How do you report these fraudsters and who to?
1) The fraudsters use 'domains', (e.g. imascammer.com), for their fraudulent websites, and those domains are registered with domain registrars. Most domain registrars these days are honest and ethical and will suspend domains if they are provided with clear & adequate evidence that the domain is being used in a way that contravenes their policies, generally referred to as an Acceptable Use Policy, or AUP.
2) The fraudsters use hosts to host their websites, or, (in the case of a zombie botnet), to host the nameserver that controls the network of zombied computers that actually host the website in rotation. Once again most hosts will cease the hosting if they are provided with clear & adequate evidence that the domain is being used in a way that contravenes their policies.
There are always a few bad apples in the barrel - they can just be unresponsive, unethical or even downright crooked. They are generally noted as such on the individual scam report pages.
So, the general principle is to file an abuse report firstly with the registrar of the criminal's website domain(s) and, in the case of a zombie botnet, with the registrar of the criminal's nameserver domain, (which has to be registered by the criminal himself, as the criminal cannot use a legitimate DNS, (Domain Name System), to control a zombie botnet), and secondly with the host of the website, or in the case of a zombie botnet, with the host of the nameserver which is acting as a botnet controller.
There are many tools on the internet that allow you to find out who a particular domain is registered with, (domain WHOIS data), and also how the domain is hosted and who with, (domain IP address WHOIS data). Here are some examples of useful tools, (if anyone knows of any others, please let me know):
http://www.domaintools.com/services/
http://www.centralops.net/co/
http://www.robtex.com/
http://www.dnsstuff.com
In the case of a normally, (non-botnet), hosted website, the website domain will map to a single IP address, whereas the zombie botnet is a little more complex and is described in general on the General Information page. Basically the DNS data will show the website mapped to a number, (usually 5), of IP addresses, (zombied end user machines), controlled by a single nameserver which selects the zombie site host in rotation.
The Abuse Report
The abuse report itself presents many conflicting and variable requirements which make it virtually impossible to standardise in my experience, especially as abuse teams vary wildly in their comprehension & willingness to help - no two abuse teams are the same. It is possible however to use the previous reports as templates in a sort of rolling development tailored to the abuse team in question, and that is essentially what I do.
As I see it, the guidelines are:
1) The information must be 100% correct and must be based on solid
evidence - abuse teams will quite rightly not consider remedial action
if your report is based on conjecture or is factually incorrect or
evidence is not provided to back up your claims.
2) You must be polite & friendly and never abusive, but you must also be convincing. These requirements can sometimes slightly conflict, (especially if the abuse team involved has no interest in being convinced), but always remember you are trying to solicit their help.
3) Request the correct action in the language the abuse teams
understand and if you can, quote the pertinent sections of their AUP
that are applicable.
4) Abuse teams are busy people - you must present the relevant information in as concise and understandable a form as possible. Once again this is a difficult balance to achieve, and what is a correct balance for one abuse team will not be for another. Some teams are technically astute and others not...
5) Do not include attachments to your abuse reports - they must be in
plain text form only - no HTML.
6) Try to avoid multiple reports for the same incident. Once again this presents a problem, i.e. what do you do if the abuse team concerned does not respond in any way and/or takes no action in a reasonable time scale, say two or three working days? Has your abuse report been blocked by a spam filter? Once again abuse teams vary wildly - some will respond positively and quickly, (say within 24 hours on a working day), & others will not respond at all until you've sent them several criminal fraud reports over a week's period, when they may simply respond to tell you to stop spamming them, which pretty well tells you their position...
Unfortunately, many abuse reporting addresses have spam filtering in place, often with non-delivery returns disabled, so it is not always a good idea to include spam source code in reports of this nature unless requested to do so; instead, state that spam source code is available upon request.
Feel free to comment on the sample abuse report below, but please bear in mind that no two people will ever agree on what constitutes the 'best' abuse report, as I don't think there is any such thing. For instance, some abuse teams simply will not understand the DNS data which is included below, but if you don't include it you will get accused of not providing any evidence of zombie botnet use by the rest that do understand it...
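The DNS pattern described earlier on this page (one resolving nameserver handing out several rotating 'A' records on unrelated networks, plus a second nameserver that never resolves) can be checked mechanically before a report is written, and the result laid out in the plain-text form that guideline 5 asks for. The following Python is an added example written for this page; it is not a tool from the original page or from any of the lookup services listed above. It works offline on constructed lookup results modelled on the cronof.li data quoted in the sample report below (the nameserver names and addresses are the ones quoted there; the single-host control case uses an RFC 5737 documentation address). In practice the input would come from your own repeated DNS queries, and the spread across /16 prefixes is only an indicator: it still needs the RDNS and traceroute confirmation that the sample report relies on.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import Dict, List, Optional

# Constructed observations modelled on the cronof.li data quoted in the
# sample report on this page. A value of None means the nameserver lookup
# timed out (the 'fake' nameserver that never resolves).
SAMPLE_NS_IPS: Dict[str, Optional[str]] = {
    "ns1.regnewuser.com": "82.146.52.103",
    "ns2.regnewuser.com": None,
}

# Each inner list is the 'A' record answer set from one query for the
# website domain; repeated queries are needed to see the rotation.
SAMPLE_LOOKUPS: List[List[str]] = [
    ["121.132.38.188", "76.199.64.140", "80.178.185.74", "86.104.233.124", "90.49.204.40"],
    ["76.199.64.140", "80.178.185.74", "86.104.233.124", "90.49.204.40", "121.132.38.188"],
]

# Constructed control case: a normally hosted site answering with one
# address (RFC 5737 documentation range, not a real host).
SAMPLE_SINGLE_HOST: List[List[str]] = [["203.0.113.10"], ["203.0.113.10"]]


@dataclass
class HostingAssessment:
    distinct_ips: List[str]        # every 'A' record seen, sorted numerically
    distinct_prefixes: int         # how many different /16 networks they fall in
    dead_nameservers: List[str]    # nameservers that never resolved
    pattern: str                   # "single-host" or "rotating-multi-ip"


def assess_hosting(ns_ips: Dict[str, Optional[str]],
                   lookups: List[List[str]],
                   min_ips: int = 3) -> HostingAssessment:
    """Summarise what repeated DNS lookups show about how a domain is hosted.

    A normal site resolves to one address (or a few in one provider block).
    Several addresses scattered over unrelated /16 networks, handed out in
    rotation, is the pattern the page describes for a zombie botnet. It is
    an indicator only: confirm with RDNS and traceroute as the report does.
    """
    ips = sorted({ip for answer in lookups for ip in answer}, key=IPv4Address)
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    dead = sorted(ns for ns, addr in ns_ips.items() if addr is None)
    rotating = len(ips) >= min_ips and len(prefixes) >= min_ips
    return HostingAssessment(ips, len(prefixes), dead,
                             "rotating-multi-ip" if rotating else "single-host")


def format_dns_section(domain: str,
                       ns_ips: Dict[str, Optional[str]],
                       assessment: HostingAssessment) -> str:
    """Render the evidence as plain text (no HTML, no attachments)."""
    col = 36
    lines = [f"DNS Data for {domain}:",
             "Nameserver".ljust(col) + "'A' Records (host IPs)"]
    for ns, addr in ns_ips.items():
        if addr is None:
            lines.append(f"{ns} [unresolved]".ljust(col)
                         + "Timeout - Fake Nameserver (Never Resolves)")
        else:
            # the resolving nameserver is the one serving the rotating list
            lines.append(f"{ns} [{addr}]".ljust(col)
                         + " ".join(assessment.distinct_ips))
    lines.append(f"Pattern: {assessment.pattern} "
                 f"({len(assessment.distinct_ips)} IPs across "
                 f"{assessment.distinct_prefixes} /16 networks)")
    return "\n".join(lines)


if __name__ == "__main__":
    result = assess_hosting(SAMPLE_NS_IPS, SAMPLE_LOOKUPS)
    print(format_dns_section("cronof.li", SAMPLE_NS_IPS, result))
```

The /16 spread is used because a hosting provider hands out addresses from its own blocks, so five addresses in five unrelated /16 networks look more like scattered end-user machines than a server farm. Legitimate round-robin or content-delivery setups can also answer with several addresses, which is why the function only reports a pattern and the RDNS and traceroute steps in the sample report remain the evidence an abuse team will accept.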
However your abuse reports are phrased, be prepared for the occasional
VERY dumb response..... :o)
A typical report from me:
Hello,
This carefully researched report involves site theft, money laundering fraud activity and spamming as evidenced on http://www.bobbear.co.uk/cronosinvest.html & involves the Spiritdomains registered domain REGNEWUSER.COM, Switch.ch registered domain CRONOF.LI and ISPSYSTEM zombie botnet hosting on nameserver IP 82.146.52.103. Spam available upon request.
SUMMARY OF EVIDENCE
Cronos Investment site thief, copyright abuser, spammer and money laundering criminal fraudster, (aka Draper Investment fraudster), using a fake website based on the genuine company http://www.draperco.com/index.html and hosted by a zombie botnet controlled by nameserver ns1.regnewuser.com [82.146.52.103] using domain cronof.li. The criminal fraud website, e.g. http://cronof.li/index.php is spamvertising a 'Regional Associate' money transfer 'mule' job under the 'Career' menu (http://cronof.li/career.php) using a massive spam campaign distributed by a zombie botnet as spam source IPs demonstrate, (Sample spam on http://www.bobbear.co.uk/cronosinvest.html)
REQUESTED ACTION
1) SWITCH.CH - Would you please suspend the Cronos Investment criminal's domain cronof.li and delete the DNS data for involvement in site theft, copyright abuse, (third party rights infringement), criminal money transfer fraud, spamming and false whois data, all in contravention of international law, your AUP/Registration Agreement and the Swiss anti-spam legislation (April 2007). Thank you. ***Any domain on your database using zombie botnet nameserver ns1.regnewuser.com is a domain registered by this criminal and spammer***
2) SPIRITDOMAINS - Would you please suspend the criminal registered zombie botnet nameserver domain regnewuser.com and delete the DNS data for involvement in site theft, money laundering fraud activity and spamming as detailed on http://www.bobbear.co.uk/cronosinvest.html. This domain was only registered by the criminal on 31-aug-2007 specifically to use in conjunction with his zombie botnet DNS. By definition it cannot host any innocent domains. Thank you.
3) ISPSYSTEM - Would you please disconnect the criminal's zombie botnet hosting ns1.regnewuser.com [82.146.52.103] for site theft, criminal fraud activity and spamming as detailed on http://www.bobbear.co.uk/cronosinvest.html. Thank you.
DNS Data for cronof.li:
Botnet Nameserver                       'A' Record (Zombie host IPs)
ns1.regnewuser.com [82.146.52.103]      121.132.38.188 76.199.64.140 80.178.185.74 86.104.233.124 90.49.204.40
ns2.regnewuser.com [208.21.54.48]       Timeout - Fake Nameserver (Never Resolves)
The data shows a standard zombie botnet where the nameserver ns1.regnewuser.com hosted by ISPSYSTEM on IP 82.146.52.103 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site on the above domain(s) (as determined by TRACERT).
Please see the irrefutable evidence against these criminal fraudsters and sample spam on website http://www.bobbear.co.uk/cronosinvest.html. Further sample spam available on request.
Please help to fight internet crime, thank you for your co-operation.
Kind regards,
Bob Harrison.
If you have any queries, or if this abuse report has reached you in error, or if you do not wish to receive them, then please contact the sender.