Jump to content

I hate Joker....

bobbear

By bobbear
in SpamCop Lounge

Recommended Posts

bobbear Advanced Member

bobbear

Posted
Posted

[rant]I hate Joker....

I would like to nominate the following candidate registrars for "The Criminal's Choice 2006"

1) Joker

2) MIT

For general obstructive behaviour & failure to act on unarguable fully evidenced abuse reports concerning their numerous phishing and money laundering clients.

I guess most of us are familiar with the Honda Handle/Swiss Invest/Group Austrian Syndicate criminal money launderers & their latest incarnation "Norway Consulting group". I have been receiving (& reporting), their criminal spams, (5 or 6 a day), for many months, e.g:

[any unmunged links are harmless]

Hello,

***Would the abuse teams please read the carefully researched, compiled &

numbered reports below to see which applies to you & why - thank you***

The Norway Consulting group money laundering criminal fraudsters, (aka Swiss

Invest/Global Austrian Syndicate et al), are back once again spamming me

with their criminal fraud spams with yet another Joker.com registered domain

norway-cons-group.cn. Full link:

http://norway-cons-group.cn/index.php?sect_id=6

The company claims to have been formed in 1997, but the domain

norway-cons-group.cn was only registered with joker.com on August 26th.

2006. Their criminal spam is filled with Bayesian filter avoidance

text and it is propagated using a 'botnet' of infected 'zombie' machines as

clearly evidenced below.

Their advertised position is the usual "Financial Manager to deal with

individual clients" in other words, "Money Laundering Mule". Make no

mistake, this is a fake company used for money laundering purposes only -

there is no genuine company of that name & no genuine company would use a

zombie botnet to propagate spam.

1) Attention abuse[at]nrw.net; abuse[at]joker.com; for the criminal's domain

registration norway-cons-group.cn (criminal fraud activity, false whois

data, etc)

Looking up the 2 norway-cons-group.cn. parent servers:

--------------------------Server-----------Response

ns1.teams-cs.com [85.234.150.43] 82.207.225.136 82.227.128.20 83.21.139.13

84.121.191.244 85.204.83.174

ns2.teams-cs.com [195.45.33.12] Timeout

Note the usual rotating botnet list of 'zombie' IPs and the criminal

nameserver domain teams-cs.com which has also only recently been registered

with enom.com, (30th. July 2006), and is undoubtedly an integral part of the

criminal's own network.

2) Attention abuse[at]enom.com for the criminal's nameserver domain

teams-cs.com which has no 'A' record, & was only registered by the criminals

on 30th. July 2006. It is an integral part of their 'botnet' setup.

(criminal fraud activity, false whois data, etc).

3) Attention abuse[at]euroconnex.net; abuse[at]PoundHost.com for the criminal's

active nameserver host IP ns1.teams-cs.com [85.234.150.43]

4) Attention staff[at]iunet.it; gio[at]iunet.it; staff[at]human-interaction.it;

massimo.longoni[at]albacom.it for the criminal's nameserver host IP

ns2.teams-cs.com [195.45.33.12] (Timing out at present so may be null routed

or even fake)

Would the abuse teams please take the necessary action to suspend

registrations, null route IPs etc. in order to stop this criminal's latest

activities.

Thank you for your help in fighting internet crime.

Please feel free to contact me if you require further details,

Kind Regards,

<me>

E&OE - please report any errors or feedback to sender of this report.

Full criminal fraud spam source code follows:

___________________________________________

Return-Path: <ljrktkrfhibpc[at]allsaintsfan.com>

Received: from mwinf3214.me.freeserve.com (mwinf3214.me.freeserve.com)

by mwinb3006 (SMTP Server) with LMTP; Tue, 29 Aug 2006 07:04:17 +0200

X-Sieve: Server Sieve 2.2

Envelope-to: me[at]freeserve.co.uk

Received: from me-wanadoo.net (localhost [127.0.0.1])

by mwinf3214.me.freeserve.com (SMTP Server) with ESMTP id 022181C006B4

for <me[at]freeserve.co.uk>; Tue, 29 Aug 2006 07:04:17 +0200

(CEST)

Received: from 193.252.22.143 (unknown [220.93.91.248])

by mwinf3214.me.freeserve.com (SMTP Server) with SMTP id F38681C006BD

for <me[at]freeserve.co.uk>; Tue, 29 Aug 2006 07:04:14 +0200

(CEST)

X-ME-UUID: 20060829050414997.F38681C006BD[at]mwinf3214.me.freeserve.com

Received: from malaysia.net (unknown [103.246.34.147])

by ainmarh.com with SMTP id QLIE26NGA8

for <me[at]freeserve.co.uk>; Mon, 28 Aug 2006

22:04:13 -0800

Received: from aol.com (unknown [120.156.193.112])

by lilypie.com with SMTP id UVPQIHMZTN

for <me[at]freeserve.co.uk>; Tue, 29 Aug 2006 06:56:13

+0100

X-Originating-Server: stockscope.com (freecumshoot.com.p4host.com

[40.50.76.242])

From: "Norway Consulting GROUP 2006" <jlixhluqhz[at]aol.com>

To: "Bob" <me[at]freeserve.co.uk>

Subject: Top vacancy of the month!

X-Originating-Server: stockscope.com (freecumshoot.com.p4host.com

[40.50.76.242])

User-Agent: Pegasus Mail for Win32 (v2.53/R1)

X-Mailer: Pegasus Mail for Win32 (v2.53/R1)

X-Priority: 3 (Normal)

MIME-Version: 1.0

Content-Type: multipart/related;

boundary="JKCO_4KUJCL5X3LKPVHEDS"

Message-Id: <xxxxxxxxxxx.xxxxxxxxxxx[at]mwinf3214.me.freeserve.com>

Date: Tue, 29 Aug 2006 07:04:14 +0200 (CEST)

X-me-spamlevel: med

X-me-spamrating: 99.992889

X-Antivirus: AVG for E-mail 7.1.405 [268.11.6/428]

--JKCO_4KUJCL5X3LKPVHEDS

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>

<META=20http-equiv=3DContent-Type =20content=3D"text/html;

=20charset=3D=

utf-8">

<META =20content=3D"MSHTML =206.00.2800.1522" =20name=3DGENERA=

TOR></HEAD>

<BODY =20bgcolor=3D"#FFFFFA" =20text=3D"#57D026">

<a =20hRef=3Dhttp://norway-cons-group.cn/index.php?sect_id=3D6>

<img=20src=3D"cid:5U0OMLH9QP" =20border=3D0></a>

</p><p><font =20color=3D"#FFFFF6">She walked halfway down the driveway =

and looked around, hands on her hips. =20abutting =20cancelling =20I=

an =97 " =97 must know nothing of this until we know more!</font></p><p><f=

ont =20color=3D"#FFFFF1">But when the farmer in the story finally did tha=

t, all he had was a dead goose and a bunch of worthless guts! =20And =

they do wonders with prosthetics these days. =20"It's a very special day,=

Paul, isn't it? =20No.=20Curds of foam flew everywhere. =20She might=

take one casual glance in here and immediately realize in some arcane way=

what had happened. =20For a moment Geoffrey Alliburton was not sure wh=

o the old man at the door was, and this was not entirely because the bell =

had awakened him from a deepening doze.=20bette</font></p>

</BODY>

</HTML>

--JKCO_4KUJCL5X3LKPVHEDS

Content-Type: image/gif; name="autism.gif"

Content-Transfer-Encoding: base64

Content-ID: <5U0OMLH9QP>

Decoded GIF spam body:

Working for Norway Consulting Group

Norway Consulting Group is a consulting company, operating in corporate

consulting market since 1997. Our activities have covered a large number of

projects of various sizes and we expect you to be capable of solving various

administrative problems and tasks. Looking to work for an organization that

offers a challenging environment and excellent benefits?

Financial Manager - Part time position

An opportunity has arisen to appoint several persons to join the Financial

Managers' team, facilitating transfers of money between Norway Consulting

Group and our numerous clients worldwide. This part time opportunity is for

a friendly, energetic person to provide superior customer service and

process customer transactions. We offer opportunity for advancement,

excellent compensation and benefits, and a great work environment.

You will be responsible for ensuring that bank transfer rules are complied

with, providing effective and efficient

support to our Managers and customers.

We are looking for people who possess the following essential criteria:

? 'A' level standard of education

? Should have customer service or cashier experience, preferably in a bank

or credit union

? Good knowledge of banking practice, interpreting financial information

? Able to use money transfer/payment systems like MoneyGram, Western Union,

etc

? PC, email, Microsoft word confident user

? Good team working skills, good adaptability, good verbal and written

communication skills, ability to work to deadlines, good attention to

details.

Your efforts and aspiration will be generously rewarded. 2-3 hours a day

occupation will bring you 8% commission from the amount of each processed

transaction. In return you'll have to strictly follow the procedure, which

is essential to fit for the job:

1. Open a bank account (or use the existing one);

2. Upon receiving a notice from our manager about money transfer with your

account, promptly apply to your bank and withdraw the sum.

3. Immediately go to one of express money transfer agencies (MoneyGram,

Western Union) and transfer this sum in accordance with the details,

specified in our notice.

4. Log on to the Internet and send us the details of the transfer.

5. Receive your 8% commission from the total sum of processed transfers

during one month.

Note: Transfer fees are deducted from the transfer sum, therefore it is free

for you.

In the first instance applicants should apply in writing stating that you

are interested in this position, enclosing a CV.

If you are interested in this job and would like to get more information,

you are welcome to visit our website:

Follow this link to take a visit to our web site!

Annette Nygardsmoen

I have a registered account with Joker, so I usually report them via their webform as well. Do they acknowledge? - No. Do they take any action? - No.

Fortunately not all registrars are so criminal friendly - I know if I reported the same fraud spam to Onlinenic it would be out of the zone in less than an hour. The criminals know this too, so I seldom get criminal fraud spams involving Onlinenic domains any more.

What this means of course, is that the registrars like Joker who are apparently content to shelter behind the usual nonesense copouts, "registrars must not make judgements", "better 100 criminals go unpunished than one genuine client suffers", "we cannot take action under ICANN guidelines except against false whois data", etc etc provide a secure home for the criminal fraudsters and are rewarded in their bottom line which really irks me....

What if...

ICANN accredited Registrars were obliged, (under the terms of their accreditation agreement), to:

1) Charge for a minimum of 5 years up front for any domain registration.

2) Not activate the domain until payment has cleared.

3) Retain payments on domain suspension/deletion for criminal/spamming fraud activity.

4) Challenge/response verify all whois data:

i) Postal address (No PO box numbers allowed)

ii) Email address (No webmail accounts allowed)

iii) Telephone number (Only landline numbers allowed - no mobile/satellite numbers)

5) Implement & enforce an ICANN standardised AUP that would empower, (& require), the registrar to take specified action on receiving abuse reports regarding spamming and/or criminal fraud activity concerning one of their domains.

As far as I am concerned, the registrars are just another link in the spammers chain, and if spam is to be tackled more effectively, then ALL links in the chain have to be vulnerable - you cannot have one part of the chain that considers itself above the law, especially as other parts of the chain regularly now seem to be bombproof.....

Discuss.......[/rant]

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...