
Who hosts this site?


oldskoolflash


I have successfully shut down 3 websites in a row for this idiot who keeps spamming me. Now it seems he is getting smarter.

Spamcop was never able to resolve the website link of the previous spamvertized websites, but a little legwork yielded the required info.

This one I am having a little trouble with:

http://belfry.thebestpills4u.com/

It resolves to:

Registration Service Provided By: WEB-NAMEZ.COM

Domain servers in listed order:

ns1.drrecommends.info

ns2.yourgoldenhealth.info

ns2.drrecommends.info

ns1.yourgoldenhealth.info

"web-namez" hmmmmmm

That resolves to:

Domain servers in listed order:

24572.mercury.orderbox-dns.com

24572.venus.orderbox-dns.com

24572.earth.orderbox-dns.com

24572.mars.orderbox-dns.com

And the above resolves to:

mercury.orderbox-dns.com = [ 66.135.40.144 ]

Registration Service Provided By: DIRECTI

Contact: 91.2256797500

Website: http://www.directi.com

Domain Name: ORDERBOX-DNS.COM

Leaving me with a reporting address of abuse[at]directi.com

Is that right, could someone confirm?

Ta.


http://www.dnsreport.com/tools/dnsreport.c...bestpills4u.com .. shows the usual spammer-controlled DNS server issues of the day

http://www.dnsstuff.com/tools/lookup.ch?na...ls4u.com&type=A

Domain                    Type  Class  TTL  Answer
thebestpills4u.com.       A     IN     600  220.80.107.190
thebestpills4u.com.       NS    IN     600  ns1.thebestpills4u.com.
thebestpills4u.com.       NS    IN     600  ns2.thebestpills4u.com.
ns1.thebestpills4u.com.   A     IN     600  220.80.107.190
ns2.thebestpills4u.com.   A     IN     600  220.80.107.190

(Note DNS running on the same server as the web-site .. not normal and also probably contributing to the time-out issue)

http://www.whois.sc/thebestpills4u.com

Name Server: NS1.DRRECOMMENDS.INFO

ICANN Registrar: CRITICAL INTERNET, INC.

Created: 2005-10-05

Expires: 2006-10-05

Status: ACTIVE

Registration Service Provided By: WEB-NAMEZ.COM

Domain Name: THEBESTPILLS4U.COM

Registrant:

n/a

DAMOC ALBERT (yahoo.com address)

Istriei, Nr. 32

Apart

București, 31949

RO

Tel. +40.0213463491

Creation Date: 05-Oct-2005

Expiration Date: 05-Oct-2006

Domain servers in listed order:

ns1.drrecommends.info

ns2.yourgoldenhealth.info

ns2.drrecommends.info

ns1.yourgoldenhealth.info

Status:ACTIVE

Website Status: not active (probably also timed out / blocked)

http://www.dnsstuff.com/tools/tracert.ch?i...bestpills4u.com

220.80.107.190 AS0 IANA-RSVD-0

(but, technically, this could be the compromised system of the moment)

TTL = 53

Country = KR

Time = [Router did not respond]

http://www.dnsstuff.com/tools/whois.ch?ip=...db.net&email=on

route: 220.80.0.0/13

descr: KORnet operation Center(Korea Telecom)

origin: AS4766

mnt-by: MAINT-AS4766

source: RADB

(Probably a waste of time trying to contact these folks)

Jumping directly to Directi wouldn't be appropriate without documentation that indicated no-action taken by WEB-NAMEZ.COM .... I've not checked their page to see what their policies are ... so I'll leave that as "your call" for now ...

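The two oddities visible in the lookup above, checked in code: name servers that sit on the same address as the website, and a zone NS set that differs from the name servers listed in whois. This is an added example, not part of the original post; `parse_records` and `audit` are illustrative names, and the input is constructed from the records quoted in the thread.

```python
# Added example: function names are illustrative; the input below is
# constructed from the DNS answer and whois name servers quoted in the thread.
DNS_ANSWER = """\
thebestpills4u.com. A IN 600 220.80.107.190
thebestpills4u.com. NS IN 600 ns1.thebestpills4u.com.
thebestpills4u.com. NS IN 600 ns2.thebestpills4u.com.
ns1.thebestpills4u.com. A IN 600 220.80.107.190
ns2.thebestpills4u.com. A IN 600 220.80.107.190
"""
WHOIS_NS = ["ns1.drrecommends.info", "ns2.yourgoldenhealth.info",
            "ns2.drrecommends.info", "ns1.yourgoldenhealth.info"]


def parse_records(text):
    """Parse 'name type class ttl answer' rows into (name, type, answer)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed rows
        name, rtype, _cls, _ttl, answer = parts
        rows.append((name.rstrip(".").lower(), rtype.upper(),
                     answer.rstrip(".").lower()))
    return rows


def audit(domain, dns_text, whois_ns):
    """Return sorted findings about how the domain's DNS is hosted."""
    domain = domain.rstrip(".").lower()
    rows = parse_records(dns_text)
    addrs = {}  # host name -> set of IPv4 addresses from A records
    for name, rtype, answer in rows:
        if rtype == "A":
            addrs.setdefault(name, set()).add(answer)
    zone_ns = {a for n, t, a in rows if t == "NS" and n == domain}
    site_ips = addrs.get(domain, set())
    findings = set()
    for ns in zone_ns:
        if ns.endswith("." + domain):
            findings.add(f"in-zone name server: {ns}")
        shared = addrs.get(ns, set()) & site_ips
        if shared:
            findings.add(f"{ns} shares web host address {sorted(shared)[0]}")
    if zone_ns != {n.rstrip(".").lower() for n in whois_ns}:
        findings.add("zone NS set differs from whois-listed name servers")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit("thebestpills4u.com", DNS_ANSWER, WHOIS_NS)))
```

A domain whose name servers live elsewhere and match its whois record produces no findings, so the output is useful as supporting evidence in an abuse report.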

> Lately DirectI has been taking some great measures to remove spammers. I suggest manually larting WEB-NAMEZ.COM with a CC to DirectI.

Thanks guys - to tell you the truth, I didn't even bother with web-namez.com - their page would not display without cookies enabled. The organisation doesn't sound legit "namez"????! I'll look into them in more detail tomorrow and if they look OK I'll lart them and, like Merlyn suggests, cc it to Directi.

Failing that, I have a friend who works for Pfizer; I may forward the details to them, they are usually pretty efficient in closing down this kind of site!

Thanks again.


An update.....

Decided to report to DirectI as I didn't like the look of web-namez.com at all. I got the following e-mail from them.

At least it seems like a "human" reply, and they responded extremely quickly....

We have received your complaint for spam from thebestpills4u.com. We are extremely strict and proactive with regards to our terms of usage. Pursuant to our terms of service we have sent WARNING emails to the customer, all the contacts and any associated reseller about this domain. Failing to comply with our terms by the Customer will result in immediate termination of the domain name.

Thank you for contacting our abuse department.

Regards,

DirectI Abuse Team

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Board Line (USA): +1 (415) 240 4171/2

Board Line (India): +91 (22) 5679 7500

FAX (USA): +1 (320) 210 5146

FAX (India): +91 (22) 5679 7508

~~~~~~~~~~~~~~~~~~~~~~~~~~~


> ... We are extremely strict and proactive with regards to our terms of usage. Pursuant to our terms of service we have sent WARNING emails to the customer, all the contacts and any associated reseller about this domain. Failing to comply with our terms by the Customer will result in immediate termination of the domain name.
>
> ...

Nice work - though if they have trouble apprehending that a site with a name like "thebestpills4u.com" just might contravene their "terms of usage" on a regular basis then their assurances might ring a little hollow. Still - different rules in India (pressure of finding a living for some 50 million extra "workers" each and every year and all that ...)


> Lately DirectI has been taking some great measures to remove spammers. I suggest manually larting WEB-NAMEZ.COM with a CC to DirectI.

I'd welcome a place to report the Pfizer piracy. The bestpills4u domain seems to have been suspended by web-namez on 5/10 but it is still sending stuff out. A lot of the spam domains I look up seem to have a home in Korea at: 220.80.107.190

If anyone can find a way to get a reply out of these people, let me know.

Incidentally, I looked up Albert Damoc and found that he seems to work for a Hungarian refugee outfit in Bucharest, which was how I stumbled across this thread.


  • 8 years later...

[DNS record listing for llyodservicesinc.com, with sections for A records, MX records (mail) and SOA records (Start of Authority); only the host name column was preserved.]

Not sure if this helps but I have recently come across these sites.

Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to [link removed] detailed information.
Domain Name: LLYODSERVICESINC.COM
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Whois Server: whois.PublicDomainRegistry.com
Referral URL: [link removed]
Name Server: BENJ481502.EARTH.ORDERBOX-DNS.COM
Name Server: BENJ481502.MARS.ORDERBOX-DNS.COM
Name Server: BENJ481502.MERCURY.ORDERBOX-DNS.COM
Name Server: BENJ481502.VENUS.ORDERBOX-DNS.COM
Status: clientTransferProhibited
Updated Date: 22-jun-2014
Creation Date: 22-jun-2014
Expiration Date: 22-jun-2015
>>> Last update of whois database: Wed, 02 Jul 2014 12:22:40 UTC

Name servers

benj481502.mercury.orderbox-dns.com

IP : 50.23.136.230

Country : United States

benj481502.earth.orderbox-dns.com

IP : 67.15.253.220

Country : United States

Region : TX

City : Houston

ISP : THEPLANET.COM INTERNET SERVICES

Organization : Optical Jungle

Position : 29.775 / -95.613

benj481502.venus.orderbox-dns.com

IP : 50.23.75.45

Country : United States

benj481502.mars.orderbox-dns.com

IP : 184.173.149.222

Country : United States


- See more at: http:/ /wscheck.com/trust-report/llyodservi...h.aWMJjngD.dpuf

173.193.105.241 IP address information

Passive DNS replication

VirusTotal's passive DNS only stores address records. The following domains resolved to the given IP address.


Latest detected URLs

Latest URLs hosted in this IP address detected by at least one URL scanner or malicious URL dataset.


Latest undetected files that were downloaded from this IP address

Latest files that are not detected by any antivirus solution and were downloaded by VirusTotal from the IP address provided.

0/46 2014-06-06 23:24:36 b03f07d20c282cb8d7151e0546e2e3631c882f1e96de8384001d0c87aade75d4

0/47 2013-06-09 06:27:26 a86ff27cc9788fa9e2796a024bc4955f8710cd53690f79ddb1835c45b7c9aeb9

Latest detected files that communicate with this IP address

Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.

49/51 2014-06-06 02:43:21 9c50f43ba57aebfb465abf25d889d6c74d59f56d5525ce42238140448974db50

The last info was from VirusTotal. Anyways, I have no clue if this helps, but I figure any info is better than no info.

[Edit 2-Jul-2014 2:55 pm EDT by SteveT (turetzsr) to remove hyperlinks to reduce the chance that someone might navigate unintentionally]


Archived

This topic is now archived and is closed to further replies.
