10 worst registrars

[Telarin]

For those of you that aren't signed up with Knujon, they provided an interesting link in my reports this morning. By analyzing reports, they have rated the 10 worst registrars, based on the Proportion of spammed domains to total domains registered. Have a look here. I suggest we all boycott all of these registrars, as there is no reason for this level of irresponsibility from what is supposed to be an ICANN accredited registrar.

http://www.knujon.com/registrars/

[StevenUnderwood]

For those of you that aren't signed up with Knujon, they provided an interesting link in my reports this morning. By analyzing reports, they have rated the 10 worst registrars, based on the Proportion of spammed domains to total domains registered. Have a look here. I suggest we all boycott all of these registrars, as there is no reason for this level of irresponsibility from what is supposed to be an ICANN accredited registrar.

Funny that Joker is on that list since SpamCop was originally registered through them until an (at the time) famous incident. http://www.julianhaight.com/jokerstupidity.shtml

[ld650]

For a while I was trying to document eNom's spam support on their wikipedia page, but one of their employees of their parent company (Demand Media) is on the friendly with a few wikipedia admins and has done a pretty decent job of scrubbing their page squeaky clean. A glance through the edit history is pretty revealing.

[Merlyn]

For a while I was trying to document eNom's spam support on their wikipedia page,

Enom's support or lack of it?

[rconner]

Got a spam today (tracking link) calling out spam site at "heardgive dot cn." It was a botnet hosted domain (nslookup returned about 20 addresses). Here's what I got from domain-whois:

$ whois heardgive . cn
Domain Name: heardgive . cn
ROID: 20071204s10001s42303010-cn
Domain Status: ok
Registrant Organization: theNoun
Registrant Name: HimNil
Administrative Email: goto[at]bedwoman.cn
Sponsoring Registrar: 厦门åŽå•†ç››ä¸–网络有é™å…¬å¸
Name Server:ns0.nameedns1.com
Name Server:ns0.renewwdns1.com
Registration Date: 2007-12-04 21:00
Expiration Date: 2008-12-04 21:00

This is a pretty sorry registration record all the way around; you can't possibly make a case that this is any wise ICANN compliant. By the way, Systran gives the following translation for the "Sponsoring Registrar:" "Xiamen Chinese businessman prosperous times network limited company."

Prosperous times, indeed. Limited, indeed. Sheesh. OK, ICANN, howz about these guys?

-- rick

[Farelf]

I have been complaining (in my usually shy and restrained way) about 厦门华商盛世网络有限公司 - Xiamen group - in the SiteAdvisor reviews for months in relation to the endless succession of Google AdWords phishing sites they sponsor (and 广东时代互联科技有限公司 - Guangdong - before them, though to the possible credit of the latter they may have stopped accepting the things).

Forget about ICANN, this is the condoning or complicency in blatent criminality and, it's been going on for so long the same charge of corruption must surely apply to the regional government and perhaps to the PRC government as well. Though they may prefer to run with 'incompetence' for the usual political reasons. That and the fact that corruption in China can be a capital (no pun) offence - though I have the feeling that economic crimes against foreigners are more likely to be regarded as service to the state, call me unkind if you must.

BUT, all that aside, I must say that is the most amusing set of fake registrant's data I have seen in many a day. No doubt it gave the registrar a few chuckles as well. The phish sites just use meaningless jumbles of letters (as are the domain names). No fun in them.

[Devilwolf]

I've been going around with eNOM myself about all the spam sites with bogus contact info being registered thru their reseller Namecheap.com. When I faxed 10 pages of 30+ day old ICANN whois data problem reports that where unresolved. That finally got a response and they seem to be killing the domains, but so far have not taken action against namecheap's contrived ignorance.

Anyone else have any experiences with Namecheap.com on the spam front?

Almost all of the YAHOO SPIM I get comes from sites registered thru namecheap.

[Farelf]

...I've been going around with eNOM myself about all the spam sites with bogus contact info being registered thru their reseller Namecheap.com. When I faxed 10 pages of 30+ day old ICANN whois data problem reports that where unresolved. That finally got a response and they seem to be killing the domains, but so far have not taken action against namecheap's contrived ignorance. ...

To go a little O/T - I suppose namecheap can always change services but maybe complaints to the referral service shouldn't be overlooked as another way to gain their attention.

H:\>whosip -r Namecheap.com

WHOIS Source: ARIN

IP Address: 216.180.235.117

Country: USA - Georgia

Network Name: GNAXNET

Owner Name: Global Net Access, LLC

From IP: 216.180.224.0

To IP: 216.180.255.255

Allocated: Yes

Contact Name: Global Net Access, LLC

Address: 1100 White St SW, Atlanta

Email: engineering[at]gnax.net

Abuse Email: abuse[at]gnax.net

Phone: +1-404-230-9150

Fax:

...

# ARIN WHOIS database, last updated 2008-06-18 19:10

Global Net Access, LLC

abuse[at]gnax.net

GNAX TOS doesn't get specific but

...Customer will not, and will not permit others to, use any Service(s) (i) for any unlawful or illegal purpose or in connection with or in furtherance of any unlawful or illegal activity, (ii) in violation of any applicable law or regulation, (iii) in a manner that will, or is likely to, infringe the copyright, trademark, trade secret or other intellectual property rights of others or violate the right of privacy, publicity or other personal rights of others, or (iv) in connection with any conduct or activity that is, in the sole opinion of GNAX, defamatory, indecent, obscene, offensive, threatening, abusive, hateful, tortious or violative of the rights of any other person or entity;...

certainly covers some possible grounds.

[Devilwolf]

Farelf... I like the way your mind works...

[Devilwolf]

Well its looks like the Yahoo Spimmer has moved to a new register after eNOM started killing his domains with 20 mins of me reporting them. He is now using estdomains.

Maybe that article has put some fear into eNOM as a US company.

[rconner]

Well its looks like the Yahoo Spimmer has moved to a new register after eNOM started killing his domains with 20 mins of me reporting them. He is now using estdomains.

Maybe that article has put some fear into eNOM as a US company.

Awesome. I looked at some of these domains myself, and they are looking like the Wicked Witch of the West when the house fell on her. Good job!

-- rick

[Devilwolf]

As much as I hate the spam, its kind of fun peeling back the layers. A lot of the SPIM has been advertising a dating site in florida... Registered with a real address, but fake ph#...

Today I had the inspiration of running the domain owner's name thru the Dept of Corp site in Florida, and low and behold she filed her corporation papers with her correct home ph#.

Call the number, and the women who answered did not say I had the wrong number when I asked for the women named, but when I told her I was calling about spam, she then denied that she was the person listed.

I think she is just a front for the real owners here in California, but I'd guess she is not gonna be happy about her boss' spam victims having her home ph#.

[Devilwolf]

estdomains should be added to the worst list. When I finally beat the SPIMMER off Namecheap and ENOM he moved to estdomains. When I sent estdomains the same proof of SPIM reports that eNOM would act on, here is that they said (after taking a week).

Hello,

Kindly note that Estdomains

is the Domain Registrar, not the hosting company, thus, according to the

ICANN rules, we are dealing only with the domains, which are involved in

Email spam, child pornography distribution, or display Inaccurate Whois

Information. We ask you not to send us any letters regarding the domains

registered with us, which are involved in any other type of activity. The

responsibility for such domains is on their hosting company, thus, you

should better write them. You can find this information using different

web-services, we recommend you to use http://www.whois.sc/, it gives you all

information about hosting company when you search for a domain and after

that click on IP address at the right of the page.

Regards,

Abuse Team

Estdomains appears to have no AUP, and is listed in some reviews as being the register of choice for scammers next to Joker.

[btech]

I use the Complainterator for the domain and nameserver reporting... love it.

[Devilwolf]

Maybe Estdomains has a lurker on here, as they promptly emailed me after I posted that, and killed the domain.

Complainterator seems to blow chunks on my computer, may it doesn't like Firefox 3

[DavidT]

All this week, I've been battling a steady stream of spams hitting my wife's email address (which then forwards to a SpamCop email account). Almost 100% of them were spamvertising products/scams on domains registered at MONIKER, which was #6 on the KnujOn list (but 2nd highest for site volume, and 1st for innaccuracy count).

All of the spams originated on IPs belonging to Krypt.com, a webhost in Southern California, but from somewhere around 50 unique IPs, rather than just a few. All of the domains/websites are hosted by E-insites.com of Washington. I processed SpamCop reports on all of the items, and then called Krypt.com a few days into the spam run to see if they had a clue. They told me that spam reports shouldn't be going to their "hostmaster" or "info" addresses, but rather to "abuse" at either Krypt or VPLS, their parent company. I then added that address to my subsequent reports, and even sent a bunch of items directly to them, but the spamming continued, unabated.

So, I posted negative messages on WebHostingTalk.com about the spamming coming from Krypt, and because they advertise there regularly, one of their reps got wind of my post and rose to their defense ("we have White Hat status from SpamHaus," yada yada...). I kept up the pressure until he agreed to private communications about the problem and after going through the usual excuses ("we notified the customer, but they have 48 hours to respond"), action was finally taken and the spamming seems to have stopped.

I also sent "To Whom It May Concern" warnings to E-insites and to the owner of Moniker (Monte Cahn), advising them that I've seen lawsuits against them and would be willing to join in and testify about their apparent "bulletproof spam hosting" arrangements. I doubt they'll respond, but it's fun tweaking their beaks.

In any case, I think Krypt was very cooperative and killed the account(s) responsible for the actual transmission of the spam, so this is at least a partial "confirmed kill." Part of my success with Krypt was that before my reporting, their SenderBase/IronPort reputation was "good" but after a few dozen of my reports, I saw it degraded to "neutral." They seemed interested in protecting their server reputation.

DT

[g4mby]

Anyone else have any experiences with Namecheap.com on the spam front?

A few months ago I found several domains used for spamming had been dumped in the Namecheap Marketplace, for sale at around $5 to $15. As far as I could see they were first registered at Namecheap and not transferred in. The common link was that they were all for sale by the same Namecheap user whose user-name revealed some interesting references when searched for in Google. What surprised me was the implied size of the spamming operations that some of these domains had been used for. The SenderBase site confirmed some of my findings. These domains should of course been killed rather than made available to an innocent party wanting to pick-up a cheap domain with an attractive name.

I now look at Namecheap in a slightly different light.

[Devilwolf]

[at]g4mby

Should post your namecheap story on the "Namecheap supports spammers?" thread on webhosting talk... The Owner of NC hang out on there, and he has such entertaining temper tantrums when people post about she spammy clients.

[at]davidT - read your posts on WHT... Great! I've found posting on WHT is often a good way to either get some humor, or occasionally shame a reg/host into taking action. They really seem to hate anti-spam activists over there.

[DavidT]

[at]davidT - read your posts on WHT... Great! I've found posting on WHT is often a good way to either get some humor, or occasionally shame a reg/host into taking action. They really seem to hate anti-spam activists over there.

I'm getting that impression...but I don't care if they like me, as long as my postings either elicit positive response from recalcitrant/irresponsible hosts, or shine some light on spam-friendly hosts.

I've got a new one today....I think I'll post a new topic here, since it's not specifically registrar-related.

DT

[Devilwolf]

Dynadot in San Mateo CA seems to be a spam/spim friendly anonymous register. Here is their reply to the Better Business Bureau in regards to SPIM for a domain that they allow to hide behind their proxy service.

Contact Name and Title: Dynadot Staff

Contact Phone: (650)585-1961

Contact Email: abuse at dynadot

Hello,

First of all, please note that Mr. ______ is not our customer. He does not have a Dynadot account with us. Mr. Falk is submitting a complaint against the actions of our customer, Mike Smith, who has registered zonebone dot com with Dynadot.

Also, this complaint is in regards to a Yahoo IM (instant message) 'spam' message. The current laws state that spam is a bulk and unsolicited email message. There are no laws concerning IM 'spam' messages. Furthermore, Dynadot has no control over Yahoo's IM service. Shouldn't Mr. Falk be submitting a complaint against Yahoo! since he is technically a customer of their instant messaging service?

We ask that the BBB dismiss this case completely since it appears that Mr. Falk is submitting his complaint in regards to the wrong company.

Best Regards,

Dynadot Staff

Does it appear to my fellow readers that Dynadot has just admitted to allowing its customer to spam, and is unrepentant about it?

zonebone

Registrant:

Mike Smith c/o Dynadot Privacy

PO Box 701

San Mateo, CA 94401

US

Mike Smith may be the spammer, but his business address is Dynadot, and Dynadot is getting paid to hide his real address and contact info.

[rconner]

Does it appear to my fellow readers that Dynadot has just admitted to allowing its customer to spam, and is unrepentant about it?

Their response certainly points in that direction, but domain registrations are, as always, very squishy things.

I assume you have tried quoting Dynadot's TOS back at them. I loooked at the Dynadot TOS (which is here), and it is certainly up to snuff as these policies go. They say that they may suspend services to any customer who uses their services "...in association with morally objectionable activities," which are denoted with an open-ended definition that includes "...the transmission of unsolicited mail or 'spam' (or) activities that ... defame, slander, harass, embarrass, threaten, abuse, or harm third parties." One might well put continued IM spamming into one or more of these buckets. This definition doesn't even seem to require that the immoral activities be carried out directly using Dynadot resources (e.g., mail hosts), which is pretty comprehensive as spam policies go. Of course, they have given themselves an out by saying that they "may suspend" (not "will suspend") violators of the policy. If "Mike Smith" is a long-time customer without much history of complaints, or perhaps the beneficiary of a "pink contract" with Dynadot, it could be hard to get Dynadot to dislodge him as a practical matter.

Their claim that you need to take this up with Yahoo might be defensible by analogy with SMTP spam (because as far as I know IM, Yahoo actually is the "spam source" -- as well as the sink -- of the offending IM messages). However, the fact that Yahoo may also be responsible does not let Dynadot or its registrant off the hook, especially given the comprehensive wording of Dynadot's TOS. It's their policy, they wrote it, they should carry it out or else stand in breach of it.

The business about IM not being e-mail is a bit disingenuous on their part, and might be an avenue worthy of further pursuit. "Electronic mail" is a descriptive term, not a defining one: it could apply to dinosaurs like X.400 or PROFS, or proprietary systems like MS Exchange, just as well as it does to SMTP. One can even put SMS and IM into this category without much mental effort. I took a look at CAN spam to see whether there might be a crisp definition of "email message" (i.e., one that might include SMTP but exclude IM, SMS, or the like), but I didn't find one, so the lawyers and their expert witnesses could choose up sides to argue as to whether an IM is or is not an electronic mail message. To me, however, saying that IM isn't a form of electronic mail may be setting up a distinction without a difference (as my semantics prof used to say).

To sum up, I'd argue that the continued IM spamming constitutes "morally objectionable activity" under one or more clauses of Dynadot's own published TOS, so the onus is on Dynadot to show why they need not enforce the TOS on the registrant. Nor does their claim that "IM is not e-mail" stand much scrutiny (at least not where CAN spam is involved).

-- rick

[Farelf]

...Does it appear to my fellow readers that Dynadot has just admitted to allowing its customer to spam, and is unrepentant about it?...

No question about it. But they are saying it is legal/lawful which may be the case (though the line between spim & spam ... is pretty nebulous with 'convergence' and all).

...Mike Smith may be the spammer, but his business address is Dynadot, and Dynadot is getting paid to hide his real address and contact info.

IIUC a registrar may 'proxy' for a registrant but is then responsible (to all intents and purposes *is* the registrant). But 'Dynadot Privacy' (along with PrivacyProtect.org and others of like nature) don't quite do that - they supposedly just protect the data from misuse/scraping. Until shown to do otherwise - and to do 'otherwise' in a systematic or habitual way, I suppose. In practice of course, they surely are mere refuges for many spammers - and (who knows?) maybe some few 'legitimate' persons of a 'retiring disposition'.

I get the impression that the Dynadot people are quite adept at skating on thin ice. Unfortunately it is not hard for such mavericks to be smarter than the legislators and other 'rule makers'.

[Devilwolf]

Well correct me if I'm wrong, but email does seem to imply that a sender has some level of legal right to send their data thru another company servers. When I email mom, I don't have to agree to a TOS/AUP for every computer my email crosses - just my ISP.

But in order to send an IM, you have to have an acct with an IM provider, and most IM providers have policies that prohibit SPIMming, BOTnets, auto-responders, using automated CAPTCHA breakers. So the spimmer is accessing a computer that they don't have permission to access, which should make the act of spimming a form of illegal computer access.

It would be nice if Yahoo got off their ass, but they are on verge of bankruptcy or waiting to be acquired by someone, so they have probably fired the one guy working the abuse desk... they have never shown the level of aggressiveness against spammers that microsoft, AOL and even Earthlink have.

But even if spimming is "legal", I think dynadot screwed up by allowing some abuse desk jockey to answer my compliant with the BBB in such a off handed way, since it shows willful blindness, and they have not yet gotten the complaints I filed with the CA attorney general office. I'm playing up the "what about the children" angle with them, because the sites that spimmer advertises have XXX porn right on the welcome screen, and we all know that chldren's heads explode when they see porn (and our Gov Terminator has his panties in knot about child porn right now, he is looking for companies to bully similar to how the NY AG made all the major ISP (RR, AOL, AT&T, Sprint) eliminate Usenet access last month).

Also if I state that I'm not satisfied with their response (which I'm not) it counts as a black mark with the BBB (and they are a paying member).

Bill Smith can't be that important a client, he is a new client, started with them on July 1st after I drove him off Namecheap, eNOM, and Estdomians, but I guess times are tough, and every spam Dollars counts.

Oh Dynadot is in San Mateo, CA. That is also the regional HQ for the US Postal Inspectors... I wonder if Dynadot has a CMRA permit

[Devilwolf]

There is an article today in the LA Times about Demand Media, which owns eNom. Its seems we're seeing the same revolving door of spammers and spyware distributors who get caught, get a slap on the wrist, and then "re-invent themselves".

Demand Media is run by Richard Rosenblatt who has had...

brushes with controversy. The Federal Trade Commission sued IMall (founded by Rosenblatt) and two other founders -- but not Rosenblatt -- in 1999, accusing them of misleading customers with unrealistic tales about the money they could earn selling ads on their Web pages.

In 2005, then-New York Atty. Gen. Eliot Spitzer sued Intermix (run by Rosenblatt), alleging that it conned millions of consumers into installing ad-spewing spyware on their computers.

Both of those cases settled for millions of dollars without admissions of guilt. Still pending is a suit brought by Intermix investors who say Rosenblatt and other directors sold the Los Angeles company to News Corp. too cheaply because of sweetheart deals that included accelerated stock-option vesting and indemnification for any alleged misdeeds. Rosenblatt said he was proud of the price he won for a company with a 2004 market value of $70 million.

Big Business loves spammers its since Demand Media has gotten

Oak Investment Partners invested in 2006, as did Spectrum Equity Investors. Goldman, Sachs & Co. joined them in 2007. Their stakes value the company at $1 billion, and they hope to sell stock to the public next year.

We really need to work up the social stigma of being a spammer/malware distributor to at least that of pedophile...

Although his desire for Venture Capital is probably why one of Rosenblatt;s minions at DM was so quick to kill off 20+ spammer domains when I started threaten to file regulator complaints.

[ugnn]

...but I don't care if they like me, as long as my postings either elicit positive response from recalcitrant/irresponsible hosts, or shine some light on spam-friendly hosts.

Careful how and where you post.

I posted to CastleCops following the KnujON post

"Should KnujOn back off of rogue registrars"

I gave a resounding YES, and followed with several links to my articles ANTI-spam, ANTI-KITING, ANTI-DOMAIN TASTING

Several hours later one of my domains was knocked out, and I had to sift through 5,845 spams which were received in a 1-hour period. Lost two days of email sorting things out.

Not a pretty sight.

:angry: