This page tells you how to report a criminal fraudster's website hosting and his domain registration. To report the fraud itself see these Law Enforcement Links. If you have received a fraud spam, please send me a copy via the Send Us a Scam Spam! link.
How do you report these fraudsters, and who to?
1) The fraudsters use 'domains' (e.g. imascammer.com) for their fraudulent websites. These are registered with domain registrars, and most domain registrars these days are honest and ethical and will suspend a domain if they are provided with clear and adequate evidence that it is being used in a way that contravenes their policies, generally referred to as an Acceptable Use Policy, or AUP.
2) The fraudsters use hosts to host their websites, or, in the case of a zombie botnet, to host the nameserver that controls the network of zombied computers that actually host the website in rotation. Once again, most hosts will cease the hosting if they are provided with clear and adequate evidence that the domain is being used in a way that contravenes their policies.
There are always a few bad apples in the barrel - they can just be unresponsive, unethical or even downright crooked. They are generally noted as such on the individual scam report pages.
So, the general principle is to file an abuse report with the registrar of the criminal's website domain(s) and, in the case of a zombie botnet, with the registrar of the criminal's nameserver domain as well (this nameserver domain has to be registered by the criminal, since the criminal cannot use a legitimate DNS (Domain Name System) service to control a zombie botnet). Also file with the host of the website, or, in the case of a zombie botnet, with the host of the nameserver which is acting as the botnet controller.
There are many tools on the internet that allow you to find out who a particular domain is registered with (domain WHOIS data), and also how the domain is hosted and who with (domain IP address WHOIS data). Here are some examples of useful tools (if anyone knows of any others, please let me know):
In the case of a normally (non-botnet) hosted website, the website domain will generally map to a single IP address, whereas the zombie botnet is a little more complex and is described in general on the General Information page. Basically, the DNS data will show the website domain mapped to a number (anything from 1 upwards, usually 1, 5 or 7) of IP addresses (zombied end-user machines), controlled by a single nameserver which selects the zombie site host in rotation.
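As an added example (not a tool from this page), the following Python applies the principle above to constructed lookup data: it tells a single-host site apart from the multi-IP, single-nameserver pattern and lists which registrar(s) and host the abuse report should go to. Every domain, nameserver, IP and organisation in it is hypothetical, standing in for real WHOIS, DNS and IP WHOIS results.

```python
import ipaddress
from collections import Counter

# Constructed stand-ins for domain WHOIS, DNS and IP WHOIS lookups (all hypothetical).
SAMPLE_DNS = {
    "fraudsite.example": {"registrar": "Registrar A", "ns": "ns1.badns.example",
                          "a": ["192.0.2.17", "198.51.100.44", "203.0.113.9",
                                "192.0.2.200", "198.51.100.7"]},
    "shop.example": {"registrar": "Registrar B", "ns": "ns1.goodhost.example",
                     "a": ["203.0.113.50"]},
}
SAMPLE_NS_IP = {"ns1.badns.example": "203.0.113.250",
                "ns1.goodhost.example": "203.0.113.51"}
SAMPLE_NS_REGISTRAR = {"badns.example": "Registrar C", "goodhost.example": "Registrar B"}
SAMPLE_NETBLOCKS = {  # IP WHOIS: netblock -> organisation responsible for it
    "192.0.2.0/24": "Broadband ISP 1", "198.51.100.0/24": "Broadband ISP 2",
    "203.0.113.0/25": "Hosting Co 1", "203.0.113.128/25": "Hosting Co 2",
}

def owner_of(ip):
    """Return the organisation responsible for the netblock containing ip."""
    addr = ipaddress.ip_address(ip)
    for block, org in SAMPLE_NETBLOCKS.items():
        if addr in ipaddress.ip_network(block):
            return org
    return "unknown"

def parent_domain(host):
    """ns1.badns.example -> badns.example (the registered domain of the host)."""
    return ".".join(host.split(".")[-2:])

def classify(domain, dns=SAMPLE_DNS, ns_ip=SAMPLE_NS_IP, ns_reg=SAMPLE_NS_REGISTRAR):
    """Decide single-host vs zombie botnet pattern and list who to report to."""
    rec = dns[domain]
    networks = Counter(owner_of(ip) for ip in rec["a"])
    # Page's rule of thumb: a normal site maps to one IP; a zombie botnet maps
    # to several IPs spread over different (end-user) networks under one nameserver.
    botnet = len(rec["a"]) > 1 and len(networks) > 1
    report_to = [("registrar of website domain " + domain, rec["registrar"])]
    if botnet:
        ns = rec["ns"]
        report_to.append(("registrar of nameserver domain " + parent_domain(ns),
                          ns_reg[parent_domain(ns)]))
        report_to.append(("host of nameserver " + ns, owner_of(ns_ip[ns])))
    else:
        report_to.append(("host of website IP " + rec["a"][0], owner_of(rec["a"][0])))
    return {"pattern": "zombie botnet" if botnet else "single host",
            "ip_count": len(rec["a"]), "networks": dict(networks),
            "report_to": report_to}
```

With real data, the botnet case would normally also show the A record IPs reverse-resolving to consumer broadband hostnames, which is the RDNS check the sample report below relies on.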
The Abuse Report
The abuse report itself presents many conflicting and variable requirements which make it virtually impossible to standardise, in my experience, especially as abuse teams vary wildly in their comprehension and willingness to help - no two abuse teams are the same. It is possible, however, to use the previous reports as templates in a sort of rolling development tailored to the abuse team in question, and that is essentially what I do.
As I see it, the guidelines are:
1) The information must be 100% correct and must be based on solid evidence. Abuse teams will quite rightly not consider remedial action if your report is based on conjecture, is factually incorrect, or is not backed up by evidence.
2) You must be polite and friendly and never abusive, but you must also be convincing. These requirements can sometimes slightly conflict (especially if the abuse team involved has no interest in being convinced), but always remember you are trying to solicit their help.
3) Request the correct action in the language the abuse teams understand and, if you can, quote the pertinent sections of their AUP that are applicable.
4) Abuse teams are busy people - you must present the relevant information in as concise and understandable a form as possible. Once again this is a difficult balance to achieve, and what is a correct balance for one abuse team will not be for another. Some teams are technically astute and others not.
5) Do not include attachments in your abuse reports. They must be in plain text form only - no HTML.
6) Try to avoid multiple reports for the same incident. Once again this presents a problem: what do you do if the abuse team concerned does not respond in any way and/or takes no action in a reasonable time scale, say two or three working days? Has your abuse report been blocked by a spam filter? Once again abuse teams vary wildly - some will respond positively and quickly (say within 24 hours on a working day), and others will not respond at all until you've sent them several criminal fraud reports over a week's period, when they may simply respond to tell you to stop spamming them, which pretty well tells you their position.
Unfortunately, many abuse reporting addresses have spam filtering in place, often with non-delivery returns disabled, so it is not always a good idea to include spam source code in reports of this nature unless requested to do so; instead, state that spam source code is available upon request.
Feel free to comment on the sample abuse reports below, but please bear in mind that no two people will ever agree on what constitutes the 'best' abuse report, as I don't think there is any such thing. For instance, some abuse teams simply will not understand the DNS data which is included below, but if you don't include it you will get accused of not providing any evidence of zombie botnet use by the rest that do understand it.
However your abuse reports are phrased, be prepared for the occasional VERY dumb response. :o)
Some suggested reports; first, a detailed multiple destination report:
Hello,
This carefully researched report involves site theft, money laundering fraud activity and spamming as evidenced on http://www.bobbear.co.uk/cronosinvest.html and involves the Spiritdomains registered domain REGNEWUSER.COM, the Switch.ch registered domain CRONOF.LI and ISPSYSTEM zombie botnet hosting on nameserver IP 82.146.52.103. Spam available upon request.
SUMMARY OF EVIDENCE
Cronos Investment site thief, copyright abuser, spammer and money laundering criminal fraudster (aka Draper Investment fraudster), using a fake website based on the genuine company http://www.draperco.com/index.html and hosted by a zombie botnet controlled by nameserver ns1.regnewuser.com [82.146.52.103] using domain cronof.li. The criminal fraud website, e.g. http://cronof.li/index.php, is spamvertising a 'Regional Associate' money transfer 'mule' job under the 'Career' menu (http://cronof.li/career.php) using a massive spam campaign distributed by a zombie botnet, as the spam source IPs demonstrate (sample spam on http://www.bobbear.co.uk/cronosinvest.html).
REQUESTED ACTION
1) SWITCH.CH - Would you please suspend the Cronos Investment criminal's domain cronof.li and delete the DNS data for involvement in site theft, copyright abuse (third party rights infringement), criminal money transfer fraud, spamming and false whois data, all in contravention of international law, your AUP/Registration Agreement and the Swiss anti-spam legislation (April 2007). Thank you. ***Any domain on your database using zombie botnet nameserver ns1.regnewuser.com is a domain registered by this criminal and spammer***
2) SPIRITDOMAINS - Would you please suspend the criminal registered zombie botnet nameserver domain regnewuser.com and delete the DNS data for involvement in site theft, money laundering fraud activity and spamming as detailed on http://www.bobbear.co.uk/cronosinvest.html. This domain was only registered by the criminal on 31-aug-2007 specifically to use in conjunction with his zombie botnet DNS. By definition it cannot host any innocent domains. Thank you.
3) ISPSYSTEM - Would you please disconnect the criminal's zombie botnet hosting ns1.regnewuser.com [82.146.52.103] for site theft, criminal fraud activity and spamming as detailed on http://www.bobbear.co.uk/cronosinvest.html. Thank you.
The data shows a standard zombie botnet where the nameserver ns1.regnewuser.com, hosted by ISPSYSTEM on IP 82.146.52.103, is acting as a zombie botnet controller 'herding' the rotating zombies (as determined by RDNS) in the 'A' records list, which are hosting the fraud site on the above domain(s) (as determined by TRACERT).
Please see the irrefutable evidence against these criminal fraudsters and sample spam on website http://www.bobbear.co.uk/cronosinvest.html. Further sample spam available on request.
Please help to fight internet crime; thank you for your co-operation.
Kind regards,
Bob Harrison.
If you have any queries, or if this abuse report has reached you in error, or if you do not wish to receive them, then please contact the sender.
Multiple destination reports may be too much for a busy abuse team to digest, so it may often be better to send a simple short abuse report to each destination, simply referring the abuse team for evidence to the relevant information link on this website. For example, here is a report to the Yahoo abuse teams relating to a Melbourne IT (Yahoo as reseller) registered domain hosted by Yahoo:
Hello,
The following MIT/Yahoo registered and Yahoo hosted domain is involved in phishing for personal details, deception, money laundering criminal activity and spamming:
Please would you disable the above criminal domain investsales-promo.us ASAP and ensure the criminal cannot reinstate it, thank you.
All of the information you require can be viewed on the above evidence link, but if you require further information, please do not hesitate to contact me.