ICANN/DNSO
DNSO Mailing lists archives

[registrars]



Re: [registrars] Not to sound like an attorney, but...



Mike,

On Tue, 22 Apr 2003, Michael D. Palage wrote:

[snip]

> What has not been established, is what happens when someone enters their
> credit card information at this site. Although there is likely to be
> consensus on what would likely happen, no one can state with certainty what
> would happen. There seems to be a premise that any registrar that would

I am fairly confident that in this case we are on mark and that I am
certain any credit card entered on that site was going to be used
fraudulently.

The quick action by this responsible party effectively solves this
problem.

I did speak with law enforcement and they effectively said [I am
paraphrasing here] we are SOL, these problems exist and only when we can
demonstrate an articulable damage in excess of 25K in one state; we had
better learn to deal.

From one of the parties involved:

   Thanks Rick,

   I have contacted the customer, who is a reseller that has rented
   out this server to a client.  We have disabled the formmail.cgi
   script as it's possible that this script is vulnerable to the
   formmail exploit.  This should at least stop the form submission
   for now.  From what we suspect, it's very possible that this fraud
   scam detected this exploitable formmail.cgi script and is using it
   to relay the mail.

So, to speak directly to Mike's email... taking action in the opposite
direction of what you advocate did effectively shut down this scam for
now, which is 100% better than what talking to law enforcement did.

-rick

P.S. Attached is my note I sent to the FBI and all the involved hosting
     parties today.

.BIZ SPAM & Renewal Fraud.

Joyce Lynn the CEO of 007domains received the following note [1] today
that kicked off a flurry of activity trying to get the web site
domainrenewals.biz taken off the air.

Several registrars in the US and UK noticed hundreds of messages going
to their customers notifying them they need to renew their domain
name. The SPAM was being sent to all customers of all domain holders
under the .biz TLD. Apparently the folks at domainrenewals.biz had
mined the whois database and were sending false renewal notices to
every .biz domain registrant.

Upon inspecting the site www.domainrenewals.biz, it is obvious that the
information is being collected unprocessed. Understand only the
registrar of record may renew a domain and the website
domainrenewals.biz does not appear to be affiliated with any
registrar. Furthermore the submission of the form-data is posted to an
IPv4 address hosted in Canada.

I've spoken to Joe at Valuenet.net who hosts the website where the
credit cards are taken at and I notified the folks at rackforce 
that a server on their network is being used to receive the 
posted form-data.

I'm still tracking down who was involved in the spam and what network
sent out the email.

-rick

Rick Wesson
CEO, Alice's Registry, Inc.
CTO, ICANN/DNSO Registrars Constituency




details follow:

;; QUESTION SECTION:
;www.DOMAINRENEWALS.BIZ.                IN      A

;; ANSWER SECTION:
www.DOMAINRENEWALS.BIZ. 69422   IN      A       216.162.112.42

;; AUTHORITY SECTION:
DOMAINRENEWALS.BIZ.     6470    IN      NS      NS1.ITBRAZIL.COM.
DOMAINRENEWALS.BIZ.     6470    IN      NS      NS5.DOMAIN34.COM.
DOMAINRENEWALS.BIZ.     6470    IN      NS      NS1.DOMAIN34.COM.

;; ADDITIONAL SECTION:
NS1.DOMAIN34.COM.       172071  IN      A       66.139.78.42
NS1.ITBRAZIL.COM.       172071  IN      A       69.27.32.18
NS5.DOMAIN34.COM.       172071  IN      A       66.111.43.120
   

Request: 216.162.112.42
connecting to whois.arin.net [192.149.252.43:43] ...
Valuenet Corp. VALUENET-1BLK (NET-216-162-96-0-1)
                                  216.162.96.0 - 216.162.127.255
Bestdsl.net 216-162-112-24 (NET-216-162-112-0-1)
                                  216.162.112.0 - 216.162.112.255

Request: VALUENET-1BLK@whois.arin.net
connecting to whois.arin.net [192.149.252.43:43] ...

OrgName:    Valuenet Corp.
OrgID:      VALN
Address:    4534 N Lindbergh Blvd Suite 429
City:       Bridgeton
StateProv:  MO
PostalCode: 63044
Country:    US

NetRange:   216.162.96.0 - 216.162.127.255
CIDR:       216.162.96.0/19
NetName:    VALUENET-1BLK
NetHandle:  NET-216-162-96-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.VALUENET.NET
NameServer: NS2.VALUENET.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1999-08-05
Updated:    2001-06-28

TechHandle: JY62-ARIN
TechName:   Yu, Joe
TechPhone:  +1-314-731-2860
TechEmail:  Joe@valuenet.net

OrgTechHandle: JY62-ARIN
OrgTechName:   Yu, Joe
OrgTechPhone:  +1-314-731-2860
OrgTechEmail:  Joe@valuenet.net


<FORM  action=http://69.10.141.77/cgi-sys/formmail.cgi 
                                method=POST onsubmit="return FrontPage_Form1_Validator(this)" language="JavaScript" name="FrontPage_Form1">
                                <TR>

OrgName:    RackForce Hosting Inc.
OrgID:      RACKF
Address:    1780 Dolphin Ave
Address:    Suite 104
City:       Kelowna
StateProv:  BC
PostalCode: V1Y-9S4
Country:    CA

NetRange:   69.10.128.0 - 69.10.143.255
CIDR:       69.10.128.0/20
NetName:    RACKFORCE-1
NetHandle:  NET-69-10-128-0-1
Parent:     NET-69-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.IPWORLDCOM.CA
NameServer: NS2.IPWORLDCOM.CA
Comment:
RegDate:    2002-12-12
Updated:    2002-12-12

TechHandle: RNO3-ARIN
TechName:   RackForce Network Operations
TechPhone:  +1-866-468-1158
TechEmail:  noc@rackforce.com

OrgTechHandle: RNO3-ARIN
OrgTechName:   RackForce Network Operations
OrgTechPhone:  +1-866-468-1158
OrgTechEmail:  noc@rackforce.com


[1] Note received by Joyce Lynn

> ----- Original Message -----
> From: ".BIZ RENEWALS" <renewal-help@domainrenewals.biz>
> To: <joyce@webex.net>
> Sent: Tuesday, April 22, 2003 12:22 PM
> Subject: Domain Renewal (SORSBYART.BIZ)
>
>
> > Dear Registrant,
> >
> > Your domain SORSBYART.BIZ is due for renewal shortly. Please see our web
> > site to renew your domain name:
> >
> > http://www.domainrenewals.biz
> >
> > Registration Fees:
> >
> > 2 Years - $35/year
> > 3-5 Years - $25/year
> > 6-10 Years - $20/Year
> >
> > All prices are US Dollars.
> >
> > Should you have any questions on renewing your domain please contact
> renewal-help@domainrenewals.biz
> >
> > BIZ Domain Renewals
> > http://www.domainrenewals.biz
> >
> > ----------------------------------
> > If you no longer wish to receive domain renewal notifications
> > see http://www.domainrenewals.biz/notifications.html
> > This email was sent to joyce@webex.net

From: NeuLevel Registry <registrarsignup@neulevel.biz>
To: support@ar.com
Subject: NeuLevel advisory on unsolicited renewal notices

Dear Registrar Partner,

RE:     Domain Renewal Notices

Several registrants and Registrars of .BIZ domain names have notified
NeuLevel that a company doing business as Domain Renewals
<www.domainrenewals.biz > has been sending out correspondence regarding
renewal of .BIZ domain names.  These notices have not only been regarding
names that are not due for renewal for at least a year, but also have been
delivered to registrants of .BIZ domain names that are listed in the
Registry's Whois database as being your customers. The notices being sent
out read as follows:

=================================================================
Dear Registrant,

Your domain [DOMAINNAME] is due for renewal shortly. Please see our
web site to renew your domain name:

http://www.domainrenewals.biz

IMPORTANT: FAILURE TO RENEW YOUR DOMAIN BEFORE ITS EXPIRY DATE WILL RESULT
IN LOSS OF SERVICE.

Registration Fees:

2 Years - $35/year
3-5 Years - $25/year
6-10 Years - $20/Year

All prices are US Dollars.

Should you have any questions on renewing your domain please contact
renewal-help@domainrenewals.biz .

BIZ Domain Renewals
http://www.domainrenewals.biz
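
Added example, not part of the original message or of any party's tooling: a small check that flags the signals Rick's note points out in the form tag, namely form data posted to a host other than the one serving the page, to a bare IPv4 address, over cleartext HTTP, and to a formmail script. The function names, the sample page and the cardnumber field are constructed for illustration; the form action is the one quoted in the message.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, modelled on the form tag quoted in the message.
SAMPLE_PAGE_URL = "http://www.domainrenewals.biz/"
SAMPLE_HTML = """
<html><body>
<FORM action=http://69.10.141.77/cgi-sys/formmail.cgi method=POST name="FrontPage_Form1">
<input type=text name=cardnumber>
</FORM>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

class FormCollector(HTMLParser):
    """Collect the action attribute of every <form>; the parser lowercases tag names."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_forms(page_url, html):
    """Return (resolved_action, findings) for each form found in the page."""
    page_host = urlsplit(page_url).hostname
    collector = FormCollector()
    collector.feed(html)
    results = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # empty or relative actions resolve to the page
        parts = urlsplit(target)
        findings = []
        if parts.hostname != page_host:
            findings.append("cross-host")       # data leaves the site that shows the form
        if is_ip_literal(parts.hostname or ""):
            findings.append("ip-literal")       # no domain name behind the collector
        if parts.scheme != "https":
            findings.append("cleartext")        # card data would travel unencrypted
        if parts.path.lower().rsplit("/", 1)[-1].startswith("formmail"):
            findings.append("formmail-script")  # form-to-mail relay, as in the host's reply
        results.append((target, findings))
    return results
```

Calling audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML) reports all four findings for the first form and only "cleartext" for the same-site search form.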

