bobbear Posted August 29, 2006 Posted August 29, 2006 [rant]I hate Joker.... I would like to nominate the following candidate registrars for "The Criminal's Choice 2006" 1) Joker 2) MIT For general obstructive behaviour & failure to act on unarguable fully evidenced abuse reports concerning their numerous phishing and money laundering clients. I guess most of us are familiar with the Honda Handle/Swiss Invest/Group Austrian Syndicate criminal money launderers & their latest incarnation "Norway Consulting group". I have been receiving (& reporting), their criminal spams, (5 or 6 a day), for many months, e.g: [any unmunged links are harmless] Hello, ***Would the abuse teams please read the carefully researched, compiled & numbered reports below to see which applies to you & why - thank you*** The Norway Consulting group money laundering criminal fraudsters, (aka Swiss Invest/Global Austrian Syndicate et al), are back once again spamming me with their criminal fraud spams with yet another Joker.com registered domain norway-cons-group.cn. Full link: http://norway-cons-group.cn/index.php?sect_id=6 The company claims to have been formed in 1997, but the domain norway-cons-group.cn was only registered with joker.com on August 26th. 2006. Their criminal spam is filled with Bayesian filter avoidance text and it is propagated using a 'botnet' of infected 'zombie' machines as clearly evidenced below. Their advertised position is the usual "Financial Manager to deal with individual clients" in other words, "Money Laundering Mule". Make no mistake, this is a fake company used for money laundering purposes only - there is no genuine company of that name & no genuine company would use a zombie botnet to propagate spam. 1) Attention abuse[at]nrw.net; abuse[at]joker.com; for the criminal's domain registration norway-cons-group.cn (criminal fraud activity, false whois data, etc) Looking up the 2 norway-cons-group.cn. parent servers: --------------------------Server-----------Response ns1.teams-cs.com [85.234.150.43] 82.207.225.136 82.227.128.20 83.21.139.13 84.121.191.244 85.204.83.174 ns2.teams-cs.com [195.45.33.12] Timeout Note the usual rotating botnet list of 'zombie' IPs and the criminal nameserver domain teams-cs.com which has also only recently been registered with enom.com, (30th. July 2006), and is undoubtedly an integral part of the criminal's own network. 2) Attention abuse[at]enom.com for the criminal's nameserver domain teams-cs.com which has no 'A' record, & was only registered by the criminals on 30th. July 2006. It is an integral part of their 'botnet' setup. (criminal fraud activity, false whois data, etc). 3) Attention abuse[at]euroconnex.net; abuse[at]PoundHost.com for the criminal's active nameserver host IP ns1.teams-cs.com [85.234.150.43] 4) Attention staff[at]iunet.it; gio[at]iunet.it; staff[at]human-interaction.it; massimo.longoni[at]albacom.it for the criminal's nameserver host IP ns2.teams-cs.com [195.45.33.12] (Timing out at present so may be null routed or even fake) Would the abuse teams please take the necessary action to suspend registrations, null route IPs etc. in order to stop this criminal's latest activities. Thank you for your help in fighting internet crime. Please feel free to contact me if you require further details, Kind Regards, <me> E&OE - please report any errors or feedback to sender of this report. Full criminal fraud spam source code follows: ___________________________________________ Return-Path: <ljrktkrfhibpc[at]allsaintsfan.com> Received: from mwinf3214.me.freeserve.com (mwinf3214.me.freeserve.com) by mwinb3006 (SMTP Server) with LMTP; Tue, 29 Aug 2006 07:04:17 +0200 X-Sieve: Server Sieve 2.2 Envelope-to: me[at]freeserve.co.uk Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf3214.me.freeserve.com (SMTP Server) with ESMTP id 022181C006B4 for <me[at]freeserve.co.uk>; Tue, 29 Aug 2006 07:04:17 +0200 (CEST) Received: from 193.252.22.143 (unknown [220.93.91.248]) by mwinf3214.me.freeserve.com (SMTP Server) with SMTP id F38681C006BD for <me[at]freeserve.co.uk>; Tue, 29 Aug 2006 07:04:14 +0200 (CEST) X-ME-UUID: 20060829050414997.F38681C006BD[at]mwinf3214.me.freeserve.com Received: from malaysia.net (unknown [103.246.34.147]) by ainmarh.com with SMTP id QLIE26NGA8 for <me[at]freeserve.co.uk>; Mon, 28 Aug 2006 22:04:13 -0800 Received: from aol.com (unknown [120.156.193.112]) by lilypie.com with SMTP id UVPQIHMZTN for <me[at]freeserve.co.uk>; Tue, 29 Aug 2006 06:56:13 +0100 X-Originating-Server: stockscope.com (freecumshoot.com.p4host.com [40.50.76.242]) From: "Norway Consulting GROUP 2006" <jlixhluqhz[at]aol.com> To: "Bob" <me[at]freeserve.co.uk> Subject: Top vacancy of the month! X-Originating-Server: stockscope.com (freecumshoot.com.p4host.com [40.50.76.242]) User-Agent: Pegasus Mail for Win32 (v2.53/R1) X-Mailer: Pegasus Mail for Win32 (v2.53/R1) X-Priority: 3 (Normal) MIME-Version: 1.0 Content-Type: multipart/related; boundary="JKCO_4KUJCL5X3LKPVHEDS" Message-Id: <xxxxxxxxxxx.xxxxxxxxxxx[at]mwinf3214.me.freeserve.com> Date: Tue, 29 Aug 2006 07:04:14 +0200 (CEST) X-me-spamlevel: med X-me-spamrating: 99.992889 X-Antivirus: AVG for E-mail 7.1.405 [268.11.6/428] --JKCO_4KUJCL5X3LKPVHEDS Content-Type: text/html; charset=us-ascii Content-Transfer-Encoding: quoted-printable <HTML><HEAD> <META=20http-equiv=3DContent-Type =20content=3D"text/html; =20charset=3D= utf-8"> <META =20content=3D"MSHTML =206.00.2800.1522" =20name=3DGENERA= TOR></HEAD> <BODY =20bgcolor=3D"#FFFFFA" =20text=3D"#57D026"> <a =20hRef=3Dhttp://norway-cons-group.cn/index.php?sect_id=3D6> <img=20src=3D"cid:5U0OMLH9QP" =20border=3D0></a> </p><p><font =20color=3D"#FFFFF6">She walked halfway down the driveway = and looked around, hands on her hips. =20abutting =20cancelling =20I= an =97 " =97 must know nothing of this until we know more!</font></p><p><f= ont =20color=3D"#FFFFF1">But when the farmer in the story finally did tha= t, all he had was a dead goose and a bunch of worthless guts! =20And = they do wonders with prosthetics these days. =20"It's a very special day,= Paul, isn't it? =20No.=20Curds of foam flew everywhere. =20She might= take one casual glance in here and immediately realize in some arcane way= what had happened. =20For a moment Geoffrey Alliburton was not sure wh= o the old man at the door was, and this was not entirely because the bell = had awakened him from a deepening doze.=20bette</font></p> </BODY> </HTML> --JKCO_4KUJCL5X3LKPVHEDS Content-Type: image/gif; name="autism.gif" Content-Transfer-Encoding: base64 Content-ID: <5U0OMLH9QP> Decoded GIF spam body: Working for Norway Consulting Group Norway Consulting Group is a consulting company, operating in corporate consulting market since 1997. Our activities have covered a large number of projects of various sizes and we expect you to be capable of solving various administrative problems and tasks. Looking to work for an organization that offers a challenging environment and excellent benefits? Financial Manager - Part time position An opportunity has arisen to appoint several persons to join the Financial Managers' team, facilitating transfers of money between Norway Consulting Group and our numerous clients worldwide. This part time opportunity is for a friendly, energetic person to provide superior customer service and process customer transactions. We offer opportunity for advancement, excellent compensation and benefits, and a great work environment. You will be responsible for ensuring that bank transfer rules are complied with, providing effective and efficient support to our Managers and customers. We are looking for people who possess the following essential criteria: ? 'A' level standard of education ? Should have customer service or cashier experience, preferably in a bank or credit union ? Good knowledge of banking practice, interpreting financial information ? Able to use money transfer/payment systems like MoneyGram, Western Union, etc ? PC, email, Microsoft word confident user ? Good team working skills, good adaptability, good verbal and written communication skills, ability to work to deadlines, good attention to details. Your efforts and aspiration will be generously rewarded. 2-3 hours a day occupation will bring you 8% commission from the amount of each processed transaction. In return you'll have to strictly follow the procedure, which is essential to fit for the job: 1. Open a bank account (or use the existing one); 2. Upon receiving a notice from our manager about money transfer with your account, promptly apply to your bank and withdraw the sum. 3. Immediately go to one of express money transfer agencies (MoneyGram, Western Union) and transfer this sum in accordance with the details, specified in our notice. 4. Log on to the Internet and send us the details of the transfer. 5. Receive your 8% commission from the total sum of processed transfers during one month. Note: Transfer fees are deducted from the transfer sum, therefore it is free for you. In the first instance applicants should apply in writing stating that you are interested in this position, enclosing a CV. If you are interested in this job and would like to get more information, you are welcome to visit our website: Follow this link to take a visit to our web site! Annette Nygardsmoen I have a registered account with Joker, so I usually report them via their webform as well. Do they acknowledge? - No. Do they take any action? - No. Fortunately not all registrars are so criminal friendly - I know if I reported the same fraud spam to Onlinenic it would be out of the zone in less than an hour. The criminals know this too, so I seldom get criminal fraud spams involving Onlinenic domains any more. What this means of course, is that the registrars like Joker who are apparently content to shelter behind the usual nonesense copouts, "registrars must not make judgements", "better 100 criminals go unpunished than one genuine client suffers", "we cannot take action under ICANN guidelines except against false whois data", etc etc provide a secure home for the criminal fraudsters and are rewarded in their bottom line which really irks me.... What if... ICANN accredited Registrars were obliged, (under the terms of their accreditation agreement), to: 1) Charge for a minimum of 5 years up front for any domain registration. 2) Not activate the domain until payment has cleared. 3) Retain payments on domain suspension/deletion for criminal/spamming fraud activity. 4) Challenge/response verify all whois data: i) Postal address (No PO box numbers allowed) ii) Email address (No webmail accounts allowed) iii) Telephone number (Only landline numbers allowed - no mobile/satellite numbers) 5) Implement & enforce an ICANN standardised AUP that would empower, (& require), the registrar to take specified action on receiving abuse reports regarding spamming and/or criminal fraud activity concerning one of their domains. As far as I am concerned, the registrars are just another link in the spammers chain, and if spam is to be tackled more effectively, then ALL links in the chain have to be vulnerable - you cannot have one part of the chain that considers itself above the law, especially as other parts of the chain regularly now seem to be bombproof..... Discuss.......[/rant]
Recommended Posts
Archived
This topic is now archived and is closed to further replies.