Sydney Car Centre Fraud

Don't Bear Internet Fraud

Sydney Car Centre is the replacement money laundering/transfer fraud site for the Lux Capital money laundering fraud - exactly the same Serenitynet / Infinitie.net / Eonix Corporation hosted nameserver/botnet controller, exactly the same modus operandi, i.e. a stolen website offering an illegal 'Regional Assistant' so-called 'job' as a money laundering mule/transfer fraud victim and generally hosting the stolen site using a zombie botnet, (some domains use the Yahoo/Geocities 'small business' network as seen before), often with a host that apparently has no scruples about hosting thieves and fraudsters, the latest being Convergent Network Services of Hicksville NY, aka Ironcolo.com who do not respond to abuse reports concerning this criminal botnet on their network.

This time the site is stolen from a genuine UK company - the Stratford Car Centre. This is the fake site: http://www.sydncare.ph and this is the genuine site: http://www.stratfordcarcentre.co.uk/
__________________________________________________________________________________________________________________________

Evidence of Criminal Fraud

i) The fraudsters have stupidly stolen the identity of the 'Stratford Car Centre' in the UK for their bogus 'Sydney Car Centre' & not even bothered to disguise it - the forecourt sign for Stratford Car Centre is clearly visible in the stolen images on the fraudster's website. See the genuine website http://www.stratfordcarcentre.co.uk/ for where the images & text were stolen from.

ii) They have no cars for sale! The genuine site has a 'virtual showroom' - the fake site does not.

iii) The website claims "Sydney Car Centre was first established in March 1983", but the fraudsters domains were all registered very recently to host the stolen website.

iv) The fraudster uses a multiplicity of recently registered domains, registered with various different registrars & all with different false whois data. (Listed below)

v) The fraudster used the same zombie botnet of infected end user machines to host his site that was used for the previous Lux Capital fraud.

vi) The fraudster offers one 'job' of "Regional Assistant". Details of the 'job' taken directly from the bogus website include:

* Communicate closely with the head office;
* Be available to receive 2-3 payments on your bank account from the customers every week;
* Make calculations regarding every transaction;
* Withdraw the funds from the bank account (less your 10% fee);
* Make transactions via Western Union to the suppliers;
* Inform the head office about every payment received and dealt with at the earliest convenience.

In other words acceptance of counterfeit or criminal proceeds into your personal bank account and forwarding it on to these crooks via Western Union - that is clearly just another money laundering mule job, i.e. criminal fraud.

vii) Forged email headers - 'From' & 'Return To' addresses are all different random forged addresses.

viii) Every spam is 'signed' by a different person - they appear to have an infinite number of bogus employees.

ix) What would a car dealer want with money transfer operations?

Do not be fooled by their stolen website - these are professional criminals with a long history of fraud as detailed on the General Information page.
__________________________________________________________________________________________________________________________

The Spam Content

The headers contain many different forged/bogus 'From' & 'Return Path' addresses & various forged 'Receive' lines. The subject lines vary greatly, but include "Account manager’s vacant position in the Sydney Car Centre", "Do you want to work for major company? This offer is just for you!" etc, etc & all indicate that there is a job opportunity to be had. There is - an illegal job as a money laundering 'mule' or transfer fraud victim, i.e. accepting stolen or counterfeit proceeds into your account and forwarding it on via Western Union or Moneygram for a percentage cut. Needless to say it is these mules that will inevitably feel the full weight of the law while the remote money launderers are safe. The bogus funds in the mules account will also be recovered, leaving him with large losses.

The spam link to the website is of the general form http://sydncare.ph/ & the bogus job link from the spam is of the general form: http://sydncare.ph/vacancies.php where the domain sydncare.ph can be replaced by any of the above active domains. It also uses some 'password' text prior to the domain that the criminal will probably use for list-washing purposes, so don't click on the link without removing it or the crook will know he's got a live one - you...

The spam body is followed by the usual 'whitetext' bayesian filter avoidance text, but in this case it seems to be a random section of code. AFAIK it has no other significance, but if anyone knows better....

This is the content of an actual spam:
__________________________________________________________________________________________________________________________

While we may have high expectations of our associates, we also give them high rewards. Imagine being part of a stable organization with a sterling reputation - a place where the Sydney Car Centre is an integral part of all that we do. With our car centre personality, you'll not just succeed - you'll thrive. And, with our strong commitment to promoting from within, you'll definitely enjoy your rise to the top.

Today the Sydney Car Centre is looking for an industrious regional assistant to fasten the process of the delivery of customer payments to the suppliers. The position offered is a part-time job, and will only require from you to be available for 1-2 hours a day.

As a regional assistant, you will be supposed to operate with the payments from those customers, based in your country. You will be expected to accept 2-3 transactions to your bank account every week, make certain calculations about every transaction (you will be precisely instructed about it), & transfer the funds to the suppliers by means of western Union/Money Gram less your fee & the charges of the Western Union/Money Gram. You will be continuously communicating with the manager from the head office, who will instruct you & give advice regarding every new payment.

The ideal candidate will be industrious, goal-oriented person, with the availability of a personal/business bank account suitable to be used for the company needs. Knowledge of English, computer literacy and sociability are appreciated.

The company guarantees to pay NET 10% fee out of the amount of every payment you dealt with and to provide you with the regular income & flexible schedule. All the related expenses you might have (like the Western Union/Money Gram chargers, related expenses on traveling) are covered by the company.

The more detailed information is available on our web-site http://sydncare.ph/vacancies.php, where you can fill in the on-line application form for this position.

We would be glad to welcome you in our team!

We are looking forward to hearing from you as soon as possible!

Yours sincerely, [Random name]
__________________________________________________________________________________________________________________________

I see they are still looking to "fasten the process". The semi-literate misspelt rubbish doesn't change much from scam to scam. It offers the usual 'job' of accepting criminal/counterfeit proceeds into your bank account and forwarding it on via Western Union or Moneygram less your 10%, i.e. an illegal money laundering mule.

Every spam is 'signed' by a different person - they seem to have an infinite number of (bogus) employees...
__________________________________________________________________________________________________________________________

The zombie botnet method of operation of these criminals is exactly the same as for FIC Financial Inc., United Cargo Solutions, the Radius Group, Lux Capital & Aegis Capital Group scams, (some domains use the Yahoo/Geocities "small business" network as seen before) - the only difference is in the domains, nameserver domains & host IP:

Looking up at the 2 sydncare.ph parent servers:

================Server============='A' Record Response (Zombie host IPs)=============
ns1.gem-tn.com [206.71.145.83] 82.30.9.238 85.181.5.202 85.30.101.125 88.64.40.3 89.40.5.124
ns2.gem-tn.com [69.72.10.37] [Error: Port Unreachable]

The above DNS data shows a nameserver ns1.gem-tn.com acting as a botnet zombie controller referencing five 'zombie' IPs in the 'A' Record Response (Zombie host IPs) column on a rotating basis. The second nameserver is always a fake, needed to make up the requirement for a minimum of two nameservers as per RFCs and never resolves.

The nameserver ns1.gem-tn.com is hosted on IP 206.71.145.83 by Convergent Network Services of Hicksville NY, (AKA Ironcolo.com), who have so far ignored all abuse reports regarding this fraudster.

Note that there are many main & nameserver domains registered & the host IP can change very frequently, (unless they find a 'criminal friendly' service provider such as Convergent Network Services of Hicksville NY, AKA Ironcolo.com), so the details that you see may be different to the above. See the 'Latest News' below for the latest domains & host IP.

See the 'General Information' page for more detailed information on a typical zombie botnet setup.
__________________________________________________________________________________________________________________________

These criminals are experienced liars, thieves and professional confidence tricksters. Do not be fooled - do not believe them. The evidence of site theft, criminal fraud & zombie botnet use is undeniable. I'd like to thank the many honest & ethical hosts who have disconnected these fraudsters within an hour of receiving my abuse report, (several in c. 20 minutes). However, the zombie botnet controlling nameservers seem to be occasionally hosted by Colocation/VPS service providers who do not respond to criminal fraud abuse reports. The honest & ethical SPs will respond with an immediate, (preferably not 24 hours or 48 hours & certainly not never...), disconnection on receipt of a criminal abuse report, having considered the evidence below & investigated, but more and more frequently service providers stall or simply ignore abuse reports. This latter minority of uncaring & unethical hosts are aiding and abetting criminal fraud and the victims suffer because of it.

Knowingly supplying services to these fraudsters is a criminal offence in the UK under the UK Proceeds of Crime act (2002) Section 328 "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low. Would all hosts and registrars with a UK presence, (other countries will undoubtedly have similar provisions), please bear this in mind and please do not ignore any criminal fraud abuse reports you may receive or if you do, please don't be surprised or offended if I file a crime complaint against you with local law enforcement agencies after a reasonable notice of abuse - the victims, (who could be your mother, father, grandmother, grandfather, the helpless, the disabled or any loved one - these criminals are exactly the same as doorstep conmen), deserve better.

The unethical hosts, (and registrars), should appreciate that taking the 'blind eye' approach involves them in the crime, creates a great deal of ill-will, bad publicity & hurts everybody, especially the victims of these fraudsters. They should also bear in mind that these crooks pay for their services using Paypal linked to stolen credit card details so they are likely to get a charge-back which will also leave them out of pocket, unless, of course, they have a more intimate relationship with the criminals.

A CEO of a Credit Union tells me of clients who have lost thousands of pounds cashing counterfeit money orders for these criminals, & I myself have had letters from worried victims, so do not under any circumstances get involved with them and also please think twice about doing business with the unethical service providers who continue to provide this criminal with the means to perpetrate his crime despite being notified of the criminal activity.

Eonix Corporation, (Infinitie.net) & IDC Inc. (Serenitynet) failed to respond in any way to all evidential abuse reports concerning this fraudster, (the first submitted on June the 5th.), and continued to host the criminal's zombie botnet on the nameserver ns1.search-pnd.com [66.196.43.228] until June the 20th. They also hosted the previous Lux Capital fraudster's botnet controller on the same nameserver/botnet controller domain & IP from 13th. May onwards and ignored all abuse reports then too. Crime complaint filed with IC3.gov.

PoundHost Internet Services Ltd./Euroconnex Networks LLP (Maidenhead - UK), are another host that ignored all criminal fraud abuse reports concerning this crook from July the 2nd. and continued to allow the criminal to operate his zombie botnet and his criminal operation on their network until July the 20th. when they were contacted by the Metropolitan police following a crime complaint.

Convergent Network Services of Hicksville, NY were informed of this criminal's zombie botnet nameserver ns1.infobiodata.com on their IP 206.71.145.83 on July the 26th. To date they have not responded to abuse reports or webform submissions. Crime complaint filed with IC3.gov.
__________________________________________________________________________________________________________________________

Blocking The spam

I have had quite a few queries about how to block the criminal's spam in Outlook Express. Fortunately they are easily detected using the OE 'Mail Rules' (Tools - Message Rules - Mail).

Rules based on the From, To etc addresses will never work as the header data is all forged. The message body remains constant, however & that can be used to detect them.

Use the rule "Where the message body contains specific words" and use the name Sydney Car Centre as the search item then choose 'delete' (or whatever action you prefer) as the action then that will definitely detect every single one of these spams.

The only problem then is if someone sends you a wanted email containing the name Sydney Car Centre.

So, to get around that you could of course pick any combination of letters from the spam as I believe that they are all the same, for example you could use the phrase "car centre personality" as the detection phrase using the above rule. That should detect them all and also be pretty safe from false positives.
__________________________________________________________________________________________________________________________ If you find this site helpful then please feel free to link to it on your website by inserting the following HTML code, (opens site in new window):
<a href="http://www.bobbear.co.uk" target="_blank">Money Laundering Fraud Websites</a>
__________________________________________________________________________________________________________________________ Here are all the known domains that are/have been used for the fraud:

Domain

sydneycentre.io
sccentre.io
sycarcentre.io
cccentre.hk
sccentre.hk
sydneycc.hk
scarcentre.hk
sydney-car.com
sydney-car.net
sydneycarcentre.tw
sydneycc.tw
sccsite.hk
carsydney.hk
carsydneys.hk
carcentre.hk
sydneycar.hk
centrecar.jp
sydneycarcentre.jp
sccentre.jp
centrecar.vg
sydneyauto.hk
scc2007.hk
carcentre.ph
sydcarc.hk
sydycarc.hk
newsydney.hk
sydneycar.st
sydneycars.hk
sydncar.kg
sydcar.kg
sydneycar.kg
scc.st
scentre.hk
sydneycentre.st
sydcarcen.ph
sydncar.st
sydcar.vu
sydcarc.st
sydncarcr.ph
sydncarc.ph
sydncarec.ph
sydnycarec.ph
sydnycarc.ph
sydcrcr.st
sydcarcr.kg
sydncr.kg
sdycar.ph
sydcar.ph
sdycrc.ph
sydycarc.kg
sdycar.kg
sdycr.kg
sydncare.ph
sdycr.ph
sdncr.ph
sdncar.kg

Zombie Botnet
Nameserver Domains

search-pnd.com
lp-vote.com
my-boxs.com
infobiodata.com gem-tn.com

Status
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Parked (Under construction page)
DNS Looped
DNS Looped
DNS Looped
Inactive
Inactive
DNS Looped
DNS Looped
Inactive
Inactive
Inactive
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Suspended
Active

Zombie Botnet
Nameserver Domains

Parked
Suspended
Parked Active Active

Registrar

nic.io
nic.io
nic.io
HKDNR.hk
HKDNR.hk
HKDNR.hk
HKDNR.hk
Joker.com
Joker.com
SEED.net.tw
SEED.net.tw
HKDNR.hk
HKDNR.hk
HKDNR.hk
HKDNR.hk
HKDNR.hk
JPRS.jp??
JPRS.jp??
JPRS.jp??
AdamsNames Ltd
HKDNR.hk
HKDNR.hk
domains.ph
HKDNR.hk
HKDNR.hk
HKDNR.hk
Nic.st
HKDNR.hk
Domain.kg
Domain.kg
Domain.kg
Nic.st
HKDNR.hk
Nic.st
domains.ph
Nic.st
Vunic.vu
Nic.st
Domains.ph
Domains.ph
Domains.ph
Domains.ph
Domains.ph
Nic.st
Domain.kg
Domain.kg
Domains.ph
Domains.ph
Domains.ph
Domain.kg
Domain.kg
Domain.kg
Domains.ph
Domains.ph
Domains.ph
Domain.kg

Zombie Botnet
Nameserver Domains

Register.com
Spiritdomains.com
Domaindirect.com
Spiritdomains.com
Register.com

Please notify me of any errors or domains not listed here.

Tips for registrars
i) The criminal uses his own nameserver domain to control his zombie botnet. By definition there are no legitimate domains using his dedicated botnet nameservers, currently ns1.gem-tn.com & ns2.gem-tn.com. This provides a good database search option for you to identify & delete all of this criminal's fraud domains and suspend them if you so wish.

ii) All of the criminal's domains have different false whois data.
__________________________________________________________________________________________________________________________

If you have been a victim of this fraudster & would like to tell your story on this page as a warning & to help others, please contact me.
__________________________________________________________________________________________________________________________ Fraud Blog

5th. June 2007
Abuse reports sent to Joker for domains sydney-car.com & sydney-car.net & Yahoo for their network hosting:
Looking up the 2 sydney-car.com parent servers: (The DNS data for
sydney-car.net is identical).

==============Server===========DNS 'A' Record Response (Site host IPs)====
yns1.yahoo.com [66.218.71.205] 69.147.83.150 69.147.83.151 69.147.83.152 69.147.83.153 69.147.83.154 69.147.83.155
yns2.yahoo.com [216.109.116.20] 69.147.83.146 69.147.83.159 69.147.83.176 69.147.83.177 69.147.83.178 69.147.83.179

The criminal's network uses a set of 34 Yahoo/Geocities IPs from 69.147.83.146 to 69.147.83.179 to host his site on a rotating basis controlled by Yahoo nameservers yns1.yahoo.com [66.218.71.205] & yns2.yahoo.com [216.109.116.20]

Abuse reports also sent to HKDNR, NIC.IO, Register.com, Infinitie.net & Serenitynet for the criminal's domains sydneycentre.io, sccentre.io, sycarcentre.io, sccentre.hk, sydneycc.hk & scarcentre.hk all hosted on this zombie botnet:

Looking up the 2 scarcentre.hk parent servers:

==================Server========'A' Record Response (Zombie host IPs)==========
ns1.search-pnd.com [66.196.43.228] 123.194.90.181 222.105.127.136 75.36.159.225 75.49.2.172 82.59.114.29
ns2.search-pnd.com [26.81.81.101] Timeout (Fake nameserver)
__________________________________________________________________________________________________________________________
6th. June 2007 Yahoo appear to have disconnected the domains sydney-car.com & sydney-car.net as the DNS data now shows a loop-back to the root servers for those domains. No action as yet from HKDNR, NIC.IO, Register.com, Infinitie.net & Serenitynet for the other domains.
Later Domain sydney-car.com resolving again on the Yahoo network although the dns for sydney-car.net remains looped - abuse report re-submitted.
Later DNS looped on both domains sydney-car.com & sydney-car.net rendering the sites inaccessible.
Later I don't know what Yahoo are doing - sydney-car.net still has it's DNS disabled, but sydney-car.com is back up on the Yahoo network again. I know from example that these expert criminal con artists can be very convincing of their bogus innocence, but the evidence against these crooks is irrefutable...
__________________________________________________________________________________________________________________________
7th. June 2007 Another 'action taken' notice received from Yahoo in response to my further abuse report & sydney-car.com is now disabled once again, (along with sydney-car.net), - thank you Yahoo. Please keep it in its coffin this time...

In contrast, domains:

sydneycentre.io
sccentre.io
sycarcentre.io
cccentre.hk
sccentre.hk
sydneycc.hk
scarcentre.hk

are all still active on the zombie botnet above - no action has been taken by HKDNR for the .hk domains, nic.io for the .io domains, register.com for the nameserver domain search-pnd.com or Infinitie.net & Serenitynet for the host IP 66.196.43.228. All in all I think it's a pretty disgraceful state of affairs for all concerned, considering that the first "urgent" abuse report was sent to all parties 48 hours ago at 12:32pm, (UTC+1), on the 5th. June.

As an aside, it's worth noting that from June the 1st. a new law has come into effect in Hong Kong called the 'Unsolicited Electronic Messages Ordinance' which basically outlaws the sending of unsolicited bulk email, (spam) and has provisions covering other areas such as fraud.

Later I don't believe it - sydney-car.com is back up on the same Yahoo network, although sydney-car.net remains disabled. I despair... Abuse report re-filed with Yahoo domains.
__________________________________________________________________________________________________________________________
8th. June 2007 The domains sydney-car.com & sydney-car.net are now both disabled on the Yahoo network but for how long is anybody's guess. I asked Yahoo domains team why sydney-car.com had been reinstated but didn't receive an answer - just another 'action taken' notice.
The zombie botnet is still active for all the criminal's other domains as noted yesterday.
Later The criminal's domain sydney-car.com has been reinstated yet again on the same Yahoo network - this is getting extremely tedious. Yahoo abuse report filed yet again.
__________________________________________________________________________________________________________________________
9th. June 2007 It looks like Yahoo may have permanently looped the dns of sydney-car.com this time around. It appears that serenitynet.com & infinity.net have little intention of terminating the accounts of these criminals, nor have register.com for the nameserver domain search-pnd.com. Also HKDNR are once again dragging their feet over suspending criminal registered .hk domains.Later sydney-car.com back up again on the Yahoo 'small business' network - what can I say? Abuse report resent.
__________________________________________________________________________________________________________________________
11th. June 2007 Yahoo seem to have stuck the domain sydney-car.com on an 'under construction' page this time which is good (I think?) - thank you, Yahoo. The rest of the domains listed on the 7th. are all still active as before.
__________________________________________________________________________________________________________________________
12th. June 2007 Nic.io appear to have finally done the decent thing and suspended the .io domains. I'm afraid HKDNR are back to their bad old ways. They have been aware of the situation regarding the above .hk domains since June the 5th. from me and have all the crystal clear evidence of site theft & fraud, but so far have not taken the action that is warranted under sections 12.1 (d) & (f) of their registration agreement, not to mention the recently enacted Unsolicited Electronic Messages Ordinance (Hong Kong) act. Complaint against HKDNR submitted to the Hong Kong police & acknowledgement received.

Register.com also seem to be unhelpful in suspending this fraudster's domains.

Infinitie.net & Serenitynet are continuing to provide hosting for the criminal fraudster's nameserver/botnet controller on IP 66.196.43.228 despite having being notified about it several times from June the 5th. onwards. Complaint against Eonix/Infinitie.net submitted to IC3.gov. In contrast, Yahoo seem to have finally evicted the crooks two domains sydney-car.com & sydney-car.net from their small business network, but Joker have so far not suspended them, so no doubt they will be up on another network shortly.
__________________________________________________________________________________________________________________________
14th. June 2007 All the criminal's .io domains are suspended thanks to nic.io, but all his .hk domains are still resolving due to HKDNR's unwillingness to suspend them, (first notified on June 5th.). Serenitynet/Infinitie.net are still hosting the criminal's zombie botnet on 66.196.43.228 (also notified June 5th.).

Just a note on IC3.gov - this is a cyber crime reporting partnership between the FBI and the National White Collar Crime Center & is a reporting centre for cyber crime & the criminals that perpetrate it. According to press releases on their website, the FBI reached a significant cyber-crime milestone on Wednesday, announcing that IC3.gov logged its 1 millionth consumer complaint. IC3 have forwarded more than 461,000 criminal complaints, involving c. $647m losses, to federal, state or local law enforcement agencies. The FBI are currently clamping down on botnets of the sort hosted by Infinitie.net - operation 'Bot Roast' has been ongoing for several months & has resulted in several arrests.

Let's hope Eonix Corp./Infinitie.net get a call for providing hosting for a zombie botnet run by cyber criminals. Their lack of response to abuse reports to date is allowing the criminal to carry on his fraud unhindered.
__________________________________________________________________________________________________________________________
15th. June 2007 Another of the fraudster's domains has been spotted in the wild - sydneycarcentre.tw. He may well have a selection of these .tw registrations, but this is the only one I've come across so far - any more noted by anyone? It's on the usual botnet above. Abuse report submitted to registrar, (SEED.NET) et al.

Later: Good news! HKDNR have finally suspended all of the .hk domains listed above, but it's taken since June the 5th., (since my first contact, anyway), to get here - that's far too long considering the undeniable evidence of criminality & means the criminal has had a ten day free ride to con his victims, using services provided by the botnet host, Eonix/Infinitie.net.

The only domain I know of that is still active on their Eonix/Infinitie.net botnet is the domain sydneycarcentre.tw & that has been abuse reported to the registrar SEED.net.tw. If anyone knows of any other active domains used by this criminal then please do let me know.
__________________________________________________________________________________________________________________________
16th. June 2007 Another .tw domain spotted in the wild - sydneycc.tw, alive on the Eonix/Infinitie.net hosted botnet above. Abuse reported & added to list.
Later A new domain (sccsite.hk) has been notified to me by a visitor - many thanks. Abuse reported & added to list.
__________________________________________________________________________________________________________________________
18th. June 2007 I've received spam using a new domain - carsydneys.hk on the usual botnet. Abuse reported to all concerned, although it's so far proved a waste of time reporting to Eonix Corp. (Infinitie.net), IDC Inc., (Serenitynet.com), and Register.com who all continue to provide services for this criminal fraudster.
__________________________________________________________________________________________________________________________
19th. June 2007 Another new domain spotted - carcentre.hk, still on the Eonix (Infinitie.net) hosted botnet. Unfortunately, the criminal appears to have got a reliable host in Infinitie.net who do not seem concerned at hosting this site thief & criminal fraudster. He is obviously building up a new stock of .hk domains with HKDNR. I did suggest to HKDNR that if they were so minded, they could search their database for domains using the criminal's 'in house' nameserver ns1.search-pnd.com & immediately suspend all of the criminal's domains in one go.
__________________________________________________________________________________________________________________________
20th. June 2007
That's a curious development - the six active criminal's domains:

sydneycarcentre.tw (http://sydneycarcentre.tw/)
sydneycc.tw (http://sydneycc.tw/)
carcentre.hk (http://carcentre.hk/)
carsydney.hk (http://carsydney.hk/)
carsydneys.hk (http://carsydneys.hk/)
sccsite.hk (http://sccsite.hk/)

are all still hosted on the Eonix/Infinitie.net zombie botnet as normal, but the stolen 'Sydney Car Centre' money laundering fraud site content has been replaced by an ubiquitous 'search engine' page. I wonder by whom & why?
__________________________________________________________________________________________________________________________
21st. June 2007 The answer seems to be 'by the criminals'.

The criminal's now moved his botnet. New details:

Looking up at the 2 sccsite.hk. parent servers: 

 Server (Botnet Controller) Response (Zombie Website Host IPs)
ns1.lp-vote.com [64.38.5.126] 69.159.49.146 69.238.171.27 75.41.24.0 76.109.140.174 85.237.18.122
ns2.lp-vote.com [66.71.21.31] Timeout (Fake Nameserver)

The criminal's new nameserver lp-vote.com is registered with IA Registry(Spiritdomains) and the new nameserver host IP belongs to FastServers, Inc. of Chicago.

At the moment he's just got the domains sccsite.hk, sydneycarcentre.tw and sydneycc.tw on the above botnet with the stolen Stratford Car Centre website content. His other domains, (carcentre.hk, carsydney.hk & carsydneys.hk), have his *bogus? search page on them. The domain carsydneys.hk is still on the old botnet, & carcentre.hk is on the new one. No doubt he'll move them all across, plus some new ones before long... *Note to self - research domain bmnq.com....
Later Spam received using a new domain sydneycar.hk & hosted on the botnet above also with carcentre.hk and the others except carsydney.hk & carsydneys.hk. You would imagine that as HKDNR has already suspended several domains used by this fraudster then others would be quickly suspended - unfortunately that doesn't seem to be the case...
__________________________________________________________________________________________________________________________
22nd. June 2007 The criminal should now find that the above botnet nameserver ns1.lp-vote.com [64.38.5.126] is now no longer responding - thanks for the help & feedback, guys. Look out for a new host shortly...

Later That wasn't long - the crook is up on his new botnet controller host:

Looking up at the 2 sydneycar.hk. parent servers:
http://www.dnsstuff.com/tools/traversal.ch?domain=sydneycar.hk&type=A

---Server (Botnet Controller)---------'A' Response (Zombie Host IPs)-----
ns1.lp-vote.com [75.126.231.132] 77.98.30.193 82.137.44.50 86.107.195.223 89.132.181.204 89.33.57.188
ns2.lp-vote.com [66.71.21.31] Timeout - fake nameserver to meet requirement for two nameservers as per RFC 1035 section 2.2.

The criminal's zombie botnet controller ns1.lp-vote.com [75.126.231.132] is hosted by Softlayer Technologies Inc. of Plano, Texas. Usual abuse reports filed.

On this botnet the criminal is using the domains:

sydneycarcentre.tw (http://sydneycarcentre.tw/)
sydneycc.tw (http://sydneycc.tw/)
carcentre.hk (http://carcentre.hk/)
sydneycar.hk (http://sydneycar.hk/)
sccsite.hk (http://sccsite.hk/)
centrecar.jp (http://centrecar.jp/)
centrecar.vg (http://centrecar.vg/)

Those are just the presently active ones that I know of. There may well be others, let me know if you see any. The full list of all known domains used since the beginning of this fraud is at the top of the page.
__________________________________________________________________________________________________________________________
25th. June 2007 All the criminal's domains are still resolving on the above botnet. It looks like we may have another unresponsive host of this fraudster in Softlayer Technologies Inc. & HKDNR appear to be back to their bad old ways of ignoring criminal domain abuse reports which I guess explains the increased flood of .hk domain fraudsters & spammers in my inbox. I'm also rather disappointed in Spiritdomains who have in the past been helpful in shutting down this criminal's in-house nameserver domains. SEED.net are also not responding re. the criminal's .tw domains. All-in-all the Sydney Car Centre criminal fraudster appears to have chosen his providers rather well this time around which is unfortunate for his victims....
__________________________________________________________________________________________________________________________
26th. June 2007 Once again all of the criminal's domains are still resolving courtesy of the Softlayer Technologies Inc. hosted botnet. One new domain has been added to the botnet list, (courtesy of a viewer), & that's centrecar.jp - that's the first .jp domain I've seen for these criminals.
__________________________________________________________________________________________________________________________
27th. June 2007 Softlayer Technologies, HKDNR, Spiritdomains, SEED.net et al are all still not responding to reports of the activity of their criminal client. A viewer has notified me of a new domain, (centrecar.vg), which is operating on the usual Softlayer Technologies Inc. hosted botnet above.
__________________________________________________________________________________________________________________________
28th. June 2007 No change to the situation - Softlayer Technologies Inc. continue to host the criminal fraudster & ignore all abuse reports as do the domain registrars.

If these fraudsters are targeting you & if, like me, you object to Softlayer Technologies Inc. making money out of criminal fraud by providing the criminals with their internet hosting facilities, then you may wish to tell them so by writing to sales@softlayer.com, abuse@softlayer.com and support@softlayer.com or you may wish to consider filing a complaint against them with http://ic3.gov/ for providing the technical facilities used to host a zombie botnet involved in the perpetration of criminal fraud.

Even if Softlayer Technologies Inc. decide now to do the honest, decent & ethical thing by disconnecting the fraudsters two botnet controllers/nameservers ns1.lp-vote.com [75.126.231.132] & ns2.lp-vote.com [75.126.231.132], (yes, the criminal's pointed his second nameserver to the same IP), it should be borne in mind that they have so far ignored all abuse reports for a week which has given the criminal all of the hosting he would probably expect to cover his spam runs. If every host behaves in this manner then the criminal has an easy ride and, as ever, it is the victims that will pay the price & ultimately us all.
__________________________________________________________________________________________________________________________
29th. June 2007 More fraud spam received & all the criminal's domains listed above are still resolving. Don't forget to report all his spam links as phishing/fraud sites to Internet Explorer & Firefox via the 'Tools' & 'Help' menus respectively. Firefox are already correctly listing most of his spam links as fraud sites, but there are a couple still not listed. Internet Explorer, (as ever), is well behind. Links are of the form http://sydneycarcentre.tw/vacancies.php where the domain sydneycarcentre.tw can be replaced by any of the seven known active domains listed above.
__________________________________________________________________________________________________________________________
30th. June 2007 The only two domains still resolving out of the seven active ones listed above are centrecar.jp & centrecar.vg. All the other five appear to have their DNS looped back to the root servers on the nameservers. Quite who has done that I'm not sure, but I don't think it's Softlayer Technologies Inc. Possibly it's the nameserver domain registrar Spiritdomains, but I'm not sure why they've left out the odd two domains if that's the case.
__________________________________________________________________________________________________________________________
1st. July 2007 Another month and Softlayer Technologies Inc. of Plano, Texas are still providing hosting services for the criminals despite numerous abuse reports to them & their upstream providers & 'interactive chats' via their website.

A reader has kindly informed me of another of the crooks domains - sydcarc.hk. Added to the list & abuse reported. That leaves just four active domains that I know of ATMIT on the Softlayer Technologies Inc. zombie botnet above, namely:

sydneyauto.hk
sydcarc.hk
centrecar.jp
centrecar.vg

Unfortunately AdamsNames Ltd. have not yet suspended centrecar.vg, nor have the registrars for the other 3 domains, but on the positive side, they are the only 4 known domains still left resolving out of the total of 20 known domains listed above. If you know better, please let me know! All comments & feedback are welcome - I try to reply to all.
Later Spam received using the domain sydneyauto.hk - added to the list & abuse reported.
__________________________________________________________________________________________________________________________
2nd. July 2007 The criminal's Softlayer Technologies Inc. hosted nameservers ns1.lp-vote.com [75.126.231.132] & ns2.lp-vote.com [75.126.231.132] are now both timing out, so none of the above remaining four domains are resolving. I expect he'll be up on another unhelpful host shortly, unless this Sydney Car Centre scam has reached the end of its natural life....
Later Looks like the crook is moving his botnet nameserver ns1.lp-vote.com over to 85.234.157.216 which is a PoundHost Internet Services (Euroconnex Networks LLP) IP. (That rings a bell..). All four of the above fraud domains appear to be resolving via that nameserver now. Here we go again..
__________________________________________________________________________________________________________________________
3rd. July 2007 All 4 of the above active domains still resolving this morning on this Euroconnex/Poundhost botnet:

sydneyauto.hk DNS data (All four of the above fraud domains share the same data):

---Server (Botnet Controller)---------'A' Response (Zombie Host IPs)-----
ns1.lp-vote.com [85.234.157.216] 12.217.177.168 62.30.174.26 81.4.253.84 84.133.38.56 86.71.39.119
ns2.lp-vote.com [75.126.231.132] Timeout - Softlayer hosting finally appears terminated

According to my records, I last had dealings with Euroconnex/Poundhost back in July-September 2006 when they were hosting this same fraudster on IP 85.234.150.43 under the alias 'Norway Consulting Group'. They didn't respond to abuse reports then. I hope I can report differently this time around...
__________________________________________________________________________________________________________________________
4th. July 2007 All of the criminal's domains are still resolving this morning and no response whatsoever from several abuse reports to Poundhost. Sadly it looks like they haven't changed since our last encounter. More fraud spam received this am using domains sydneyauto.hk and centrecar.jp. Abuse report sent, this time including a 'request for help' to Poundhost's upstream providers.
__________________________________________________________________________________________________________________________
5th. July 2007 The criminal's zombie botnet above is intact and all four of his fraud domains are still resolving so it looks like once again the criminal has made a wise choice of suppliers of services to his fraud.
Later Notified by a reader of another new domain used by this fraudster - scc2007.hk. Thank you.
__________________________________________________________________________________________________________________________
6th. July 2007 No reply from Adamsnames, but domain centrecar.vg appears to have been suspended - thank you for that, it's just a shame that it couldn't have been quicker, given the irrefutable evidence of criminality. It's even more of a pity that PoundHost Internet Services (Maidenhead - UK), & the registrars are still providing services to the criminal.

I'm quite surprised that Poundhost Internet Services ignore reports of criminal activity on their network considering that they are full members of the RIPE NCC
__________________________________________________________________________________________________________________________
7th. July 2007 Spotted another of the criminal's domains this morning, (sydneycarcentre.jp), & added to the list. Needless to say it's on the crooks Poundhost Internet Services botnet like all the others. Does anyone have an effective reporting address/registrar details for these .jp domains?
Another .jp domain deduced: sccentre.jp
__________________________________________________________________________________________________________________________
8th. July 2007 Confirmation of suspension of nameserver domain lp-vote.com received from Spiritdomains - thank you guys. I think there has been a problem with Spiritdomains abuse reporting address. The criminal will shortly be needing a new nameserver domain for his botnet - watch this space.
Later As usual the criminal has been quick off the mark and has moved his botnet over to a new nameserver domain, my-boxs.com, which he has only registered in the last week with Domain Direct, (a Tucows offshoot), but still on the Poundhost hosted zombie botnet:
---Server (Botnet Controller)---------'A' Response (Zombie Host IPs)-----
ns1.my-boxs.com [85.234.157.216] 83.184.25.124 84.0.167.117 86.124.195.7 89.110.11.104 89.35.175.117
ns2.my-boxs.com [69.101.57.11] Timeout - Fake nameserver to meet RFC requirement for two nameservers

He's just got the .hk domains scc2007.hk, sydneyauto.hk & sydcarc.hk on it at the moment AFAIK, but no doubt the .jp ones will follow if he's still got access to them.
__________________________________________________________________________________________________________________________
10th. July 2007 This morning's spam is using a new domain - carcentre.ph but still using the PoundHost Internet Services Ltd./Euroconnex Networks LLP hosted zombie botnet despite numerous abuse reports.
Later More criminal fraud spam received using the HKDNR domain sydneyauto.hk
__________________________________________________________________________________________________________________________
12th. July 2007 The criminal's domains are all still resolving on their PoundHost Internet Services Ltd. / Euroconnex Networks LLP hosted zombie botnet along with a new domain - sydycarc.hk
__________________________________________________________________________________________________________________________
13th. July 2007 Good news - HKDNR seem to have suspended domains sydneyauto.hk & scc2007.hk - if only they were quicker. That just leaves 3 active domains remaining that I know of on the criminal's Poundhost/Euroconnex botnet, (sydycarc.hk, sydcarc.hk & carcentre.ph), out of 25 known originals. If you know different, please let me know.
__________________________________________________________________________________________________________________________
14th. July 2007 I've been notified of a new fraud domain - newsydney.hk Thank you for that. Needless to say it is hosted on the Poundhost/Euroconnex zombie botnet like the others.
Later Yet another fraud domain (sydneycar.st) spotted & abuse reported to nic.st etc.
__________________________________________________________________________________________________________________________
15th. July 2007 All five of the criminal's known currently active domains are still resolving this morning. It's worth reiterating that these criminals couldn't operate if it weren't for hosts such as PoundHost Internet Services LLP / Euroconnex Networks LLP, (Maidenhead - UK) and the registrars involved. At least HKDNR are now making some sort of effort to tackle this sort of criminality but they are far too slow to act.
__________________________________________________________________________________________________________________________
16th. July 2007 The registrar HKDNR have suspended the domains newsydney.hk & sydycarc.hk, leaving just the known domains sydcarc.hk, carcentre.ph & sydneycar.st still active on their service providers', (PoundHost Internet Services LLP/Euroconnex Networks LLP), zombie botnet.
__________________________________________________________________________________________________________________________
17th. July 2007 Another new domain which was registered only yesterday notified to me by a viewer - sydneycars.hk. Thank you for that. Abuse reported to HKDNR. Needless to say it is on the usual criminal's Poundhost/Euroconnex zombie botnet
__________________________________________________________________________________________________________________________
19th. July 2007 Good news - the Met Police have spoken to Poundhost and that should shortly be the end of the crook's hosting. It's just a shame that they have got away with hosting this criminal for so long, considering the number of victims that have probably been sucked in to the fraud since I first notified them on July the 2nd. Under the UK Proceeds of Crime act (2002) Section 328 "A person commits an offence if he enters into or becomes concerned in an arrangement which he knows or suspects facilitates (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person". The notification level for this offence is low. Would all hosts and registrars with a UK presence please bear this in mind and please do not ignore abuse reports involving criminal fraud.
__________________________________________________________________________________________________________________________
20th. July 2007 The Poundhost/Euroconnex hosted botnet controller ns1.my-boxs.com [85.234.157.216] is now timing out. It's just a pity that it took the intervention of the law to make them do the honest & decent thing. If you know of any other criminal fraud sites that Poundhost Internet Services are hosting then please contact me.
Later Noticed that HKDNR have suspended the last known active .hk domain - sydcarc.hk. They're getting to be quite good at this now... That means that the crook just has the domains sydneycar.st & carcentre.ph on his dead botnet AFAIK - let me know if you know different.
Later Another domain notified to me by a site visitor - sydncar.kg. Thanks for that. Abuse reported to domain.kg
__________________________________________________________________________________________________________________________
21st. July 2007 The criminal's botnet is still down so none of his domains are resolving for the moment, but he appears to have started to use .kg domain registrations, probably because HKDNR are now taking action against their .hk criminal clients. Another domain notified to me - sydcar.kg. Abuse reported to domain.kg ditto for another domain - sydneycar.kg

Later It didn't take long - the fraudster has now got his domains up and his botnet running on the Layered Technologies Inc IP 72.36.200.218:
---Server (Botnet Controller)---------'A' Response (Zombie Host IPs)-----
ns1.my-boxs.com [72.36.200.218] 213.220.218.93 75.41.15.168 81.77.36.238 84.156.240.221 88.65.76.194
ns2.my-boxs.com [69.101.57.11] Timeout - Fake nameserver to meet RFC requirement for two nameservers

The domains I know of that he has on this botnet are:
sydneycar.st - Attention Nic.st ***Suspended***
scc.st - Attention Nic.st ***Suspended***
sydneycar.kg - Attention domain.kg
sydcar.kg - Attention domain.kg
sydncar.kg - Attention domain.kg
carcentre.ph - Attention Domains.ph ***Suspended***
my-boxs.com - Attention Domaindirect.com

This criminal gang have used Layeredtech before - the last time my experience in getting them shut down was not good. I hope I can report more positively this time around.
Later Only an auto response from Layeredtech abuse, but the crook's Layeredtech nameserver IP 72.36.200.218 is now timing out & none of his domains are resolving. If it stays dead I might have to say something nice about Layeredtech...
__________________________________________________________________________________________________________________________
22nd. July 2007 The criminal's botnet nameserver ns1.my-boxs.com. [72.36.200.218] is still timing out this morning, so it looks as though thanks are due to Layeredtech for taking fast and responsible action - thank you.
Later Having very quickly been kicked off Layeredtech, all the above crook's domains are resolving once again as he has now moved his botnet to the Netdirekt/Exportal IP 89.149.225.100:
DNS Traversal for all of the above domains:
---Server (Botnet Controller)---------'A' Response (Zombie Host IPs)-----
ns1.my-boxs.com [89.149.225.100] 213.220.218.93 74.78.114.62 75.41.15.168 76.50.40.116 86.126.220.73
ns2.my-boxs.com [69.101.57.11] Timeout - Fake nameserver to meet RFC requirement for two nameservers.
Later Another .st domain notified to me - scc.st
__________________________________________________________________________________________________________________________
23rd. July 2007 The domain sydneycar.st appears to have been suspended by nic.st, but the other five known domains are still resolving on the Netdirekt/Exportal botnet & my open on-line abuse ticket has not yet been replied to. Domaindirect(Tucows) do not respond to requests to suspend the nameserver domain my-boxs.com
__________________________________________________________________________________________________________________________
25th. July 2007 The criminal's botnet is disabled due to action by Exportal to disable the VPS on IP 89.149.225.100 and the domain carcentre.ph has been suspended by domains.ph - thanks guys for your help & your responsible actions. I wonder who the crook's next host will be? I'm already seeing a new nameserver domain - infobiodata.com, registered with Spiritdomains on July the 13th. so it looks like the crook's working on it... watch this space...
Later...and here we are back to Layeredtech (72.232.50.114) with his zombie botnet and new nameserver domain infobiodata.com:

DNS traversal for all of the crook's active domains:

----Server (Botnet Controller)---------------'A' Response (Zombie Host IPs)-------------
ns1.infobiodata.com [72.232.50.114] 81.203.21.33 82.79.188.122 83.190.150.150 86.107.232.12 87.20.141.190
ns2.infobiodata.com [67.14.58.11] Timeout - Fake nameserver to meet RFC requirement for two nameservers.
__________________________________________________________________________________________________________________________
26th. July 2007 Layeredtech have terminated this criminal's hosting - once again, thanks from me, (and I'm sure from all the crook's victims too), to the Layeredtech abuse team for your ethical & responsible action.
Later The crook has now moved his botnet to a Convergent Network Services IP - 206.71.145.83:

DNS traversal for all of the crook's above active domains:

----Server (Botnet Controller)---------------'A' Response (Zombie Host IPs)-------------
ns1.infobiodata.com [206.71.145.83] 68.59.1.82 81.203.21.33 82.155.52.73 83.181.173.99 87.19.140.5
ns2.infobiodata.com [67.14.58.11] Timeout - Fake nameserver to meet RFC requirement for two nameservers.
He's still got these four domains on the above Convergent Network Services hosted botnet:
scc.st - Attention Nic.st ***Suspended***
sydneycar.kg - Attention domain.kg
sydcar.kg - Attention domain.kg
sydncar.kg - Attention domain.kg
Sadly, domain.kg have not responded to any abuse reports.
__________________________________________________________________________________________________________________________
27th. July 2007 Unfortunately no response or action from domain.kg or the host of the botnet, Convergent Network Services of Hicksville, NY, so the criminal's operation continues. All parties involved in this criminal activity are aware of it, but are so far choosing to turn a blind eye to it and by so doing are aiding and abetting this criminal fraudster.
__________________________________________________________________________________________________________________________
28th. July 2007 Nic.st have suspended the domain scc.st. A little slow, but better late than never - thanks, guys... The Kyrghyzstan registrar domain.kg continues to ignore abuse reports regarding this fraudster's domains and the US service provider Convergent Network Services of Hicksville, NY continues to provide this criminal with his botnet hosting despite many reports via email & webform. They also ignored abuse reports concerning their hosting of the Aegis Capital fraudster. Their published contact email addresses are:

service@convergentns.net
sales@convergentns.net
billing@convergentns.net
noc@convergentns.net

and their other contact details are here. If you disagree with their continued hosting of this criminal fraudster then feel free to let them know - I'm sure they'd love to hear from you. Apart from the criminal himself & his Kyrghyzstan registrar, it's mainly down to Convergent Network Services inaction at the moment that their fraud spammer client Sydney Car Centre using server ns1.infobiodata.com [206.71.145.83] is having an easy ride, although the Kyrghyzstan domain registrar could also stop the fraudster if they so wished by immediately suspending his fraud domains.
__________________________________________________________________________________________________________________________
29th. July 2007 No change - the Convergent Network Services hosting on ns1.infobiodata.com [206.71.145.83] is still active and the Sydney Car Centre fraudster is still pumping out his criminal spam & entrapping his victims. If you are being spammed senseless, or this crook has ripped you off then you can let Convergent Network Services, (800 956 3226), know what you think about them continuing to provide their criminal client with the facilities to do it. Other contact details on the link above. They may just do the honest, ethical & decent thing that they should have done on the 26th, i.e. cease this criminal's hosting.
__________________________________________________________________________________________________________________________
30th. July 2007 No change - The Sydney Car Centre criminal is still operating, courtesy of Convergent Network Services and the Kyrghyzstan domain registrar.
Later A viewer has informed me of a new domain used by this fraudster - sydneycentre.st. Thank you.
__________________________________________________________________________________________________________________________
31st. July 2007 No change - The Sydney Car Centre criminal is still operating, courtesy of Convergent Network Services and the Kyrghyzstan domain registrar. More spam received from them this morning. I think the Convergent Network Services position is pretty clear. They've had more than a fair chance to do the honest, ethical & decent thing or at least respond to abuse reports & they've done neither. Criminal activity report filed against them via IC3.gov. You may wish to do the same, especially if you have lost money to this criminal. Abuse reports also copied to their upstream provider, Global Crossing. Hopefully they will prove more responsible.
__________________________________________________________________________________________________________________________
1st. August 2007 Another month and on the bad side Convergent Network Services and the Kyrghyzstan domain registrar continue to aid and abet criminal activity. On the good side nic.st have suspended the domain sydneycentre.st - thanks guys - at least there's one ethical link in the chain.
Later Spam received using a new domain - sydcarcen.ph
__________________________________________________________________________________________________________________________
2nd. August 2007 Spam received using another new domain - sydncar.st. All active domains still resolving courtesy of the Convergent Network Services, (aka Ironcolo.com), zombie botnet hosting.
Later Another new domain notified to me by a viewer - sydcar.vu. Thanks for that.
Later Nic.st have already suspended the domain sydncar.st - thanks guys, brilliant service from an ethical registrar showing how it should be done. Such a pity some other registrars and hosts are not so scrupulous.
Later Spam received from another new domain - sydcarc.st
__________________________________________________________________________________________________________________________
3rd. August 2007 Vunic.vu report that sydcar.vu has been removed from their system. My thanks to another ethical provider. All other active domains still responding on the Convergent Network Services, (aka Ironcolo.com), hosted botnet. I think what's needed are a few high profile criminal prosecutions of hosts that knowingly host criminals & their zombie botnets.
__________________________________________________________________________________________________________________________
5th. August 2007 Thank you nic.st for suspending domain sydcarc.st. If only some of the other registrars involved and especially the criminal's zombie botnet hosting provider, Convergent Network Services, (aka Ironcolo.com), were as honest, decent and ethical and did not continue to aid and abet site theft and criminal fraud. Another domain received in spam - sydncarcr.ph
__________________________________________________________________________________________________________________________
7th. August 2007 None of the criminal's .kg & .ph domains are resolving at the moment. It's not obvious, (to me, anyway), who's taken the action as there are no A records at the nameserver ns1.infobiodata.com [206.71.145.83] but the IP is still active & reachable & none of the registrars appear to have done anything.
Later All the domains are resolving again on the same Convergent Network Services, (aka Ironcolo.com), zombie botnet. I thought it unlikely that his criminal accomplices would have done anything ethical & indeed it appears that they haven't.
__________________________________________________________________________________________________________________________
8th. August 2007 The Sydney Car Centre criminal has a new nameserver domain, (gem-tn.com):

DNS traversal for all of the crook's active domains below:

----Server (Botnet Controller)---------------'A' Response (Zombie Host IPs)-------------
ns1.gem-tn.com [206.71.145.83] 75.53.125.103 81.98.121.164 85.176.177.113 85.178.194.205 86.126.152.97
ns2.gem-tn.com [69.72.10.37] [Error: Port Unreachable] - Fake nameserver to meet RFC requirement for two nameservers, (never resolves).

The domain gem-tn.com was registered on July the 13th. with Register.com. He obviously registered a number of them at the same time.

He's still got these website domains that I know of on the above Convergent Network Services/Ironcolo.com hosted zombie botnet:

sdycr.kg - Attention Domain.kg ***Suspended***
sydncare.ph - Attention Domains.ph ***Suspended***
sdycr.ph - Attention Domains.ph ***Suspended***
sdncr.ph - Attention Domains.ph ***Suspended***
sdncar.kg - Attention Domain.kg

Sadly, the zombie botnet host, Convergent Network Services, (aka Ironcolo.com), of Hicksville, NY obviously have no conscience about hosting this thief, criminal fraudster & spammer. If, like me, you believe in ethical behaviour, please consider if this is the sort of company to do business with.
__________________________________________________________________________________________________________________________
9th. August 2007 Unfortunately, the Sydney Car Centre criminals, aided & abetted by the above zombie botnet host are still actively recruiting money transfer 'mules' to launder their stolen/counterfeit funds.
__________________________________________________________________________________________________________________________
10th. August 2007 Convergent Network Services, (aka Ironcolo.com) of Hicksville NY, (contact details under 28th. July above), continue to provide this criminal with the services necessary for him to continue to perpetrate his crime despite numerous notifications since July the 26th from me. They will undoubtedly have been bombarded with numerous complaints from others to no apparent avail.
__________________________________________________________________________________________________________________________
13th. August 2007 Helpful feedback received from the .kg & .ph registrars - thanks guys. They've cancelled the crooks known .kg & .ph domains although I notice that the .kg domains are still resolving in DNS as the .kg root servers 'A' records still seem to be present. Hopefully they will clear in 24 hours. Once they do he has no active domains that I know of.
__________________________________________________________________________________________________________________________
14th. August 2007 Spam received this morning containing new domain sydncarec.ph Abuse reported to domains.ph.
Later Two more .ph domains notified to me, (thanks, guys) & abuse reported:
sydnycarec.ph
sydnycarc.ph
The criminal obviously still thinks that domains.ph are criminal friendly &/or slow to act or he wouldn't keep using them. Let's hope he's wrong....
__________________________________________________________________________________________________________________________
15th. August 2007 Unfortunately the criminal's latest .ph domains are still active today & Convergent Network Services, (aka Ironcolo.com) continue to aid and abet the criminal by hosting his zombie botnet despite numerous reports.
__________________________________________________________________________________________________________________________
16th. August 2007 Unfortunately the three .ph domains above are still active despite a reply from domains.ph and the criminal is still using that fact to full advantage - spam received today using two of them. The crook's host, (Convergent Network Services, aka Ironcolo.com), is also still providing them with the means to perpetrate their criminal fraud. They are proving themselves to be the worst criminal host I have ever come across. They have no abuse reporting address as per RFCs and even their contact email address in the IP whois data , (noc@convergentns.net), bounces with an 'unknown user' error as does their listed address billing@convergentns.net.
New domain notified to me by a site visitor - sydcrcr.st. Thank you for that.
__________________________________________________________________________________________________________________________
17th. August 2007 Confirmation from domains.ph of suspension of all the criminals known .ph domains - thanks guys. New domain received in spam - sydcarcr.kg
Later Another new .kg fraud domain notified to me by a site visitor - sydncr.kg
__________________________________________________________________________________________________________________________
18th. August 2007 The criminal's .kg domains are still resolving on his Convergent Network Services/Ironcolo.com zombie botnet. It's a pity the FEDs don't make an example of that lot, pour discourager les autres. I'd happily provide any evidence they need...
__________________________________________________________________________________________________________________________
19th. August 2007 New domain received in spam - sdycar.ph Abuse reported.
Later New domain received in spam - sydcar.ph - abuse reported.
__________________________________________________________________________________________________________________________
20th. August 2007 New domain received in spam - sdycrc.ph - abuse reported.
Later All three of the crooks known .ph domains are still active despite the first one, (sdycar.ph) having been reported over 36 hours ago. Domains.ph do cancel fraud domains, (which is good), but their slow response to abuse reports is allowing the crook to get out his spam runs and get his responses back from his victims before the domain is suspended which IMHO isn't acceptable in view of the undeniable evidence of criminal activity.
__________________________________________________________________________________________________________________________
21st. August 2007 All five of the criminal's known .kg and .ph domains are still resolving this morning on the Convergent Network Services/Ironcolo.com zombie botnet. No action appears to have been taken by CNS or domain.kg, but domains.ph may have finally suspended two out of their three fraud domains but the change has not yet propagated though DNS. No action has yet been taken against the third domain, sdycrc.ph, reported yesterday.
__________________________________________________________________________________________________________________________
22nd. August 2007 New domain reported - sydycarc.kg
Later..and yet another received in spam - sdycar.kg
_________________________________________________________________________________________________________________________
23rd. August 2007 Feedback from .kg domain manager - domains sydcarcr.kg and sydncr.kg have been suspended - many thanks, but it needs to be quicker or preferably proactive if this crook is to be even inconvenienced. The crook's host, Convergent Network Services, (Ironcolo.com), continue to shelter their criminal client.
_________________________________________________________________________________________________________________________
24th. August 2007 Feedback from domains.ph - domain sdycrc.ph has been suspended & from domain.kg - domains sydycarc.kg & sdycar.kg have also been suspended. Thanks guys, both for your help and your feedback.
Later New domain received in spam - sdycr.kg
_________________________________________________________________________________________________________________________
27th. August 2007 Domain sdycr.kg suspended - thanks for the feedback. Two new domains notified - sydncare.ph and sdycr.ph. Unfortunately this crook will continue to abuse .ph domains as long as the registrar keeps giving him 48hrs grace - that's all he needs. The criminal's US zombie botnet host, Convergent Network Services, (aka Ironcolo.com) of Hicksville, NY are still getting away with knowingly hosting this criminal since July the 26th. If you are a victim of this scammer, you may wish to consider filing a crime complaint on the crime reporting website http://www.ic3.gov/
Later Another new domain received in spam - sdncr.ph
_________________________________________________________________________________________________________________________
29th. August 2007 Response from domains.ph - domains sdncr.ph, sydncare.ph, and sdycr.ph have been suspended - thanks guys.
Later New domain received in spam - sdncar.kg _________________________________________________________________________________________________________________________
***Latest News*** 12th. September 2007

Obituary

There now appears to be no further activity from this particular alias of the criminal. He seems to be concentrating on his Harvey Investment and Adamant Global aliases and no doubt there will be another one along shortly from his stable - keep your eyes peeled...
This particular incarnation has set a few records AFAIK. The first for the sheer number of domains registered by the criminal, (56 according to my math - listed above), and the second for the longest period of hosting by a service provider that is completely unresponsive to abuse reports. The company Convergent Network Services, (aka Ironcolo.com), hosted the fraudster from July the 26th. and in fact the IP 206.71.145.83 is still alive today. They also ignored abuse reports concerning their hosting of the previous Aegis Capital fraudster.