Lee's Continued Fight Against Spam



Everyone gets spam, unfortunately. If you are reading this you probably have already been spammed many, many times. I don't really need to tell you that spam is annoying unsolicited advertising for crap you probably didn't actually want to buy.

There are many people who have already been implicated in the fight against spam. Unfortunately, very few of the players are US citizens. This of course adds much difficulty to the problem, as US anti-spam laws cannot be enforced upon people who violate them outside the US.

An Introduction to How Spam Domains Work

From many examples of spam that I have received lately, many have two things in common - the owner of the domain, and the company that sold the domain. To explain the relevance of this, I will breifly explain how domains are sold on the internet, and how they work. This is not to be mistaken with the famed explanation of the internet as a series of tubes, nor will it be as entertaining.

Domain Name Service (DNS)

Every system that is on the internet is assigned an Internet Protocol (IP) address. An address is something like (google.com). Of course, few people remember these numeric addresses, as there are millions of possibilities for them. You could, of course type into your web browser and google.com will load from it. But typing google.com would be easier for most people to remember. However, the numeric IP address allows for systems on the internet to know how to get to another system to exchange data.

So therefore, there needs to be some way to correspond to google.com. This is done through the Domain Name Service (DNS). When you type google.com into your web browser, your computer refers to DNS in order to get an IP address that it can contact for that domain name. This is true for essentially any domain name you can think of, whether it be a legitimate company such as google.com or the domain name that is being spamvertised in the spam that you recieved today.

Buying and Selling Domains

The total number of domains that could be bought and sold on the internet is essentially limited only by the creativity of people creating them. A domain can be any combination of letters and numbers, followed by a period and any of a long list of approved extensions. In order to register a domain name, you need to purchase it through a registrar, who is approved to sell domain names and update the DNS records on the internet that track the IP addresses for domains. Registrars are located in many countries around the world and sell domains to a wide variety of customers.

However, people who are interested in using spam to sell products across the internet often use predictable methods for their domain registration. Namely, they tend to use specific domain registrars (in this write-up I will focus on pacnames.com), they tend to register the domains to specific email addresses, and they tend to set their registration information in such a way to ensure that they cannot be contacted.

An example spam

I won't bother posting the entire spam. But we have likely all seen crap like this one, trying to sell pirated software (we'll drop the html formatting from this as it adds nothing):

 World leading manufacturers. The most popular software.

    * MS Windows XP Professional with SP2 - $49.95
    * Adobe Photoshop CS2 V 9.0 - $69.95
    * Microsoft Office XP Professional - $49.95 

Of course, this email assumes that we aren't smart enough to realize that prices this low cannot possibly be legal. On top of that, these sites usually are promoting special "download-only" prices, which if you check with Adobe or Microsoft, you will find don't actually exist. Adobe does allow direct downloads of their software, but only if you buy from them directly, and do not re-distribute it. Microsoft has no such program for theirs. But we'll ignore that for the sake of argument. The more important part is down further, where the spam gives the web site address for the spamvertised site:

Best price. Good choice. Visit our 

Tracking the spam

The next thing to do, then, is to figure out where this spam actually came from. And by that, I'm not referring to where the mailserver lies that sent it - we can do that later - but rather where the domain is registered and how it was registered. For this we will employ the WHOIS tool. This tool can be run from most any Unix/Linux command line, and several sites on the internet offer it through their pages as well.

>whois moioem.com
   Domain Name: MOIOEM.COM
   Whois Server: whois.pacnames.com
   Referral URL: http://www.pacnames.com
   Name Server: NS2.SRUL5.COM
   Name Server: NS1.SRUL5.COM
   Status: ACTIVE
   EPP Status: ok
   Updated Date: 07-Nov-2006
   Creation Date: 07-Nov-2006
   Expiration Date: 07-Nov-2007

   Domain name: MOIOEM.COM
   Registrar: PacNames
   Referral URL: http://www.pacnames.com/

   Domain Registrant: TOTALNIC-128733 (XSALSA@GMAIL.COM)
      Alex Rodrigez
      Alex Rodrigez
      PO box 109 WP 1432
      Lappeenranta NA 53101

Then of course the next question is what is this information good for? I dropped the intermediate legal garbage that normally comes with a WHOIS report, as the domain in question is breaking the law anyways. We now see a few things that are worth looking into:

Alex Rodrigez, the New King of Spam

This domain is only one of at least several dozen that I have seen that were sold to 'Alex Rodrigez' by pacnames.com. I have seen many other domains that he has purchased to sell coutnerfeit drugs as well as pirated software. More reecently, other people have seen email corresponding to new phishing activity on domains that have also been sold to Alex. Alex has also changed email addresses in the past - I have seen xsalsa@gmail.com as well as xsalsa@etn.org. Not that email sent to those are ever replied to. Other addresses that have been seen for the same criminal include admin@gorlock.net and domains@locu.st

What do do about this problem?

The WHOIS data above gives several possible ways to try to get this problem resolved. Of course, one could try contacting Alex directly through the gmail.com email address posted. I have tried this many times and can say that I have never had a reply. In fact, replying to that email address may have only lead to ensure that I was included on his later spamming campaigns.

In reality, the best choices are to go after the services that are needed in order to keep 'moioem.com' up and running. There are several services that are needed in order for the domain to be maintained:

Registration, please

So if we go through those in that order, we can start by working on the registration for the domain. The registration, as I mentioned before, is made by the domain registrar. In this case, that company is pacnames.com. We saw in the WHOIS report that this company has a physical address listed in New Zealand and a phone number in Colorado, USA. Pacnames.com lists their contact / support email address as support@pacnames.com. I can say that I have contacted this company on many occasions to report the spamming domains that they have sold to Alex. Sometimes they have responded, but most times they have not. I have also asked them why they continue to sell domains to a known spammer, and of course they have not replied to that. However, if one could get the registrar to invalidate the registration, then it should no longer be reachable and hence the spammer would not be able to sell any product through his website with its unreachable address.

Your name, sir...

The name server is much the same story. The WHOIS record shows us that this domain is dependent on two name servers in particular - CATS.AIMHIGH.NET and NS2.CAPITAL.HM. The .HM domain of the latter refers to a domain registered in "Heard and McDonald Islands". One could similarly do lookups on those two domains, and contact their respective owners to check to ensure that they are not intentionally providing DNS to spamming domains. If they appear to be in cahoots with the spammer (and they often are), then the same procedure could be repeated with them.

Your host will be...

The web hosting service is usually either the easiest or most difficult part of getting the spamming domain shut down. Either way, when it works it is generally the most satisfying, as the result is a resolvable domain that loads an error message because the hosting provider has shut down its own mapping to the site. If you are fortunate enough to find that the site is hosted in a country that speaks english natively (or any other language that you are fluent in) then it is usually easy to show the problem and get it resolved. This is also determined by a WHOIS lookup. First, ping the domain:

> ping moioem.com
PING moioem.com ( 56 data bytes

Now we have an IP address. We just need to run WHOIS on this address ( ) to figure out who owns it:

> whois
role:         CNCGroup Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse@cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC

Unfortunately, this is a Chineese ISP. I have tried unsuccesfully in the past to contact this group and they usually reply in Chineese with an automated message. You can of course bring it to APNIC, where you should be able to get a person who speaks fluent English, but getting anything donw is still very difficult.

In contact with...

The last thing I mentioned is the contact information for the domain. We already see his mailing and email addresses. I'm not sure how much postage is to Finland, but I know I can send email to gmail.com for free. As I mentioned, I have emailed him many times and never seen a reply. So then the next question is what can I do about his email address other than emailing him? The next thing I usually go for is to expose the spammer to their email provider. Gmail.com is of course run by google, so I then sent his spam to abuse@gmail.com and support@gmail.com. I am still waiting for google to do something about this. I have yet to find a phone number for contacting google, and every message they have sent me has been a form message that does not seem to ever lead to a human.

More on PacNames

I have written more extensively about one of the registrars of choice for "Alex Rodrigez". In particular, PacNames.com has been a willing partner of his for some time and a real thorn in my side on trying to stop spam.

You can read my writing on pacnames for more information.

A very clear definition of piracy

One particular software company has made very clear how to tell when you are looking at pirated copies of their software. Adobe.com has clearly stated on their AntiPiracy page that the only legitimate way to purchase Adobe software for download is through the Adobe Store. Hence, when Rodrigez and friends offer download-able copies of acrobat, photoshop, or any other adobe software, they are breaking the law.

Kevin Benson

I have started to see an increasing amount of spam email from domains registered to a "Kevin Benson". This person plays a similar game to the "Alex Rodrigez" that I had mentioned earlier, though selling replica watches instead of pirated software, while still selling prescription drugs without prescriptions. The registration data given for this person is usually as follows:

Name:           kevin    benson
Address:        1098 Queen St
                halifax, NS  B3H 2R9
Email Address:  kevben@coldmail.ca
Phone Number:   (902)412-1798

I have seen spam from at least four different domains that "Kevin Benson" has registered, selling either drugs or replica watches. One thing that distinguishes the spams sent by this person's domains is that they especially push "Cialis", rather than the usual "Viagra". In particular, their spam offers read like ad copy from the maker of Cialis, and often incorporate the slogans that are used in their commercials. This may itself be illegal (on top of the illegal sale), as it is likely copyright violation to use their slogans without permission. The four domains I have seen to date (05-10-07):

The first three were all pushing drugs, the last one was selling replica watches. I do not know if the replica watches are themselves illegal, when they are sold as replicas, but I am quite sure that it is illegal to sell prescription drugs in this uncontrolled manner. Even though this person claims to live in Canada, the drugs laws there prohibit this type of sale as well.

AIT domains

My frustrations with "Kevin Benson" have been worsened by my unfortunate discovery of yet another bad domain registrar. The four domains listed above were all registered to this person through aitdomains.com. And a WHOIS search will show that all four of those domains are still listed as "ok" (active) by their registrar. i have made several attempts to contact AIT domains to alert them to the criminal misuse of the domains that they have sold, and they have taken no action.

Indeed, I will even go so far as to say they are willingly taking no action. The replica watches domain - "lozfuertzone.com" - was the most recent one that I reported as a spamming domain. After waiting two days and seeing no response, I then went further to look into the DNS domain that it relies on. It appears that "Kevin Benson" has even registered his own DNS domain - "sickoldns.com". However, the DNS domain was registered through a reputable registrar (enom.com), who has since shut it down. Meanwhile, all the AIT domains belonging to "Kevin Benson" are still listed as "ok".