[gnso-rds-pdp-wg] [POSSIBLY OFF-TOPIC] Example of Usage for Conversation..

allison nixon elsakoo at gmail.com
Thu Jun 1 18:49:04 UTC 2017


And a reverse search on the email and fake identity yields 270 domains! All
of which can be blocked before any spam is sent, and any future domains
with those same details can be blocked as well.

And all of this analysis can be done without having to get a judge's order
in the country "1 HOST RUSSIA, INC" is in. How likely do you think that a
Russian judge would grant an order to disclose the information needed to do
this same analysis?


On Thu, Jun 1, 2017 at 1:45 PM, Michael Peddemors <michael at linuxmagic.com>
wrote:

> When it comes to addressing 'thin' or 'thick' data, it helps to have an
> example of what kinds of data are valuable, and whether a 'specific' part
> of the data is important/invaluable to the community at large, vs. any
> privacy implications. As already mentioned now several times, the
> personal information issue should be able to be addressed with simple
> 'informed consent' that the data is being made available.
>
> Example, our spam auditors received reports of 'snowshoe' spammers
> overnight from the following domains:
>
> 108.170.9.82      (M)    5  protecting.qlive.us
>    108.170.9.84   (M)    4  fortnight.catau.us
>    108.170.9.85   (M)    6  fancy.showsdepositplan.us
>    108.170.9.87   (M)    4  childhood.thesecarwarranty.us
>    108.170.9.88   (M)    4  sweating.samplehairgrowth.us
>    108.170.9.90   (M)    4  resignation.hirio.us
> 184.95.36.99            44  nowhere.yesfrenchwineflatbelly.us
>    184.95.36.100        33  vertical.bidea.us
>    184.95.36.101        41  relevance.indeednerverenew.us
>    184.95.36.102        15  decrease.iflifeinsurance.us
> 192.3.137.211     (M)    8  talent.soldtimesharefrom.us
>    192.3.137.212  (M)   12  global.reliefnervepainwith.us
>    192.3.137.213  (M)    7  steal.memoryfixgoodmini.us
>    192.3.137.214  (M)    8  show.viewautowarrantythat.us
>    192.3.137.215  (M)    7  culture.catho.us
>    192.3.137.216  (M)    9  reverse.oueme.us
>    192.3.137.217  (M)    5  include.causewineflattummy.us
>    192.3.137.218  (M)    8  pour.provedshepardweightloss.us
>    192.3.137.219  (M)   11  looks.ylame.us
>    192.3.137.220  (M)   32  forward.exactlymiracleoil.us
>    192.3.137.221  (M)   37  sidesbrainboosters.us
>    192.3.137.222  (M)   35  ballet.bsume.us
>
>
> While 'whois' information is not really standardized of course, let's
> look at it from the perspective of what this registrar provides, and
> discuss the information that is valuable.
>
> Domain Name:                                 QLIVE.US
> ^^^^^ Of course..
> Domain ID:                                   D59983383-US
> Sponsoring Registrar:                        NAMECHEAP, INC.
> ^^^^^ Some registrars have different reputation
> Sponsoring Registrar IANA ID:                1068
> Registrar URL (registration services): http://www.namecheap.com
> Domain Status: clientTransferProhibited
> Registrant ID:                               T112TZREYY9QGXNM
> Registrant Name:                             Ancell Powls
> ^^^^^^ For comparison against other domains..
>        We 'could' use a simple label, but that doesn't work across
> registrars
> Registrant Address1:                         23 Main St
> Registrant Address2:                         P.O. Box 2033
> ^^^^^^^ Use of a PO Box, and for comparison against other actors with
> similar/same information
> Registrant City:                             Symington
> ^^^^^^^  Is the same city used?
> Registrant State/Province:                   Biggar
> ^^^^^^^  Same province?
> Registrant Postal Code:                      ML12 6LJ
> ^^^^^^^ Same Postal?
> Registrant Country:                          UNITED KINGDOM
> ^^^^^^^ Same Country
> Registrant Country Code:                     GB
> Registrant Phone Number:                     +44.3457220123
> ^^^^^^^^ Is it valid, and does it conform to the specified geographical location?
> Registrant Email: ancellpowls7627997 at aol.com
> ^^^^^^^^^ FreeEmail provider, throwaway address
> Registrant Application Purpose:              P1
> Registrant Nexus Category:                   C11
> Administrative Contact ID:                   K2GPWOMDZJLH056R
> Administrative Contact Name:                 Ancell Powls
> ^^^^^^^^^ Similar reason for all administrative contact information
>           and compared against the registrant data
> <clipped>
> Billing Contact ID:                          WDKK5ZI9VTLK5GI6
> Billing Contact Name:                        Ancell Powls
> ^^^^^^^^^ Similar reason for all billing contact information
>           and compared against the registrant data
> <clipped>
> Technical Contact ID:                        UCTFQMK8L13PWK4A
> Technical Contact Name:                      Ancell Powls
> ^^^^^^^^^ Similar reason for all technical contact information
>           and compared against the registrant data
> <clipped>
> Name Server: JOSH.NS.CLOUDFLARE.COM
> Name Server: IRIS.NS.CLOUDFLARE.COM
> ^^^^^^^^^ Which name servers do they use? Are they common across domains?
>           Some name servers might even be a preferred method ..
> Created by Registrar:                        NAMECHEAP, INC.
> Last Updated by Registrar:                   NAMECHEAP, INC.
>
> Domain Registration Date:                    Thu Jun 01 05:45:30 GMT 2017
> ^^^^^^^^^^ Obvious: newly created, and only an automated script can
> generate email under that domain that fast.
> Domain Expiration Date:                      Thu May 31 23:59:59 GMT 2018
> Domain Last Updated Date:                    Thu Jun 01 07:24:28 GMT 2017
> ^^^^^^^^^^^
> DNSSEC:                                      false
> ^^^^^^^^^^^ Don't really care ;)
>
> We also like to compare against the 'rwhois' data: does the same guy
> operate the IP(s)?
>
> network:Network-Name:Private
> network:IP-Network:108.170.9.80/28
> network:IP-Network-Block:108.170.9.80 - 108.170.9.95
> network:Org-Name:AndreAgoncillo
> network:Street-Address:#10 Rizal Street
> network:City:La Carlota City
> network:State:XX
> network:Postal-Code:6130
> network:Country-Code:PH
>
> Gives an indication of whether they are using a 3rd party.
>
> NetRange:       192.3.137.208 - 192.3.137.223
> CIDR:           192.3.137.208/28
> NetName:        CC-192-3-137-208-28
> NetHandle:      NET-192-3-137-208-1
> Parent:         CC-15 (NET-192-3-0-0-1)
> NetType:        Reallocated
> OriginAS:       AS36352
> Organization:   Hudson Valley Host (HVH-9)
> RegDate:        2017-03-06
> Updated:        2017-03-06
> Ref: https://whois.arin.net/rest/net/NET-192-3-137-208-1
>
> (that is simply bad information, known snowshoe haven, colocrossing)
>
>
>
> --
> "Catch the Magic of Linux..."
> ------------------------------------------------------------------------
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> ------------------------------------------------------------------------
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
> ------------------------------------------------------------------------
> 604-682-0300 Beautiful British Columbia, Canada
>
> This email and any electronic data contained are confidential and intended
> solely for the use of the individual or entity to which they are addressed.
> Please note that any views or opinions presented in this email are solely
> those of the author and are not intended to represent those of the company.
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>



-- 
_________________________________
Note to self: Pillage BEFORE burning.
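The pivoting both messages describe (compare registrant email, phone and name/postal code across registrations, note which nameservers recur, and treat a domain created hours ago as having no reputation) is shown below as an added example. It is not code from either poster or from the working group. The WHOIS records, domain names, registrant details and the nameserver are constructed for illustration under RFC 2606 reserved names; the date layout and field names follow the quoted record.

```python
"""Pivot on WHOIS fields to cluster registrations and flag young domains.
Added example, not code from any poster; the records are constructed under
RFC 2606 reserved names with hypothetical registrant details and nameservers."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WHOIS_DATE = "%a %b %d %H:%M:%S GMT %Y"   # date layout of the quoted record
REPLY_TIME = datetime(2017, 6, 1, 18, 49, 4, tzinfo=timezone.utc)
# Constructed sample records in the "Key: Value" layout the quoted message shows.
SAMPLE_WHOIS = {
    "flat-belly-a.example": """\
Registrant Name: Pat Example
Registrant Postal Code: ML12 6LJ
Registrant Phone Number: +44.3457220123
Registrant Email: patexample7627997@mail.example
Name Server: NS1.DNSHOST.EXAMPLE
Domain Registration Date: Thu Jun 01 05:45:30 GMT 2017
""",
    # Different name/postal; email (case) and phone (punctuation) match only after normalisation.
    "nerve-renew-b.example": """\
Registrant Name: Chris Sample
Registrant Postal Code: 90210
Registrant Phone Number: +44 3457 220123
Registrant Email: PatExample7627997@mail.example
Name Server: NS1.DNSHOST.EXAMPLE
Domain Registration Date: Thu Jun 01 06:10:11 GMT 2017
""",
    # Shares only the nameserver, which many unrelated sites use: not linked.
    "unrelated-shop.example": """\
Registrant Name: Unrelated Shop Ltd
Registrant Postal Code: 10001
Registrant Phone Number: +1.2125550100
Registrant Email: hostmaster@unrelated-shop.example
Name Server: NS1.DNSHOST.EXAMPLE
Domain Registration Date: Wed Mar 02 12:00:00 GMT 2016
""",
}

def parse_whois(text):
    """Split 'Key: Value' lines into a dict of lists (Name Server repeats)."""
    rec = defaultdict(list)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec[key.strip()].append(value.strip())
    return rec

def strong_pivots(rec):
    """Normalised fields that tie registrations to one actor across registrars."""
    keys = {"email:" + e.lower() for e in rec.get("Registrant Email", [])}
    keys |= {"phone:" + re.sub(r"\D", "", p) for p in rec.get("Registrant Phone Number", [])}
    name = rec.get("Registrant Name", [""])[0].lower()
    postal = rec.get("Registrant Postal Code", [""])[0].replace(" ", "").lower()
    if name and postal:
        keys.add(f"identity:{name}|{postal}")   # a name alone is too easy to vary
    return keys

def cluster_domains(records):
    """Union-find: domains sharing any strong pivot fall into one cluster."""
    parent = {d: d for d in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d
    first_seen = {}
    for domain, text in records.items():
        for key in strong_pivots(parse_whois(text)):
            if key in first_seen:
                parent[find(domain)] = find(first_seen[key])
            else:
                first_seen[key] = domain
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))

def related_domains(records, seed):
    """The 'reverse search' from the reply: everything in the seed's cluster."""
    return next(g for g in cluster_domains(records) if seed in g) - {seed}

def common_name_servers(records, group):
    """Nameservers are a weak pivot: report them per cluster, never link on them."""
    sets = [{ns.lower() for ns in parse_whois(records[d]).get("Name Server", [])} for d in group]
    return set.intersection(*sets)

def newly_registered(records, now=REPLY_TIME, max_age=timedelta(hours=24)):
    """Domains created within max_age of 'now': no history, block-list candidates."""
    def created(text):
        stamp = parse_whois(text)["Domain Registration Date"][0]
        return datetime.strptime(stamp, WHOIS_DATE).replace(tzinfo=timezone.utc)
    return {d for d, t in records.items() if now - created(t) <= max_age}

if __name__ == "__main__":
    for group in cluster_domains(SAMPLE_WHOIS):
        print(sorted(group), "shared NS:", sorted(common_name_servers(SAMPLE_WHOIS, group)))
    print("registered in the last 24h:", sorted(newly_registered(SAMPLE_WHOIS)))
```

Running it clusters the two constructed registrations that share an email and phone (once case and punctuation are normalised) and leaves the third alone even though all three sit on the same nameserver: a nameserver such as the Cloudflare pair in the quoted record is shared by a very large number of legitimate domains, so linking on it would merge unrelated clusters, which is why it is only reported. Every linking pivot here is a registrant contact field; with a 'thin' record those fields are exactly the ones that would not be available to run this analysis.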