Knujon Weekly Reports

A compendium of news related to spammers, spam arrests, spam legislation, forum spamming, cybercrime and related issues.

Knujon Weekly Reports

Postby AlphaCentauri » Fri Aug 29, 2008 9:59 am

Since a lot of people aren't subscribed to Knujon's newsletter, I thought I would reproduce them in this thread.

8/29/08
Subject: Phantom Registrars, Fake Pharmacies, and the Secret Infrastructure - KnujOn Reports
Hello,

In our continuing effort to shed light on the dark corners of the Internet
we have produced this report on the Directi Group, a fairly large player in
the Registrar world. We have highlighted their use of the controversial
service PrivacyProtect.org, their continued sponsorship of fake pharmacy
domains, and their apparent ability to get Registrar accreditations for 48
Phantom Companies.

The full report with documentation, data and links to supporting articles is
here: http://www.knujon.com/news.html#directi
PDF version:
http://www.knujon.com/KnujonReport_dire ... 082808.pdf

********************************************
48 Phantom Registrars

KnujOn has found at least 48 ICANN-accredited Registrars that do not seem to
exist. All of the Registrars in question are affiliated with the Directi
Group (Directi, PublicDomainsRegistry, Answerable, LogicBoxes). Our
attention was first brought to them when we released our report of the Ten
Worst Registrars for illicit domains, spam, and false registrations. At the
time, in some records Directi’s address was listed as: “14525 SW Millikan
#48732 Beaverton Oregon”. Directi has since denied this and now disclosed
its address as being in Mumbai, India. This prompted us to take a closer
look at all the Registrars in Internic’s (ICANN) directory affiliated with
Directi and presenting themselves as being located in the United States. 8
Directi–affiliated Registrars list their address on the Internic Registrar
Directory as: 14525 SW Millikan #48732 Beaverton Oregon.

In examining the directory for the other 40 Directi-affiliated Registrars, we
find an even more confusing address:

15 West 47th Street New York, NY 10036 Oregon
United States
650-331-0716

The first line is obviously ambiguous with “Oregon” on the end of a New York
address. An additional layer of confusion is added by the fact that
650-331-0716 is a San Mateo, California phone number. So, where are these
companies? New York, Oregon, California or Mumbai? There is nothing wrong
with having multiple business locations, but this fact is not disclosed on
any of their websites or at Internic.

Next, we set out to verify if any of these companies were real. Because of
the confusing addresses we researched the New York, Oregon, California and
India business registries. None of the Directi-affiliated companies listed
in the Internic Registrar Directory are real licensed companies:

Jumbo Name, Inc.
Your Domain King, Inc.
Fenominal, Inc.
Game For Names, Inc.
Ever Ready Names, Inc.
Find Good Domains, Inc.
Go Full House, Inc.
Instinct Solutions, Inc.
Name Perfections, Inc.
Need Servers, Inc.
Network Savior, Inc.
Power Carrier, Inc.
Power Namers, Inc.
Super Name World, Inc.
Tech Tyrants, Inc.
The Registrar Service, Inc.
Trade Starter, Inc.
Unpower, Inc.
Venus Domains, Inc.
Yellow Start, Inc.
Zone Casting, Inc.
Extend Names, Inc.
Extremely Wild Key Registrar, Inc.
Magic Friday, Inc.
Name To Fame, Inc.
Net Juggler, Inc.
Unified Servers, Inc.
Names Bond, Inc.
Specific Name, Inc.
Genuine Names, Inc.
Best Site Names, Inc.
Get Real Names, Inc.
Global Names Online, Inc.
Naming Associate, Inc.
The Names Registration, Inc.
Cool Ocean, Inc.
Names Real, Inc.
Big Domain Shop, Inc.
Colossal Names, Inc.
Click Registrar, Inc.
Cotton Water, Inc.
Crystal Coal, Inc.
Curious Net, Inc.
Domain Band, Inc.
Domain Mantra, Inc.
Platinum Registrar, Inc.
There is an expression that a company can “exist only on paper”, but in this
case we don’t even have that.

********************************************
The Fake Pharmacies

We have collected content and data for the 19,000 plus domains using the
PrivacyProtect.org service that have been advertised through spam and
narrowed the analysis down to 9,156 domains that are currently active.

What has been found is very interesting and helps explain how a rogue
Registrar can play a big role in supporting massive fake pharmacy networks.

Starting with a list of 1,820 fake pharmacy domains all using
PrivacyProtect.org and all registered through Directi/PublicDomainsRegistry
we find these sites are all served from 132.206.106.15, an IP at the McGill
University (likely a compromised machine, maybe even that of a student).
Half of the content for the sites is served from an IP in Austria, the other
half from an IP in the UK. (See the full list)

We could call McGill today and get this IP closed but it would only be a
temporary obstacle for the criminals. In fact, since KnujOn collected this
data the sites have already moved to 61.153.209.98, which is Donghai
University in China. These networks are very nimble, the content is highly
portable and deployed by scripted kits. This is where the Registrar comes
in. They have to make the sites resolve at a new location quickly. The IP
addresses of the fake pharmacies change, but the Registrar and proxy
registration service are constants. The nameservers for these sites are all
at Directi/PublicDomainsRegistry and also shielded by PrivacyProtect.org.

Their subtle misdirection provides cover. If a consumer complains to
Directi/PublicDomainsRegistry about these sites they simply direct them to
the ISP host that serves the content. If and when the site content is closed
by the ISP host, Directi/PublicDomainsRegistry just helps them set up at a
new IP. The true owners are of course shielded by PrivacyProtect.org. It’s a
cycle they have adapted to, so the fake online pharmacy business continues
with minimal interruptions. (Download full list of Directi/PrivacyProtect Rx
domains with most recent IP)

********************************************
Secret Infrastructure

The service that shields ownership of the unlicensed pharmacies,
PrivacyProtect.org, is itself a phantom with undisclosed ownership. It was
revealed in a Washington Post article that the Directi Group actually owns
PrivacyProtect.org, a fact they did not deny when they responded to the
article.

In summary, we have thousands of illicit domains cloaked by a company which
is also anonymously owned. The domains are all sponsored by the Directi
Group which is affiliated with 48 Registrars that cannot be proven to be
real entities. Clearly there are serious problems with oversight, due
diligence, and accountability. How can the consumer be protected under these
conditions?

While Directi claims they will suspend illicit domains, KnujOn has found on
many occasions Directi sponsored domains being removed temporarily only to
be restored after a brief period with the same content. The sheer volume of
fake pharmacies at Directi is daunting, and given the fact that they can all
be traced to one source: PrivacyProtect.org, would it not be time for
Directi to reconsider its relationship with PrivacyProtect.org if they are
serious about solving the problem?

As for ICANN, how is it possible that so many companies can be granted
accreditation with unverified credentials?
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am
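The "Fake Pharmacies" section above makes an analytic point worth carrying into tooling: the hosting IPs of these sites move from one compromised host to the next, while the sponsoring registrar, the nameservers and the proxy registration service stay constant, so the constants are what identify the network. The script below is an added example, not code from KnujOn or from the original post: it clusters domains by that constant infrastructure across lookup snapshots and flags clusters whose hosting IPs changed. The observation records, the domain names (all under the reserved `.invalid` TLD) and the nameserver hostnames are constructed for illustration; only the two IP addresses are taken from the report.

```python
"""
Cluster spam-advertised domains by the infrastructure that stays constant
(sponsoring registrar, nameserver host, privacy/proxy service) while the
hosting IP moves between lookup snapshots.

All records below are constructed sample data. The two IP addresses are the
ones named in the KnujOn report; every other value is a placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    snapshot: str   # date the lookup was taken, e.g. "2008-08-20"
    domain: str
    registrar: str  # sponsoring registrar from the WHOIS record
    ns_host: str    # parent domain of the nameservers (registrar-side DNS)
    privacy: str    # proxy/privacy service named in the WHOIS contacts ("" if none)
    ip: str         # A record at the time of the snapshot


# Constructed snapshots: two pharmacy-style domains that share registrar,
# nameservers and proxy service but move host, plus one unrelated domain.
OBSERVATIONS = [
    Observation("2008-08-20", "rx-example-1.invalid", "PublicDomainsRegistry",
                "ns.example-registrar.invalid", "PrivacyProtect.org", "132.206.106.15"),
    Observation("2008-08-20", "rx-example-2.invalid", "PublicDomainsRegistry",
                "ns.example-registrar.invalid", "PrivacyProtect.org", "132.206.106.15"),
    Observation("2008-08-27", "rx-example-1.invalid", "PublicDomainsRegistry",
                "ns.example-registrar.invalid", "PrivacyProtect.org", "61.153.209.98"),
    Observation("2008-08-27", "rx-example-2.invalid", "PublicDomainsRegistry",
                "ns.example-registrar.invalid", "PrivacyProtect.org", "61.153.209.98"),
    Observation("2008-08-20", "shop-example.invalid", "OtherRegistrar",
                "ns.other-dns.invalid", "", "198.51.100.7"),
    Observation("2008-08-27", "shop-example.invalid", "OtherRegistrar",
                "ns.other-dns.invalid", "", "198.51.100.7"),
]


def infrastructure_key(obs):
    """Tuple identifying a network independently of where it is hosted today."""
    return (obs.registrar.lower(), obs.ns_host.lower(), obs.privacy.lower())


def cluster_by_infrastructure(observations):
    """Group domains by constant infrastructure and record the IPs seen per snapshot.

    Returns {key: {"domains": set, "ips_by_snapshot": {snapshot: set(ip)}}}.
    """
    clusters = defaultdict(lambda: {"domains": set(),
                                    "ips_by_snapshot": defaultdict(set)})
    for obs in observations:
        c = clusters[infrastructure_key(obs)]
        c["domains"].add(obs.domain)
        c["ips_by_snapshot"][obs.snapshot].add(obs.ip)
    return dict(clusters)


def moved_clusters(clusters):
    """Keys of clusters whose hosting IPs differ between snapshots.

    A cluster that keeps the same registrar/nameserver/proxy while its IPs
    change is the pattern the report describes: the host is a moving target,
    the registrar-side infrastructure is the constant to track and report on.
    """
    moved = []
    for key, c in clusters.items():
        ip_sets = [frozenset(ips) for _, ips in sorted(c["ips_by_snapshot"].items())]
        if len(set(ip_sets)) > 1:
            moved.append(key)
    return moved


def summarize(observations):
    """Human-readable lines, one per cluster, for an analyst's report."""
    clusters = cluster_by_infrastructure(observations)
    moved = set(moved_clusters(clusters))
    lines = []
    for key, c in sorted(clusters.items()):
        ips = sorted({ip for s in c["ips_by_snapshot"].values() for ip in s})
        status = "MOVED" if key in moved else "stable"
        lines.append(f"{status}: registrar={key[0]} ns={key[1]} proxy={key[2] or '-'} "
                     f"domains={len(c['domains'])} ips={','.join(ips)}")
    return lines


if __name__ == "__main__":
    for line in summarize(OBSERVATIONS):
        print(line)
```

In practice the observations would come from periodic WHOIS and DNS lookups of the domains collected from spam; the clustering logic is the same, and the report's point is that a complaint routed to the host alone only disturbs one snapshot, while the cluster key is what persists.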

Postby meep » Wed Sep 03, 2008 4:51 am

Thanks for posting that. Good read.
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Postby spamislame » Wed Sep 03, 2008 9:49 am

Wow that was a very informational posting.

There's no question that the networks of individuals behind these setups (and I'll name names, I believe they're talking here about Canadian Pharmacy, ie: spamit / glavmed) are highly organized and efficient.

Very good information.

Thanks.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Postby brewt » Tue Sep 09, 2008 11:08 pm

knujon, on Mon, September 8, 2008 wrote:

Hello,

There has been some amazing activity in the last week. KnujOn’s report on
EstDomains, Directi, and other Internet companies has created significant
controversy. The final details of all this are not yet complete, but after
5 days of very heated public (and private) discussions with the
Registrar Directi we can report some significant developments. Aside from
dumping thousands of illicit websites, cutting ties with EstDomains, and
investigating various questionable resellers, Directi has made the following
public pledge:

<<Directi affirms they are in no way supporting illicit online pharmacies.
KnujOn has sent a list of newly populated fake pharmacy domains that Directi
suspended. Directi and KnujOn now jointly call on the Internet community,
private industry, and government to help develop policy and methods to put a
stop to the fake pharmacy menace since Registrars cannot do this alone.>>

KnujOn will constantly feed Directi with fake pharmacy data and monitor the
situation to ensure this pledge in the long term. In the short term, we need
to keep this momentum going and ensure that other parties join this effort.
I truly believe that a comprehensive policy fix for the Internet is possible
with the right support.

EstDomains CEO a convicted felon?
http://voices.washingtonpost.com/securi ... .html#more

The end of a cybercrime conspiracy?
http://arstechnica.com/articles/culture ... alware.ars

Stand by folks, there is much more to come in the near future.
brewt
Spam Muncher
 
Posts: 812
Joined: Fri Jul 20, 2007 2:26 pm

Postby spamislame » Wed Sep 10, 2008 11:11 am

brewt wrote:
knujon, on Mon, September 8, 2008 wrote:Directi and KnujOn now jointly call on the Internet community,
private industry, and government to help develop policy and methods to put a
stop to the fake pharmacy menace since Registrars cannot do this alone.


Who can we contact directly at Knujon to make them aware (if they aren't already) of our castlecops wiki listings of domains?

Or of the spamwiki's definitions and research pointing to the illegality of the sites (whether spammed or not?)

A group like Knujon could bring about much faster builds of foreign-language content for the spam wiki, for example. (At least in theory.)

Someone should contact whoever sends that newsletter about that. Or I could, if someone has a contact.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Postby AlphaCentauri » Wed Sep 10, 2008 12:14 pm

There is a Knujon forum at Castlecops (one public and another private one for members, actually). It seems the best way to contact Knujon is to start a thread there and wait for Garth to check the forum. He drops by occasionally and responds to everyone's comments at once, though I suspect he'll be dropping by more frequently since the Directi thing is ongoing.

I'm not sure how interested he would be. He doesn't deal with spam brands, and probably doesn't attempt to filter for innocent domains mentioned in spams that get forwarded, nor evaluate for how quickly reported domains are shut down. His strategy is to bulk report to WDPRS asking for confirmation of the accuracy of the registration info on every spammed domain. ICANN never even kept up with the regular level of reports, which is exactly why he does it -- to demonstrate that the system is inadequate. And his expectation from registrars is that they find a way to stop new spammer registrations, not that they merely shut down reported spammed domains promptly.

Unfortunately, he makes no attempts to notify registrars directly of the information he's sending to ICANN. The first registrars hear about Knujon is when he comes out with these name-and-shame lists, and since those look at the last 12 months of spam, they aren't necessarily reflective of current spammer or registrar patterns of activity.

Currently, people who sign up as members to have their spam reported pay a subscription fee, but I think eventually he plans to have registrars pay to get a Knujon seal of approval.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Postby meep » Wed Sep 10, 2008 12:41 pm

There is a Knujon forum at Castlecops (one public and another private one for members, actually).


Thanks, AC, for letting me know that, I knew of the public forum at CC, but it seems to have little traffic.

Maybe putting a thread in the private forum would be best. I don't know Garth or any one else at Knujon thru any correspondence.

Garth is supposed to be at the APWG meeting, so I can meet him in person. :) I plan to make a lot of contacts at the APWG meeting in October in Atlanta. I wish some of you all could go, but it is geographically far for most of you all that I know of.

**
[and pricey to go (400 USD for 3 days)]
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Postby brewt » Wed Sep 10, 2008 10:59 pm

spamislame wrote:Who can we contact directly at Knujon to make them aware (if they aren't already) of our castlecops wiki listings of domains?
They are aware since at least June 2008, thanks to Tembow of the Castlecops forum.
http://www.castlecops.com/t224211-Revis ... op_10.html

I emailed them about the wiki as early as May 2008.
They have been in correspondence with Tembow at castlecops, and Chris at todaynic as well, apparently.

p.s. This is something relatively new for knujon.
knujon.com wrote:Free Personal Client Account (limited offer)

Free - With advertisements

A private email reporting address will be provided
* A regular status report will be issued displaying the progress on your email
...
* Reports will contain minimal, non-popup ads and banners. via

...

Personal/Free with advertisements: KnujOn.com is proud to help individuals with their junk mail problems. You will be issued a unique account to forward your junk email to. You may forward email from multiple accounts. In return you will receive regular reports detailing your progress. These reports will have tasteful and minimal advertising banners.
brewt
Spam Muncher
 
Posts: 812
Joined: Fri Jul 20, 2007 2:26 pm

Postby AlphaCentauri » Thu Sep 18, 2008 12:06 am

Newsletter Sept. 17, 2008:

Hello,

KnujOn is moving forward on recent events and building on them. We will be
issuing a new press release shortly detailing a three-point plan for
expanding our success. KnujOn will also be going on the road over the next
two months with appearances in New York, Washington D.C., Fort Lauderdale,
Atlanta, and Cleveland. Details about each event will be posted on our home
page: http://www.knujon.com. Your participation and input in these events
will be solicited! You will have an opportunity to have your voice heard in the
fight against spam, malware and cybercrime.

****************************************************
Review of KnujOn Interface – add your comments

A KnujOn client and malware researcher has blogged about KnujOn, we invite
you to post your own comments and share your experience at the same blog:
http://secshoggoth.blogspot.com/2008/09/i-love-getting-spam-redux.html

***************************************************
Are you in Virginia?

If you are a KnujOn client and located in Virginia (United States), we need
you to contact us. The junk email you have submitted can help make a case
against spammers. Please contact us and we’ll give you more details.


The blog he's talking about is one in which someone who signed up with Knujon basically says, "wow, this is not causing me any work and of the 7,000 spam domains I've submitted, 270 have been shut down and isn't it wonderful that Knujon is doing this."

Is anyone else getting peeved that Knujon takes credit for every spammed domain that gets shut down -- despite not reporting any of them to anyone except ICANN? Yet trobbins, Red, seekaybee, nodus and others have gotten thousands of domains shut down by establishing contacts with real human beings at registrars and setting up systems for bulk reporting via email and through the wiki at Castlecops.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Postby kamaraju » Fri Sep 19, 2008 9:39 am

AlphaCentauri wrote:Is anyone else getting peeved that Knujon takes credit for every spammed domain that gets shut down -- despite not reporting any of them to anyone except ICANN? Yet trobbins, Red, seekaybee, nodus and others have gotten thousands of domains shut down by establishing contacts with real human beings at registrars and setting up systems for bulk reporting via email and through the wiki at Castlecops.


I would like to complain about the contacts with real human beings. It is not 100% effective as far as I can see.

For example, someone previously established a contact with Go Daddy, Xin Net. They did shut down spam nameservers/websites at that time. But after some time, they are back to their old ways. According to http://rss.uribl.com/nic/ Go Daddy, Xin Net now ranked 4th, 5th spammy registrars. This tells how ineffective our (complainterator) approach could be.

Maybe I am wrong. But Knujon's way of publicly shaming spammers, building evidence against them and indulging law enforcement does seem to be a better approach in the longer term.

Any comments?
kamaraju
Spam Observer
 
Posts: 72
Joined: Sun Jun 24, 2007 10:31 pm

Postby AlphaCentauri » Fri Sep 19, 2008 4:36 pm

kamaraju wrote:

Maybe I am wrong. But Knujon's way of publicly shaming spammers, building evidence against them and indulging law enforcement does seem to be a better approach in the longer term.

Any comments?


I would agree if they ever forwarded any of their complaints to the registrars before they shamed them. They only send them to ICANN, which never does anything with them. And Knujon knows they never do anything with them; they're reporting every single spam domain to demonstrate that the system is inadequate to deal with the problem.

The slowdown at CC has been a problem, too -- we had some of the registrars going to the bulk spam reporting pages and suspending everything we posted, and then the wiki went down. I know I haven't been as good at reporting there lately, even though they have been back up for a while now, and I think a lot of us have been busy and not gotten back to it.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Postby trobbins » Sat Sep 20, 2008 1:13 am

I've been MIA for the past month and a half and have noticed that registrations with XINNET and others are climbing again. I have only had time to collect domains and run a program overnight to check on suspensions during this time. I have some house cleaning to do to my database and will begin reporting in full force shortly.
trobbins
Spammers' Nightmare
 
Posts: 2556
Joined: Thu Apr 12, 2007 6:55 pm

Postby AlphaCentauri » Sat Sep 20, 2008 1:23 am

Great to have you back! (and that amazing database, too... :) )
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Postby Red Dwarf » Sat Sep 20, 2008 1:44 am

Welcome back.

I have had to scale back a lot, too. The real life has impinged on the cyber one.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Postby spamislame » Sun Sep 21, 2008 2:19 pm

Red Dwarf wrote:Welcome back.

I have had to scale back a lot, too. The real life has impinged on the cyber one.


Lotta that going around. ;)

I'm back as well.

Welcome back, trobbins. And yes I agree: knujon + wdprs = nowhere near the response we are getting as a loosely-knit group of volunteers.

One day we'll be able to be more public about our activities. Until then, others can publicly take credit.

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am
