InBoxRevenge KS Forum

Interesting

http://www.examiner.com/article/interpo ... drug-raids



There was also a tv segment in Toronto about this that featured an interview with an Interpol officer.

The segment focused on purchasing from rogue pharmacy websites, and seemed to make an extra effort *not* to show which sites were used. They looked like EvaPharmacy sites from the selection of the drugs that was visible. (My guess, Canadian Health&Care Mall)

Good to see.

SiL

Examiner.com:
diet erectile dysfunction medications ???

Wurst case of a missing comma that I've seen in a while.

[Edit: Add]
See "Pangea VII" on Interpol's website at
http://www.interpol.int/Crime-areas/Pha ... ion-Pangea

(My emphasis added to the date and the total)

Was it really the combined efforts of all those agencies that resulted in over 10,600 websites being shut down?

Let's see how many I shut down. My publication date was May 16 2014, and posted on this site:

REGISTRAR	SUSPENDED	REPORTED	PCT	PENDING
PSI-USA, INC / InterNetX	1616	1769	91	153
TRUNKOZ TECHNOLOGIES	1564	1564	100	0
NETLYNX INC.	1615	2137	76	522
NAMESILO LLC	1107	1124	98	17
DOMAINCONTEXT	1615	1615	100	0
EvoPlus Ltd.	687	687	100	0
KEY-SYSTEMS	356	362	98	6
CLOUD GROUP LIMITED	97	97	100	0
ABOVE.COM PTY LTD	168	168	100	0
UNITED-DOMAINS AG	82	82	100	0
NIC.AT / AT.DOM	160	160	100	0
REGRU-REG-RIPN	35	35	100	0
**Domain Silver Inc.** / CERT.PL	77	77	100	0
NIC.UA	74	74	100	0
PDR LTD.	34	34	100	0
1API GmbH	0	28	0	28
NAUNET-REG-RIPN	255	799	32	544
BIZCN.COM, INC	694	774	90	80
HTTP.NET INTERNET GMBH	260	261	100	1
DATTATEC.COM	21	21	100	0
MONIKER ONLINE SERVICES	17	20	85	3
DOMAIN.COM	12	13	92	1
NORDNET	13	14	93	1
ARCTIC NAMES, INC.	10	10	100	0
1&1 INTERNET AG	9	9	100	0
SILICONHOUSE.NET	101	101	100	0
TODAYNIC.COM, INC.	9	29	31	20
	---------	---------	---------	---------
TOTALS	10,688	12,064	89	1,376

So according to the press release dated 13-20 May 2014 the combined forces of all those operatives in Operation Pangea have brought about the shut down of over 10,600 web sites.

And according to my posting dated 16 May 2014, my own Operation Enough is Enough I have personally brought about the shut down of 10,688 web sites.

I leave it up to you to decide whether the Operation Pangea result is just a coincidence, or whether they are taking the credit for my operation as if it were part of their own.

I was hoping it meant they shut down 10,600 websites that were still in operation on the date of the raids. Surely there would have been a lot more than 10,600 if they were counting all of yours, too.

Hmm, Remade an account sorry if this ends up being a duplicate.

I am just hoping you give me in depth guide to how you are reporting these sites.

Normally I just report to the IP registrar, the domain registrar. I do this via email. But I am not having much luck with them responding.

The information that needs to be sent to the IP address owner, (the ISP), is as shown in
viewtopic.php?f=1&t=7337

The evidence of fraud for pharmacy domains is posted at http://www.spamtrackers.eu/wiki
Reports to registrars of the domain names are usually effective when they contain links to the evidence of illegal activity shown there.

Other evidence is seen in the press releases from the FBI, the Canadian International Pharmacy Association and the Department of Justice, for example
http://www.fda.gov/NewsEvents/Newsroom/ ... 358794.htm
http://www.cipa.com/fraudulent-sites/
http://scamfraudalert.org/2013/07/06/fd ... -pharmacy/

For the Russian "Eva Pharmacy" fraud operation, most ISPs and Registrars find that evidence sufficiently convincing that they take action.
The exceptions are in India and China who sometimes take action, and Russia, who rarely take any notice.

Registrar responsiveness is tracked at viewtopic.php?f=1&t=5905

Ok thanks, took a look at that link and I basically did those exact steps and gave all of the same information in my emails. I also filled out the abuse forms. But I have one other question.

What do you do when the registrar of the domain and the company that owns the IP the site is hosted on do nothing?
I have had a little luck with reporting sites for incorrect whois on ICAAN but other then that, I am kind of out of ideas

The methods vary according to the registrar(for domains) and the ISP (for the IP addreses).

Post some examples of domains and registrars, IPs and ISPs, and I will take a look and try to advise how best to report them.

Generally speaking, the most effective targets in priority order would be -

Domain name server (kills multiple domains)
Scam/fraud domains
IP addresses

The state of the art is that IP addresses are set up on a constant rotation basis. An IP hosting 1000 domains may be switched to other IPs several times a day, so taking down one has a minimal impact on the operation. These scammers just take it out of the rotation pool and carry on.

This is the main site I want taken down: ixjobs.net

I have reported the domain and IP to these people:
[email protected]
[email protected]
[email protected]
ICANN
[email protected]
[email protected]

No luck with any of them.



Another: medicnhjet.ru
Sent to:
[email protected]
[email protected]
ICANN
[email protected]
[email protected]

Lastly: garciniafatburn.com
Reported to:
ResellerID Form
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]


Any advice you can provide will be beneficial!!

registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
(Unresponsive)
Evidence page
http://www.spamtrackers.eu/wiki/index.p ... acy_Expres

medicnhjet.ru has address 94.242.199.109
Please contact abuse@as5577.net

UPDATE June 27
94.242.199.109 traceroute shows the IP gets no further than the .as5577.net upstream
478 ms xe-0-3-1.r1.lon.iptransit.com [204.26.60.209]
396 ms te4-1.r2.lux.iptransit.com [199.59.206.134]
498 ms ic-root.lux.as5577.net [199.59.206.98]
* Request timed out.
* Request timed out.

But now, medicnhjet.ru has address 189.197.62.147

Thanks for the above^

Just curious why did you say "medicnhjet.ru has address 94.242.199.109"
Doing a who.is on the domain shows me it is: 80.86.88.69

Any idea on the other 2 I mentioned?

To get a world-wide view of what IP address a name resolves to, visit
http://cachecheck.opendns.com/
and key in the domain name. You should see results from many different geographical locations.

WHOIS does not give you any reliable result. It is designed to provide information about only the registrar and the registrant.

Another useful detailed analysis of the domain is at
http://www.dnsstuff.com/tools#dnsReport ... icnhjet.ru
It takes a few seconds to build the report, so be patient.

I will comment on the other two at a later time, because they are out of my area of attention at this time and I am a little busy.

ISP DETAILS
What is the IP:
>host -t ta ixjobs.net
ixjobs.net has address 46.22.166.160

ISP for that IP
netname: E-RING-NETWORK
descr: E-RING KRAKOW DATA CENTER
country: PL

person: Artur Grabowski
address: Slupsk
phone: +48 61 669 06 22
On Facebook: https://www.facebook.com/artur.grabowski.94801

What URLs have landed on that IP:
https://www.virustotal.com/en/ip-address/46.22.166.160/information/


REPUTATION SERVICES
Ratings on mywot for the domain name
https://www.mywot.com/en/scorecard/ixjobs.net
McAfee SiteAdvisor
http://www.siteadvisor.com/sites/IXJOBS.NET#reviewercommentssummary

REGISTRAR

Domain Name: IXJOBS.NET
Registrar: GODADDY.COM, LLC
Name Server: NS19.DOMAINCONTROL.COM
Name Server: NS20.DOMAINCONTROL.COM
Status: clientDeleteProhibited
Status: clientRenewProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 21-apr-2014
Creation Date: 24-feb-2014
Expiration Date: 24-feb-2015

REGISTRANT
Registrant details from WHOIS:


He has registered other domain names, either extinct or unused - eg FINEARTE.INFO which has a different (Russian) valid phone number ( Registrant Phone:+7.69278805 )
A list of his registrations can be seen at http://www.webboar.com/whois-email/dGhvci5pdWxpYW5AZ21haWwuY29t

EVIDENCE OF ILLEGAL ACTIVITY

The phone number rings. The address looks valid, because there is a 3 Strada Malva in Bucharest; although the exact postal code would be 030773 ( http://prefixe.ro/cauta_cod_postal-0.php/page=255 )

The registrant is mentioned at http://pastebin.com/PTMqby9K "Alexandru Iulian Florea - Romanian Spammer"
His Facebook page is unused at https://www.facebook.com/profile.php?id=100005028934348&sk=about

But where is there any convincing evidence that it is used for fraud, or breaks the registrar or ICANN terms of service?
http://cyberwarzone.com/aware-ixjobs-twitter-scam/
http://news.softpedia.com/news/Flappy-Bird-Fans-Targeted-by-Scammers-on-Twitter-426583.shtml
http://www.bloglovin.com/viewer?post=2906229801&group=0&frame_type=b&blog=3786644&frame=1&click=0&user=0

Formerly known as jobdeals.us and twitter.jobdeals.us - http://archive.today/5WKe8

GoDaddy have previously suspended one of his similar domains
Domain Name: SOCIALD-EALS.COM
Registrar: GoDaddy.com, LLC
Updated Date: 06-sep-2013
Creation Date: 14-aug-2013
Registrant Name: Alexandru Iulian Florea
Tech Email: [email protected]
Name Server: NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
Name Server: NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM


That is the sort of information that might encourage GoDaddy to take action.

GARCINIAFATBURN.COM



3902 Weston Road is in Toronto.
Postal Code: M9N 1G4 does not span that address.
Phone: +1.4162107432 does not exist.
Useful reference from a trusted source:
http://grahamcluley.com/2013/07/fake-bbc-diet-spam/

Go to https://forms.icann.org/en/resources/compliance/complaints/whois/inaccuracy-form