
Strange registrar


bobbear


I'm getting a whole load of 'phishing' scams lately that I normally manually report to the registrars, nameserver hosts and hosts. There's not normally a problem: I use dnsstuff.com to derive the whois data and DNS traversal data, and normally have a good success rate at nailing them. However, this latest batch has me puzzled.

Their registrar is bluefractal.com, who are ICANN accredited and listed in the Internic database with a website listed as bluefractal.com. When I first clicked on the Internic bluefractal website link it came up with a bluefractal page with a "this website is under construction" banner. Strange, I thought; what sort of registrar doesn't have a website? Now when I click on it I get a redirect to a Latvian-based registrar, 1r.eu (1st Registrar), who claim to be an ICANN registered TLD registrar, but I cannot see them listed on the Internic site, and I've seen a rather suspicious post on web hosting forums about them.

Needless to say, abuse reports to support[at]bluefractal.com are going unanswered.

Anyone cast any light on this?


whois -h whois.crsnic.net bluefractal.com ...
Redirecting to DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM

whois -h whois.PublicDomainRegistry.com bluefractal.com ...
Registration Service Provided By: RESELLERCLUB
Contact: +1.4152361970
Website: http://www.resellerclub.com

Domain Name: BLUEFRACTAL.COM

Registrant:
LogicBoxes
Domain Manager (domain.manager[at]logicboxes.com)
330, Link Way Estate
Link Road
Malad (W)
Mumbai
Maharashtra,400064
IN
Tel. +91.2266797575

Creation Date: 01-Jul-2004
Expiration Date: 01-Jul-2007

Domain servers in listed order:
dns1.bluefractal.com
dns2.bluefractal.com
dns3.bluefractal.com
dns4.bluefractal.com

Administrative Contact:
LogicBoxes
Domain Manager (domain.manager[at]logicboxes.com)
330, Link Way Estate
Link Road
Malad (W)
Mumbai
Maharashtra,400064
IN
Tel. +91.2266797575

Technical Contact:
LogicBoxes
Domain Manager (domain.manager[at]logicboxes.com)
330, Link Way Estate
Link Road
Malad (W)
Mumbai
Maharashtra,400064
IN
Tel. +91.2266797575

Billing Contact:
LogicBoxes
Domain Manager (domain.manager[at]logicboxes.com)
330, Link Way Estate
Link Road
Malad (W)
Mumbai
Maharashtra,400064
IN
Tel. +91.2266797575

Status:ACTIVE

08/27/06 19:09:34 Slow traceroute bluefractal.com
Trace bluefractal.com (64.34.209.213) ...
216.187.115.234 RTT: 41ms TTL: 96 (OC48-POS0-0.wdc-sp2-cor-1.peer1.net bogus rDNS: host not found [authoritative])
216.187.115.238 RTT: 42ms TTL: 96 (OC48-POS6-0.wdc-sbsp2-dis-1.serverbeach.com bogus rDNS: host not found [authoritative])
64.34.209.213 RTT: 53ms TTL: 53 (bluefractal.com ok)

08/27/06 19:10:26 IP block 64.34.209.213
Trying 64.34.209.213 at ARIN
Trying 64.34.209 at ARIN
Peer 1 Network Inc. PEER1-BLK-08 (NET-64-34-0-0-1)
64.34.0.0 - 64.34.255.255
ServerBeach PEER1-SERVERBEACH-04 (NET-64-34-208-0-1)
64.34.208.0 - 64.34.215.255

08/27/06 19:10:56 Browsing http://bluefractal.com/
Fetching http://bluefractal.com/ ...
GET / HTTP/1.1
Host: bluefractal.com
<title>Under Construction</title>

08/27/06 19:12:42 Browsing http://www.resellerclub.com/
Fetching http://www.resellerclub.com/ ...
GET / HTTP/1.1
Host: www.resellerclub.com
content="ResellerClub - The Best ICANN accredited Reseller Registrar, Enabling WebHosts Worldwide">
<a href="/products/domain-registration/">
<h4>Domain Registration</h4>
<p>A comprehensive basket of TLDs for<br>your Customers and Resellers </p>

Basically, it appears that the bluefractal.com domain expired and is now owned by what appears to be some type of bottom-feeder that collects expired domain names. Little research done on that site; warning you/others of Flash, JavaScript and other garbage.

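The two-step lookup in the post above (ask the thin .com registry at whois.crsnic.net, get pointed at the registrar's own whois server, ask again) is the part that is easy to get wrong by hand, because the registry reply carries almost nothing except the referral. The following is an added example, not code from the original thread: it walks that referral chain and pulls out the dates a reporter cares about, against two constructed replies embedded inline instead of live network answers. The domain, the registrar name and the server whois.example-registrar.net are assumptions for illustration only.

```python
"""Walk a thin-registry whois referral (whois.crsnic.net -> registrar whois), offline.

Added example, not from the original post. The two replies below are constructed
stand-ins for the live answers; the domain, the registrar and the server name
whois.example-registrar.net are assumptions for illustration only.
"""
import re
from datetime import date, datetime

# Constructed thin-registry reply: the .com registry only tells you which
# registrar holds the domain and where that registrar's whois server is.
THIN_REPLY = """\
   Domain Name: EXAMPLE-REGISTRAR-TEST.COM
   Registrar: EXAMPLE REGISTRAR LLC
   Whois Server: whois.example-registrar.net
   Referral URL: http://www.example-registrar.net
   Name Server: DNS1.EXAMPLE-REGISTRAR-TEST.COM
   Name Server: DNS2.EXAMPLE-REGISTRAR-TEST.COM
   Status: ACTIVE
"""

# Constructed registrar (thick) reply in the "Key: value" layout quoted above.
THICK_REPLY = """\
Registration Service Provided By: EXAMPLE RESELLER
Domain Name: EXAMPLE-REGISTRAR-TEST.COM
Registrant:
Example Holder (domain.manager[at]example-registrar-test.com)
Creation Date: 01-Jul-2004
Expiration Date: 01-Jul-2007
Domain servers in listed order:
dns1.example-registrar-test.com
dns2.example-registrar-test.com
Status:ACTIVE
"""

# Offline stand-in for the network: whois server name -> canned reply.
CANNED = {
    "whois.crsnic.net": THIN_REPLY,
    "whois.example-registrar.net": THICK_REPLY,
}


def whois_query(server, domain):
    """Return the reply `server` gives for `domain` (a real client opens TCP/43)."""
    return CANNED[server]


def parse_fields(text):
    """Collect 'Key: value' lines into a dict; repeated keys become lists.

    Lines without a colon, or with nothing after it ("Registrant:"), are
    section headers or free text and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if not m or not m.group(2):
            continue
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def follow_referral(domain, start="whois.crsnic.net", max_hops=3):
    """Follow 'Whois Server:' referrals; return (servers asked in order, final fields)."""
    server, chain = start, []
    for _ in range(max_hops):
        fields = parse_fields(whois_query(server, domain))
        chain.append(server)
        nxt = fields.get("whois server", [""])[0].lower()
        if not nxt or nxt == server:      # registrar reply carries no further referral
            return chain, fields
        server = nxt
    raise RuntimeError("too many referral hops for %s" % domain)


def domain_summary(domain, today):
    """The checks worth making before reporting: who holds it and whether it has lapsed."""
    chain, fields = follow_referral(domain)
    created = datetime.strptime(fields["creation date"][0], "%d-%b-%Y").date()
    expires = datetime.strptime(fields["expiration date"][0], "%d-%b-%Y").date()
    return {
        "registrar_whois": chain[-1],
        "hops": len(chain),
        "created": created,
        "expires": expires,
        "expired": today > expires,
    }


if __name__ == "__main__":
    print(domain_summary("example-registrar-test.com", date.today()))
```

The `max_hops` guard matters in practice: a registrar reply that refers back to the registry, or to itself, would otherwise loop forever. Swapping `whois_query` for a real TCP/43 client is the only change needed to run this against live servers.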

Thanks - looks like you went much the same path I did. :) I assumed bluefractal had gone T/U (their domain registration statistics were not too impressive. :) )

The curiosity is the current redirect to 1r.eu (I assumed, rightly or wrongly, that LogicBoxes had sold bluefractal.com on), who rang alarm bells with me, and I wondered if I shall see a lot more phishing scam domains and their associated money laundering domains registered with them in future.

I hope I'm wrong. It's bad enough with open proxies and bombproof hosts and service providers, but a bombproof registrar (other than Joker and MIT etc., that is :) ) reinforces another weak link in the chain of vulnerability of these out and out criminals.


3 months later...

So, MIT is a bombproof registrar? But they are in Australia, aren't they? I thought Australian law was strict on spam.

Too bad if the situation is as described.

That's why Russian spammers register sites at MIT. Damn.

But what about Afilias? They are subsidiaries of Afilias, at least as far as .INFO domains go. Does Afilias not break their contract for such reasons?


So, MIT is a bombproof registrar? But they are in Australia, aren't they? I thought Australian law was strict on spam.

I don't think we're talking about the Melbourne Institute of Technology here (nor the Royal Melbourne Institute of Technology) - Massachusetts, maybe? But anyway, Australian law is tough on spammers only - the senders. IIUC the provider (called the "carrier" in the Act) is specifically exonerated. Idiot legislators.

I see.

Yes, that's bad enough. So providers (let alone registrars) are off prosecution, just like elsewhere.

But did anyone here try to appeal to Afilias themselves? I haven't yet; I wonder what to expect.

As to MIT - it is Melbourne IT Ltd. Quoted below is the whois data:

Street1: Level 2, 120 King Street
Street2:
Street3:
City: Melbourne
State/Province: Vic
Postal Code: 3000
Country: AU
Phone: 61.386242
Phone Ext.:
Fax: 61.396284
Fax Ext.:
Email: cdm[at]melbourneit.com.au
Created On: 24-Jul-2001 14:12:13 UTC
Last Updated On: 25-Oct-2006 12:11:12 UTC
Status: OK
Admin ID: 2234948
Admin ID: C2234948-LRMS
Admin Name: Steven Karabatsos
Admin Organization: Melbourne IT Ltd
Admin Phone: 613.86242
Admin Phone Ext.:
Admin Fax: 613.86242
Admin Fax Ext.:
Admin Email: infonotices[at]prod.internetnamesww.com

I wonder whether this data is false too :))) like the data of their registered clients. If I were in Melbourne, I would try to find out, for sure. But they are on the other side of the globe. I can probably make a phone call, but it is too expensive from Russia.


As to MIT - it is Melbourne IT Ltd. Quoted below is the whois data:...

I wonder whether this data is false too :))) like the data of their registered clients. If I were in Melbourne, I would try to find out, for sure. But they are on the other side of the globe. I can probably make a phone call, but it is too expensive from Russia.

Thanks for that, Serge. Using the Australian White Pages that appears legitimate, except the phone number is "partial". The actual number is listed as (+61 3) 8624 2400 (phone + fax); also another fax, listed elsewhere, (+61 3) 9620 2388; but there is also an enquiry number 1300 654 677 (which *may* be a "local call rate" number, that is not full charge IIUC, and is elsewhere shown as being attended 24/7). Also there is a website www.melbourneit.com.au which confirms the above (it also lists a heap of overseas offices including London and Stockholm - there are 2 [different] "contact" pages in different places).

Stuff in the White Pages should be reasonably reliable on account of several tiers of government oversight looking over the shoulders of Australian businesses (and they say they're listed on the ASX - Australian Stock Exchange - another overseer). I think there should be no difficulty in contacting them.


Thank you very much. I will have another chance to take them on, I'm sure. Their recent spammers week-tour.info and tour-excurs.info have been silent since November 30; probably the spam-promotion contract expired. Though blah-blah registrant information like Ivanov Petr (means the same as John Doe) and Lenina St. (means the same as Central Highway) is still there for tour-excurs.info. And the Moscow phone number is false - they say they sell hydraulic hoists there and know nothing about Ivanov Petr, tours or the internet itself.

Could you also help me with the whois issue? There is a Russian provider, Arbatek, in Moscow. They seem to be blackhats. I wonder whether there is a larger provider who sponsored their address space. The whois says (for the spammer www.ztour.ru):

person: Alexander Shpagin
address: 15, Leningradskoe shosse
e-mail: sysadm[at]arbatek.ru
remarks: phone: +7 095 1057610
phone: +7 495 1057610
remarks: fax-no: +7 095 1057610
fax-no: +7 495 1057610
nic-hdl: AS1695-RIPE
source: RIPE # Filtered
remarks: modified for Russian phone area changes

route: 217.106.0.0/15
descr: RTCOMM-RU
origin: AS8342
mnt-by: AS8342-MNT
source: RIPE # Filtered

What does this routing info mean? Is it possible to find the larger provider from it (or who distributes address space on the Internet at all)?

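The question above (what the `route:`/`origin:` lines mean, and how to get from a single address to the provider that holds the block) is answered by reading the RIPE objects as a hierarchy: the `route:` object says which autonomous system (`origin:`) announces the prefix to the rest of the Internet, and the `inetnum:` objects that are less specific than the customer's assignment show the allocation the RIPE NCC made to the sponsoring LIR. What follows is an added example, not part of the original thread. It parses RIPE-style objects and, for an address, lists every object that covers it from most to least specific, using the `route:` object quoted in the post plus two constructed `inetnum:` objects embedded inline; the netnames, the 217.106.104.0/24 customer range and the descriptions are assumptions for illustration, not the real database contents.

```python
"""Find the covering route/inetnum objects for an IP in RIPE-style whois text.

Added example, not part of the original thread. The route object matches the
one quoted in the post; the two inetnum objects, their netnames and the
customer range 217.106.104.0/24 are constructed for the example only.
"""
import ipaddress

RIPE_TEXT = """\
inetnum:        217.106.0.0 - 217.107.255.255
netname:        RTCOMM-NET
descr:          constructed LIR allocation for the example
status:         ALLOCATED PA
mnt-by:         AS8342-MNT
source:         RIPE # Filtered

inetnum:        217.106.104.0 - 217.106.104.255
netname:        EXAMPLE-CUSTOMER-NET
descr:          constructed customer assignment for the example
status:         ASSIGNED PA
admin-c:        AS1695-RIPE
source:         RIPE # Filtered

route:          217.106.0.0/15
descr:          RTCOMM-RU
origin:         AS8342
mnt-by:         AS8342-MNT
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split blank-line-separated RPSL objects into dicts; repeated keys become lists."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")      # "source: RIPE # Filtered" keeps its comment
        current.setdefault(key.strip(), []).append(val.strip())
    if current:
        objects.append(current)
    return objects


def object_networks(obj):
    """Yield the ip_network(s) an inetnum range or a route prefix covers."""
    if "inetnum" in obj:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
        yield from ipaddress.summarize_address_range(lo, hi)
    elif "route" in obj:
        yield ipaddress.ip_network(obj["route"][0], strict=False)


def covering(ip, objects):
    """Return (prefixlen, network, object) for every object containing ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for obj in objects:
        for net in object_networks(obj):
            if addr in net:
                hits.append((net.prefixlen, net, obj))
                break
    hits.sort(key=lambda h: -h[0])
    return hits


def upstream_summary(ip, text=RIPE_TEXT):
    """Who announces the address (origin AS) and which allocation it sits inside."""
    hits = covering(ip, parse_rpsl(text))
    routes = [o for _, _, o in hits if "route" in o]
    inetnums = [o for _, _, o in hits if "inetnum" in o]
    return {
        "origin_as": routes[0]["origin"][0] if routes else None,
        "route": routes[0]["route"][0] if routes else None,
        "assignment": inetnums[0]["netname"][0] if inetnums else None,   # most specific
        "allocation": inetnums[-1]["netname"][0] if inetnums else None,  # least specific
        "chain": [str(net) for _, net, _ in hits],
    }


if __name__ == "__main__":
    print(upstream_summary("217.106.104.77"))
```

Against the live database the same walk is one query, `whois -h whois.ripe.net -- "-L 217.106.104.77"`, which returns all less-specific objects for the address; the `mnt-by:` and `status: ALLOCATED PA` lines of the largest `inetnum:` identify the LIR that received the block from the RIPE NCC, and the `origin:` AS is the network that actually carries the traffic, which is where an abuse report on an unresponsive customer goes next.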

I don't think we're talking about the Melbourne Institute of Technology here <snip>

It was the registrar melbourneit.com.au I was referring to as 'bombproof', on the evidence of hundreds of 'phishing' criminals I reported to them earlier this year (I've been out of action recently due to medical problems and surgery, so I don't know what their current position is), with no action taken on their part. They used to take the "domain activity is nothing to do with us" position in exactly the same way that Joker do, although Joker phrase it differently in their T&Cs, viz.: "We are not taking the chance to "hurt" one innocent under 100 fraudulent registrants." Basically registrars like MIT, Joker and others are not required under their respective countries' current legislation to take action against their criminal clients even when their criminal activity is notified to them and is evidentially indisputable, so they don't want to know. The words 'social responsibility' don't seem to be in their vocabulary.

Australian law is tough on spammers only - the senders. IIUC the provider (called the "carrier" in the Act) is specifically exonerated. Idiot legislators.
Precisely - I couldn't have phrased it better myself. The sooner registrars are forced to accept some responsibility for the crimes committed by their clients, (when they are made aware of them), the better. When I say "crimes" I am specifically referring to phishing, money transfer fraud and other (criminal law) defined felonious activity. The sooner spam is similarly defined, also the better IMHO.

Having just got out of hospital it's taken me several hours just to dig out the few wanted emails among thousands of spam emails.... This cannot go on like this....


bobbear respect

Joker's nice phrase «We are not taking the chance to "hurt" one innocent under 100 fraudulent registrants»

should be far more precisely worded as:

«We are not taking the chance to "hurt" one innocent penny out of our pocket for a 100 sheer evident cases of fraud»

Also, social responsibility is a good point.

Social responsibility is the prime duty of parliamentarians. They are even paid for it.

But they neglect it — no legislation against spam-friendly providers and registrars, worldwide.

It is interesting – does the Australian law against spam-senders work?

That is – since that law is in effect, has there been any noticeable reduction in domestic spam?

And how big is the responsibility of spammer under this law?


It is interesting – does the Australian law against spam-senders work?

That is – since that law is in effect, has there been any noticeable reduction in domestic spam?

And how big is the responsibility of the spammer under this law?

There has been, as far as I know, just the one prosecution (successful). This was of a "notable" spammer - the guy who (unsuccessfully) sued a SPEWS reporter some years previously. Briefly discussed in the SC Newsgroups a month or two ago, link introduced was spam blitz: WA firm fined $5.5m ("WA" meaning Western Australia in these parts, not Washington, one difference being about a million square miles). The notorious suing of the SPEWS spam reporter by this unabashed spammer is covered in Aunty Jack(?), SPEWS on Which/T3 (from a great height) and other places.

No more than 1% (rough estimate) of the spam I receive at work (Australian address in Australia) is from Australian sources, and it is promptly reported, without visible effect, to both ACMA (the Communications and Media Authority), which has responsibility, and the provider abuse address. The proportion I receive at home is even less (but may be ISP filtered), although this spam is mostly to a "US" address (attglobal). However, it is not hard to find Australian addresses on the blocklists (not on SC so much these days, but that is possibly a consequence of the increased deployment of botnets - individual IP addresses not getting to the trip point - and possibly due to changes in the effective weighting of SC user reports over the past few years). There is no specific legislative provision for Australian spam received elsewhere [1].

The roll out of the Australian spam Act was mentioned in these pages "at the time" in 2004 Aussie spam Act, Penalties apply from April 10. The maximum penalty being AUD1,100,000 per day which includes the steep increase for repeat offences. The newspaper link in that post no longer works but the link to the actual legislation does.

Bottom line - it undoubtedly has some effect, the objective assessment of which would be somewhere in the large gap between "what the legislators make it out to be" and "very little". Many observers say it is impossible to legislate against spam and indeed the jurisdictional difficulties (national/state laws, international "phenomenon") mean the impact is "disappointing" in the broader picture. Though all is not lost - many AUPs in Europe prohibit activity which is illegal in other countries thus the Australian Act has some effect outside its borders. So we Australians are making some effort. Note the Australian Act applies to UCE - proof of "bulk" distribution is not required, a most positive innovation the legislators somehow managed to get right, God bless their little white cotton socks.

[1 Added - Re "No specific provision outside the national borders." That's assuming a bit; there is provision to take into account spamming activities "elsewhere", but I am assuming any prosecution would stem from spamming activities within Australia, similar activity elsewhere, if proven, being supporting rather than primary evidence, but it certainly may be taken into account in penalty determination. I think the "willingness to engage" on the part of ACMA and contributing agencies would have to increase a great deal before this had any practical effect. The difficulty and cost of cross-border co-operation should not be underestimated.]
