In yesterday’s post, I pointed out how simple it was for internet criminals to get a free domain name through the Microsoft Office Live (MSOL) hosting service. Today we’ll examine what they do when MSOL learns that their (unpaying) customer is violating their terms of service.

Microsoft’s Response
The MSOL method of dealing with abuse complaints is mixed. (One of the worst examples can be read in a series of forum posts starting last April, in which a complaint sender was assured a site would be down in 48 hours and it was still up weeks later. This case is extraordinary, however.)

The industry standard is that complaints about abuse of a company’s server should go to the contact point listed in the Whois of the server’s IP address. MSOL sites show up on two IP addresses, both of which list as the Abuse contact. However, has a spotty track record in responding to these requests. At best they redirect you to talk to somebody else, at worst they deny Microsoft owns that IP address or completely misunderstand the content of a complaint. (For example, if I’m complaining about a lottery scam, I don’t need to be told that I may have received a lottery scam email.)

(A minor side note: all Microsoft and MSOL email addresses (even abuse@) have spam filters. That means you can’t forward a scam letter in plain text as evidence; Microsoft requests file attachments instead. More reading on abuse department “best practices” can be found at RFC Ignorant and RIPE if you’re bored, or really into that sort of thing.

Another side note: aa419 recommends never opening attachments sent to you in email, ever.)

A less typical contact point is to get in touch with the technical contact listed in the site’s Whois details, in this case . This results in a somewhat improved response record, but they tend to direct anyone who contacts them to use a web form instead. (A form which, incidentally, requires the complainant to use Microsoft Internet Explorer!)

Once we managed to learn the preferred complaint process, the response rate apparently improved. (More on why I use the word “apparently” in the next post!) One significant problem which remains, though, is an inability to complain about more than one domain at a time. We know of hundreds of scam domains, and the most effective MSOL complaint process doesn’t really have a way of handling more than one at a time.

There are indeed some more specialized contacts we know at Microsoft, and we have been trying hard to work with them. We have sent long lists of domains at once for them to work with. For example, 163 domains imitating the Central Bank of Nigeria (CBN) — we all know that the CBN does its own hosting, not on MSOL free services, and there are a limited number of legitimate CBN domains. That list was allegedly closed down. A sample:

http://atmcardcenter.org
http://atmcbn-gov.net
http://cbnannexofficelondon.com
http://cbn-bank.com
http://cbnbanknig.com
http://cbnbank-online.net
http://cbn-email.org
http://cbngroup.org
http://cbn-online-ng.org
http://cbnpaymentdepartmentnig.org
http://cbnpaymentofficedirectlink.com
http://cbnstaff-email.org
http://cbnwiretransfer.com
http://cenbankforeignremittance.org
http://cenbank-ng.org
http://cenbank–ng.org
http://centrabankonline.org
http://centralbankforeignremittance.org
http://centralbankgovernment.com
http://centralbankheadquater.com
http://central-bank-ng.org
http://centralbank-nigria.com
http://centralbankofnig.org
http://centralbankofniigeriaheadquarter.com
http://centralbk-nig.com
http://centralbk-nig.net
http://foreignoperationscenbank.org
http://foreignremittancedept.org
http://governorcentralbnkng.org
http://mail-cbn.com
http://nig-cbn.net
http://thegovernorcentralbank.net
http://transferdeptcenbank.org

Other large batches have been sent with mixed results. Over 600 fake government agencies from various countries are still alive. A sample:

http://bankofengland-online.com
http://bankofengland-plc.org
http://british-customs.org
http://british-immigration-uk.org
http://britishgovuk.org
http://fedbureau-invcstigation.org
http://federalbureauoffice.org
http://federalhighcourt-nig.com
http://fraud-interpol-uk.com
http://fraud-interpol.net
http://hm-customs.net
http://inlandrevenueservice.org
http://inland-revenueboard.com
http://met-police-uk.com
http://ministryoffinance-ng.org
http://ministryofinformation-nig.org
http://presidencynig-gov.com
http://presidencyoffice-nig.com
http://reservebankonline.org
http://unitednations-online.com
http://unitednationshqs.net
http://unitednations-webonline.org
http://worldbank-online.com

Even Microsoft employees are not able to get consistent results. We send our contact long lists, he states it will be dealt with… and then nothing happens. We send a reminder, the contact says they don’t understand why it hasn’t been dealt with, and nothing continues to happen. I have every reason to believe these contacts are working with us in good faith — it is the abuse complaint system within MSOL which is lacking.

To be completely up front, Microsoft got in touch with us first, asking us to moderate some anti-Microsoft commentary in the forums which resulted from general disgust with the MSOL responses to complaints. We took the opportunity to discuss why that commentary was there in the first place and express our desire to see small changes.

The next post will go into detail about the most critical failure of MSOL support — the fact that they apparently can’t actually close an account.

This entry was posted on Monday, February 11th, 2008 at 12:02 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.