Jump to content
Sign in to follow this  
bobbear

'Bomb proof' registrars...

Recommended Posts

I mentioned in a response to a thread about rgnames that totalregistrations (Total Web Solutions) won't accept any abuse report other than false whois data. I wonder what the feeling is about submitting spam abuse reports to them anyhow? Should they be made aware that a good number of their clients are prolific spammers? Why should I have to put up with rolex23 . com etc continually spamming me when they don't want to know??

Share this post


Link to post
Share on other sites

What response have you gotten from info[at]totalregistrations.com or any of the other info on http://www.internic.net/registrars/registrar-131.html per InterNIC - Registrar List, especially with regard to violations of "spamming" per Section 3.4.1. of the Terms and Conditions of "the Registration Agreement between you and Total Web Solutions Limited trading as Total Registrations" at TOTAL REGISTRATIONS : TERMS?

Share this post


Link to post
Share on other sites
What response have you gotten from info[at]totalregistrations.com or any of the other info on http://www.internic.net/registrars/registrar-131.html per InterNIC - Registrar List, especially with regard to violations of "spamming" per Section 3.4.1. of the Terms and Conditions of "the Registration Agreement between you and Total Web Solutions Limited trading as Total Registrations" at TOTAL REGISTRATIONS : TERMS?

34857[/snapback]

I'm glad you asked that... :)

I had a dialogue via the info[at]totalregistrations . com address, the bottom line of which was "Hi Bob,

We cannot take any action unless whois details are incorrect - we do not provide web / mail services and therefore have no acceptable use policy that would allow us to suspend service in cases of alleged spamming - all we can do is suggest that you contact the host responsible.

I'm sorry that I can't be more help.

Kind Regards,

L*****

Domains Department

Total Registrations."

I haven't yet followed it up as I have been ploughing, (plowing... :) ), through other registrars T's & C's trying to get other floods of spam stopped like the 30 odd a day I was getting from roseshoney . com alone up until a couple of days ago, (now ceased) and another 30 odd a day from cooldear . com, (also now ceased). I'll give them another try now you've kindly done that research for me... :) It strikes me that some registrars are reluctant to take action unless you can point out the letter of the agreement they have with their clients to tell them that they do indeed have the power to at least put a registrar-hold on the site and then ultimately cease it.

Share this post


Link to post
Share on other sites

Well, as much as I'd like to see registrars yank spammer sites, I have to side with them in saying "If the registration info is correct, they're doing their job, the host is the one with content/usage AUP's". I.e., the Total Registrations policy Jeff G. was referring to says:

"Total Registrations may make available to you upon your request a catch-all mailbox service ... You warrant that you will not and neither will you suffer or permit any other party to use either the catch-all mailbox service or the individual mailbox forwarding service ... for spamming..."

So, a spamvertised website has nothing to do with their AUP, just a mailbox if they make it available. Again, I would see most people handling that through their host, not their registrar, so it may be referring to a separate service offered by the company.

The real problem is that the registrars push through obviously bogus data for the whois listing. Example:

Cooldear Whois (Enom.com)

and a secondary problem, as per the email address given in the listing above:

Chillblow Whois (Enom.com)

i.e., the Whois protection services that hide all info from the Whois database. Seems to be getting rather common, and there's little way to weed out forged or 'throwaway' listings.

Enom.com has been the top offender in this, at least that I've dealt with. Seems one spammer group in particular pushes the +1.5555555555 phone numbers in all of their listings, and I find more of them every day. Also, so many others now just generate false but legit looking foreign names/addresses (e.g., Roelf Van der Brug who lives all over Amsterdam with a taiwanmedialtd.com admin email address. Whois HERE (SamSpade.org)

Edit: Fixed URL's

Edited by Jank1887

Share this post


Link to post
Share on other sites

Having had a close look at the totalregistration T's & C's you, (& they), appear to be quite right on the lack of provision in their AUP to take down a site on other than on a mailservice abuse issue, unfortunately. I don't know enough about the system to know what the requirements for ICANN registration are, but a standardised robust general AUP should be part of it IMHO.

Personally I don't mind who takes the site down as long as it is accomplished as soon as possible after sufficient evidence of malpractice against an AUP is provided. Like everyone, I'm just sick of floods of spam day after day from exactly the same domains, (optiononions . com are todays target... :angry:). The registrars are earning money from the registrants just as the hosts are, so I don't see a real distinction and it is arguable that the registrars are in a better position to take sites down as they are more regulated and accountable. It may push the cost of registering a site up, but that can only be a good thing as long as every registrar is forced to play on a level playing field. Just my 2p's (2c's) worth......

Share this post


Link to post
Share on other sites

From The ICANN FAQ:

ICANN's role is very limited, and it is not responsible for many issues associated with the Internet, such as financial transactions, Internet content control, spam (unsolicited commercial email), Internet gambling, or data protection and privacy.

Is ICANN the proper authority to report spam?

No. ICANN is a private, non-profit technical coordination body for the Internet's name and numbering systems. The content of an e-mail message, ftp file, or web page bear no inherent relation to the assigned domain name, and therefore fall outside of ICANN's policy-making scope. If you have a problem with the way somebody is using the Internet, you should take it up directly with that person or with the applicable Internet Service Provider or governmental agency depending on the circumstances.

In other words, for ICANN to function properly, it's primary job is to make sure that if you type a URL into your browser, you get the information from the proper site. In addition:
Information about who is responsible for domain names is publicly available to allow rapid resolution of technical problems and to permit enforcement of consumer protection, trademark, and other laws
Thus it's secondary function is to make valid contact information available for all domains, to allow "rapid problem resolution".

ICANN doesn't and shouldn't care about content, legality, or ethics behind the domains. They provide a technical function to maintain operability. Any content enforcement is the responsibility of the host. Apart from any extra services provided by a registrar, their make money by connecting URL's to IP addresses, and even if it's an abusive site, they've done their job honestly and correctly as long as it works. You don't place responsibility with the phone company to stop providing service to the mob because they have conversations about illegal activity (tangential analogy, but hey, I haven't had my coffee yet.)

Now, with regard to my comment about the "hidden" or "protected" whois information, the ICANN FAQ has this to say:

The registrar will make this information available to the public on a "Whois" site. It is however possible to register a domain in the name of a third party, as long as they agree to accept responsibility.
So, that seems to be acceptable. Annoying, but acceptable. If the spammer is willing to pay the extra $10 a month, many registrars provide an "information privacy" service, where they supply aliased info to the whois database, which will supposedly get through to the real person (making it supposedly non-fraudulent contact info). However, I can see where it would be easy for spammers to create their automated dummy registrations, using this to hide obviously bogus contact info.

All that said, basically what it comes down to is this: if their registration info is bogus, sent a complaint through Internic via the Whois Data Problem Report System. I've yet to see a site pulled for this, but it's supposed to work that way. You have to provide a valid name and email address, so I suggest using a Sneakemail address if you're concerned. Also, don't mention spam. They rightfully don't care about spam. Just point out obvious errors and falsifications. E.g., the (555)555-5555 phone numbers, addresses missing information, bogus addresses (if mapquest says it doesn't exist, etc.) Keep the error description very brief and to the point. If the info cannot be 'verified' or corrected, they're supposed to freeze the listing. But, that's the individual registrar's responsibility. (You're complaint gets forwarded to them, they try to take action, etc.)

Also, if you notice one particular registrar keeps pushing really poor data onto the system (e.g., the 50-or-so sites that were probably auto-registered with that bogus phone number), you can file a Registrar Problem Report. Complain about their lack of oversight and recommend their qualifications for accreditation be re-evaluated.

From Registrar Accreditation Agreement:

3.7.7.1 The Registered Name Holder shall provide to Registrar accurate and reliable contact details and promptly correct and update them during the term of the Registered Name registration, including: the full name, postal address, e-mail address, voice telephone number, and fax number if available of the Registered Name Holder; name of authorized person for contact purposes in the case of an Registered Name Holder that is an organization, association, or corporation

3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration.

So, if a Registrar is required to collect said information, and they repeatedly allow false information through, and don't remediate, that seems to be grounds for a complaint.

Edit: Typos, spacing.

Edited by Jank1887

Share this post


Link to post
Share on other sites
if their registration info is bogus, sent a complaint through Internic via the Whois Data Problem Report System.  I've yet to see a site pulled for this, but it's supposed to work that way.  You have to provide a valid name and  email address, so I suggest using a Sneakemail address if you're concerned. Also, don't mention spam.  They rightfully don't care about spam.  Just point out obvious errors and falsifications.  E.g., the (555)555-5555 phone numbers, addresses missing information, bogus addresses (if mapquest says it doesn't exist, etc.) Keep the error description very brief and to the point.  If the info cannot be 'verified' or corrected, they're supposed to freeze the listing.  But, that's the individual registrar's responsibility. (You're complaint gets forwarded to them, they try to take action, etc.)

34902[/snapback]

That page Whois Data Problem Report looks like the following:
Whois Data Problem Report System

Thank you for visiting the Whois Data Problem Report System. This form allows Internet users to submit reports to ICANN-Accredited Registrars concerning incomplete or inaccurate Whois data.

(Important note: If you are trying to update your own contact details associated with a domain you have registered please visit your registrar's website or contact your registrar directly.

All accredited registrars have agreed with ICANN to obtain contact information from registrants, to provide it publicly by a Whois service, and to investigate and correct any reported inaccuracies in contact information for domain names registered through them.

Reports submitted through this facility will be forwarded to the appropriate registrar for handling, and the progress of your report will be tracked.

To submit a Whois Data Problem Report, please begin by entering the domain name in question, along with your name and email address below:

Domain Name:  [Domain with the problem Whois data]

Your Name:  [Your Name]

Your Email:  [A working email address for you]

[submit] [Clear]

Privacy Notice:

This report form requests your personal data and records your IP address in order to prevent frivolous reports or other misuse of this system. This information and the other data you submit on this form will be recorded and forwarded to the registrar responsible for investigating the report. You will be receiving a confirmation email to the address you provide, and we may use your email address to contact you to follow-up on the status of your report.

Comments should be sent to webmaster[at]internic.net

Now, you may ask yourself "what happens if I click the 'Submit' Button on that page?" That's a good question, and I'm here to explain the answer.

Once you click the "Submit" Button on that page, you should be presented with another page, displaying the following information:

InterNIC - Whois Data Problem Report

Domain: [Domain with the problem Whois data]

Report from: [Your Name]

Email: [A working email address for you]

Here is the current whois data for [Domain with the problem Whois data]. Please identify the problem areas in the form below, and submit the report. You will receive a tracking number via the email address you provided. This tracking number must be used to confirm the report. Complete instructions will be included in the confirmation email itself.

Current Whois Data

REGISTRAR WHOIS:

[Reply from the Registrar's Whois Service]

Registrar: [Name of Registrar]

Whois Server: [Registrar's Whois Server]

   

Inaccurate Data Elements (check all that apply)

Registrant Data

Field(s) in Error

Name

Address

Phone/Fax

Email

Please describe the problem

Administrative Contact Data

Field(s) in Error

Name

Address

Phone/Fax

Email

Please describe the problem

Technical Contact Data

Field(s) in Error

Name

Address

Phone/Fax

Email

Please describe the problem

Name Server Data

Field(s) in Error

Names

IP Addresses

Please describe the problem

Registration Dates

Field(s) in Error

Creation Date

Expiration Date

Please describe the problem

If you have any further explanatory comments, please use the text box below.

Important note: Domains with inaccurate whois data may be subject to deletion. If you are attempting to get your registrar to correct inaccurate data about your registration, you should contact your registrar for assistance. If you are the registrant of this domain, and you still want to proceed with filing this report, please check the following box:

[_] I am submitting information about a domain I registered [Generally, you won't want to check this box]

After you complete the above form, please click the "Submit" button below to submit your report. A message will be sent to the email address you gave with a tracking number and a URL you must use to confirm your report. Reports that are not confirmed within 5 days will be discarded automatically.

[submit] [Clear]

Comments should be sent to webmaster[at]internic.net

Note that "Reports that are not confirmed within 5 days will be discarded automatically" is currently untrue. There is, however, the off chance that you will be presented with the following instead:
Sorry, but the Whois Data Problem Report tool cannot currently be used to submit reports for domain names in the TLD ([Top Level Domain of the domain with the problem Whois data]) you entered. Please contact the relevant registrar or registry directly for assistance.
In such case, please follow that advice. Current personal evidence is that TLDs in which "the Whois Data Problem Report tool cannot currently be used to submit reports for domain names" (to my utter consternation) are ccTLDs (all country code Top Level Domains sampled so far, including .US, .WS, .TV, and even .EU), plus .ARPA, .MIL, .GOV, .INT. and .JOBS. I have confirmed that the Whois Data Problem Report tool CAN currently be used to submit reports for domain names in TLDs .AERO, .BIZ, .COM, .COOP, .EDU, .INFO, .MUSEUM (although whois.museum times out at present) .NAME, .NET, and .ORG.

Here's what the confirmation email looks like:

Received: from wdprs.internic.net ([192.0.34.116])

          (envelope-sender <apache[at]wdprs.internic.net>)

          by [Your mailserver] with SMTP

          for <[A working email address for you]>; 24 Oct 2005 14:15:47 -0000

Received: from wdprs.internic.net (localhost.localdomain [127.0.0.1])

by wdprs.internic.net (8.12.10/8.12.10) with ESMTP id j9OECsGr011401

for <[A working email address for you]>; Mon, 24 Oct 2005 07:12:54 -0700

Received: (from apache[at]localhost)

by wdprs.internic.net (8.12.10/8.12.10/Submit) id j9OECrkN011399;

Mon, 24 Oct 2005 07:12:53 -0700

Date: Mon, 24 Oct 2005 07:12:53 -0700

Message-Id: <200510241412.j9OECrkN011399[at]wdprs.internic.net>

From: WDPRS[at]internic.net

To: [A working email address for you]

Reply-to: WDPRS[at]internic.net

Subject: Please Confirm Your Whois Data Problem Report

Hello [your name],

A 'Whois Data Problem Report' has been submitted to Internic.net by you,

or someone claiming to be you, regarding the domain name

'[Domain with the problem Whois data]'.

In order for this report to be entered into our tracking system and

processed further, it must be confirmed.  Reports that are not

confirmed within five days are automatically deleted by the system.

Please carefully review the following copy of your report before

confirming it:

================================================================

Domain: [Domain with the problem Whois data]

Submitted: 2005/10/24 07:12:53

Registrar: [Name of Registrar]

Reporter Name: [Your Name]

Reporter Email: [A working email address for you]

Reporter IPAddr: [Your IP Address used when pressing the "Submit" Button above]

[Whichever of the following apply; only sections, field descriptors, and fields for fields with data appear (that is, no empty sections or fields appear)]

Errors in Registrant Information:

    Name:INCORRECT

    Address:INCORRECT [Note that this item is not strictly required, but can be reported if incorrect]

    Phone:INCORRECT [Note that this item is not strictly required, but can be reported if incorrect]

    Email:INCORRECT [Note that this item is not strictly required, but can be reported if incorrect]

    Description:

[Whatever Registrant Information problem description you provided above]

Errors in Administrative Contact Information:

    Name:INCORRECT

    Address:INCORRECT

    Phone:INCORRECT

    Email:INCORRECT

    Description:

[Whatever Administrative Contact Information problem description you provided above]

Errors in Technical Contact Information:

    Name:INCORRECT

    Address:INCORRECT

    Phone:INCORRECT

    Email:INCORRECT

    Description:

[Whatever Technical Contact Information problem description you provided above]

Errors in Name Server Data:

    Names:INCORRECT

    IP Addresses:INCORRECT [Note that these are not strictly required, but can be reported if incorrect]

    Description:

[Whatever Name Server Data problem description you provided above]

Errors in Registration Dates:

    Creation Date:INCORRECT

    Expiration Date:INCORRECT

    Description:

[Whatever Registration Dates problem description you provided above]

Explanation:

[Whatever further explanatory comments you provided above]

================================================================

                WHOIS INFORMATION AS OF 2005/10/24 07:12:53

REGISTRAR WHOIS:

[Reply from the Registrar's Whois Service]

REGISTRY WHOIS:

[Reply from whois.crsnic.net, the Registry Whois Service]

================================================================

If this report was not submitted by you, please simply disregard it. If

you submitted the report, but it contains errors, please disregard this

version, return to the problem report page at

    http://wdprs.internic.net/

and submit a new report.

If the data above is what you intended to submit, please confirm your

submission by visiting the following URL:

    [Your Confidential Confirmation URL]

Thank you for your help.

Best regards,

InterNIC Whois Data Problem Reports System

Note that "Reports that are not confirmed within five days are automatically deleted by the system" is currently untrue. Once you confirm your intent by clicking on [Your Confidential Confirmation URL] (please do it ASAP to avoid forgetting about it), you should see a page entitled "Thank You" that says "Your report concerning whois data inaccuracy regarding the domain has been confirmed. You will receive an email with further details shortly. Thank you." If you attempt to confirm again by mistake or wish to check the status of your report, the page will be entitled "Confirm Error" and will only show "Current status is '[Current Status]'", where [Current Status] may be queued, sent, followup, or possibly something else. You should very shortly receive another email like the following:
Received: from wdprs.internic.net ([192.0.34.116])

          (envelope-sender <apache[at]wdprs.internic.net>)

          by [your mailserver] with SMTP

          for <[A working email address for you]>; 24 Oct 2005 15:06:04 -0000

Received: from wdprs.internic.net (localhost.localdomain [127.0.0.1])

by wdprs.internic.net (8.12.10/8.12.10) with ESMTP id j9OF3BGr011634

for <[A working email address for you]>; Mon, 24 Oct 2005 08:03:11 -0700

Received: (from apache[at]localhost)

by wdprs.internic.net (8.12.10/8.12.10/Submit) id j9OF3BWb011632;

Mon, 24 Oct 2005 08:03:11 -0700

Date: Mon, 24 Oct 2005 08:03:11 -0700

Message-Id: <200510241503.j9OF3BWb011632[at]wdprs.internic.net>

From: WDPRS[at]internic.net

To: [A working email address for you]

Reply-to: WDPRS[at]internic.net

Subject: Confirmation of Whois Data Problem Report re: [Domain with the problem Whois data]

Hello [Your Name],

Thank you for your submitting and confirming your Whois Data report re: 

[Domain with the problem Whois data].  Your report has been entered into ICANN's database.

A copy of your report will be forwarded directly to the sponsoring

registrar for investigation.  The sponsoring registrar is responsible

for investigating and correcting the data in response to your report as

described in ICANN's "Registrar Advisory Concerning Whois Data Accuracy"

    <http://www.icann.org/announcements/advisory-10may02.htm>. 

For additional background information regarding registrars' Whois data

accuracy obligations, see also the Registrar Advisory Concerning the

'15-day Period' in Whois Accuracy Requirements

    <http://www.icann.org/announcements/advisory-03apr03.htm>. 

As discussed in detail in these advisories, it might legitimately take

up to several weeks for the registrar to take action in response to your

report.

Please save this email as a record of your report.  If you have reason

to believe that the sponsoring registrar may not be fulfilling its

obligations, please forward your copy of this e-mail, along with any

other relevant information, to ICANN's Registrar Liaison department at

<registrar-info[at]icann.org>.  ICANN will review your submission and work

with the registrar to ensure compliance.  Also, in order to assist our

efforts to improve Whois data accuracy, we may contact you later via

e-mail to follow-up concerning the registrar's handling of your report.

Thank you again for taking the time to help improve Whois accuracy by

submitting your report.

Best regards,

InterNIC Whois Data Problem Reports System

The registrar-info[at]icann.org email address above has its own confirmation process FOR EACH AND EVERY EMAIL YOU SEND IT. The confirmation email it sends looks like the following:
Received: from unknown (HELO hudson.icann.org) ([192.0.35.118])

          (envelope-sender <registrar-info[at]hudson.icann.org>)

          by [Your mailserver] with SMTP

          for <[A working email address for you]>; 2 Aug 2005 19:29:38 -0000

Received: (from registrar-info[at]localhost)

by hudson.icann.org (8.11.6/8.11.6) id j72JTcV22079;

Tue, 2 Aug 2005 12:29:38 -0700

Date: Tue, 2 Aug 2005 12:29:38 -0700

Message-Id: <200508021929.j72JTcV22079[at]hudson.icann.org>

From: registrar-info[at]icann.org

To: [A working email address for you]

Subject: ConfirmSystem: registrar-info[at]icann.org [[[Your Confidential Confirmation Code for this email, in a double set of brackets]]]

X-Loop: confirm-system

Precedence: bulk

X-Nonspam: None

X-Antivirus: AVG for E-mail 7.0.338 [267.9.8]

Mime-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Hello, and thank you for your message.

You have sent a message to an email address at ICANN.  Unfortunately, we

collect a tremendous amount of spam, and we have been forced to

implement protective measures.  In order to process your message we need

to confirm that it came from a real email address.  To confirm your

message, you can either:

  1) Reply to this message, without altering the subject line

    The "Re: " added by many mail clients is OK, but please note

    that this method is *not* foolproof.

   

or 

 

  2) Visit the URL

        <http://confirm.icann.org/?s=[Your Confidential Confirmation Code for this email]&l=registrar-info[at]icann.org>

       

If you want to be very sure that your message gets through, do both steps

above -- it does no harm to confirm more than once.

For your reference, the subject of the message you sent was:

  "[Your original subject]"

and it arrived at ICANN approximately Tue Aug  2 12:29:38 2005. [Pacific Time, -0800 PST or -0700 PDT]

Thank you for your interest in ICANN

---------------------------------------------------------------

ConfirmSystem: registrar-info[at]icann.org [[[Your Confidential Confirmation Code for this email, in a double set of brackets]]]

1[sic]

About 47 days later, you should get a followup email message that looks like the following:
Received: from unknown (HELO wdprs.internic.net) ([192.0.34.116])

          (envelope-sender <root[at]wdprs.internic.net>)

          by [Your mailserver] with SMTP

          for <[A working email address for you]>; 23 Oct 2005 08:22:23 -0000

Received: from wdprs.internic.net (localhost.localdomain [127.0.0.1])

by wdprs.internic.net (8.12.10/8.12.10) with ESMTP id j9N8JYGr001201

for <[A working email address for you]>; Sun, 23 Oct 2005 01:19:34 -0700

Received: (from root[at]localhost)

by wdprs.internic.net (8.12.10/8.12.10/Submit) id j9N8JXvJ001199;

Sun, 23 Oct 2005 01:19:33 -0700

Date: Sun, 23 Oct 2005 01:19:33 -0700

Message-Id: <200510230819.j9N8JXvJ001199[at]wdprs.internic.net>

From: WDPRS[at]internic.net

To: [A working email address for you]

Reply-to: WDPRS[at]internic.net

Subject: [Domain with the problem Whois data] -- Whois Data Problem Report

Hello [Your Name],

This message is in follow-up to the Whois Data Problem Report you submitted

on September 05, 2005 regarding [Domain with the problem Whois data].  As indicated to you

at the time of submission, a copy of your report was forwarded to the

sponsoring registrar for investigation.  We would appreciate it if you could

assist us in monitoring registrar compliance with Whois data accuracy

obligations by selecting one of the options below:

    1. The data inaccuracy was corrected.  Please go to the following URL:

    <http://wdprs.internic.net/cgi/followup.cgi?a=r&s=[Your Confidential Confirmation Code for this email]&r=corrected>

    2. The domain has been deleted or re-registered.  Please go to:

    <http://wdprs.internic.net/cgi/followup.cgi?a=r&s=[Your Confidential Confirmation Code for this email]&r=deleted>

    3. The whois data is still inaccurate.  Please go to:

    <http://wdprs.internic.net/cgi/followup.cgi?a=r&s=[Your Confidential Confirmation Code for this email]&r=unchanged>

    4. None of the above.  Please go to:

    <http://wdprs.internic.net/cgi/followup.cgi?a=r&s=[Your Confidential Confirmation Code for this email]&r=other>

For your reference, the current whois data for the domain is appended below.

Thanks again for your assistance.

Best regards,

InterNIC Whois Data Problem Reports System

================================================================

                WHOIS DATA AS OF 2005/10/23 01:15:00

REGISTRAR WHOIS:

[Reply from the Registrar's Whois Service]

REGISTRY WHOIS:

[Reply from whois.crsnic.net, the Registry Whois Service]

================================================================

Please do the requisite research and click the appropriate URL.

A few notes regarding CSL Computer Service Langenbach GmbH d/b/a joker.com:

ALL domains registered through joker.com should be reported, as whois.joker.com does not normally report Name, Address, or Phone/Fax for Administrative and Technical Contacts.

About 8 days after reporting any domain registered through joker.com, you will be blind copied on an email that looks like the following:

Received: from unknown (HELO mail1.joker.csl.de) ([194.245.101.86])

          (envelope-sender <udrp[at]joker.com>)

          by [Your mailserver] with SMTP

          for <[A working email address for you]>; 2 Aug 2005 17:45:23 -0000

Received: (qmail 18676 invoked from network); 2 Aug 2005 17:45:22 -0000

Received: from private.int.joker.csl.de (HELO private.joker.csl.de) (192.168.99.1)

  by mail1.joker.csl.de with SMTP; 2 Aug 2005 17:45:22 -0000

Received: (qmail 13178 invoked by uid 500); 2 Aug 2005 17:45:21 -0000

Date: 2 Aug 2005 17:45:21 -0000

Message-ID: <20050802174521.13177.qmail[at]private.joker.csl.de>

From: udrp[at]joker.com

To:

Reply-to: udrp[at]joker.com

Subject: address complaint for domain: [Domain with the problem Whois data]

To whom it may concern

The domain nrw.net is registered on your behalf at JOKER.COM.

We got an announcement that the address-record of the owner of

this domain may be incomplete or wrong. Therefore we have "freezed"

the status of that domain, so nobody can change anything related

to that domain until the case is finished.

We are acting according the rules set by www.ICANN.org to which

all registrars are bound.

Please report to us by FAX (email will not be accepted) within 14 days

(see also the T&C Art. 5 you agreed to).

  Fax +41 41 758 0548

  Joker.com

  Department of Domains / Invalid Address

  Po Box  458

  CH-6300 Zug

  Switzerland

---------------------------------------------------------------------

I ASSURE that the address of the owner of the domain as shown below

  (mark one of the following 2 sections)

  a) IS CORRECT ..................... [  ] .. continue below at (A)

  B) WILL BE CORRECTED IMMEDIATELY .. [  ] .. continue below at (B)

(You will find the actual whois data at the end of this email.)

---------------------------------------------------------------------

A) IN CASE THE ADDRESS IS CORRECT

If the address of the owner of the domain as shown below is correct,

confirming the correctness by sending a fax with the complete printout

of this mail (including the whois) at Joker.com to +41 41 758 0548.

(enter the requested owner-data, the data should match with the data

as shown by the WHOIS)

  Domain-Owner:

  Full Name in Printing: _________________________________________

  Organization: ________________________________________________

  Date and Signature: ____________ / _____________________________

Please confirm also that the domain is NOT used for UCE / spam.

  I assure that this domain is NOT used for UCE / spam.

  Full Name in Printing: _________________________________________

  Organization: ________________________________________________

  Date and Signature: ____________ / _____________________________

NOTE: Without 2 signatures we do not accept this confirmation.

This notification has to be signed only by the current domain-owner.

---------------------------------------------------------------------

B) IN CASE YOU WANT TO CHANGE THE ADDRESS

You will have to initiate an invalid-address ownerchange.

Login to the joker.com "Servicezone" and select at "Domain Settings"

the "Domain - Owner Change" option (change an incomplete or wrong

address-record) and follow the online-instruction.

Send us the invalid-address documents by fax.

  Fax +41 41 758 0548

It will then be processed at our office.

---------------------------------------------------------------------

Respectfully

Siegfried Langenbach on behalf of udrp[at]joker.com

The address of the following domain is wrong

[info from joker.com's database, some of which (like the contact addresses) is not available via a standard query to whois.joker.com]

---------end whois--------------

In order to preserve the integrity of the process, please make sure that you whitelist apache[at]wdprs.internic.net, WDPRS[at]internic.net, registrar-info[at]hudson.icann.org, registrar-info[at]icann.org, root[at]wdprs.internic.net, and udrp[at]joker.com at [A working email address for you].

Of course, inaccurate whois data can also be submitted for listing in the whois.rfc-ignorant.org zone in accordance with Listing policy for the whois.rfc-ignorant.org zone AKA whois.rfc-ignorant.org listing policy and General Listing Policy.

That's all I've got so far. I'll update when I get more info.

Edit: 2005/10/26 13:55 EDT -0400 Jeff G. spent a lot of time fleshing out this info.

Edit: 2005/10/26 19:33 EDT -0400 Jeff G. updated the TLDs.

Edit: 2006/01/07 22:44 EST -0500 Jeff G. updated the followup email message timing and zapped the emoticons in favor of "B)".

Edited by Jeff G.

Share this post


Link to post
Share on other sites
ICANN doesn't and shouldn't care about content, legality, or ethics behind the domains.  They provide a technical function to maintain operability.  Any content enforcement is the responsibility of the host.  Apart from any extra services provided by a registrar, their make money by connecting URL's to IP addresses, and even if it's an abusive site, they've done their job honestly and correctly as long as it works.  You don't place responsibility with the phone company to stop providing service to the mob because they have conversations about illegal activity (tangential analogy, but hey, I haven't had my coffee yet.)
Not a good analogy! Phone companies will act on cases where abuse of the system such as crank calls or obscene phone calls affect third parties, which is a better analogy to spam. However, you've missed the registrars out of the equation between ICANN and host in your first paragraph. That is important because I wasn't suggesting for a minute that ICANN should take a pro-active role in policing the content of domains - that indeed would not be possible. What I was suggesting was that ICANN should have a role in ensuring that accredited registrars have a standardised AUP in place that would enable the registrars themselves to act, (as they are perfectly capable of doing), on other blatant cases of abuse of the system than just false whois data which I regard as a side issue.

At the moment there are responsible registrars that do have a pro-active AUP in place and will pull registrations if the incontrovertible proof of abuse is presented to them in the correct manner. The point is, they do have that power and I see no reason why more registrars should not be encouraged to use it as the more responsible ones already do.

I've heard the vociferous argument so many times that "only the hosts can be responsible for policing the sites they host". With all due respect, I believe that's a complete cop-out. Unfortunately if that remains the case then I think the situation is lost as they themselves cannot be policed. Any cowboy outfit can set up shop as a host in Guang-Dong province of Outer Mongolia, (no offence to Outer Mongolians everywhere - they're lovely people...), or anywhere in the world and who doesn't give a two-x never mind a four-x about spammers and other abusers of their system.

I've seen my daily spam inexorably climb over the last year or two from 20-30 a day through 40-50, 60-70 and it's now well over a hundred a day with no apparent measure under the current system showing any sign whatsoever of being effective, quite the reverse. I see all the same hosts being reported all the time, I see the SpamCop 'no-masters' increase as abuse teams such as kornet simply give up the unequal struggle and just bounce abuse reports.

The only small victories I have personally achieved have been in persuading the more responsible registrars to pull the sites such as roseshoney . com that bombarded me with more than about 30 spams a day, (I do not have the time to report all of them).

I believe it's time for a more pragmatic and holistic approach to the problem.

Share this post


Link to post
Share on other sites
About 18 days later, you should get another email that looks like the following:

34904[/snapback]

I've been submitting bogus registrations since Oct 3rd, and haven't gotten anything back after the submittal confirmation email. (submitted ~70 domains since then, many of the quite obvious forgery variety).

Share this post


Link to post
Share on other sites

In addition, what's your opinion of the following registrations:

dumpetab-dot-com Whois

I see this format at least 2-5 times a day. Although slightly out of order, the addresses check out on mapquest, all info is present, and the phone number format is correct. However, as I said, I see this identical listing format (last name in caps, zip, city, state in same strange order, code after the persons name. All with spam sites.

It used to be that all the ones that looked like that were all missing the state information, such as:

cosharerha-dot-com whois

(I reported that one 16OCT2005 and it's still there.) Recently the same format has been used, but now the state is included as in the first link.

another:caxedin-dot-com whois

All of those are through bookmyname.com. Now, does that look like a bulk registration scri_pt format, or is that just how bookmyname formats all their listings?

Share this post


Link to post
Share on other sites
In addition, what's your opinion of the following registrations:

35373[/snapback]

In a word: Bad.
All of those are through bookmyname.com.  Now, does that look like a bulk registration scri_pt format, or is that just how bookmyname formats all their listings?

35373[/snapback]

Are you discounting the possibility that it's both? They appear to have strange ways of presenting information in France, which appear inconsistent with USPS regulations. For more contact info, please see http://www.internic.net/registrars/registrar-74.html.

Share this post


Link to post
Share on other sites
Are you discounting the possibility that it's both?

35383[/snapback]

Let's see, would I discount the possibility that spammers came up with a somewhat legitimate looking bogus registration format... Now, that would imply me giving them credit for possessing some sort of intelligence. We know that to not be the case. However, put a million monkeys in front of a million typewriters...

Based on the number of similar spams using the same format, all with different registrations, I figure they're all bogus. Likely pulled from a whitepages listing, telephone book, or something. Unfortunately, according to ICANN, if it's a validly formed address, and the location exists, there's nothing to base a listing complaint on. ICANN doesn't require formatting to meet USPS standards, just that the information be provided, which it is. And, since 95% of them are chinatiatong or whatever, host isn't ever going to remove the site, and there's no grounds for a whois listing complaint, so... they're safe?

Share this post


Link to post
Share on other sites
ICANN doesn't require formatting to meet USPS standards

35426[/snapback]

Do you have a source for that statement? IMHO, if it's not a deliverable address, it's a fake address, and therefore in violation of ICANN's rules, policies, and procedures as implemented in their agreements, as well as RFC1032.

Share this post


Link to post
Share on other sites
Do you have a source for that statement?  IMHO, if it's not a deliverable address, it's a fake address, and therefore in violation of ICANN's rules, policies, and procedures as implemented in their agreements, as well as RFC1032.

35428[/snapback]

I'd like to jump in here if I may. I have an observation and a 'technical' question.

For some time I've found "Joker" to be the registrar for many, many spammers. I've emailed them and filled out their "Report Spammers" web page. Many times I would find the postal and email contact addresses false.

Godaddy used to be real bad at this too.

The "fake" registrations happened in batches, e.g. 'watches1here.com', watch1eshere.com...

It seems to me that Joker and other registrars could screen addresses easily. I often add a 'unique' #Apt # to my online ordering to see who's selling my address.

Occasionally my 'creative' address is rejected, being cross-checked.

*Technical Question:

The spammers that have my Comcast address all use a; "Http://.... watches.com#bogus.org" (substitute .info and others)

This seems to confuse Spamcop and any number of 'refreshes' will not find the "...watches.com". If I manually strip the '#bogus' from the URL Spamcop finds it fine. Here's a real example of a method I used today:

(For this example I made a copy of the unedited URL and then stripped the '#aenmqhcr'.)

<A parse="parsed by recipient" href="h

ttp:

//TgpqF>%2Eqcssgqlnlw3k41m4hggdh1g93ygy%2Ecadiueioam.org"><!-- A parse="parsed by recipient" href="h

ttp:

//TgpqF>%2Eqcssgqlnlw3k41m4hggdh1g93ygy%2Ecadiueioam.org#aenmqhcr" --!>

SpamCop's reply:

"Resolving link obfuscation

http://tgpqf>%2eqcssgqlnlw3k41m4hggdh1g...am.org#aenmqhcr

Percent unescape: http://tgpqf>.qcssgqlnlw3k41m4hggdh1g93...am.org#aenmqhcr

host tgpqf (getting name) no name

tgpqf is not a hostname

Tracking link: http://tgpqf>.qcssgqlnlw3k41m4hggdh1g93...am.org#aenmqhcr

No recent reports, no history available

Cannot resolve http://tgpqf>.qcssgqlnlw3k41m4hggdh1g93...am.org#aenmqhcr

-- after edit --

Resolving link obfuscation

http://tgpqf>%2eqcssgqlnlw3k41m4hggdh1g...ecadiueioam.org

Percent unescape: http://tgpqf>.qcssgqlnlw3k41m4hggdh1g93ygy.cadiueioam.org

host tgpqf (getting name) no name

tgpqf is not a hostname

Tracking link: http://tgpqf>.qcssgqlnlw3k41m4hggdh1g93ygy.cadiueioam.org

[report history]

Resolves to 222.122.52.121

Routing details for 222.122.52.121

[refresh/show] Cached whois for 222.122.52.121 : ip[at]ns.kornet.net abuse[at]kornet.net

Using best contacts abuse[at]kornet.net

BTW this is the first spam I've gotten from an .org address.

Suggestions and wisdom desired!

Thanks

Share this post


Link to post
Share on other sites
Suggestions and wisdom desired!

36137[/snapback]

That certainly does appear to be a bug in SpamCop's Parser. To expedite resolution of it, please email your evidence of it to a SpamCop Admin via service[at]admin.spamcop.net. Thanks!

Share this post


Link to post
Share on other sites

Again we are moving outside the stated purpose of SpamCop and the parser.

If you do anything to force the parcer to find something it would not find on its own you may NOT use SpamCop to send the reports. You need to write the report without any reference to SpamCop and send it on your own.

You are welcome to use the Parser as a tool to help you find addresses, but NOT to send reports. All reports that are sent using the parser must be from original spam messages without alteration (with the exception of munging personal data contained in the message and even then a note should be added to the report that the message has been munged)

Share this post


Link to post
Share on other sites
It seems to me that Joker and other registrars could screen addresses easily.

The operitive word there is "could" ..... but that would also seem to be the case for allowing someone to register 30 to 300 sites a day with what turns out to be a stolen credit card (number) .. it seems like this 'could' be prevented also, yet ....

*Technical Question:

  The spammers that have my Comcast address all use a; "Http://.... watches.com#bogus.org" (substitute .info and others)

36137[/snapback]

Playing with hypothetical information is not enjoyed around here. The request is in existence almost everywhere one looks, please provide a Tracking URL of the spam parse in question. No one here has no knowledge of your experience and/or knowledge of any of the details and processes involved ... there can be more involved with the actual spam than simply changing some characters here and there, header content and construct, MIME types and definitions, construct and content of the URI itself, word-wrapping conditions changing between your various experimental submitals, on and on ... let's allow anyone/everyone involved look at the "real" data ....

Share this post


Link to post
Share on other sites
{snip ...}Playing with hypothetical information is not enjoyed around here.  The request is in existence almost everywhere one looks, please provide a Tracking URL of the spam parse in question.  {...snip}

36142[/snapback]

Hey Wazoo, sorry if I violated Wazoo-tiquette. I do understand hypo-overload.

I was only learning how to use bug-reporting literary license and I did ask for advice so thanks. Thanks to Dbiel too.

Looking back, I thought I gave the audience precise examples further into my message.

I did learn how to reach SpamCop-Abuse. I'm rather surprised that no one ever reported this "#bug.com" type potential bug before.

Share this post


Link to post
Share on other sites

I've no idea what your first lines are supposed to represent ... however, this Forum is full of postings from folks that "knew what they were doing" that were surprised by something overlooked or even "not known" ....your example may be perfect .. or it could something as silly as the removal of data from the string shortened it up enough that word-wrap wasn't an issue ... scenario is that from this side of the screen, there is no one that can tell what else is involved in your submittals .. thus the request for a Tracking URL .. again, that way everyone is talking about the actual / same data ....

Share this post


Link to post
Share on other sites

The two Tracking URLs are required so that we can compare apples to apples - the SpamCop Parser uses some different algorithms when parsing a URL in an entire message vs. parsing a URL as an individual item (on a line by itself).

Share this post


Link to post
Share on other sites
The two Tracking URLs are required so that we can compare apples to apples - the SpamCop Parser uses some different algorithms when parsing a URL in an entire message vs. parsing a URL as an individual item (on a line by itself).

36197[/snapback]

Reasonable. Here's today's spam, pasted into the SC Report spam browser page. (IE6 XP-SP2) (I "refreshed" 5 times, no change to report):

http://www.spamcop.net/sc?id=z828162089z4b...ae886f6332327bz ( Look at this! This forum even puts ...'s in the URL to confuse newbies B) )

Below is the "test" report. I included the following comment to admin.spamcop.net so everyone knows I'm sending a modified spam that's not personal-info related for "bug" testing purposes only. I include this since it appears these 'comments' are not passed to the Report when you view it.

http://www.spamcop.net/sc?id=z828164852z50...50356c0886b48az

!-- Comments for:spambr[at]admin.spamcop.net --!

"This is the original link URL. Tor testing purposes only, the "#stxspx" is edited out of the URL:

<A href="ht

tp:

//xqQMM>%2EfxrkM2IyNTEzOGM4NDBlNDhmMGYxMTk2MWY2%2Espriingwater.com#stxspx">"

!-- END -- Comments for:spambr[at]admin.spamcop.net --!

Share this post


Link to post
Share on other sites

http://www.dnsstuff.com/tools/dnstime.ch?n...ater.com&type=A

first issue, time for DNS results is excessive.

Searching for spriingwater.com A record at j.root-servers.net Got referral to C.GTLD-SERVERS.NET. [took 222 ms]

Searching for spriingwater.com A record at C.GTLD-SERVERS.NET. Got referral to ns1.protectitdnservice.com. [took 4 ms]

Searching for spriingwater.com A record at ns1.protectitdnservice.com. Reports an answer.

Record is:

Domain Type Class TTL Answer spriingwater.com. A IN 3600 222.36.42.116 spriingwater.com. NS IN 3600 ns1.protectitservice.com. spriingwater.com. NS IN 3600 ns2.protectitservice.com. spriingwater.com. NS IN 3600 ns3.protectitservice.com. spriingwater.com. NS IN 3600 ns4.protectitservice.com. ns1.protectitservice.com. A IN 600 222.36.42.123 ns2.protectitservice.com. A IN 600 219.148.3.162

Looking up at ns1.protectitdnservice.com.... Reports 1 A record(s). 613ms.

Looking up at ns2.protectitdnservice.com.... Reports 1 A record(s). 519ms.

Average of all 2 nameservers: 566ms (plus 226ms overhead).

Score: C+

Took off 22 points for >300ms average response time.

Note also the proximity of the web-server and the DNS server ....

whois -h whois.joker.com spriingwater.com ...

domain: spriingwater.com

owner: James Barkley

organization: Protect-it Domain Privacy

email: jbarkley[at]popaccount.com

address: 175 MONTREAL ROAD #304

city: Vanier

state: Ontario

postal-code: K1L 6E4

country: CA

phone: 1-613-482-4834

admin-c: jbarkley[at]popaccount.com#0

tech-c: jbarkley[at]popaccount.com#0

billing-c: joker[at]simm.qc.ca#0

reseller: Registred by: SIMM

reseller: Phone: 1-514-270-4537

nserver: ns1.protectitdnservice.com 221.11.134.38

nserver: ns2.protectitdnservice.com 218.65.209.18

status: lock

created: 2005-11-15 20:09:34 UTC

Notice the shiny "new" date of creation

11/17/05 13:38:10 Slow traceroute spriingwater.com

Trace spriingwater.com (222.36.42.116) ...

61.232.23.230 RTT: 326ms TTL: 0 (No rDNS)

222.36.96.118 RTT: 354ms TTL: 0 (No rDNS)

222.36.42.125 RTT: 358ms TTL: 0 (No rDNS)

* * * failed

* * * failed

Doesn't want one to "get there" or it's down now?

Nope, site is available, wanting to offer up those expensive waches for cheap ...

11/17/05 13:57:44 Browsing http://spriingwater.com/

Fetching http://spriingwater.com/ ...

GET / HTTP/1.1

Host: spriingwater.com

Cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Set-Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxxxxx; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT <----?????

<title>ReplicaWatches - Beautiful and elegant watches without the costly prices.</title>

web-site hosted on a chinatietong.com host, known spam supporter, so that even if resolved, even if a report/complaint had gone out, no action would be taken ...

Your "extra comments" did not end up at "admin.spamcop.net" .. they were included in the report/complaint sent to in internal address used by the SpamCop.net Reporting system to a reporting address worked out between SpamCop.net Admin folks and the "spambr" folks .... The only way SpamCop Admin folks will "see" this is if the "spambr" folks send in their complaint about your reporting practices. (modification of the spam to get results is in violation of the rules)

still working on other things, but will post this for now

Later: testing results have caused an e-mail to be sent upstream on this one.

Share this post


Link to post
Share on other sites
Again we are moving outside the stated purpose of SpamCop and the parser.

If you do anything to force the parcer to find something it would not find on its own you may NOT use SpamCop to send the reports. You need to write the report without any reference to SpamCop and send it on your own.

You are welcome to use the Parser as a tool to help you find addresses, but NOT to send reports. All reports that are sent using the parser must be from original spam messages without alteration (with the exception of munging personal data contained in the message and even then a note should be added to the report that the message has been munged)

36140[/snapback]

The issue of my discovery of a potential bug in SC's parser has been addressed in another branch of this thread.

I do find, however, after using these quoted rules to solve a bug-related issue, this process to have become rather cumbersome.

Might I suggest a separate Lounge ( and an easy way to find it ) explicitly dedicated to 'bugs' and how to report? Possibly a link to the rules. I found this link SC Material Changes to spam sort of buried several layers deep.

I apologize in advance <taking advantage of my newbie status> if I missed it as I was reviewing the ground rules initially.

While I was reviewing the rules at SC Material Changes to spam I discovered a reference to a Base 64 tool that was not available (at least to me) at Base 64 Tool Link.

Thanks again.

Share this post


Link to post
Share on other sites
While I was reviewing the rules at SC Material Changes to spam I discovered a reference to a Base 64 tool that was not available (at least to me) at Base 64 Tool Link.

36231[/snapback]

Please feel free to suggest replacement or removal of that URL (which redirects to http://david.carter-tod.com/base64 on nonexistent host david.carter-tod.com) to service[at]admin.spamcop.net.

Share this post


Link to post
Share on other sites
Please feel free to suggest replacement or removal of that URL (which redirects to http://david.carter-tod.com/base64 on nonexistent host david.carter-tod.com) to service[at]admin.spamcop.net.

36232[/snapback]

Got it. Thanks.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×