
http://www.refifast.biz not reported by SC


victory3x3


These hosers have been sending out spam for weeks now, and yet SC doesn’t seem to consistently report the site to anyone.

http://www.samspade.org/t/lookat?a=http%3A...ww.refifast.biz

Shows data can be found on them

Only intermittently SC sends reports to:

1075557751 ( http://www.refifast.biz/aff/affiliate.php?uid=53 )

To: nospam[at]hanaro.com

1075557740 ( http://www.refifast.biz/aff/affiliate.php?uid=53 )

To: spamrelay[at]certcc.or.kr

The rest of the time SC completely ignores the site.

Any idea why the inconsistency? They are obviously in the business of mass-spamming. I'd love to see them lose their resources.


Sometimes the spamcop.net parser does not detect links, so it does not file a report.

Cancelling and resubmitting sometimes works better.

There are some web hosts that ignore spamcop.net reports, and based on what you have provided, this web site is on one of them.

As web site reports do not feed the blocking lists, it really does not seem to matter if a report is sent to an ISP that ignores spamcop.net complaints or not.

According to posts on news.admin.net-abuse.email, the SpamAssassin 3.0 Beta knows how to look up the I.P. addresses of web sites against the sbl-xbl.spamhaus.org which allows the detection of this type of spam.

In most cases the web site that the spammer is using is already listed in the sbl-xbl.spamhaus.org.

If you really want to damage the web sites, learn about how to use the whois tools on the internet to look up the owner record of the domain being spamvertised.

Those records are required to be accurate, and the domain registrar is required to suspend the domain if they are not. Other spamfighters have reported success in getting domains removed.

And if you go that route, concentrate on domains that are used for the DNS servers for spammers.

In this case the domain is a U.S. domain, so if the spam was not compliant with the U.S. CAN-SPAM law, and the domain registration is accurate, then if you are also in the U.S. it should be a trivial case for your ISP or your State Attorney General to file charges against them. If the registration is wrong, then you should be able to get the domain suspended.

-John

Personal Opinion Only


One of the latest spams from refifast.biz was missing the quotes on the URLs in the HREF tags (quoted-printable encoding). Interestingly all the IMG tags had the quotes. The SC parser did not find any of the HREF tags. Inserting the quotes fixed that problem, but it might be pointing to a bug in the parser. Off the top of my head, I don't recall whether the quotes are required by the HTML spec.

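The failure described in the post above (unquoted HREF values inside a quoted-printable body) can be reproduced with a link extractor; this is an added example, not part of the thread and not SpamCop's parser. The sample body, the `example.test` hosts and the quote-requiring pattern used for contrast are constructed assumptions.

```python
import quopri
import re
from html.parser import HTMLParser

# Constructed sample (not the actual spam): quoted-printable HTML in which the
# A tags carry unquoted HREF values and the IMG tag a quoted SRC.
SAMPLE_QP = (
    b"<html><body>\n"
    b"<a href=3Dhttp://www.example.test/aff/go.php?uid=3D53>Lower your ra=\n"
    b"te</a>\n"
    b'<img src=3D"http://img.example.test/banner.gif">\n'
    b"<A HREF=3Dhttp://www.example.test/remove.php>unsubscribe</A>\n"
    b"</body></html>\n"
)

class LinkCollector(HTMLParser):
    """Collect (tag, url) pairs from href/src attributes, quoted or not."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append((tag, value.strip()))

def decode_body(raw_body):
    """Undo quoted-printable (=3D becomes '=', soft line breaks are joined)."""
    return quopri.decodestring(raw_body).decode("utf-8", errors="replace")

def extract_links(raw_body):
    """Tolerant extraction: tag and attribute case and quoting do not matter."""
    collector = LinkCollector()
    collector.feed(decode_body(raw_body))
    collector.close()
    return collector.links

def quoted_only_links(raw_body):
    """Contrast case (assumed pattern): insists on double quotes around the URL."""
    return re.findall(r'(?i)\b(?:href|src)\s*=\s*"([^"]*)"', decode_body(raw_body))

if __name__ == "__main__":
    print("tolerant:", extract_links(SAMPLE_QP))
    print("quoted-only:", quoted_only_links(SAMPLE_QP))
```

On the sample, the quote-requiring pattern sees only the image URL, while the tolerant parser returns both links and the image.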

Often the parser will claim no links were found but if you simply reload the page to reprocess it, it will find them. It's still a nuisance, and you often don't know if only some links are missed.

A lot of things work in html for one or more kinds of browser but which are not part of one of the many standards. If a link is live and works in some email html display it should be reported. If it is not live but displays a functioning spam domain it should still be reported.

Reporting spammers to domain registrars has mixed results. Sometimes they pay attention but often don't bother. One type of spam domain that can occasionally be removed that way is a .us top level domain name with a foreign registrant address. Sometimes even a registrant's foreign email is phony, and that is grounds enough for canning the domain name.

You can also sometimes get the spammer's domain registration address removed by his ISP, then go after the domain, but it is often difficult or impossible to get the ISP to pay attention to the complaint; they filter out and trash all complaints without their IP address in the headers because they don't want to bother with forged From addresses. Likewise for functioning spammer addresses in the body of the spam. It's of course impossible to get anyone to pay attention to your explanation because they don't even look at your attempts to communicate with them. It's the email equivalent of telephone menu maze operators trained to be a barrier between customers and anyone with responsibility on anything they don't want to bother with ("let me transfer you" -- infinite hold -- dead line -- start over in menu maze, etc.). There should be a way to blacklist ISPs who ignore such complaints.


Inserting the quotes fixed that problem, but it might be pointing to a bug in the parser.

Please note, it is against spamcop rules to modify the spam in any way in order to find links it would not ordinarily find.

...Is that really true? I thought the prohibition was only against submitting reports of such modified spams.


I've got some good news...www.REFIFAST.BIZ has been suspended. Look at the email I received from GoDaddy.com on 22 June...

Thank you for contacting the GoDaddy.com spam and Abuse Department.

We have suspended the REFIFAST.BIZ domain name for violations of our spam and Abuse policies. Please allow 24-48 hours for this action to take full effect.

Sincerely,

spam and Abuse Department

GoDaddy.com

Take a look at the WHOIS info now...

Domain servers in listed order:

NS1.SUSPENDED-FOR.spam-AND-ABUSE.COM

NS2.SUSPENDED-FOR.spam-AND-ABUSE.COM

YEEHAH (for now).

:lol:

Now if I can only get dvdsforabuck.com to leave me alone...

:angry:

Jeanine


Congrats Jeanine !!!!! These kinds of feedback messages are just so special <g> Though suspecting that you weren't the only person reporting this issue, you must take credit for aiding and assisting for sure. A job well done. Thanks for the work and the feedback <g>


Well, I've got bad news...

The person who was behind the REFIFAST.BIZ is under another domain (and registrar). It is called REFIDIRECT.INFO under gandi.net. I'm getting slammed with spam. What the hell do I do now?? It's like this guy jumps from registrar to registrar with the frequency of a cheap ham radio...

WHOIS INFO

Domain ID:D5995848-LRMS

Domain Name:REFIDIRECT.INFO

Created On:15-Jun-2004 22:12:59 UTC

Expiration Date:15-Jun-2005 22:12:59 UTC

Sponsoring Registrar:R191-LRMS

Status:ACTIVE

Status:OK

Registrant ID:C4845072-LRMS

Registrant Name:Olson Financial Services, SA

Registrant Organization:James Olson

Registrant Street1:424 E. Central Blvd, #3304

Registrant City:Orlando

Registrant State/Province:Florida

Registrant Postal Code:32801

Registrant Country:US

Registrant Email:d1a57c2fab110c850b8d14fd735356ac-851951[at]owner.gandi.net

Admin ID:C4844981-LRMS

Admin Name:James Olsen

Admin Organization:Olsen Financial Services, SA

Admin Street1:424 E. Central Blvd., #3304

Admin City:Orlando

Admin State/Province:Florida

Admin Postal Code:32801

Admin Country:US

Admin Phone:+1.3212068203

Admin Email:olson[at]tcfbmail.com

Billing ID:C1249598-LRMS

Billing Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois

Billing Organization:GANDI sarl

Billing Street1:see also whois.gandi.net

Billing City:Paris

Billing Postal Code:F-75003

Billing Country:FR

Billing Email:support[at]gandi.net

Tech ID:C1249598-LRMS

Tech Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois

Tech Organization:GANDI sarl

Tech Street1:see also whois.gandi.net

Tech City:Paris

Tech Postal Code:F-75003

Tech Country:FR

Tech Email:support[at]gandi.net

Name Server:NS1.REFIGROUP.INFO

Name Server:NS2.REFIGROUP.INFO


That sucks ... you noted GoDaddy's remarks as being dated 22 June, yet this new listing shows;

reg_created: 2004-06-15 22:12:59

expires: 2005-06-15 22:12:59

created: 2004-06-16 00:13:01

changed: 2004-06-16 00:13:01

Looks like they were ready for the GoDaddy whacking. Or possibly like the Ralsky mode of operation, burn a half-dozen domain names a day ..???


The wonderful people who brought us REFIFAST.BIZ and REFIDIRECT.INFO have another spam-filled domain called WEBREFI.INFO. Got more spam...guess I really pissed him off...I don't know why... B)

Questions: Why is Gandi supplying the tech and billing support for them and what exactly does "CLIENT HOLD" mean? Suspended or just a slap on the wrist from the principal?

Domain ID:D5995849-LRMS

Domain Name:WEBREFI.INFO

Created On:15-Jun-2004 22:13:02 UTC

Last Updated On:23-Jun-2004 15:54:19 UTC

Expiration Date:15-Jun-2005 22:13:02 UTC

Sponsoring Registrar:R191-LRMS

Status:CLIENT HOLD

Status:OK

Registrant ID:C4845072-LRMS

Registrant Name:Olson Financial Services, SA

Registrant Organization:James Olson

Registrant Street1:424 E. Central Blvd, #3304

Registrant City:Orlando

Registrant State/Province:Florida

Registrant Postal Code:32801

Registrant Country:US

Registrant Email:d1a57c2fab110c850b8d14fd735356ac-851951[at]owner.gandi.net

Admin ID:C4844981-LRMS

Admin Name:James Olsen

Admin Organization:Olsen Financial Services, SA

Admin Street1:424 E. Central Blvd., #3304

Admin City:Orlando

Admin State/Province:Florida

Admin Postal Code:32801

Admin Country:US

Admin Phone:+1.3212068203

Admin Email:olson[at]tcfbmail.com

Billing ID:C1249598-LRMS

Billing Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois

Billing Organization:GANDI sarl

Billing Street1:see also whois.gandi.net

Billing City:Paris

Billing Postal Code:F-75003

Billing Country:FR

Billing Email:support[at]gandi.net

Tech ID:C1249598-LRMS

Tech Name:CONTACT NOT AUTHORITATIVE see http://www.gandi.net/whois

Tech Organization:GANDI sarl

Tech Street1:see also whois.gandi.net

Tech City:Paris

Tech Postal Code:F-75003

Tech Country:FR

Tech Email:support[at]gandi.net

Name Server:NS1.REFIGROUP.INFO

Name Server:NS2.REFIGROUP.INFO


The wonderful people who brought us REFIFAST.BIZ and REFIDIRECT.INFO have another spam-filled domain called WEBREFI.INFO

Just had someone posting over in the newsgroups this morning, doing her happy dance, as she'd just received her copy of the GoDaddy e-mail you referenced ... I felt so bad by posting that she needed to come over here and see how short your victory dance turned out to be <g>

what exactly does "CLIENT HOLD" mean

I would generally take it (also based on the dates involved in these last two domain registrations) that it would appear that more fuel has been added to the last suggested "Ralsky mode" ... the "client hold" at this point would suggest that this domain is just "parked" at present, such that it's not necessarily "active" .. probably just waiting for the second one you identified to get closed. Then this one will get "turned on"

Why is Gandi supplying the tech and billing support

There are a number of hosting services these days offering a means of "hiding" the real owner and addresses of the actual domain holder/registrant, usually for a bit of an extra fee. In looking through Gandi's site last evening, I could get to "login" points for these accounts, but of course, not having the password <g> But there does seem to be some remote configuration capability allowed, which probably includes setting up DNS and such ...

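The two WHOIS records posted above can be compared mechanically to show that REFIDIRECT.INFO and WEBREFI.INFO belong to one batch; this is an added example, not part of the thread, using only fields copied from those records. The choice of which fields count as pivots is an assumption of the example, and it skips the Tech/Billing handles, which both records list as GANDI sarl.

```python
from datetime import datetime
# Selected fields from the two WHOIS records quoted in this thread.
REFIDIRECT = """\
Domain Name:REFIDIRECT.INFO
Created On:15-Jun-2004 22:12:59 UTC
Registrant ID:C4845072-LRMS
Admin ID:C4844981-LRMS
Tech ID:C1249598-LRMS
Name Server:NS1.REFIGROUP.INFO
Name Server:NS2.REFIGROUP.INFO
"""
WEBREFI = """\
Domain Name:WEBREFI.INFO
Created On:15-Jun-2004 22:13:02 UTC
Registrant ID:C4845072-LRMS
Admin ID:C4844981-LRMS
Tech ID:C1249598-LRMS
Name Server:NS1.REFIGROUP.INFO
Name Server:NS2.REFIGROUP.INFO
"""
# Customer-controlled fields (an assumption of this example). Tech/Billing IDs
# are skipped: both records show them as the registrar's own contact.
PIVOT_FIELDS = ("Registrant ID", "Admin ID", "Name Server")

def parse_whois(text):
    """Parse 'Key:Value' lines into {key: [values]}; keys such as Name Server repeat."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def shared_pivots(a, b):
    """Return {field: sorted common values} over the customer-controlled fields."""
    shared = {}
    for field in PIVOT_FIELDS:
        common = {v.upper() for v in a.get(field, [])} & {v.upper() for v in b.get(field, [])}
        if common:
            shared[field] = sorted(common)
    return shared

def creation_gap_seconds(a, b):
    fmt = "%d-%b-%Y %H:%M:%S UTC"  # the 'Created On' format used in these records
    ta, tb = (datetime.strptime(r["Created On"][0], fmt) for r in (a, b))
    return abs((tb - ta).total_seconds())

if __name__ == "__main__":
    print(shared_pivots(parse_whois(REFIDIRECT), parse_whois(WEBREFI)))
```

The shared registrant and admin handles, the common REFIGROUP.INFO name servers and a creation gap of a few seconds are what tie the two registrations together.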

I'll do another snoopy dance...please read the following from Gandi...

The domain webrefi.info was suspended by Gandi for violations of our contract.

If AR41-gandi appears as technical and billing contact does not mean that we are their hosting company.

For some registries we cannot create one administrative technical and billing contact for each domain;

For .ORG .BIZ .INFO .NAME and .BE domain names, the Whois displays Gandi [*] for some contacts.

Some registries have limited the number of administrative, technical and billing contacts. Moreover we need to standardize the contacts for all the registries. Thus we have decided to send to these registries the Gandi contact.

As the Whois is an extract from their databases, your domain name may appear with some contacts associated to Gandi (except the registrant's one).

It does not mean that you can not manage your domain: in Gandi's database, we have registered your handle properly.

We have improved our Whois display. So you can see two things: the registry's database and Gandi's database (whois -h whois.gandi.net format for the experts).

[*] according to the registry:

AR41-GANDI for .ORG .BIZ .NAME .COM .NET

C1249598-LRMS for .INFO

ga457, ar962 and gb1738 for .BE

If you need to contact us again regarding the same issue, please reply this message and leave the tracking number, [225517-1088011322], in the subject of your e-mail.

Best regards,

Soraya

GANDI Support Team

I'll just do a quick "YAY" before the other boot falls...


Archived

This topic is now archived and is closed to further replies.
