Jump to content

Yahoo Instant Messenger Spam Issues


Devilwolf
 Share

Recommended Posts

I've been getting about 2-10 spams per day sent over Yahoo Messenger. I had some initial success going after the spammers by getting their domains yanked for invalid registration info, and in some cases the hosts would also suspend the domain.

The spam works like this

1) you get an yahoo IM that reads like this

rockykidd841 (1/10/2008 12:49:21 AM): U gotta check this out,BRAND NEW Dating Site !! http://www [dot] 22muchfun[/url] [dot] com

I added the "[dot]" part in case we're not supposed to post links (been a few years since I've been in here

the website 22muchfun autoforwards to a dating or porn site. (site varies, since I'm also been going after the sites, some of whom are major players like singlesnet and true.)

When I first got a spam from 22muchfun I was able to get the registration and the hosting killed.

The spammer then moved over to private domain registration at aplus.net.

22muchfun is hosted in china by scn.com.cn , which I have cc'd on the reports, but they are probably a spammer friend chicom host.

I've complained to aplus.net, and they are claiming that I can't prove 22muchfun is spamming because anyone can send a IM with a website link, and since they are only the register it is not their problem.

But if they are providing 22muchfun with anonymous domain registration, they are providing a service that gives the spammer protection while the spammer is running their bot.net.

They claim the IM are not spam, because you can't prove it came from the spammer seems just wrong. Won't the same logic then mean that web sites advertised in email spam should not be terminated because you can NEVER prove that the party who owns the website is the same as the party who sends the email.

It seems to me that aplus.net is black hat because their policies seem very pro spammer.

Here is the last email I got from aplus.net where the basically tell me its not their problem.

Reported the spams to yahoo, but I think yahoo just ignores them. Even found the site that sells the software to hack yahoo servers to send the spam, and tried to report it to yahoo, and yahoo claims there is nothing they can do (I suspect that yahoo's abuse desk doesn't speak/read English).

I've also having the same issue with Godaddy, which also have a spammer friend private domain registration, they make pretty much the same claims. If you want DG to take action, you have to sue the spammer, and PAY godaddy.

In response to your latest and previous Emails, out Technical Manager has investigated the situation and his response is below.

----------------------------------------------------------------------------------------------------------

There are several reasons why this is beyond anything we can do. First of all, we do not host the site. The domain is registered with us, but that does not make us liable for the content. It would be up to the hosting provider to deal with this customer. The second thing is that sending messages through yahoo messenger is not spam, or at least cannot be proven to be spam. This is because I can go and log in to Yahoo and send out a message inviting people to go to microsoft.com. This does not make microsoft.com the spammer, this makes me the spammer. This person needs to contact yahoo and have yahoo take action against the usernames that are sending out such messages. Again, we cannot be responsible for the content of an IM, or for the content of the hosting plan given the fact that we do not have any control over the files. Suspending the domain is also out of the question because we aren't allowed to suspend a domain unless it hasn't been paid. If you'd like more information, I can try to get it, but honestly this isn't our problem, nor is there anything we can do to prevent/stop it.

As far as the privacy, the reason people purchase privacy is so people do not know who owns a domain, regardless of the reason. Ralph can confirm this, but I think we can only provide that information to authorities and certainly not to any person who asks for it. Our customer has paid us to hide this information for him and we are required to do so unless the authorities request that information. This is the policy with every domain registrar, and there are millions of domains that are this way.

Thanks.

Best Regards,

James D.

Technical Manager

Aplus.Net (www.aplus.net) "Everything for your online business"

---------------------------------------------------------------------------------------------------------

Therefore, and as I originally communicated to you, there is nothing we can do for you. I agree with James in that your best path is to complain to Yahoo.

I can understand the need for private domain registration if you are a private party running a domain for personal use. But if someone is running a business (and organized crime is a business, criminal income is taxable as business income), and that business is selling a product or service, it seems down right unethical to offer a service that allows a business to be unaccountable for its actions.

It seems like aplus.net is engaging in willful blindness of its clients criminal acts. I use the term criminal, because yahoo states on its AUP that it considers spamming thru its servers to be a criminal act, and the majority of spammers do seem to be linked to organized crime and gangsterism.

Anyone here have any experience with fight spammers who hide behind anonymous domain registration? My only idea has been to file a false advertising complaint against aplus.net for not honoring its anti-spam policies, and hoping that Yahoo will eventually wake up and do something.

Moderator edit: broke link.

Edited by turetzsr
Link to comment
Share on other sites

I've complained to aplus.net, and they are claiming that I can't prove 22muchfun is spamming because anyone can send a IM with a website link, and since they are only the register it is not their problem.
According to ICANN, proxy registrants are considered to be the registrants of record even though they are acting on behalf of others (go to http://www.icann.org/registrars/ra-agreement-17may01.htm#3 and scroll down to section 3.7.7.3):
  • "Any Registered Name Holder that intends to license use of a domain name to a third party is nonetheless the Registered Name Holder of record and is responsible for providing its own full contact information and for providing and updating accurate technical and administrative contact information adequate to facilitate timely resolution of any problems that arise in connection with the Registered Name. A Registered Name Holder licensing use of a Registered Name according to this provision shall accept liability for harm caused by wrongful use of the Registered Name, unless it promptly discloses the identity of the licensee to a party providing the Registered Name Holder reasonable evidence of actionable harm."

This means that if aplus is holding the proxy (i.e., is the "registered name holder that intends to license"), and you can show "reasonable evidence of actionable harm" (and we'll let the lawyers argue as to what this is or who is empowered to provide it) aplus is responsible for abuse of the domain unless they provide you with the identity of the "true" registrant. Perhaps you might use these magic words in your next discussion with aplus, maybe cc'ing to ICANN.

Since they are the registrants of record, they are essentially telling you that they don't care that spam is being used to promote "their" domain. This puts them on an equal moral footing with most hardcore spammers.

They claim the IM are not spam, because you can't prove it came from the spammer seems just wrong. Won't the same logic then mean that web sites advertised in email spam should not be terminated because you can NEVER prove that the party who owns the website is the same as the party who sends the email.
Proving "ownership" shouldn't be the issue. We aren't prosecutors nor forensic accountants. We do, however, have a say in the reputation of the website operator. If I operate a clean domain, but have a rogue affiliate (or Joe Jobber) or two, then your reports would tell me that there's a problem affecting my domain (ergo my business) that I need to take care of (and I should ultimately be grateful to you for those reports). Of course, like your pals at 22muchfun, I might not give a rat sass. Unfortunately, there will always be someone who will take my money for net services (or will let me steal them), even if I don't care about your complaints.

It seems to me that aplus.net is black hat because their policies seem very pro spammer.
Not many registrars are what we would call snowy-white in this regard. Many (if not most) see their duty starting and stopping with registration, and avoid spam enforcement like the measles. My own registrar (gkg.net) is, on the other hand, very white-hat in this regard.

Reported the spams to yahoo, but I think yahoo just ignores them. Even found the site that sells the software to hack yahoo servers to send the spam, and tried to report it to yahoo, and yahoo claims there is nothing they can do (I suspect that yahoo's abuse desk doesn't speak/read English).
Can't be of much help here, I know very little about IM other than how to spell it.

I can understand the need for private domain registration if you are a private party running a domain for personal use. But if someone is running a business (and organized crime is a business, criminal income is taxable as business income), and that business is selling a product or service, it seems down right unethical to offer a service that allows a business to be unaccountable for its actions.
I can agree to a point, but proxy registration is very popular among all kinds of people (including your humble correspondent). One thing that it does for me (and others) is to keep our e-mail addresses and other data out of the hands of people who "scrape" whois for marketing leads (or worse). The protection here is that the proxy registrants are supposed to be responsible for any abuse (unless they unmask the true registrants), but as we see this doesn't always happen.

-- rick

on edit: de-garbled some parts of my post

Edited by rconner
Link to comment
Share on other sites

OUTSTANDING!

Well I filed a fraud complaint against aplus.net with the CA Attorney General office. If they don't reject the complaint out of hand (many consumers affairs agencies will not handle spam complaints) I'll use that to back up the compliant.

In the meanwhile I'll see what I can open up with ICANN.

That is also interesting because that seems to make aplus.net a unregistered CMRA (Commercial Mail Rec'ing Agency) because it is providing a mailing address for third parties to use. So, I now have the idea of getting the US Postal Service in on this on the grounds that aplus is providing a anonymous physical mail box for the spammer.

Thank you.

Link to comment
Share on other sites

Well, not surprising, the register told me to go pound sand...

Aplus.Net is the "Registrar", not the "Registered Name Holder." The Registered name holder is our customer and the provision you site refers to his responsibilities as the "Registered Name Holder" if he were to license the domain to another party. This is my read on the situation and it is subject to confirmation by our legal department.

So off to visit ICANN....

Anyone else dealing with IM Spim spam? Would be especially interested if anyone else is getting SPIM for xxxblackbook.com or singlesnet.

Link to comment
Share on other sites

Well, not surprising, the register told me to go pound sand...

So off to visit ICANN....

Aplus is being coy. Yes, they are the registrar, but it is THEIR NAME that appears as the registrant. Their "just a registrar" claim would hold water if not for the fact that they provided the proxy registration data (for which they probably charged five or ten bucks, this is usually an optional and premium service).

Just goes to show that, to use a football analogy (which I am completely unqualified to wield), reporting spam activity to a domain registrar is like a Hail-Mary play: it probably won't get you anywhere, but if it works it does so spectacularly.

Same could probably be said of reporting registrars to ICANN, according to what I hear.

-- rick

Link to comment
Share on other sites

<snip>

The spam works like this

1) you get an yahoo IM that reads like this

rockykidd841 (1/10/2008 12:49:21 AM): U gotta check this out,BRAND NEW Dating Site !! ht tp://www. 22muchfun[/url] [dot] com

I added the "[dot]" part in case we're not supposed to post links (been a few years since I've been in here

<snip>

...Thank you, that is appreciated! :) <g> However, the link still works (at least in Mozilla Firefox). After I post this, I'm going to take the liberty of editing your original post to break it there, as well.
Link to comment
Share on other sites

I actually had some success with getting Singlesnet to fire AzoogleAds which was hiring the spammers to promote their clients. Every time I got a spam that links to any site with an ad for Singlesnet I filed a complaint with the Better Business Bureau for privacy and unethical sales practices.

It kind of tricky to get the BBB involved. If you mention anything about criminal acts they will not get involved. So I have to carefully make in into false and deceptive advertising with high pressure sales tactics issues.

Link to comment
Share on other sites

One of the private domain registered, privacyprotect.org, accepted my screen shot of spim as proof of spam, and turned off the anonymous feature.

The domain comes up to a real address in VERY VERY rural Kansas, so I contacted the town manager by email to ask if the web site owner had the proper fees and permits to run a brothel/adult entertainment business and is he paying the proper business taxes for that class of business.

Link to comment
Share on other sites

I actually had some success with getting Singlesnet to fire AzoogleAds which was hiring the spammers to promote their clients. Every time I got a spam that links to any site with an ad for Singlesnet I filed a complaint with the Better Business Bureau for privacy and unethical sales practices.

It kind of tricky to get the BBB involved. If you mention anything about criminal acts they will not get involved. So I have to carefully make in into false and deceptive advertising with high pressure sales tactics issues.

Devilwolf;

You're not alone. Since Azooglelodites are now 'spIMming', perhaps they understood the "agreement" (judgement?) to suggest that it behooved them to diversify.

http://blog.affiliatetip.com/archives/azoo...torney-general/

http://myfloridalegal.com/__852562220065EE...ht=0,azoogleads

Attorney General Bill McCollum today [November 7, 2007] unveiled a sophisticated team to combat internet-related fraud and simultaneously announced the first agreement reached by the newly-created CyberFraud Task Force. The task force, which takes action against companies who defraud consumers online, is part of the Attorney General’s efforts to make the internet safer for Florida consumers. Housed in the Attorney General’s Economic Crimes Division, the task force today reached a $1 million agreement with internet marketer Azoogle (Azoogleads US Inc.), a New York company that creates and manages internet marketing of cell phone products.

Getting the city manager to levy a bus tax on the target operation address appeals to my sense of righteous retribution, but it would be unenforceable. The county/municipal "assessors" would have to have access to all his hard drives every couple of years and do a forensic audit thereon .... way out of their bailiwick and totally impractical.

Edited by rooster
Link to comment
Share on other sites

You're not alone. Since Azooglelodites are now 'spIMming', perhaps they understood the "agreement" (judgement?) to suggest that it behooved them to diversify.

http://blog.affiliatetip.com/archives/azoo...torney-general/

http://myfloridalegal.com/__852562220065EE...ht=0,azoogleads

Getting the city manager to levy a bus tax on the target operation address appeals to my sense of righteous retribution, but it would be unenforceable. The county/municipal "assessors" would have to have access to all his hard drives every couple of years and do a forensic audit thereon .... way out of their bailiwick and totally impractical.

Well the SPIM has dropped to zero over the past few days, so yahoo probably closed what every loop hole the spimmers are using.

I actually found the company that is selling the spim ware, get them to email me (in PDF) their catalog of spamware and tried to report them to yahoo, but they seem to refuse to take any security/exploit reports from mere mortals, my email was forwarded to the abuse dept, and the abuse department said there is nothing they can do, because its out of their scope of duties.

If anyone on here is a journalist or media.. I'd be more then happy to share a copy of catalog, and show you some websites that help hook-up malware coders and spammers.

Link to comment
Share on other sites

  • 2 months later...

I use the Trillian Basic chat program on my machine which has an AOL IM and a Yahoo IM account setup. I only receive spim on the Yahoo account and only over the last few months. I have record of it back to 02/04/2008 and since then have received 17 of them or about 3-4 a week (though I don't always keep Yahoo IM open 24x7).

I don't know if upgrading to full Trillian would help or if they provide other blocks that are not in the free program. I also haven't contacted Yahoo about this yet as it was only a minor annoyance at the time of once every other week but not that it is happening several times a week it is a hassle and I might also be able to help our customers and clients who might also have this problem or be proactive in even preventing them from receiving it.

They all seem to have a similar layout to what Devilwolf described but all of mine tend to have the same layout of the name (shown at the bottom). Also, my IMs are sometimes in the form of:

  • amy_qw5o2n4: ycz check out my hobby in website :-) shhhh http://www [dot] JENNYSPROFILE [dot] com
  • alleyndsrgr: egm he<blue>y, <black>I ju<black>st p<red>ut <red>a pi<orange>c o<blue>n we<green>bsit<blue>e!

Usernames that I have noticed are:

  • matthiewjwifdhaj
  • ellynnwitzz
  • anjelazgeniaz
  • daisizjannellez
  • debeezhildegardez
  • deloriazwilonez
  • gerrizgaylez
  • joscelinzmayz
  • julesalzzonenrfekrm
  • melisandrazbonniez
  • sianazcasseyz
  • stacyzhelsaz
  • timzrubiz
  • giraudwmcvk
  • alleyndsrgr
  • amy_qw5o2n4
  • yesenia_ws53

Link to comment
Share on other sites

The yahoo account ID are all generated using a scri_pt or bot or paying nigerians to sit around and sign up for IDs...

I looked at the one sample you posted, which ultimately forwards to a site called xxxblackbook dot com

with a referral ID of

http://www.xxxblackbook [dot] com/?s=geolist&geo=1&r=lc125001&rand=1

lc125001 is the spammers payment ID

Although xxxblackbook claims to be taking action against the spammers, my own opinion is that they have just warned their hackers gangs not to spam my IDs after I made a lot of trouble for the hosting company, beanfield [dot] net.

I have a personal contact at beanfield if you want to contact them, but beanfield is not willing to take action against xxxblackbook, they also give the "rogue affiliate" excuse.

Found this site with some good info on xxxblackbook's links to organized crime.

http://matchent.com/wpress/?q=node/231

I use the Trillian Basic chat program on my machine which has an AOL IM and a Yahoo IM account setup. I only receive spim on the Yahoo account and only over the last few months. I have record of it back to 02/04/2008 and since then have received 17 of them or about 3-4 a week (though I don't always keep Yahoo IM open 24x7).

Edited by Devilwolf
Link to comment
Share on other sites

I don't know if upgrading to full Trillian would help or if they provide other blocks that are not in the free program.

Buyer beware! I upgraded my Trillian a while ago in order to gain a feature that they advertised (Groupwise Messenger access) and the feature did not work.

I'm happily using Pidgin (found at Pidgin.im) and don't seem to have any problem with spim, but YMMV.

DT

Link to comment
Share on other sites

DavidT - Thanks for the tip about Pidgin. I just downloaded it and see some additional features that Trillian did not have (such as the "Only allow users on my Buddy list to contact me"). It also incorporates a great many more IM clients such as Google and MySpace and these were separate programs from Trillian that I had to run so now I *finally* have an all-in-one chat client.

The AIM options actually allow use of their proxy server for file transfers and direct IM which, although it may be slower, does not reveal your real IP address. Interesting. Thanks again.

Sidenote: I received a spam email sent to my cell phone today and don't know how to capture any "header" details about it. Darn they are getting good now. Time to go have a talk with Verizon tomorrow.

Link to comment
Share on other sites

You're welcome, Darren. BTW, if you're going to use Pidgin, and like to have "toaster pop ups" in the corner of your screen when people come and go, then you might want to download and install the "Guifications" plugin. I use the "Pidgin 2.0.0" theme of Guifications and like the effect. The plugin is available here:

http://plugins.guifications.org/trac

DT

Link to comment
Share on other sites

  • 3 months later...

Well I'm been hammering at my spimmer's favorite affiliate program (sex search com dot com). I'm been working on the theory, if you can't beat the spammers, beat everyone they work with and for.

Finally got moniker to enforce the Whois Data Accuracy, and the owner of the above site had to post her home phone on her whois info in order to get her website turned back on. (Yes it is her real ph#, I checked it against her incorporation papers, which florida posts online).

Sent one of the Spimmer's Prefered Register's CEO into a screaming fit on WHT when start writing about how his company was aiding and abetting RICO by allow an ongoing criminal enterprise to register domains with fake contact info.

Driven the Spimmer off 5 different registers, unfortunately he has settled in with a register in the Kleptocracy of China now.

I'm also decided to declare war on "get a free lancer dot com" as they seem to be allowing a lot of SPIMware writers and Yahoo Acct Stealers to buy and sell on their site.

Do a search on there on "CAPTCHA" and there are dozens and dozens of people offering anti-CAPTCHA services.

Link to comment
Share on other sites

Finally got moniker to enforce the Whois Data Accuracy

That's surprising, in that Moniker.com is in the top 10 of "The 10 Worst Registrars in terms of spam advertised junk product sites and compliance failure" maintained by KnujOn.com (see this forum topic and this link).

My wife's email account was hit for a week by spammers hiding behind private Moniker registrations, and the domains are still resolving, despite complaints sent directly to the owner of Moniker.

DT

Link to comment
Share on other sites

That's surprising, in that Moniker.com is in the top 10 of "The 10 Worst Registrars in terms of spam advertised junk product sites and compliance failure" maintained by KnujOn.com (see this forum topic and this link).

My wife's email account was hit for a week by spammers hiding behind private Moniker registrations, and the domains are still resolving, despite complaints sent directly to the owner of Moniker.

Domain cloaking I have noticed seem to exist to allow spammers and registers to stay in bed. Its allows them to stall on enforcing AUP by weeks or months. I've found that even supposed white hat registers like Godaddy will drag the feet on cracking down on spammers who use their proxy services.

I can see no reason why a business needs a proxy/anonymous domain. I can understand using them for purely personal sites, but consumers have a RIGHT to know the legal address for business. A Business that hides its legal address is up to no good.

Usually I just start filing complaints with the Attorney General office and/or the BBB (which one spam friendly register calls the BBB "extortionists").

It did take me almost 7 months to get Moniker to crack down ONE site's bad registration data.

Link to comment
Share on other sites

I can see no reason why a business needs a proxy/anonymous domain. I can understand using them for purely personal sites, but consumers have a RIGHT to know the legal address for business. A Business that hides its legal address is up to no good.

The reason is that much email spam and other unsolicited contact comes through domain registrations. I do not hide the information for my companies sites, but I do use a specific address and report all spam that comes to that address. I also complain to all mailings that I can prove got their information from the registration (due to specific information used only there).

Link to comment
Share on other sites

I would think the 'legal address' would be the physical address and landline phone number and contact person.

I can understand the problems about the email contact. But the domain name should be available for any business on the internet - otherwise how would you do business? And there should be a way to contact that business via snail mail and telephone with a name (which can be gotten from the Secretary of State, after all, wherever they have incorporated).

Private individuals could use the registrar address, but not anyone who is doing business on the internet.

Miss Betsy

Link to comment
Share on other sites

Although xxxblackbook claims to be taking action against the spammers, my own opinion is that they have just warned their hackers gangs not to spam my IDs after I made a lot of trouble for the hosting company, beanfield [dot] net.

I have a personal contact at beanfield if you want to contact them, but beanfield is not willing to take action against xxxblackbook, they also give the "rogue affiliate" excuse.

I would like to try contacting them as well. I've been getting alot of spam from xxxblackbook as well and agree that the registrar bears at least some of the responsibility. I'm also not sure if I believe that they are taking action against spammers. I get spIM that directs me to their homepage, not to a particular member's page.

Link to comment
Share on other sites

  • 8 months later...

xxxblackbook is back to spamming. They took a break for about 9 months, but them seemed to have found a new trick..

They registered domains thru namecheap enom, then namecheap contracts with gigenet for proxy hosting, so the spimvertised domains appear to be hosted by gigenet, but gigenet (which I think is a two person firm) acts as cut-out for namecheap, and protects namecheap with the old "Its a client of our client's client excuse"

But in the end all the spim goes back to beanfield.net client xxxblackbook

Link to comment
Share on other sites

They are also using .ws domains, because that TLD seems to have very weak rules about domains with fake contact info. I spoke with Leo at wsdomains.ws who said there is little they can (or are willing to do) to crack down on affiliates who register domains with fake contact info in the .ws TLD

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...