ICANN/DNSO
DNSO Mailing lists archives

[registrars]



Re: [registrars] Not to sound like an attorney, but...


Hi guys,

We also had a large number of our customers getting these emails. We have 
done some more research.

If you look up the domain name domainrenewals.biz 
<http://www.internetters.com/whois.htm> you will see that it was only 
registered a few days ago on the 16th April.

The registrant details show:
Domain Renewals
Unit 10
287 Regent Street
London W1R 7PB
There are no phone numbers 
listed.  <http://www.domainrenewals.biz/contact.htm>.

A quick search on the post code on yahoo.co.uk throws up 
www.dotcomavenue.com at the same address
DOT COM AVENUE Suite 10, 287 Regent Street London W1R 7PB

If you look up the domain name dotcomavenue.com the admin details are 
<http://www.dotcomavenue.com/uk/contact.htm>.
Administrative contact :
Manager, Domain admin@ultra-server.net
Untra-server.ner
Unit 10
287 Regent Street
London W1R 7PB
+44 0800 052 4860
If you dial the phone number 0800 052 4860 the response is "The number is 
not available".

WHOIS shows the registrant ultra-server.net to be based in Uruguay:
Alvaro Collazo (ULTRA-SERVER-NET-DOM)
Manuel Oribe 2028
Tarariras, Colonia 7000
Uruguay
+1.7029778198
info@alvarocollazo.com
A search on Google Newsgroups on "dotcomavenue" brings up a whole history 
of slamming, etc.
<http://groups.google.com/groups?q=dotcomavenue&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search>

All the emails reported to Internetters have come from a single IP address 
81.104.220.53 which is pc2-papw2-4-cust53.cmbg.cable.ntl.com, which would 
appear to be a customer connection to the NTL cable network in UK 
(Cambridge). We have reported this to NTL and we have blocked the IP from 
our mailservers. I note that Spamcop have it in their blacklist also.

Kind regards,

Paul Westley
Internetters Limited
UK


At 04:56 PM 22/04/2003 -0700, Rick Wesson wrote:

>Mike,
>
>On Tue, 22 Apr 2003, Michael D. Palage wrote:
>
>[snip]
>
 > > What has not been established, is what happens when someone enters their
> > credit card information at this site. Although there is likely to be
> > consensus on what would likely happen, no one can state with certainty what
> > would happen. There seems to be a premise that any registrar that would
>
>I am fairly confident that in this case we are on mark and that I am
>certain any credit card entered on that site was going to be used
>fraudulently.
>
>The quick action by this responsible party effectively solves this
>problem.
>
>I did speak with law enforcement and they effectively said [I am
>paraphrasing here] we are SOL, these problems exist and only when we can
>demonstrate an articulable damage in excess of 25K in one state we had
>better learn to deal.
>
>From one of the parties involved:
>
>    Thanks Rick,
>
>    I have contacted the customer, who is a reseller that has rented
>    out this server to a client.  We have disabled the formmail.cgi
>    script as it's possible that this script is vulnerable to the
>    formmail exploit.  This should at least stop the form submission
>    for now.  From what we suspect, it's very possible that this fraud
>    scam detected this exploitable formmail.cgi script and is using it
>    to relay the mail.
>
>So, to speak directly to Mike's email... taking action in the opposite
>direction of what you advocate did effectively shut down this scam for
>now, which is 100% better than what talking to law enforcement did.
>
>-rick
>
>PS: attached is my note I sent to the FBI and all the involved hosting
>    parties today.



