Jump to content

BotNet scenario


TerryNZ

Recommended Posts

It's unfortunately my experience also. I find it just sad that there are a hard core of registrars that in my experience resist all compliance and I think that the reasons displayed by Joker for eventually, (after months of abuse reports and a filed ICANN complaint), suspending out and out criminal fraud sites support that, (wrong whois data & payment failure only - I suspect mainly the latter). Having said that, there are many registrars who are responsible and do take action on evidential reports & I think (hope!), that the climate is changing towards empowering or even requiring registrars to make judgements on their clients actions based on evidential reports in exactly the same way that hosts & ISP's do, (occasionally..... :) )

However, it could be argued that unless registrars receive abuse reports that show the extent of their criminal client base then they are unlikely to feel the need for change themselves. I'm sure they are happy 'to be left out of the loop' because the received wisdom is that they 'must not make judgements' and are left alone to practise the Joker mantra, (& I paraphrase slightly - the actual T's & C's version is above somewhere....), "better 100 criminals go unpunished than one innocent client is inconvenienced".

Link to comment
Share on other sites

  • Replies 69
  • Created
  • Last Reply

Not all registrars are equal. Obvious statement. But not all experiences with registrars are the same, either.

Therefore, everyone has their own evaluation of registrars, based on their own experiences. I have been dealing with 13 of them over recent months. Some are very fast (Yahoo! averaged <3 hours) down to zero action. I list them here in order of responsiveness based on my experience. The resonse times quoted are as of today. First time experiences were abysmal by comparison. :-(

Yahoo! < 3 hours

eNom 1.5 days

CSL-Joker 2 days (some exceptions. Need convincing evidence)

Tucows 2 days (varies, needs reminders)

Yesnic (4-5 days)

Tucows/Netfirms (needs cc to Tucows)

Tucows/Bluedomino (same)

Tucows/Baremetal (same)

Beijing Innovative (either acts or ignores, no pattern)

Gandi Sarl (does minimum, directs you to other registrars)

XIN Net (unresponsive, needs nudge from anti-spam.cn)

Recent additions are Cyberconnectics and TLDS Inc/SRSplus, the jury is still out on those.

Knowing how high volume ticketing systems work, having been on that side of the fence for a few years, I expect that non-robotic email gets higher queueing, and trusted email source addresses higher still. So a person who sends requests may find that once they establish a trusted reputation, they receive a queueing priority over the robotics and frequent naggers. I know that is the case with my reports to Tucows, eNom and Yahoo! for example.

Link to comment
Share on other sites

Not all of us have the time and knowhow to do this research. That's why I pay for this service. Of course after reporting for over 2-3 years (lost track) I would like to see some more effective measures that actually have a significant impact on spammers' activities. It feels more and more like this is an upstream fight and it will take a more concerted action and involvement from the internet community to see some results.

Link to comment
Share on other sites

Recent additions are Cyberconnectics and TLDS Inc/SRSplus, the jury is still out on those.

SRSplus removed a nameserver within 24 hours. Impressive!

Not all of us have the time and knowhow to do this research. ...

I can't give you time, but the knowhow is out there, and more and more people are adopting the more effective approach.

One place that has explanations of the nameserver removal method is at

http://web.tebweb.com:8080/cgi-bin/spm_for....pl?b=spam_tips

Link to comment
Share on other sites

Not all of us have the time and knowhow to do this research. That's why I pay for this service. Of course after reporting for over 2-3 years (lost track) I would like to see some more effective measures that actually have a significant impact on spammers' activities. It feels more and more like this is an upstream fight and it will take a more concerted action and involvement from the internet community to see some results.

Don't get discouraged! Although there need to be more ISPs who are convinced of the value of blocklists to control spam, if only more end users like you and me understood that it is a good idea to use blocklists and choose their ISPs accordingly, then we would get to the 'tipping point'

Miss Betsy

Link to comment
Share on other sites

Not all registrars are equal. Obvious statement. But not all experiences with registrars are the same, either.

Therefore, everyone has their own evaluation of registrars, based on their own experiences. I have been dealing with 13 of them over recent months. Some are very fast (Yahoo! averaged <3 hours) down to zero action. I list them here in order of responsiveness based on my experience. The resonse times quoted are as of today. First time experiences were abysmal by comparison. :-(

eNom 1.5 days

CSL-Joker 2 days (some exceptions. Need convincing evidence)

I'll need some convincing evidence, especially regarding Joker & Enom. How about my challenge regarding the criminal fraud domains norwaygroupconsulting.cn, (Joker) & teams-cs.com, (Enom)? Another current Norway scammers one is consultinggroupnorway.cn, (spam received today). If you can get all three suspended in your stated time scale I will be well impressed, perhaps even half way convinced of your 'magic bullet'.... :) (Full spam source code available on request).
Link to comment
Share on other sites

The "web" side of the Internet (as opposed to email, newsgroups, FTP) used to be a whole lot of web sites interconnected via hyperlinks.

Next evolution was the "meta" web net, with the introduction of the Search Engine. Now we had web sites dedicated to cataloging web sites. Part two of this evolution is the "Site Advisory", where instead of cataloging content for search engines, we see site evaluation.

McAfee Site Advisor

Microsoft Phishing Filter

GeoTrust TrustWatch etc

Any Spamhandler (like SpamCop, Postini, Knujon..) who has a large repository of reported spam is in a unique position. By striking up a relationship with the Site Advisory providers, there is a great opportunity to rapidly update site evaluations based on reporting statistics. It would even be possible to automatically load up McAfee Site Advisor with explicit "template" information about sites, including who is supporting them.

For example, it would be easy enough to insert advisories that visitors to sites using the Site Advisor plug-in for Firefox or Internet Explorer would see. Here are 4 examples -

http://www.siteadvisor.com/sites/retoje.info

http://www.siteadvisor.com/sites/prusqet.info

http://www.siteadvisor.com/sites/consultinggroupnorway.cn

http://www.siteadvisor.com/sites/panoter.info

Once registrars see their dirty laundry in public, they will be more inclined to clean up their act. As soon as they remove the access, the advisories disappear from view.

Link to comment
Share on other sites

An interesting approach. It's also interesting to note the different experience I have had with Gandi Sarl. I found their support staff, (Francoise et al), were very helpful in shutting down the Swiss eco-life domains, (the previous incarnation of the Norway Group Consulting scammers). So much so that the Swiss Ecolife money laundering mob moved over to Joker in February of this year and have been with them ever since in their various incarnations, safe in the knowledge that Joker is impervious to reports, (or publicity!), on their criminal activities....

However, it's always a bit more problematic getting action taken against nameserver domains as it is a lot more difficult to prove that they have indeed been registered by the scammers for their own exclusive use as they do not in themselves resolve to a criminal website.

Interesting though those 'site advisories' are, I can't honestly see how the registrars are even going to see them and probably will not even be aware they are there, (unless I am missing something, most of them don't even mention the main site registrar), let alone be phased by them. I don't think for a minute that I am the only one pouring highly evidential abuse reports into Joker, MIT et al about their criminal fraud clients, so they must be aware that there is a lot of ill-feeling concerning their support for criminals but as long as there is no sanction whatsoever against their sponsorship of criminal domains, they couldn't give a 4x about it.

There is plenty of publicity on the net about the Norway Group scammers for instance, e.g. Joe Wein, and all of this documentation has been passed to Joker, but in my experience they regard it as all being covered by their criminal credo, viz: "better 100 criminals prosper rather than one innocent is hurt"

I'm afraid it will take a lot more than a few site advisories to make these accessories to criminal activity change their anti-social behaviour in my view.

I'd love to see them facing legal action by anyone who has suffered financial losses as a result of their client's activities on the basis that they have been made aware of the criminal activity yet have chosen to turn a blind eye to it. I'd certainly be more than happy to provide ample evidence of my own provision of illegal activity domain notifications to Joker to use in evidence against them. Can't see it happening somehow, unfortunately and neither can they - there's the problem.....

Norway group spams forwarded to you Terry re above challenge as requested.... :)

Link to comment
Share on other sites

.. Interesting though those 'site advisories' are, I can't honestly see how the registrars are even going to see them and probably will not even be aware they are there, (unless I am missing something, most of them don't even mention the main site registrar)

SAMPLE REQUEST

You are the persons who are responsible for the reputation of XIN Net Technology.

Please view some of these links from the McAfee Site Advisor. They may be viewed by everyone who visits the pharmacy sites owned by the Russian criminal Leo Kuvayev.

You are requested to cease your company's sponsorship of this criminal. You are requested to remove the name servers that reside on your service.

Those name servers are

ns0.shionmkindefunjas.com

ns0.hertunjinkdastion.com

ns0.hadesunjadukinma.com

ns2.yadesaxinmer.com

Here is a selection from many links to McAfee Site Advisor

http://www.siteadvisor.com/sites/shijundefunkionlshuce.com

http://www.siteadvisor.com/sites/genruinjadesunkion.com

http://www.siteadvisor.com/sites/pertionkdefunkadesin.com

http://www.siteadvisor.com/sites/funhunjionsadecin.com

http://www.siteadvisor.com/sites/hertinkdewiondas.com

http://www.siteadvisor.com/sites/radesinkionshiderun.com

http://www.siteadvisor.com/sites/pertionkdefunjadsi.com

Thank you for your assistance and for protecting your company's good reputation..

Link to comment
Share on other sites

Here is another example.

Received a spam advert for 100watches.net. It is another Polyakov site. An address traversal shows name servers ns1.dnsdomainok.com and ns2.dnsdomainok.com. Whois lookup shows dnsdomainok.com is registered on eNom by good old Paul Gregoire, known alias for Alex. Contact details are bogus.

Request is sent to eNom requesting removal of dnsdomainok.com, and supplying evidence of criminal activity. (eg see the site advisor page). Simple enough, now we await developments.

Link to comment
Share on other sites

It's certainly another way of increasing pressure on recalcitrant criminal supporting registrars. From that point of view it's got to be 'a good thing' & I'm all for that. I would like to think that it may result in some criminal abetting registrars changing their policies, but given the stated entrenched attitude of ones such as Joker I think it's still going to be an uphill struggle. In my experience it's impossible to get them to take immediate action against out and out criminal fraudsters, never mind the 'run of the mill' porn, fake goods and meds pedlars.

A 'top brand' registrar league of shame website would be quite an interesting concept where registrars are 'named & shamed' according to the number of spamming and criminal fraud domains that they continue to hold unmolested. I don't know if something of that nature exists - a quick Google for 'registrar league of shame' doesn't throw up anything. Mind, I still favour the LART approach.... :)

Good luck with Enom - let us know how you get on.

Link to comment
Share on other sites

Terry;

FYI: per Completewhois.

Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006

Please see http://www.completewhois.com/help.htm for command-line options

Use of this server and any information obtained here is allowed only

if you follow our policies at http://www.completewhois.com/policies.htm

Unknown domain: DNSDOMAINOK.COM

[DOMAIN whois information for DNSDOMAINOK.COM ]

Domain Name: DNSDOMAINOK.COM

Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org

TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm

Registry: VeriSign, Inc. - http://www.verisign-grs.com

Registrar: BULKREGISTER, LLC. - http://www.bulkregister.com

Whois Server: whois.bulkregister.com

Name Server[from whois, whois+dns ip]: NS1.DNSDOMAINOK.COM 211.161.3.56

Name Server[from whois, whois+dns ip]: NS2.DNSDOMAINOK.COM 60.200.228.27

Updated Date: 27-Sep-2006

Creation Date: 29-Aug-2006

Expiration Date: 29-Aug-2007

Status: ACTIVE

<SNIP>

Bulk Domain Registration

175 Montreal Road #304

Ottawa, Ontario K1L 6E4

CA

Domain Name: DNSDOMAINOK.COM

Administrative Contact:

Paul Gregoire paulgreg[at]smxbox.com

Bulk Domain Registration

175 Montreal Road #304

Ottawa, Ontario K1L 6E4

CA

Phone: 1-613-482-5333

Fax:

If you are running a d/b on "mr. Gregoire" for X-referencing IPs, there are about 140 additional ns listings available if you do a Domain search on “WHACKHUMEANBILLY.COM”.

It is another Polyakov site

I was operating under the assumption “Gregoire/Bulkregister” was Leo K. What did you pick up on that I missed?

Link to comment
Share on other sites

A 'top brand' registrar league of shame website would be quite an interesting concept where registrars are 'named & shamed' according to the number of spamming and criminal fraud domains that they continue to hold unmolested. I don't know if something of that nature exists - a quick Google for 'registrar league of shame' doesn't throw up anything. Mind, I still favour the LART approach.... :)

They exist

http://rss.uribl.com/nic/

Also a wonderful resource but at the IP block level is http://www.blockalert.com/apnic/

You can replace the apnic with ARIN. RIPE, LACNIC by clicking on them in the left column.

Good luck with Enom - let us know how you get on.

Removal completed within 24 hours.

Terry;

I was operating under the assumption “Gregoire/Bulkregister” was Leo K. What did you pick up on that I missed?

http://www.spamhaus.org/rokso/evidence.las...okso_id=ROK6934

dnsdomainok.com was defined under that nameserver hierarchy.

Link to comment
Share on other sites

They couldn't give forks about it?

I think I know what you're saying, but I'm not sure I'm thinking correctly - is it something like fsck?

Close enough David - it came from the tag line for a beer ad (sounds sort of counter intuitive hung out by itself, you had to see it) anyway, the perpetrators - http://www.lion-nathan.com.au/our+companie...rkins/index.htm
Link to comment
Share on other sites

I'll need some convincing evidence, especially regarding Joker & Enom. How about my challenge regarding the criminal fraud domains norwaygroupconsulting.cn, (Joker) & teams-cs.com, (Enom)? Another current Norway scammers one is consultinggroupnorway.cn, (spam received today). If you can get all three suspended in your stated time scale I will be well impressed, perhaps even half way convinced of your 'magic bullet'.... :) (Full spam source code available on request).

Not as fast as usual, but partly there. Maybe they had a visit from the constabulary.

Thanks, CSL/Joker

http://norwaygroupconsulting.cn [DEAD]

http://www.dnsstuff.com/tools/traversal.ch...g.cn&type=A

One down. (Two across)

Link to comment
Share on other sites

Terry;

http://www.spamhaus.org/rokso/evidence.las...okso_id=ROK6934

dnsdomainok.com was defined under that nameserver hierarchy.

I caught that earlier, but taking a vector (traverse?) from just the 2nd nameserver (it's less confusing than the first one):

Name Server[from whois, whois+dns ip]: NS2.DNSDOMAINOK.COM 60.200.228.27

Updated Date: 27-Sep-2006

Creation Date: 29-Aug-2006

Expiration Date: 29-Aug-2007

Status: ACTIVE

Ref: SBL47145

60.200.228.27/32 is listed on the Spamhaus Block List (SBL)

03-Oct-2006 06:44 GMT | SR02

BP spam hosting

urlsh.com is an URL shortening service. The spamvertised URL redirects* to http://urlsh.com/redirect.php?o26nQGya and on to http://monopoe.com/BestLending/?affiliateid=11117

[* you have to pull the site apart to find it]

[whois.yesnic.com]

-----------------------------------------------

Queried Domain Information as follows

-----------------------------------------------

Domain Name : monopoe.com

::Registrant::

Name : Isaak Wenstien

Email : moneymattershoney[at]gmail.com

Address : 42 Flora Cottages

Zipcode : PL1 1NU

Nation : GD

Tel : +44.02081330788

Fax :

<SNIP>

Also hosting here:

ns2.nameservereasyas123.com A 60.200.228.27

ns4.nameservereasyas123.com A 60.200.228.27

ns1.frowere.com A 60.200.228.27

ns2.dnsdomainok.com A 60.200.228.27

ns2.baaans.com A 60.200.228.27

ns2.bbbbns.com A 60.200.228.27

ns2.ccccns.com A 60.200.228.27

ns2.bzzns.com A 60.200.228.27

swisswatchesdirect.com A 60.200.228.27

www.swisswatchesdirect.com CNAME swisswatchesdirect.com

bibianezz.info A 60.200.228.27

Am I confusing myself due to dual (multiple) domain registrations? Reason being; (too long a chain to post just now) but, swisswatchesdirect eventually leads back to a Verisign/Nordnet registration “wanadoo.com” & etc. (e.g.

; AUTHORITY SECTION:

WANADOO.COM. 17198 IN NS ns10.wanadoo.fr.

WANADOO.COM. 17198 IN NS ns11.wanadoo.fr.)

... which was one of Leo’s favorite porn spam ns ensemble until about February.

Also FYF: mr. Gregoire tries to stay ahead of InterNic registration problems by changing his 'purported' email address every couple of months. Here are a few to add to your files if you don’t have them already.

paulgreg[at]tellnotales.com

paulgreg[at]gauntletmail.com

paulgreg[at]arkahperd.org

paulgreg[at]cedei.net

paulgreg[at]lancmail.com

paulgreg[at]popaccount.com

Happy trails,

Link to comment
Share on other sites

A reverse lookup on 60.200.228.27 reveals 113 sites on the address, besides those name servers you list. The computer is a Sun Java System Web Server/6.1 located at Jiangxi Broadcasting And TV Information Network Ltd. Web server software is Apache/2.0.58 (FreeBSD) PHP/5.1.4

The sites include the usual penis enlargement, sexy housewives and HGH Life crap. Many of the sites there actually redirect, eg to 211.161.3.56

Registrant is consistently Paul Gregoire - paulgreg[at]smxbox.com

His address at #304, 175 Montreal Rd, Ottawa is the non-existent apartment on level 3 of a 2-level building containing a strip club. Apparently he lives an open air lifestyle. He obviously has his head in the clouds, and would not frequent the downstairs club depicted here

Note the address, top left.

Link to comment
Share on other sites

Not as fast as usual, but partly there. Maybe they had a visit from the constabulary.

Thanks, CSL/Joker

http://norwaygroupconsulting.cn [DEAD]

http://www.dnsstuff.com/tools/traversal.ch...g.cn&type=A

One down. (Two across)

They appear to be still slowly taking them out on invalid whois data, (as they did with the previous ten or so I mentioned that I'd already reported), but that generally means that they are going through the ICANN 15 day procedure which is great news for the scammers, but not so good for the potential victims..... :(

I suspect we are getting close to a new incarnation for these crooks....I wonder what it will be next? Swedish consulting Co? Finnish consulting Co? Finninvest Co etc etc? I expect they will hold a brainstorming session on the new name..... :) All answers on a £5 note..... :)

One down. (Two across)
A crossword fan?..... :)

4x - As said, generally from the amusing Castlemaine 4x adverts which received quite an airing over here (UK), based on a play on "couldn't give a xxxx"...... :)

Link to comment
Share on other sites

A reverse lookup on 60.200.228.27 reveals 113 sites on the address, besides those name servers you list
I truncated the list for brevity’s sake.

Many of the sites there actually redirect, eg to 211.161.3.56

I think I have 5 or 6 more somewhere; probably on a backup disk by now. If you want them I’ll see if I can relocate them. I’m quite sure the sites were all taken down.

Happy trails,

Link to comment
Share on other sites

I'll need some convincing evidence, especially regarding Joker & Enom. How about my challenge regarding the criminal fraud domains norwaygroupconsulting.cn, (Joker) & teams-cs.com, (Enom)? Another current Norway scammers one is consultinggroupnorway.cn, (spam received today). If you can get all three suspended in your stated time scale I will be well impressed, perhaps even half way convinced of your 'magic bullet'...

norwaygroupconsulting.cn DEAD (4 days)

consultinggroupnorway.cn DEAD (5 days)

It took 5 days. I entered a trouble ticket for each at www.joker.com and provided evidence. I sent a follow-up quoting the original ticket numbers.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.


×
×
  • Create New...