Hijacked by Spam

It looks like some idiot is using the VaxCave domain as a FROM header in a spam mailing list. I only know this because I’m getting tons of undeliverable messages that are being returned to odd users at vaxcave.com (e.g. vezwex726yte@vaxcave.com). It has gotten to the point where I’m getting about 50 undeliverables a day. The worst part is I can’t get the spam filter to cover them because I may get some undeliverables that I actually may need to be aware of. So I started by trying to track down where this idiot was coming from. A few of the domains that are being referenced in the emails are:

  • socagefh.com
  • wadlikeei.com
  • plazajm.net
  • forgerma.com
  • snowinessgc.com

I tried to find out some info about these places via Sam Spade. It looks like the common threads that the domains share are registration through annulet.com and name servers that are:

  • third.dhawinkaa.com
  • pri.dhawinkaa.com

The contact information was strange but it is worth revealing:

Registrar: Annulet  Inc. (Annulet.com) 
Whois Server: whois.annulet.com 
Referral URL: http://www.annulet.com 
Administrative Contact: 
     Jeff and Dean 
     Dean WESTBURy jeffywestbury@yahoo.com.br
     77 Beak Street  118 
     London  VI  W1F 9DB 
     Phone: 13473285225 
     United Kingdom 
Technical Contact: 
     Jeff and Dean 
     Dean WESTBURy jeffywestbury@yahoo.com.br 
     77 Beak Street  118 
     London  VI  W1F 9DB 
     Phone: 13473285225 
     United Kingdom 

I decided that I should first do some research on the registrar. I had never heard of this particular one so it couldn’t hurt to give it a little Google action. I found their contact info and gave the registrar a call in hopes of them being able to do something about this particular customer. Thankfully, the guy is using the same technical and administrative information on all the domain registrations. Unfortunately, when I called, all I got was the answering service. They indicated that I could expect a call in the morning. We’ll see what happens with them. I’m not sure what they can do about it, but it’s worth a shot.

Developing…
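The filtering problem the post describes (real undeliverables mixed in with joe-job backscatter) as an added example, not the author's code: it tells the two apart by checking whether the address a bounce came back to, or the forged sender inside the returned message, is a mailbox that actually exists at the domain, and it pulls out the hostnames the returned spam links to, which is the list the author then ran through WHOIS. The mailbox list and the sample bounce are constructed; `sample_dsn` and the other function names are assumptions.

```python
"""Sort delivery failure reports (DSNs) landing at a domain into real bounces
and backscatter from a forged From: address, and list the hosts the returned
spam links to, for WHOIS lookups and abuse reports. Added example for this
post, not the author's code; it assumes the real mailboxes at the domain are
known (VALID_LOCAL, constructed) and that the bounce carries the original as
a message/rfc822 part or as From:/Return-Path: lines in a text part."""
import email
import re
from email import policy
from urllib.parse import urlparse

OUR_DOMAIN = "vaxcave.com"
VALID_LOCAL = {"postmaster", "webmaster", "axsdeny"}      # constructed list
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FROM_LINE_RE = re.compile(r"^(?:From|Return-Path):[ \t]*(.+)$", re.I | re.M)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def _addr(value):
    """Bare lowercase address inside a header value, or None."""
    m = ADDR_RE.search(str(value or ""))
    return m.group(0).lower() if m else None


def is_dsn(msg):
    """RFC 3464 delivery-status report, or a classic MAILER-DAEMON bounce."""
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return True
    sender = _addr(msg.get("From"))
    return bool(sender and sender.startswith("mailer-daemon@"))


def _text_leaves(msg):
    """Decoded text of every text/* leaf, including the returned original."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_multipart():
            yield part.get_content()


def returned_original_sender(msg):
    """From: of the message that bounced: an attached message/rfc822 part
    first, else the first From:/Return-Path: line found in any text part."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return _addr(part.get_payload(0).get("From"))
    for text in _text_leaves(msg):
        for line in FROM_LINE_RE.findall(text):
            if _addr(line):
                return _addr(line)
    return None


def classify(raw):
    """'not-bounce', 'bounce' (a real local user sent the original), or
    'backscatter' (the DSN or the original names a local user we never had)."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_dsn(msg):
        return "not-bounce"
    bounced_to = _addr(msg.get("To"))            # where the DSN came back to
    for addr in (bounced_to, returned_original_sender(msg)):
        if addr:
            local, _, domain = addr.partition("@")
            if domain == OUR_DOMAIN and local not in VALID_LOCAL:
                return "backscatter"    # forged, nonexistent user at our domain
    return "bounce"


def spamvertised_hosts(raw):
    """Link targets inside the returned message, minus our own domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    hosts = set()
    for text in _text_leaves(msg):
        for url in URL_RE.findall(text):
            host = urlparse(url.rstrip(".,;)")).hostname
            if host and host != OUR_DOMAIN:
                hosts.add(host.lower())
    return sorted(hosts)


def sample_dsn(bounced_to, original_from, body):
    """Constructed DSN with the original message attached as message/rfc822,
    the shape of the failure reports the post describes."""
    return f"""\
From: MAILER-DAEMON@mx.example.net
To: {bounced_to}
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="r1"

--r1
Content-Type: message/rfc822

From: {original_from}
To: nobody@example.net
Subject: Visit our NEW PHARMACY E-Store

{body}
--r1--
"""
```

A bounce that comes back to a real mailbox but whose returned headers name a sender that never existed is still classed as backscatter, which is the case the author could not express as a simple filter rule.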

38 Responses to Hijacked by Spam

  1. Eugene says:

    Well, the address is a mail forwarding postbox for this party.

    Additionally, he has moved on and his email address is now jeffwestbury@pookmail.com. Figure 🙂

    He is also listed on Spamhaus.org at http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5278

    As such your real perpetrator appears to be Leo Kuvayev

    Best of luck.

  2. the.h.is.silent says:

    I think the only word I understood in that whole post was “spam,” and then all I kept thinking was “faaaaaake meeeeeeat yuuuuuuuum.”

  3. AxsDeny says:

    You don’t seriously eat that stuff do you? You should be using it in some art, not eating it. Picture it: A mailbox, picket fence… in the mailbox are greasy envelopes. Why are they greasy? They’re stuffed with real Hormel Spam.

  4. RichieB says:

    I have been reporting “Jeff Westbury” for over a month to almost every ISP & Registrar imaginable. Finally resting at Total Registrations with the following: tiltlikecm.info = [ 221.7.209.72 ]

    Domain ID: D10539295-LRMS
    Domain Name: TILTLIKECM.INFO
    Created On: 08-Jul-2005 17:21:29 UTC
    Expiration Date: 08-Jul-2006 17:21:29 UTC
    Sponsoring Registrar: R157-LRMS
    Status: ACTIVE
    Status: OK
    Registrant ID: C10557564-LRMS
    Registrant Name: Dean westburY
    Registrant Organization: jeff and dean
    Registrant Street1: 77 Beak Street 118
    Registrant City: London
    Registrant State/Province: GB
    Registrant Postal Code: w1f-9db
    Registrant Country: GB
    Registrant Phone: 1.3473285225
    Registrant Email: jeffwestbury@pookmail.com

    secretajb.info = [ 221.7.209.72 ]
    Domain ID: D10539298-LRMS
    Domain Name: SECRETAJB.INFO
    Created On: 08-Jul-2005 17:22:36 UTC
    Expiration Date: 08-Jul-2006 17:22:36 UTC
    Sponsoring Registrar: R157-LRMS
    Status: ACTIVE
    Status: OK
    Registrant ID: C10557578-LRMS
    Registrant Name: Dean westburY
    Registrant Organization: jeff and dean
    Registrant Street1: 77 Beak Street 118
    Registrant City: London
    Registrant State/Province: GB
    Registrant Postal Code: w1f-9db
    Registrant Country: GB
    Registrant Phone: 1.3473285225
    Registrant Email: jeffwestbury@pookmail.com

    Total registrations response to my advisory of this false/invalid whois spamming entity was: “Hi,

    Unfortunately we cannot disable a domain because of claims of spamming – you would need to contact the host and if this doesn’t solve the problem you should contact the relevant enforcement agencies in your area.

    Kind Regards,

    Laurie Walker Domains Department Total Registrations.”

    If they continue with that attitude, ol’ Jeffy has now found a place to squat and enjoy a spammer’s delight!

  5. al pacino says:

    In doing some research, 77 Beak St., London, is a Mailboxes Etc. in Soho. See halfway down the page: http://www.shac.net/TARGETS/mailboxes_etc.html

  6. anonymous says:

    It turns out that Jeff’s e-mail isn’t password protected. You can all read his mail if you want to.

    If you’re smart you can also get his credit card info and a lot of other stuff…

  7. anonymous says:

    I’m not a very experienced computer user. I’m just asking a question. Let’s say (theoretically) that someone gets “everything” on this Jeff Westbury (which actually IS his real name). His e-mail account, all his domains, his credit card, all digital traces. How can this be used legally to stop him? Just curious…

  8. AxsDeny says:

    Which email address? His pookmail one?

    Regardless, this info is surely from a guy in Russia. He is using the identity of Mr. Westbury to do his dirty work.

  9. anonymous says:

    Knock yourself out:

    [snip: info archived]

  10. Spencer Jorgensen says:

    I just called the number 1-347-328-5225 which is listed in Brookland, NY by the way, and I did talk to Dean Westbury. He acknowledged owning the domain cisekldej.com but he denies any responsibility for the spamming because he has sold access to those who are doing it. He mentioned “IP Networks” but I couldn’t hear him clearly and he has a thick Russian sounding accent. Then the call ended abruptly.

  11. Eugene says:

    Mail sent to ICANN on issue below today. In the mean time, info below will assist in filing reports at http://wdprs.icann.org/.

    Cheers

    Dear ICANN team

    A situation has arisen that it appears is not covered under the normal procedures for domain registrations.

    I do believe that this calls for some type of alert to registrars. This type of whois abuse is also becoming more commonplace.

    A party, suspected to be Leo Kuvayev, is registering domains by the hundreds, literally, and using them for net abuse (spam with all the other associated net abuses).

    The registration details reflect a mailbox in the UK, but this mailbox is a mail forwarding company.

    He uses the name of Jeff Westbury, but this is obviously not real.

    He uses a USA tel number. The party answering the phone at 13473285225 has a strong Russian accent, acknowledging that he is Jeff Westbury?? However, he says he has sold the domain in question and like. Also note the change of whois details for ADDADCBAL.COM:

    Administrative Contact: Perenskiy, Anatoliy jeffwestbury@pookmail.com Lugskaya uliza 4/1, 31 Saint Peterburg, LA 195265 RU 13473285225

    … is now

    Administrative Contact: Westbury, Jeff jeffwestbury@pookmail.com 77 Beak Street, #118 London, GB w1f9db GB 1.3473285225

    As regards this email address: The homepage at http://www.pookmail.com describes usage as: ” * Step 1 Instead of giving your real email address to every website on Earth, just make up an imaginary name for @pookmail.com. Example: dontbotherme@pookmail.com

    * Step 2
      Wait for your email to arrive.
    
    * Step 3
      Login to PookMail.com by typing your imaginary email name (dontbotherme) into the login form, and click GO
    
    * Step 4
      After 24 hours, the email associated with your login name will be cleaned from the system.
    

    Based on the massive number of domains involved, spanning numerous registrars, the WDPRS mechanism as at http://wdprs.icann.org/ does not work.

    As such we currently have domains without any accountability. See: http://vaxcave.com/index.php?p=345 http://veino.com/

    Please attend as a matter of urgency.

    Thank you.

    D Smythe

    Sample of domain names: ADDADCBAL.COM upwhircadmh.net stagermiecc.com rebornfgief.com (This domain cancelled during registration process after mail to Communigal) agnosislk.com EMBDENDKEIJ.INFO granchdlcdm.info PTBHPVT.COM GRANCHDLCDM.INFO MAMMONNNJFF.COM ollieffmng.com relentenfcl.info etc etc

  12. Eugene says:

    Additional info on the matter. In the mean time, use http://wdprs.icann.org/ to lart away. Just keep it factual. Remember The registrar is NOT responsible for his client’s internet abuse, only to ensure that the whois is correct. If it is bad, he can boot him. See http://www.icann.org/announcements/advisory-03apr03.htm

    Mail sent to ICANN on issue. Leo has hundreds upon hundreds of domains, all with bad whois.

  13. Sol says:

    Mail to Mail Boxes etc. Response, if any, to follow.

    Dear Mail Boxes Etc team

    A party, believed to be Leo Kuvayev based on evidence, is using the address Westbury, Jeff 77 Beak Street, #118 London, GB w1f9db GB

    I need to know if there is a Jeff Westbury renting such an address, or if this is incorrect (ie a fake mail address)

    The party I am seeking details on is responsible for various forms of fraud: Using email addresses without the permission of the owner, selling illegal pirated software via internet downloads (Microsoft, Macromedia, Adobe, Symantec, Corel etc) selling drugs illegally internet pornography and exploitation etc etc

    All this can be evidenced by doing a search via your favourite internet search engine, example: http://www.google.com/search?hl=en&lr=&q=Jeff+Westbury+spam&btnG=Search

    Additionally, this party is believed to be Leo Kuvayev: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5278 Additional info also exists that proves this info to be correct.

    More info on Leo Kuvayev and his legal issues: “AG REILLY FILES LAWSUIT, OBTAINS EMERGENCY ORDER SHUTTING DOWN INTERNET SPAM GANG BELIEVED TO BE ONE OF THE WORLD’S LARGEST SPAM OPERATIONS” http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1416 Also http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1426

    Awaiting your reply.

    Best regards

    Sol

  14. Spam Hater says:

    Got a “Visit our NEW PHARMACY E-Store” spam from this guy today 7/26/05 @ 12:02pm EST

    From: “Cranny V. Peddled” Return-Path: X-ClientAddr: 85.64.18.48 Received: from 85-64-18-48.barak-online.net

    HTML Links pointing to: lhperdixnd.com Whois of lhperdixnd.com is:

    Jeff WESTBURY (WESTBU12-BMN-PE) 77 beak street #118 w1f9db LONDON UNITED KINGDOM phone: 1.3473285225 e-mail: jeff_resale_domains@yahoo.co.uk

  15. Derek says:

    Mail sent to the Abacus at info@aplus.net, the registrar who is registering Leo’s domains under the name ‘Jeff Westbury’


    Dear Abacus Team

    I see you have not reacted to my previous mail on this subject.

    Please see ICANN’s regulations on this issue. These are made very clear in your registration agreement.

    The registration has to be correct, else the registration is invalid.

    A fictitious name is not acceptable for whois details.

    A valid working address is required.

    A valid working email address is required. By definition the type of email address given here, pookmail.com is the physical equivalent of saying “put my mail in the street somewhere, I will find it.”

    This type of registration goes against everything contemplated in the requirements for valid whois details. As such I am extremely surprised that these domains are still valid after my previous mail.

    Please note that you are now becoming responsible for network abuse. While this would not normally be the case, by allowing your user Leo to knowingly continue using these fake details with your sponsorship in direct violation of ICANN’s whois requirements, you are becoming part of a problem. It is also not that you can say you had to verify the fact given. This can be done in ten minutes on the internet, especially if you have the details as submitted to ICANN. It is just a case of verifying it.

    Maybe I should ensure that all abuse reports (spam, hijacking etc) get copied to you for the domains you are sponsoring. Is this the evidence you require? I am sure a few million internet users will appreciate the opportunity of telling you exactly what Leo is doing with the domains he has registered under the alias “Jeff Westbury”. Based on this mail, you can not then hide behind “We are not responsible for the usage”. If you know the details to be fake and allow the abuse – you are responsible!

    I am also sending a mail to Attorney General Tom Reilly’s office on this issue. He has more than an axe to grind with your client. It is up to you to decide if you wish to be part of this fight ….

    Best regards

    D Smythe


    R157-LRMS Abacus America, Inc. dba Names4ever.com

    DFMARTINOEIF.COM DECRETIVEFD.INFO EMBDENDKEIJ.INFO FCVOMITUREGG.NET GJPOALIKELC.COM GJPOALIKELC.COM IGSTATDLYDM.INFO JJPLANULARCH.INFO

    UPWHIRCADMH.NET

    NO SPAM wrote:

    < Dear Abacus team
    <
    < The domain FCVOMITUREGG.NET refers – bad whois.
    <
    < Below also communication to ICANN on this issue that explains the situation. Unfortunately you are one of these victims.
    <
    < Please act as per http://www.icann.org/announcements/advisory-03apr03.htm
    <
    < Best regards
    <
    < D Smythe
    <
    < ————————————————————–
    < Domain name: fcvomituregg.net
    <
    < Registrant:
    < JEFF westbury (AAHQ4) jeffwestbury@pookmail.com
    < 77 beak street #118
    < London, GB w1f9db
    < United Kingdom
    < Phone: (1)3473285225 x
    <
    < Domain Name: FCVOMITUREGG.NET
    < Registrar: ABACUS AMERICA, INC. DBA NAMES4EVER
    < Whois Server: whois.names4ever.com
    < Referral URL: http://www.names4ever.com
    < Name Server: NS1.RAPERCONNN.BIZ
    < Name Server: NS2.RAPERCONNN.BIZ
    < Status: ACTIVE
    < Updated Date: 21-jul-2005
    < Creation Date: 21-jul-2005
    < Expiration Date: 21-jul-2006

    This was followed by mail from Eugene to ICANN

  16. Derek,

    Valid or not, he listed jeffwestbury@pookmail.com as his contact address. I sent an E-mail to that address placing him ON NOTICE under the provisions of the CAN-SPAM Act that my address is off limits to spam and that I would file criminal (felony?) charges against him if the harassment continued. I also used the “Remove Me” feature on two of his pharmacy pages and took screen shots (with the date) to use as evidence in filing CAN-SPAM charges.

    I also wrote to his registrars and accused him of having fraudulent registration information because 1.3473285225 cannot be reached in the United Kingdom, where he says he is registered. (I did try to place the international call twice.) Only later did I learn that the number is in the U.S. but that is his problem; a reasonable person would not try to place a domestic call to the United Kingdom.

    When I called 1.3473285225, I got someone with a very thick accent (Russian?) who said he was not responsible for the spam and that he only sold Web space to customers, or something to that effect. I reminded him that, as he is actually in the U.S., he is subject to the jurisdiction of CAN-SPAM.

  17. kjz says:

    You can also use the Registrar Problem Report Form at Internic:

    http://reports.internic.net/cgi/registrars/problem-report.cgi

    • kjz

  18. Derek says:

    Well

    Today is the 12th of August.

    ICANN has done nada. But then ICANN has of late become nothing more than a lot of hot air. Despite concrete proof of wrongdoings by registrars, they do zip. $$$$$$?

    Registrars have done nada. $$$$$$?

    Party is Russian, in fact it is Leo Kuvayev.

    Anybody in Massachusetts, you may wish to phone up Attorney General Tom Reilly’s Hotline. “Attorney General Reilly’s Consumer Hotline at (617) 727-8400”

    The Russian “Mr Westbury” New Yorker may have a bit of a surprise coming.

    http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1426

  19. Another Hijack Victim says:

    They seem to have hijacked my domain name as well for their fake FROM headers. The web addresses in the message have domain names that trace back to the same Jeff Westbury, IP of web server 221.11.133.68 is in China.

    Did it ever stop? Did you somehow get them to stop?

  20. AxsDeny says:

    It has tapered off, but I still get at least 20 failure messages a day. This has been going on for at least 5 weeks.

  21. David says:

    Perhaps a little more information would be helpful? I just got an spam that appears to be from this character (see

    <http://www.spamcop.net/sc?id=z796153090z5b763850c042ec7bed4cb0040cd5d220z>

    which leads to a website:

    <gggthx.bcunbrentmh.com>.

    Doing a little ‘nslookup’ digging, I find that bcunbrentmh.com’s authority DNS records are at ns0.mammonnnjff.com and ns1.mammonnnjff.com. When I set my DNS server to ns0.mammonnnjff.com, and look up gggthx.bcunbrentmh.com, it then claims there that the DNS authority records are ns1.raperconnn.biz and ns1.raperconnn.biz.

    Interesting name, ‘raperconnn’?? 🙂

    Further, gggthx.bcunbrentmh.com having an IPv4 address of 222.47.78.229 == the IPv4 address of ns1.raperconnn.biz == the IPv4 address of ns0.mammonnnjff.com!!

    
    > set debug
    > gggthx.bcunbrentmh.com
    Server:  ns0.mammonnnjff.com
    Address:  222.47.78.229
    
    ;; res_mkquery(0, gggthx.bcunbrentmh.com, 1, 1)
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 61633, rcode = NOERROR
            header flags:  response, auth. answer, want recursion
            questions = 1,  answers = 1,  authority records = 2,  additional = 2
    
        QUESTIONS:
            gggthx.bcunbrentmh.com, type = A, class = IN
        ANSWERS:
        ->  gggthx.bcunbrentmh.com
            internet address = 222.47.78.229
            ttl = 259200 (3D)
        AUTHORITY RECORDS:
        ->  bcunbrentmh.com
            nameserver = ns1.raperconnn.biz
            ttl = 259200 (3D)
        ->  bcunbrentmh.com
            nameserver = ns2.raperconnn.biz
            ttl = 259200 (3D)
        ADDITIONAL RECORDS:
        ->  ns1.raperconnn.biz
            internet address = 222.47.78.229
            ttl = 259200 (3D)
        ->  ns2.raperconnn.biz
            internet address = 221.11.133.68
            ttl = 259200 (3D)
    
    ------------
    Name:    gggthx.bcunbrentmh.com
    Address:  222.47.78.229
    
    guess what ya get when you do a whois on raperconnn.biz:
    
    [Querying whois.neulevel.biz]
    [whois.neulevel.biz]
    Domain Name:                                 RAPERCONNN.BIZ
    Domain ID:                                   D10251032-BIZ
    Sponsoring Registrar:                        NETWORK SOLUTIONS INC.
    Sponsoring Registrar IANA ID:                2
    Domain Status:                               clientTransferProhibited
    Registrant ID:                               39651578
    Registrant Name:                             DEAN WESTBURY
    Registrant Address1:                         177 Beak Street
    Registrant City:                             London
    Registrant State/Province:                   GB
    Registrant Postal Code:                      W1F 9DB
    Registrant Country:                          Great Britain (UK)
    Registrant Country Code:                     GB
    Registrant Phone Number:                     +1.13473285225
    Registrant Email:                            jeff_resale_domainz@yahoo.co.uk
    Administrative Contact ID:                   39723119
    Administrative Contact Name:                 Dean Westbury
    Administrative Contact Organization:         NA
    Administrative Contact Address1:             77 Beak Street, #118
    Administrative Contact City:                 London
    Administrative Contact State/Province:       GB
    Administrative Contact Postal Code:          w1f9db
    Administrative Contact Country:              Great Britain (UK)
    Administrative Contact Country Code:         GB
    Administrative Contact Phone Number:         +1.13473285225
    Administrative Contact Email:                deanwestbury@pookmail.com
    Billing Contact ID:                          39651578
    Billing Contact Name:                        DEAN WESTBURY
    Billing Contact Address1:                    177 Beak Street
    Billing Contact City:                        London
    Billing Contact State/Province:              GB
    Billing Contact Postal Code:                 W1F 9DB
    Billing Contact Country:                     Great Britain (UK)
    Billing Contact Country Code:                GB
    Billing Contact Phone Number:                +1.13473285225
    Billing Contact Email:                       jeff_resale_domainz@yahoo.co.uk
    Technical Contact ID:                        39723119
    Technical Contact Name:                      Dean Westbury
    Technical Contact Organization:              NA
    Technical Contact Address1:                  77 Beak Street, #118
    Technical Contact City:                      London
    Technical Contact State/Province:            GB
    Technical Contact Postal Code:               w1f9db
    Technical Contact Country:                   Great Britain (UK)
    Technical Contact Country Code:              GB
    Technical Contact Phone Number:              +1.13473285225
    Technical Contact Email:                     deanwestbury@pookmail.com
    Name Server:                                 NS1.RAPERCONNN.BIZ
    Name Server:                                 NS2.RAPERCONNN.BIZ
    Created by Registrar:                        NETWORK SOLUTIONS INC.
    Last Updated by Registrar:                   NETWORK SOLUTIONS INC.
    Domain Registration Date:                    Fri Jul 01 13:15:42 GMT 2005
    Domain Expiration Date:                      Fri Jun 30 23:59:59 GMT 2006
    Domain Last Updated Date:                    Tue Jul 26 16:25:34 GMT 2005
    
    >>>> Whois database was last updated on: Sun Aug 14 23:05:04 GMT 2005 <<<<
    
      (NeuLevel, Inc. disclaimers and terms omitted.)
    

    I wonder if this problem could be attacked by going to the sponsoring registrar for the DNS, Network Solutions?

    I hope this helps. -David

  22. Derek says:

    MPA? (Multiple Personality Disorder)

    Or is Leo Kuvayev still evolving? more likely ….

    Domain Name : mirooteryci.com (MIROOT2-BMN-DOM) Registrar : BookMyName Whois Server : whois.bookmyname.com Referral URL : https://www.bookmyname.com

    Registrant / Admin Contact : PERSON Jeff WESTBURY (WESTBU18-BMN-PE)

    77 BEAK STREET 118

    w1f9db London UNITED KINGDOM phone : 13473285225 fax : e-mail : JohsephWinst@yahoo.com

    Billing Contact : PERSON Jeff WESTBURY (WESTBU18-BMN-PE)

    77 BEAK STREET 118

    w1f9db London UNITED KINGDOM phone : 13473285225 fax : e-mail : JohsephWinst@yahoo.com

    Technical Contact : PERSON Jeff WESTBURY (WESTBU18-BMN-PE)

    77 BEAK STREET 118

    w1f9db London UNITED KINGDOM phone : 13473285225 fax : e-mail : JohsephWinst@yahoo.com

    Domain servers : ns0.hostsbackop.com (NHC124-BMN-HST)

    ns1.hostsbackop.com (NHC125-BMN-HST)

    However, looking at NS! Registrant: Individual 77 BEAK STREET 118 London, GB w1f9db GB 13473285225

    Domain Name: HOSTSBACKOP.COM

    Administrative Contact: Winst, Johseph JohsephWinst@yahoo.com 77 BEAK STREET 118 London, GB w1f9db GB 13473285225

    Technical Contact: Winst, Johseph JohsephWinst@yahoo.com 77 BEAK STREET 118 London, GB w1f9db GB 13473285225

    Record last updated 08-15-2005 05:28:07 PM Record expires on 08-15-2006 Record created on 08-15-2005

    Domain servers in listed order: NS0.HOSTSBACKOP.COM 222.47.94.32 NS1.HOSTSBACKOP.COM 61.234.241.246

  23. Derek says:

    Please supply more info.

    “17. They seem to have hijacked my domain name as well for their fake FROM headers. The web addresses in the message have domain names that trace back to the same Jeff Westbury, IP of web server 221.11.133.68 is in China.”

  24. Jorge says:

    One of his emails does not work! : host mx3.mail.yahoo.com[64.156.215.5] said: 554 delivery error: dd This user doesn’t have a yahoo.com account (jeff_resale_domains2@yahoo.com) [-5] – mta155.mail.scd.yahoo.com (in reply to end of DATA command)

    Lart away at http://wdprs.internic.net/ (Invalid whois data)

  25. Mantazz says:

    Has anyone successfully contacted “names4ever.com” / “aplus.net” / “abacus america” regarding westbury?
    I have tried several times to contact them about this guy, and they seem to continually do nothing. In fact, they even registered him a new domain last week: Domain name: amturiam.com

    Registrant: JEFF westbury (PM4ZV) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

    Administrative Contact: JEFF westbury (ETMVB) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

    Technical Contact: JEFF westbury (PM4ZV) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

    Billing Contact: JEFF westbury (XWPYF) jeff_resale_domains2@yahoo.com 77 Beek Street 118 London, GB w1f9db United Kingdom Phone: (1)3473285225 x

    Record last updated on 2005-08-19 00:00:00 Record created on 2005-08-17 00:00:00 Record expires on 2006-08-17 00:00:00 I have since reported this group to internic, by emailing “abuse@internic.net”. We’ll see if that does anything, as abuse@aplus.net certainly doesn’t. On the same note, I’ve also tried the support link on aplus.net, which leads to a “chat” window. In the window, you’ll see any of a variety of names, accompanied by one of about 5 “real pictures”. The chat seems to be driven by a bot, as they never say anything useful other than to send your complaint to “abuse@aplus.net”.

  26. Kanenas says:

    AxsDeny — In your letter to Abacus, you mention ICANN policy requires that domain registration info be correct. What section of which document is this from? Do you know if there is a similar valid info requirement for IP allocation? I’m hoping to refer to the policy in e-mails to registrars, in particular mentioning the consequences registrars are supposed to apply (cancellation if the registrant doesn’t supply valid info?). I’ve been searching the ICANN website but am having difficulties finding the policy information on my own.

  27. AxsDeny says:

    I didn’t write that letter. Eugene did. But I still get spam returned to me on a daily basis. It’s getting ridiculous.

  28. Rich says:

    I started reporting “Westbury” on 04/17/2005, 238 reports later I have whittled away and seen domain after domain finally being shut down – mostly through reports to ICANN. With patience, something in the registrant information becomes invalid, be it the email, a change in tel #, whatever. Now I’m trying to find out what or who is at 177 Beak Street. Since “Westbury” changed to “Dean Westbury” at 177 Beak from 77 Beak (which most registrars accepted as not a real address), I have come to a dead end. Anyone know who or what is at 177 Beak Street? All I can say is keep reporting him and eventually the domain gets shut down 🙂

  29. AxsDeny says:

    That doesn’t get us far since he just creates 6 new registrations every day. Boy, would I like to get my hands on this guy.

  30. Mantazz says:

    I believe someone earlier pointed out that the physical address “Westbury” is using is actually a PO Box. I have also reported many domains owned by this person, as well as his (yahoo) email addresses. They have all been shut down. As was pointed out, though, he just goes off and finds a new registration host.
    I’ve found a couple of registration hosts to be particularly troublesome (as in I have difficulties getting them to take action): your-domains-here.com logicboxes.com

    Each of these two have at least one alias name that they also own and register under. It also doesn’t seem that they do anything to actually verify the information given to them.

    If you’re looking to get the domains shut down due to bad registrant info, I would recommend going after the email address. For some reason spammers like to use yahoo addresses (because they’re free, I suppose). If you show yahoo proof that the yahoo address is being used to register spamming internet domains, they will shut down the email account, and then you can pass that data back to the registrant and/or ICANN as bad WHOIS data.

    Happy hunting…

  31. kjz says:

    Spammy has now shifted his registrations from Yesnic (too many nukes I suppose) to Joker in Germany. your-domains-here.com is only a reseller for Joker, which seems quite resistant to complaints. Whois contact for your-domains-here.com is domainz@web2mail.com in Belize City, so I suspect your-domains-here.com is the spammer itself. Yahoo now seems to be the favorite freemailer for spammers’ whois registration because Yahoo also seems quite unresponsive to complaints against using Yahoo addresses for faked whois entries.

    • kjz

  32. Eugene says:

    Sorry for the late reply on “where” ICANN stipulates accurate/valid whois info. Boss is strict if you work for yourself 🙂

    See http://www.icann.org/announcements/advisory-03apr03.htm Note reason 1 for immediate domain suspension: ‘The customer’s “willful provision of inaccurate or unreliable information” ‘

    Yep, that is our Leo.

    Report these domains to ICANN here: http://wdprs.internic.net/

    If the registrar refuses to do anything, you can report here: (this implies having contacted the registrar directly at addresses found at http://www.internic.net/contact.html) http://reports.internic.net/cgi/registrars/problem-report.cgi

    Alternatively, if you believe you have valid proof that the registrar is deliberately not honouring his registrar agreement(see http://www.icann.org/registrars/ra-agreement-10nov99.htm), mail registrar-info@icann.org.

    Best of luck.

    Regards

    E

  33. Lee says:

    It doesn’t look like this thread has seen a lot of activity lately, but I found useful spam advice here before, so I’ll try this one again. I’ve been getting a lot of pharmaceutical spam – you know, the type that wants to sell cheap viagra and whatnot. I have been angered enough by the volume of this that I thought I would try going after its source, and try to shut down the sites in a legal manner. So I have started running WHOIS on all of them, and I have noticed something in common. They almost always tend to rely on the same name servers. I have seen six name server domains occur frequently now:

    • yourgoldenhealth.info
    • drrecommends.info
    • themeds.info
    • yourmedz.info

    -and more recently-

    • yourbestmedz.info
    • healzymen.info

    As I dug through these domains trying to get these shut down, as they seem to serve only for spamming domains, I found something interesting in common for all six of them: Tucows.com. I didn’t even know they were a registrar for internet domains. In fact, they happen to be known to ICANN as R139-LRMS. They have registered, and continue to hold registration status “OK” for all six of these domains. I have contacted tucows, and they refuse to do anything about this.
    I have since taken my complaint to ICANN, and have not yet received any response from them. I brought this to ICANN on the merit of the fact that of the original four, three of them are registered to invalid email addresses (hence bad WHOIS data). Nothing has changed in response to that, either.

    Any ideas from anywhere would be great. The first four domains all resolve to a Chinese ISP (chinamobile.com) for the ns1..info address, with their ns2..info addresses resolving to a Korean ISP. Trying to get through to these ISPs has been almost impossible. I am in the process of working with their CERT teams, but that is excruciatingly slow going.
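
The clustering Lee describes above (run WHOIS on each spamvertised domain, then look for the name-server domains they have in common, and note which records carry an obviously invalid registrant email) is easy to automate once you have the WHOIS text. The following is an added example, not code from the thread or from any of the registrars mentioned; the domains, name servers, registrar names and contact addresses in it are constructed, as is the key/value WHOIS layout it parses. It assumes name-server hosts use a two-label registrable suffix (fine for .com/.net/.info, wrong for ccTLD second-level registries), and its email check is purely syntactic.

```python
"""Cluster spamvertised domains by the name-server domain their WHOIS records share."""
import re
from collections import defaultdict

# Constructed WHOIS excerpts: hypothetical domains, name servers and contacts,
# not data from the thread. The key/value layout mirrors what most whois
# servers return, but real output varies by registrar.
WHOIS_SAMPLES = {
    "cheapmedz-example.info": """\
Domain Name: CHEAPMEDZ-EXAMPLE.INFO
Registrar: Example Registrar Inc.
Status: OK
Registrant Email: buyer@mailhost.invalid
Name Server: NS1.PHARMNS-EXAMPLE.INFO
Name Server: NS2.PHARMNS-EXAMPLE.INFO
""",
    "bestpillz-example.info": """\
Domain Name: BESTPILLZ-EXAMPLE.INFO
Registrar: Example Registrar Inc.
Status: OK
Registrant Email: not-an-address
Name Server: ns1.pharmns-example.info
Name Server: ns2.pharmns-example.info
""",
    "unrelated-example.com": """\
Domain Name: UNRELATED-EXAMPLE.COM
Registrar: Another Registrar LLC
Status: OK
Registrant Email: admin@unrelated-example.com
Name Server: NS1.HOSTING-EXAMPLE.NET
Name Server: NS2.HOSTING-EXAMPLE.NET
""",
}

# "Key: value" lines; the lazy key match stops at the first colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", re.MULTILINE)
# Syntactic check only: one '@', no whitespace, a dotted host with an alpha TLD.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def parse_whois(text):
    """Return registrar, registrant email and the lowercased name-server list."""
    record = {"registrar": None, "email": None, "nameservers": []}
    for key, value in FIELD_RE.findall(text):
        key = key.lower()
        if key == "registrar":
            record["registrar"] = value
        elif key == "registrant email":
            record["email"] = value
        elif key == "name server":
            record["nameservers"].append(value.lower())
    return record


def ns_domain(host):
    """Registrable domain of a name-server host (assumes a two-label suffix)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def cluster_by_ns_domain(samples):
    """Map each name-server domain to the sorted list of domains delegated to it."""
    clusters = defaultdict(set)
    for domain, text in samples.items():
        for ns in parse_whois(text)["nameservers"]:
            clusters[ns_domain(ns)].add(domain)
    return {ns: sorted(domains) for ns, domains in clusters.items()}


def bad_whois_emails(samples):
    """Domains whose registrant email is not even syntactically valid."""
    return sorted(
        domain for domain, text in samples.items()
        if not EMAIL_RE.match(parse_whois(text)["email"] or "")
    )


if __name__ == "__main__":
    for ns, domains in cluster_by_ns_domain(WHOIS_SAMPLES).items():
        print(f"{ns}: {', '.join(domains)}")
    print("invalid registrant email:", bad_whois_emails(WHOIS_SAMPLES))
```

Run against real WHOIS output, the clusters give you the name-server domain to report alongside each spamvertised domain (that is the shared infrastructure worth shutting down), and the invalid-email list gives you the "inaccurate WHOIS data" evidence the ICANN WDPRS form asks for. A syntactically valid address can still be fake, so treat the check as a first pass, not proof.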

  34. Don says:

    Hi,

    You seem to be fighting the good fight, but may I ask why my domain name is listed in the “Dear ICANN team” mail(s) cited above? I hope it is as an example of the victimized and not the perpetrators. If so, please make this more clear in future.

    My domain [veino dot com] has been victimized in the same way by this “fake sender” scheme. I and it are not part of the origination of this scourge. I too get 0->~50 bounced messages returned to me daily, whenever the mood hits them for some more SPAMming (interestingly enough they seem to be now using a x weeks on, y weeks off approach; the traffic ebbs and flows).

    The thing that really ticks me off is that I am losing more and more email addresses at my domain… as I need to disable them due to the faked outgoing addresses becoming incoming SPAM targets, after they apparently end up in some other victim’s address book (and subsequent virus target?). Some of them turn out to be desirable or valid addresses at my domain, and now they are trashed. So not only am I being robbed of my time in filtering the bounces, but the value of my domain is being impacted.

    I have archived every mail returned from the SPAM activities and live in the good old state of Massachusetts, so I will be giving the AG’s office a call. I have had similar problems with the lack of effective registrar response to those I see cited above. In my experience, you were lucky even to get a reply… I’ve not experienced even that, when I’ve complained to the registrars.

    DonV

  35. AxsDeny says:

    Don,

    Your site, as well as mine, was used as a reference site for the ICANN team to look at as a domain that has been used as a hijacked sender. Since you mention it on your front page it seemed appropriate to include.

  36. Cameron says:

    They’re doing that backscatter thing to everybody. It just feels like they’re singling you out because the total volume is so huge. Folks who seem to know estimate less than one in half a million spams generates a correctly targeted complaint. People have just stopped complaining, because the major culprits effectively ignore complaints.

    The ICANN is a sock puppet of the US Dept of Commerce. If the US Govt wanted spam stopped, ICANN would enforce its rules quickly and spammers would lose their domains so fast there would be no point in spamming any more. Spam is company policy. They want to get rid of the public SMTP email system and replace it with something centralized with back doors for govt and advertisers.

    Imagine what would happen if 60 Minutes did an expose on Microsoft’s and Yahoo’s role in the Nigeria fraud spam. Now ask why they never will.

  37. SpamSlayer says:

    Well, you’ll be happy to know that the top spammer involved in your little party was incarcerated in Russia, probably for a very long time. You see, in addition to using others’ website URLs as bounce victims, using other people’s names, addresses, etc. as his own, and sending out animal and kiddie smut, he’s now devolved to the point where he was charged with molesting as many as 50 minors. Of course, to really seal his fate as the biggest scumbag of the universe, he made sure all these minors were from an orphanage.

    http://www.spamhaus.org/rokso/listing.lasso?file=903

    (Yeah, this is the SpamSlayer who took this scumbag on (along with a few other spammer scumbags like Polyakov), and fed the FBI and Massachusetts Attorney General with a lot of the info they used to bust him here in the US, leading to him fleeing first to Canada, then back home to Russia.)

  38. SpamSlayer says:

    Oh, and that picture of Kuvayev on the Spamhaus.org website? Got it by hacking Kuvayev’s personal website. Downloaded all the pictures, still got them on CD if you want them.
