ICANN Compliance complaint XTO-568-35273: QHoster Proxy
This is an HTML rendition of the PDF document sent to ICANN Compliance as the complaint below, followed by the escalation attempts made at ICANN.
Time span: 01 Mar 2018 – 07 Jun 2019 (last contact)
Ref: https://www.icann.org/en/system/files/files/complaint-00005840-redacted-11jul18-en.pdf
Note: minor edits were made to avoid email address harvesting.
ICANN Compliance complaint XTO-568-35273
QHoster Proxy
Derek Smythe
Artists Against 419
2018-03-17
Contents
QHoster
QHoster as Domain Name Reseller
QHoster as a Proxy
Registrant Details Used
Continuous Malicious Domains
Namesilo Knowledge of the Proxy Service
QHoster
QHoster is a hosting provider, a domain name reseller and also a proxy provider for some domains registered via them.
Their website is at https://www.qhoster.com/.
Their general privacy policy is at https://www.qhoster.com/privacy-policy.html
Of importance on this page, right at the bottom, are their address details and specifically the email address:
[screenshot omitted in this rendition]
QHoster as Domain Name Reseller
QHoster is currently a Namesilo reseller under the ICANN registrar channel. Many domains are also labelled as such, showing a formal recognition of this relationship by the registrar:
[screenshot omitted in this rendition]
The ICANN RAA 2013 defines a reseller as:
[screenshot omitted in this rendition]
Considering that Namesilo’s own registry entries attest to this relationship, this reseller is an official reseller of theirs. Additionally, QHoster offers full domain registration and management services on its own website.
QHoster as a Proxy
We find a history of domains registered to the email address info@QHoster.com. This is the exact same email address used in the QHoster privacy policy shown at the start. Further, we also find the email address domains@qhoster.com used for the same purpose.
Note: A registrar standards complaint was also filed via ICANN Compliance a day prior to this complaint; a reply was received today (ref. UNY-783-11184). It forms part of the issues we see and the reason this complaint was lodged.
QHoster is a primary source of malicious domains using Namesilo as sponsoring registrar. In an analysis, over 60% of domain names with registrar Namesilo showed QHoster as the reseller. This excludes .org domains, which for some reason do not show the reseller tag, so the true figure is higher. Namesilo itself is the second most abused registrar in terms of advance fee fraud domains, i.e. domains deliberately registered for advance fee fraud. Typically these domains are registered with deliberately inaccurate registration details that will not pass the most basic scrutiny or checks.
The registrar Namesilo sees itself as “only a registrar”, as stated on its website, yet does not enforce the mandated registrant requirements or check their validity, leading to gross abuse. Namesilo never responds to enquiries, whether sent by email or via the website form it insists complainants use. That form has no flow control and gives the complainant no automatic receipt or reference code. This has been mentioned before in complaints to ICANN about this registrar; in the past the registrar has replied to ICANN that it never received any such complaints. This situation continues, making a mockery of the ICANN RAA requirements and of any accountability metrics such as retaining abuse reports. In turn this is leading to mass unlawful usage of their services to target consumers in fraud. We also see malicious actors migrating to Namesilo from other registrars that are not fraud tolerant.
As such, seeing QHoster operate a proxy, knowing the continuous invalid registrations we see where upstream registrar Namesilo does not check such details, and knowing that the primary source of these domains is QHoster, we shudder to think what hides behind this proxy.
But the reason for this complaint is that QHoster publishes none of the proxy terms required by the SPECIFICATION ON PRIVACY AND PROXY REGISTRATIONS of the ICANN RAA 2013 (which the sponsoring registrar Namesilo has signed). Yet Namesilo should have abided by these terms.
In this case, as per the definitions in Section 1, QHoster.com is the “P/P Provider” or “Service Provider” providing a “Proxy Service” to its “P/P Customers”.
The associated responsibility of providing such a proxy service is also defined in Section 3.7.7.3 of the RAA 2013 and previous iterations, where the “P/P Customer” is the “licensee” and the “P/P Provider” or “Service Provider” is the “Registered Name Holder”.
Section 2 states:
[screenshot omitted in this rendition]
As per the definitions and this description, this applies to QHoster and the terms below should be applicable.
[screenshot omitted in this rendition]
To be clear here and to avoid confusion, the sponsoring registrar Namesilo has its own affiliated proxy service, PrivacyGuardian, with a webpage at https://www.privacyguardian.org/, which has nothing to do with the services this compliance complaint relates to. The contact details are completely different and clearly identified as such in domain registrations.
No terms or costs linked to this proxy are found on QHoster’s website. The only web content relating to proxy services is at https://www.qhoster.com/domains.html, which is merely marketing material and not the required content. As such none of the mandated terms are available!
Registrant Details Used
The domains using the QHoster proxy use the following registration details:
[screenshot omitted in this rendition]
For some domains we see (apparently newer?):
[screenshot omitted in this rendition]
Using an online domain email lookup tool such as WHOXY, we see widespread usage of this proxy with over 2,300 domains having been recorded thus far:
https://www.whoxy.com/email/38749844
We also see a variation of this proxy registration using the email address domains@qhoster.com. While this email is not used solely for proxy registrations, many of its registrations are (it also yields some extremely interesting and invalid domain registrations such as mrcryptoidea.com). Some of these registrations also appear to be “Privacy Service” registrations as per the RAA proxy definitions quoted before.
Once again, using WHOXY, we see widespread usage of this proxy with over 600 such domains recorded:
https://www.whoxy.com/email/405699
This email was first observed as far back as 2015 with domain turk-bk.com, where it was spoofing Turklandbank (https://www.tbank.com.tr/):
https://db.aa419.org/fakebanksview.php?key=97692
Two registrant names are used, “Michael Dwen” and “Domain Administrator”, with company name “Fast Serv Inc. d.b.a. QHoster.com”. The company name is self-explanatory: it is QHoster.com.
The name Michael Dwen is commonly found linked to QHoster, also in their network information, together with the address seen in the proxy registrations. Example, 198.27.105.224:
….
OrgName: QHoster.com
OrgId: QHOST-6
Address: 1 Mapp Street
City: Belize City
StateProv:
PostalCode: 00000
Country: BZ
RegDate: 2015-02-26
Updated: 2015-02-26
Ref: https://whois.arin.net/rest/org/QHOST-6

OrgAbuseHandle: MDD11-ARIN
OrgAbuseName: Dwen, Michael Dwen
OrgAbusePhone: +18774231155
OrgAbuseEmail: abuse at qhoster.com
OrgAbuseRef: https://whois.arin.net/rest/poc/MDD11-ARIN

OrgTechHandle: MDD11-ARIN
OrgTechName: Dwen, Michael Dwen
OrgTechPhone: +18774231155
OrgTechEmail: abuse at qhoster.com
OrgTechRef: https://whois.arin.net/rest/poc/MDD11-ARIN
….
The 1 Mapp Str, Belize address is actually the address of a company specializing in the formation of offshore companies: http://www.offshorebelize.com
Email address info@qhoster.com is also found on QHoster’s own web pages on their privacy page as shown earlier.
As such there can be no confusion or doubt that the details shown in the domain registrations are those of QHoster.com.
As such it is proven that reseller QHoster is providing proxy services.
Continuous Malicious Domains
While preparing this document, a check on the WHOXY link mentioned earlier showed that a new domain, chemeout.com, had just been registered using this proxy registration:
Domain Name: chemeout.com
Registry Domain ID: 2238470100_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2018-03-13T07:00:00Z
Creation Date: 2018-03-12T07:00:00Z
Registrar Registration Expiration Date: 2019-03-12T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse at namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Reseller: QHOSTER.COM
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Fast Serv Inc. d.b.a. QHoster.com
Registrant Street: 1 Mapp Str.
Registrant City: Belize City
Registrant State/Province: BZ
Registrant Postal Code: 00000
Registrant Country: BZ
Registrant Phone: +501.18774231155
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@qhoster.com
….
Name Server: NS1.QHOSTER.NET
Name Server: NS2.QHOSTER.NET
Name Server: NS3.QHOSTER.NET
Name Server: NS4.QHOSTER.NET
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2018-03-14T07:00:00Z
A quick check on the usage shows a few things: there is already a Royal Bank of Canada spoof (419 related, not phishing) at the associated website, and a PHP mailer form commonly used in 419 fraud. As such this domain and spoof were recorded: https://db.aa419.org/fakebanksview.php?key=130286
Since recording it, the responsible party has also placed more malicious content on the associated website. An attack was being set up while this report was being written, as seen when comparing the site with its state three hours later:
An analysis of the new file, stub.exe:
https://www.virustotal.com/#/url/acfafc4510bcb2db7770f96420f75d9ab441ab9c96d3dc6cd40c69e359047234/detection
As such this website and its associated domain are clearly under malicious control.
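The registrant data in the chemeout.com record above is the whole basis for calling this a proxy registration: the registrant e-mail, organisation and reseller tag all point back at the reseller rather than at an end customer. The following script is an added example (not part of the complaint, and not QHoster's or Namesilo's code) that parses the "Key: value" WHOIS format shown above and flags a record whose registrant fields match a reseller's own published contact details. The fingerprint values are the ones the complaint attributes to QHoster; the two sample records are constructed for this example, the second one in the shape of a .org record that carries no Reseller field, so the registrant e-mail alone has to carry the check.

```python
"""Check whether a WHOIS record's registrant is really the reseller.

Added example, not part of the complaint: a parser for the "Key: value"
WHOIS output quoted above, plus a check that compares the registrant
fields against a reseller's own published contact details. When the
registrant e-mail, organisation or reseller tag points back at the
reseller, the reseller (not the end customer) is the Registered Name
Holder, which is the proxy arrangement the complaint describes.
The reseller fingerprint is taken from the complaint; both sample
records are constructed for this example.
"""
import re

# Constructed sample, condensed from the chemeout.com record quoted above.
SAMPLE_WHOIS = """\
Domain Name: chemeout.com
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Reseller: QHOSTER.COM
Registrant Name: Domain Administrator
Registrant Organization: Fast Serv Inc. d.b.a. QHoster.com
Registrant Street: 1 Mapp Str.
Registrant City: Belize City
Registrant Country: BZ
Registrant Phone Ext:
Registrant Email: info@qhoster.com
....
Name Server: NS1.QHOSTER.NET
Name Server: NS2.QHOSTER.NET
"""

# Constructed sample in the shape of a .org record, which (as the complaint
# notes) carries no Reseller field; the registrant e-mail alone must suffice.
SAMPLE_WHOIS_NO_RESELLER = """\
Domain Name: placeholder-example.org
Registrar: NameSilo, LLC
Registrant Name: Michael Dwen
Registrant Organization: Fast Serv Inc.
Registrant Email: domains@qhoster.com
"""

# Contact data the complaint attributes to the reseller acting as proxy.
RESELLER_FINGERPRINT = {
    "emails": {"info@qhoster.com", "domains@qhoster.com"},
    "org_keywords": ("qhoster", "fast serv"),
    "reseller_tag": "qhoster.com",
}

# A field name is letters, spaces or slashes up to the first colon.
_FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")


def parse_whois(text):
    """Parse 'Key: value' lines into a dict; repeated keys (Name Server) become lists."""
    record = {}
    for raw in text.splitlines():
        match = _FIELD.match(raw.strip())
        if not match:
            continue  # elision markers and blank lines carry no field
        key, value = match.group(1).strip(), match.group(2).strip()
        if key not in record:
            record[key] = value
        elif isinstance(record[key], list):
            record[key].append(value)
        else:
            record[key] = [record[key], value]
    return record


def proxy_indicators(record, fingerprint=RESELLER_FINGERPRINT):
    """Return the reasons the registrant data points back at the reseller."""
    reasons = []
    email = str(record.get("Registrant Email", "")).lower()
    if email in fingerprint["emails"]:
        reasons.append("registrant e-mail is the reseller's own contact address")
    org = str(record.get("Registrant Organization", "")).lower()
    if any(word in org for word in fingerprint["org_keywords"]):
        reasons.append("registrant organisation names the reseller")
    if str(record.get("Reseller", "")).lower() == fingerprint["reseller_tag"]:
        reasons.append("registrar record carries the reseller tag")
    return reasons


def is_reseller_proxy(whois_text, fingerprint=RESELLER_FINGERPRINT):
    """True when at least one indicator ties the registrant to the reseller."""
    return bool(proxy_indicators(parse_whois(whois_text), fingerprint))


if __name__ == "__main__":
    for sample in (SAMPLE_WHOIS, SAMPLE_WHOIS_NO_RESELLER):
        rec = parse_whois(sample)
        print(rec["Domain Name"], "->", proxy_indicators(rec) or ["no proxy indicator"])
```

Run as-is it reports three indicators for the chemeout.com sample and two for the .org-style sample. The indicators are kept separate rather than collapsed into one boolean so that a record missing the reseller tag still produces a documented reason, which is what an abuse report to the registrar needs.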
This is not surprising and par for the course, as we have been seeing many such malicious activities and have recorded them.
We also find UDRPs against this proxy where typically the respondent never replies: a $10 domain causing a loss of at least $2,500 to the applicant just to defend their rights. It begs the question why the consequence of a policy violation is wrapped in extensive and expensive processes for the victims, which have no lasting effect or relief (refer to http://snapper.aa419.org/DS/projects/petifre2/Petifre.pdf, which was included in the Namesilo standards complaint to ICANN).
http://www.adrforum.com/domaindecisions/1749008.htm – securianfinancialgroups.com
Respondent is Michael Dwen / Fast Serv Inc. d.b.a. QHoster.com (‘Respondent’), Belize
http://www.wipo.int/amc/en/domains/decisions/text/2017/d2017-2166.html – onlinefidelityhk.com & onlinefidelityhk.net
Respondents are Fid Hk of Accra, Ghana, and Michael Dwen, Fast Serv Inc. d.b.a. QHoster.com of Belize, Belize.
This is not surprising in our experience, yet it does not acknowledge the consumer harm done in the process. The evidence of malicious abuse is extensive.
While we could try to twist this into “content issues”, we need to consider other usage. Consider natoprocurement-int.com (NATO Procurement), abused to spoof NATO with no website, only in email:
Delivered-To: (removed)@gmail.com
Received: by 10.223.164.81 with SMTP id e17csp2861005wra; Fri, 22 Sep 2017 05:20:24 -0700 (PDT)
X-Google-Smtp-Source: AOwi7QCpDS9HA96hpBLbvE6ZyMi2B46lwtpNRzDIzaVqRTsVaSz+x+/6aQ/+SguqxmV+GdsVFehN
X-Received: by 10.223.155.157 with SMTP id d29mr5206540wrc.24.1506082824215
. . .
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:subject:cc:to:from:message-id:date:dkim-signature:arc-authentication-results; bh=nRPka/Whu5xclctAGQNh/bAL3nrUEalNJHULHj6Njww=; b=cYNiFwFEBuHQl56axp92Qfzcq/h8v/AjjQfldYysEKMkz6ZvhzmE73/+K+zyicC4jC kBPYi3t0k2IMuq3EFgfRgMCvn0rak3iyGP7VwwSUgrls1BJGMK/m+TSioL0D7eBHfCgA b2lH/GLQ8384aPDaEiX2Dpm+eCbs6twGFnBK/KLw5qa84NJmHsyW8a88FvsLd8pT9xMY FWMJ022uwMAbrWenqEM10YXhNyGWJHAI/VfslYPaPwQQMv64qR2VwWwf7YC0zMqFmXEj JW+xIsZeX7Un7ubIQrZiYmiqvsyczneaj0vy7YFQhTkbRJrNPC4C6iFoT59+0IeKGAd6 fAxg==
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@natoprocurement-int.com header.s=default header.b=ORzQGKlX;
. . .
Return-Path: <hollan.rodrick@natoprocurement-int.com>
Received: from terminal2.veeblehosting.com (terminal2.veeblehosting.com. [37.72.171.98]) by mx.google.com with ESMTPS id 99si3054761wmh.190.2017.09.22.05.20.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Sep 2017 05:20:24 -0700 (PDT)
. . .
dkim=pass header.i=@natoprocurement-int.com header.s=default header.b=ORzQGKlX; spf=neutral (google.com: 37.72.171.98 is neither permitted nor denied by best guess record for domain of hollan.rodrick@natoprocurement-int.com) smtp.mailfrom=hollan.rodrick@natoprocurement-int.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=natoprocurement-int.com; s=default; h=MIME-Version:Content-Type:Subject:Cc:To:From:Message-ID:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
. . . .
Message-ID: <20170922082021.Horde.s6ln0_N2fpVRtAIgDTeO0dA@37.72.171.98>
From: "Gen. Hollan Rodrick" <hollan.rodrick@natoprocurement-int.com>
To: snipped@gmail.com
Cc: petjamson@gmail.com
Subject: NATO Procurement Contract Agreement
User-Agent: Horde Application Framework 5
Content-Type: multipart/mixed; boundary="=_N4ANCq0jar-YtmCNfcPryN4"
MIME-Version: 1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - terminal2.veeblehosting.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - natoprocurement-int.com
X-Get-Message-Sender-Via: terminal2.veeblehosting.com: authenticated_id: hollan.rodrick@natoprocurement-int.com
X-Authenticated-Sender: terminal2.veeblehosting.com: hollan.rodrick@natoprocurement-int.com
. . .
The simple reality is that there is no way to mitigate malicious domain abuse at the hosting level.
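The headers above show why an email-only domain slips past hosting-level and authentication-level controls: Google records dkim=pass and spf=neutral, and the From: address is aligned with the signing domain, because natoprocurement-int.com is the sender's own lookalike domain. The script below is an added example (not part of the complaint, and not code from any party named in it) that parses a constructed, condensed copy of those headers and separates the two questions a mail filter must ask: did authentication pass for the sending domain, and is that domain one the claimed brand actually uses. The brand-to-domain allow-list is an assumption for this example; the recipient address is a placeholder.

```python
"""Triage e-mail authentication headers for brand impersonation.

Added example, not part of the complaint. The header block is a
constructed, condensed version of the NATO spoof headers quoted above.
It demonstrates why dkim=pass plus an aligned From: domain is not a
legitimacy signal: both only prove the mail came from
natoprocurement-int.com, a lookalike domain the sender controls.
The brand-to-domain allow-list is an assumption for this example.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: the essential headers of the spoof, folded the way a
# receiving mail server folds long header values.
SAMPLE_HEADERS = """\
Return-Path: <hollan.rodrick@natoprocurement-int.com>
Received: from terminal2.veeblehosting.com (terminal2.veeblehosting.com. [37.72.171.98])
 by mx.google.com with ESMTPS id 99si3054761wmh.190.2017.09.22.05.20.23;
 Fri, 22 Sep 2017 05:20:24 -0700 (PDT)
Authentication-Results: mx.google.com;
 dkim=pass header.i=@natoprocurement-int.com header.s=default header.b=ORzQGKlX;
 spf=neutral (google.com: 37.72.171.98 is neither permitted nor denied by best
 guess record for domain of hollan.rodrick@natoprocurement-int.com)
 smtp.mailfrom=hollan.rodrick@natoprocurement-int.com
From: "Gen. Hollan Rodrick" <hollan.rodrick@natoprocurement-int.com>
To: recipient@example.net
Subject: NATO Procurement Contract Agreement
Message-ID: <20170922082021.Horde.s6ln0_N2fpVRtAIgDTeO0dA@37.72.171.98>
"""

# Assumed allow-list: brand keyword -> domains that legitimately send for it.
BRAND_DOMAINS = {"nato": {"nato.int"}}


def parse_auth_results(value):
    """Pull method=result pairs and the DKIM signing identity out of Authentication-Results."""
    value = " ".join(value.split())  # unfold continuation lines
    results = {method: result.lower()
               for method, result in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", value)}
    ident = re.search(r"header\.i=@?([\w.-]+)", value)
    results["dkim_domain"] = ident.group(1).lower() if ident else None
    return results


def triage(raw_headers, brands=BRAND_DOMAINS):
    """Summarise authentication and check whether a claimed brand matches the sending domain."""
    msg = email.message_from_string(raw_headers)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()
    # Brand words in the display name, subject or domain are the impersonation claim.
    haystack = f"{display_name} {msg.get('Subject', '')} {from_domain}".lower()
    claimed = [brand for brand in brands if brand in haystack]
    mismatched = [brand for brand in claimed if from_domain not in brands[brand]]
    return {
        "from_domain": from_domain,
        "dkim": auth.get("dkim"),
        "dkim_aligned": auth.get("dkim_domain") == from_domain,
        "spf": auth.get("spf"),
        "claimed_brands": claimed,
        "brand_mismatch": mismatched,
        "verdict": "suspicious" if mismatched else "no brand mismatch",
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HEADERS).items():
        print(f"{key:15} {val}")
```

For the sample the output shows dkim=pass, dkim_aligned=True and spf=neutral, and still returns "suspicious", because the brand word in the display name, subject and domain is backed by a domain outside the allow-list. That is the distinction the complaint is making: the registration of the lookalike domain is the problem, and nothing at the hosting or mail-authentication layer can correct it.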
Below is a list of some domain names found, the claimed business name, comments, a link to the database entry indicated as “DB” and a snapshot marked “Snap” – recorded at the time of entering into the Artists Against 419 database:
1. chemeout.com – Royal Bank of Canada
Spoofing: Royal Bank of Canada. Active.
DB: https://db.aa419.org/fakebanksview.php?key=130286
Snap: https://db.aa419.org/docs/DB/00/0013/001302/00130286/20180314_161432_18juwol8.jpg

2. bacibc.net – Bond Alliance Credit International Bank Corporation (BACIBC)
Content stolen from: https://www.mmgbank.com/ Currently host suspended.
DB: https://db.aa419.org/fakebanksview.php?key=130109
Snap: https://db.aa419.org/docs/DB/00/0013/001301/00130109/20180303_213833_y2s7kvel.jpg

3. hdfcsacess.com – HDFC Bank
Spoofing: https://www.hdfcbank.com/ Active and content hidden at http://ib.hdfcsacess.com/personal/default.htm
DB: https://db.aa419.org/fakebanksview.php?key=130078
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130078/20180302_193640_2fjhdswu.jpg

4. diamondoline.com – Diamond Bank
Spoofing: http://www.diamondbanking.com/ Content hidden at http://diamondoline.com/home/index.htm.html
DB: https://db.aa419.org/fakebanksview.php?key=130077
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130077/20180302_191655_s3i2ajom.jpg

5. wintrustacces.com – WinTrust Bank Plc
Content stolen from: https://www.accessbank.com/ Content hidden in a sub-domain at http://ib.wintrustacces.com/
DB: https://db.aa419.org/fakebanksview.php?key=130076
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130076/20180302_180542_t0eucfvv.jpg

6. crelann.com – Crelan
Spoofing: http://www.crelan.be/ Content hidden at http://crelann.com/nl/algemeen/index.html
DB: https://db.aa419.org/fakebanksview.php?key=130075
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130075/20180302_173122_b6tvxbdr.jpg

7. ncitioline.com – Citi Private Bank
Spoofing: https://www.privatebank.citibank.com/ Currently host suspended.
DB: https://db.aa419.org/fakebanksview.php?key=130070
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130070/20180302_032243_kgjfoofa.jpg

8. hsbacess.com – HSBC Bank Plc
Spoofing: http://www.hsbc.com/ Content hidden in a sub-domain at http://ib.hsbacess.com/
DB: https://db.aa419.org/fakebanksview.php?key=130069
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130069/20180302_025728_zo4b55ix.jpg

9. cbdaee.com – Commercial Bank of Dubai
Spoofing: https://www.cbd.ae/ Content in a sub-domain at http://ib.cbdaee.com/index.html
DB: https://db.aa419.org/fakebanksview.php?key=130068
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130068/20180302_024452_t0px8nqf.jpg

10. accessonlnc.com – Access Plc / The Military Bank
Content stolen from: https://www.accessbank.com/ Content hidden in a sub-domain at http://us.accessonlnc.com/
DB: https://db.aa419.org/fakebanksview.php?key=130065
Snap: https://db.aa419.org/docs/DB/00/0013/001300/00130065/20180301_215645_8epeh87w.jpg
Also see: https://db.aa419.org/fakebanksview.php?key=116099

11. hbl-habibz.com – Habib Bank
Spoofing: http://www.habibbank.com Status unknown. Content was hidden at http://www.hbl-habibz.com/bank/index.html and found after a victim report. Ref: https://scamsurvivors.com/forum/viewtopic.php?f=17&t=65480
DB: https://db.aa419.org/fakebanksview.php?key=129708
Snap: https://db.aa419.org/docs/DB/00/0012/001297/00129708/20180209_210217_fpwsvryr.jpg

12. santanderin.com – Banco Santander, S.A
Spoofing: https://www.santanderbank.com ClientHold. Was hidden at http://santanderin.com/en/ behind a fake 404 page.
DB: https://db.aa419.org/fakebanksview.php?key=127969
Snap: https://db.aa419.org/docs/DB/00/0012/001279/00127969/20171027_234631_tse8hwb5.jpg

13. natoprocurement-int.com – NATO Procurement
Spoofing: https://www.nato.int/ SMTP (email) usage only, no web content.
DB: https://db.aa419.org/fakebanksview.php?key=127966
Email: https://db.aa419.org/docs/DB/00/0012/001279/00127966/20171027_225150_ni0zvp40.txt

14. fivestarschemicallab.com – Fivestars Chemical Labs
Fraud type (illegal internationally): Classical Black Money Scam. Status currently unknown.
DB: https://db.aa419.org/fakebanksview.php?key=126251
Snap: https://db.aa419.org/docs/DB/00/0012/001262/00126251/20170811_002306_1n84sr7x.png

15. omegassdlab.com – Omega SSD Chemical Laboratory
Fraud type (illegal internationally): Classical Black Money Scam. Active.
DB: https://db.aa419.org/fakebanksview.php?key=126025
Snap: https://db.aa419.org/docs/DB/00/0012/001260/00126025/20170804_191609_kfg3pq2r.jpg

16. chemcorelabs.com – ChemCore Laboratories
Fraud type (illegal internationally): Classical Black Money Scam. Active.
DB: https://db.aa419.org/fakebanksview.php?key=126024
Snap: https://db.aa419.org/docs/DB/00/0012/001260/00126024/20170804_190922_ixawlzxc.jpg

17. cruxssdlab.com – Crux SSD Laboratories
Fraud type (illegal internationally): Classical Black Money Scam. Status currently unknown.
DB: https://db.aa419.org/fakebanksview.php?key=126022
Snap: https://db.aa419.org/docs/DB/00/0012/001260/00126022/20170804_185647_sr2mayd8.jpg

18. blssco.com – British Logistics Services and Security Company
Fraud type: Bogus courier. Expired.
DB: https://db.aa419.org/fakebanksview.php?key=125565
Snap: https://db.aa419.org/docs/DB/00/0012/001255/00125565/20170722_034750_e56bpd8j.jpg
Note: Found after a victim report in a loan scam and researching. Was exposing victim personal information onto the net!

19. hamzakumar.com – Hamza Kumar Loan Company
Fraud type: Loan fraud (linked to previous domain blssco.com). Clienthold.
DB: https://db.aa419.org/fakebanksview.php?key=125564
Snap: https://db.aa419.org/docs/DB/00/0012/001255/00125564/20170722_033253_ws0j8otr.jpg

20. spotlesssecandlog.com – Spotless Security & Logistics
Courier fraud (click-my.com syndicate) with content and logo stolen from https://www.pviltd.com/ Re-hosts upon hoster suspension. Active.
DB: https://db.aa419.org/fakebanksview.php?key=125393
Snap: https://db.aa419.org/docs/DB/00/0012/001253/00125393/20170715_221058_c94q8uv8.jpg
This is a common template used many times (also seen in the Petifre issue). Also see: https://db.aa419.org/fakebanksview.php?key=128715 (Petifre) and https://db.aa419.org/fakebanksview.php?key=125363

21. dallasenergy.net – Dallas Energy
Procurement fraud (click-my.com syndicate), company profile stolen from Chevron, director images stolen. Active.
DB: https://db.aa419.org/fakebanksview.php?key=125390
Snap: https://db.aa419.org/docs/DB/00/0012/001253/00125390/20170715_213844_gdh9vyfj.jpg
Profile: https://db.aa419.org/docs/DB/00/0012/001253/00125390/20180315_200651_qmkct0lh.jpg
Stolen directors: https://db.aa419.org/docs/DB/00/0012/001253/00125390/20170715_213906_mu190pj6.jpg and https://db.aa419.org/docs/DB/00/0012/001253/00125390/20180315_195534_rmy3w70q.jpg

22. metrobusonline.com – Metro Bank
Spoofing: https://www.metrobankpc.com/ Active, hidden at http://www.metrobusonline.com/m.home.html
DB: https://db.aa419.org/fakebanksview.php?key=116095
Snap: https://db.aa419.org/docs/DB/00/0011/001160/00116095/20180116_214811_aro2eg3r.jpg
Any violation of trademarks and/or copyright is merely incidental. The consumer has no rights to such claims, yet consumers are the very reason these websites exist. This needs to be made clear.
None of the above bank spoofs are phishing sites; they were verified to be 419 in nature, as explained at https://blog.aa419.org/phishing-sites-vs-fake-419-banks/
Namesilo Knowledge of the Proxy Service
The SPECIFICATION ON PRIVACY AND PROXY REGISTRATIONS of the ICANN RAA contains exemptions under which the registrar is not responsible for a proxy it is not aware of:
3 Exemptions. Registrar is under no obligation to comply with the requirements of this specification if it can be shown that:
3.1 Registered Name Holder employed the services of a P/P Provider that is not provided by Registrar, or any of its Affiliates;
3.2 Registered Name Holder licensed a Registered Name to another party (i.e., is acting as a Proxy Service) without Registrar’s knowledge; or
3.3 Registered Name Holder has used P/P Provider contact data without subscribing to the service or accepting the P/P Provider terms and conditions.
3.1 & 3.3: We have already established that QHoster is a Namesilo reseller. As per the RAA definitions: “1.3 “Affiliate” means a person or entity that, directly or indirectly, through one or more intermediaries, Controls, is controlled by, or is under common control with, the person or entity specified.” As such reseller QHoster is an affiliate of Namesilo and 3.1 does not apply. 3.3 would be impossible, and even if it were possible, reseller and registrar were both notified, as these domains are sponsored by them. As such 3.3 does not apply either.
3.2: Namesilo has been made aware of this proxy on more than one occasion. Much of the evidence cannot be produced for the simple reason that Namesilo insists complainants use a website form which sends no acknowledgement and thus allows for no proof or accountability in terms of ICANN compliance metrics. This issue has been raised before, was mentioned earlier, and will be addressed fully with evidence in the relevant compliance ticket mentioned earlier. But at least two such emails do exist where both Namesilo and QHoster were copied on malicious domains using this proxy.
In the first, the relevant bank being spoofed was also copied:
[screenshot omitted in this rendition]
In this email, the licensee details are also requested as per ICANN RAA 3.7.7.3, while making both Namesilo and QHoster aware that the mandated proxy details cannot be found.
Subject: ICANN RAA Mandated Proxy provisions?
Date: Sat, 28 Oct 2017 01:42:37 +0200
From: Derek Smythe <derek at aa419.org>
Reply-To: derek at aa419.org
Organization: aa419.org
To: info@qhoster.com, support<at>qhoster.com
CC: abuse@namesilo.com

Hello QHoster
cc NameSilo – Sponsoring Registrar

Re: Qhoster proxy services

We notice you are offering domain proxy protection services for domains using yourself as the proxy agent. Typically these details are shown:
[image omitted in this rendition]

This just became topical where we found a domain spoofing NATO with these domain details, the domain being sourced from QHoster with NameSilo as sponsoring Registrar. A closer look shows this to be a common occurrence, even spoofing banks, for example:
[image omitted in this rendition]

We find a Santander Bank spoof here:
[image omitted in this rendition]

What is even more disconcerting, is that we uncover an extremely well known login panel for bank spoofs massively abused by a certain party;
[image omitted in this rendition]

Since QHoster is an official NameSilo reseller, the ICANN RAA 2013 SPECIFICATION ON PRIVACY AND PROXY REGISTRATIONS applies. This section makes it clear that this also applies to you as an official QHoster reseller. We closely checked your website for these terms. They could not be found. The closest we could find was this, which does not meet these terms:
[image omitted in this rendition]

As per sect 3 of this part:
[image omitted in this rendition]

As per the ICANN RAA 2013 definitions, the Registered Name Holder is QHoster. As per 3.1, QHoster is an affiliate. As per the ICANN RAA definitions:

> 1.13 “Illegal Activity” means conduct involving use of a Registered Name sponsored by Registrar that is prohibited by applicable law and/or exploitation of Registrar’s domain name resolution or registration services in furtherance of conduct involving the use of a Registered Name sponsored by Registrar that is prohibited by applicable law.

Spoofing NATO, Banks and like to defraud consumers by registering domain names to host email services and furthering these malicious impersonation activities, meets this definition. Also note that as per SECT 3.7.7.3 of the ICANN RAA:
[image omitted in this rendition]

This begs the question: Will you disclose the licensee information?

According to our database statistics, over 60% of all malicious
We are noticing a trend by malicious parties that have their domains
As such we wish to know where we can find these mandated the ICANN RAA
Also, please be as kind as to reveal the licensee details for

Thank you.
Derek Smythe
Return-Path: <pm_bounces@dmarc.qhoster.com>
Delivered-To: derek at aa419.org
Received: from mta201a-ord.mtasv.net (mta201a-ord.mtasv.net [104.245.209.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.aa419.org (Postfix) with ESMTPS id 074F4601A6 for <derek at aa419.org>; Sat, 28 Oct 2017 15:11:33 +0000 (GMT)
Authentication-Results: mail.aa419.org; dkim=pass reason="1024-bit key; insecure key" header.d=qhoster.com header.i=support<at>qhoster.com header.b=hITYk8U/; dkim-adsp=pass; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20160517231308pm; d=qhoster.com; h=Message-ID:MIME-Version:From:To:Reply-To:Date:Subject:Content-Type; i=support<at>qhoster.com; bh=C3IT5SQHKCxhvpMcnPD57Wv9OSc=; b=hITYk8U/fdBeBkzbsB3x3UMAIN6qzjMqnqR07FBO/qz37MZ/1NpkeG8FHKjAL1fPQSz+8lKlZq4N UCKAcfWZcsSXEqgXexT1vnd1RyzW2c1nxELSjzBFDpEe1W3j5SqS+yeMnMVtdZ1pss1hkj3ZY09R pvtUGZsNAfTDYoBIZ6Y=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pm; d=pm.mtasv.net; h=Message-ID:MIME-Version:From:To:Reply-To:Date:Subject:Content-Type; bh=C3IT5SQHKCxhvpMcnPD57Wv9OSc=; b=kJnkML1AhCzVL/E+b3fR5miV6/+lsVXjtwRC5iYmDcLQ16GcWEp/1A7CSjO6cXC8II+BMzxRlh6T J2Bgs9k02PPWK3LJgu3317rQGcIPygwBvkzyAieilQ0crJp8DJJHEO4KonKaNr9hwRBHkDh74jIL OWX/nwMg9xjuSutlgy8=
Received: by mta201a-ord.mtasv.net id huif2a1jk5kd for <derek at aa419.org>; Sat, 28 Oct 2017 11:11:32 -0400 (envelope-from <pm_bounces@dmarc.qhoster.com>)
X-PM-IP: 104.245.209.201
X-Mailer: QHoster.com
Feedback-ID: 1969152:112498::postmark
X-Complaints-To: abuse@postmarkapp.com
X-PM-Message-Id: 38989375-df98-477a-b2c1-c1f27eda75b8
X-PM-RCPT: |bTF8MTEyNDk4fDE5NjkxNTJ8ZGVyZWtAYWE0MTkub3Jn|
Message-ID: <38989375-df98-477a-b2c1-c1f27eda75b8@mtasv.net>
MIME-Version: 1.0
From: "QHoster.com Support" <support<at>qhoster.com>
To: "Derek Smythe" <derek at aa419.org>
Reply-To: "QHoster.com Support" <support<at>qhoster.com>
Date: 28 Oct 2017 11:11:31 -0400
Subject: [Ticket ID: 915013] ICANN RAA Mandated Proxy provisions?
Content-Type: multipart/alternative; boundary=--boundary_3713569_4a2c4160-ac78-49ff-abbd-56b213ed4f4d

Derek Smythe,

Thank you for contacting our support team. A support ticket has now been opened for your request. You will be notified when a response is made by email. The details of your ticket are shown below.

Subject: ICANN RAA Mandated Proxy provisions?
Priority: Medium
Status: Open

You can view the ticket at any time at https://www.qhoster.com/clients/viewticket.php?tid=915013&c=hEa65lgF

Regards,
QHoster.com – Quality Hosting Matters
Return-Path: <pm_bounces@dmarc.qhoster.com>
Delivered-To: derek at aa419.org
Received: from mta202a-ord.mtasv.net (mta202a-ord.mtasv.net [104.245.209.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.aa419.org (Postfix) with ESMTPS id 5C567601A6 for <derek at aa419.org>; Sat, 28 Oct 2017 15:14:18 +0000 (GMT)
Authentication-Results: mail.aa419.org; dkim=pass reason="1024-bit key; insecure key" header.d=qhoster.com header.i=support<at>qhoster.com header.b=IGc0c2Rb; dkim-adsp=pass; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=20160517231308pm; d=qhoster.com; h=Message-ID:MIME-Version:From:To:Reply-To:Date:Subject:Content-Type; i=support<at>qhoster.com; bh=zcEPOV2HYrDSn9ARY9pGbGuYG20=; b=IGc0c2RbmUVIr+8HrZA1C8N/aUP0XY/HfcglBXF3Oi335yaeUPDUT1t8ljFCBG98PIb7CbSLyqyW 63kiaYLDLBULASud0W9wPmvGcRUuX7IF64yB0EPDf5dXxc8zQudRksp8q3HhLt7vK6DP6EN8fbS+ aEHsBJqcdhe1ClzmGqw=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pm; d=pm.mtasv.net; h=Message-ID:MIME-Version:From:To:Reply-To:Date:Subject:Content-Type; bh=zcEPOV2HYrDSn9ARY9pGbGuYG20=; b=SZZcBbsE4gKIsFYt/ykXiIFqhyshsvDmcORDWZm26ptmGFALh4btC3qFH4zTELip8MfW//5cT/qL CKcEJl3wXq1P1lFf9Qo52TTxJTYGJrtOptF+ujllAuKIjOIsomKWx20DFVkZXypeAjTN4HmJsyG2 7DaROPPBiPMWo/vBcxc=
Received: by mta202a-ord.mtasv.net id huifck1jk5kt for <derek at aa419.org>; Sat, 28 Oct 2017 11:14:17 -0400 (envelope-from <pm_bounces@dmarc.qhoster.com>)
X-PM-IP: 104.245.209.202
X-Mailer: QHoster.com
Feedback-ID: 1969152:112498::postmark
X-Complaints-To: abuse@postmarkapp.com
X-PM-Message-Id: 219cbb20-5afc-4b9e-a550-10671e22e618
X-PM-RCPT: |bTF8MTEyNDk4fDE5NjkxNTJ8ZGVyZWtAYWE0MTkub3Jn|
Message-ID: <219cbb20-5afc-4b9e-a550-10671e22e618@mtasv.net>
MIME-Version: 1.0
From: "QHoster.com Support" <support<at>qhoster.com>
To: "Derek Smythe" <derek at aa419.org>
Reply-To: "QHoster.com Support" <support<at>qhoster.com>
Date: 28 Oct 2017 11:14:17 -0400
Subject: [Ticket ID: 915013] ICANN RAA Mandated Proxy provisions?
Content-Type: multipart/alternative; boundary=--boundary_3715188_cf5584fc-51b4-4f35-a153-899a66accd07

santanderin.com has been disabled.

Let us know the rest active abusing domains so we can check them 1 by 1.

----------------------------------------------
Ticket ID: #915013
Subject: ICANN RAA Mandated Proxy provisions?
Status: Answered
Ticket URL: https://www.qhoster.com/clients/viewticket.php?tid=915013&c=hEa65lgF
----------------------------------------------

Regards,
QHoster.com – Quality Hosting Matters
Subject: Re: [Ticket ID: 915013] ICANN RAA Mandated Proxy provisions?
Date: Sun, 29 Oct 2017 23:30:55 +0200
From: Derek Smythe <derek at aa419.org>
To: QHoster.com Support <support<at>qhoster.com>
CC: abuse at namesilo.com

Hello QHoster
cc: Namesilo Abuse

Obviously you did not reply to the question being asked. You simply terminated one domain spoofing a bank that was given as an example of the actionable harm, yet did not address the real underlying issue at hand causing harm and violating ICANN policies as per the RAA.

It is for this reason we will be lodging a compliance complaint.

Further we have no choice but to regard QHoster’s proxy as a Rogue Proxy, listing it as such: https://blog.aa419.org/rouge-proxy-list/

Derek Smythe
Artists Against 419
http://www.aa419.org

As such, despite the email subject being “ICANN RAA Mandated Proxy provisions?”, this question is never answered, nor are the details ever supplied. Additionally QHoster was cc’ed on these communications.
—ooo000ooo—
Original complaint until Compliance closure: 2 March to 25 May 2018
Subject: [~XTO-568-35273]: Additional information for Privacy/Proxy complaint
Date: Mon, 12 Mar 2018 21:30:21 +0000
From: Compliance Tickets
Dear Derek Smythe,
Thank you for submitting the Privacy/Proxy complaint below.
Please note that with regard to the domain name <ALRAYANACC.COM>, the domain appears to be registered with a different registrar (or reseller) than the one referenced in your complaint. Please submit a separate ticket using the appropriate form at https://www.icann.org/compliance/complaint .
Please note that with regard to the domain name <co.in>, the domain name is registered under a country code top level domain name (ccTLD). ICANN does not accredit registrars (or resellers) for ccTLDs. A list of all delegated ccTLDs and their designated managers is available at http://www.iana.org/cctld/cctld-whois.htm .
With regard to the domain names <ncitioline.com>, <crelann.com> and <diamondoline.com>, please note that according to the public Whois information, these domain names do not appear to be registered behind a privacy proxy service. If you have evidence demonstrating otherwise, please provide it in response to this communication.
ICANN reviewed your complaint and requires additional information. Please note the posting requirements of the Specification on Privacy and Proxy Registrations of the 2013 Registrar Accreditation Agreement (RAA) may apply to either the registrar (or reseller) or the Privacy/Proxy Provider, yet your complaint does not indicate which posting requirements are not met.
Please provide ICANN the following before 19 March 2018:
1. Confirm whether you have attempted to contact the registrant through the provided contact information and/or Privacy/Proxy Provider; and if so, provide copies of communications (including headers showing email addresses);
2. Identify the specific violation or information the registrar (or reseller) or Privacy/Proxy Provider is not providing under section 3.7.7.3 of the RAA, or as required by the Specification on Privacy and Proxy Registrations of the 2013 RAA; and,
3. Copies of all communications you may have had with the registrar, NameSilo, LLC, (or reseller) regarding this matter;
4. Any available evidence that the domain names <ncitioline.com>, <crelann.com> and <diamondoline.com>, mentioned in your complaint are utilizing privacy/proxy registration services;
5. If your complaint refers to multiple domain names, please provide a list of all the domain names relevant to your transfer complaint so ICANN can address it in its entirety.
6. Any other records or information relevant to your complaint.
7. Please confirm your permission for ICANN to forward your complaint below and any attachment you may provide in your response(s) to the registrar of record and any other party with whom ICANN may consult in order to address your complaint.
Please send the information and records requested above via reply email (no more than 4 MB total) and do not change the email subject heading. Please provide records as attachments in .TXT, .PDF, or .DOC(X) format.
If you do not provide this information on or before 19 March 2018, ICANN will close your complaint.
Sincerely,
ICANN Contractual Compliance
############################################
The problem summary
Time of submission/processing: Fri Mar 2 20:00:27 2018
Reporter Name: Derek Smythe
Reporter Organization: Artists Against 419
Reporter Email: derek at aa419.org
Registrar that is subject of complaint: Namesilo
Domain Name that is subject of complaint: ncitioline.com
Privacy/Proxy provider that is subject of complaint: QHoster
Compliance(s):
Failure to disclose or abide by service terms
Failure to provide or abide by terms of service and description of procedures
Description of problem: This complaint is not just about domain ncitioline.com but the issue is much wider spanning many domains. QHoster is a reseller for Namesilo and offering a privacy proxy. No terms are found for this proxy or associated costs as per the RAA 2013 “SPECIFICATION ON PRIVACY AND PROXY REGISTRATIONS”. The only mention of proxy services is https://www.qhoster.com/domains.html which is marketing.
Namesilo and QHoster were made aware of this issue last year already after abuse with this proxy. No reply was received on this issue; the only response was that the relevant domain was suspended. This abuse continues.
Currently we see massive abuse of this proxy to hide perpetrators spoofing banks internationally.
http://ib.alrayanacc.com/en/
http://rbi.roline.co.in/
http://crelann.com/nl/algemeen/index.html
http://diamondoline.com/home/index.htm.html
etc …
The whois at the time of processing is:
REGISTRAR WHOIS:
Domain Name: ncitioline.com
Registry Domain ID: 2214621018_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: https://www.namesilo.com/
Updated Date: 2018-02-25T07:00:00Z
Creation Date: 2018-01-18T07:00:00Z
Registrar Registration Expiration Date: 2019-01-18T07:00:00Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse at namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Reseller: QHOSTER.COM
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Fast Serv Inc. d.b.a. QHoster.com
Registrant Street: 1 Mapp Str.
Registrant City: Belize City
Registrant State/Province: BZ
Registrant Postal Code: 00000
Registrant Country: BZ
Registrant Phone: +501.18774231155
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@qhoster.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Fast Serv Inc. d.b.a. QHoster.com
Admin Street: 1 Mapp Str.
Admin City: Belize City
Admin State/Province: BZ
Admin Postal Code: 00000
Admin Country: BZ
Admin Phone: +501.18774231155
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: info@qhoster.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Fast Serv Inc. d.b.a. QHoster.com
Tech Street: 1 Mapp Str.
Tech City: Belize City
Tech State/Province: BZ
Tech Postal Code: 00000
Tech Country: BZ
Tech Phone: +501.18774231155
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: info@qhoster.com
Name Server: DNS1.NCITIOLINE.COM
Name Server: DNS2.NCITIOLINE.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-03-02T07:00:00Z <<<
For more information on Whois status codes, please visit
https://icann.org/epp
WWW.QHOSTER.COM – CHEAP DOMAINS/HOSTING, LINUX/WINDOWS RDP VPS IN 30
LOCATIONS, DEDICATED SERVERS – PAYPAL, BITCOIN, WEBMONEY, PERFECT MONEY,
NETELLER, SKRILL, PAYSAFECARD, ALIPAY, PAYEER, CASHU ETC.
REGISTRY WHOIS:
Domain Name: NCITIOLINE.COM
Registry Domain ID: 2214621018_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: http://www.namesilo.com
Updated Date: 2018-01-18T15:23:43Z
Creation Date: 2018-01-18T15:21:46Z
Registry Expiry Date: 2019-01-18T15:21:46Z
Registrar: NameSilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse at namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Domain Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
Name Server: DNS1.NCITIOLINE.COM
Name Server: DNS2.NCITIOLINE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form:
https://www.icann.org/wicf/
For more information on Whois status codes, please visit
https://icann.org/epp
Registrar: NameSilo, LLC
Whois Server: whois.namesilo.com
############################################
Ticket Details
Department: Privacy/Proxy
Type: Issue
Status: NEW
Priority: Normal
Subject: Re: [~XTO-568-35273]: Additional information for Privacy/Proxy complaint
Date: Sat, 17 Mar 2018 04:05:58 +0200
From: Derek Smythe
To: compliance-tickets
Dear ICANN Compliance
Please find the details you seek attached in a PDF document.
My apologies for ALRAYANACC.COM and ROLINE.CO.IN – they inadvertently slipped in somehow and are part of other issues already resolved and were not meant to be mentioned. Please ignore them further.
> 1. Confirm whether you have attempted to contact the registrant through the provided contact information and/or Privacy/Proxy Provider; and if so, provide copies of communications (including headers showing email addresses);
No. First, the email is not unique to a registrant, and the Privacy/Proxy Provider makes no provision for such communications. Anyway, would we really wish to encourage communications with somebody deliberately registering domains for criminal purposes? That is after all exactly the domain issue at hand.
> 2. Identify the specific violation or information the registrar (or reseller) or Privacy/Proxy Provider is not providing under section 3.7.7.3 of the RAA, or as required by the Specification on Privacy and Proxy Registrations of the 2013 RAA; and,
>
> 3. Copies of all communications you may have had with the registrar, NameSilo, LLC, (or reseller) regarding this matter;
>
> 4. Any available evidence that the domain names <ncitioline.com>, <crelann.com> and <diamondoline.com>, mentioned in your complaint are utilizing privacy/proxy registration services;
>
> 5. If your complaint refers to multiple domain names, please provide a list of all the domain names relevant to your transfer complaint so ICANN can address it in its entirety.
>
> 6. Any other records or information relevant to your complaint.
See attached document.
>
> 7. Please confirm your permission for ICANN to forward your complaint below and any attachment you may provide in your response(s) to the registrar of record and any other party with whom ICANN may consult in order to address your complaint.
You have such permission.
Concern:
The issues mentioned in the document are malicious domains where we understand what they are about, how they are used and we are qualified to comment on.
While there may be more advance fee fraud domains on this proxy, this is not the total sum of maliciousness using this proxy. We also see what I believe to be business impersonation / BEC. Such emails are hardly ever used for online content, rather for email-only purposes, and this is also domain-name-based abuse.
Examples:
conyersdil.com vs conyersdill.com
bestwlnco.com vs bestwinco.com
genluste.com vs geniuste.com
startachnofit.com vs startechnofit.com
gascogenflexible.com vs gascogneflexible.com
siliconeworld-cn.com vs siliconeworld.cn
hillcropenregy.com vs hillcropenergy.com
etc
This is a commercial threat and a channel exists for it. But since it ties back to this issue as well, I’m copying two joint ICANN SSAC / APWG members.
Thank you.
Kind regards,
Derek Smythe
Artists Against 419
http://www.aa419.org
Attachment: Abuse report in detail shown at start
Subject: [~XTO-568-35273]: Additional information for complaint Abuse complaint re: NameSilo, LLC
Date: Wed, 04 Apr 2018 23:44:33 +0000
From: Compliance Tickets
Dear Derek Smythe,
Thank you for your response on 17 March 2018. However, your response is incomplete and although your complaint may not apply for the complaint type selected, it may be able to be processed as an Abuse complaint. To make that determination, ICANN is requesting additional information.
Please note that ICANN does not register domain names or control their content, and has no ability to activate, suspend or otherwise modify domain names. However, registrars under the 2013 Registrar Accreditation Agreement (RAA) are required to respond to abuse reports that are sent to its published abuse contact details. However, please note that registrars are not required by the RAA to suspend or delete domain names in response to abuse reports.
Therefore, if you believe a domain name may be involved in an abusive or illegal activity, you may consider filing an abuse report with the corresponding sponsoring registrar. If you have done so, and believe the registrar has failed to meet its obligations under RAA, please provide ICANN the following before 11 April 2018:
1. Copies of your abuse report (including email headers) and any response(s) from the registrar (including auto-responses and bounce-back or returned “undeliverable” emails) concerning each of the domain names listed in your abuse report.
2. Any other records or information relevant to your complaint.
Please send the information and records requested above via reply mail (no more than 4 MB total) and do not change the email subject heading. Please provide records as attachments in .TXT, .PDF or .DOC(X) format.
If you do not provide this information before 11 April 2018, ICANN will close your complaint.
Sincerely,
ICANN Contractual Compliance
Subject: Re: [~XTO-568-35273]: Additional information for complaint Abuse complaint re: NameSilo, LLC
Date: Thu, 5 Apr 2018 17:44:19 +0200
From: Derek Smythe
To: compliance-tickets
Dear ICANN Compliance
Note: There are two distinct Compliance complaints at play here, interrelated ~UNY-783-11184 and ~XTO-568-35273
~XTO-568-35273 focuses on the Namesilo reseller QHoster’s rogue proxy not being RAA compliant and serial abuse emanating from it. It also sets the framing of how this is part of much bigger issues at ICANN registrar Namesilo. Yet an email is supplied where Namesilo and QHoster are made aware of this issue.
~UNY-783-11184 deals with Namesilo’s non-compliance with zero accountability metrics and them never replying. This explains WHY it’s near impossible to supply the information you seek.
I submitted complaint ~UNY-783-11184 first, then ~XTO-568-35273. However you wanted more information on the latter first. I was waiting for a ticket number for the first and time was running out, as such I supplied some of the details needed. Just prior to submitting, I received a ticket, ~UNY-783-11184. That’s why I refer to it. So please also refer to this complaint and specifically the section “Registrar reporting system does not allow for accountability metrics”.
In a nutshell, you cannot expect the complainant to supply you with evidence if the ICANN Accredited registrar insists a web form be used and is not supplying any form of acknowledgement. Web forms also do not supply headers. This was also pointed out in previous complaints. It is exactly for this reason that Garth Bruen, John Horton and indeed yourselves are eventually copied on an email complaint as shown:
> Subject: Re: fastweedonline.com (add cocaineonlineshopusa.com)
> Date: Tue, 9 May 2017 20:01:17 -0700
> From: NameSilo Support – 8
> To: derek at aa419.org
> CC: Garth Bruen at KnujOn , ####@legitscript.com, compliance at icann.org
This eventually provokes a response. It shows how Skyler at Namesilo tries to distance themselves from the complaint, then eventually says the complaint was not received in a later email. You have a copy in your archives as well.
So, this registrar must be psychic to deny responsibility in detail to an issue, if they have no knowledge of said issue as claimed later “since such complaint was not received”? This illustrates the issue at hand and is a repeat of the issues mentioned in ICANN Compliance complaint XFS-327-35074 that was never resolved. The issue continued and is leading to gross consumer harm, fueling DNS abuse where fake registration details and zero accountability thrives.
As such please read these two compliance complaints together and understand why these tickets were lodged, an attempt to fix this lacking accountability issue which would allow a complainant to supply you the information you seek. In turn this also undermines your task.
This also answers your query for additional information.
Thank you.
Derek Smythe
Artists Against 419
http://www.aa419.org
Subject: [~XTO-568-35273]: Confirmation of Privacy/Proxy complaint
Date: Mon, 30 Apr 2018 20:29:20 +0000
From: Compliance Tickets
Dear Derek Smythe,
Thank you for your understanding while ICANN reviewed your Privacy/Proxy complaint below. Your report has been entered into ICANN’s database. For reference your ticket ID is: XTO-568-35273. Please note that this complaint will be limited to ensuring compliance with the requirements of the Specification on Privacy and Proxy Registrations of the 2013 Registrar Accreditation Agreement (RAA).
ICANN will follow up with the registrar per process and provide you an update with its findings.
For more information about ICANN’s process and approach, please visit http://www.icann.org/en/resources/compliance/approach-processes .
Sincerely,
ICANN Contractual Compliance
Subject: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed
Date: Fri, 25 May 2018 23:29:00 +0000
From: Compliance Tickets
Dear Derek Smythe,
Thank you for submitting a Privacy/Proxy complaint concerning the registrar NameSilo, LLC. ICANN has reviewed and closed your complaint because:
– Upon request by ICANN, the registrar took corrective actions and is now in compliance with the relevant provisions of the Specification on Privacy and Proxy Registrations of the 2013 Registrar Accreditation Agreement (RAA).
ICANN considers this matter now closed.
Please do not reply to the email. If you require future assistance, please email compliance@icann.org; if you have a new complaint, please submit it at http://www.icann.org/resources/compliance/complaints .
ICANN is requesting your feedback on this closed complaint. Please complete this optional survey at https://www.surveymonkey.com/s/8F2Z6DP?ticket=XTO-568-35273 .
Sincerely,
ICANN Contractual Compliance
At this stage no proxy provisions are shown. All that has changed is that a link to the Registrant Rights and Responsibilities has been added. The irony is that, as per the definitions, the Proxy owner is the Registrant (Registered Name Holder) for a domain registered with a proxy, and the user using it is a Licensee.
Escalation to ICANN Complaints 19 Jun 2018
Subject: Compliance complaint: [~XTO-568-35273]: Privacy/Proxy
complaint re: ncitioline.com closed
Date: Tue, 19 Jun 2018 21:20:55 +0200
From: Derek Smythe
To: complaints at icann.org
Dear ICANN Complaints Office
Please find a complaint closed by ICANN Compliance (see below included email).
While this complaint was closed by ICANN Compliance, the issues highlighted to ICANN Compliance, where this proxy was in violation of the ICANN RAA 2013, still remain. This is part of an ongoing pattern of serious issues reported to ICANN Compliance over a period of time and being closed, seeing the same lack of compliance enforcement. This is also not the first time a proxy issue was addressed in a similar way, in turn leading to much consumer harm. It is of concern that a registrar can deliberately lie, and despite evidence to the contrary, this is blindly accepted and the complaint closed. In turn this leads to harm.
This complaint was lodged as the reseller managing this proxy has a renowned reputation in terms of malicious domain registrations. Where the proxy is not used, the visible registration details do not pass muster and beg the question as to whether any registration details are in fact verified as required in the ICANN RAA 2013. In turn this leads to mass DNS abuse and has a knock-on effect in terms of fraud and other malicious activities.
Most recently, during the ICANN GDPR discussions, “Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation”, “#5.3.3. Accuracy of Registration Data” (https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf), the conclusion was reached that domain registrations are verified as per the ICANN RAA and as such “The GDPR therefore does not require the introduction of a new verification or validation requirements.”. As such much reliance was placed on ICANN and Registrars to uphold the terms of the RAA. In fact this conclusion was flawed. This complaint and an associated sibling complaint illustrate the basis for saying that the public discussion conclusion is flawed.
It is an established fact that this is not happening at this reseller and upstream ICANN Accredited Registrar. This also led to a previous ICANN Compliance complaint XFS-327-35074 in 2016 which was closed, similarly resolved, with the issue never really resolved. The long ongoing sibling complaint UNY-783-11184 against the upstream Registrar is in fact a continuation of XFS-327-35074 (and incidentally the same bad actors and registration issues are used to conclusively prove weak compliance). This bigger issue saw the Reserve Bank of India spoofed more than a hundred times with clear and patently fake registration details (https://snapper.aa419.org/DS/Namesilo/ – a small example). In the same linked issue, other banks such as Citibank, Royal Bank of Scotland etc are spoofed, international commerce is massively spoofed, lawyers are spoofed – or have their websites stolen and republished – all this in ongoing 419 fraud with the registrar and reseller consistently allowing such abuse. What is more disturbing, domains are suspended, leading interested anti-mitigation parties to believe the issue is resolved, to only find the domain has been un-suspended with the same fake registration details and abuse still ongoing (example: patriotlobsters.com spoofing http://www.patriotlobster.com and where job applicants are asked to submit their personal details for jobs, http://swiftcfgroup.com/uk/ spoofing http://www.swiftcouriers.com/ in Romance and like scams). Issues such as this led to this registrar and downstream reseller being the second most abused registrar for long-lived domains abused in organized cyber fraud emanating from West Africa. To be clear, these are not merely content issues, the abuse starts off during registration when fake details are supplied. Some of these domains have no content, but we even find NATO spoofed in procurement scams (natoprocurement-int.com). How can this be anything but DNS abuse? These domains have no legitimate purpose. 
While this may harm business, the concern of Artists Against 419 is the consumer, with no real protection in vast areas of abuse, with no overlap with commercial interests, and where consumers are hardly acknowledged as a third party in any agreements. These are the parties losing their privacy and livelihoods in fraud, undermining their rights. We see cancer sufferers become victims to fraud. We see victims commit suicide.
While it’s easy making malicious behavior out to be purely a law enforcement issue, this is a buck passing exercise. Law enforcement engages after the fact of harm done, and only if in their jurisdiction and they have the capacity to address such, also if the financial loss is above a certain amount typically. By then it is too late for victims and the harm is already done. Restitution, if ever, is minimal. It’s a published fact that the UK’s Action Fraud system is only flagging for investigation if a loss is above a certain amount. Additionally we see only 1% of cyber-crime is prosecuted. Yet even those statistics are flawed as a very low percentage of victims report such crimes due to social factors. The enforcement efforts elsewhere may be better or worse, but the fact remains the authorities are overwhelmed with cyber crime, with much of this crime starting off with domain registrations – DNS abuse. Consumer and business losses are at an all time high and reported on regularly. DNS abuse forms much of the underlying infrastructure needed by criminal elements.
As such, having tickets with valid concerns illustrating the consumer harm done, incidentally also violating trademarks with impunity, closed with poor ICANN Compliance enforcement, is of extreme concern. Registrars are hiding WHOIS details in an effort at meeting GDPR compliance. Yet while the GDPR is meant to protect consumer privacy, weak registrar compliance at certain registrars and more to the point, ICANN Compliance not addressing these issues, undermines and perverts any GDPR efforts by turning privacy for malicious registrants into a tool to massively deprive innocent consumers not only of privacy, but to also defraud them and undermine their rights. Even now we are finding rogue proxies hidden behind a GDPR cloud. Only by looking at historic WHOIS and registration dates can we determine these are reseller proxies. We may even have a situation where a proxy is hidden behind a proxy in at least one case – all in an unaccountable fashion.
Much of the information I can share may be made publicly available, but certain information or keywords are sensitive.
Looking specifically at this ticket:
I pointed out exactly where the reseller is violating the ICANN RAA 2013. The reseller simply made one single change to their website at https://www.qhoster.com/domains.html by placing a title and link on this page:
> Please note the following rules from ICANN
> ICANN Registrant Rights and Responsibilities
The last line then links to the ICANN RAA 2013’s section on this at https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#registrant
However, this same document, the ICANN RAA 2013, also contains the requirements for a proxy: https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#privacy-proxy
As pointed out in the complaint to ICANN Compliance, the terms of Section 2 of the RAA 2013 are not met. This situation has not been remedied.
Nowhere on the website, do we find the word proxy. Nor the name of the upstream sponsoring Registrar. As such we can’t presume on the Registrar’s pages.
As also stated to ICANN Compliance, the upstream Registrar has a separate and distinctly different proxy which is not this proxy.
It simply defies logic that this ticket has been closed. It also makes all the community efforts, time and money spent on reaching the Proxy Specifications as recorded in the ICANN RAA 2013 wasted and a joke, trivially ignored.
In the meantime, the harm to both consumer and commerce is ongoing. Even now again, we see ongoing abuse and harm, with the relevant terms not being in place:
– Microsoft is being spoofed with these domains – https://www.virustotal.com/#/url/31fdc76eb9ce93e727e6ab35960d19fd9bdc556d4fda4dd773abe3e46291f64a/detection
– A fake courier http://envoyskyvaultcourier.com/, with the claimed address actually being that of Legenturia Fun & Entertainment Center in Belgium, used in consumer attacks undermining privacy and enabling fraud.
etc …
How can ICANN deny any responsibility for the harm done with malicious domains if ICANN Compliance is not enforcing the ICANN RAA or the public engagement processes that led to it becoming policy?
I request this issue be investigated as a matter of urgency in the public interest and in a transparent fashion. This complaint will be published in a week’s time on the Artists Against 419 website. In the meantime I request the reseller’s website be scrutinized to validate the legitimacy of the statements made in the relevant complaint. I myself will also seek two credible parties to validate what is/is not available on the reseller’s website.
Any of the incidents I refer to, and on which more information is required, can be shared. Some of it may be sensitive and will be shared as both a confidential and a public version with just certain details redacted. Both versions of the detailed ICANN complaint submitted are attached hereto and marked as such.
Thank you.
Kind regards,
Derek Smythe
Artists Against 419
http://www.aa419.org
Subject: Re: Compliance complaint: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed
Date: Wed, 4 Jul 2018 03:24:15 +0200
From: Derek Smythe
To: complaints at icann.org
Dear ICANN Complaints Office
Could you please confirm if you received the below complaint?
Thank you.
Kind regards,
Derek Smythe
Artists Against 419
http://www.aa419.org
Subject: RE: [Ext] Compliance complaint: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed [ ref:_00D1aY7OU._5001afK8WN:ref ]
Date: Wed, 25 Jul 2018 17:32:30 +0000 (GMT)
From: Complaint Reply
Dear Derek Smythe,
I am writing to provide an update regarding your complaint. First, I apologize again that I did not receive your first two attempts at submitting this information as your messages were caught in my spam filter. However, I now have your complaint and am currently researching it. I understand your complaint to be about ICANN Contractual Compliance’s handling of complaints. Once I complete my research, I will work with the ICANN Organization team(s) responsible for this topic to draft a response to you. Please know the research and response process is quite thorough and typically takes a fair amount of time. I will provide you with a status update in two weeks.
Additionally, I want to make sure you are aware of the Terms and Conditions for Submission to the Complaints Office. They are noted at the end of this message, but I’ve also copy/pasted them here:
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.
Your complaint and accompanying response will be published in the Complaints Office section of our website; see: https://www.icann.org/complaints-office. Note, your contact information will not be published but your name and organization name, if applicable, will be. Other details contained in your complaint may also be redacted prior to publishing.
Please let me know if you have questions.
Kind regards,
Complaints Officer
ICANN
Terms and Conditions for Submission to the Complaints Office
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.
Subject: Re: [Ext] Compliance complaint: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed [ ref:_00D1aY7OU._5001afK8WN:ref ]
Date: Wed, 1 Aug 2018 22:25:37 +0000 (GMT)
From: Complaint Reply
Hi Derek,
Thank you for confirming your understanding regarding publication, etc. As a rule, I typically redact contact information, references to ICANN employees, certain registrar information, names of third parties, and any other information that should be confidential. In the case of your submission, you have also included the Contractual Compliance email/ticket exchange which ICANN considers confidential so it will also be redacted from the published complaint.
Aside from the confidentiality aspect, the Complaints Office works under the notion that we are here to address issues regarding the ICANN org and therefore complaints and responses are not about people but about the org and opportunities there may be for it to improve.
Additionally, with the advent of GDPR, which based on your complaint you are familiar with, I will also need to redact the non-public Whois data and any other data that might be considered under GDPR as private.
All of that said, your cover email and the 22 page attachment you provided are what I consider your complaint. I will need to redact both based on the principles outlined above but also wanted 1) you to be aware of the additional redactions I will be making, and 2) to get your agreement that I can publish a redacted version of the 22 page document (I will ensure your redactions remain redacted and my redactions will be additional). Can you please confirm re: the 22 page document?
I hope this message was clear as there was a lot to explain. If not, please let me know and I’ll try again.
Thanks!
Complaints Officer
ICANN
Subject: Re: [Ext] Compliance complaint: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed [ ref:_00D1aY7OU._5001afK8WN:ref ]
Date: Thu, 2 Aug 2018 15:14:52 +0200
To: Complaint Reply
I fully understand what you’re saying and why. I am happy for you to redact whatever you believe inappropriate for public consumption. The goal was to supply information as completely as possible and not be seen as trying to hide anything, allowing your office to reach factual conclusions. (aa419 has refrained from publishing anything on our blog thus far.)
To clarify, the complaint is not about people, rather about policies agreed to in community participation processes, including ICANN SSAC, where a balance was sought between different interests, but these are then ignored by ICANN Compliance and not enforced. In turn this leads to DNS abuse where we find extreme consumer harm, yet the very Resellers and Registrars ignoring these policies are distancing themselves from such harm and continue affording criminal enterprise unaccountability. In turn this undermines not only consumer trust, but also makes a mockery of other ICANN-agreed protection mechanisms and processes like UDRPs etc. This is clearly illustrated in the other part of the bigger complaint (the Namesilo complaint referred to). The choice of reseller and registrar in the set of two complaints was selected as the ones responsible for the second highest incidence of consumer harm and affording unaccountability to criminal enterprise. As such, they nominated themselves based upon recorded statistics. Ultimately ICANN is the only party that can insist that Registrars and their resellers abide by agreed-to contractual policies. As such it is of concern when this does not happen and consumer harm follows. This complaint is an attempt to restore some of the intended balance and accountability.
We really have no desire to “flame” anybody or any party. Composing reports such as the one submitted takes away time that could have been better spent directly mitigating consumer harm, a group that is extremely ill represented or protected on the net. We have no commercial goals or any ulterior motives, only a purely altruistic attempt at consumer protection. This complaint only followed after the stated processes failed for the N-th time at this level, each failure leading to harm.
Thank you for understanding.
Kind regards,
Derek Smythe
Artists Against 419
http://www.aa419.org
Subject: Re: [Ext] Compliance complaint: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed [ ref:_00D1aY7OU._5001afK8WN:ref ]
Date: Thu, 2 Aug 2018 18:17:36 +0000 (GMT)
From: Complaint Reply
Thanks for the additional information, Derek. Sorry to be a stickler about this, but can you confirm you are okay with me publishing the sensitive version of the 22 page report you sent? I just want to be certain I have your okay as I wouldn’t want to violate your trust by assuming I do.
Note: It will have additional redactions from me as previously explained.
Thanks!
Complaints Officer
ICANN
Subject: Re: [Ext] Compliance complaint: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed [ ref:_00D1aY7OU._5001afK8WN:ref ]
Date: Thu, 2 Aug 2018 21:11:26 +0200
To: Complaint Reply
I would not like to see the “sensitive” version published. I included both the sensitive and public version so that your office can see what was redacted, yet allowing for transparency. Looking at the differences:
(Redacted. Details not shown as it contains reference to law enforcement actions.)
Thank you VERY much for checking.
Kind regards,
Derek Smythe
Artists Against 419
http://www.aa419.org
Response from ICANN Compliance shown on the associated ticket ~UNY-783-11184, as it refers to this ticket, XTO-568-35273. Emphasis is that of aa419.
Subject: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed
Date: Fri, 03 Aug 2018 10:31:29 +0000
From: Compliance Tickets
Dear Derek Smythe,
Thank you for submitting an Abuse complaint concerning the registrar NameSilo, LLC. ICANN has reviewed your complaint with the registrar:
– The registrar indicated that they did not receive your abuse report. However, upon further review of your complaint, the registrar indicated that they have investigated your abuse reports and the reports do not fall within the registrar’s purview. The registrar also indicates that their abuse procedures are clearly listed on the registrar’s website, and they are not responsible for the content on web sites, and not an arbiter of the legality of content hosted on web sites. The registrar requested that you contact the hosting companies regarding your concerns.
– In addition, ICANN confirms receipt of your survey feedback regarding closed Privacy/Proxy complaint XTO-568-35273. To clarify this matter, the registrar of record confirmed with ICANN that the domain names referenced in your complaint (ALRAYANACC.COM, crelann.com, diamondoline.com, and ncitioline.com), and those registered with similar information, are registered to a third party or reseller and not a proxy service. Under the 2013 Registrar Accreditation Agreement (RAA), resellers may be registrants for domain names.
If you have evidence demonstrating failure to comply with the obligations of the Specification on Privacy and Proxy Registrations of the 2013 RAA, please provide that information to ICANN by submitting a new Privacy/Proxy complaint via the complaint form at https://forms.icann.org/en/resources/compliance/complaints/whois/privacy-proxy-registration-form .
ICANN considers this matter now closed.
If you require future assistance, please email compliance@icann.org; if you have a new complaint, please submit it at http://www.icann.org/resources/compliance/complaints .
ICANN is requesting your feedback on this closed complaint. Please complete this optional survey at https://www.surveymonkey.com/s/8F2Z6DP?ticket=UNY-783-11184 .
Sincerely,
ICANN Contractual Compliance
Subject: Re: [Ext] Compliance complaint: [~XTO-568-35273]: Privacy/Proxy complaint re: ncitioline.com closed [ ref:_00D1aY7OU._5001afK8WN:ref ]
Date: Thu, 30 Aug 2018 12:08:11 +0000 (GMT)
From: Complaint Reply
Dear Derek,
As promised, I write to provide you with an update regarding your complaint prior to my departure for my holiday.
I was able to finish my research prior to leaving and will draft my response to you upon my return from holiday. As previously communicated, I will be fully back in the office on 17 September and am targeting 30 September to issue you a response.
As always, please let me know if you have questions.
Kind regards,
Complaints Officer
ICANN
To: Complaint Reply
Sent: 4/27/2019 3:58 PM
Subject: Query: Complaint numbers 00006097 and 00005840
Hello ICANN Complaints Office
Re: Complaint numbers 00006097 and 00005840
Just a query to verify at what status these two complaints are.
Please note the harm that is being caused to the community is ongoing.
Additionally we also see how domains are suspended and re-activated at this registrar, despite the domains clearly being malicious. While we could turn this into an argument about DNS abuse definitions, if official resellers of the Registrar are involved (even ##redacted## referred to in the complaint is one such – a Nigerian reseller), such arguments become moot.
Thank you,
Derek Smythe
Artists Against 419
http://www.aa419.org
From: Complaint Reply
Sent: 5/8/2019 1:32 AM
Subject: RE: Query: Complaint numbers 00006097 and 00005840 [ ref:_00D1aY7OU._5001PrEm35:ref ]
Hi Derek,
Thank you for your follow up. I am currently traveling out of the country, but will be back in the office next week and will be in a better position to provide you an update. I will be back in touch next week.
Kind regards,
Complaints Officer
ICANN
Subject: RE: Query: Complaint numbers 00006097 and 00005840 [ ref:_00D1aY7OU._5001PrEm35:ref ]
Date: Fri, 7 Jun 2019 19:22:57 +0000 (GMT)
From: Complaint Reply
Hi Derek,
I sincerely apologize for the delay. I’ve been working on responses to your claims for some time, however I’ve had competing priorities. I’m actively working on the responses now and hope to have something for you in the next two weeks.
Kind regards,
Complaints Officer
ICANN