Guess what’s happening on Christmas?
E-mails start to flow wishing a merry Christmas, with links to uhavepostcard (dot com) and merrychristmasdude (dot com). One gets suspicious. And it turns out one is right – again. Do not visit the above links unless you are keen on getting some new trojans…
After adjusting our server’s spam filter, I do some more research. Some antivirus products recognise the downloadable file, some do not.
The domains were registered on the 23rd of December, and the registration data are obviously fake (ZIP 12345, yahoo and hotmail e-mail accounts, etc.).
The problem with this domain-based spamvertising is that – unlike the IP-based kind – the domain can exist and be maintained for a longer period of time, and its nameserver records can be changed; at the moment they consist of 2*13 entries from different countries and different ISPs.
The “webservers’” IP addresses are served by these “bot-NS” servers from a pool of thousands of other bots, so it is easy to understand that stopping these is impossible.
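To make the fast-flux mechanism just described concrete, here is an added example (mine, not from the original post) that scores repeated DNS lookups of one domain on the properties the post describes: many A records spread over different networks, a large NS set, short TTLs and an answer set that changes on every query. The observations are constructed, the thresholds are illustrative, and the /24 prefix stands in for an ASN or GeoIP lookup so that it runs offline.

```python
from collections import namedtuple
from ipaddress import ip_network

# One answer from a repeated lookup of the same domain: lookup time (seconds),
# record type, returned value and the TTL that came with it.
Answer = namedtuple("Answer", "t rrtype value ttl")


def fast_flux_indicators(answers, flux_threshold=3):
    """Return (score, details) for a series of DNS answers for one domain.
    Each indicator that trips adds one; at or above flux_threshold the domain
    is flagged. Thresholds are illustrative; the /24 prefix stands in for an
    ASN/GeoIP lookup so that this runs offline."""
    a_recs = [x for x in answers if x.rrtype == "A"]
    ips = {x.value for x in a_recs}
    nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    nameservers = {x.value.lower() for x in answers if x.rrtype == "NS"}
    min_ttl = min((x.ttl for x in a_recs), default=None)
    by_query = {}  # A answers per lookup: a flux domain rotates the set every query
    for x in a_recs:
        by_query.setdefault(x.t, set()).add(x.value)
    answer_sets = {frozenset(s) for s in by_query.values()}
    details = {
        "unique_ips": len(ips), "unique_networks": len(nets),
        "unique_ns": len(nameservers), "min_a_ttl": min_ttl,
        "queries": len(by_query), "distinct_answer_sets": len(answer_sets),
    }
    indicators = [
        len(ips) >= 5,                           # many hosts behind one name
        len(nets) >= 3,                          # spread over several networks
        len(nameservers) >= 5,                   # the post saw 2*13 NS entries
        min_ttl is not None and min_ttl <= 300,  # short TTL forces re-lookups
        len(by_query) > 1 and len(answer_sets) == len(by_query),
    ]
    score = sum(indicators)
    details["fast_flux"] = score >= flux_threshold
    return score, details


# Constructed sample resembling the campaign (not real data): each lookup returns
# a different pair of RFC 5737 addresses with 300-second TTLs, 13 nameservers.
FLUX_ANSWERS = [
    Answer(0, "A", "192.0.2.10", 300), Answer(0, "A", "198.51.100.7", 300),
    Answer(600, "A", "203.0.113.44", 300), Answer(600, "A", "192.0.2.99", 300),
    Answer(1200, "A", "198.51.100.200", 300), Answer(1200, "A", "203.0.113.9", 300),
] + [Answer(0, "NS", f"ns{i}.example.invalid", 3600) for i in range(1, 14)]

# Constructed benign baseline: one stable address, two nameservers, long TTL.
STABLE_ANSWERS = [Answer(t, "A", "192.0.2.1", 86400) for t in (0, 600, 1200)] + [
    Answer(0, "NS", f"ns{i}.example.invalid", 86400) for i in (1, 2)]
```

Feeding real resolver output into `Answer` records over an hour or two is enough to see the difference between the two profiles; a production check would replace the /24 proxy with an ASN lookup.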
So one writes to the domain registrar – the company responsible for registering the domains in question – asking them to null out the nameservers and put the domains on hold (rendering them useless while not letting them be registered elsewhere). The registrar happens to be Russian (RU-CENTER), which doesn’t look good at first sight.
However, an answer comes back, the essence of which is that I should report to ICANN/Internic if the domain has invalid registration data. Then, after ICANN notifies them, they try to contact the owner, and if no answer comes back in 2 weeks(!), they switch off the domain.
Those who understand even a tiny bit of what this is about will now say “ridiculous”. Two weeks from now, when the trojan has been downloaded a million times, no one will care whether the above domains exist or not.
I’ve tried once more to explain that if we can’t kill it at the domain-registration level, there is no chance of doing anything else, like digging up thousands of bots’ IPs and reporting them one by one (while newer ones join in the meantime).
The last reply I got is currently this:
“We have initiated the check of the Whois information according to advised ICANN procedure. If it is really fail we will remove domain names.”
I’m really curious when anything will happen to these damned domains.
Update:
Dec 26, 18:04 [UTC +01:00] – New spamvertized malware hosting domain: HAPPYCARDS2008[.COM] – similar fake details, new registration, etc. Another message urging the Russians to act. A slogan popped into my mind, from an early MTV environmental advertisement: “If you’re not part of the solution, you’re part of the problem…”
Dec 26, 20:33 [UTC +01:00] – I didn’t get any answer from RU-CENTER, nor do I see the domains disappearing. So I encourage anyone who cares even a little to contact (“bomb”) RU-CENTER at the “tld-ncc [@] nic.ru” address regarding this matter. Other forms of contact can be seen here: http://www.nic.ru/about/en/contact_ncc.html
I’m amazed how many people wrote blog entries on this issue, yet none seemed to contact the only place that can do anything, the “tree root”. Come on, people, you can do better. Or do I have to save the world (again) single-handedly? :-]
Dec 27, 10:15 [UTC +01:00]
First newyearcards2008[.com] spams – RU-CENTER urged to act again. It seems that if you want to spam, you should choose them to register your domain…
Dec 28, 16:51 [UTC +01:00]
New domain: newyearwithlove.com – reported to ICANN/Internic
Jan 05, 15:39 [UTC +01:00]
As you might have guessed, I got tired of reporting to an unresponsive registrar, Internic and sirt.
There is not much I can do, and many others have started to complain and comment on this issue.
Such as – but not limited to:
http://www.castlecops.com/p1038986-storm_worm_spam.html#1038986
Where – among others – you can see my “open letter to RU-CENTER”.
That was addressed on the 28th of December to ru-ncc@nic.ru, tld-ncc@nic.ru, tld-adm@nic.ru, tld-tech@nic.ru and info@cert.ru
Since they didn’t bother to do anything, or at least to answer, the most I can do is list their addresses here and hope that e-mail address harvester bots will “get the message” and eventually make them feel the same way as many of us do.
Spamhaus complaint listed at: http://www.spamhaus.org/news.lasso?article=624
List of all domains registered in relation to this fast-flux Storm-bot Christmas/New Year “event”:
http://www.spamtrackers.eu/wiki/index.php?title=Storm#December_29
Jan 09, 15:53 [UTC +01:00]
Just received a mail from RU-CENTER:
“The domains:
HAPPYCARDS2008.COM
NEWYEARWITHLOVE.COM
UHAVEPOSTCARD.COM
MERRYCHRISTMASDUDE.COM
are put on hold,
—
Best Regards,
Julia A. Lotkova
Regional Network Information Center (RU-CENTER)
Phone: +7 495 737-0601
fax: +7 495 737-0602
http://www.nic.ru”
And it only took like 16 days!!!
Let’s be happy, folks – and prepare for the new domains which will be registered soon…
Jan 10, 11:51 [UTC +01:00]
“From: “RU-CENTER NCC”
Sent: Thursday, January 10, 2008 11:51 AM
Subject: [ru-center #1781157] Re: open letter to RU-CENTER
Dear Sirs,
The domains are put on hold, thank you for your report.
New alike registrations are monitored.
—
Best Regards,
Julia A. Lotkova
Regional Network Information Center (RU-CENTER)
Phone: +7 495 737-0601
fax: +7 495 737-0602
http://www.nic.ru”
So let’s hope that at least new domains won’t be registered here.