3.babiesareinn.net [217.70.185.0] Timeout
ns4.babiesareinn.net [217.70.185.0] Timeout
ns5.babiesareinn.net [217.70.185.0] Timeout
Domain Name: BABIESAREINN.NET
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: NS3.BABIESAREINN.NET
Name Server: NS4.BABIESAREINN.NET
Name Server: NS1.BABIESAREINN.NET
Name Server: NS2.BABIESAREINN.NET
Name Server: NS5.BABIESAREINN.NET
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
Updated Date: 12-Dec-2006
ClientUpdate not prohibited? How about Registrar Hold? |
|
|
|
 |
Reply: 37 - 80 |
|
|
| Ryan |
| Posted on: Wednesday, December 13th, 2006, 2:05pm |
 |
|
Spam Fighter 
Posts: 76
|
Hi all,
For all who are interested, if one does not see a ClientUpdate Prohibited on a Gandi-registered domain, that does not mean that the client can a priori update the information. In certain cases, back office operations have the same effect by restricting user rights on the web interface (ex. ability to change IP addresses, etc...).
So, for those who care:
ns1.babiesareinn.net [217.70.185.0] Timeout
ns2.babiesareinn.net [217.70.185.0] Timeout
ns3.babiesareinn.net [217.70.185.0] Timeout
ns4.babiesareinn.net [217.70.185.0] Timeout
ns5.babiesareinn.net [217.70.185.0] Timeout
and
ns1.samooosa.info [217.70.185.0]
and
many others...
|
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips |
|
|
|
 |
Reply: 38 - 80 |
|
|
| MarkGiles |
| Posted on: Wednesday, December 13th, 2006, 3:25pm |
 |
|
Posts: 363
|
Pretty soon, Gandi will be blacklisted by the whole spammer community. Congratulations. 
--- I love the smell of 217.70.185.0 in the morning |
|
|
|
 |
Reply: 39 - 80 |
|
|
| Ryan |
| Posted on: Wednesday, December 13th, 2006, 3:33pm |
 |
|
Spam Fighter 
Posts: 76
|
That would (will) be a great day indeed.... 
|
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips |
|
|
|
 |
Reply: 40 - 80 |
|
|
| tracker |
| Posted on: Wednesday, December 13th, 2006, 4:47pm |
 |
|
Posts: 41
|
Here are a couple notes back from registrars:
Hello, The problem that you have brought to our notice relates to how the below mentioned domain names are involved in SPAM abuse: domain name: TRQ2ME.COM We are extremely strict and proactive with regards to our terms of usage. Pursuant to our terms of service we have already Suspended this domain name. For reporting any Abuse from a domain name registered with Registrar Directi.com, please send an e-mail to abuse@publicdomainregistry.com. Moreover, you may report Spam for domain names either Registered through Registrar DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM or Hosted on our Servers from our website at http://www.publicdomainregistry.com/contactus/report-spam/ and Whois Inaccuracy of domain names Registered through us at http://www.publicdomainregistry.com/contactus/report-false-whois/.
Regards,
Karna Kumar Jain
PublicDomainRegistry Abuse Desk
PublicDomainRegistry Spam Reporting Tool - http://www.publicdomainregistry.com/contactus/report-spam/
PublicDomainRegistry False Whois Reporting Tool - http://www.publicdomainregistry.com/contactus/report-false-whois/
And from Netfirms:
Hello,
Thank-you for your e-mail enquiry. Please be advised that we have disabled this site. Netfirms provides legitimate web hosting services and has a ZERO tolerance policy towards these violations.
Regards,
Todd Netfirms Inc. http://www.netfirms.com
Unfortunately, nothing can be done about the Chinese registered nameservers. |
|
|
|
 |
Reply: 41 - 80 |
|
|
| tracker |
| Posted on: Wednesday, December 13th, 2006, 4:58pm |
 |
|
Posts: 41
|
|
|
|
 |
Reply: 42 - 80 |
|
|
| spamislame |
| Posted on: Wednesday, December 13th, 2006, 10:44pm |
 |
|
Posts: 66
|
Some bad news is that I'm trying to figure out why Tucows is rejecting my domain/dns abuse reports.
"<banterwebhelp1@tucows.com>: host emd2-imta.prosp.tucows.com[64.97.156.1] said: 550 Requested action not taken: excessive spam content (in reply to end of DATA command)"
Does that indicate that I've been reporting too much Polykov spam??? What good does it do to report this stuff if your emails don't make it through? |
What I usually do in that case is send a more generic email, quoting nothing, which outlines that you wish to bring to their attention one or more domains which are abusing their terms of service. Zip up a file containing the spam messages and post it to your file host of choice (you may notice I stick with mytempdir.com). Include the link to that file in your email and ensure that you tell them it is virus free and contains data that has not made it through their email server's spam filters.
It blows my mind when spam / abuse email addresses reject the very messages we're supposed to report to them. I understand they must be bombarded day in and day out by idiot spammers but come on.
Anyway I hope that helps.
SiL |
|
|
|
 |
Reply: 43 - 80 |
|
|
| tracker |
| Posted on: Thursday, December 14th, 2006, 10:26am |
 |
|
Posts: 41
|
SiL, I understand you fully. At first I was quoting and inserting "evidence" within my emails, since some Registrars can't do anything without it. However, the rejected email to Tucows was simply the following:
The following domain registered by TUCOWS INC. is engaged in email spam, phishing, and fraud abuse:
http://samonrize.com/
These domains are using nameservers:
ns1.anatomyabstract.com.ns-not-in-service.org [0.0.0.0]
ns1.poertodas.com [83.143.12.252] Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
ns2.grettnos.com [63.223.11.14] Registrar: XIN NET TECHNOLOGY CORPORATION
ns2.seveopd.com [63.223.11.14] Registrar: XIN NET TECHNOLOGY CORPORATION
Please lock out customer access to these domains and set all address records to 0.0.0
Do not support Internet fraud abuse
Unfortunately, BEIJING INNOVATIVE LINKAGE TECHNOLOGY and XIN NET TECHNOLOGY CORPORATION do not respond to abuse reports, but you can make a small difference. Thank you. |
|
|
|
 |
Reply: 44 - 80 |
|
|
| MarkGiles |
| Posted on: Thursday, December 14th, 2006, 3:43pm |
 |
|
Posts: 363
|
|
|
|
 |
Reply: 45 - 80 |
|
|
| tracker |
| Posted on: Thursday, December 14th, 2006, 6:32pm |
 |
|
Posts: 41
|
I love the pic of the Subway Sandwich shop. Who would have thought that they were dispensing drugs for ED! I knew there was something special about those pastrami sandwiches...
Mark you've included just one more link pointing to the fight against spam. I can't keep track of how many there are! So many people literally ticked off about it, and yet so little actually being accomplished! |
|
|
|
 |
Reply: 46 - 80 |
|
|
| tracker |
| Posted on: Sunday, December 17th, 2006, 1:03pm |
 |
|
Posts: 41
|
| Can anyone get through to Tucows??? All of my email is being rejected. Polykov, or Yambo, has been bombarding people with their http://samonrize.com/ phishing site, registered by Tucows. Unfortunately, with Tucows rejecting my email I can't do a thing about it. |
|
|
|
 |
Reply: 47 - 80 |
|
|
| Ryan |
| Posted on: Sunday, December 17th, 2006, 1:16pm |
 |
|
Spam Fighter 
Posts: 76
|
What are the addresses you are using to contact them? I'll try and find another one.
When you say they are rejecting your e-mails, can you provide more information (ex. the full header of the message you get in return etc...)? (so we can see if there is a technical reason for your mails being rejected instead of human)
Have you tried e-mailing them from a different e-mail address (it is not impossible that they have blacklisted your e-mail address(es)?
|
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips |
|
|
|
 |
Reply: 48 - 80 |
|
|
| MarkGiles |
| Posted on: Sunday, December 17th, 2006, 4:15pm |
 |
|
Posts: 363
|
Can anyone get through to Tucows??? All of my email is being rejected. Polykov, or Yambo, has been bombarding people with their http://samonrize.com/ phishing site, registered by Tucows. Unfortunately, with Tucows rejecting my email I can't do a thing about it. |
It used to be compliance@opensrs.org
But for the latest, see http://www.icann.org/registrars/accreditation-qualified-list.html which gives
Quoted Text Tucows Inc. (Canada) http://www.tucows.com
Tucows Inc. (Canada) http://resellers.tucows.com Team up with the world's largest wholesale domain registrar. Competitive wholesale prices, the most experienced support team in the business, no hidden fees, and a complete suite of order and management tools available through OpenSRS. A full range of wholesale services to choose from: 13 TLDs, email, managed DNS, and digital certificates.
Tel: 416 535 0123 Email: sales@opensrs.org
Tel: 416 535 0123 Email: banterwebhelp1@tucows.com |
and http://www.internic.net/regist.html
Quoted Text Tucows Inc. 96 MOWAT AVENUE Toronto, Ontario M6K 3M1 Canada 416 535 0123 banterwebhelp1@tucows.com
Tel: 416 535 0123 Email: sales@opensrs.org |
OK?
|
|
|
|
 |
Reply: 49 - 80 |
|
|
| MarkGiles |
| Posted on: Sunday, December 17th, 2006, 4:53pm |
 |
|
Posts: 363
|
Let's see now, samonrize.com - one spam, what can we learn from it?
Looking up the nameservers http://www.dnsstuff.com/tools/traversal.ch?domain=samonrize.com&type=A
We find four of them, shown as
ns1.anatomyabstract.com.ns-not-in-service.org.
ns1.poertodas.com.
ns2.grettnos.com.
ns2.seveopd.com.
Domain anatomyabstract.com was removed by Tucows on request
> Domain status: clientHold, clientTransferProhibited, clientUpdateProhibited
Nicely locked out, and address record fixed too:
> ns1.anatomyabstract.com.ns-not-in-service.org [0.0.0.0]
So who are the noncompliant registrars?
1. http://www.dnsstuff.com/tools/whois.ch?ip=poertodas.com Beijing Innovative Linkage Technology - email zaifeng@dns.com.nn
2. http://www.dnsstuff.com/tools/whois.ch?ip=grettnos.com XIN Net - email registrar@xinnet.com
3. http://www.dnsstuff.com/tools/whois.ch?ip=seveopd.com XIN Net - same again
What other domains have been registered and spammed under these same nameservers? http://rss.uribl.com/ns/seveopd_com.html
#1 widgetbirds.com ... Wed, 29 Nov 2006 12:02:05 +0000 ... My Canadian Pharmacy
#2 firenigheit.com ... Tue, 28 Nov 2006 19:55:51 +0000 ... My Canadian Pharmacy
#3 arbiktrarium.com ... Tue, 28 Nov 2006 08:56:33 +0000 ... parked domain
#4 denounceringe.net ... Tue, 28 Nov 2006 03:06:38 +0000 ... parked domain
#5 towelsoil.info ... Tue, 28 Nov 2006 03:02:56 +0000 ... unknown
#6 risehandful.com ... Tue, 28 Nov 2006 03:01:44 +0000 ... unknown
#7 finedoots.info ... Tue, 28 Nov 2006 02:59:38 +0000 ... US Drugs
#8 raznine.info ... Tue, 28 Nov 2006 02:58:33 +0000 ... US Drugs
#9 plivaxis.com ... Tue, 28 Nov 2006 02:08:21 +0000 ... US Drugs
Alex Polyakov / Yambo territory. You can sure learn a lot just from one spam.
|
|
|
|
 |
Reply: 50 - 80 |
|
|
| tracker |
| Posted on: Sunday, December 17th, 2006, 9:45pm |
 |
|
Posts: 41
|
It was obvious that XIN NET & Beijing Tech wouldn't do anything, however, I was hoping that at least Tucows could delete the users domain under their registry.
The address I've been using for Tucows has been banterwebhelp1@tucows.com, with the following message returned, as mentioned previously:
<banterwebhelp1@tucows.com>: host emd2-imta.prosp.tucows.com[64.97.156.1] said: 550 Requested action not taken: excessive spam content (in reply to end of DATA command) |
|
|
|
 |
Reply: 51 - 80 |
|
|
| MarkGiles |
| Posted on: Monday, December 18th, 2006, 4:02pm |
 |
|
Posts: 363
|
| Try compliance at opensrs.org |
|
|
|
 |
Reply: 52 - 80 |
|
|
| MarkGiles |
| Posted on: Wednesday, December 20th, 2006, 12:29am |
 |
|
Posts: 363
|
Beijing Innovative Linkage Technology has been steadily purging Leo Kuvayev's spam sites
IP Address / Name server removed by Beijing / Date
61.61.61.61 ns.kertuijingenfunhadesun.com 19-Dec
61.61.61.61 ns.badesruikinherungans.com 19-Dec
61.61.61.61 ns0.vckionldesunjas.com 19-Dec
61.61.61.61 ns0.quijindeshkinmas.com 14-Dec
221.194.111.14 ns0.kilonherunhasedun.com 14-Dec
61.61.61.61 ns0.avuihdesunhawio.com 11-Dec
61.61.61.61 ns0.sadewunmkedefuna.com 11-Dec
61.61.61.61 ns.vaserunkiontunhdetunhas.com 11-Dec
61.61.61.61 ns.baserunkintunhdefunhas.com 11-Dec
That's a load of spammed sites (over 1,000) removed. |
|
|
|
 |
Reply: 53 - 80 |
|
|
| Dave |
| Posted on: Tuesday, December 26th, 2006, 5:16am |
 |
|
Posts: 19
|
Beijing Innovative Linkage Technology has been steadily purging Leo Kuvayev's spam sites
IP Address / Name server removed by Beijing / Date
61.61.61.61 ns.kertuijingenfunhadesun.com 19-Dec
61.61.61.61 ns.badesruikinherungans.com 19-Dec
61.61.61.61 ns0.vckionldesunjas.com 19-Dec
61.61.61.61 ns0.quijindeshkinmas.com 14-Dec
221.194.111.14 ns0.kilonherunhasedun.com 14-Dec
61.61.61.61 ns0.avuihdesunhawio.com 11-Dec
61.61.61.61 ns0.sadewunmkedefuna.com 11-Dec
61.61.61.61 ns.vaserunkiontunhdetunhas.com 11-Dec
61.61.61.61 ns.baserunkintunhdefunhas.com 11-Dec
That's a load of spammed sites (over 1,000) removed
Removed? What does this mean? I have just received a spam mail re ferunhandesunjintungandsa.com. The nameservers are
Name Server.......... ns0.hertunjinkdastion.com
Name Server.......... ns0.vckionldesunjas.com
Has it been re-instated? |
|
|
|
 |
Reply: 54 - 80 |
|
|
| Dave |
| Posted on: Tuesday, December 26th, 2006, 5:26am |
 |
|
Posts: 19
|
Same goes for
pasdrtionkintungandesunjin.com |
|
|
|
 |
Reply: 55 - 80 |
|
|
| MarkGiles |
| Posted on: Tuesday, December 26th, 2006, 5:08pm |
 |
|
Posts: 363
|
In this case Leo used two nameservers to resolve access to his sites. One he registered with Chinese registrar Beijing Innovative Linkage Technology, the other with Chinese registrar XIN Net. Both registrars are accredited by ICANN, a toothless organisation that hands out accreditations but does nothing to ensure quality of service and compliance with requests. So it is up to us to be persistent and specific in our compliance requests.
In this case, Beijing Innovative Linkage Technology has listened to complaints that they are providing a safe haven for a convicted criminal, Leo Kuvayev. They have decided to terminate their contracts with him, and render his name servers inoperative.
XIN Net has yet to see the error of its ways, and is bringing shame and disgrace to the People's Republic of China by not matching Beijing's response. It would be helpful if more people advise them of the error of their ways. Complaints should be made as an "ICANN COMPLIANCE REQUEST" that they set the status of domain hertunjinkdastion.com to clientDeleteProhibited clientTransferProhibited clientUpdateProhibited and the Address records should be changed to a blackhole such as 61.61.61.61.
Address complaints to registrar@xinnet.com with copies to pantao@xinnet.com, lihm@xinnet.com, abuse@anti-spam.cn, spam@ccert.edu.cn
You will find that similar information has been placed into the McAfee SiteAdvisor messages at http://www.siteadvisor.com/sites/ferunhandesunjintungandsa.com |
|
|
|
 |
Reply: 56 - 80 |
|
|
| MarkGiles |
| Posted on: Tuesday, December 26th, 2006, 6:13pm |
 |
|
Posts: 363
|
Examples to illustrate
IP Address / Name server removed by Beijing / Date
61.61.61.61 ns.kertuijingenfunhadesun.com 19-Dec
61.61.61.61 ns.badesruikinherungans.com 19-Dec
Look at the status of one of these:
Domain Name: KERTUIJINGENFUNHADESUN.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS.KERTUIJINGENFUNHADESUN.COM
Name Server: NS0.KERTUIJINGENFUNHADESUN.COM
Status: clientHold
Updated Date: 19-dec-2006
Although as you can see this pair of nameservers were invalidated by Beijing, they failed to prevent transfer of the domains under them. So the spammed domains, such as
runhenfanseyionkenrunhansa.com
shudeinkionmdefun.com
vaserunhfandesikintunhan.com
daseriokintunhandesungan.com
basewunhertinhanlionkun.com
resdefankderunhanstion.com
have been moved to these new name servers registered at XIN Net
ns.pasedinkiondetinjdas.com
ns.mdefunjderionsade.com
The bottom line is that (a) Leo is losing out at one registrar, and has shifted this part of his operation to another. (b) Registrars must be requested to set the status of the name server domain to clientTransferProhibited |
|
|
|
 |
Reply: 57 - 80 |
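The lock-out check the posts above keep doing by eye (is the nameserver domain on clientHold, and are delete, transfer and update all prohibited, or could the spammer still move it to another registrar?) written as a small script. This is an added example, not code from anyone in this thread; the whois excerpts inside it are reproduced from the posts above, flattened onto one line as they were pasted, and the regex that splits "Key: value" pairs out of such a line is my own assumption about that format.

```python
import re

# The lock-out the thread asks registrars to apply to a spammer's nameserver domain:
# the three client* prohibitions plus clientHold, which drops the name from the zone.
REQUIRED = {
    "clienthold",
    "clientdeleteprohibited",
    "clienttransferprohibited",
    "clientupdateprohibited",
}

# Matches "Status: X", "EPP Status: X", "Domain status: X, Y" and the spaced
# "Status:CLIENT DELETE PROHIBITED" form, even when whois output has been flattened
# onto one line; the value ends at the next "Some Key:" or at end of line.
STATUS = re.compile(
    r"status:\s*(.+?)(?=\s+[A-Za-z][A-Za-z ]*:|\s*$)",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)

# Sample whois excerpts, reproduced from posts in this thread (flattened as posted).
WHOIS_BABIESAREINN = (
    "Domain Name: BABIESAREINN.NET Registrar: GANDI Whois Server: whois.gandi.net "
    "Name Server: NS1.BABIESAREINN.NET Status: REGISTRAR-LOCK EPP Status: clientDeleteProhibited "
    "EPP Status: clientTransferProhibited Updated Date: 12-Dec-2006"
)
WHOIS_KERTUIJINGENFUNHADESUN = (
    "Domain Name: KERTUIJINGENFUNHADESUN.COM Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. "
    "DBA DNS.COM.CN Status: clientHold Updated Date: 19-dec-2006"
)
WHOIS_ANATOMYABSTRACT = "Domain status: clientHold, clientTransferProhibited, clientUpdateProhibited"


def normalize(token: str) -> str:
    # "CLIENT DELETE PROHIBITED" and "clientDeleteProhibited" both become "clientdeleteprohibited"
    return re.sub(r"[^a-z]", "", token.lower())


def parse_status(whois_text: str) -> set:
    """Every status token in the whois text, normalized."""
    found = set()
    for m in STATUS.finditer(whois_text):
        for token in m.group(1).split(","):
            if token.strip():
                found.add(normalize(token))
    return found


def lock_gaps(whois_text: str) -> dict:
    """Which of the required statuses are set, which still need requesting."""
    found = parse_status(whois_text)
    return {
        "present": sorted(found & REQUIRED),
        "missing": sorted(REQUIRED - found),  # what to put in the compliance request
        "other": sorted(found - REQUIRED),    # e.g. registrarlock, ok
    }


def fully_locked(whois_text: str) -> bool:
    return not lock_gaps(whois_text)["missing"]


if __name__ == "__main__":
    for name, text in (
        ("babiesareinn.net", WHOIS_BABIESAREINN),
        ("kertuijingenfunhadesun.com", WHOIS_KERTUIJINGENFUNHADESUN),
        ("anatomyabstract.com", WHOIS_ANATOMYABSTRACT),
    ):
        print(name, lock_gaps(text))
```

Run against the Beijing record above it reports only clientHold present and clientTransferProhibited among the missing statuses, which is exactly the gap that let the spammed domains move to new nameservers at XIN Net. The 0.0.0.0 / 61.61.61.61 address-record change is a DNS fact, not a whois status, so it has to be checked with a separate lookup.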
|
|
| Dave |
| Posted on: Monday, January 8th, 2007, 2:53pm |
 |
|
Posts: 19
|
Hi Mark - I'm losing the plot (I do try and report as many as I can) as ICANN don't seem bothered.
The latest one I've looked at is 22RX.com, using clues previously provided by yourself and DNS Stuff:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Status: clientTransferProhibited
Dates: Created 07-dec-2006 Updated 30-dec-2006 Expires 07-dec-2007
DNS Servers: NS0.YADEXSIKINGANS.COM NS0.FADESUTIONGFEDRIN.COM
which suggests the registrar is BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN.
However a search on NS0.YADEXSIKINGANS.COM and NS0.FADESUTIONGFEDRIN.COM has XIN NET as the registrar for the nameservers.
WHOIS results for fadesutiongfedrin.com Generated by http://www.DNSstuff.com
Registrar: XIN NET TECHNOLOGY CORPORATION
Status: ok
Dates: Created 21-dec-2006 Updated 21-dec-2006 Expires 21-dec-2007
DNS Servers: NS2.XINNETDNS.COM NS2.XINNET.CN
So who should I be sending the block request to?
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Secondly - only yesterday I did this search and sent off block requests to the registrars for the name servers: 2 @ Beijing, 1 @ Moniker & 1 @ Xin Net
Domain Name: MIZALDO.HK Contract Version: HKDNR latest version
Registrant Contact Information:
Holder English Name (It should be the same as your legal name on your HKID card or other relevant documents): ANTONIO NACRUR
Holder Chinese Name:
Email: ******@safe-mail.net
Domain Name Commencement Date: 2006-12-21
Country: US
Expiry Date: 2007-12-22
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1772050T
Technical Contact:
First name: ANTONIO Last name: NACRUR Company Name: ANTONIO NACRUR
Name Servers Information:
NS1.XETOPNET.COM NS2.LOERJAMM.COM NS1.THEBLACKRAINS.NET NS2.ASDERDUB.COM
AND today on this search I've got this:
WHOIS results for justlom.com Generated by http://www.DNSstuff.com
Registrar: NETFIRMS, INC.
Status: ok
Dates: Created 13-dec-2006 Updated 21-dec-2006 Expires 13-dec-2007
DNS Servers: NS2.ASDERDUB.COM NS1.THEBLACKRAINS.NET NS1.XETOPNET.COM NS2.LOERJAMM.COM
I JUST CAN'T KEEP UP WITH IT, partly because I don't understand it. Don't the registrars see that the name servers they are using are blacklisted in many places such as URIBL.com, or don't they care? |
|
|
|
 |
Reply: 58 - 80 |
|
|
| MarkGiles |
| Posted on: Monday, January 8th, 2007, 6:04pm |
 |
|
Posts: 363
|
Spammers know that people are tracking them down and shutting them down. So they try to outwit us by covering their tracks.
When you do a WHOIS lookup on a domain, you get back a lot of useful information. The information is what was recorded at the time of registration, and includes the nameservers chosen to resolve the domain name to an address. Because the spammers know that this information is a weakness, they set out to get around it. They change to a different set of name servers, maybe even on a different registrar.
Let's look at your example, 22rx.com today The domain is registered on Beijing Innovative http://www.dnsstuff.com/tools/whois.ch?ip=22rx.com&email=on
You can complain there to have just that one site taken down.
But you can go higher than that. Where are the nameservers? http://www.dnsstuff.com/tools/traversal.ch?domain=22rx.com&type=A
ns0.rxlist1.com [58.215.65.230] 195.138.198.96 81.177.22.174
ns0.fadesutiongfedrin.com [58.215.74.24] 195.138.198.96 81.177.22.174
Two nameservers, one created on domain rxlist1.com (that's new) and the other on old faithful fadesutiongfedrin.com. The former nameserver (NS0.YADEXSIKINGANS.COM) has not responded since Jan 1. Thanks XIN Net! And thanks to all the complainers, too.
Who is the registrar for the new nameserver? http://www.dnsstuff.com/tools/whois.ch?ip=rxlist1.com&email=on Beijing Innovative, back on Nov 24
Who is the registrar for the old one? http://www.dnsstuff.com/tools/whois.ch?ip=fadesutiongfedrin.com&email=on XIN Net back on Dec 21
Where are these two name servers? Look up the IP addresses http://www.dnsstuff.com/tools/whois.ch?ip=58.215.65.230&email=on http://www.dnsstuff.com/tools/whois.ch?ip=58.215.74.24&email=on
The whole range 58.208.0.0 - 58.223.255.255 is administered by China Telecom
Notice that there are not one but two addresses for the website. So he is running it on a primary and secondary at 195.138.198.96 and 81.177.22.174
Where are the 22RX web sites located? http://www.dnsstuff.com/tools/whois.ch?ip=195.138.198.96&email=on > Hostbizua.com in the Ukraine http://www.dnsstuff.com/tools/whois.ch?ip=81.177.22.174&email=on > Netplace.ru in Russia
So he has lost one of his nameservers, and had to replace it with another. His name servers are registered on two different registrars in PRC, and running on two machines in an address range administered by China Telecom. 22RX.com runs on two tandem servers, one in Ukraine, one in Russia.
OK for part one.
|
|
|
|
 |
Reply: 59 - 80 |
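The walk-through above (and the samonrize.com and babiesareinn.net ones earlier in the thread) reads a dnsstuff traversal by hand: which nameservers still answer, which have timed out, which registrable domain each nameserver hangs off (so you know whose registrar to write to), which network hosts the nameserver itself, and where the web site actually runs. Here is that reading as a script, added to this page and not written by anyone in the thread. It parses the flattened traversal text exactly as it was pasted here; the two sample inputs are reproduced from the 22rx.com and babiesareinn.net posts, the "strip the first label to get the nameserver's domain" rule follows the first post in the thread and is a simplification (it is wrong for names with a deeper prefix), and nothing here touches the network.

```python
import re
from dataclasses import dataclass, field

# Reads the flattened dnsstuff-style traversal output pasted in this thread
# ("<nameserver> [<its IP>] <A records it answered...>" or "... Timeout")
# and pulls out what the post walks through by hand. Offline: no DNS queries.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY = re.compile(
    rf"(?P<ns>[\w.-]+)\s+\[(?P<nsip>{IPV4})\]\s+(?P<body>Timeout|(?:{IPV4}\s*)+)"
)

# Sample inputs, reproduced from the 22rx.com and babiesareinn.net lookups posted above.
TRAVERSAL_22RX = (
    "ns0.rxlist1.com [58.215.65.230] 195.138.198.96 81.177.22.174 "
    "ns0.fadesutiongfedrin.com [58.215.74.24] 195.138.198.96 81.177.22.174"
)
TRAVERSAL_BABIESAREINN = (
    "ns1.babiesareinn.net [69.208.153.223] 202.144.125.229 217.132.148.210 59.93.73.240 "
    "68.252.96.1 69.208.153.223 "
    "ns2.babiesareinn.net [202.144.125.229] 202.144.125.229 217.132.148.210 59.93.73.240 "
    "68.252.96.1 69.208.153.223 "
    "ns3.babiesareinn.net [217.70.185.0] Timeout "
    "ns4.babiesareinn.net [217.70.185.0] Timeout "
    "ns5.babiesareinn.net [217.70.185.0] Timeout"
)


@dataclass
class NameServer:
    name: str
    ip: str  # where the nameserver itself runs (hosting-provider complaint)
    answers: list = field(default_factory=list)  # A records it returned for the spammed domain

    @property
    def dead(self) -> bool:
        return not self.answers

    @property
    def base_domain(self) -> str:
        # Assumption: drop the first label, as the thread does ("ns1.urisrets.info" -> "urisrets.info").
        # That domain's registrar is who gets the lock-out request.
        return self.name.split(".", 1)[1]


def parse_traversal(text: str) -> list:
    servers = []
    for m in ENTRY.finditer(text):
        body = m.group("body").strip()
        answers = [] if body == "Timeout" else body.split()
        servers.append(NameServer(m.group("ns"), m.group("nsip"), answers))
    return servers


def summarize(servers: list) -> dict:
    live = [s for s in servers if not s.dead]
    dead = [s for s in servers if s.dead]
    site_ips = sorted({ip for s in live for ip in s.answers})
    return {
        "live": [s.name for s in live],
        "dead": [s.name for s in dead],
        # registrars to ask for clientHold / clientTransferProhibited on the NS domain
        "complaint_targets": sorted({s.base_domain for s in live}),
        # networks hosting the still-working nameservers
        "ns_hosts": sorted({s.ip for s in live}),
        # where the spamvertised site actually runs; more than one means a primary/secondary pair
        "site_ips": site_ips,
        "tandem": len(site_ips) > 1,
        # the "N% of queries will end in failure" figure dnsstuff reports
        "pct_fail": round(100.0 * len(dead) / len(servers), 1) if servers else 0.0,
    }


if __name__ == "__main__":
    for label, text in (("22rx.com", TRAVERSAL_22RX), ("babiesareinn.net", TRAVERSAL_BABIESAREINN)):
        print(label, summarize(parse_traversal(text)))
```

For 22rx.com this gives two live nameservers on two different domains (rxlist1.com and fadesutiongfedrin.com, so two registrars to write to), both hosted in 58.215.0.0/16, and a web site answering from two addresses, the Ukraine/Russia pair the post describes. For babiesareinn.net it reports three of five nameservers timed out, the 60% failure figure, with ns1 and ns2 still handing out addresses. To run it on a fresh spam, paste the traversal text in place of the samples; for a live lookup you would feed it the output of your own dig queries against each listed nameserver instead.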
|
|
| MarkGiles |
| Posted on: Monday, January 8th, 2007, 6:17pm |
 |
|
Posts: 363
|
re MIZALDO.HK - an Illegal RX site, you have it exactly right.
Quoted Text AND today on this search ive got this: WHOIS results for justlom.com Generated by http://www.DNSstuff.comRegistrar: NETFIRMS, INC. Status: ok Dates: Created 13-dec-2006 Updated 21-dec-2006 Expires 13-dec-2007 DNS Servers: NS2.ASDERDUB.COM NS1.THEBLACKRAINS.NET NS1.XETOPNET.COM NS2.LOERJAMM.COM |
Requesting Netfirms (affiliate of Tucows, both in Toronto) to act on this will take out one of the literally THOUSANDS of Illegal RX sites. Better to request the nameservers be inactivated, as before. See the title of this thread.
Quoted Text I dont understand it dont the registrars see the name servers that they are using are blacklisted in many places such as URIBL.com or dont they care |
Guess what? I asked that question of myself, too. I got no answer. Then I got an idea. I asked some of the registrars. The result was dramatic. I know two registrars who were delighted to learn about this uribl lookup method, and do precisely that!
So don't ask yourself. Don't ask this forum. Ask the registrars, and teach them how to do it.
|
|
|
|
 |
Reply: 60 - 80 |
|
|
| Dave |
| Posted on: Thursday, January 11th, 2007, 2:53pm |
 |
|
Posts: 19
|
Thanks - a few more clues for me and others, I hope. I did ask Netfirms (probably not the right question and possibly not the right tone), but they were good enough to reply, though again I don't fully understand their answer. "Hello, Thank you for your e-mail. Please be advised that the domain(s) you have listed are not hosted with Netfirms. While the domains were originally registered through Netfirms, we have no affiliation with them other than the registration themselves.
If you are receiving spam from these domains, we recommend that you contact the host provider currently hosting these domains and file your complaint with them.
Netfirms is listed as the technical contact for these domains because they were registered through us. However, there is nothing that we can do in regards to your complaint since the spam e-mail you are receiving is coming from a different host provider and mail server.
Therefore, we recommend that you refrain from sending us any further notifications regarding your spam complaints as these will need to be re-directed to the host provider for the domain you are filing a complaint against.
We thank you for your compliance in this matter.
Regards,
Todd Netfirms Inc. http://www.netfirms.com
Thank you,
Netfirms Support Team Netfirms Inc. http://www.netfirms.com
-----Original Message----- From: Dave Date: Monday, January 08, 2007 03:13 PM To: support@netfirms.com (support@netfirms.com) Subject: Domain - http://www.justlom.com
Domain Name: www.justlom .com
Hi, I have received an email from JUSTLOM.COM and you appear to be the registrars. The name servers they are using are blacklisted on many sites throughout the world, and I just wonder why, when you are ICANN registered, you can allow this to go on? The site they are using is at best gathering credit card information and at worst selling illegal drugs. Don't you have laws in America or Canada to stop that sort of thing? |
|
|
|
 |
Reply: 61 - 80 |
|
|
| Ryan |
| Posted on: Thursday, January 11th, 2007, 3:15pm |
 |
|
Spam Fighter 
Posts: 76
|
Their key words:
"...other than the registration themselves..."
They are taking the cowardly position that they are immune to the action of the domain, since they are not hosting the site.
|
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips |
|
|
|
 |
Reply: 62 - 80 |
|
|
| MarkGiles |
| Posted on: Thursday, January 11th, 2007, 3:16pm |
 |
|
Posts: 363
|
Hi Dave, you need to approach it differently. You are not complaining because the site was spammed, you are complaining because they are sponsoring a criminal operation.
Take a look at the useful and somewhat amusing entries in the McAfee Site Advisor details at http://www.siteadvisor.com/sites/justlom.com
You need do little more than to ask Netfirms to read it, and decide whether they should continue to risk their reputation in continuing to do business with Alex Polyakov. |
|
|
|
 |
Reply: 63 - 80 |
|
|
| Ryan |
| Posted on: Thursday, January 11th, 2007, 3:22pm |
 |
|
Spam Fighter 
Posts: 76
|
Absolutely. Mark is right on the ball there Dave.
They need to take a stand like this: http://www.gandibar.net/post/2007/01/11/Gandi-fights-back-against-domain-abuse
(OK - that cat is DEFINITELY out of the bag now. What the hell. Anyway, check out the hidden reference to this forum in the title, and please visit and voice your support!! 
Other solutions? You bet!!
Why not throw their own contracts in their faces?
Look at Point 2 of their "Domain Registration Agreement", it states,
Quoted Text "...nor the manner in which it is used infringes the legal rights of a third party, and that the Domain Name is not being registered for any unlawful purpose...." |
 |
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips |
|
|
|
 |
Reply: 64 - 80 |
|
|
| Dave |
| Posted on: Thursday, February 1st, 2007, 3:45pm |
 |
|
Posts: 19
|
Hi - still on the case with your help. This time it is shares - I don't usually bother with them, but this one caught my interest as it wasn't the usual image spam stuff.
"You are subscribed to leandershantaserver.com with the email address *********@*********. If you wish to be excluded from future leandershantaserver.com mailings, please click here or write us at: 21218 St Andrews Blvd #323, Boca Raton, FL 33433 "
Naturally I did neither (subscribed, eh? I don't think so). leandershantaserver.com is blacklisted on URIBL and the registrar is
Registrar: TUCOWS INC.
Status: ok
Dates: Created 19-sep-2006 Updated 19-sep-2006 Expires 19-sep-2007
DNS Servers: NS1.LEANDERSHANTASERVER.COM NS2.LEANDERSHANTASERVER.COM
I was about to write to Tucows Inc. but - what does this mean?
Domain Type Class TTL Answer leandershantaserver.com. A IN 60 69.30.227.40 leandershantaserver.com. A IN 60 69.30.227.34 leandershantaserver.com. NS IN 60 ns2.leandershantaserver.com. leandershantaserver.com. NS IN 60 ns1.leandershantaserver.com. ns1.leandershantaserver.com. A IN 60 69.30.227.34 ns2.leandershantaserver.com. A IN 60 69.30.227.40
- - - - - - - - - - - - - - - - - - - -- - - - - - - - - WHOIS results for 69.30.227.40 Generated by http://www.DNSstuff.com
Location: United States [City: ]
Using 0 day old cached answer (or, you can get fresh results). Hiding E-mail address (you can get results with the E-mail address).
OrgName: WholeSale Internet OrgID: WHOLE-125 Address: 1102 Grand Address: Suite 905 City: Kansas City StateProv: MO PostalCode: 64106 Country: US
NetRange: 69.30.192.0 - 69.30.255.255 CIDR: 69.30.192.0/18 NetName: WHOLESALEINTERNET NetHandle: NET-69-30-192-0-1 Parent: NET-69-0-0-0-0 NetType: Direct Allocation NameServer: NS1.KCNOC.COM NameServer: NS2.KCNOC.COM - - - - - - - -- -- - - - -- - - - - - -- - - -- - -- - --- - WHOIS results for KCNOC.COM Generated by http://www.DNSstuff.com
Registrar: ENOM, INC. Status: clientTransferProhibited Dates: Created 19-jun-2003 Updated 12-nov-2006 Expires 19-jun-2007 DNS Servers: DNS1.NAME-SERVICES.COM DNS2.NAME-SERVICES.COM DNS3.NAME-SERVICES.COM DNS4.NAME-SERVICES.COM DNS5.NAME-SERVICES.COM
I was referred to whois.enom.com; I'm looking it up there.
An old "favourite"???!!
So whilst I would be more than happy to write to Tucows should it be Tucows or ENOM or both?
I did ask in a previous post if anyone -Giles? could explain DNS traversal in very simple terms but couldnt see a response.
Im off to Burma (myanmar) for a couple of weeks but if anyone can post a reply Ill get on to it when I get back. |
Reply: 65 - 80

MarkGiles
Posted on: Thursday, February 1st, 2007, 4:09pm
Posts: 363
Please edit or modify your posting, and remove your email address.
Reply: 66 - 80

MarkGiles
Posted on: Thursday, February 1st, 2007, 4:15pm
Posts: 363
You would complain about leandershantaserver.com to Tucows (compliance at opensrs.org) - this is the most effective.
The complaint about the IP address where their system is hosted would go to Wholesale Internet's abuse dept:
OrgAbuseHandle: NETWO1111-ARIN
OrgAbuseName: Network Abuse
OrgAbusePhone: +1-314-431-5200
OrgAbuseEmail: abuse at wholesaleinternet.com
Reply: 67 - 80

MarkGiles
Posted on: Tuesday, February 27th, 2007, 11:41pm
Posts: 363
Capital Networks (Pacnames) is an unresponsive registrar. They provide the domain for the name servers ns1.srul5.com and ns2.srul5.com. There are over 250 OEM Software sites selling obviously pirated software. It is more worthwhile reporting these to the Business Software Alliance (www.bsa.org) than to the registrar.
But today, all of these sites are failing to load. Take a few at random:
http://oemblagodat.com
http://recover-oem.com
http://oemschaste.com
http://cyber-oem.com
It's gratifying to see hundreds of illegal scam sites fail all at once.
Reply: 68 - 80

pensioner
Posted on: Thursday, March 1st, 2007, 11:49am
Posts: 21
A few questions and remarks.
1. At February 1st 4.15 pm Mark wrote the address to complain to Tucows. How come this address is not listed in the InterNIC Registrar list? I will try the address Mark provided, as mails to the listed banterwebhelp1 at tucows.com bounce;
2. I find Ace of Domains also a very unresponsive registrar. In the last weeks I have sent them - using the complainterator - numerous motivated removal requests for driedoutdns.com and hairyolddns.com. With each request I included the original full UBE, and pointed out the violations of ICANN and CAN-SPAM Act terms (including cc's to ICANN and FTC). Each time I DO get a confirmation mail from ICANN, but nada from Moniker or FTC;
3. Since I started using the complainterator, using hotmail to send the complaints, the following has happened: spam at my yahoo and gmail has almost stopped. I used to get several daily spams there for Pharmacy Express; I haven't seen Leo's spam for days now. However, spam at my hotmail (= the address sending the complaints) has sharply increased, with spam almost exclusively from Polyakov, originating from driedoutdns and hairyolddns;
4. I am unable to tackle the (prun-) spam I receive at hotmail. Until recently that was about the only spam I got at hotmail, but persistent: once a day for well over a year. The original spam (variations like "SEXUALY--ExpLiCIT") linked through a yahoo.uk account has ceased, but has been moved to zoneedit.com, where the name servers ns7, 8 and 9 were used (the subject now refers to incest and/or older women). Upon removal requests for zoneedit.com to Dotster, I got replies from zoneedit.com that the abused site has been "suspended". Nice, but the spamvertized sites behind those links are still running. As complainterator once suggested I send a removal request for yahoo.com, I guess that zoneedit.com itself is not the spammer. What approach to take? Like I do now, continue to ask zoneedit to remove ns7~9.zoneedit.com?
In addition to 3: I get the impression that after starting to make removal requests (i.e. using the complainterator) my gmail and yahoo seem to have been 'white-washed' by Leo (not the effect I wanted, but better than no result at all). It looks like Polyakov gets pissed off by the complainterator. He moved his spam from my gmail and yahoo to my "offending?" hotmail. Also - though he is sloppy - yesterday I noticed that several of his spamvertized links did not resolve at first attempt. They did resolve when I used a proxy (most recent case, about 1 hour ago, Exquisite Replicas at http://www.betsfrends.com). I also noticed that the information I get from a 'whois' at domaintools.com is now minimal, or there even is no info at all.
Summing up, spamvertizing has shifted from gmail and yahoo to hotmail for: Pharma Shop, ED Pill Store, Exquisite Replicas, Hoodia...
Spamvertizing for Pharmacy Express has - temporarily - stopped.
Apart from my other questions, I would like to know if other people using the complainterator have seen a similar change.
Reply: 69 - 80

dfrancocci
Posted on: Tuesday, March 20th, 2007, 8:17am
Posts: 2
Hi. I wonder if you can tell me how to handle the following spamvertized pharmacy site: rxstation.org?
The Complainterator gets stuck trying to find COM.CN. What's happening with this one?
Dominic Francocci
Reply: 70 - 80

dfrancocci
Posted on: Tuesday, March 20th, 2007, 9:00am
Posts: 2
I notice that Complainterator 10 offers to skip or cancel when it gets to this point. Thanks. But what is going on with this domain?
DF
Reply: 71 - 80

MarkGiles
Posted on: Tuesday, March 20th, 2007, 4:54pm
Posts: 363
Complainterator has looked up the DNS servers that give access to rxstation.org: http://www.dnsstuff.com/tools/traversal.ch?domain=rxstation.org&type=A
It gets back the name servers as:
ns1.dns.com.cn [218.30.114.205]
ns2.dns.com.cn [218.244.47.6]
These two name servers are owned by the registrar, Beijing Innovative Linkage Technology, to resolve a huge number of their legitimate customers' web sites and email services. It is therefore not appropriate to allow Complainterator to generate a request to remove the name servers, because that would shut down a multitude of legitimate sites.
Instead, you need to send an email requesting Beijing to remove the web site rxstation.org from their name servers.
Reply: 72 - 80

MarkGiles
Posted on: Monday, April 23rd, 2007, 5:17pm
Posts: 363
Version 11 of the automated complaint generation tool has been posted in the forum at http://thecarpcstore.com/phpbb2/viewforum.php?f=4
It generates complaints to the registrars of a spammed site's name servers, and now it also generates a complaint to the registrar of the spammed site itself.
Used in conjunction with Spamcop, you can respond to a spam for a web site with complaints to:
1. the ISP for the origin of the spam (Spamcop)
2. the ISP for the web site (Spamcop)
3. the registrar for the spammed domain (Complainterator)
4. the registrars for the name servers (Complainterator)
Reply: 73 - 80

dj
Posted on: Sunday, April 29th, 2007, 3:36pm
Super Spam Fighter
Posts: 108
Just downloaded Complainterator v11 (for the first time).
Send to Knujon, report to Spamcop, run Complainterator, delete.
What more could anyone want?
That would be "no more spam" ... and world peace!
(with acknowledgement to Gracie Hart)
Two small snags:
1. New Dream Network: jeffc@dreamhost.com was the address given in ICANN, which then bounced (<jeffc@dreamhost.com>: Recipient address rejected: User unknown in virtual alias table). Went to their website and found abuse@dreamhost.com, and when I got an automated reply from using that it gave me abuse-replies@dreamhost.com, which will avoid the automated reply.
2. Godaddy: <abuse@godaddy.com> (reason: 554 refused mailfrom because of SPF policy)
Dave
"Now it's personal" "Don't get mad, get even!"
Reply: 74 - 80

dj
Posted on: Sunday, May 6th, 2007, 4:21am
Super Spam Fighter
Posts: 108
Used the Complainterator to report a spam email to WILD WEST DOMAINS (now there's a name!) and got the following reply -
Our support staff has responded to your request, details of which are described below:
Discussion Notes
Support Staff Response
Dear *****,
Thank you for contacting support. Unfortunately, we are unable to assist you with this issue because we do not host the domain name that you provided. You must contact the hosting provider with your concerns. You can typically determine who the hosting provider is by the Name Servers that are provided on a Whois Search.
Regards,
Adam S
Customer Inquiry
Registrar: WILD WEST DOMAINS, INC.
Dear Registrar
This is a request for you to remove the spamvertized domain wonderblogs.com
EVIDENCE
From this link, you can see that your company is the spammed site's registrar
* http://www.dnsstuff.com/tools/whois.ch?ip=wonderblogs.com
ACTION
Removal instructions for spammed domains are in this link
* http://www.spamtrackers.eu/wiki/index.php?title=Registrar_Advice
Thank you for your efforts to reduce spam and to keep criminals from abusing your terms of service.
Regards
***************
--------------------------------------------------------------------------------
If you need further assistance with this matter, please reply to this email or contact customer service at 480-505-8857 and reference Incident ID: *********.
Thanks, Wild West Domains
Dave
"Now it's personal" "Don't get mad, get even!"
Reply: 75 - 80

MarkGiles
Posted on: Tuesday, May 8th, 2007, 10:17pm
Posts: 363
Adam S is technically correct. Wild West Domains does not "host" the web site.
But then, the request did not state that they did.
As the registrar, they have accepted a contract with the registrant, whose details are shown in that link.
Quote:
Registrant: Adil Mohammed
Flat 3, 30 St Lawrence Terrace
London, London W10 5SX
United Kingdom
Registered through: DomainRightNow
Domain Name: WONDERBLOGS.COM
Created on: 05-Nov-05
Expires on: 05-Nov-07
Last Updated on: 30-Aug-06
Note the creation date.
If you really believe this site should be removed, you have two options.
1. Respond with a request that they remove the site by setting it to Client Hold.
2. Request the ISP to remove it, as follows:
   a. What is its IP address? ping http://www.wonderblogs.com >> wonderblogs.com [216.86.146.129]
   b. Look up the owner of that IP: http://www.dnsstuff.com/tools/whois.ch?ip=216.86.146.129&email=on
   c. Forward the request to the abuse dept.
Reply: 76 - 80

gentlemike2
Posted on: Tuesday, August 28th, 2007, 9:22pm
Posts: 4
Okay, Let me see if I understand all this:
I got an e-mail from phaonica dot com today. It is registered by Sammy Lee of Liquid Ventures Inc. It redirects to a site --- herbalonez dot com registered to Danny Lee of Healthworldwide Inc. herbalonez advertises p**** enlargement products.
The name servers for phaonica are: ns1.met-dns.com ns2.met-dns.com ns3.met-dns.com ns4.met-dns.com
The name servers for herbalonez are:
ns2.chechiewaz67.com ns1.chechiewaz67.com
All of these name servers are registered with Beijing Innovative Linkage Technology Inc. (No surprise there).
So, I should e-mail Beijing Innovative and request that the met-dns.com servers be taken down, or the chechiewaz67 servers be taken down, or both?
What is my specific complaint?
Who do I cc this to?
I really want to get this down, so I can teach others. I will write up a how to on my own site's spam awareness forum, and spread the word on this technique.
This is new to me, forgive me for being a little slow. Rest assured, when I get it down, I will be using the technique with vigor and enthusiasm.
Gentlemike2
Reply: 77 - 80

MarkGiles
Posted on: Wednesday, August 29th, 2007, 6:59am
Posts: 363
Thanks for asking. Here is the evidence relating to that site. First of all, what do others think about it - what are their reviews? See the McAfee Site Advisor reviews at http://www.siteadvisor.com/sites/phaonica.com/ (For any spammed site, you can simply replace the site name in that link.)
Next, who is the registrar? A whois lookup shows this:
Domain Name: PHAONICA.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: NS1.MET-DNS.COM
Name Server: NS2.MET-DNS.COM
Name Server: NS3.MET-DNS.COM
Name Server: NS4.MET-DNS.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 27-aug-2007
Creation Date: 27-aug-2007
Expiration Date: 27-aug-2008
You can go to the http://www.joker.com web site and complain there.
Who is the registrar for met-dns.com?
Domain Name: MET-DNS.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
...
Creation Date: 24-aug-2007
You can complain to B.I.L.T. and request that the name servers be suspended, because they are used solely for resolving illegally spammed sites.
But as you have noticed, this is just one of the front-ends that redirect to the Elite Herbal site, herbalonez.com
Who is its registrar?
Domain Name: HERBALONEZ.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Its name servers are listed as follows:
Nameserver(s) according to NS-records   Internal lookup Address   Reverse           Liststatus    Country         URIBL associated domains / Comment
ns2.chechiewaz67.com                    216.243.251.247           216.243.251.247   Blacklisted   United States   URIBL SBL55229
ns1.chechiewaz67.com                    216.243.251.247           216.243.251.247   Blacklisted   United States   URIBL SBL55229
The registrar for the name servers?
Domain Name: CHECHIEWAZ67.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
You can see that both the herbalonez.com web site and its name servers are all on the same IP address, 216.243.251.247 - that's fortuitous. Who is the ISP who is responsible for that IP?
OrgName: Matrix Consulting Group
Address: 108 West 13th Street
City: Wilmington
StateProv: DE
PostalCode: 19801
Country: US
So who to contact?
ABUSE280-ARIN MCG Abuse Staff +1-302-476-2747
MCG Support Staff +1-302-476-2747 support@matrix-cg.net
Now there is a whole lot of contacts. How do you convince them that this site is no good? Well, the European Spam Wikipedia has an entry describing the Elite Herbal web site at http://www.spamtrackers.eu/wiki/index.php?title=Herbal_King Also the site advisor referenced above is useful evidence. Likewise the one for the redirected site: http://www.siteadvisor.com/sites/herbalonez.com/ (3 pages of "reviews")
If all that sounds like hard work, there is a quicker way. The Complainterator tool at http://www.complainterator.com automates the process of complaining to the registrars. You would run it once for phaonica.com, and again for herbalonez.com
The complaints about the IP address can be achieved by joining up with Spamcop, and submitting a spam to them.
Over to you.
Reply: 78 - 80
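The triage Mark walks through in Reply 78 (the site's registrar, the registrars of its name servers, the ISP for each IP address, plus the Reply 72 caveat about registrar-run name servers that also serve legitimate customers), as an added Python example that is not code from this thread or from the Complainterator. The DNS and whois data are constructed inline from the values quoted in the thread, with PLACEHOLDER values where the thread gives none, so it runs offline.

```python
"""Triage helper for a spamvertised domain: from DNS answers and whois data, list
the parties to contact (the site's registrar, the name servers' registrars, the
ISPs for each IP address). Added example, not the Complainterator's code; the
DNS and whois data are constructed samples copied from the lookups quoted in
this thread, with placeholders where the thread gives no value."""
from collections import namedtuple

Target = namedtuple("Target", "kind who about note")

# Registrar-run DNS domains that also serve many legitimate customers: ask for the
# spammed site's records to be removed, never for the servers themselves.
SHARED_DNS_DOMAINS = {"dns.com.cn"}        # constructed list, one entry from the thread
TWO_LEVEL_SUFFIXES = {"com.cn", "co.uk"}   # minimal public-suffix table (constructed)


def registrable_domain(host):
    """Drop the host label: ns1.met-dns.com -> met-dns.com, ns1.dns.com.cn -> dns.com.cn."""
    labels = host.rstrip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def triage(domain, dns, registrar_of, ip_owner):
    """dns: {name: {"A": [ips], "NS": [hosts]}}, registrar_of: domain -> registrar,
    ip_owner: ip -> abuse contact. Returns the ordered list of Targets to notify."""
    targets = [Target("registrar", registrar_of[domain], domain,
                      "request that the domain be placed on Client Hold")]
    hosted = {ip: ["web site"] for ip in dns[domain]["A"]}   # ip -> what lives there
    for ns in dns[domain]["NS"]:
        ns_domain = registrable_domain(ns)
        if ns_domain in SHARED_DNS_DOMAINS:
            note = "shared registrar DNS: ask only that %s be removed from it" % domain
        else:
            note = "name server serving spammed sites: request its suspension"
        targets.append(Target("ns-registrar", registrar_of[ns_domain], ns, note))
        for ip in dns.get(ns, {}).get("A", []):
            hosted.setdefault(ip, []).append("name server " + ns)
    for ip, roles in sorted(hosted.items()):
        note = "hosts " + ", ".join(roles)
        if len(roles) > 1:
            note += " (site and name servers share one IP: one complaint covers all)"
        targets.append(Target("isp", ip_owner[ip], ip, note))
    return targets


# Constructed sample data based on the lookups quoted for herbalonez.com and rxstation.org.
DNS = {
    "herbalonez.com": {"A": ["216.243.251.247"],
                       "NS": ["ns1.chechiewaz67.com", "ns2.chechiewaz67.com"]},
    "ns1.chechiewaz67.com": {"A": ["216.243.251.247"]},
    "ns2.chechiewaz67.com": {"A": ["216.243.251.247"]},
    "rxstation.org": {"A": ["192.0.2.10"], "NS": ["ns1.dns.com.cn"]},  # site IP: placeholder
    "ns1.dns.com.cn": {"A": ["218.30.114.205"]},
}
BILT = "Beijing Innovative Linkage Technology Ltd. (dns.com.cn)"
REGISTRAR = {"herbalonez.com": BILT, "chechiewaz67.com": BILT,
             "rxstation.org": BILT, "dns.com.cn": BILT}
IP_OWNER = {"216.243.251.247": "Matrix Consulting Group abuse desk",
            "192.0.2.10": "PLACEHOLDER-ISP", "218.30.114.205": "PLACEHOLDER-ISP"}
```

Calling `triage("herbalonez.com", DNS, REGISTRAR, IP_OWNER)` yields one registrar target, two name-server registrar targets and a single ISP target noting that site and name servers share one IP; for rxstation.org the name-server entry instead asks only for the site's removal.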
Spam_Killer
Posted on: Friday, September 28th, 2007, 1:18pm
Posts: 2
Hi everyone,
I notify each domain's URLs and use the complainterator spam tool.
I use OpenRBL http://openrbl.org/ to look up the URL to get the IP address. To find the URL "Fake IP address" I click the IP Whois on openRBL.
I notify the spammer's URLs and terminate them; also I notify the owners of the spammer's URLs and terminate them.
Things I added to the complainterator spam tool letterhead:
1) news.admin.net-abuse.sightings
2) http://moensted.dk/spam/ stuff on that website.
Reply: 79 - 80

MarkGiles
Posted on: Tuesday, October 2nd, 2007, 12:01am
Posts: 363

Reply: 80 - 80