[registration-issues-wg] Accountability: fact or fiction?

Derek Smythe derek at aa419.org
Wed May 10 02:24:28 UTC 2017


Some thoughts on issues I have been pondering the past few days. This
came to a head tonight upon a "certain reply from an ICANN Accredited
registrar", while staring at a massive nest at the same registrar, that
evoked a sense of deja vu.

One of the newer methods registrars are deploying to combat spam abuse
is webforms. However this approach can be problematic. Consider where
the registrar insists the webform be used to report issues, then does
not send an acknowledgement.

Was the ticket received? Or is the system down and the ticket lost?
This happened as we saw on one domain based attack and an escalation
attempt followed to a registrar with no response. At least this
registrar acknowledges tickets. So alternative methods could be used
when no acknowledgement was received. The issue was resolved quickly.
Kudos to them.

But is there another purpose at some registrars? Zero accountability
while ignoring ICANN mandated obligations?  Call me neurotic if you
will. But ICANN Accredited registrars should be beyond even such
suspicions by using accountable systems.

This becomes topical when a registrar has a history of abusive
registrations spoofing any and all banks, also other legitimate
businesses via said registrar. Then said registrar claims to "only be
a registrar" taking no responsibility, ignoring bogus registration
details reported. Now it turns into a "prove it" issue.   Incidentally
this exact same registrar also provides proxy services where the same
unaccountable abuse reporting methods are used.

As such I asked for a ticket nr and a copy of what I reported since no
reply was forthcoming. The response:

> Sorry, but we do not have purview over the content on web sites as
> we clearly state on our web site. You are advised to contact the host.
>
> Thanks,
>
> Skyler
> NameSilo support
>
> On 5/9/2017 2:40 PM, Derek Smythe wrote:
> Hello Namesilo
>
> I lodged a complaint via your web form a bit back on domain
> fastweedonline.com, since you absolutely insist your web forms be used.
>
> No ticket or reply was ever received. Additionally this domain is
> still active as well despite showing the issues with this domain
> registration.
>
> For the sake of accountability, may I please have a dated ticket
> reference and a copy of what was submitted?
>
> Thanks.
>
> Derek Smythe
> Artists Against 419
> http://www.aa419.org

Not forwarding the details of the ticket as requested? Oh great -
accountability has been swept out of the door.  So now a registrar
(who signed the RAA 2013) can start profiteering from malicious
domains ignoring ICANN RAA Sect 3.7.8 of the Registrar Obligations and
nobody can prove it  ... oh, why am I using future tense? It's already
being done at this registrar.

We can say: "Use the ICANN Whois Inaccuracy Complaint Form". Yet it
takes at least 2 weeks plus to get results. Meanwhile Rome is burning and
the result would be the same as merely pointing out the same obvious
details. Why give a malicious registrant a 15 day pass?

Let us look at the issues here. This is a weed scam. Currently its
domain has a proxy registration. The weed scam typically claims to
sell drugs etc (non-existent).

Earlier this year this domain showed registration details:

> Domain Name: FASTWEEDONLINE.COM
> Registry Domain ID: 1944472965_DOMAIN_COM-VRSN
> Registrar WHOIS Server: whois.launchpad.com
> Registrar URL: LaunchPad.com
> Updated Date: 2017-02-15T18:33:27Z
> Creation Date: 2015-07-04T09:27:22Z
> Registrar Registration Expiration Date: 2019-07-04T09:27:22Z
> Registrar: Launchpad, Inc. (HostGator)
> Registrar IANA ID: 955
> Domain Status: OK https://icann.org/epp#OK
> Registry Registrant ID: Not Available From Registry
> Registrant Name: NADINE FLAURE ZOMFACK
> Registrant Organization: None
> Registrant Street: akwa douala  
> Registrant City: Douala
> Registrant State/Province: Litoral
> Registrant Postal Code: 00237
> Registrant Country: US
> Registrant Phone: +237.7135745287
> Registrant Phone Ext:
> Registrant Fax:
> Registrant Fax Ext:
> Registrant Email: bathsaltsforsale at gmail.com

Some history: https://db.aa419.org/fakebanksview.php?key=104810

bathsaltsforsale at gmail.com ?! Numerous honorable registrars suspended
numerous of this registrant's domains, some for fake registration
details, some for violating their policies.

Help yourself and  have a look, decide what's real:
https://db.aa419.org/fakebankslist.php?psearch=bathsaltsforsale%40gmail.com&Submit=GO&psearchtype=

It is also how this domain came to be at the current registrar. This
registrant transferred away from registrars that are less abuse
tolerant to those who can't care when exposed. This registrant has
quite a domain portfolio with the same issues, much now abusing proxy
registrations. Ironically some European registrars revoked some of
the proxy registrations upon seeing the evidence.

Yet now this particular domain's registration shows:

> Domain Name: fastweedonline.com
> Registry Domain ID: 1944472965_DOMAIN_COM-VRSN
> Registrar WHOIS Server: whois.namesilo.com
> Registrar URL: https://www.namesilo.com/
> Updated Date: 2017-05-07
> Creation Date: 2015-07-04
> Registrar Registration Expiration Date: 2020-07-04
> Registrar: NameSilo, LLC
> Registrar IANA ID: 1479
> Registrar Abuse Contact Email: abuse at namesilo.com
> <https://reversewhois.domaintools.com/?email=ea11081436b70a9bc19798dd4211d6b4>
> Registrar Abuse Contact Phone: +1.4805240066
> Status: clientTransferProhibited
> Registry Registrant ID: 
> Registrant Name: Domain Administrator
> Registrant Organization: See PrivacyGuardian.org
> Registrant Street: 1928 E. Highland Ave. Ste F104 PMB# 255
> Registrant City: Phoenix
> Registrant State/Province: AZ
> Registrant Postal Code: 85016
> Registrant Country: US
> Registrant Phone: +1.3478717726
> Registrant Phone Ext: 
> Registrant Fax: 
> Registrant Fax Ext: 
> Registrant Email: pw-8cdd0708527db74d3976336180cb7a15 at privacyguardian.org

Ideal! A can of worms now neatly wrapped up behind a proxy
registration so all nice and legit and unchallengeable? Yet this was
supposed to be part of a staged disruption.  I am probably
over-sharing, but perhaps it's overdue as to see exactly what this
registrar is enabling. Law enforcement is known in this issue.

The drug scam is not above extortion. Exactly what we have with this
registrant. This scammer set up a website on another domain, dare I
say using the same registrar where he's welcome and once again using
another set of fake registration details, publishing certain
particulars of a victim in an extortion attempt to get them to pay up
on a website claiming to sell cocaine in the USA. Then attempted to
report this domain, knowing full well how we work and that reports are
made to the authorities where appropriate.  Nasty does not even begin
to describe it. Terminally ill cancer patients are typical targets.
Domains with fake registration details have now become weapons of
extortion. Apart from the other twists attributable to this group -
see
http://blog.aa419.org/2017/04/22/understanding-the-cameroonian-pet-scam/

Let's look at an unreported domain ourcountry48shop.com (which I'm
sure the sponsoring registrar will have no problems disabling), also
being the NS for the above FASTWEEDONLINE.COM domain.

> Registrant Name: NADIN FLAURE ZOMFACK
> Registrant Organization:
> Registrant Street: AKWA
> Registrant City: DOUALA
> Registrant State/Province: Karnataka
> Registrant Postal Code: 560056
> Registrant Country: IN
> Registrant Phone: +91.679301995
> Registrant Phone Ext:
> Registrant Fax:
> Registrant Fax Ext:
> Registrant Email: cynthialori2008 at gmail.com

But bathsaltsforsale at gmail.com is also an alias for "kellysummers2008".

"Nadin"/"Cynthia"/"Kelly" is now in Douala in India? A serious
geography fail here.  Simply another bogus identity to add to the ones
we already know of. Yet law enforcement is expected to untangle the
proxy mess for FASTWEEDONLINE.COM with accountable procedures that
will take six months, only to get access to more junk registration
data? Who are we fooling and who is frustrating accountability?

I note some similarities with:
http://www.circleid.com/posts/20170215_narcotics_traffic_is_not_part_of_a_healthy_domain_system/

I raise KnuJon a hXXp: // cocaineonlineshopusa. com/ - incidentally
also via the same registrar. 

Is that legal and allowed in the USA?

Research and join the dots ... things are not always what they seem.
At least one registrar obviously cannot do it.

It's also not great when you have registration details like these that
I recently shared on an ITSec group, also at the same registrar:

> Registrant Name: Inno Cent
> Registrant Organization:
> Registrant Street: No. 14 Adamawa Road
> Registrant City: imc
> Registrant State/Province: imc
> Registrant Postal Code: 23456
> Registrant Country: NG
> Registrant Phone: +234.07036603572
> Registrant Phone Ext:
> Registrant Fax:
> Registrant Fax Ext:
> ...
> Tech Email: innocentbenghalami at yahoo.com

Plausible? Not when considering there is no city IMC in Nigeria. There
is no state IMC in Nigeria. Yet these details are being abused to
spoof a bank, see hxxp :// www.gbcibgroup. com/home/,  apart from also
being used for other bogus companies targeting consumers and
businesses. It's not as if this registrar was not made aware of this
issue (Nor ICANN compliance): http://snapper.aa419.org/DS/Namesilo/

Yet the ability to cc other parties who may have a legitimate interest
in the matter no longer exists. Not even a ticket number to forward
and requests are met with replies such as shown.

Currently registration is continuing with these exact same fake
registration details.

Add another registrar in Malaysia. Same situation.

"Inno Cent" also uses this registrar as well with his many, many
names. Using many similar registration details, banks and banking
regulators are massively spoofed, some many times, all to the
detriment of the consumer using these two registrars. Using tracking
methods we can link many of these and prove gross domain abuse and
tardy response to these from the relevant registrars actively
empowering these malicious registrants. This issue has been ongoing for
at least two years. In both cases ICANN Compliance complaints
followed. In both cases Compliance eventually closed the ticket as
Registrar met commitments, in both cases the domains still had fake
registration details and in both cases still spoofing the real banks.
In one such case the issue was escalated to the Ombudsman. A lot of info
was requested and supplied, also a request of the desired outcomes.
Nothing more was ever heard.

Roll forward to today and we see massive spoofing issues continuing.
Consider the "hotel" scammer, playing registration games on the first
registrar. Typically hotel addresses are abused to register malicious
domains, the UK telephone numbers are too short. The ICANN RAA makes
some comments on telephone number verification in this regard. Upon
lodging a Whois Inaccuracy Complaint, the complaint was met with
resistance by compliance. It had to be explained again that the
telephone number is too short and we are seeing the same repeated
patterns. Eventually these domains were suspended.  Currently this same
party is still merrily registering domains with UK telephone
numbers being too short and hotel addresses at the same registrar,
targeting consumers.

As such I think it's only fair to ask: Where does this buck stop?
Where is the internet we promised users in the mid 1990's?  Is there
in fact any accountability left on the net? We are talking of
connecting the next billion. The next billion what? Potential victims?

Atm my experience is some registrars are great and sincere in what
they publish in terms of their AUP/ToS, also their promises to abide
by the RAA. Others may consider it if enough noise is created. Others
demand court action follow to resolve clear-cut issues where their own
AUP/ToS are mere eye candy and openly violated. See an ordinary person
whose web property was stolen and then hidden behind the proxy of a US
registrar
http://blog.aa419.org/2017/04/18/whoisguard-a-proxy-for-crime-targeting-the-usa-from-the-usa/


Of course, the average Joe Soap is a third party beneficiary to the
RAA and as such has no legal leg to stand on. It's up to ICANN to
ensure that promises made in the RAA are adhered to. Without this, the
consumer becomes cannon fodder to an elitist club.

Recently at Copenhagen comments were  made that ICANN only has
obligations to registrants as clients. While I disagree, let's for a
moment accept this at face value. Why should a legitimate registrant
have to defend his property and name at a cost of ~$2500 in payment
for UDRP procedures, while the unaccountable malicious registrant with
fake registration details typically pays less than $10 to as low as
$2, many a time a free proxy thrown in. Only to repeat the pattern
regardless of the UDRP outcome? Obviously there is something wrong
with this picture. See a real world example of this:
http://blog.aa419.org/2017/04/19/from-benin-a-loan-scam-syndicate/ -
Europe is fodder to a bunch of common loan scammers from Benin with
many domains with inadequate whois details, also many belying one
another.

My question is this: Has accountability become an optional extra as
well, another freebie thrown in like an anonymous proxy, all for the
price of a discounted domain? Along with the ICANN RAA? Or should we
take a hard look and re-evaluate what's been created?

Personally I have lost a lot of faith in the willingness of some of
these parties to stop domain abuse. Apologies if I offend anybody's
sensibilities, but the above situation is leading to extreme harm at
consumer and business level. Atm ~40% of all West African related
fraud cases received by one law enforcement official is BEC related.
The above situation simply enables this caustic environment.

Derek Smythe
Artists Against 419
http://www.aa419.org
