Tuesday, June 10, 2008

China: The Last Resort for Spammer Domain Registration

Take any domain you've been spammed with over the past week and do a simple lookup on it. Chances are extremely good that the registrar for said domain will be located in China.

The list of the most spammer-friendly domain registrars has included the following major players:


  • Tucows.com

  • godaddy.com

  • registerfly.com

  • CSL Computer Service Langenbach GmbH d/b/a joker.com [aka: Joker.com]

  • Beijing Innovative Link Technology

  • Moniker.com

  • aceofdomains.com (a subsidiary of Moniker.com)

  • Xin Net Technology Corporation (aka: Xin Net, New Net, paycentre.com)

  • Todaynic.com

  • Chinanet

  • BizCN

  • Dotster

  • HKDNR



Of that list, four are located in China, with one in Hong Kong.

Over the past two years, following a relentless campaign of complaints and of educating registrars on how to properly shut down and null-route an illicit domain, that list has shrunk to:


  • Beijing Innovative Link Technology

  • Xin Net Technology Corporation (aka: Xin Net, New Net, paycentre.com)



And only within the past couple of days:


  • Xiamen Chinasource Internet Service Co., Ltd.



That's largely because Xin Net finally heeded the literally millions of complaints we were sending to them, backed up with evidence of fake contact information and links to wikipedia entries which outline the illegal operations these sponsor organizations are a part of.

It's a pretty good sign that complaining to the right people, in the right way, can have a devastating effect on the spammer economy. XIN NET was home to literally millions of spammed domains representing illegal operations. It took months of consistent communication, often using translators and other elements to get the message across to them that they were essentially supporting illegal activity.

It should be mentioned that Beijing Innovative Link Technology (aka: "BILT" to our community) have in fact been responsive regarding illegally-registered domains. It's just that they never shut them all down. There are always a handful of them which are still actively in use in widespread, aggressive spam campaigns.

I and several colleagues of mine have been diligently reporting every domain and name server we get spammed with, in the hope of getting the domains shut down. This was initially a very daunting process, since many if not most registrars weren't entirely clear on how to perform a proper domain shutdown. Fortunately most of them have been very receptive, and now even the most stubborn registrars have undergone a change of heart, probably because continuing to ignore complaints could have led to their ICANN accreditation being revoked.

This is the kind of work which spammers and their sponsors assumed (rightly, until recently) that members of the general public didn't want to take on. On the surface it sounds extremely overwhelming. Sponsors routinely register literally hundreds of thousands of domains, including domains that exist only to host their name servers. I won't go into the boring details of how domain names work and how registration takes place, but suffice to say that in the case of spammer-friendly sponsors like SanCash and Spamit, the registration of millions of domain names is not uncommon, and it all happens automatically.

There are two key failing points regarding these domain registrations:

1) They always use fake contact information for all of the contacts. (Administrative, Technical, Billing, etc.)
2) In many cases, a stolen credit card is used to register the domain, or a hacked PayPal account. Several regular domain reporters have received feedback to this effect over the past several years of reporting the domains.

Registration of a domain using fake contact information is a breach of the registrar's ICANN accreditation terms. Forget what the domain is even used for (for now at least): if the contact information is along the lines of the following:

Administrative Contact:
Joe Lastname
123 Fake St.
Fake, NY
10000
tel: 123 4567890
fax: 123 4567890
joelastname@fakefakefake.com


Then that puts the domain registrar in the position of having allowed an illicit domain registration to take place.

If I report that information as verifiably fake and the registrar continues to allow several thousand more new domains to be registered with the same information, that puts the registrar in breach of its Registrar Accreditation Agreement with ICANN, which requires registrants to supply accurate contact information and obliges the registrar to investigate and correct reported inaccuracies.

Notably, XIN NET was continually allowing that to happen, for many years. They appeared to be ignoring our multiple complaints, making note of identifiably fake contact information.

All of that changed approximately eight days ago, and XIN NET should be commended for finally taking swift and widespread action against several tens of thousands of active domains used for heavily spammed products such as VPXL, Canadian Pharmacy and Prestige Replicas (to name only a few.)

But add to that the fact that all of these sites are doing the following:


  • Lying, everywhere, on every page, about every detail of their products, their location, their staff and their alleged online security.

  • Sale of fake "herbal remedies" with no valid active ingredient (several reports confirm this, notably the BBC report from December 2007 regarding "Elite Herbal", now known as "VPXL")

  • Sale of potentially harmful or extremely addictive pharmaceutical products without the advice or consent of any licensed pharmacist.

  • Aggravated repeat spamming to a majority of recipients who do not wish to receive any emails regarding these products and for whom there is no mechanism to opt out.



And you have a lot more ammunition to supply to the domain registrar.

If I started a website called "coccacolla.com" and claimed it was an official website of the Coca Cola corporation, Coca Cola would definitely hear about it, and the site would be shut down. I would also be sued. That's because there are laws regarding what a company (and therefore: the company's website) can and cannot claim. I can't claim, for example, that Coca Cola will cure cancer. I also can't claim that my corporate address is somewhere in the middle of the Atlantic Ocean. Again: it's not just morally incorrect behavior, it's illegal in most countries to do so.

Yet we have sites representing this barrage of spamvertised products, all registered with fake contact information, promoting fake or (at best) counterfeit products, with claims that they are located in a variety of locations where they in fact do not occupy any offices or warehouses.

One example: Canadian Pharmacy.

A recently spammed domain:

http://scoreway.cn

Whois information:

%whois scoreway.cn
Domain Name: scoreway.cn
ROID: 20071204s10001s42304059-cn
Domain Status: ok
Registrant Organization: theNoun
Registrant Name: HimNil
Administrative Email: goto@[remainder garbled in extraction]
Sponsoring Registrar: [Chinese-language registrar name, garbled in extraction]
Name Server:ns0.nameedns1.com
Name Server:ns0.renewwdns1.com
Registration Date: 2007-12-04 21:03
Expiration Date: 2008-12-04 21:03


Look at that. No identifiable contact information of any sort. The brevity of the record is not unnatural, but the lack of any genuine contact info is.

But scoreway.cn actually presents you with an iframe that loads a separate domain:

http://newrxwalk.com
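The iframe is what makes the difference between reporting the domain in the spam and reporting the domain that actually serves the shop. As an added example (not the author's code; the HTML below is constructed to mirror the behaviour described, not a capture of scoreway.cn), this Python script lists the third-party hosts a page pulls in through frames, scripts, links and meta refresh, so that the hidden domain gets reported alongside the spammed one:

```python
"""Added example: find the domains a spamvertised page really loads from."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)

# Constructed page, modelled on the behaviour the post describes (scoreway.cn
# serving an iframe that loads newrxwalk.com); it is not a capture of the real site.
SAMPLE_PAGE_URL = "http://scoreway.cn/"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="30;url=http://newrxwalk.com/index.php?id=1">
</head><body>
<iframe src="http://newrxwalk.com/?aff=123" width="100%" height="1200" frameborder="0"></iframe>
<noscript><a href="/products.html">Canadian Pharmacy</a></noscript>
</body></html>"""


class EmbedCollector(HTMLParser):
    """Collect every URL the page pulls in: frames, scripts, meta refresh, links."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []          # (how it is loaded, absolute url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)        # html.parser lower-cases tag and attribute names
        if tag in ("iframe", "frame", "script", "embed") and attrs.get("src"):
            self.targets.append((tag, urljoin(self.base_url, attrs["src"])))
        elif tag == "a" and attrs.get("href"):
            self.targets.append((tag, urljoin(self.base_url, attrs["href"])))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_URL.search(attrs.get("content") or "")
            if m:
                self.targets.append(("meta-refresh", urljoin(self.base_url, m.group(1))))


def embedded_domains(html, base_url):
    """Map each third-party hostname the page loads to the ways it is pulled in.

    The page's own host is left out: the point is the domain behind the iframe,
    which the spam never mentions and which has to be reported as well."""
    parser = EmbedCollector(base_url)
    parser.feed(html)
    own_host = (urlsplit(base_url).hostname or "").lower()
    found = {}
    for how, url in parser.targets:
        host = (urlsplit(url).hostname or "").lower()
        if host and host != own_host:
            found.setdefault(host, set()).add(how)
    return found


if __name__ == "__main__":
    for host, ways in embedded_domains(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        print(host, sorted(ways))
```

Two caveats. These sites are hosted on compromised machines and botnets, so fetch them only from an isolated, disposable host, never from a company workstation. And a page that sets the iframe source or window.location from JavaScript will slip past a static parser; for those, watch the requests the browser actually makes instead.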

WHOIS for newrxwalk.com:

Domain Name: NEWRXWALK.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS0.BILLBOARDTOPTENS.COM
Name Server: NS0.GREATTENS.COM
Name Server: NS0.ONTHETENS.COM
Name Server: NS0.ORSTENSGUIDE.COM
Status: ok
Updated Date: 06-jun-2008
Creation Date: 23-may-2008
Expiration Date: 23-may-2009

Registrant:
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
710061



Administrative Contact:
WenFeng
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
xi an Shanxi 710061
CN
tel: 298 5228188
fax: 298 5393585
cncliup@21xn.com

Technical Contact:
WenFeng
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
xi an Shanxi 710061
CN
tel: 5228188
fax: 5393585
cncliup@21xn.com

Billing Contact:
WenFeng
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
xi an Shanxi 710061
CN
tel: 5228188
fax: 5393585
cncliup@21xn.com

Registration Date: 2008-05-23
Update Date: 2008-06-06
Expiration Date: 2009-05-23

Primary DNS: ns0.orstensguide.com
Secondary DNS: ns0.onthetens.com


That old standby, XIN NET.

A complaint has already been sent of course. :)

As I mentioned in previous posts, it's pretty straightforward to pick apart the falseness of this contact information, even if you know nothing about Chinese postal addresses or phone numbers. There is no "5228188" phone number. Dialing it will get you nothing. Likewise the fax number. The registrant behind this scam of a domain knows this.

"Wen Feng" is similar to numerous other bogus registrant names we've seen in the past. The address is bogus. etc. etc. All verifiable if you do some legwork.

An aside here: note that registrant's email address: cncliup@21xn.com. For the past year or more, hundreds of thousands of domains have been registered using a similar address: cncliup@21cn.com. Do a google search on that and you'll find numerous complaints and reports regarding spammed domains for these sites. We focused on the use of that domain as an indicator that it was registered illegally. XIN NET and Todaynic took that information and used it in conjunction with our detailed reports to shut down thousands of domains at once, and may be using that information to block registration of any new domains. This would explain the shift to the 21xn.com domain. Note: 21cn.com and 21xn.com are both providers of free email addresses. Sort of like a Chinese Hotmail.
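The checks described above, and the practice of reporting the name servers along with the domain, as a worked example added here (it is not the author's tooling and not the Complainterator). The script parses the contact blocks of a WHOIS record, flags the indicators this post describes (placeholder text, tel equal to fax, too-short or keyboard-run phone numbers, a registrant mailbox already known from thousands of spammed domains, one identity quoted with different numbers in different roles) and lists what to report: the domain itself plus the domains hosting its name servers. The sample record is a trimmed copy of the newrxwalk.com WHOIS output quoted above; the "Joe Lastname" record is the post's own fictitious example. The free-mail and abused-mailbox lists hold only the addresses the post mentions, and the phone heuristics are format checks, not a claim about any real number.

```python
import re

FREEMAIL_DOMAINS = {"21cn.com", "21xn.com"}                        # free-mail providers the post names
KNOWN_ABUSED_MAILBOXES = {"cncliup@21cn.com", "cncliup@21xn.com"}  # registrant mailbox the post flags
PLACEHOLDER_WORDS = re.compile(r"\b(fake|test|none|n/?a|asdf|qwerty|lastname)\b", re.I)
CONTACT_HEADER = re.compile(r"^(Registrant|Administrative|Technical|Billing)( Contact)?:\s*$", re.I)
FIELD_LINE = re.compile(r"^[A-Za-z][A-Za-z ]*:\s*")   # a "Registration Date: ..." style field
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Trimmed copy of the newrxwalk.com record quoted in the post (taken as accurate as quoted).
SAMPLE_WHOIS = """\
Domain Name: NEWRXWALK.COM
Name Server: NS0.BILLBOARDTOPTENS.COM
Name Server: NS0.GREATTENS.COM
Administrative Contact:
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
tel: 298 5228188
fax: 298 5393585
cncliup@21xn.com
Technical Contact:
Wen Feng
NO.397,zhuquedadao street,xian City,shanxi Province
tel: 5228188
fax: 5393585
cncliup@21xn.com
Registration Date: 2008-05-23
"""

# The post's deliberately fictitious "Joe Lastname" contact, as a constructed record.
FICTITIOUS_WHOIS = """\
Administrative Contact:
Joe Lastname
123 Fake St.
Fake, NY
tel: 123 4567890
fax: 123 4567890
joelastname@fakefakefake.com
"""


def parse_contacts(whois_text):
    """Return {role: {"lines", "tel", "fax", "email"}} for each contact block."""
    contacts, role = {}, None
    for line in (raw.strip() for raw in whois_text.splitlines()):
        header = CONTACT_HEADER.match(line)
        if header:
            role = header.group(1).lower()
            contacts[role] = {"lines": [], "tel": None, "fax": None, "email": None}
        elif role is None or not line:
            continue
        elif line[:4].lower() in ("tel:", "fax:"):
            contacts[role][line[:3].lower()] = line[4:].strip()
        elif FIELD_LINE.match(line):
            role = None                      # back in the registry header/footer fields
        elif EMAIL_RE.match(line):
            contacts[role]["email"] = line.lower()
        else:
            contacts[role]["lines"].append(line)
    return contacts


def phone_problem(number):
    """Too short, one repeated digit, or a keyboard run like 123 4567890: not a real number."""
    digits = re.sub(r"\D", "", number)
    return ("short-phone" if len(digits) < 7 else "repeated-digit-phone" if len(set(digits)) == 1
            else "sequential-phone" if digits in "12345678901234567890" else None)


def assess(whois_text):
    """Return (role, indicator, evidence) triples for the record."""
    findings, tel_numbers = [], set()
    for role, c in parse_contacts(whois_text).items():
        text = " ".join(c["lines"] + [c["email"] or ""])
        if PLACEHOLDER_WORDS.search(text):
            findings.append((role, "placeholder-text", text))
        for field in ("tel", "fax"):
            if c[field] and phone_problem(c[field]):
                findings.append((role, phone_problem(c[field]), c[field]))
        if c["tel"]:
            tel_numbers.add(re.sub(r"\D", "", c["tel"]))
            if c["tel"] == c["fax"]:
                findings.append((role, "tel-equals-fax", c["tel"]))
        if c["email"] in KNOWN_ABUSED_MAILBOXES:
            findings.append((role, "known-abused-mailbox", c["email"]))
        elif c["email"] and c["email"].rsplit("@", 1)[1] in FREEMAIL_DOMAINS:
            findings.append((role, "freemail-registrant", c["email"]))
    if len(tel_numbers) > 1:   # same identity, different numbers per role (with/without area code)
        findings.append(("*", "inconsistent-phone-across-roles", sorted(tel_numbers)))
    return findings


def indicator_codes(whois_text):
    return sorted({code for _, code, _ in assess(whois_text)})


def report_targets(domain, whois_text):
    """The spammed domain plus the registrable domain of each of its name servers.
    Simplification: last two labels; hosts under e.g. .com.cn need the public suffix list."""
    name_servers = [line.split(":", 1)[1].strip().lower() for line in whois_text.splitlines()
                    if line.lower().startswith("name server:")]
    return sorted({domain.lower()} | {".".join(ns.rstrip(".").split(".")[-2:]) for ns in name_servers})
```

A hit from these checks is a reason to verify, not proof: a registrar abuse desk wants the actual evidence (a number that does not ring, a street that does not exist) in the complaint, and the last-two-labels shortcut for name-server domains is wrong under ccTLDs with a second level such as .com.cn.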

Anyway...

If we visit the site, and look at what they claim:

You may contact us at +1(210) 888-9089, please, keep your order I.D. every time you make a call.


That phone number is a VoIP (or otherwise digital) phone line allocated by Level 3 Communications in San Antonio, Texas. The owner of the number could in theory be located anywhere in the world. Just like everything else about this operation, it's quite possible that the number was also obtained using fake contact info and/or a stolen credit card number.

Calling the number initially results in a voicemail prompt:

Hello. You have reached united pharmacy support service. Unfortunately, our operators are currently unavailable, so please leave a message after the beep.


They also mention that you can email them at support@uphs.info, or visit the website: uphs.info

Subsequent phone calls however result in a woman answering the phone, and denying any connection whatsoever to the spammed website "scoreway.cn", or its subsequent redirected domain "newrxwalk.com". Unless you have a concern regarding an order you actually placed, they won't discuss anything with you.

If we visit the "contact us" link, we're presented with a form, and the email address: support@canadianmedicationsupport.com

That email address has of course changed several times over the past several years. No contact with that address or via the form has ever gotten any kind of response, and I've been trying for the past two years under a variety of identities.

No corporate address is listed anywhere, no physical location is given.

My (long-winded) point: no legitimate company would run in so many circles to hide its location, nor would it need so many thousands of illegally-registered domains to operate. The reason Coca Cola doesn't hide its corporate office addresses (in Atlanta, GA) is because it operates legally, and communicates with its customers and the public in appropriate and legal ways.

Of course, they also don't illegally abuse numerous systems while promoting their products. Spamit sites, and Canadian Pharmacy in particular, are routinely hosted on botnets (presumably Storm), use hacked public domains to perform redirections, abuse whitelisted email templates from well-known corporate email campaigns, and abuse all manner of systems just to ensure that you receive a message from them promoting their products. No legitimate company would engage in these tactics.

This is only one example, obviously.

If you want to join the cause and begin making more of a dent in these illicitly-run spam operations, go over to complainterator.com and download the complainterator. Read the supplied instructions and enter any of the numerous domains you got spammed with. Send off the complaint. Join the cause. (Apologies in advance: at the moment this is a Windows-only application. And no, I didn't create it.)

You would be surprised at just how effective this can be. If a company like XIN NET can be turned around, so can any other registrar being hit with these fake domain registrations. XIN NET is now more vigilant about this process. Now it's time to educate Xiamen Chinasource Internet Service Co., Ltd.

SiL / IKS / concerned citizen

14 comments:

Unknown said...

http://weblog.infoworld.com/stratdev/archives/2008/06/xin_net_crackdo.html

IKillSpammerz said...

Yes! Although it certainly seems that they have (finally, after months of attempting to contact them) greatly tightened things up at XIN NET regarding fake contact information, and spammers and their sponsors are rapidly jumping ship to a variety of lesser-known players (still in China, of course.)

XIN NET has gotten away with this for several years now, so I don't disagree with this poster's opinion. But it cannot be denied that many months of consistent complaints definitely have had the desired effect (and hopefully also had the residual effect of impacting the likes of SanCash and Spamit.)

Thanks for the heads up.

SiL

Anonymous said...

fake contacts or not - is there any difference if packages sent and customers are happy with their pills? do you ever have talk with guys on other side? with canadian pharmacy owners/management for example.

IKillSpammerz said...

> fake contacts or not - is there any difference if packages
> sent and customers are happy with their pills? do you ever
> have talk with guys on other side? with canadian pharmacy
> owners/management for example.


No, of course not. They haven't ever bothered to respond to numerous emails, not just from me, but from anyone. They constantly feature "contact forms" which appear to go literally nowhere (which makes sense, since all of their spamvertised websites last merely a few days before disappearing completely.)

I would love to hear how "canadian pharmacy owners/management" would care to explain their complicity with the writers of the Storm worm, for example. Or why they feel they need to register so many bogus domains which are hosted on hacked computers, using domains which have been proven to be registered not only with fake contact information, but also using either stolen credit cards, or hacked paypal accounts. Of course nobody from their charming organization has ever replied to a single email.

"fake contacts or not" - clearly, you are a spam-friendly commenter. You have no idea what you're talking about.

If you can't find a legitimate human being to contact regarding the site, it underscores the complete lack of legitimacy of the organization. What's your point? The only company that needs to hide their identity using obviously fake contact information is one which is operating unlawfully. That is not merely my opinion. But the lie doesn't stop there: Their "products", received via several bait orders, are 100% fake. In other cases they are harmful, containing no active ingredient whatsoever, or at worst containing additives which are never supposed to be present at all. This is well-documented in numerous investigative reports.

> is there any differents if packages
> sents and customersy are happy with their pills?


Spoken, as usual, like a true spammer. (And it seems as though you are possibly Russian.)

Of course there's a difference.

Show me one (ONE) such customer who has provided feedback. By that I mean one which is not a complete fabrication, as the ones present on all of these sites are. These "happy customers" - if they exist at all - would likely never publicly announce that they purchase from any of these sites.

Also: define "happy". "Happy" how, exactly? Since it's been repeatedly verified that these pills are fake, or dangerous, how do these people know any better once they've received them? They don't.

All of these sites lie about every single detail. (Not just Canadian Pharmacy, the entire lot of these sites including PowerEnlarge or whatever they choose to call it next.) Their sites are not implementing "Verified by Visa". They offer no security whatsoever during checkout. Their operators are well aware that they use the logos of Pharma Checker without authorization, and without that organization's support. Their sites are all hosted on hijacked public IP addresses. They do not sell what they claim. They offer no refunds. (Or at least there is absolutely no documented evidence that they do.)

They lie about every single detail.

Also: You're a spammer.

SiL

IKillSpammerz said...

I notice that this particular topic is suddenly on several peoples' radar.

Slashdot today referred to a report from thestandard.com which asks the question: Will ICANN take action against "worst" Chinese registrar?, directly referring to XIN NET.

I'm interested to see where this leads.

SiL

Anonymous said...

I'm glad this is finally waking up a sleeping beast such as ICANN! I have been making thousands of WDPR reports concerning these China-based spammer domains for over 2 years, with not a single action until now. And that includes many email reports to ICANN! They simply played dumb and went on with business as usual, until this matter was brought to the attention of the media.

It is also no wonder that the biggest spammer-friendly registrars are based in China, given the rampant corruption environment there. I'm not at all surprised that these registrars have been bribed or even bought over behind the scenes by the spammers. My suspicion is that all the sudden turnaround action by these registrars is just playing to the gallery. It's not likely to last for long, unless they are shut down for good. Once the spotlight has turned away from them, I can assure you they will be back to their same old selves again.

Anonymous said...

I like this article. It is really useful for us.

IKillSpammerz said...

Red Dwarf, aka Tembow, the creator of the fabulous Complainterator (complainterator.com) sent me an update that was particularly on point for this posting. It appears that a coordinated series of complaints to domain registrars in China, coupled with some stern warnings from ICANN regarding registration via repeatedly fraudulent contact information has had a devastating effect on the domains being registered on behalf of SanCash and Spamit:

*******************************************

Out of fairness, it should be noted that Xin Net is not the only registrar who has reacted to the ICANN communications to registrars in China, followed by the Knujon report.

Xin Net has now gained the skill level required to shut down name servers since I last reported to you.

The tracking site at http://wiki.castlecops.com/XIN_NET_NS_Suspended lists over 120 name servers successfully removed from the spammers.

They have also suspended every spammed site that the Complainterator team has sent in, whether by individual or bulk reports.

We have had a similar response from the others listed in the Knujon report:

* Todaynic since February 2008: Over 28,000 (100% compliance)

* Xin Net since December 2007: Over 16,000 (100% compliance)

Xin Net was losing 20% of all incoming mail until a month ago, when I convinced them to fix their Mail Exchange records which were not RFC compliant. Now all of their mail is getting through.

* Bizcn since December 2007: Over 3,000 (100% compliance)

* Beijing Innovative Linkage Technology since 2007: 1,180 (40% compliance)

This company has unfortunately put spam blocking on incoming mail, which refuses mail containing any spammed URLs. As a result of this they are not receiving complaints for spammed sites in their own registrar base.

From Todaynic in particular we are seeing response times of under 3 hours to shut down as many as 1,000 reported sites on one request. Spammed sites are often shut down by this registrar preemptively before we can even report them. They have proven to be star performers in shutting out the spammers abusing their service.

The Complainterator team is surprised to see no acknowledgement of the changed circumstances from Knujon. Surely when the registrars respond so fully and effectively, Knujon should update their report and give the registrars the credit they deserve.

These statistics are all verifiable at:

http://wiki.castlecops.com/Bulk_Spam_Reporting

*******************************************

Nice work, everyone. Obviously they have moved on to other registrars, but I and several others have noticed large amounts of inbound spam messages with domains which are already out of commission. I hope this means that every last one of Spamit and SanCash's mailers are losing money hand over fist. I'm also seeing a diversion into age-old stock spamming, which is always a good sign that someone is suffering financially on the other end of the "send" button. (Honestly: HXPN? Are you high?)

I'll say it again: very nice work everyone.

SiL / IKS / concerned citizen

Anonymous said...

hmm....something got me thinking....I remember in the old days of the Internet, around the mid-to-late 90s, there were warnings about not using "faked" addresses on registration forms, so other users couldn't misuse a "forgot password" function and scoop up your password at what you thought was a "garbage address"...

Well, look here.

this domain is registered by joelastname@fakefakefake.com - could someone not register fakefakefake.com - set up a Mail server/account named joelastname on this server, then goto the registrars site and use the "forgot password" and get their (the spammer) address e-mailed to this previously "fake" address....? :)

IKillSpammerz said...

> this domain is registered by joelastname@fakefakefake.com -
> could someone not register fakefakefake.com - set up a Mail
> server/account named joelastname on this server, then goto
> the registrars site and use the "forgot password" and get
> their (the spammer) address e-mailed to this previously
> "fake" address....? :)


Actually, that was not a genuine example. I should have been much clearer. I used the phrase "along the lines of the following" before quoting that fictitious example. I was trying to say: you aren't supposed to use obviously fake contact information to register a domain.

Your suggestion, though, is a bit of a longshot. Yes, presumably you could do that (if you have that kind of time on your hands, go for it :) ) but what would that ultimately do? All spammer domains are meant to last for a very short time, and serve a very narrow purpose. There is no expectation of long-term communication via a spamvertised domain. In fact my own research has shown that the "contact us" forms on all SanCash sites don't do anything. They post a form to a php script which does nothing but say "Thank you." No message is sent, no message is stored anywhere. They know that the domain is a throwaway and is not expected to serve anything but an immediate requirement for brief profits.

The only "company" that would need to use fake contact information and fly-by-night domains is an illicit, illegal operation.

The people that run all of these sites are well aware that they operate illegally.

SiL

Anonymous said...

SHUT THEM DOWN!
Xin Net Technology Corporation

the gringo said...

Thanks for your excellent site. My company is being spammed by this canadian drugstore at the moment.

I fell across its link to the storm botnet tonight while researching botnets.

I tried http://chinamobilesms.com which is an old storm botnet site. It redirected me to http://mojtuvov.cn/ which is one of our canadian med friends.

A tracert and whois of chinamobilesms.com show it is owned by:

person: Boris Raychev Stoev
address: Smart Software Technologies Ltd.
address: 3 , Chernorizetc Hrabar
phone: +359897850460
fax-no: +359887575268
e-mail: b_stoev@sstech.biz

This looks like a real IT company. I would love to know why a website owned by them is redirecting to a Chinese drug spam site.

Anyone interested in having a further dig as my limited knowledge has run out!

IKillSpammerz said...

> Thanks for your excellent site. My company is being spammed
> by this canadian drugstore at the moment.
>
> I fell across its link to the storm botnet tonight while
> researching botnets.
>
> I tried http://chinamobilesms.com which is an old storm
> botnet site. It redirected me to http://mojtuvov.cn/ which
> is one of our canadian med friends.
To be more specific, this is a bulkerbiz.com affiliate site. That now redirects to a series of domains: fesravay.cn, juqnakip.cn, svozquzrel.net. (It seems to change about every two minutes or so.) The site type is known as Canadian Health&Care Mall [bulker.biz info, Canadian Health&Care Mall info]. All of these redirect domains are hosted on hijacked Unix servers located in various geographic locations.

It is entirely possible that chinamobilesms.com has also been hijacked by this group as well. It's how they host every site they run. (Including their affiliate portal, and - previously - their forum.)

> A tracert and whois of chinamobilesms.com show it is owned
> by:
>
> person: Boris Raychev Stoev
> address: Smart Software Technologies Ltd.
> address: 3 , Chernorizetc Hrabar
> phone: +359897850460
> fax-no: +359887575268
> e-mail: b_stoev@sstech.biz
>
> This looks like a real IT company. would love to know why a
> website owned by them is redirecting to a chinese drug spam
> site.
You should try contacting him to find out - especially via phone. If his server has actually been hijacked, he might not even be aware.

However there's also a second possibility: this group knowingly uses stolen contact data and credit cards to register their domains. It's entirely possible this guy is unaware his name is tied to this criminal operation's domain.

Thanks for the information.

SiL

Mr. Average said...

I think "Wen Feng" is that troublesome spammer in our Mr. Men Show Blog in Typepad.
He owns lots of online shops.