The ICANN is a sock puppet of the US Dept of Commerce. If the US Govt wanted spam stopped, ICANN would enforce its rules quickly and spammers would lose their domains so fast there would be no point in spamming any more. Spam is company policy. They want to get rid of the public SMTP email system and replace it with something centralized with back doors for govt and advertisers.

Imagine what would happen if 60 Minutes did an expose on Microsoft’s and Yahoo’s role in the Nigeria fraud spam. Now ask why they never will.

Your site, as well as mine, were used as reference sites for the ICANN team to look at as domains that have been used as hijacked senders. Since you mention it on your front page it seemed appropriate to include.

You seem to be fighting the good fight, but may I ask why my domain name is listed in the “Dear ICANN team” mail(s) cited above? I hope it is as an example of the victimized and not the perpetrators. If so, please make this more clear in future.

My domain [veino dot com] has been victimized in the same way by this “fake sender” scheme. I and it are not part of the origination of this scourge. I too get 0->~50 bounced messages returned to me daily, whenever the mood hits them for some more SPAMming (interestingly enough they seem to be now using a x weeks on, y weeks off approach; the traffic ebbs and flows).

The thing that really ticks me off is that I am losing more and more email addresses at my domain… as I need to disable them due to the faked outgoing addresses becoming incoming SPAM targets, after they apparently end up in some other victim’s address book (and subsequent virus target?). Some of them turn out to be desireable or valid addresses at my domain, and now they are trashed. So not only am I being robbed of my time in filtering the bounces, but the value of my domain is being impacted.

I have archived every mail returned from the SPAM activities and live in the good old state of Massachusetts, so I will be giving the AG’s office a call. I have had similar problems with the lack of effective registrar response to those I see cited above. In my experience, you were lucky even to get a reply… I’ve not experienced even that, when I’ve complained to the registrars.

DonV

yourgoldenhealth.info drrecommends.info themeds.info yourmedz.info

-and more recently- yourbestmedz.info healzymen.info

As I dug through these domains trying to get these shut down, as they seem to serve only for spamming domains, I found something interesting in common for all six of them: Tucows.com. I didn’t even know they were a registrar for internet domains. In fact, they happen to be known to ICANN as R139-LRMS. They have registered, and continue to hold registration status “OK” for all six of these domains. I have contacted tucows, and they refuse to do anything about this.
I have since taken my complaint to ICANN, and have not yet received any response from them. I brought this to ICANN on the merit of the fact that of the original four, three of them are registered to invalid email addresses (hence bad WHOIS data). Nothing has changed in response to that, either.

Any ideas from anywhere would be great. The first four domains all resolve to a Chineese ISP (chinamobile.com) for the ns1..info address, with their ns2..info addresses resolving to a Korean ISP. Trying to get through to these ISPs has been almost impossible. I am in the process of working with their CERT teams, but that is excrutiatingly slow going.

See http://www.icann.org/announcements/advisory-03apr03.htm Note reason 1 for immediate domain suspension: ‘The customer’s “willful provision of inaccurate or unreliable information” ‘

Yep, that is our Leo.

Report these domains to ICANN here: http://wdprs.internic.net/

If the registrar refuses to do anything, you can report here: (this implies having contacted the registrar directly at addresses found at http://www.internic.net/contact.html) http://reports.internic.net/cgi/registrars/problem-report.cgi

Alternatively, if you believe you have valid proof that the registrar is deliberately not honouring his registrar agreement(see http://www.icann.org/registrars/ra-agreement-10nov99.htm), mail registrar-info@icann.org.

Best of luck.

Regards

E

• kjz

Each of these two have at least one alias name that they also own and register under. It also doesn’t seem that they do anything to actually verify the information given to them.

If you’re looking to get the domains shut down due to bad registrant info, I would recommend going after the email address. For some reason spammers like to use yahoo addresses (because they’re free, I suppose). If you show yahoo proof that the yahoo address is being used to register spamming internet domains, they will shut down the email account, and then you can pass that data back to the registrant and/or ICANN as bad WHOIS data.

Happy hunting…

Registrant: JEFF westbury (PM4ZV) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

Administrative Contact: JEFF westbury (ETMVB) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

Technical Contact: JEFF westbury (PM4ZV) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

Billing Contact: JEFF westbury (XWPYF) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

Record last updated on 2005-08-19 00:00:00 Record created on 2005-08-17 00:00:00 Record expires on 2006-08-17 00:00:00 I have since reported this group to internic, by emailing “abuse@internic.net”. We’ll see if that does anything, as abuse@aplus.net certainly doesn’t. On the same note, I’ve also tried the support link on aplus.net, which leads to a “chat” window. In the window, you’ll see any of a variety of names, accompanies by one of about 5 “real pictures”. The chat seems to be driven by a bot, as they never say anything useful other than to send your complaint to “abuse@aplus.net”.

Lart away at http://wdprs.internic.net/ (Invalid whois data)

“17. They seem to have hijacked my domain name as well for their fake FROM headers. The web addresses in the message have domain names that trace back to the same Jeff Westbury, IP of web server 221.11.133.68 is in China.”

Or is Leo Kuvayev still evolving? more likely ….

Domain Name : mirooteryci.com (MIROOT2-BMN-DOM) Registrar : BookMyName Whois Server : whois.bookmyname.com Referral URL : https://www.bookmyname.com

Registrant / Admin Contact : PERSON Jeff WESTBURY (WESTBU18-BMN-PE)

77 BEAK STREET 118

w1f9db London UNITED KINGDOM phone : 13473285225 fax : e-mail : JohsephWinst@yahoo.com

Billing Contact : PERSON Jeff WESTBURY (WESTBU18-BMN-PE)

77 BEAK STREET 118

w1f9db London UNITED KINGDOM phone : 13473285225 fax : e-mail : JohsephWinst@yahoo.com

Technical Contact : PERSON Jeff WESTBURY (WESTBU18-BMN-PE)

77 BEAK STREET 118

w1f9db London UNITED KINGDOM phone : 13473285225 fax : e-mail : JohsephWinst@yahoo.com

Domain servers : ns0.hostsbackop.com (NHC124-BMN-HST)

ns1.hostsbackop.com (NHC125-BMN-HST)

However, looking at NS! Registrant: Individual 77 BEAK STREET 118 London, GB w1f9db GB 13473285225

Domain Name: HOSTSBACKOP.COM

Administrative Contact: Winst, Johseph JohsephWinst@yahoo.com 77 BEAK STREET 118 London, GB w1f9db GB 13473285225

Technical Contact: Winst, Johseph JohsephWinst@yahoo.com 77 BEAK STREET 118 London, GB w1f9db GB 13473285225

Record last updated 08-15-2005 05:28:07 PM Record expires on 08-15-2006 Record created on 08-15-2005

Domain servers in listed order: NS0.HOSTSBACKOP.COM 222.47.94.32 NS1.HOSTSBACKOP.COM 61.234.241.246

<http://www.spamcop.net/sc?id=z796153090z5b763850c042ec7bed4cb0040cd5d220z>

which leads to a website:

<gggthx.bcunbrentmh.com>.

Doing a little ‘nslookup’ digging, I find that bcunbrentmh.com’s authority DNS records are at ns0.mammonnnjff.com and ns1.mammonnnjff.com. When I set my DNS server to ns0.mammonnnjff.com, and look up gggthx.bcunbrentmh.com, it then claims there that the DNS authority records are ns1.raperconnn.biz and ns1.raperconnn.biz.

Interesting name, ‘raperconnn’??

Further, gggthx.bcunbrentmh.com having an IPv4 address of 222.47.78.229 == the IPv4 address of ns1.raperconnn.biz == the IPv4 address of ns0.mammonnnjff.com!!

> set debug
> gggthx.bcunbrentmh.com
Server:  ns0.mammonnnjff.com
Address:  222.47.78.229

;; res_mkquery(0, gggthx.bcunbrentmh.com, 1, 1)
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 61633, rcode = NOERROR
        header flags:  response, auth. answer, want recursion
        questions = 1,  answers = 1,  authority records = 2,  additional = 2

    QUESTIONS:
        gggthx.bcunbrentmh.com, type = A, class = IN
    ANSWERS:
    ->  gggthx.bcunbrentmh.com
        internet address = 222.47.78.229
        ttl = 259200 (3D)
    AUTHORITY RECORDS:
    ->  bcunbrentmh.com
        nameserver = ns1.raperconnn.biz
        ttl = 259200 (3D)
    ->  bcunbrentmh.com
        nameserver = ns2.raperconnn.biz
        ttl = 259200 (3D)
    ADDITIONAL RECORDS:
    ->  ns1.raperconnn.biz
        internet address = 222.47.78.229
        ttl = 259200 (3D)
    ->  ns2.raperconnn.biz
        internet address = 221.11.133.68
        ttl = 259200 (3D)

------------
Name:    gggthx.bcunbrentmh.com
Address:  222.47.78.229

[Querying whois.neulevel.biz]
[whois.neulevel.biz]
Domain Name:                                 RAPERCONNN.BIZ
Domain ID:                                   D10251032-BIZ
Sponsoring Registrar:                        NETWORK SOLUTIONS INC.
Sponsoring Registrar IANA ID:                2
Domain Status:                               clientTransferProhibited
Registrant ID:                               39651578
Registrant Name:                             DEAN WESTBURY
Registrant Address1:                         177 Beak Street
Registrant City:                             London
Registrant State/Province:                   GB
Registrant Postal Code:                      W1F 9DB
Registrant Country:                          Great Britain (UK)
Registrant Country Code:                     GB
Registrant Phone Number:                     +1.13473285225
Registrant Email:                            jeff_resale_domainz@yahoo.co.uk
Administrative Contact ID:                   39723119
Administrative Contact Name:                 Dean Westbury
Administrative Contact Organization:         NA
Administrative Contact Address1:             77 Beak Street, #118
Administrative Contact City:                 London
Administrative Contact State/Province:       GB
Administrative Contact Postal Code:          w1f9db
Administrative Contact Country:              Great Britain (UK)
Administrative Contact Country Code:         GB
Administrative Contact Phone Number:         +1.13473285225
Administrative Contact Email:                deanwestbury@pookmail.com
Billing Contact ID:                          39651578
Billing Contact Name:                        DEAN WESTBURY
Billing Contact Address1:                    177 Beak Street
Billing Contact City:                        London
Billing Contact State/Province:              GB
Billing Contact Postal Code:                 W1F 9DB
Billing Contact Country:                     Great Britain (UK)
Billing Contact Country Code:                GB
Billing Contact Phone Number:                +1.13473285225
Billing Contact Email:                       jeff_resale_domainz@yahoo.co.uk
Technical Contact ID:                        39723119
Technical Contact Name:                      Dean Westbury
Technical Contact Organization:              NA
Technical Contact Address1:                  77 Beak Street, #118
Technical Contact City:                      London
Technical Contact State/Province:            GB
Technical Contact Postal Code:               w1f9db
Technical Contact Country:                   Great Britain (UK)
Technical Contact Country Code:              GB
Technical Contact Phone Number:              +1.13473285225
Technical Contact Email:                     deanwestbury@pookmail.com
Name Server:                                 NS1.RAPERCONNN.BIZ
Name Server:                                 NS2.RAPERCONNN.BIZ
Created by Registrar:                        NETWORK SOLUTIONS INC.
Last Updated by Registrar:                   NETWORK SOLUTIONS INC.
Domain Registration Date:                    Fri Jul 01 13:15:42 GMT 2005
Domain Expiration Date:                      Fri Jun 30 23:59:59 GMT 2006
Domain Last Updated Date:                    Tue Jul 26 16:25:34 GMT 2005

>>>> Whois database was last updated on: Sun Aug 14 23:05:04 GMT 2005 <<<<

  (NeuLevel, Inc. disclaimers and terms omitted.)

I wonder if this problem could be attacked by going to the sponsoring registrar for the DNS, Network Solutions?

I hope this helps. -David

Did it ever stop? Did you somehow get them to stop?

Today is the 12th of August.

ICANN has done njada. But then ICANN has of late become nothing more than a lot of hot air. Despite concrete proof of wrong doings by registrars, they do zip. $$$$$$?

Registrars have done njada. $$$$$$?

Party is Russian, in fact it is Leo Kuvayev.

Anybody in Massachusetts, you may wish to phone up Attorney General Tom Reilly’s Hotline. “Attorney General Reilly’s Consumer Hotline at (617) 727-8400″

The Russian “Mr Westbury” New Yorker may have a bit of a suprise comming.

http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1426

http://reports.internic.net/cgi/registrars/problem-report.cgi

• kjz

Valid or not, he listed jeffwestbury@pookmail.com as his contact address. I sent an E-mail to that address placing him ON NOTICE under the provisions of the CAN-SPAM Act that my address is off limits to spam and that I would file criminal (felony?) charges against him if the harassment continued. I also used the “Remove Me” feature on two of his pharmacy pages and took screen shots (with the date) to use as evidence in filing CAN-SPAM charges.

I also wrote to his registrars and accused him of having fraudulent registration information because 1.3473285225 cannot be reached in the United Kingdom, where he says he is registered. (I did try to place the international call twice.) Only later did I learn that the number is in the U.S. but that is his problem; a reasonable person would not try to place a domestic call to the United Kingdom.

When I called 1.3473285225, I got someone with a very thick accent (Russian?) who said he was not responsible for the spam and that he only sold Web space to customers, or something to that effect. I reminded him that, as he is actually in the U.S., he is subject to the jurisdiction of CAN-SPAM.

Dear Abacus Team

I see you have not reacted to my previous mail on this subject.

Please see ICANN’s regulations on this issue. These are made very clear in your registration agreement.

The registration have to be correct, else the registration is invalid.

A fictitious name is not acceptable for for whois details.

A valid working address is required.

A valid working email address is required. By definition the type of email address given here, pookmail.com is the physical equivalent of saying “put my mail in the street somehere, I will find it.”

This type of registration goes against everything contemplated in the requirements for a valid whois details. As such I am extremely supprised that these domains are still valid after my previous mail.

Please note that you are now becomming responsible for network abuse. While this would not normally the case, by allowing your user Leo to knowingly continue using these fake details with your sponsorship in direct violation of ICANN’s whois requirements, you are becoming part of a problem. It is also not that you can say you had to verify the fact given. This can be done in ten minutes on the internet, especially if you have the details as submitted to ICANN. It is just a case of verifying it.

Maybe I should ensure that all abuse reports (spam, hijacking etc) get copied you for the domains you are sponsoring. Is this the evidence you require? I am sure a few million internet users will appreciate the opportunity of telling you exactly what Leo is doing with the domains he has registered under the alias “Jeff Westbury”. Based on this mail, you can not then hide behinf “We are not responsible for the usage”. If you know the details to be fake and allow the abuse – you are responsible!

I am also sending a mail to Attorney General Tom Reilly’s office on this issue. He has more than an axe to grind with your client. It is up to you to decide if you wish to be part of this fight ….

Best regards

D Smythe

R157-LRMS Abacus America, Inc. dba Names4ever.com

DFMARTINOEIF.COM DECRETIVEFD.INFO EMBDENDKEIJ.INFO FCVOMITUREGG.NET GJPOALIKELC.COM GJPOALIKELC.COM IGSTATDLYDM.INFO JJPLANULARCH.INFO

UPWHIRCADMH.NET

NO SPAM wrote:

< Dear Abacus team < < The domain FCVOMITUREGG.NET refers – bad whois. < < Below also communication to ICANN on this issue that explains the situation. Unfortunately you are one of these victims. < < Please act as per ttp://www.icann.org/announcements/advisory-03apr03.htm < < Best regards < < D Smythe < < ————————————————————– < Domain name: fcvomituregg.net < < Registrant: < JEFF westbury (AAHQ4) jeffwestbury@pookmail.com < 77 beak street #118 < London, GB w1f9db < United Kingdom < Phone: (1)3473285225 x < < Domain Name: FCVOMITUREGG.NET < Registrar: ABACUS AMERICA, INC. DBA NAMES4EVER < Whois Server: whois.names4ever.com < Referral URL: http://www.names4ever.com < Name Server: NS1.RAPERCONNN.BIZ < Name Server: NS2.RAPERCONNN.BIZ < Status: ACTIVE < Updated Date: 21-jul-2005 < Creation Date: 21-jul-2005 < Expiration Date: 21-jul-2006 <

This was followed by mail from Eugeen to ICANN

From: “Cranny V. Peddled” Return-Path: X-ClientAddr: 85.64.18.48 Received: from 85-64-18-48.barak-online.net

HTML Links pointing to: lhperdixnd.com Whois of lhperdixnd.com is:

Jeff WESTBURY (WESTBU12-BMN-PE) 77 beak street #118 w1f9db LONDON UNITED KINGDOM phone: 1.3473285225 e-mail: jeff_resale_domains@yahoo.co.uk

Dear Mail Boxes Etc team

A party, believed to be Leo Kuvayev based on evidence, is using the address Westbury, Jeff 77 Beak Street, #118 London, GB w1f9db GB

I need to know if there is a Jeff Westbury renting such an address, or if this is incorrect (ie a fake mail address)

The party I am seeking details on is repsonsible for various forms of fraud: Using email addresses without the permission of the owner, selling illegal pirated software via internet downloads (Microsoft, Macromedia, Adobe, Symantec, Corel etc) selling drugs illegally internet pornography and exploitation etc etc

All this can be evidenced by doing a search via your favourite internet search engine, example: http://www.google.com/search?hl=en&lr=&q=Jeff+Westbury+spam&btnG=Search

Additionally, this party is believed to be Leo Kuvayev: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5278 Additional info also exists that prooves this info to be correct.

More info on Leo Kuvayev and his legal issues: “AG REILLY FILES LAWSUIT, OBTAINS EMERGENCY ORDER SHUTTING DOWN INTERNET SPAM GANG BELIEVED TO BE ONE OF THE WORLD’S LARGEST SPAM OPERATIONS” http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1416 Also http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1426

Awaiting your reply.

Best regards

Sol

Mail sent to ICANN on issue. Leo has hundreds upon hundreds of domains, all with bad whois.

Dear ICANN team

A situation has arisen that it appears is not covered under the normal procedures for domain registrations.

I do believe that this calls for some type of alert to registrars. This type of whois abuse is also becoming more commonplace.

A party, suspected to be Leo Kuvayev, is registering domains by the hundreds, literally, and using the for net abuse (spam with all the other associated net abuses).

The registration details reflect a mailbox in the UK, but this mailbox is a mail forwarding company.

He uses the name of Jeff Westbury, but this is obviously not real.

He uses a USA tel number. The party answering the phone at 13473285225 has a strong Russian accent, acknowledging that he is Jeff Westbury?? However, he says he has sold the domain in question and like. Also note the change of whois details for ADDADCBAL.COM:

Administrative Contact: Perenskiy, Anatoliy jeffwestbury@pookmail.com Lugskaya uliza 4/1, 31 Saint Peterburg, LA 195265 RU 13473285225

… is now

Administrative Contact: Westbury, Jeff jeffwestbury@pookmail.com 77 Beak Street, #118 London, GB w1f9db GB 1.3473285225

As regards this email address: The homepage at http://www.pookmail.com describes usage as: ” * Step 1 Instead of giving your real email address to every website on Earth, just make up an imaginary name for @pookmail.com. Example: dontbotherme@pookmail.com

* Step 2
  Wait for your email to arrive.

* Step 3
  Login to PookMail.com by typing your imaginary email name (dontbotherme) into the login form, and click GO

* Step 4
  After 24 hours, the email associated with your login name will be cleaned from the system.

“

Based on the massive number of domains involved, spanning numerous registrars, the WDPRS mechanism as at http://wdprs.icann.org/ does not work.

As such we currently have domains without any accountability. See: http://vaxcave.com/index.php?p=345 http://veino.com/

Please attend as a matter of urgency.

Thank you.

D Smythe

Sample of domain names: ADDADCBAL.COM upwhircadmh.net stagermiecc.com rebornfgief.com (This domain cancelled during registration process after mail to Communigal) agnosislk.com EMBDENDKEIJ.INFO granchdlcdm.info PTBHPVT.COM GRANCHDLCDM.INFO MAMMONNNJFF.COM ollieffmng.com relentenfcl.info etc etc