Newman, Esmond & Eisenberg Fraud

This Newman, Esmond & Eisenberg LLP fraud uses a website stolen from the genuine company Neal, Gerber & Eisenberg LLP, a Chicago-based law firm. This fraud is just the latest in a long line that has recently included Harvey Investment, Draper Investment, Sydney Car Centre, Cronos Investment and lastly the Waller Truck Co. fraud, to name but five. Its sole purpose is to lend a glossy legitimacy to a fraud website (stolen from a genuine company) that hosts a money laundering mule job. The job is heavily spamvertised by highly characteristic spams that contain the same Bayesian avoidance 'white text' code as all the other frauds mentioned, along with the current and past runs of 'Rockphish' phishing spams.

A Google search for Newman, Esmond & Eisenberg LLP only throws up hits for this criminal's numerous different fraud domains, (usually suspended), and listings from various anti-fraud & anti-spam sites. However, the fraudulent company Newman, Esmond & Eisenberg should not be confused with any possible similarly named companies.

The Newman, Esmond & Eisenberg LLP fraud website is currently hosted by a zombie botnet in exactly the same manner as all the previous aliases mentioned above.

If you've either received an active website link in a spam, or know of an active domain and it is not listed in the domain tables below, then please let us know by reporting it using the 'Report Active Domain' option in the title bar above.

Current Zombie Botnet Controller Hosts

***No Host*** - ns1.book-xm.com []

***No Host*** - ns1.uneedmc.com [] - Notified

***No Host*** - ns1.bonoxc.com [] - Notified

Netrouting Data Facilities/grafix.nl - ns1.iwarzone.com [194.110.67.169]

***No Host*** - ns1.walillc.com [] - Notified


The above table shows the current providers of hosting services to the criminals and how long they have been providing them for. The decent ethical majority of service providers, (all credit to them - they are a pleasure to deal with), act within 1-24 hours of being informed of the criminal abuse of their system, (the best in less than 1 hour), but there are unfortunately some that, for whatever reason, do not.

Misc. Other Hosts

Turktelekom - 212.174.25.241

JSC "EnginiaSystem" Network - 81.9.106.17

JSC Electrosvyaz of Buryatia Republic (burnet.ru) - 212.0.85.6

NETVIGATOR (PCCW Limited) - ns2.newmanesrg.org [219.76.235.93]

Entel Chile - ns1.newmanesrg.org [200.72.139.67] and ns1.newmanesrg.com [200.72.139.67]

Sripatum University/KSC Commercial Internet Co. Ltd - ns2.newmanesrg.com [202.44.71.148]


Orange Nederland Breedband B.V. -  85.150.209.34


If you are an abuse team that has taken action, please let me know so that I can update the current status by removing the record.

Newman, Esmond & Eisenberg : Evidence of Criminal Fraud

i) The criminal fraudsters have stolen the website of the genuine Neal, Gerber & Eisenberg LLP as detailed above - this fraud is exactly the same as his Harvey Investment, Draper Investment, Cronos Investment frauds etc with a new company as the victim.

ii) The bogus websites are zombie botnet hosted as demonstrated by the DNS data below and the nameserver ns1.biosigndata.com was also used by the Adamant Global Fraud.

iii)  The criminal's spams, (example below), contain the illegal clear money mule function of accepting payments into a private bank account and transferring them back out to the criminals less 10% via Moneygram or Western Union.

iv) The Newman, Esmond & Eisenberg website contains the usual smokescreen of bogus jobs but among them is the following part-time, working from home, clear money mule function advertised as "Customer Service Associate":

Customer service associate

This is a part time job position, that enquires 1-2 hours a day to be dealt with. The candidate will be responsible for dealing with the customer payments in his local area, this will include: monitoring the payments to arrive on his banking account, making calculations regarding each payment, transmitting the payments further to the regional business partners, associates and branches by the means of Western Union or Money Gram services and being in an interactive communication with the headquaters continiously.

The successful applicant will have computer literacy coupled with the ability to communicate at a good level and will enjoy being flexible, enthsiastic and driven.

The applicant can expect a part-time working agreement to be signed up after the trial period is over. The employee is paid on a regular basis in the end of every month, as well as he gets a 10% commission out of each customer payment he has dealt with.

The main aim of the role is to attract new customers by offering them the high-speed delivery of their orders and to fasten customer payment delivery by prompt collection of their payments.

Notice the usual illiterate "fasten customer payment" which appears in numerous other scams from this fraudster.

v) On their bogus website they claim: "Today, Newman Esmond Eisenberg is a firm of over 200 attorneys spanning 22 practice groups". A Google search for "Newman, Esmond & Eisenberg" throws up zero hits as a genuine company, although there are many suspended domains and fraud website listings.

vi) All of the criminal's domains were registered with different registrars in the last few days.

vii) Domains have totally different bogus whois data although they are used for the same fraud website.

viii) The Newman, Esmond & Eisenberg spam contains forged header information and the usual Bayesian filter avoidance 'white text' code that irrefutably link it to the Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and all this criminal's many other aliases along with the 'rockphish' phishing criminals.

ix) The criminal's prolific spam is zombie botnet distributed, as is easily demonstrated by the source IPs.

x) The criminal's spams are all signed by different random names - they appear to have an infinite number of fake 'employees'.

The above evidence clearly demonstrates beyond any doubt that this stolen Newman, Esmond & Eisenberg website has been set up by money laundering and phishing criminals purely for the purpose of spamvertising an illegal money laundering 'mule' job and is undoubtedly just a stolen copy of the genuine Neal, Gerber & Eisenberg LLP site and is directly related to Cronos Investment, Draper Investment, Harvey Investment, Adamant Global, Sydney Car Centre and the rest of the money laundering/phishing criminal fraudsters' aliases documented here. If you are an abuse team that has received an abuse report regarding these fraudsters, please consider immediate termination of their services in view of the absolutely undeniable evidence of site theft, copyright offences, criminal money laundering activity and spamming - please don't delay - these criminals will not respond to any communication from you, (all their whois data is false), but will simply take advantage of any attempt at communication as a delaying tactic to allow them time to carry on their criminal activity and prepare their next network.

Do not be misled - these are professional criminals with a long history of fraud as detailed on the General Information page and are the same criminals as the 'rockphish' phishing fraudsters, so if a host or registrar shelters these crooks then they are also sheltering the 'rockphish' phishing fraudsters and aiding and abetting their criminal 'phishing' fraud activities.

Newman, Esmond & Eisenberg Fraudsters - current hosting details.

Current Main Domains, Hosts and Registrars

Domain - Registrar - Host IP Network / Botnet Nameserver Host - Host IP / Botnet Nameserver IP

nee.com.ua - Imena.ua (Internet Invest Ltd) (03-Mar-2008) - (ns1.bonoxc.com)
newmanesrg.org - Imena.ua (Internet Invest Ltd) (29-Mar-2008) - Orange Nederland Breedband B.V. - 85.150.209.34
newmanesrg.com - Imena.ua (Internet Invest Ltd) (29-Mar-2008) - Orange Nederland Breedband B.V. - 85.150.209.34
nem.kg - Domain.kg (10-Mar-2008) - (ns1.bonoxc.com)
nwa.kg - Domain.kg (11-Mar-2008) - (ns1.uneedmc.com)

See table below for the full list of known active & suspended main domains used by this criminal.

Current Zombie Botnet Nameserver Domains and Registrars

iwarzone.com (Spiritdomains/IA Registry - 28-Mar-2008)
bonoxc.com (REGISTER.COM, INC. - 28-Mar-2008)
walillc.com (INTERNET INVEST, INC. DBA IMENA.UA - 29-Mar-2008)
uneedmc.com (REGISTER.COM, INC. - 03-Apr-2008)
callsroar.com (Spiritdomains/IA Registry - 03-Apr-2008)
book-xm.com (REGISTER.COM, INC. - 07-Apr-2008)



List of all known domains used by the Newman, Esmond & Eisenberg Fraudsters 


Please notify me of any errors or domains not listed here.

Notes for Registrars

i) The Newman, Esmond & Eisenberg criminal uses his own nameserver domains to control his zombie botnets or provide his DNS. By definition there can be no legitimate domains using his dedicated botnet nameservers, and his conventional nameserver domains are always very recently registered. This provides an ideal database search option for you to identify and delete all of this criminal's fraud domains without any risk of hurting an innocent domain. All of the criminal's botnet nameservers are: ns1.mmbopc.com, ns1.iwarzone.com, ns1.bonoxc.com, ns1.walillc.com, ns1.uneedmc.com, ns1.callsroar.com, ns1.book-xm.com.

ii) The criminal's domains have different false whois registration data.

iii) The criminal will not respond to your challenge but will use the notice to prepare a new network - immediate suspension is preferred, please.

The Spam Content

The Newman, Esmond & Eisenberg spam headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Received' lines. The subject lines vary & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding them on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will probably feel the full weight of the law while the remote money launderers are safe. The bogus or stolen funds in the mule's account may well also be recovered, leaving them with large losses.

This is the content of an actual Newman, Esmond & Eisenberg scam spam:

Newman, Esmond, & Eisenberg LLP is a Berne-based law firm providing legal services to a diverse group of clients in a wide array of domestic and global business transactions and litigation matters. Our clients include privately and publicly held companies, financial institutions, not-for-profit organizations and high net worth individuals. Our client base reflects virtually every business industry, including a number of Fortune 100 companies.
Our company has a current opening for a part-time position of a Customer Service Associate. Join a team of professionals dedicated to the international growth, brand recognition, and successful partnering with clients to achieve exceptional expansion.
This is a part time job position, that enquires 1-2 hours a day to be dealt with. The candidate will be responsible for dealing with the customer payments in his local area; this will include: monitoring the payments to arrive on his banking account, making calculations regarding each payment, transmitting the payments further to the regional business partners, associates and branches by the means of Western Union or Money Gram services and being in an interactive communication with the headquaters continiously.

The successful applicant will have computer literacy coupled with the ability to communicate at a good level and will enjoy being flexible, enthsiastic and driven.

The applicant can expect a part-time working agreement to be signed up after the trial period is over. The employee is paid on a regular basis in the end of every month, as well as he gets a 10% commission out of each customer payment he has dealt with.

The main aim of the role is to attract new customers by offering them the high-speed delivery of their orders and to fasten customer payment delivery by prompt collection of their payments.

In NEE LLP we believe, that career is more than a job. It's about skills training. Competitive salaries. Flexible scheduling. Comprehensive benefits. Job satisfaction. At NEE LLP, we offer all this and more. Because we want to help you enjoy your work… and your life.
If you feel interested in a position, please visit our web-site to apply now!
If you have any questions, please do not hesitate to contact us.
Please consider, this is not a spam distribution. Your contact details were kindly put into our disposal by our partners: www.monster.com and www.careerbuilder.com.

We are looking to hearing from you asap,
Yours sincerely, Jayson Sanders

Y0FJ: 0x1, 0x178 9RL include common R1ZN. common: 0x153, 0x83847804, 0x3660, 0x22182772, 0x68051594, 0x89, 0x42, 0x394 common: 0x1174, 0x8 0x699, 0x6448, 0x64396745, 0x79635685, 0x6, 0x3, 0x148, 0x2979, 0x975 0x7 0x68627784, 0x47630693, 0x354, 0x0968, 0x37454999, 0x233, 0x62, 0x5, 0x8538, 0x3736 0x11138772, 0x1327, 0x23408161 0x303

rev: 0x2829, 0x74, 0x64792192, 0x197, 0x123, 0x2672, 0x36, 0x11, 0x99, 0x6, 0x02 0x68, 0x9, 0x40, 0x3, 0x9030, 0x51, 0x996, 0x65, 0x472, 0x59766137, 0x14, 0x3392 0x35, 0x38885054, 0x48, 0x7230, 0x9, 0x2361, 0x9289, 0x5331, 0x45, 0x2, 0x43, 0x8, 0x28 serv define CF4 0x61, 0x18, 0x336, 0x7425, 0x376, 0x62, 0x0, 0x0671 78Q: 0x3913, 0x38434472, 0x7995, 0x6, 0x2 TNQR, start, hex, file, B8VG, P2VX. 0x98963735, 0x180, 0x61, 0x05, 0x71, 0x6, 0x34232468, 0x9, 0x196, 0x1503 0x1, 0x42, 0x4598, 0x1936, 0x10, 0x1, 0x397, 0x121, 0x533, 0x92286802 rcs: 0x3, 0x5396, 0x6, 0x6, 0x299, 0x997, 0x648, 0x7, 0x94, 0x5, 0x817, 0x810, 0x3030, 0x43134203

0x841, 0x5, 0x41760438, 0x85, 0x6149, 0x92704866, 0x11, 0x16931340, 0x60 start: 0x393, 0x819, 0x2, 0x452, 0x525 0x52, 0x69, 0x42, 0x3331, 0x2 0x35, 0x4, 0x89 4X8 exe BYXT DB8 root G9QE 8128 VUT. 0x945, 0x69255826, 0x6, 0x3194, 0x22375866, 0x200, 0x66, 0x3227, 0x1743 start: 0x226, 0x963, 0x2, 0x33774359, 0x98, 0x193 0x4395, 0x78, 0x99, 0x96099212, 0x4, 0x28999236, 0x569, 0x23, 0x2, 0x6028, 0x4, 0x7822 8HR4 ISC8 1IG exe rev: 0x7987, 0x314, 0x00589904, 0x9834, 0x4, 0x69, 0x434, 0x52, 0x48, 0x5993, 0x65995681, 0x14

Note the usual Bayesian filter avoidance 'code', commonly used by these criminals and the 'rockphish' scammers alike. It's normally in 'whitetext' so it's invisible, but here I've greyed it in.


The Zombie Botnet DNS Data

(Valid for neegl.org, neesei.net, neemi.tl and eisllpc.tl)

How I am searching:

Searching for neegl.org A record at m.root-servers.net [202.12.27.33]: Got referral to C0.ORG.AFILIAS-NST.INFO. (zone: org.) [took 139 ms]
Searching for neegl.org A record at C0.ORG.AFILIAS-NST.INFO. [199.19.53.1]: Got referral to ns2.biosigndata.com. (zone: neegl.org.) [took 67 ms]
Searching for neegl.org A record at ns2.biosigndata.com. [212.78.44.91]: Timed out. Trying again.
Searching for neegl.org A record at ns2.biosigndata.com. [212.78.44.91]: Timed out. Trying again.
Searching for neegl.org A record at ns1.biosigndata.com. [194.169.192.131]: Reports neegl.org. [took 138 ms] Response:
Domain Type Class TTL Answer
neegl.org. A IN 1800 89.136.146.112
neegl.org. A IN 1800 89.178.108.90
neegl.org. A IN 1800 91.196.44.203
neegl.org. A IN 1800 79.114.92.75
neegl.org. A IN 1800 82.37.145.218
neegl.org. A IN 1800 86.123.247.45
neegl.org. A IN 1800 89.33.91.15
neegl.org. NS IN 1800 ns2.biosigndata.com.
neegl.org. NS IN 1800 ns1.biosigndata.com.
ns1.biosigndata.com. A IN 1800 194.169.192.131
ns2.biosigndata.com. A IN 1800 212.78.44.91

Looking up at the 2 neegl.org. parent servers:

Zombie Botnet Nameserver - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.biosigndata.com [194.169.192.131] - 79.114.92.75 82.37.145.218 86.123.247.45 89.136.146.112 89.178.108.90 89.33.91.15 91.196.44.203
ns2.biosigndata.com [212.78.44.91] - Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.biosigndata.com hosted by Funke Internet Services Ltd. on IP 194.169.192.131 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of criminal fraud is undeniable. I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving an abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.

Blocking The spam

I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however & that can be used to detect them.
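Body matching of the kind this section recommends, written outside Outlook Express as an added example (not the site author's code). It looks for the firm name as punctuated in the spam body quoted earlier on this page, tolerating line wraps and HTML markup, and goes one step further by measuring how much of the body is `0x...` filler of the kind shown in the spam's trailer. The sample messages, the `example.test` address, the "Harbour Example Ltd" name and the 0.2 threshold are constructed assumptions.

```python
import html
import re
from email import message_from_string

PHRASE = "Newman, Esmond, & Eisenberg"       # firm name as written in the spam body
HEX_TOKEN = re.compile(r"^0x[0-9a-fA-F]+[,.]?$")
HEX_RATIO_THRESHOLD = 0.2                     # assumption; tune on your own mail

# Constructed sample: made-up headers around a short excerpt of the spam body and
# noise trailer quoted on this page. The phrase is wrapped across two lines and the
# trailer is wrapped in white-text markup, as the page describes.
SPAM = """\
From: "Jayson Sanders" <hr@example.test>
Subject: Part-time position
Content-Type: text/html; charset="utf-8"

<html><body><p>Newman, Esmond,
&amp; Eisenberg LLP is a Berne-based law firm providing legal services.</p>
<p>Our company has a current opening for a Customer Service Associate.</p>
<font color="#ffffff">rev: 0x2829, 0x74, 0x64792192, 0x197, 0x123, 0x2672, 0x36
start: 0x393, 0x819, 0x2, 0x452, 0x525 0x52, 0x69, 0x42, 0x3331, 0x2</font>
</body></html>
"""

# Constructed: same filler under a different (invented) company name.
REBRAND = """\
From: jobs@example.test
Subject: Vacancy

Harbour Example Ltd has a part-time opening.

rev: 0x2829, 0x74, 0x64792192, 0x197
start: 0x393, 0x819, 0x2, 0x452
"""

# Constructed: legitimate mail that happens to contain one hex value.
HAM = """\
From: colleague@example.test
Subject: Build failure

Hi team, the installer failed with error 0x80070005 after last night's update.
Can someone check the build server logs?
"""


def body_text(raw):
    """Return the text of every text/* part, with HTML tags stripped."""
    chunks = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_subtype() == "html":
            text = html.unescape(re.sub(r"<[^>]+>", " ", text))
        chunks.append(text)
    return "\n".join(chunks)


def normalise(text):
    """Collapse whitespace and case so wraps and spacing tricks do not matter."""
    return re.sub(r"\s+", " ", text).strip().lower()


def hex_noise_ratio(text):
    """Fraction of whitespace-separated tokens that are bare 0x... values."""
    tokens = text.split()
    if not tokens:
        return 0.0
    return sum(1 for t in tokens if HEX_TOKEN.match(t)) / len(tokens)


def classify(raw):
    """Ignore headers entirely (they are forged) and judge the body only."""
    text = body_text(raw)
    phrase = normalise(PHRASE) in normalise(text)
    ratio = hex_noise_ratio(text)
    if phrase:
        verdict = "delete"
    elif ratio >= HEX_RATIO_THRESHOLD:
        verdict = "review"
    else:
        verdict = "keep"
    return {"phrase": phrase, "hex_ratio": round(ratio, 2), "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("REBRAND", REBRAND), ("HAM", HAM)):
        print(name, classify(raw))
```

A literal substring test misses the wrapped phrase in `SPAM`; the normalised comparison does not, and the filler ratio still flags the message when the company name changes.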

Use the rule "Where the message body contains specific words" and use "Newman, Esmond, & Eisenberg" as the search item, then choose 'delete' (or whatever action you prefer) as the action; that will definitely detect every single one of these spams.

Fraud Blog Initial entry 21st. February 2008

***Latest News*** - 23rd. February 2008

The criminal has had his nameserver domain suspended by Spiritdomains. His new one is TOTDCOM.COM. His botnet is still located on the Funke Internet Services Ltd. IP 194.169.192.131. They have not responded to an abuse report.

DNS Data (neegl.org, neesei.net, neemi.tl, eisllpc.tl, neei.la)
How I am searching:

Searching for neei.la A record at e.root-servers.net [192.203.230.10]: Got referral to NS0.CENTRALNIC.NET. (zone: la.)
Searching for neei.la A record at NS0.CENTRALNIC.NET. [213.146.149.169]: Got referral to ns1.totdcom.com. (zone: neei.la.)
Searching for neei.la A record at ns1.totdcom.com. [194.169.192.131]: Reports neei.la. Response:
Domain Type Class TTL Answer
neei.la. A IN 1800 89.137.200.165
neei.la. A IN 1800 62.231.91.77
neei.la. A IN 1800 79.114.90.75
neei.la. A IN 1800 79.114.221.130
neei.la. A IN 1800 82.79.233.221
neei.la. A IN 1800 84.108.239.70
neei.la. A IN 1800 89.43.205.130
neei.la. NS IN 1800 ns2.totdcom.com.
neei.la. NS IN 1800 ns1.totdcom.com.
ns1.totdcom.com. A IN 1800 194.169.192.131
ns2.totdcom.com. A IN 1800 67.74.18.77

Looking up at the 2 neei.la. parent servers:

Zombie Botnet Nameserver - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.totdcom.com [194.169.192.131] - 62.231.91.77 79.114.221.130 79.114.90.75 82.79.233.221 84.108.239.70 89.137.200.165 89.43.205.130
ns2.totdcom.com [67.74.18.77] - Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.totdcom.com hosted by Funke Internet Services Ltd. on IP 194.169.192.131 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
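The comparison made by eye between the neegl.org and neei.la lookups can be done mechanically. The following is an added example, not the site author's tooling: it parses rows in the "Domain Type Class TTL Answer" layout shown above, summarises how widely each domain's A records are spread, and reports any nameserver IP that serves more than one nameserver domain. The thresholds in `looks_botnet_hosted` and the last-two-labels comparison of nameserver domains are assumptions.

```python
import ipaddress
from collections import defaultdict

# Answer rows copied from the neegl.org and neei.la lookups shown above.
LOOKUPS = """\
Domain Type Class TTL Answer
neegl.org. A IN 1800 89.136.146.112
neegl.org. A IN 1800 89.178.108.90
neegl.org. A IN 1800 91.196.44.203
neegl.org. A IN 1800 79.114.92.75
neegl.org. A IN 1800 82.37.145.218
neegl.org. A IN 1800 86.123.247.45
neegl.org. A IN 1800 89.33.91.15
neegl.org. NS IN 1800 ns2.biosigndata.com.
neegl.org. NS IN 1800 ns1.biosigndata.com.
ns1.biosigndata.com. A IN 1800 194.169.192.131
ns2.biosigndata.com. A IN 1800 212.78.44.91
neei.la. A IN 1800 89.137.200.165
neei.la. A IN 1800 62.231.91.77
neei.la. A IN 1800 79.114.90.75
neei.la. A IN 1800 79.114.221.130
neei.la. A IN 1800 82.79.233.221
neei.la. A IN 1800 84.108.239.70
neei.la. A IN 1800 89.43.205.130
neei.la. NS IN 1800 ns2.totdcom.com.
neei.la. NS IN 1800 ns1.totdcom.com.
ns1.totdcom.com. A IN 1800 194.169.192.131
ns2.totdcom.com. A IN 1800 67.74.18.77
"""


def parse_rows(text):
    """Parse 'name type class ttl answer' rows; the header and stray lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2].upper() != "IN" or not parts[3].isdigit():
            continue
        name, rtype, _cls, ttl, answer = parts
        rows.append((name.rstrip(".").lower(), rtype.upper(), int(ttl),
                     answer.rstrip(".").lower()))
    return rows


def profile(rows, domain):
    """Summarise one domain: A-record spread, TTL, and its nameservers' addresses."""
    domain = domain.rstrip(".").lower()
    a_rows = [r for r in rows if r[0] == domain and r[1] == "A"]
    ns_hosts = sorted(r[3] for r in rows if r[0] == domain and r[1] == "NS")
    glue = {r[0]: r[3] for r in rows if r[1] == "A" and r[0] in ns_hosts}
    nets = {str(ipaddress.ip_network(r[3] + "/16", strict=False)) for r in a_rows}
    return {
        "domain": domain,
        "a_count": len(a_rows),
        "distinct_slash16": len(nets),
        "max_ttl": max((r[2] for r in a_rows), default=None),
        "nameservers": {h: glue.get(h) for h in ns_hosts},
    }


def looks_botnet_hosted(p, min_a=5, min_nets=4, max_ttl=3600):
    """Heuristic only; the three thresholds are assumptions, not values from the page."""
    return (p["a_count"] >= min_a and p["distinct_slash16"] >= min_nets
            and p["max_ttl"] is not None and p["max_ttl"] <= max_ttl)


def shared_controllers(rows, domains):
    """Map nameserver IP -> nameserver hosts, keeping only IPs that serve more than
    one nameserver domain (naive comparison of the last two labels)."""
    by_ip = defaultdict(set)
    for d in domains:
        for host, ip in profile(rows, d)["nameservers"].items():
            if ip:
                by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()
            if len({".".join(h.split(".")[-2:]) for h in hosts}) > 1}


if __name__ == "__main__":
    rows = parse_rows(LOOKUPS)
    for d in ("neegl.org", "neei.la"):
        p = profile(rows, d)
        print(d, p["a_count"], "A records in", p["distinct_slash16"], "/16 networks,",
              "flagged" if looks_botnet_hosted(p) else "not flagged")
    print(shared_controllers(rows, ["neegl.org", "neei.la"]))
```

Run on the two lookups, the only shared address is 194.169.192.131, behind both ns1.biosigndata.com and ns1.totdcom.com, which is the link the entry above draws between the old and new nameserver domains.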


***Latest News*** - 25th. February 2008
Information supplied by site contact -

The criminal has already had his nameserver domain totdcom.com suspended by Spiritdomains and is now using a new one - my-cpm.com registered with Register.com.
DNS data:
(neegl.org, neemi.tl, eisllpc.tl)

Looking up at the 2 neegl.org. parent servers:

Server - Response
ns1.my-cpm.com [194.169.192.131] - 77.126.41.91 79.114.250.222 80.133.221.117 81.172.112.113 83.11.29.2 83.138.225.37 86.124.1.207
ns2.my-cpm.com [67.74.57.11] - Timeout

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.my-cpm.com hosted by Funke Internet Services Ltd. on IP 194.169.192.131, (notified of abuse 22nd. Feb - no response to date), is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The criminal has also drafted into service his zombie botnets that he used for his Waller Truck fraud using nameserver domains regtoo.com and iprintworld.com along with new main domains neegl.com (Spiritdomains, ns1.iprintworld.com), neellp.com (Spiritdomains, ns1.regtoo.com), and neellp.net (Spiritdomains, ns1.regtoo.com). Both zombie botnets are hosted on a SoftLayer Technologies Inc. (vpswelcome.com) IP (74.86.253.100).

DNS Data: (neegl.com)
Looking up at the 2 neegl.com. parent servers:


Zombie Botnet Nameserver - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.iprintworld.com [74.86.253.100] - 80.133.221.117 83.11.29.2 83.138.225.37 84.2.152.6 86.124.1.207 89.178.187.251 92.80.131.92
ns2.iprintworld.com [24.81.52.10] - Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iprintworld.com hosted by SoftLayer Technologies Inc. (vpswelcome.com) on IP 74.86.253.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

DNS Data: (neellp.com, neellp.net)
Looking up at the 2 neellp.com. parent servers:

Zombie Botnet Nameserver - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.regtoo.com [74.86.253.100] - 24.93.117.56 81.172.112.113 84.2.152.6 85.249.14.142 86.105.77.200 86.124.1.207 92.80.131.92
ns2.regtoo.com [68.74.57.31] - Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.regtoo.com hosted by SoftLayer Technologies Inc. (vpswelcome.com) on IP 74.86.253.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 26th. February 2008
Response from Funke Internet Services - hosting of ns1.my-cpm.com [194.169.192.131] has been ceased.

***Latest News*** - 27th. February 2008
Nameserver domain my-cpm.com has been suspended by Register.com and has been replaced by form-cm.com (Register.com - 23-Feb-2008)
New zombie botnet DNS data: (neegl.org, neemi.tl, eisllpc.tl)
Looking up at the 2 eisllpc.tl. parent servers:

Zombie Botnet Nameserver - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.form-cm.com [64.191.119.197] - 195.189.81.163 78.106.67.85 79.114.241.20 84.0.114.42 86.123.131.78 86.127.92.162 89.137.26.33
ns2.form-cm.com [67.74.18.60] - Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.form-cm.com hosted by Network Operations Center Inc., (BurstNET Technologies, Inc.™), on IP 64.191.119.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - Domain regtoo.com suspended
New Botnet DNS Data: (neellp.org):

Looking up at the 2 neellp.org parent servers:

Zombie Botnet Nameserver - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.alkgrp.com [65.38.67.37] - 64.201.204.96 76.254.7.27 79.114.153.232 85.183.142.65 86.106.42.177 86.120.93.205 87.206.162.115
ns2.alkgrp.com [20.31.85.15] - Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.alkgrp.com hosted by Globale Internet InfoAccess (vexxhost.com) on IP 65.38.67.37 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

DNS Data: (neer.la)
Looking up at the 2 neer.la parent servers:

Zombie Botnet Nameserver - Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.iprintworld.com [89.33.8.17] - 210.6.255.133 77.81.232.76 86.120.94.68 89.137.9.59 89.42.127.105 91.196.44.203 91.197.163.178
ns2.iprintworld.com [24.81.52.10] - Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iprintworld.com hosted by PF-Pintiliescu-Paul (Maxnet.ro) on IP 89.33.8.17 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: The criminal has had his Burst.net botnet disconnected... New details:
DNS Data (neegl.org, neemi.tl, eisllpc.tl)
Looking up at the 2 eisllpc.tl. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.form-cm.com [38.103.164.11]  79.113.2.128 79.113.4.173 84.108.239.70 84.110.189.252 86.125.118.161 89.42.127.105 99.146.96.72
ns2.form-cm.com [67.74.18.60] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.form-cm.com hosted by Cogentco.com, (Performance Systems International Inc.) on IP 38.103.164.11 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

I see that they are back with a regular supplier of services to these criminals, Cogentco.com, (Performance Systems International Inc.) on IP 38.103.164.11
Later - The crook seems to be hopping about with his botnet hosting, I wonder if this is a new tactic - he's now with yet another of his regulars - Net Access Corporation:
DNS Data (neemi.tl, eisllpc.tl, neeg.la)
Looking up at the 2 eisllpc.tl. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.form-cm.com [64.21.48.156]  79.114.92.210 84.108.239.70 86.121.253.241 86.123.130.103 89.136.146.112 91.67.119.236 92.112.34.43
ns2.form-cm.com [67.74.18.60] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.form-cm.com hosted by Net Access Corporation (Moxiehosting) on IP 64.21.48.156 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 28th. February 2008
New domain reported by site contact - neer.la - hosted on PF-Pintiliescu-Paul (Maxnet.ro) zombie botnet.
New domain reported by site contact - neellp.org - hosted on Globale Internet InfoAccess (vexxhost.com) zombie botnet.
New domain spotted in the wild - neeg.la - hosted on the Net Access Corporation (Moxiehosting) zombie botnet.

***Latest News*** - 29th. February 2008
Various domains suspended and Vexxhost hosting ceased
Later: New domain reported by site contact - newesei.tl


Looking up at the 2 newesei.tl parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [64.21.48.156]  77.111.153.219 78.106.185.161 79.113.0.68 81.98.97.126 89.137.9.59 89.40.5.124 99.133.161.253
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Net Access Corporation (Moxiehosting) on IP 64.21.48.156 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 1st. March 2008
Domain newesei.tl suspended by registrar - no operational domains known.
Later - New domain reported by site contact - neween.tl on new botnet:

DNS Data: (newese.org, neegr.la)
Looking up at the 2 newese.org parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [64.191.112.197] 89.137.66.205 77.111.153.219 79.114.156.232 84.108.239.70 89.41.94.111 89.110.10.24 89.137.9.59
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Network Operations Center Inc./Burst.net (Geek Rack Networks) on IP 64.191.112.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: - New domain reported by site contact (neel.la) on new botnet:


DNS Data: (neel.la)
Looking up at the 2 neel.la parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mm-garden.com [89.33.8.17] 89.178.10.68 77.81.232.76 79.114.154.150 82.37.145.218 89.33.60.122 89.40.5.124 89.137.66.205
ns2.mm-garden.com [67.82.17.59] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mm-garden.com hosted by PF-Pintiliescu-Paul (Jump.ro) on IP 89.33.8.17 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).


***Latest News*** - 2nd. March 2008
New domain spotted in the wild - newese.org - hosted on the ns1.minkot.com controlled botnet (currently Network Operations Center Inc./Burst.net (Geek Rack Networks))
Later - The above Jump.ro zombie botnet has gone, replaced by one on IP 65.75.191.14
DNS Data (neegl.net, neegl.biz )
Looking up at the 2 neegl.net parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mm-garden.com [65.75.191.14]  24.93.117.56 69.139.151.25 77.81.232.76 86.106.42.177 89.33.60.122 89.42.127.105 99.147.148.59
ns2.mm-garden.com [67.82.17.59] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mm-garden.com hosted by WEBHOSTPLUS-INC (theserverdoctor.com) on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The criminal has a third zombie botnet on the go using botnet controller/nameserver ns1.notice-mm.com [78.110.164.34] hosting domain neellp.org

DNS Data (neellp.org):
Looking up at the 2 neellp.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.notice-mm.com [78.110.164.34]  79.114.90.43 81.98.97.126 82.255.226.184 89.37.99.88 89.43.205.130 93.81.33.31 99.147.148.59
ns2.notice-mm.com [70.14.44.72] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by VAServe LTD on IP 78.110.164.34 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 3rd. March 2008
Two new domains reported by site contact - newese.com and newese.biz both hosted on the ns1.minkot.com botnet controller which is now on a new host as follows:

DNS Data (newese.org, newese.com and newese.biz):
Looking up at the 2 newese.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [194.150.121.44]  125.129.26.177 24.93.117.56 77.111.153.219 81.198.22.45 82.212.128.158 85.178.238.8 89.39.109.72
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by OthelloColo.net (Tidyhosts.com) on IP 194.150.121.44 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The IP 194.150.121.44 was last used by the Silverlens fraudster to host his botnet nameserver ns1.listns.com.
Later - new domain notified by site contact - nenr.la hosted on a Turktelekom IP for a change:

DNS Data: (newdgl.com, newdgl.biz)
Looking up at the 2 nenr.la. parent servers:

Server Response
ns67.mobns.com [200.72.139.67]  85.105.182.6
ns18.mobns.com [211.142.23.18]  [Error: Port Unreachable]

With a reverse DNS of dsl.static.85-105-46598.ttnet.net.tr, the host IP (85.105.182.6) looks to me like a single zombie on a TurkTelekom DSL (Broadband) network, assuming that the RDNS data is genuine. It could easily be a criminal owned IP or possibly just an unwitting infected end user. It's displaying the well known 'Rockphish' "66.1 Host Locked" message on HTTP access.

The IP is at present listed in the Spamhaus blocklist as a prolific phishing source:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL61979

The above evidence undeniably links these crooks to the 'Rockphish' gang.

***Latest News*** - 4th. March 2008
New domains notified from site contact - newdgl.com & newdgl.biz - both hosted on the Turktelekom ADSL IP above, and neesn.net, neesn.org, neesn.com all hosted on the ns1.notice-mm.com botnet, currently hosted on Tidyhosts IP 194.150.121.96 using nameserver ns1.notice-mm.com:

DNS Data: (neellp.org, neesn.net, neesn.org, neesn.com)

How I am searching:

Searching for neesn.com A record at a.root-servers.net [198.41.0.4]: Got referral to H.GTLD-SERVERS.NET. (zone: com.) [took 33 ms]
Searching for neesn.com A record at H.GTLD-SERVERS.NET. [192.54.112.30]: Got referral to ns1.notice-mm.com. (zone: neesn.com.) [took 124 ms]
Searching for neesn.com A record at ns1.notice-mm.com. [194.150.121.96]: Reports neesn.com. [took 109 ms] Response:
Domain Type Class TTL Answer
neesn.com. A IN 1800 84.108.239.70
neesn.com. A IN 1800 77.81.232.76
neesn.com. A IN 1800 79.113.80.122
neesn.com. A IN 1800 79.114.90.194
neesn.com. A IN 1800 79.116.134.179
neesn.com. A IN 1800 82.79.67.253
neesn.com. A IN 1800 83.174.240.2
neesn.com. NS IN 1800 ns1.notice-mm.com.
neesn.com. NS IN 1800 ns2.notice-mm.com.
ns1.notice-mm.com. A IN 1800 194.150.121.96
ns2.notice-mm.com. A IN 1800 70.14.44.72

 Looking up at the 2 neesn.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.notice-mm.com [194.150.121.96]  77.81.232.76 79.113.80.122 79.114.90.194 79.116.134.179 82.79.67.253 83.174.240.2 84.108.239.70
ns2.notice-mm.com [70.14.44.72] Timeout

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Tidyhosts on IP 194.150.121.96 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - New domain reported by site contact - neegl.net - hosted on the ns1.mm-garden.com zombie botnet, hosted by WEBHOSTPLUS-INC (theserverdoctor.com) on IP 65.75.191.14. Domain neegl.biz also noted on the same botnet.
Later - The criminal has also set up his ns1.minkot.com botnet on another Tidyhosts IP (ns1.minkot.com [194.150.121.44]) hosting domains newese.org, newese.com and newese.biz:

DNS Data: (newese.org, newese.com and newese.biz)
How I am searching:

Searching for newese.biz A record at a.root-servers.net [198.41.0.4]: Got referral to A.GTLD.biz. (zone: biz.)
Searching for newese.biz A record at A.GTLD.biz. [209.173.53.162]: Got referral to NS2.MINKOT.COM. (zone: newese.biz.)
Searching for newese.biz A record at NS2.MINKOT.COM. [208.21.54.10]: Timed out. Trying again.
Searching for newese.biz A record at NS1.MINKOT.COM. [194.150.121.44]: Reports newese.biz. Response:
Domain Type Class TTL Answer
newese.biz. A IN 1800 79.113.80.122
newese.biz. A IN 1800 79.116.104.153
newese.biz. A IN 1800 79.116.134.179
newese.biz. A IN 1800 84.108.239.70
newese.biz. A IN 1800 86.123.5.149
newese.biz. A IN 1800 86.125.118.91
newese.biz. A IN 1800 79.113.2.94
newese.biz. NS IN 1800 ns1.minkot.com.
newese.biz. NS IN 1800 ns2.minkot.com.
ns1.minkot.com. A IN 1800 194.150.121.44
ns2.minkot.com. A IN 1800 208.21.54.10

Looking up at the 2 newese.biz. parent servers:

Server Response
ns1.minkot.com [194.150.121.44]  79.113.2.94 79.113.80.122 79.116.104.153 79.116.134.179 84.108.239.70 86.123.5.149 86.125.118.91
ns2.minkot.com [208.21.54.10] Timeout

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by OthelloColo.net (Tidyhosts.com) on IP 194.150.121.44 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - New domain notified by site contact - newndl.com
The Tidyhosts botnets have been disconnected
Later - The criminal appears to have moved his zombie botnet controller/nameserver ns1.minkot.com back to the Hostnoc/Burst.net IP 64.191.112.197

DNS Data: (newese.org, newese.com, newndl.com)
Looking up at the 2 newese.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [64.191.112.197]  70.44.186.164 79.112.92.124 79.114.153.144 86.123.5.149 86.55.168.15 89.137.9.59 89.41.94.142
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Network Operations Center Inc./Burst.net (Geek Rack Networks) on IP 64.191.112.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later - The same IP is also hosting a second botnet as follows:

DNS Data: (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.net. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.notice-mm.com [64.191.112.197]  70.44.186.164 79.112.92.124 79.114.153.144 86.123.5.149 86.55.168.15 89.137.9.59 89.41.94.142
ns2.notice-mm.com [70.14.44.72] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Network Operations Center Inc./Burst.net (Geek Rack Networks) on IP 64.191.112.197 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 4th. March 2008
Burst.net have taken action against the crook and he has moved his ns1.minkot.com botnet. No doubt he is also working on his other one, possibly to put it on the same host.
DNS Data: (newese.org, newese.com, newese.biz, newndl.com)
Looking up at the 2 newese.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [209.41.75.37]  77.126.40.246 79.115.30.49 82.79.233.83 85.94.46.26 86.105.77.200 86.121.10.191 89.32.171.33
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Tier Four on IP 209.41.75.37 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 5th. March 2008
The criminals have now set up their second botnet on Tier Four IP 209.41.75.37.
DNS Data (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.notice-mm.com [209.41.75.37]  70.44.184.54 82.137.14.19 82.77.119.99 85.121.94.56 86.122.190.232 91.196.44.203 99.147.148.59
ns2.notice-mm.com [70.14.44.72] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Tier Four on IP 209.41.75.37 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 7th. March 2008

The criminals have now moved both of their botnet controllers, (ns1.minkot.com and ns1.notice-mm.com), to IP 76.76.3.149
DNS Data: (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.notice-mm.com [76.76.3.149] 77.100.34.77 77.98.188.162 79.113.2.7 80.171.120.11 84.58.121.234 86.106.49.218 88.160.89.30
ns2.notice-mm.com [70.14.44.72] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by CaroNet Managed Hosting (carohosting.net) on IP 76.76.3.149 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

DNS Data: (newnese.com)
Looking up at the 2 newnese.com parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [76.76.3.149] 78.106.64.36 79.114.250.91 82.251.224.78 82.77.166.163 82.77.86.144 89.100.64.60 89.178.21.96
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by CaroNet Managed Hosting (carohosting.net) on IP 76.76.3.149 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 8th. March 2008

The criminals have now moved both of their botnet controllers, (ns1.minkot.com and ns1.notice-mm.com), to IP 209.59.209.179
DNS Data: (neesn.net, neesn.org, neesn.com)
Looking up at the 2 neesn.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.notice-mm.com [209.59.209.179] 78.48.212.217 79.112.91.136 79.119.155.8 86.105.14.118 86.123.147.62 89.43.205.130 92.112.63.224
ns2.notice-mm.com [70.14.44.72] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by Spry Hosting on IP 209.59.209.179 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

DNS Data: (newnese.com)
Looking up at the 2 newnese.com parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [209.59.209.179] 210.6.255.133 79.112.91.136 79.113.5.131 89.32.140.225 89.41.94.191 89.43.205.130 91.67.118.207
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by Spry Hosting on IP 209.59.209.179 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 9th. March 2008
The criminals have now moved both of their botnet controllers, (ns1.minkot.com and ns1.notice-mm.com), to IP 208.116.44.16
DNS Data: (neesn.net, neesn.org, neesn.com, newmnllp.tl)
Looking up at the 2 neesn.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.notice-mm.com [208.116.44.16] 78.48.212.217 79.112.91.136 79.119.155.8 86.105.14.118 86.123.147.62 89.43.205.130 92.112.63.224
ns2.notice-mm.com [70.14.44.72] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.notice-mm.com hosted by FortressITX on IP 208.116.44.16 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

DNS Data: (newnese.com, newnm.org, newnmm.com)
Looking up at the 2 newnese.com parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.minkot.com [208.116.44.16] 210.6.255.133 79.112.91.136 79.113.5.131 89.32.140.225 89.41.94.191 89.43.205.130 91.67.118.207
ns2.minkot.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).
The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.minkot.com hosted by FortressITX on IP 208.116.44.16 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

New domain noted in the wild - newdg.net (Spiritdomains - 01-Mar-2008) Hosted on IP 69.129.59.26 listed as belonging to THE BRIDGE RECORDING STUDIO via nameserver hosted on IP 81.16.131.40 listed as belonging to Complex Telmatic Systems Siberia network:

DNS Data: (newdg.net)
Looking up at the 2 newdg.net. parent servers:

Server Response
ns1.newdg.net [200.72.139.67]  69.129.59.26
ns2.newdg.net [81.16.131.40]  69.129.59.26

The host IP 69.129.59.26 has an RDNS of mntimnbas01-lo1-pool9-a26.mntimn.tds.net which suggests that it may be a criminal owned IP or more likely simply just a single zombie machine IP. The nameserver ns2.newdg.net [81.16.131.40] is obviously the criminal's own nameserver hosted on IP 81.16.131.40 listed as belonging to Complex Telmatic Systems Siberia network. The criminal's nameserver ns1.newdg.net [200.72.139.67] is on the usual Entel Chile IP.

New domain reported by site contact - neelaw.org. This is a domain registered with CSL Computer Service Langenbach GmbH d/b/a Joker.com and hosted on GoDaddy's network on IP 208.109.181.25 which is an arrangement the criminal used for one of his Waller Truck domains.

DNS Data: (neelaw.org):

How I am searching:

Searching for neelaw.org A record at g.root-servers.net [192.112.36.4]: Got referral to B0.ORG.AFILIAS-NST.org. (zone: org.)
Searching for neelaw.org A record at B0.ORG.AFILIAS-NST.org. [199.19.54.1]: Got referral to ns43.domaincontrol.com. (zone: neelaw.org.)
Searching for neelaw.org A record at ns43.domaincontrol.com. [208.109.78.180]: Reports neelaw.org. Response:
Domain Type Class TTL Answer
neelaw.org. A IN 3600 208.109.181.25
neelaw.org. NS IN 3600 ns43.domaincontrol.com.
neelaw.org. NS IN 3600 ns44.domaincontrol.com.
 Looking up at the 2 neelaw.org. parent servers:

Server Response
ns44.domaincontrol.com [208.109.255.22]  208.109.181.25
ns43.domaincontrol.com [208.109.78.180]  208.109.181.25

neelaw.org is hosted on GoDaddy's network on IP 208.109.181.25
***Latest News*** - 10th. March 2008
New domain reported by site contact - neelaw.biz, registered with CSL Computer Service Langenbach GmbH d/b/a Joker.com and also hosted on GoDaddy's network on IP 208.109.181.224 as follows:
How I am searching:

Searching for neelaw.biz A record at l.root-servers.net [199.7.83.42]: Got referral to a.gtld.biz. (zone: biz.)
Searching for neelaw.biz A record at a.gtld.biz. [209.173.53.162]: Got referral to NS43.DOMAINCONTROL.COM. (zone: neelaw.biz.)
Searching for neelaw.biz A record at NS43.DOMAINCONTROL.COM. [208.109.78.180]: Reports neelaw.biz. Response:
Domain Type Class TTL Answer
neelaw.biz. A IN 3600 208.109.181.224
neelaw.biz. NS IN 3600 ns43.domaincontrol.com.
neelaw.biz. NS IN 3600 ns44.domaincontrol.com.

Looking up at the 2 neelaw.biz. parent servers:

Server Response
ns44.domaincontrol.com [208.109.255.22]  208.109.181.224
ns43.domaincontrol.com [208.109.78.180]  208.109.181.224

neelaw.biz is hosted on GoDaddy's network on IP  208.109.181.224

Later: The domain newdg.net is now hosted on a RoadRunner IP:
Looking up at the 2 newdg.net. parent servers:


Server Response
ns1.newdg.net [200.72.139.67]  76.186.12.121
ns2.newdg.net [81.16.131.40]  76.186.12.121

Once again it has an RDNS (cpe-76-186-12-121.tx.res.rr.com) that appears to be that of a Road Runner end user in Texas, so this is almost certainly another single zombie or infected machine.

Five minutes later:
Looking up at the 2 newdg.net. parent servers:

Server Response
ns2.newdg.net [81.16.131.40]  79.15.170.74
ns1.newdg.net [200.72.139.67]  76.186.12.121
Caught it in mid-cycle this time - the first nameserver has changed over to a new zombie (79.15.170.74) but the second one hasn't quite caught up....
Five minutes later:
Looking up at the 2 newdg.net. parent servers:

Server Response
ns2.newdg.net [81.16.131.40]  79.15.170.74
ns1.newdg.net [200.72.139.67]  79.15.170.74
This time both nameservers are showing the new zombie (79.15.170.74) - RDNS for this is host74-170-static.15-79-b.business.telecomitalia.it
Five minutes later:
Looking up at the 2 newdg.net. parent servers:

Server Response
ns1.newdg.net [200.72.139.67]  76.186.12.121
ns2.newdg.net [81.16.131.40]  76.186.12.121
Back on the original zombie again.... and so it goes on, continually cycling round these two zombies which could conceivably be two or two hundred...
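
The 7-IP answer sets and the newdg.net polling described above can be checked mechanically. The following is an added example, not this site's own tooling: it parses answer rows in the format shown on this page and reports the rotation indicators; the function names and thresholds are assumptions chosen for illustration.

```python
"""Added example: rotating-host indicators from DNS answers shown on this page."""
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "name rtype ttl answer")

# Answer rows copied from the neesn.com lookup on this page.
NEESN_COM = """\
Domain Type Class TTL Answer
neesn.com. A IN 1800 84.108.239.70
neesn.com. A IN 1800 77.81.232.76
neesn.com. A IN 1800 79.113.80.122
neesn.com. A IN 1800 79.114.90.194
neesn.com. A IN 1800 79.116.134.179
neesn.com. A IN 1800 82.79.67.253
neesn.com. A IN 1800 83.174.240.2
neesn.com. NS IN 1800 ns1.notice-mm.com.
neesn.com. NS IN 1800 ns2.notice-mm.com.
ns1.notice-mm.com. A IN 1800 194.150.121.96
ns2.notice-mm.com. A IN 1800 70.14.44.72
"""

# Answer rows copied from the first neelaw.org lookup on this page.
NEELAW_ORG = """\
Domain Type Class TTL Answer
neelaw.org. A IN 3600 208.109.181.25
neelaw.org. NS IN 3600 ns43.domaincontrol.com.
neelaw.org. NS IN 3600 ns44.domaincontrol.com.
"""

# The four newdg.net polls on this page, five minutes apart: {nameserver: answer}.
NEWDG_POLLS = [
    {"ns1.newdg.net": "76.186.12.121", "ns2.newdg.net": "76.186.12.121"},
    {"ns1.newdg.net": "76.186.12.121", "ns2.newdg.net": "79.15.170.74"},
    {"ns1.newdg.net": "79.15.170.74", "ns2.newdg.net": "79.15.170.74"},
    {"ns1.newdg.net": "76.186.12.121", "ns2.newdg.net": "76.186.12.121"},
]


def parse_answers(text):
    """Parse 'name type class ttl answer' rows; the header row and blanks are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or not fields[3].isdigit():
            continue
        name, rtype, _cls, ttl, answer = fields
        records.append(Record(name.rstrip(".").lower(), rtype.upper(),
                              int(ttl), answer.rstrip(".")))
    return records


def flux_profile(text, domain):
    """Count the domain's A records and how many distinct /16 networks they span."""
    domain = domain.rstrip(".").lower()
    records = parse_answers(text)
    hosts = [r for r in records if r.rtype == "A" and r.name == domain]
    nets = {ipaddress.ip_network(f"{r.answer}/16", strict=False) for r in hosts}
    return {
        "a_records": len(hosts),
        "distinct_slash16": len(nets),
        "min_ttl": min((r.ttl for r in hosts), default=None),
        "nameservers": sorted(r.answer for r in records
                              if r.rtype == "NS" and r.name == domain),
    }


def looks_like_flux(profile, min_hosts=5, min_networks=4):
    """Assumed thresholds: many A records scattered over unrelated networks."""
    return (profile["a_records"] >= min_hosts
            and profile["distinct_slash16"] >= min_networks)


def rotation_summary(polls):
    """Across successive polls: distinct host IPs, polls where the nameservers
    disagreed (caught mid-cycle), and how often the answer set changed."""
    seen, split_polls, changes, previous = set(), [], 0, None
    for index, poll in enumerate(polls):
        answers = set(poll.values())
        seen |= answers
        if len(answers) > 1:
            split_polls.append(index)
        if previous is not None and answers != previous:
            changes += 1
        previous = answers
    return {"distinct_ips": sorted(seen), "split_polls": split_polls,
            "changes": changes}


if __name__ == "__main__":
    for label, text, domain in (("neesn.com", NEESN_COM, "neesn.com"),
                                ("neelaw.org", NEELAW_ORG, "neelaw.org")):
        profile = flux_profile(text, domain)
        print(label, profile, "flux-like:", looks_like_flux(profile))
    print("newdg.net", rotation_summary(NEWDG_POLLS))
```

The botnet-hosted neesn.com answer is flagged while the single-IP neelaw.org answer is not, and the newdg.net polls show the same two hosts alternating with one split answer between the nameservers.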

Later: - The Joker registered domain neelaw.org is back up on another GoDaddy IP (208.109.181.230):
How I am searching:

Searching for neelaw.org A record at c.root-servers.net [192.33.4.12]: Got referral to C0.ORG.AFILIAS-NST.INFO. (zone: org.)
Searching for neelaw.org A record at C0.ORG.AFILIAS-NST.INFO. [199.19.53.1]: Got referral to ns43.domaincontrol.com. (zone: neelaw.org.)
Searching for neelaw.org A record at ns43.domaincontrol.com. [208.109.78.180]: Reports neelaw.org. Response:
Domain Type Class TTL Answer
neelaw.org. A IN 3600 208.109.181.230
neelaw.org. NS IN 3600 ns43.domaincontrol.com.
neelaw.org. NS IN 3600 ns44.domaincontrol.com.

Looking up at the 2 neelaw.org. parent servers:

Server Response
ns44.domaincontrol.com [208.109.255.22]  208.109.181.230
ns43.domaincontrol.com [208.109.78.180]  208.109.181.230


***Latest News*** - 11th. March 2008
New domain reported by site contact - newnmm.com hosted on ns1.minkot.com controlled botnet hosted on FortressITX/pwebtech.com IP 208.116.44.16.

No response from FortressITX/pwebtech.com to abuse reports, but domains neesn.net, neesn.org, neesn.com have been suspended by the registrar Spiritdomains. Neesn.biz remains active but parked on the criminal's nameservers at the moment. The second botnet controlled by ns1.minkot.com [208.116.44.16] hosting domains newnese.com, newnm.org and newnmm.com remains active on their IP.

No further response from GoDaddy to reports of abuse of their IPs 208.109.181.230 and 208.109.181.224. Their initial response was "As a hosting provider, we cannot be expected to judge the alleged illegal activities you have mentioned." followed by "We are currently investigating this company" when pressed, but as yet they have failed to take action.
Later - New domain spotted in the wild - newmnllp.tl hosted on the FortressITX/pwebtech.com zombie botnet controlled by ns1.notice-mm.com [208.116.44.16]
Later - GoDaddy now appear to have taken action against their criminal clients neelaw.biz and neelaw.org.
FortressITX/pwebtech.com appear to have taken action against ns1.notice-mm.com [208.116.44.16], but ns1.minkot.com [208.116.44.16] remains active.
Later - The fraudster has moved his domains neelaw.org and neelaw.biz onto two new GoDaddy IPs as per the following DNS data:
 
Domain Type Class TTL Answer
neelaw.org. A IN 3600 208.109.181.232
neelaw.org. NS IN 3600 ns43.domaincontrol.com.
neelaw.org. NS IN 3600 ns44.domaincontrol.com.

 
Domain Type Class TTL Answer
neelaw.biz. A IN 3600 208.109.181.210
neelaw.biz. NS IN 3600 ns43.domaincontrol.com.
neelaw.biz. NS IN 3600 ns44.domaincontrol.com.

GoDaddy need to find a way to stop this criminal simply moving his hosting onto a new IP.

***Latest News*** - 12th. March 2008
The criminal seems to have branched out into an email response version of his spam, perhaps because his hosting is getting more and more difficult:

Newman, Esmond, & Eisenberg LLP is a Berne-based law firm providing
legal services to a diverse group of clients in a wide array of
domestic and global business transactions and litigation matters. Our
clients include privately and publicly held companies, financial
institutions, not-for-profit organizations and high net worth
individuals. Our client base reflects virtually every business
industry, including a number of Fortune 100 companies.
Our company has a current opening for a part-time position of a
Customer Service Associate. Join a team of professionals dedicated to
the international growth, brand recognition, and successful partnering
with clients to achieve exceptional expansion.
 
This is a part time job position, that enquires 1-2 hours a day to be
dealt with. The candidate will be responsible for dealing with the
customer payments in his local area; this will include: monitoring the
payments to arrive on his banking account, making calculations
regarding each payment, transmitting the payments further to the
regional business partners, associates and branches and being in an
interactive communication with the headquaters continiously.
 
The successful applicant will have computer literacy coupled with the
ability to communicate at a good level and will enjoy being flexible,
enthsiastic and driven.
 
The applicant can expect a part-time working agreement to be signed up
after the trial period is over. The employee is paid on a regular basis
in the end of every month, as well as he gets a 10% commission out of
each customer payment he has dealt with.
 
The main aim of the role is to attract new customers by offering them
the high-speed delivery of their orders and to fasten customer payment
delivery by prompt collection of their payments.
 
In NEE LLP we believe, that career is more than a job. It's about
skills training. Competitive salaries. Flexible scheduling.
Comprehensive benefits. Job satisfaction. At NEE LLP, we offer all this
and more. Because we want to help you enjoy your work. and your life.
If you feel interested in a position, please send your reply and CV via
email: patrowe95@yahoo.com to apply now!And If you have any questions,
please do not hesitate to contact us.
 
Please consider, this is not a spam distribution. Your contact details
were kindly put into our disposal by our partners: www.monster.com and
www.careerbuilder.com.
 
We are looking to hearing from you asap,
Yours sincerely, Pat Rowe

The criminal has parked his minkot.com nameserver domain on his bogus search page hosted by 'Optical Jungle' and has set up a new botnet to replace the one that used it as a nameserver domain:
DNS Data: (newnese.com, newnm.org, newnmm.com)

Looking up at the 2 newnese.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.toomnc.com [67.159.41.89]  210.6.255.133 78.106.56.207 78.55.178.86 79.117.35.159 79.117.72.155 86.122.156.236 89.32.140.225
ns2.toomnc.com [38.14.18.25] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.toomnc.com hosted by FDC Servers.net, LLC on IP 67.159.41.89 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later: GoDaddy appear to have promptly taken action against the hosting of the crook's domains neelaw.org and neelaw.biz as both of them are resolving to a fault page. GoDaddy now seem to be a bit more on the ball than their initial response indicated.
The above criminal's botnet is still active on the FDC Servers Inc. hosting.
Later: FDC Servers now appear to have terminated the hosting of the criminal's zombie botnet controller ns1.toomnc.com [67.159.41.89]


***Latest News*** - 13th. March 2008
The criminal has set up a new botnet on Schlund + Partner AG IP 212.227.251.161 with a new nameserver (ns1.theloging.com) as KEY-SYSTEMS GMBH have already suspended toomnc.com:

DNS Data: (newnese.com, newnm.org, newnmm.com)
Looking up at the 2 newnmm.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.theloging.com [212.227.251.161]  79.165.168.136 85.182.43.95 86.105.77.200 89.136.117.212 89.32.140.225 91.197.163.178 99.147.148.59
ns2.theloging.com [20.131.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.theloging.com hosted by Schlund + Partner AG on IP 212.227.251.161 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Later: The criminal has set up a new botnet on Spry Hosting IP 209.40.204.226:

DNS Data: (newnese.com, newnm.org, newnmm.com)
Looking up at the 2 newnmm.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.theloging.com. [209.40.204.226] 83.103.190.200 86.120.16.68 87.207.56.7 89.136.117.212 91.196.236.57 79.114.152.232 79.119.150.123
ns2.theloging.com [20.131.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.theloging.com hosted by Spry Hosting on IP 209.40.204.226 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 14th. March 2008

The criminal has some more domains registered with Enom.com's reseller Mobile Names Services, Inc. whose published contact email address of support@mobilenameservices.com bounces with a "550 5.7.1 No mailbox found" error:

nmnmd.org

nmnmd.net
nmnmd.org

They also have registered a new nameserver domain of snowbm.com, (REGISTER.COM, INC. 07-Mar-2008)

DNS Data: (nmnmd.org, nmnmd.net, nmnmd.com)
Looking up at the 2 nmnmd.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.snowbm.com [74.62.155.57]  80.93.181.82 83.103.190.200 86.120.93.252 87.206.168.118 89.137.186.6 89.32.140.225 91.201.1.197
ns2.snowbm.com [208.40.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.snowbm.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 16th. March 2008
The criminal has a new botnet to replace the Spry Hosting one:
DNS Data: (newnese.com, newnm.org, newnmm.com, nenmdg.net)
Looking up at the 2 newnese.com. parent servers:

Server Response
ns1.theloging.com [67.210.224.100] 121.146.224.104 125.135.110.147 218.232.195.79 218.48.139.240 221.144.100.213 58.225.226.43 61.80.117.197
ns2.theloging.com [20.131.52.10] Timeout

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.theloging.com hosted by AS1660/Globalcon.net, LLC (Eric Chen) on IP 67.210.224.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 17th. March 2008
The criminal has a new domain (nwmsd.com) on a new, (non-botnet), host - Comcast.net:
DNS Data: (nwmsd.com)
Looking up at the 2 nwmsd.com. parent servers:

Server Response
ns2.nwmsd.com [202.44.71.148]  76.126.72.41
ns1.nwmsd.com [200.72.139.67]  76.126.72.41
He's using his own main domain as his nameserver domain and once again there's the usual 'blackhat' SP Entel Chile IP 200.72.139.67 along with a Bangkok one (Sripatum University), 202.44.71.148. The website host IP is 76.126.72.41 (Comcast). The IP has a RDNS of c-76-126-72-41.hsd1.ca.comcast.net so it's quite possibly a zombie.

No response whatsoever from the Roadrunner abuse team or Globalcon.net.

***Latest News*** - 19th. March 2008
New domain notified by site contact - nenmdg.net (KEY-SYSTEMS GMBH (12-Mar-2008))

Later: The criminal has added a second host IP to his above network:
Looking up at the 2 nwmsd.com. parent servers:

Server Response
ns2.nwmsd.com [202.44.71.148]  76.126.72.41
ns1.nwmsd.com [200.72.139.67]  80.7.203.208

The effect of this is to make the hosting of domain nwmsd.com appear to switch between the Comcast IP 76.126.72.41 and the NTL IP 80.7.203.208 depending on which nameserver is accessed for the lookup. The NTL IP 80.7.203.208 has a RDNS of cpc3-pool6-0-0-cust975.sotn.cable.ntl.com which to me looks like an end user on NTL's cable system in Southampton, UK, so it is almost certainly another zombie.
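
The lookup tables in this report show recurring signs of botnet hosting: one live nameserver handing out a pool of rotating 'A' records beside a second nameserver that never answers, two nameservers returning different host IPs for the same domain, and host IPs whose RDNS looks like a subscriber line. The Python sketch below is an added example, not part of the original report; it parses lookup output in the same layout and flags those patterns. The function names, the pool-size threshold, the RDNS hint list and the sample data (documentation address ranges and .test names) are all assumptions constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# One nameserver row: "ns1.name.tld [1.2.3.4]  <A records or Timeout text>"
ROW_RE = re.compile(r"^(?P<ns>\S+?)\.?\s+\[(?P<ns_ip>[\d.]*)\]\s*(?P<rest>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Assumed substrings that ISPs commonly put in PTR names of subscriber lines.
ACCESS_HINTS = ("dsl", "cable", "pool", "cust", "hsd", "dyn", "ppp", "dhcp")


@dataclass(frozen=True)
class NsAnswer:
    ns: str            # nameserver host name, trailing dot removed
    ns_ip: str         # nameserver IP from the square brackets
    a_records: tuple   # 'A' records it returned (empty on timeout)
    timed_out: bool


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_lookup(text):
    """Return one NsAnswer per nameserver row; headers and prose are skipped."""
    answers = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if not m:
            continue
        ips = tuple(ip for ip in IP_RE.findall(m["rest"]) if _is_ip(ip))
        timed_out = not ips and "timeout" in m["rest"].lower()
        answers.append(NsAnswer(m["ns"], m["ns_ip"], ips, timed_out))
    return answers


def classify(answers, min_pool=5):
    """Flag the hosting patterns seen in one lookup (min_pool is an assumed cut-off)."""
    live = [a for a in answers if a.a_records]
    findings = set()
    if live and any(a.timed_out for a in answers):
        findings.add("dead-secondary-nameserver")
    if any(len(set(a.a_records)) >= min_pool for a in live):
        findings.add("multi-ip-pool")
    if len({frozenset(a.a_records) for a in live}) > 1:
        findings.add("split-answers")
    return findings


def pool_churn(before, after):
    """Jaccard distance between the host IP sets of two lookups (0 = same, 1 = all new)."""
    old = {ip for a in before for ip in a.a_records}
    new = {ip for a in after for ip in a.a_records}
    union = old | new
    return 0.0 if not union else 1 - len(old & new) / len(union)


def rdns_looks_like_access_line(ip, rdns):
    """Heuristic: PTR name embeds the IP's octets or carries an access-network hint."""
    name = rdns.lower()
    numbers = {d.lstrip("0") or "0" for d in re.findall(r"\d+", name)}
    embedded = sum(octet in numbers for octet in ip.split(".")) >= 3
    return embedded or any(hint in name for hint in ACCESS_HINTS)


# Constructed sample lookups in the layout used on this page.
SNAPSHOT_1 = """\
Looking up at the 2 fraud-example.test. parent servers:
Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.ctrl-example.test [192.0.2.10]  198.51.100.11 198.51.100.12 198.51.100.13 203.0.113.21 203.0.113.22 203.0.113.23 203.0.113.24
ns2.ctrl-example.test [192.0.2.99] Timeout - Fake nameserver, (never resolves).
"""
SNAPSHOT_2 = """\
ns1.ctrl-example.test. [192.0.2.10] 198.51.100.11 203.0.113.21 198.51.100.31 198.51.100.32 198.51.100.33 203.0.113.41 203.0.113.42
ns2.ctrl-example.test [192.0.2.99] Timeout - Fake nameserver, (never resolves).
"""
SPLIT_LOOKUP = """\
Server Response
ns2.fraud-example.test [192.0.2.148]  198.51.100.41
ns1.fraud-example.test [192.0.2.67]  203.0.113.208
"""

if __name__ == "__main__":
    first, second = parse_lookup(SNAPSHOT_1), parse_lookup(SNAPSHOT_2)
    print(sorted(classify(first)))
    print(sorted(classify(parse_lookup(SPLIT_LOOKUP))))
    print(f"pool churn between snapshots: {pool_churn(first, second):.2f}")
```

A high churn value between two lookups taken against the same nameserver IP is what distinguishes a rotating zombie pool from an ordinary multi-homed site, whose 'A' records stay stable.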

***Latest News*** - 21st. March 2008
The criminal is using two new zombies on the above network:
Looking up at the 2 nwmsd.com, nmnsd.net, nmnsd.com parent servers:

Server Response
ns1.nwmsd.com [200.72.139.67]  75.145.209.157
ns2.nwmsd.com [202.44.71.148]  79.15.170.74

The RDNS for 79.15.170.74 is host74-170-static.15-79-b.business.telecomitalia.it
The RDNS for 75.145.209.157 is 75-145-209-157-Memphis.hfc.comcastbusiness.net

Yet another Comcast zombie, looks like a business user this time.

The criminal's Globalcon and Roadrunner networks are still intact. Unfortunately it seems next to impossible to get Roadrunner to even understand that they are hosting this criminal fraudster on their IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com), let alone take action to end the criminality, and Globalcon have not responded to a ticket which has been open on their ticketing system since 16th. March.

***Latest News*** - 22nd. March 2008
Today's zombies hosting nwmsd.com, nmnsd.net and nmnsd.com
Looking up at the 2 nwmsd.com, nmnsd.net, nmnsd.com parent servers:

Server Response
ns1.nmnsd.com [71.249.231.112]  76.232.230.182
ns2.nmnsd.com [219.76.235.93]  75.145.209.157

Zombie 1: The RDNS for  76.232.230.182 is adsl-76-232-230-182.dsl.stlsmo.sbcglobal.net
Zombie 2: The RDNS for 75.145.209.157 is 75-145-209-157-Memphis.hfc.comcastbusiness.net

The criminal's zombie controllers are being hosted by:
Verizon Internet Services Inc. (ns1.nmnsd.com [71.249.231.112]) (static-71-249-231-112.nycmny.east.verizon.net)
NETVIGATOR (PCCW Limited) (ns2.nmnsd.com [219.76.235.93]) (n219076235093.netvigator.com)

Even the nameservers appear to be hosted on criminal owned machines or zombies.

***Latest News*** - 23rd. March 2008
Today's zombies hosting nwmsd.com, nmnsd.net and nmnsd.com
Looking up at the 2 nmnsd.net. parent servers:

Server Response
ns1.nmnsd.net [71.249.231.112]  85.15.69.38
ns2.nmnsd.net [219.76.235.93]  212.0.81.14

Zombie 1:  The RDNS for  85.15.69.38 is a85-15-69-38.vpn.vtelecom.ru
Zombie 2:  The RDNS for  212.0.81.14 is ws-81-14.burnet.ru

The criminal's zombie controllers are being hosted by:
Verizon Internet Services Inc. (ns1.nmnsd.com [71.249.231.112]) (static-71-249-231-112.nycmny.east.verizon.net)
NETVIGATOR (PCCW Limited) (ns2.nmnsd.com [219.76.235.93]) (n219076235093.netvigator.com)

Even the nameservers appear to be hosted on criminal owned machines or zombies.

The criminal has set up a new zombie network. It hardly seems necessary as the crook has already got a selection of criminal friendly hosts in AS1660/Globalcon.net, LLC (Eric Chen), and Road Runner HoldCo LLC along with registrars like Enom who simply ignore all abuse reports of this illegal activity. With unethical service providers like that as accomplices, the criminal has an easy life with his 'bullet-proof' hosting. Anyway here is the new zombie botnet:
DNS Data: (newesm.net, newesm.com, newesm.org)
Looking up at the 2 newesm.net. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dmmlife.com [65.75.191.14]  125.139.235.164 78.97.0.76 81.180.130.205 85.121.70.76 89.33.95.207 89.36.52.237 89.45.112.171
ns2.dmmlife.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.dmmlife.com hosted by SoftwareWorks Group, Inc. (TheServerDoctor) on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

New domain nmnsd.org spotted in the wild:
Looking up at the 2 nmnsd.org. parent servers:

Server Response
ns1.nmnsd.org [200.72.139.67]  85.15.69.38
ns2.nmnsd.org [202.44.71.148]  85.15.69.38

He's using his own main domain as his nameserver domain and once again there's the usual 'blackhat' SP Entel Chile IP 200.72.139.67 along with a Bangkok one (Sripatum University), 202.44.71.148. The website host IP is 85.15.69.38 (a85-15-69-38.vpn.vtelecom.ru).

***Latest News*** - 24th. March 2008
Today's zombies hosting nmnsd.com, nmnsd.net, nmnsd.org and nwmsd.com
Looking up at the 2 nmnsd.com. parent servers:

Server Response
ns1.nmnsd.com [71.249.231.112]  76.126.72.41
ns2.nmnsd.com [219.76.235.93]  85.15.69.38

Looking up at the 2 nmnsd.net. parent servers:

Server Response
ns1.nmnsd.net [71.249.231.112] 76.126.72.41
ns2.nmnsd.net [219.76.235.93]  85.15.69.38

Looking up at the 2 nmnsd.org. parent servers:

Server Response
ns1.nmnsd.org [200.72.139.67]  76.126.72.41
ns2.nmnsd.org [202.44.71.148]  76.126.72.41

Looking up at the 2 nwmsd.com. parent servers:

Server Response
ns1.nwmsd.com [200.72.139.67]  76.126.72.41
ns2.nwmsd.com [202.44.71.148]  85.15.69.38

Here's the usual selection of IP addresses currently abused by the criminals:

71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net)
219.76.235.93 (n219076235093.netvigator.com)
76.126.72.41 (c-76-126-72-41.hsd1.ca.comcast.net)
85.15.69.38 (a85-15-69-38.vpn.vtelecom.ru)
200.72.139.67 (Entel Chile)
202.44.71.148 (Sripatum University)

***Latest News*** - 25th. March 2008
Spiritdomains have suspended the nameserver domain theloging.com and the criminal has replaced it with newxmm.com. New botnet data:
DNS Data: (newnm.org, newnmm.com, nenmdg.net, nenmdg.com)
Looking up at the 2 newnm.org. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.newxmm.com [67.210.224.100]  125.177.201.102 207.47.241.118 83.103.137.88 87.242.18.243 89.133.250.45 89.136.7.132 99.155.199.199
ns2.newxmm.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by AS1660/Globalcon.net, LLC (Eric Chen) on IP 67.210.224.100 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
Later - Globalcon.net have terminated the hosting of ns1.newxmm.com [67.210.224.100]. New botnet data:
DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.net parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.newxmm.com [74.202.129.229] 85.178.219.199 86.69.249.95 86.106.49.218 86.126.214.86 89.133.250.45 121.133.148.9 222.118.177.175
ns2.newxmm.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by EMC COMMUNICATIONS, LLC on IP 74.202.129.229 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Today's zombies hosting nwmsd.com, nwmsd.net, nwmsd.org
Looking up at the 2 nwmsd.com. parent servers:

Server Response
ns1.nwmsd.com [200.72.139.67]  85.105.182.6
ns2.nwmsd.com [202.44.71.148]  76.126.72.41

Looking up at the 2 nwmsd.net. parent servers:

Server Response
ns2.nwmsd.net [71.249.231.112]  85.105.182.6
ns1.nwmsd.net [219.76.235.93]  85.105.182.6

Looking up at the 2 nwmsd.org. parent servers:

Server Response
ns1.nwmsd.org [200.72.139.67]  85.105.182.6
ns2.nwmsd.org [219.76.235.93]  85.105.182.6

IP addresses involved in the criminal's network:

85.105.182.6 (dsl.static.85-105-46598.ttnet.net.tr) - TurkTelekom, ADSL-ALC-Static Pool

76.126.72.41 (c-76-126-72-41.hsd1.ca.comcast.net) - Comcast Cable Communications, Inc.
71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net) - Verizon Internet Services Inc.
219.76.235.93 (n219076235093.netvigator.com) - NETVIGATOR (PCCW Limited)
200.72.139.67 (Entel Chile)
202.44.71.148 (Sripatum University)

Enom seems now to have joined the ethical camp along with Spiritdomains, www.la, nic.tl et al in the battle against these fraudsters with most of the Enom registered domains having been suspended.

***Latest News*** - 27th. March 2008
The EMC COMMUNICATIONS, LLC zombie botnet has been terminated and the criminals now have a new host for their botnet, OC3 Networks & Web Solutions, LLC:

DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.newxmm.com [66.63.174.26]  222.118.177.175 77.111.178.36 77.196.201.72 77.81.228.90 87.207.56.7 89.133.250.45 89.136.78.86
ns2.newxmm.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by OC3 Networks & Web Solutions, LLC on IP 66.63.174.26 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 28th. March 2008

The OC3 Networks & Web Solutions, LLC zombie botnet has been terminated and the criminals now have a new host for their botnet, Netrouting Data Facilities (GrafiX Internet B.V.):

DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.net. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.newxmm.com [91.199.50.70]  193.227.242.23 79.112.68.144 86.105.194.106 87.206.168.118 89.136.196.38 89.41.70.23 92.112.179.124
ns2.newxmm.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by Netrouting Data Facilities (Grafix.nl) on IP 91.199.50.70 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

Today's zombies hosting nwmsd.net, nwmsd.org
Looking up at the 2 nwmsd.net. parent servers:

Server Response
ns2.nwmsd.net [71.249.231.112]  212.0.72.114
ns1.nwmsd.net [219.76.235.93]  85.105.182.6

Looking up at the 2 nwmsd.org. parent servers:

Server Response
ns1.nwmsd.org [200.72.139.67]  212.0.72.114
ns2.nwmsd.org [219.76.235.93]  85.105.182.6

IP addresses involved in the criminal's network:

85.105.182.6 (dsl.static.85-105-46598.ttnet.net.tr) - TurkTelekom, ADSL-ALC-Static Pool
212.0.72.114 - BURNET.RU (SC Electrosvyaz of Buryatia Republic)
71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net) - Verizon Internet Services Inc.
219.76.235.93 (n219076235093.netvigator.com) - NETVIGATOR (PCCW Limited)
200.72.139.67 (Entel Chile)

KEY-SYSTEMS GMBH seem to have put domain nwmsd.com on clienthold, (i.e. suspended it), but they haven't taken action against all the other domains registered with them which are all involved in exactly the same criminal activity - strange...

***Latest News*** - 30th. March 2008
Today's zombies hosting nwmsd.net, nwmsd.org
Looking up at the 2 nwmsd.net. parent servers:

Server Response
ns1.nwmsd.net [219.76.235.93]  212.0.72.114
ns2.nwmsd.net [71.249.231.112]  212.0.72.114

Looking up at the 2 nwmsd.org. parent servers:

Server Response
ns1.nwmsd.org [200.72.139.67]  212.0.72.114
ns2.nwmsd.org [219.76.235.93]  212.0.72.114

IP addresses involved in the criminal's network:

212.0.72.114 - BURNET.RU (SC Electrosvyaz of Buryatia Republic)
71.249.231.112 (static-71-249-231-112.nycmny.east.verizon.net) - Verizon Internet Services Inc.
219.76.235.93 (n219076235093.netvigator.com) - NETVIGATOR (PCCW Limited)
200.72.139.67 (Entel Chile)

No response to several abuse reports to Netrouting Data Facilities (GrafiX Internet B.V.), first sent on March 28th. The company continues to host the criminal's zombie botnet on their IP 91.199.50.70.

Spiritdomains have been very helpful and have suspended all of the criminal's fraud domains registered with them - many thanks are due to them for their ethical position along with all the other honest and decent registrars and hosts who help in the fight against internet crime.

Road Runner HoldCo LLC have been knowingly hosting a zombie botnet since 14-Mar-2008 on their IP address 74.62.155.57. It would appear that they don't care that they host the zombie botnets of criminals.

Unfortunately, while unethical service providers are free to turn a blind eye to criminal fraud in this way, these criminals will continue to prosper and their victims will continue to suffer.

Later:- Domains neamds.com, neamds.net and neamds.org spotted in the wild, (all registered with KEY-SYSTEMS GMBH/Imena.ua), and all hosted on the abovementioned Roadrunner zombie botnet as follows:

DNS Data (neamds.com, neamds.net and neamds.org)
Looking up at the 2 neamds.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.snowbm.com [74.62.155.57]  142.177.228.18 79.112.25.50 80.97.170.165 86.106.49.218 89.41.168.145 89.42.124.153 91.196.44.203
ns2.snowbm.com [208.40.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.snowbm.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).


***Latest News*** - 1st. April 2008
The Netrouting Data Facilities (GrafiX Internet B.V.) zombie botnet has been terminated and the criminal is now back on a previous host for their botnet, OC3 Networks & Web Solutions, LLC:

DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.newxmm.com [66.63.174.28]  194.150.87.223 59.22.162.77 81.180.130.205 86.105.157.70 89.136.7.132 89.137.186.6 89.42.124.117
ns2.newxmm.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by OC3 Networks & Web Solutions, LLC on IP 66.63.174.28 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 2nd. April 2008
The criminal has moved his OC3 Networks botnet onto a Layered Technologies, Inc. IP (72.232.5.33):

DNS Data: (newnmm.com, nenmdg.net, nenmdg.com, nenmdg.org)
Looking up at the 2 nenmdg.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.newxmm.com [72.232.5.33] 89.137.186.6 194.150.87.223 77.41.50.64 79.115.20.179 81.198.252.240 87.207.253.79 89.43.44.130
ns2.newxmm.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.newxmm.com hosted by Layered Technologies, Inc. on IP 72.232.5.33 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The RDNS for 72.232.5.33 is 33.5.232.72.static.reverse.ltdomains.com

***Latest News*** - 3rd. April 2008

The criminal's Roadrunner and Layeredtech botnets are both still active despite both Layeredtech and Roadrunner having been informed of the abuse. It is rather sad and discouraging that companies of such standing can continue to aid and abet these criminals without any sanction or apparent conscience at all.

The Roadrunner botnet now has a new nameserver domain (mmbopc.com) which is rather odd as the criminal's old nameserver domain (snowbm.com) doesn't seem to have been suspended by Register.com. New DNS details:

DNS Data (neamds.com, neamds.net, neamds.org, nwmsmds.net, and nwmsmds.org)
Looking up at the 2 neamds.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.mmbopc.com. [74.62.155.57] 81.25.33.207 84.108.239.70 85.64.54.195 86.127.186.84 89.32.73.26 91.67.119.39 79.113.0.234
ns2.mmbopc.com. [98.61.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.mmbopc.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The old nameserver ns1.snowbm.com still tracerts to Roadrunner IP 74.62.155.57 so I suspect that the criminals are taking advantage of Roadrunner's willingness to aid and abet their fraud to set up a second site hosting botnet with new domains.

***Latest News*** - 5th. April 2008

TheServerDoctor, Roadrunner, and Layeredtech are continuing to knowingly host this criminal's botnet controllers.

Latest botnet DNS data: (nemns.com, nemns.net and nemns.org)

Looking up at the 2 nemns.com parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.dmmlife.com [65.75.191.14]  77.204.203.48 79.113.97.106 79.117.181.149 83.103.137.88 87.207.253.79 87.207.56.7 91.196.44.203
ns2.dmmlife.com [20.31.85.15] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.dmmlife.com hosted by SoftwareWorks Group, Inc./TheServerDoctor on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 7th. April 2008
The criminal now has three site hosting zombie botnets operating courtesy of Road Runner HoldCo LLC (74.62.155.57), Layered Technologies, Inc./Savvis.net. (72.232.5.33) and SoftwareWorks Group, Inc. (TheServerDoctor) (65.75.191.14) all of whom were informed of the abuse on the dates at the top of this page.

***Latest News*** - 9th. April 2008
Suspension notice received from Imena.ua for all of their registered domains for this criminal - thanks guys for your ethical action. That means the criminals will by now have new main domains, new nameserver domains and new botnet details. Known details follow, (please let me know of any active website URLs/domains):

DNS Data (newnmm.com)
Looking up at the 2 newnmm.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.iwarzone.com [72.232.5.33]  195.189.81.163 210.6.255.133 77.192.160.54 79.116.186.67 85.217.201.213 87.207.253.79 89.37.242.97
ns2.iwarzone.com [99.61.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Layered Technologies, Inc. on IP 72.232.5.33 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT). The RDNS for 72.232.5.33 is 33.5.232.72.static.reverse.ltdomains.com

The criminal's newly registered nameserver domain is iwarzone.com (Spiritdomains/IA Registry - 28-Mar-2008). The botnet continues to be hosted by Layeredtech/Savvis despite several abuse reports.

DNS Data (nemns.com, newesm.biz, nnmbg.com, nee.com.ua, nem.kg)
Looking up at the 2 nemns.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.bonoxc.com [65.75.191.14]  210.6.255.133 78.52.147.3 79.116.186.67 80.98.245.209 85.217.201.213 87.207.253.79 89.37.242.97
ns2.bonoxc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by SoftwareWorks Group, Inc./TheServerDoctor on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The criminal's newly registered nameserver domain is bonoxc.com (REGISTER.COM, INC. - 28-Mar-2008). The botnet continues to be hosted by SoftwareWorks Group, Inc. (TheServerDoctor).

DNS Data (nwmsmds.net, and nwmsmds.org)
Looking up at the 2 nwmsmds.org parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.walillc.com [74.62.155.57] 85.217.201.213 87.207.253.79 89.37.242.97 210.6.255.133 78.52.147.3 79.116.186.67 80.98.245.209
ns2.walillc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.walillc.com hosted by Road Runner HoldCo LLC on IP 74.62.155.57 (rrcs-74-62-155-57.west.biz.rr.com) is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

The criminal's newly registered nameserver domain is walillc.com (INTERNET INVEST, INC. DBA IMENA.UA - 29-Mar-2008). The botnet continues to be hosted by Road Runner HoldCo LLC despite numerous abuse reports.

***Latest News*** - 10th. April 2008
The criminal has moved his above Roadrunner botnet, whether it is because of any action by Roadrunner or not I do not know. New network data:
DNS Data (nwmsmds.net, and nwmsmds.org)
Looking up at the 2 nwmsmds.org parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.walillc.com [67.228.213.11] 89.36.249.90 91.67.119.58 59.22.162.50 59.186.129.140 78.52.190.143 85.178.238.224 86.106.59.77
ns2.walillc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.walillc.com hosted by SoftLayer Technologies Inc./AptHost Communications Inc. on IP 67.228.213.11 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).


The criminal has also moved his Layered Technologies, Inc. zombie botnet. New network data:
DNS Data (newnmm.com)
Looking up at the 2 newnmm.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.iwarzone.com [67.215.229.45] 195.189.81.163 59.21.161.210 59.22.162.50 85.178.238.224 85.217.201.213 87.242.17.66 89.36.249.90
ns2.iwarzone.com [99.61.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Secured Private Network/FISIXNETWORKS on IP 67.215.229.45 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 11th. April 2008
New zombie botnets replacing ones shut down by ethical hosts:
DNS Data (newnmm.com)
Looking up at the 2 newnmm.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.iwarzone.com [66.197.222.5]  213.134.173.106 24.93.118.199 79.114.153.112 79.115.20.45 84.38.81.65 87.207.253.79 87.242.17.66
ns2.iwarzone.com [99.61.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Network Operations Center Inc./Burst.net on IP 66.197.222.5 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 12th. April 2008
New zombie botnet replacing one shut down by ethical hosts Network Operations Center Inc./Burst.net:
DNS Data (newnmm.com, newmmns.com, nwaesde.net)
Looking up at the 2 newnmm.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.iwarzone.com [76.191.102.141] 203.228.153.110 24.93.118.199 59.186.129.140 86.105.12.97 87.207.253.79 89.35.204.247 89.36.249.90
ns2.iwarzone.com [99.61.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.iwarzone.com hosted by Spectrum Networks/Vanoppen.biz on IP 76.191.102.141 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 13th. April 2008
New domain noted in the wild - nensmb.org registered with Enom's reseller Mobile Names Services, Inc., both of whom have been unresponsive. It's highly amusing to note that Enom have themselves been a victim of a 'phishing' attack using the domain enomcemtral.com registered with ENOM, INC./Mobile Names Services, Inc. - I hope the irony is not lost on them and they start being more pro-active against these criminals that they knowingly shelter. I won't hold my breath....
DNS Data (nensmb.org)
Looking up at the 2 nensmb.org. parent servers:

Server Response
ns1.nensmb.org [200.72.139.67]  212.174.25.241
ns2.nensmb.org [219.76.235.93]  212.174.25.241
The host of this one is Turktelekom on IP 212.174.25.241

***Latest News*** - 15th. April 2008
The criminal has some more domains registered with Imena.ua (Internet Invest Ltd):
newmanesrg.net
newmanesrg.org
newmanesrg.com

DNS Data (newmanesrg.org, newmanesrg.com, nensmb.org)
Looking up at the 2 newmanesrg.org. parent servers:

Server Response
ns1.newmanesrg.org [200.72.139.67]  81.9.106.17
ns2.newmanesrg.org [219.76.235.93]  81.9.106.17

The host IP is another JSC "EnginiaSystem" Network IP 81.9.106.17 and the nameserver IPs are also the usual Entel Chile IP (200.72.139.67) and the NETVIGATOR (PCCW Limited) IP (219.76.235.93) both of which have been reported many times with no response, never mind action.


The domain newmanesrg.net is unhosted at present, but no doubt it will join the rest shortly.
Later: New botnet:
DNS Data (newmesde.com, newmesde.net, newmesde.org)
Looking up at the 2 newmesde.com. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.uneedmc.com [71.6.211.95]  194.6.201.133 78.90.139.19 79.114.39.215 85.65.36.23 86.106.59.77 86.127.5.58 89.136.117.212
ns2.uneedmc.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.uneedmc.com hosted by California Regional Intranet, Inc./Zanadoo Hosting on IP 71.6.211.95 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 18th. April 2008
By suspending all of their registrations, the ethical registrar Spiritdomains have sent a clear message to these criminals that they will not tolerate their criminal activity. ENOM, INC. (Mobile Names Services, Inc.) have also taken similar action. All other companies please take note. Remaining known domains and hosting:

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nee.com.ua. parent servers:


Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.bonoxc.com [65.75.191.14]  121.179.6.41 220.109.1.60 77.81.147.22 77.97.25.230 89.136.117.212 89.32.171.214 89.44.37.19
ns2.bonoxc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by SoftwareWorks Group, Inc./CaroNet/TheServerDoctor on IP 65.75.191.14 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

SoftwareWorks Group, Inc./CaroNet/TheServerDoctor have ignored all abuse reports and have hosted these criminals since 23-Mar-2008.

N.B. - A contact from the company TheServerDoctor has asked me to point out that as far as he is concerned the ARIN data for the IP 65.75.191.14 is incorrect and he is NOT the owner and responsible person. The IP is controlled by CaroNet hosting, (Caro.net), of Charlotte, North Carolina.

DNS Data: (newmanesrg.org, newmanesrg.com)
Looking up at the 2 newmanesrg.org. parent servers:


Server Response
ns1.newmanesrg.org [200.72.139.67]  212.0.85.6
ns2.newmanesrg.org [219.76.235.93]  212.0.85.6

The host of this criminal's network is JSC Electrosvyaz of Buryatia Republic (burnet.ru).
Later: The criminal's botnet on IP 65.75.191.14 has been shut down after a complaint to the upstream transit provider to SoftwareWorks Group, Inc./CaroNet/TheServerDoctor. It's a pity it was necessary. The criminal is in the process of setting up a new botnet on IP 67.222.130.212 which is an IP belonging to Tailor Made Servers of Carrollton, Texas.

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nem.kg. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.bonoxc.com [67.222.130.212]  77.81.10.65 79.115.21.216 85.217.201.213 86.120.93.159 87.206.170.128 89.137.9.59 89.34.24.160
ns2.bonoxc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by Tailor Made Servers of Carrollton, Texas on IP 67.222.130.212 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

***Latest News*** - 19th. April 2008
The above criminal's botnet controller ns1.bonoxc.com [67.222.130.212] appears to have been disconnected.

Later: The criminal has set up a new botnet on IP 66.197.245.92

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nem.kg. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.bonoxc.com [66.197.245.92]  207.47.240.45 86.120.92.194 87.206.170.128 89.114.58.152 89.137.186.6 89.33.213.53 89.41.182.152
ns2.bonoxc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.bonoxc.com hosted by Network Operations Center Inc./Burst.net on IP 66.197.245.92 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).

New domain noted in the wild:

DNS Data: (nwa.kg)
Looking up at the 2 nwa.kg. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.uneedmc.com [69.42.220.141]  207.47.240.45 86.120.92.194 87.206.170.128 89.114.58.152 89.137.186.6 89.33.213.53 89.41.182.152
ns2.uneedmc.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the nameserver ns1.uneedmc.com hosted by Awknet Communications, LLC on IP 69.42.220.141 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site http://www.nwa.kg/ (as determined by TRACERT).

***Latest News*** - 20th. April 2008
The criminal's botnet controller ns1.bonoxc.com [66.197.245.92] has been disconnected by Hostnoc/Burst.net.

Unfortunately the criminal's botnet controller ns1.uneedmc.com [69.42.220.141] hosted by Awknet Communications LLC remains active. Awknet Communications LLC have been informed of the criminal activity that they are hosting.

Later: The criminal has moved his ns1.bonoxc.com botnet to the FDC Servers IP 67.159.48.120:

DNS Data: (nee.com.ua, nem.kg)
Looking up at the 2 nem.kg. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.bonoxc.com [67.159.48.120] 89.33.213.53 91.122.61.241 79.116.187.30 84.38.86.116 84.232.148.70 85.64.231.36 88.134.126.229
ns2.bonoxc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.bonoxc.com hosted by FDCservers.net on IP 67.159.48.120 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site (as determined by TRACERT).
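
The pattern these tables record (one live nameserver handing out seven rotating 'A' records, a secondary that never answers, and a controller that changes IP between observations) can be checked mechanically. The following is an added example, not part of the original report: it parses the 19 and 20 April nem.kg table rows as they appear on this page and summarises what changed; the function names and thresholds are assumptions.

```python
import re
from ipaddress import ip_address

# Table rows copied from this page's nem.kg snapshots; the date keys are labels added here.
SNAPSHOTS = {
    "2008-04-19": """\
ns1.bonoxc.com [66.197.245.92]  207.47.240.45 86.120.92.194 87.206.170.128 89.114.58.152 89.137.186.6 89.33.213.53 89.41.182.152
ns2.bonoxc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).""",
    "2008-04-20": """\
ns1.bonoxc.com [67.159.48.120] 89.33.213.53 91.122.61.241 79.116.187.30 84.38.86.116 84.232.148.70 85.64.231.36 88.134.126.229
ns2.bonoxc.com [195.81.52.10] Timeout - Fake nameserver, (never resolves).""",
}

ROW = re.compile(r"^(\S+)\s*\[([\d.]+)\]\s*(.*)$")   # name [ns ip] response
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_snapshot(text):
    """Return {nameserver: {"ip", "a_records", "dead"}} for one table."""
    out = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or prose line
        name, ns_ip, rest = m.groups()
        # ip_address() raises ValueError on a malformed octet instead of passing it on.
        ips = {str(ip_address(x)) for x in IPV4.findall(rest)}
        out[name] = {"ip": ns_ip, "a_records": ips,
                     "dead": rest.lower().startswith("timeout")}
    return out

def slash16(ip):
    """Coarse network key: the first two octets."""
    return ".".join(ip.split(".")[:2])

def flux_indicators(old, new):
    """Summarise the newer snapshot and how it differs from the older one."""
    a_old = set().union(*(ns["a_records"] for ns in old.values()))
    a_new = set().union(*(ns["a_records"] for ns in new.values()))
    return {
        "a_count": len(a_new),                               # size of the 'A' list
        "networks": len({slash16(ip) for ip in a_new}),      # spread across /16s
        "retained": len(a_old & a_new),                      # hosts seen both times
        "dead_ns": sorted(n for n, ns in new.items() if ns["dead"]),
        "moved_ns": sorted(n for n in new if n in old and not new[n]["dead"]
                           and old[n]["ip"] != new[n]["ip"]),
    }

def looks_like_flux(ind, min_a=5, min_networks=4):
    # Assumed thresholds: many 'A' records, widely scattered, with a dead secondary.
    return (ind["a_count"] >= min_a and ind["networks"] >= min_networks
            and bool(ind["dead_ns"]))
```

For these two snapshots the summary shows seven 'A' records in seven different /16 networks, only one host retained from the previous day, a secondary nameserver that times out, and a primary that has changed IP.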

***Latest News*** - 21st. April 2008
The criminal's botnet controller ns1.bonoxc.com [67.159.48.120] has been disconnected by FDCservers. The Awknet Communications LLC hosted botnet controller ns1.uneedmc.com [69.42.220.141] remains active.

***Latest News*** - 22nd. April 2008
The criminal's Awknet Communications botnet has been disconnected.

***Latest News*** - 23rd. April 2008
The criminal has a new nameserver domain (callsroar.com - Spiritdomains - 03-apr-2008) but it is not yet on an active network.

The criminal has a new botnetwork for domain nwa.kg:
DNS Data: (nwa.kg)
Looking up at the 2 nwa.kg. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.uneedmc.com [91.193.130.202]  24.93.118.199 67.225.21.208 77.81.10.65 85.204.112.226 86.125.218.226 89.114.58.152 89.32.130.125
ns2.uneedmc.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.uneedmc.com hosted by Inline Internet Online Dienste GmbH/ValueServer.de on IP 91.193.130.202 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site http://www.nwa.kg/ (as determined by TRACERT).

Later: The criminal's botnet has been quickly terminated by Internet Online Dienste GmbH/ValueServer.de, (an abuse team that's really clued up - thank you). The criminal now has a new botnetwork for domain nwa.kg:

DNS Data: (nwa.kg)
Looking up at the 2 nwa.kg. parent servers:

Zombie Botnet Nameserver Botnet Nameserver 'A' Records (Zombie Site Host IPs)
ns1.uneedmc.com [66.197.245.157]  99.235.126.120 24.93.118.199 67.225.21.208 77.81.10.65 89.33.213.53 89.41.182.152 89.137.9.59
ns2.uneedmc.com [208.21.54.10] Timeout - Fake nameserver, (never resolves).

The data shows a standard 7-IP site hosting zombie botnet where the criminal owned nameserver ns1.uneedmc.com hosted by Network Operations Center Inc./Burst.net on IP 66.197.245.157 is acting as a zombie botnet controller 'herding' the rotating zombies, (as determined by RDNS), in the 'A' records list which are hosting the fraud site http://www.nwa.kg/ (as determined by TRACERT).

DNS Data (newmanesrg.org, newmanesrb.net)
Looking up at the 2 newmanesrg.org. parent servers:

Server Response
ns2.newmanesrg.org [219.76.235.93]  85.150.209.34
ns1.newmanesrg.org [200.72.139.67]  85.150.209.34

DNS Data (newmanesrg.com, newmanesrb.com)
Looking up at the 2 newmanesrg.com. parent servers:

Server Response
ns2.newmanesrg.com [202.44.71.148]  85.150.209.34
ns1.newmanesrg.com [200.72.139.67]  85.150.209.34

The domains newmanesrg.org, newmanesrb.net, newmanesrb.com and newmanesrg.com are all hosted on the zombie IP 85.150.209.34 which is a compromised or criminal owned customer machine, (5596d122.adsl.wanadoo.nl), on the Orange Nederland Breedband B.V. network. They are still using 'in house' nameservers hosted on the usual 'Blackhat' Entel Chile IP 200.72.139.67 and the equally unhelpful NETVIGATOR (PCCW Limited) IP (219.76.235.93) both of which have been reported many times with no response, never mind action.

***Latest News*** - 24th. April 2008
The Network Operations Center Inc./Burst.net hosted botnet controller on IP 66.197.245.157 hosting nwa.kg appears to have been disconnected.

***Latest News*** - 24th. May 2008

No known current activity on this fraud - archived to previous aliases. If you know different, please let me know.