
Do domain Hosts collude with spammers?


maxmillion


Posted

Hi,

I'm new to this forum though I have been a subscriber of the spamcop service for almost a year.

I receive spam from a prolific spammer, who offers business seminars. I receive around 200 and rising every 4 to 10 days.

I have a catchall email setup for my domain, and the spammer is exploiting that by sending to a[at]mydomain .com, then b[at]mydomain, then c[at] etc. You get the picture? Clearly these are not addresses I would use, and certainly would never have used them to register for anything anywhere. In addition, I run my business alone, so there are no other users of my domain email.

The spammer sends html spam which I am loath to open and report because I understand they can track them and thereby confirm the validity of an email addy. Consequently, I report two spams each time they arrive (and always the same To: address). I also use a service called Cloudmark SafetyBar which is now called Cloudmark Desktop. This enables me to mark the messages as spam without opening them. It is very effective in keeping my main inbox clear, but it doesn't stop the spammer when they change servers or domains or IP addresses.

Now here's the thing. The spam being sent does not appear to be forged headers or some such. But they appear to be sent from a valid (and different!) domain each time. These domains are registered with a particular web host - and since I started tracking this, I have noticed the same details for each domain that has been registered; these are the four most recent; biteseminars.co.uk, bitereplied.co.uk, vf-businessmail.co.uk and now ukseminarcompany.co.uk.

Each has the same or similar registrant - Paul Smythe or Paul Smith.

All are registered with Registrant type: UK Individual

All provide this disclaimer for Registrant's address:

The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.

All have the same Registrant's agent:

PIPEX Communications Hosting Ltd t/a 123-Reg.co.uk [Tag = 123-REG]

URL: http://www.123-reg.co.uk

And almost all are registered around the time of the spam - the latest, ukseminarcompany.co.uk has this date.

Relevant dates:

Registered on: 27-Jan-2006

Inside the mail they have a phone number to call in order to request removal. Of course they never answer that phone. The "office" address is a mailbox in a nearby village.

Sorry, it is a long message... but nearly done

And my query?

1) Why do they register as non-trading when they clearly are traders? Who polices nominet or the registration service? Have they not lied on their registration form?

2) If the Registrant's agent is the same in each case, surely they can refuse any additional domain registrations by the spammer?

3) and then share that information with nominet and other agents to prevent spammers like this from registering other domains for the express purpose of sending spam.

4) Could the registrant's agent be in cahoots with the spammer? I have provided detailed headers etc, but they respond with very inane and inappropriate answers, and have the attitude "It's nothing to do with us".

5) In addition, Trading Standards Dept for the area (where the spammer's mailbox is) appear unwilling or unable to take action.

So what should or could be done?

I appreciate your answers and advice. I did read through the FAQs but could find nothing similar. If anybody wants headers, body etc, I am happy to supply.

Thanks

Michael Hoeben

in Milton Keynes, UK

Posted
... I have a catchall email setup for my domain, and the spammer is exploiting that by sending to a[at]mydomain .com, then b[at]mydomain, then c[at] etc. You get the picture? Clearly these are not addresses I would use, and certainly would never have used them to register for anything anywhere. In addition, I run my business alone, so there are no other users of my domain email. ...

39763[/snapback]

Hi Michael - sounds strikingly similar to the thread started at http://forum.spamcop.net/forums/index.php?...indpost&p=36350

I can't answer your queries but is there any chance host-it.co is involved? Posting a tracking URL http://forum.spamcop.net/forums/index.php?...topic=4473#TURL or http://forum.spamcop.net/forums/index.php?showtopic=4498 would definitely be a good idea.

Posted
Hi Michael - sounds strikingly similar to the thread started at http://forum.spamcop.net/forums/index.php?...indpost&p=36350

I can't answer your queries but is there any chance host-it.co is involved?  Posting a tracking URL http://forum.spamcop.net/forums/index.php?...topic=4473#TURL or http://forum.spamcop.net/forums/index.php?showtopic=4498 would definitely be a good idea.

39767[/snapback]

Thanks Farelf. (for your reply and managing to read it all!)

It is not host-it company. I assumed that this was the domain host as shown when doing a WHOIS

All have the same Registrant's agent:

PIPEX Communications Hosting Ltd t/a 123-Reg.co.uk [Tag = 123-REG]

Here are a few tracking urls, and I haven't reported as many of them as I would like, but I understood that simply opening an html mail can provide confirmation of a valid address.

3 Nov 2005: http://www.spamcop.net/sc?id=z822913419z2a...b0dc364206ca4cz

3 Nov 2005: http://www.spamcop.net/sc?id=z822758489zf1...6ac8bd8a3c665bz

27 Jan 2006: http://www.spamcop.net/sc?id=z865152270zac...8e0729b2325b09z

28 Jan 2006: http://www.spamcop.net/sc?id=z865241569z96...3c260cd77a19b8z

28 Jan 2006: http://www.spamcop.net/sc?id=z865241144z12...cbc540537da9dez

29 Jan 2006: http://www.spamcop.net/sc?id=z865451000z5b...b208baebbd8b66z

Michael

Posted
5) In addition, Trading Standards Dept for the area (where the spammer's mailbox is) appear unwilling or unable to take action.

So what should or could be done?

39763[/snapback]

Hi Michael,

Thanks for your observations.

In the UK it isn't the responsibility of trading standards departments to tackle spam - although they will investigate rogue traders offering goods or services in ways which are illegal.

The Information Commissioner will tackle spam complaints.

But both come with a proviso that the person or organisation has to be based in the UK for action to be taken. Since most of the spam originates outside the UK and for non-UK entities there is little that can be done for the bulk of spam.

If you are receiving spam with an identifiable UK source then the Information Commissioner's website has the necessary forms etc. They do respond to complaints and do take action - normally starting with advising the culprit and escalating if justified complaints continue.

Andrew

Posted
Michael,

Have you also tried kicking your complaint to the upstream owner? According to dnsstuff that would be (above live-servers-net) Mark Wood at Fasthosts Internet Limited - ref http://www.dnsstuff.com/tools/whois.ch?ip=217.174.254.250 and click for email address to be turned on.

39787[/snapback]

Thanks for your advice. I emailed what I thought was the company that registered the domain

Registrant's agent:

PIPEX Communications Hosting Ltd t/a 123-Reg.co.uk [Tag = 123-REG]

URL: http://www.123-reg.co.uk

and as yet they have done nothing except register another domain on 1st February - and I'm receiving the 500 or so spams from that domain now.

But I will call / email Fasthosts and check with the site of the Information Commissioner.

Meanwhile, I have blocked the catchall account which is inconvenient, and have had to change dozens of email addresses on forums, newsgroups etc, so that I only have one account which in the short term will reduce the sheer volume from these cretins.

Thanks again.

Michael

  • 2 weeks later...
Posted
The spammer sends html spam which I am loath to open and report because I understand they can track them and thereby confirm the validity of an email addy.

39763[/snapback]

I use Thunderbird, but most modern email clients now allow you to view emails as plaintext. You might be able to view the source by right-clicking on the message in your inbox, without actually having to open the message. If your current client doesn't support that, you could also consider one of the many free "email checker" programs. Many of those will let you see the entire source of the email, which you could paste into SpamCop's form for reporting. I use MailWasher Pro, which can actually report spam to SC and delete the junk before even opening your regular mail client.

FYI, HTML emails track you by containing links (such as embedded images) that use a unique URL. If their webserver records a request for this unique URL, then they know that someone looked at the email, and thus the email address is valid. I'm not sure that spammers are even still doing this, as it requires some degree of personalization of the email (so that each spam has its own unique URL) and it also requires checking the webserver logs to see if the URL has been requested (which admittedly could be mostly automated).
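
Added example, not part of the original post: a Python script that reads a message's raw source without rendering it, lists the remote resources a mail client would request just by displaying the HTML, and flags URLs that look unique to the recipient, which is the tracking mechanism described above. The sample message, the `.example` hosts and the token heuristic are constructed assumptions.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# (tag, attribute) pairs a mail client fetches on its own when it renders HTML.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("link", "href"),
              ("body", "background"), ("table", "background"), ("td", "background")}
TOKEN_RE = re.compile(r"(?=.*\d)[A-Za-z0-9_-]{16,}")  # assumed: long opaque ID with a digit

class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and (value or "").lower().startswith(("http://", "https://")):
                self.urls.append(value)

def looks_personalised(url, recipient):
    if recipient.lower() in url.lower():  # address embedded in clear
        return True
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query)]
    candidates += [seg.split(".")[0] for seg in parts.path.split("/")]
    return any(TOKEN_RE.fullmatch(c) for c in candidates)

def audit(raw_message, recipient):
    # Parses the source only; nothing is rendered and no URL is requested.
    msg = email.message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return [(u, looks_personalised(u, recipient)) for u in finder.urls]

# Constructed sample message (not taken from the thread).
SAMPLE = """\
To: c@mydomain.example
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://static.sender.example/logo.gif">
<img src="http://track.sender.example/o.gif?id=9f3c2ab47d1e4c0e8b7a55d2" width="1" height="1">
<a href="http://www.sender.example/book">Book now</a></body></html>
"""

for url, flagged in audit(SAMPLE, "c@mydomain.example"):
    print("UNIQUE " if flagged else "shared ", url)
```

Ordinary links (`<a href>`) are not listed because they are only requested when clicked; the flagged image URL is the one that would confirm the address on display.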

Posted
FYI, HTML emails track you by containing links (such as embedded images) that use a unique URL. If their webserver records a request for this unique URL, then they know that someone looked at the email, and thus the email address is valid. I'm not sure that spammers are even still doing this, as it requires some degree of personalization of the email (so that each spam has its own unique URL) and it also requires checking the webserver logs to see if the URL has been requested (which admittedly could be mostly automated).

40482[/snapback]

Some of them still are doing this. :(
Posted
<snip>

The spammer sends html spam which I am loath to open and report because I understand they can track them and thereby confirm the validity of an email addy.

<snip>

39763[/snapback]

...Many e-mail clients will allow you to forward the spam as an attachment, so you don't have to actually open it. This is what I do (I use Microsoft Outlook 2003) to avoid the problem you aptly raise.
Posted

Michael,

To solve your email problem you should not employ a postmaster catchall account, instead use only specific email addresses for your business and check only these, employ a good spam filtering service... similarly, only virus filtered email, and finally use mail client software that reads mail in plain-text by default, rather than HTML; this way you can mop up (delete) any stray nasties without risk to yourself.

My approach with time on my hands...

I got a seminar invite from these guys on 25th January... Wanting money up front? Sounded like spam, esp going to an unused address x[at]domain. The email arrived from biteseminars.co.uk, but references the domain ukseminarbookings.co.uk - which has a website where the seminars are advertised and the sales offer made, including an indication that they are VAT registered.

1. I went to Nominet and had the inconsistent registration data corrected: owner name made public - Nominet staff had received this spam too!

2. Contacted the registrar: www.123-reg.co.uk - part of the Pipex group

They were very clear about bulk/unsolicited email: "We would disable your account and disable the domain name. We would also ask you to transfer the domain name away" [contact me for a copy of the email from 123-reg]

Sending info to abuse at dial.pipex.co.uk in the case of 123-reg registrants, and helpdesk at newnet.co.uk in the case of ukisp.co.uk registrants ought to help these Domain companies to sort out the problem.

I will email them again with a link to this page, but you need to forward email with full headers, and perhaps a link to this page...

3. Hit 'em where it hurts: I looked up the mailing address: it is within an outlet of Mailboxes Etc, part of the global Mailboxes Etc franchise network... MBE-Bedford

Mailboxes Bedford

So I contacted them and requested they take action, i.e. withdraw services to this individual - last year I persuaded the helpful Mailboxes in Cambridge to withdraw services from the well known spammer Peter Francis-MacRae ...prior to his being jailed:

theregister - Peter Francis-MacRae - spammer in prison

It cannot have made his life any easier having to find a new home for all those pre-addressed envelopes!!

I suggest you contact the Bedford Mailboxes ETC branch to persuade them further. info at 021.mbe.uk.com

The subject of spamming would appear to break clause 6 of their 'Mailbox Service Agreement': MBE Mailbox Service Agreement

4. I talked to the variously named Phil Sabin, Phil Underwood, John Murry, Paul Smith and Paul Smythe... depending on which Whois you look up and how they reply to your complaining emails.

In response to: "Your email appears to be from Phil Sabin, yet is signed Phil Underwood.... things just do not seem to add up... ?"

He replied: "There seem to be plenty of people out there who vent their frustration on spam in general on us - we are the one that has a phone number and contact details...I am sometimes cautious as to what name is used" [!!]

Are there any other domains?

ukseminarbooking.co.uk

biteseminars.co.uk

ukseminarcompany.co.uk

I think complaining is the best bet, include the registry, e.g. nominet, Nameserver company, hosting company, and mailing address company if applicable - noting the spam issue and referring to this page, supplying email with full headers when requested. Spammers often use serviced mailboxes, rather than real office addresses.

Companies trading with these individuals deserve a bad press if they take no action.

Then there is always the route of taking a small claims court action if the email address is not a business email address: How to Sue a UK Spammer - the register

  • 2 weeks later...
Posted

I receive spam from a prolific spammer, who offers business seminars. I receive around 200 and rising every 4 to 10 days.

Does anyone know if bitesize seminars et al. has any links with Business Growth Resources Ltd.:

"more time, more sales, more profit..."

or. Getting more interesting...

Lyness Accountancy Practice (obviously likes the financial savings they think spamming will bring?)

Registrant's address:

78 Birmingham Street

Oldbury

West Midlands

Oldbury

West Midlands

B69 4EB

GB

(Which is the same as Business Growth Resources Ltd.)

I've been in correspondence with Ian Woodall (Ian[at]lyness.co.uk)

who emailed me and confirmed that he has commissioned a broadcast today.

SS.

Archived

This topic is now archived and is closed to further replies.
