domain theft by spammers


Can someone explain why it's considered alright to let spammers use your domain name to send out Viagra ads?

I've gone through several waves of this. My domain is blocked at a Portuguese ISP where I sometimes write to a friend.

I even think I know who could be behind this - a Scandinavian teenager who runs a pederast site and who thought it was clever to buy up a lot of .us names he doesn't use.

But no one seems to want to do anything but let the spammers continue.

Why?

Link to comment
Share on other sites

I don't know why you think it is "considered alright". In fact, it's illegal according to the US CAN-SPAM law, and in the past, some major ISPs have sued spammers for forging their domain names to spam.

But the average individual domain owner such as you and I don't have the resources or leverage to do much about it. All we can do is wait it out as the spammers cycle through domains. Note that CAN-SPAM does not give rights to individuals, only to the federal government.

However, it's very unusual to have a domain NAME blocked - more likely, you share a mail server with a spammer.

Link to comment
Share on other sites

No, it is not legal and your domain should not be blocked. If they (your friend's ISP) are blocking on the "From" address then they do not know what they are doing because the "From" address is almost always forged.

Link to comment
Share on other sites

Can someone explain why it's considered alright to let spammers use your domain name to send out Viagra ads?

But no one seems to want to do anything but let the spammers continue.

Why?

Because most folks are probably like you ... lacking the means of gathering concrete evidence to link the forgery to an individual, the lack of funds to hire the necessary legal folks to actually charge and prosecute the individual doing the forgery, and of course, the likely returns on that investment and possible successful prosecution aren't worth the effort .... That said, perhaps I'm wrong and you do have the means to pursue the lowlife?

Link to comment
Share on other sites

  • 1 year later...
Because most folks are probably like you ... lacking the means of gathering concrete evidence to link the forgery to an individual, the lack of funds to hire the necessary legal folks to actually charge and prosecute the individual doing the forgery, and of course, the likely returns on that investment and possible successful prosecution aren't worth the effort .... That said, perhaps I'm wrong and you do have the means to pursue the lowlife?

8383[/snapback]

How can I locate the troublemaker? Someone/thing has been using my domain to email ads for "The Ultimate Online Pharmaceutical" for a month now. They are damaging the reputation of my company. There must be a way to isolate the root IP Address or some other true identity and return fire.

Link to comment
Share on other sites

How can I locate the troublemaker? Someone/thing has been using my domain to email ads for "The Ultimate Online Pharmaceutical" for a month now. They are damaging the reputation of my company. There must be a way to isolate the root IP Address or some other true identity and return fire.

37099[/snapback]

1> Have any of your customers mentioned the spam? How do you know it is damaging your reputation? I know I don't take any notice of the forged return addresses of the spam I receive.

2> Have you used spamcop to try and track down the IP sending the junk? If you are simply getting bounces, some of them might contain the original you can use to try and determine the source. Be aware however, that few spammers are using their own machines these days. There are plenty of infected machines more than willing to send their messages for them, leaving little to no tracks at all.

If you have any specific questions, please present some data, or better submit one or more and provide the tracking URL here.

Link to comment
Share on other sites

How can I locate the troublemaker? Someone/thing has been using my domain to email ads for "The Ultimate Online Pharmaceutical" for a month now. They are damaging the reputation of my company. There must be a way to isolate the root IP Address or some other true identity and return fire.

37099[/snapback]

Hi SteveMazur!

I am sure that, with substantial sums of cash to pay lawyers and private investigators, you could track down the information necessary. You could even then go to court and seek some form of redress but then you'd have to demonstrate a loss in some form.

If they have committed offences in the country where they operate then you might be able to persuade the local enforcement agency to take action.

In the end this type of forgery is very common. Most Internet users are experienced in receiving junk from forged addresses and, indeed, most junk received comes from an address from which the recipient has not previously heard.

Typically the forging spammer will move onto somebody else's address in a day or two and life will become more reasonable again.

Andrew

Link to comment
Share on other sites

Thanks Andrew. They have been using my domain name now for over a month.

Below is a failed delivery notification that contains the original email. It did have a live link so I was able to visit the originating company site, where I was able to submit a message asking that the company please stop abusing my domain name with their spam junk mail. The company name is Health Suite, and the domain is http://workorist.com. There is no listed address or phone number.

-=-=-=-=-=-=-=-=-=-=-

Hi. This is the qmail-send program at test.dennyp.com.

I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

<malcomb[at]dennyp.com>:

No such account at this domain.

--- Below this line is a copy of the message.

http://www.spamcop.net/sc?id=z836375246z9b...cc1e0e57c523ebz

Edit: Jeff G. removed the unnecessary and misplaced quoting and the spam copy, replacing the spam copy with a Tracking URL.

Link to comment
Share on other sites
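
The approach suggested earlier in the thread (recover the original message from a bounce and read its headers to find the source) looks like this for a qmail-style bounce such as the one quoted above. This is an added example, not code from any poster or from SpamCop; the bounce text, host names and IP addresses are constructed placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string

QMAIL_MARKER = "--- Below this line is a copy of the message."
PEER_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

# Constructed sample: a qmail bounce received by the owner of victim.example.
# All hosts and addresses are placeholders (RFC 2606 / RFC 5737 ranges).
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at mx.recipient.example.

<nobody@recipient.example>:
No such account at this domain.

--- Below this line is a copy of the message.

Return-Path: <sales@victim.example>
Received: (qmail 4242 invoked from network); 4 Dec 2005 10:00:02 -0000
Received: from unknown (HELO mail.victim.example) (203.0.113.77)
  by mx.recipient.example with SMTP; 4 Dec 2005 10:00:01 -0000
Received: from mail.victim.example (mail.victim.example [192.0.2.10])
  by relay.forged.example with ESMTP; 4 Dec 2005 09:59:00 -0000
From: "Pharmacy" <sales@victim.example>
Subject: constructed sample

(spam body omitted)
"""

def embedded_original(bounce_text):
    """Parse the copy of the original message that qmail-send appended."""
    _, found, original = bounce_text.partition(QMAIL_MARKER)
    if not found:
        raise ValueError("no qmail copy-of-message marker in this bounce")
    return message_from_string(original.lstrip("\r\n"))

def handoff(bounce_text, bouncing_host):
    """Return (ip, helo) logged by the bouncing server for its SMTP peer.
    The first header stamped "by <bouncing_host>", reading top-down, is the
    trustworthy one; everything below it came from the sender and may be forged."""
    for hdr in embedded_original(bounce_text).get_all("Received", []):
        flat = " ".join(hdr.split())          # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        ip = PEER_IP.search(flat)
        if by and ip and by.group(1).lower() == bouncing_host.lower():
            helo = re.search(r"\(HELO\s+([^)]+)\)", flat)
            return ip.group(1), helo.group(1) if helo else None
    return None

def summarize(bounce_text, bouncing_host, my_outbound_ips):
    """Report the real source and whether the domain's own servers sent it."""
    peer = handoff(bounce_text, bouncing_host)
    return peer and {"source_ip": peer[0], "claimed_helo": peer[1],
                     "forged": peer[0] not in my_outbound_ips}
```

The `source_ip` is the address to report to its network owner; as noted in the thread, it is often a compromised machine rather than the spammer's own.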

There is no listed address or phone number.

37176[/snapback]

Then you've been looking in the wrong lists.
12/04/05 15:10:08 whois workorist.com

.com is a domain of USA & International Commercial
Searches for .com can be run at http://www.crsnic.net/

whois -h whois.crsnic.net workorist.com ...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: WORKORIST.COM
   Registrar: WOOHO T&C CO., LTD. D/B/A RGNAMES.COM
   Whois Server: whois.rgnames.com
   Referral URL: http://www.rgnames.com
   Name Server: NS0.HOWODEAL.COM
   Name Server: NS0.HELPAERON.COM
   Status: ACTIVE
   Updated Date: 03-dec-2005
   Creation Date: 02-dec-2005
   Expiration Date: 02-dec-2006

>>> Last update of whois database: Sun, 4 Dec 2005 02:28:28 EST <<<

Redirecting to WOOHO T&C CO., LTD. D/B/A RGNAMES.COM

whois -h whois.rgnames.com workorist.com ...

Domain Name: WORKORIST.COM
Domain Status: ACTIVE
Registrar: Wooho T&C Co., Ltd. d/b/a RGNames.com
Referral URL: http://www.RGNames.com

Domain Registration Date....: 2005-12-02 GMT.
Domain Expiration Date......: 2006-12-02 GMT.
Domain Last Updated Date....: 2005-12-03 14:28:06 GMT.

Registrant:
    larry mixson
    10005-C Graduate Lane,
    charlotte, North Carolina 28213
    US

Administrative, Technical, Billing Contact:
    larry mixson    behindork[at]yahoo.com
    10005-C Graduate Lane,
    charlotte, North Carolina 28213
    US
    (PHONE) +1-704-549-8687    (FAX) +--

Domain Name Servers in listed order:
    NS0.HOWODEAL.COM  211.239.152.141
    NS0.HELPAERON.COM  211.239.152.171

Register a domain name at http://www.rgnames.com.

Link to comment
Share on other sites

Administrative, Technical, Billing Contact:
    larry mixson    behindork[at]yahoo.com
    10005-C Graduate Lane,
    charlotte, North Carolina 28213
    US
    (PHONE) +1-704-549-8687    (FAX) +--

Is it just me, or does this look like bogus info?

Link to comment
Share on other sites

Administrative, Technical, Billing Contact:
    larry mixson    behindork[at]yahoo.com
    10005-C Graduate Lane,
    charlotte, North Carolina 28213
    US
    (PHONE) +1-704-549-8687    (FAX) +--

Is it just me, or does this look like bogus info?

37244[/snapback]

...Not obviously so:
First University Properties College Station Apartments

9216 University City Blvd

Charlotte, NC 28213-3652

(704) 549-8687

Link to comment
Share on other sites

They have been using my domain name now for over a month.

37176[/snapback]

With the information provided you have the information to begin whatever action you might consider appropriate to address the situation other than by ignoring it.

I'm not knowledgeable on the options open to you if you are based in the USA but there are many folk around here who probably are.

But I fear that lawyers will need to be consulted unless they are committing criminal acts.

I wish you well in your search for a solution. Please let us know what the outcome is.

Andrew

Link to comment
Share on other sites

Is it just me, or does this look like bogus info?

The address exists, but that doesn't mean that it belongs to the actual registrant or that the names or phone numbers are correct. The phone number belongs to a property management business, and the address is a condo across the street from UNC Charlotte...it's probably a rental, as it seems to be owned by a couple from Perrysburg, Ohio.

DT

Link to comment
Share on other sites

Is it just me, or does this look like bogus info?

37244[/snapback]

http://maps.google.com/maps?q=10005+Gradua...3&iwloc=A&hl=en

According to Google, it's : First University Properties-College Station Apartments

http://www.google.com/search?sa=X&oi=fwp&pb=f&q=704-549-8687

On another note, I recently had a return from Purdue's system, advising me that a whole slew of addresses were not valid on its system... because a spammer used my comcast address as a "from". It happens and the ISP your friend has should be using block lists like SCBL, not blocking domains.

Link to comment
Share on other sites

Is it just me, or does this look like bogus info?

37244[/snapback]

...Not obviously so:
First University Properties College Station Apartments

9216 University City Blvd

Charlotte, NC 28213-3652

(704) 549-8687

37246[/snapback]

http://maps.google.com/maps?q=10005+Gradua...3&iwloc=A&hl=en

According to Google, it's : First University Properties-College Station Apartments

http://www.google.com/search?sa=X&oi=fwp&pb=f&q=704-549-8687

37292[/snapback]

...Well, I guess it's good to know that SBC SMARTPages Reverse Lookup and Google Maps returns more or less the same information .... :) <g>
Link to comment
Share on other sites

...Well, I guess it's good to know that SBC SMARTPages Reverse Lookup and Google Maps returns more or less the same information

(my response deleted...I misunderstood and thought that this referred to the addresses being near each other....nevermind....look further down the thread for some new info)

DT

Link to comment
Share on other sites

On another note, I recently had a return from Purdue's system, advising me that a whole slew of addresses were not valid on its system... because a spammer used my comcast address as a "from"

Oy, Comcast! They've got a BIG problem with zombied machines spewing spam and not doing much about it. They really should consider locking down their outgoing SMTP, restricting their users to mail going directly through the Comcast servers. That's what other large broadband ISPs have had to do in order to get control of machines spewing worms and spam.

DT

Link to comment
Share on other sites

OK, here's some additional info I discovered after a little poking around:

1. the telephone number in the whois for "workorist.com" has been disconnected (not very surprising). However, their FAX number still seems to work...

2. as already posted here, the number did indeed belong to a Charlotte real-estate and property management firm, however....

3. ...they might have morphed into "Uptown Charlotte Properties" (found at "uptowncharlotteproperties.com" with the same registrant, etc.), but I can't reach the phone number given for that business on an Archive.org cache of their site (their actual site is quite broken) - 704.926.0070 (I get a fast busy signal...the number is also listed on charlotteataglance.com)

4. the most interesting thing I found on the cached pages at Archive.org was the very last name on their "About Us" page:

Larry Mixon, Maintenance Contractor

maintenance[at]uptowncharlotteproperties.com

Larry has been helping buyers and sellers with their maintenance repairs for over 10 years. He stands ready to help our clients with any of their repair needs. Larry is an independent contractor and will perform services to our clients on a contract basis.

That's the name on the whois information mentioned earlier in this thread, so it's possible that the information wasn't all that bogus after all, but that this "Larry Mixon" might indeed be the person behind the domain. It's unclear if the real estate/property management firm still exists, or if he is still associated with them, but there were enough connections there to make this interesting.

BTW, the domain "workorist.com" isn't resolving today...I could swear that it was yesterday when I checked...its name servers seem to be dead, or something.

(on edit: the domain is registered with a Korean registrar, uses DNS from China, and is hosted in Taiwan...no surprises there, either)

another edit: the domain/website is back up (sporadically...I was able to visit it using Lynx from a Linux-based box)

DT

Link to comment
Share on other sites

That is quite interesting. If I was to venture a guess, it looks to me like a spammer has harvested Larry's personal information and used it for domain registration. Quite ingenious. Makes the registration info appear "more" correct. Doesn't fool us though. :)

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
