[SpamCop-List] Re: "Registrar-Lock"?
Michael Brennan
Nobody at SpamCop.net.dev.null
Wed Oct 12 04:50:04 EDT 2005
Mike Easter wrote:
>
> Michael Brennan wrote:
> > Chasing down a spamvertised webpage, I came across this return for a
> > whois lookup:
> >
> > Spampage: http://yotdgd2b.brave-123.net/savings.asp
>
> Your information for brave-123.net is different from mine.
>
> > Domain Name: BRAVE-123.NET
> > Registrar: ENOM INC.
> > Whois Server: whois.enom.com
> > Referral URL: http://www.enom.com
> > Name Server: NS1.HELLO-123.NET
> > Name Server: NS2.HELLO-123.NET
> > Status: REGISTRAR-LOCK
> > Updated Date: 10-oct-2005
> > Creation Date: 06-oct-2005
> > Expiration Date: 06-oct-2006
> > >>> Last update of whois database: Mon 10 Oct 2005 14:13:15 EDT <<<
>
> I'm not getting that. enom, crsnic, and internic give me nothing
>
> dnsstuff gives me different information than you have and sez it is at
> namecheap.com which gives me nothing except to say that the name is
> available.
<snipping>

I ran it through SamSpade's online lookup.

> <snip>
> Registration Service Provided By: NameCheap.com
> Contact: *******@NameCheap.com
> Visit: http://www.namecheap.com/
>
> Domain name: brave-123.net
>
> Registrant Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Administrative Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Technical Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Billing Contact:
> NB
> nicholas brown **************@netscape.net)
> +1.2062020838
> Fax: +1.5555555555
> 1201 N NORTHLAKE WAY
> Seattle, WA 98103
> US
>
> Status: Locked
>
> Name Servers:
> ns1.hulk-123.com
> ns2.hulk-123.com
>
> Creation date: 06 Oct 2005 09:49:32
> Expiration date: 06 Oct 2006 09:49:32
> </snip>
>
> but the information at dnsstuff also said this "Using 1 day old cached
> answer (or, you can get fresh results)." and then the link for the fresh
> results gave me nothing
>
> Very puzzling about the discrepancy at namecheap. My guess is that the
> one day old information is the most accurate, but maybe not.
<snip>

I got the same information for "Nicholas Brown" registering another
spampage in another "mortgage-application" phishing spam [I've got a
fresh one in my inbox as I type] which I LARTed on October 9
(Sunday), tracking URL here:
http://www.spamcop.net/sc?id=z813885989zfcadb152a67bc0b743b342e35527be76z

I looked up his spampage on SamSpade again and got this:

Server Used: [ whois.yesnic.com ]
http://pr0per.net/fine.asp = [ 211.147.228.105 ]
-----------------------------------------------
Queried Domain Information as follows
-----------------------------------------------
Domain Name : pr0per.net
: :Registrant: :
Name : Nicholas Brown
Email : nich0lasbrown at netscape.net
Address : 1201 N NORTHLAKE WAY
Zipcode : 98103
Nation : US
Tel : 2062020838
Fax :
: :Administrative Contact: :
Name : Nicholas Brown
Email : nich0lasbrown at netscape.net
Address : 1201 N NORTHLAKE WAY
Zipcode : 98103
Nation : US
Tel : 2062020838
Fax :
: :Technical Contact: :
Name : Nicholas Brown
Email : nich0lasbrown at netscape.net
Address : 1201 N NORTHLAKE WAY
Zipcode : 98103
Nation : US
Tel : 2062020838
Fax :
: :Name Servers: :
ns1.pr0per.com
ns2.pr0per.com
: :Dates & Status: :
Created Date 2005-10-05 18:22:43 EDT
Updated Date 2005-10-05 18:22:43 EDT
Valid Date 2006-10-05 18:22:43 EDT
Status ACTIVE

Reverse DNS on the IP gives Etrust, with an e-mail address in there for
liucheng at gzidc.com and an admin e-mail address at
netadmin at ehomenet.com.

I checked the address on "Northlake Way" using MapQuest and USPS.com.
Address is bogus for Zip Code 98103 and is not found in Seattle or
suburbs Phinney, Wallingford, Meridian, Fremont, or Green Lake either
(all nearby that Zip) with or without Zip Code attached.

Ergo, the registration is bogus in 3D space.

Reverse phone lookup on registered contact number (206)202-0838 yielded
no listings.

I put all that in the comments section of the LART, mentioning LK's name
in passing as having been a source for very similar spams in the past,
and sent it off. Maybe Cyveillance did something with it. I also filed
a complaint (actually, two -- two different spams/registrations) to
Internic about Yesnic on the bad registration address data, as we'd
previously discussed about another of these bogus Seattle-area
registrations.

I didn't try to e-mail the Netscape contact address or call up the phone
number (unlisted CLEC number, again, in Seattle) to verify that they
were bogus as well. I've tried to LART Netscape on these support
mailboxes before and got 554 rejection notices (I think it was 554's, I
didn't keep them -- LOL). Yahoo! on the other hand has looked into them
and replied in a reasonably short time.

> > What does the term "REGISTRAR-LOCK" mean, and what does this record
> > indicate?
>
> It just means that the information can't be changed or the domainname
> moved without the registrant getting the registrar to 'unlock' the
> registration. Which is basically the way it is supposed to be.
>
<snip>

Since then, I sent another complaint last night on a similarly
registered (with radiant bogosity) spampage in another mortgage phish
UBE to Joker.com, using my throwaway account, and if I don't hear
anything back from them pdq, I'll forward that info to Internic as well,
and let them explain to Internic how they registered one spamvertised
webpage for William Troy, and another for Troy Williams, at the same
street number and street, in different Zip codes hundreds of miles
apart, on the same AOL mail account, a few days apart. As of six hours
ago or so, Joker hadn't replied yet -- and they've had a full business
day to look into it.

Beyond mailing a note to Internic, that's about all I can do. Who
knows, maybe that's too much. Well, it's more than I want to do with
one or two spams.

Is anyone chasing these spampage registrations down on a regular basis,
to see whether these registrars are playing by the rules? I'd rather
someone else did it, if only for reasons of efficiency and relative
advantage. I wouldn't want to put my elbow in the gravyboat, trying to
correct something that is obviously wrong and bad, if someone else can
do it better.

Regards,
Michael
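
Added example, not part of the original message: the cross-domain comparison done by eye above (same phone number and street on two registrations), sketched as a script that fingerprints WHOIS text in the two layouts quoted in the message. The records, the .example domains, the contact details and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed records (fictional contact, .example domains) in the two WHOIS
# layouts quoted above: indented contact block and "Key : value" fields.
BLOCK_STYLE = """\
Domain name: shop-one.example

Registrant Contact:
   jane doe (jd@mail.example)
   +1.5555550100
   Fax: +1.5555555555
   100 N SAMPLE WAY
   Anytown, WA 00000
"""
KEYVAL_STYLE = """\
Domain Name : shop-two.example
Name : Jane Doe
Address : 100 N Sample Way
Zipcode : 00000
Tel : 5555550100
"""
UNRELATED = """\
Domain Name : other.example
Name : Sam Roe
Address : 9 ELM ST
Tel : 5555550199
"""

def fingerprint(record):
    """Return (domain, last 10 phone digits, normalized street) for one record."""
    domain = re.search(r"(?im)^[ \t]*Domain name[ \t]*:[ \t]*(\S+)", record).group(1).lower()
    # A bare phone line or a "Tel :" field; "Fax:" lines never match.
    tel = re.search(r"(?im)^[ \t]*(?:Tel[ \t]*:[ \t]*)?(\+?\d[\d.() -]{6,})[ \t]*$", record)
    phone = re.sub(r"\D", "", tel.group(1))[-10:] if tel else ""
    # An "Address :" field, or a bare line that starts with a house number.
    adr = re.search(r"(?im)^[ \t]*(?:Address[ \t]*:[ \t]*)?(\d+[ \t]+[A-Z][A-Z. \t]*)$", record)
    street = " ".join(adr.group(1).upper().split()) if adr else ""
    return domain, phone, street

def shared_registrants(records):
    """Map each phone/street value seen on more than one domain to those domains."""
    seen = defaultdict(set)
    for record in records:
        domain, phone, street = fingerprint(record)
        for kind, value in (("phone", phone), ("street", street)):
            if value:
                seen[(kind, value)].add(domain)
    return {key: sorted(doms) for key, doms in seen.items() if len(doms) > 1}

if __name__ == "__main__":
    for key, domains in shared_registrants([BLOCK_STYLE, KEYVAL_STYLE, UNRELATED]).items():
        print(key, domains)
```

Keeping only the last ten digits is what lets "+1.5555550100" in one layout match "5555550100" in the other; registrars outside the North American numbering plan would need a different normalization.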