Sometimes you see hundreds of fraud domains hosted at the same IP address. In a campaign to combat fraud, there are advantages in taking such an IP address out of circulation.
1. There will be a period of disruption while the fraud syndicate reassigns the hosts to a replacement IP address, and a period of down-time for the spammed domains affected.
2. Once they are reassigned, there is still a second disruption. Name servers whose domains have been placed on Client Hold can still resolve names for a while, because of caching within the Internet's DNS. Once access to the IP address is stopped, those cached answers stop working too.
3. If the owners know that there is a compromised machine at that IP, they can locate it and clean it up, making it more robust and less likely to be compromised again.
Let's look at an example. On June 8, 2014 over 200 Eva Pharmacy fraud sites were detected on IP address 87.117.192.110.
A WHOIS lookup on 87.117.192.110 shows that it belongs to RapidSwitch in the United Kingdom, with these contact details:
Code:
remarks: ******************************************************
remarks: * ABUSE REPORTS *
remarks: * https://myservers.rapidswitch.com/reportabuse.aspx *
remarks: ******************************************************
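The WHOIS step above can be scripted. The following is an added example, not code from the original post: it fetches RIPE-style WHOIS text over TCP port 43 (network needed) and pulls the abuse-reporting contacts out of the `abuse-c`, `abuse-mailbox` and `remarks` fields. The sample record is constructed for this example; only the report-abuse URL in the remarks block is taken from the page, and the netname, address range and mailbox are placeholders.

```python
import re
import socket
from typing import Dict, List

URL_RE = re.compile(r"https?://[^\s*]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def whois_query(ip: str, server: str = "whois.ripe.net", timeout: float = 10.0) -> str:
    """Fetch raw WHOIS text for an IP from a WHOIS server (requires network access)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn RIPE-style 'key: value' lines into key -> list of values.

    Blank lines and '%' comment lines are skipped; repeated keys (such as
    several 'remarks:' lines) are kept in order.
    """
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def abuse_contacts(text: str) -> Dict[str, List[str]]:
    """Collect every abuse contact a record offers: handles, mailboxes and report URLs."""
    fields = parse_whois(text)
    remarks = " ".join(fields.get("remarks", []))
    return {
        "abuse_handles": fields.get("abuse-c", []),
        "mailboxes": sorted(set(fields.get("abuse-mailbox", []) + EMAIL_RE.findall(remarks))),
        "urls": sorted(set(URL_RE.findall(remarks))),
    }


# Constructed sample in RIPE format. Only the report URL in the remarks block
# comes from the post; the range, netname, handle and mailbox are placeholders.
SAMPLE_WHOIS = """\
% Constructed sample record, not a live query result.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
country:        GB
abuse-c:        EXAMPLE-ABUSE-RIPE
remarks:        ******************************************************
remarks:        * ABUSE REPORTS *
remarks:        * https://myservers.rapidswitch.com/reportabuse.aspx *
remarks:        ******************************************************
abuse-mailbox:  abuse@example.net
"""

if __name__ == "__main__":
    # For a live lookup: abuse_contacts(whois_query("87.117.192.110"))
    print(abuse_contacts(SAMPLE_WHOIS))
```

Run it against `whois_query(ip)` output for a real lookup; when a record carries an `abuse-c` handle but no mailbox or URL, a second query for that handle (a role object) is where the `abuse-mailbox` normally lives.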
Filling in the abuse report form at that web page lets them know of the issue:
Quote:
IP Address: 87.117.192.110
Type of Abuse: Hacking
Affects Network:
Hacked server hosting hundreds of fraud pharmacies
Details:
Please null route the access to this IP address, used to host over 200 pharmacy fraud domains.
Details are posted at
http://www.spamtrackers.eu/wiki/index.php/Netlynx#Sample_illegal_domains
Examples
adacarleen.com
adelheidines.com
adriannairina.com
aggidaffinan.com
albertakaterine.com
aloiseerica.com
annmariecharmane.com
arielchelsie.com
aureliechiarra.com
bettekassia.com
blanchekaja.com
clairgizela.com
claudehesther.com
connihannie.com
alanaheloise.in
alleneandree.in
anettekaterina.in
annelisenanniekai.in
ardithleyla.in
arlinazarla.in
aureliecoral.in
babrenelle.in
bambicorny.in
beagiuliagui.in
Evidence about the perpetrators can be seen at these links:
http://spamtrackers.eu/wiki/index.php/EvaPharmacy
http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm358794.htm
http://www.cipa.com/fraudulent-sites/
http://scamfraudalert.org/2013/07/06/fda-warning-letter-eva-pharmacy/
Usually the host machine has been hacked and the server added.
Domain Name: spamtrackers.eu
Protocol: http
Port: 80
Material:
http://spamtrackers.eu/wiki/index.php/EvaPharmacy

rapidswitch wrote:
Thank you for your abuse report regarding IP address 87.117.192.110.
We are a conduit for this IP address, and the party responsible for it according to our records is one of our clients. Your complaint has been passed to the client, who will deal with the matter accordingly. Their response will be passed back to you at the e-mail address you raised this report from.
If no response is received from our client, it will automatically be escalated to a member of our staff. We aim to get a response to all abuse reports within five working days.
Regards,
RapidSwitch
A traceroute will show whether the IP is still reachable. Using the looking glass at https://www.ultratools.com/tools/lookingGlassTools, allowing for 15 hops:
Code:
Hop number: 12
Connected to: 87.117.212.38 ( 87.117.212.38 )
Roundtrip times: 82.22 ms, 81.088 ms, 83.048 ms
Country: United Kingdom
Hop number: 13
Roundtrip times: Timed out.
Hop number: 14
Roundtrip times: Timed out.
UPDATE JUNE 13, 2014

RapidSwitch wrote:
The RapidSwitch abuse team have returned your abuse ticket to the client who
was hosting the material you complained about. They should respond to the
ticket shortly. The comment added by the abuse team follows:
Ticket escalated to staff due to no response within 4 days. Please provide an update and confirm if the issue has been resolved. Thanks
All of the over 200 domains have been relocated onto another IP address, 107.6.41.96.
Anyone want to try this one in the same fashion?
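The whole cycle described in this post, spotting an IP that hosts an unusual number of watched domains and then checking where those domains went after the report, is easy to automate. The following is an added example, not code from the original post. It resolves a watch list to A records, groups the names by IP, flags hosting hotspots, and diffs two snapshots to report relocations. The sample data is constructed: a few names from the list above and the two IPs the post mentions, with table-driven resolvers standing in for live DNS so it runs offline (pass `resolve_a` instead for real lookups); `example.org` and `192.0.2.10` are a control name and a placeholder address.

```python
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A resolver maps a domain to its IPv4 address, or None when it does not resolve.
Resolver = Callable[[str], Optional[str]]


def resolve_a(domain: str) -> Optional[str]:
    """Live resolver (needs network): first IPv4 address for the name, else None."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


def snapshot(domains: Iterable[str], resolve: Resolver = resolve_a) -> Dict[str, Optional[str]]:
    """Record where every watched domain currently points."""
    snap: Dict[str, Optional[str]] = {}
    for raw in domains:
        name = raw.strip().lower()
        if name:
            snap[name] = resolve(name)
    return snap


def cluster_by_ip(snap: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Invert a snapshot: IP address -> sorted list of domains hosted there."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for domain, ip in snap.items():
        clusters[ip or "unresolved"].append(domain)
    return {ip: sorted(names) for ip, names in clusters.items()}


def hosting_hotspots(clusters: Dict[str, List[str]], min_domains: int = 10) -> List[Tuple[str, int]]:
    """IPs hosting at least min_domains of the watched names, busiest first."""
    hits = [(ip, len(names)) for ip, names in clusters.items()
            if ip != "unresolved" and len(names) >= min_domains]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


def detect_relocation(before: Dict[str, Optional[str]],
                      after: Dict[str, Optional[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Compare two snapshots: old IP -> {new IP or 'unresolved': domains that moved}."""
    moves: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for domain, old_ip in before.items():
        new_ip = after.get(domain)
        if old_ip and new_ip != old_ip:
            moves[old_ip][new_ip or "unresolved"].append(domain)
    return {old: {new: sorted(names) for new, names in dests.items()}
            for old, dests in moves.items()}


# Constructed sample: a few names from the post's list plus a control name,
# with the two IPs the post mentions. The table-driven resolvers stand in for
# live DNS so the example runs offline; use resolve_a for real checks.
WATCHED = ["adacarleen.com", "adelheidines.com", "adriannairina.com",
           "alanaheloise.in", "alleneandree.in", "anettekaterina.in",
           "example.org"]
OLD_IP, NEW_IP = "87.117.192.110", "107.6.41.96"


def resolver_before(domain: str) -> Optional[str]:
    return {"example.org": "192.0.2.10"}.get(domain, OLD_IP)


def resolver_after(domain: str) -> Optional[str]:
    # One name is assumed to have dropped off entirely after the null route.
    return {"example.org": "192.0.2.10", "anettekaterina.in": None}.get(domain, NEW_IP)


def demo() -> Tuple[List[Tuple[str, int]], Dict[str, Dict[str, List[str]]]]:
    before = snapshot(WATCHED, resolver_before)
    after = snapshot(WATCHED, resolver_after)
    return hosting_hotspots(cluster_by_ip(before), min_domains=5), detect_relocation(before, after)


if __name__ == "__main__":
    hotspots, moves = demo()
    print("hotspots:", hotspots)
    print("relocations:", moves)
```

Keeping the snapshots on disk (one per day is plenty) is what turns this into the "update" step of the post: the diff tells you not just that the takedown worked, but which new IP to report next, and which names simply stopped resolving.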