This page tells you how to report a criminal fraudster's website hosting and his domain registration. To report the fraud itself see these Law Enforcement Links. If you have received a fraud spam, please send me a copy via the Send Us a Scam Spam! link.
How do you report these fraudsters and who to?
1) The fraudsters use 'domains', (e.g. imascammer.com), for their fraudulent websites. These domains are registered with domain registrars, and most domain registrars these days are honest, ethical and will suspend a domain if they are provided with clear & adequate evidence that it is being used in a way that contravenes their policies, generally referred to as an Acceptable Use Policy, or AUP.
2) The fraudsters use hosts to host their websites, or, (in the case of a zombie botnet), to host the nameserver that controls the network of zombied computers which actually host the website in rotation. Once again, most hosts will cease the hosting if they are provided with clear & adequate evidence that the domain is being used in a way that contravenes their policies.
There are always a few bad apples in the barrel: they can be unresponsive, unethical or even downright crooked. They are generally noted as such on the individual scam report pages.
So, the general principle is to file an abuse report with the registrar of the criminal's website domain(s) and, in the case of a zombie botnet, with the registrar of the criminal's nameserver domain, (which has to be registered by the criminal himself, since he cannot use a legitimate DNS, (Domain Name System), provider to control a zombie botnet), and also with the host of the website, or, in the case of a zombie botnet, with the host of the nameserver which is acting as the botnet controller.
There are many tools on the internet that allow you to find out who a particular domain is registered with, (domain WHOIS data), and also how the domain is hosted and who with, (domain IP address WHOIS data). Here are some examples of useful tools, (if anyone knows of any others, please let me know):
In the case of a normally, (non-botnet), hosted website, the website domain will generally map to a single IP address, whereas the zombie botnet is a little more complex and is described in general on the General Information page. Basically, the DNS data will show the website domain mapped to a number of IP addresses, (anything from 1 upwards, usually 1, 5 or 7), which are zombied end user machines, controlled by a single nameserver which selects the zombie site host in rotation.
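The DNS pattern just described can be checked mechanically against what `dig` returns before you write the report. What follows is an added example, not code from this page or from any of the lookup tools it mentions: a Python script that parses the output of `dig +noall +answer` for the website's A records, its NS record and the nameserver's own A record, plus `dig -x` reverse lookups, and then applies the indicators above, i.e. several A records for one name, addresses scattered across unrelated netblocks, a short TTL that allows fast rotation, reverse-DNS names that look like consumer broadband pools, and a nameserver hosted somewhere other than the web hosts. The hostnames, addresses (RFC 5737 documentation ranges) and rDNS names in the sample data are constructed, and the consumer-broadband keyword list and the three-indicator threshold are my own heuristics, not something the page supplies.

```python
"""Rotating-host ("zombie botnet") heuristic over dig answer output.

Added example, not part of the original page. Input is the text printed by
`dig +noall +answer <name> A`, `dig +noall +answer <name> NS` (plus an A
lookup of the nameserver) and `dig +noall +answer -x <ip>`. The sample
strings below are constructed with documentation addresses and invented names.
"""
import ipaddress
import re
from dataclasses import dataclass

# One dig answer line: name TTL IN TYPE rdata (class is always IN here).
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS|PTR)\s+(\S+)$")

# Substrings commonly seen in the rDNS of consumer broadband pools.
# Assumption: a rough heuristic, not an authoritative list.
CONSUMER_HINTS = ("dsl", "cable", "dyn", "pool", "ppp", "dial", "dhcp")


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig_answer(text):
    """Parse dig +noall +answer output; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def ptr_map(ptr_text):
    """Map each looked-up IPv4 address back to its PTR name from `dig -x` answers."""
    out = {}
    for r in parse_dig_answer(ptr_text):
        if r.rtype == "PTR" and r.name.endswith(".in-addr.arpa."):
            octets = r.name[: -len(".in-addr.arpa.")].split(".")
            out[".".join(reversed(octets))] = r.rdata.rstrip(".")
    return out


def looks_consumer(ptr_name):
    name = ptr_name.lower()
    return any(h in name for h in CONSUMER_HINTS)


def assess_hosting(site_answers, ns_answers, ptr_answers):
    """Return a dict describing whether the site looks rotated over zombie hosts."""
    a_recs = [r for r in parse_dig_answer(site_answers) if r.rtype == "A"]
    ns_recs = parse_dig_answer(ns_answers)
    ptrs = ptr_map(ptr_answers)

    ips = [r.rdata for r in a_recs]
    netblocks = sorted({str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips})
    min_ttl = min((r.ttl for r in a_recs), default=None)
    consumer = [ip for ip in ips if looks_consumer(ptrs.get(ip, ""))]
    ns_names = {r.rdata for r in ns_recs if r.rtype == "NS"}
    ns_ips = {r.rdata for r in ns_recs if r.rtype == "A" and r.name in ns_names}

    indicators = []
    if len(ips) >= 3:
        indicators.append(f"{len(ips)} A records for one hostname")
    if len(netblocks) >= 3:
        indicators.append(f"addresses spread over {len(netblocks)} unrelated /16 netblocks")
    if min_ttl is not None and min_ttl <= 300:
        indicators.append(f"short TTL ({min_ttl}s) permits rapid rotation of hosts")
    if consumer and 2 * len(consumer) >= len(ips):
        indicators.append(f"{len(consumer)}/{len(ips)} rDNS names look like consumer broadband")
    # Ordinary sites also often keep DNS and web on different boxes, so this
    # indicator only matters in combination with the others.
    if ns_ips and not ns_ips & set(ips):
        indicators.append("nameserver hosted separately from the web hosts (controller pattern)")

    verdict = "rotating zombie hosting suspected" if len(indicators) >= 3 else "conventional hosting"
    return {"verdict": verdict, "indicators": indicators, "ips": ips, "netblocks": netblocks,
            "min_ttl": min_ttl, "nameservers": sorted(ns_names), "ns_ips": sorted(ns_ips)}


# Constructed sample: a site rotated over five broadband hosts, one controller.
FLUX_A = """
fraudsite.example.  300 IN A 192.0.2.10
fraudsite.example.  300 IN A 198.51.100.20
fraudsite.example.  300 IN A 203.0.113.30
fraudsite.example.  300 IN A 192.0.2.40
fraudsite.example.  300 IN A 198.51.100.50
"""
FLUX_NS = """
fraudsite.example.  3600 IN NS ns1.controller.example.
ns1.controller.example. 3600 IN A 203.0.113.200
"""
FLUX_PTR = """
10.2.0.192.in-addr.arpa. 86400 IN PTR dsl-192-0-2-10.pool.isp-a.example.
20.100.51.198.in-addr.arpa. 86400 IN PTR cable-198-51-100-20.isp-b.example.
30.113.0.203.in-addr.arpa. 86400 IN PTR 203-0-113-30.dyn.isp-c.example.
40.2.0.192.in-addr.arpa. 86400 IN PTR host40.isp-a.example.
50.100.51.198.in-addr.arpa. 86400 IN PTR ppp-198-51-100-50.isp-b.example.
"""
# Constructed sample: a normally hosted site on one server at a hosting company.
CONV_A = "shop.example. 86400 IN A 198.51.100.7\n"
CONV_NS = "shop.example. 86400 IN NS ns1.hosting-co.example.\nns1.hosting-co.example. 86400 IN A 198.51.100.2\n"
CONV_PTR = "7.100.51.198.in-addr.arpa. 86400 IN PTR web7.hosting-co.example.\n"

if __name__ == "__main__":
    for label, args in (("fraudsite.example", (FLUX_A, FLUX_NS, FLUX_PTR)),
                        ("shop.example", (CONV_A, CONV_NS, CONV_PTR))):
        result = assess_hosting(*args)
        print(f"{label}: {result['verdict']}")
        for ind in result["indicators"]:
            print("  -", ind)
```

Run it as-is to see both verdicts; for a live case, replace the three sample strings with the real `dig` output. The 'nameserver hosted separately' indicator fires for plenty of innocent sites, which is why the verdict demands at least three indicators together. None of this replaces the RDNS and TRACERT confirmation the sample reports below rely on: it only tells you which hosts are worth tracing.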
The Abuse Report
The abuse report itself presents many conflicting and variable requirements which, in my experience, make it virtually impossible to standardise, especially as abuse teams vary wildly in their comprehension & willingness to help: no two abuse teams are the same. It is possible, however, to use previous reports as templates in a sort of rolling development tailored to the abuse team in question, and that is essentially what I do.
As I see it, the guidelines are:
1) The information must be 100% correct and must be based on solid evidence. Abuse teams will quite rightly not consider remedial action if your report is based on conjecture or is factually incorrect, or if evidence is not provided to back up your claims.
2) You must be polite & friendly and never abusive, but you must also be convincing. These requirements can sometimes slightly conflict, (especially if the abuse team involved has no interest in being convinced), but always remember you are trying to solicit their help.
3) Request the correct action in the language the abuse teams understand and, if you can, quote the pertinent sections of their AUP that are applicable.
4) Abuse teams are busy people: you must present the relevant information in as concise and understandable a form as possible. Once again this is a difficult balance to achieve, and what is the correct balance for one abuse team will not be for another. Some teams are technically astute and others are not.
5) Do not include attachments with your abuse reports. They must be in plain text form only, no HTML.
6) Try to avoid multiple reports for the same incident. Once again this presents a problem, i.e. what do you do if the abuse team concerned does not respond in any way and/or takes no action within a reasonable time scale, say two or three working days? Has your abuse report been blocked by a spam filter? Once again abuse teams vary wildly: some will respond positively and quickly, (say within 24 hours on a working day), & others will not respond at all until you've sent them several criminal fraud reports over a week, when they may simply respond to tell you to stop spamming them, which pretty well tells you their position.
Unfortunately, many abuse reporting addresses have spam filtering in place, often with non-delivery returns disabled, so it is not always a good idea to include spam source code in reports of this nature unless requested to do so; instead, state that spam source code is available upon request.
Feel free to comment on the sample abuse reports below, but please bear in mind that no two people will ever agree on what constitutes the 'best' abuse report, as I don't think there is any such thing. For instance, some abuse teams simply will not understand the DNS data which is included below, but if you don't include it you will be accused of not providing any evidence of zombie botnet use by the rest that do understand it.
However your abuse reports are phrased, be prepared for the occasional VERY dumb response. :o)
Some suggested reports. First, a detailed multiple destination report:

Hello,

This carefully researched report involves site theft, money laundering fraud activity and spamming as evidenced on http://www.bobbear.com/cronosinvest.html & involves the Spiritdomains registered domain REGNEWUSER.COM, the Switch.ch registered domain CRONOF.LI and ISPSYSTEM zombie botnet hosting on nameserver IP 82.146.52.103. Spam available upon request.
SUMMARY OF EVIDENCE
Cronos Investment site thief, copyright abuser, spammer and money laundering criminal fraudster, (aka Draper Investment fraudster), using a fake website based on the genuine company http://www.draperco.com/index.html and hosted by a zombie botnet controlled by nameserver ns1.regnewuser.com [82.146.52.103] using domain cronof.li. The criminal fraud website, e.g. http://cronof.li/index.php, is spamvertising a 'Regional Associate' money transfer 'mule' job under the 'Career' menu (http://cronof.li/career.php) using a massive spam campaign distributed by a zombie botnet, as the spam source IPs demonstrate, (sample spam on http://www.bobbear.com/cronosinvest.html).
REQUESTED ACTION
1) SWITCH.CH - Would you please suspend the Cronos Investment criminal's domain cronof.li and delete the DNS data for involvement in site theft, copyright abuse, (third party rights infringement), criminal money transfer fraud, spamming and false whois data, all in contravention of international law, your AUP/Registration Agreement and the Swiss anti-spam legislation (April 2007). Thank you. ***Any domain on your database using zombie botnet nameserver ns1.regnewuser.com is a domain registered by this criminal and spammer***
2) SPIRITDOMAINS - Would you please suspend the criminal registered zombie botnet nameserver domain regnewuser.com and delete the DNS data for involvement in site theft, money laundering fraud activity and spamming as detailed on http://www.bobbear.com/cronosinvest.html. This domain was only registered by the criminal on 31-aug-2007 specifically to use in conjunction with his zombie botnet DNS. By definition it cannot host any innocent domains. Thank you.
3) ISPSYSTEM - Would you please disconnect the criminal's zombie botnet hosting ns1.regnewuser.com [82.146.52.103] for site theft, criminal fraud activity and spamming as detailed on http://www.bobbear.com/cronosinvest.html. Thank you.
The data shows a standard zombie botnet where the nameserver ns1.regnewuser.com, hosted by ISPSYSTEM on IP 82.146.52.103, is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list, which are hosting the fraud site on the above domain(s), (as determined by TRACERT).
Please see the irrefutable evidence against these criminal fraudsters and sample spam on website http://www.bobbear.com/cronosinvest.html. Further sample spam available on request.

Please help to fight internet crime, thank you for your co-operation.
Kind regards,
Bob Harrison.
If you have any queries, or if this abuse report has reached you in error, or if you do not wish to receive them, then please contact the sender.

Multiple destination reports may be too much for a busy abuse team to digest, so it may often be better to send a simple, short abuse report to each destination, simply referring the abuse team to the relevant information link on this website for the evidence. For example, here is a report to the Yahoo abuse teams relating to a Melbourne IT (Yahoo as reseller) registered domain hosted by Yahoo:

Hello,
The following MIT/Yahoo registered and Yahoo hosted domain is involved in phishing for personal details, deception, money laundering criminal activity and spamming:

Please would you disable the above criminal domain investsales-promo.us ASAP and ensure the criminal cannot reinstate it, thank you.

All of the information you require can be viewed on the above evidence link, but if you require further information, please do not hesitate to contact me.