ICANN Compliance complaint UNY-783-11184 : Namesilo Standards Compliance
This is a rendition in HTML of a PDF format document sent to ICANN Compliance in the below complaint.
This is followed by esclatation attempts at ICANN.
Time span: 01 Mar 2018 – 07 Jun 2019 (last contact)
Note: minor edits were made to avoid email address harvesting. One link was substituted as it shows a victim driver’s license (marked).
ICANN Compliance complaint UNY-783-11184
Derek Smythe
Artists Against 419
2018-03-17
Namesilo is an ICANN Accredited registrar that is bound by the ICANN RAA 2013:
https://www.icann.org/registrar-reports/accreditation-qualified-list.html
As such this registrar is obliged by the terms of the RAA.
This complaint opens up underlying systematic issues at the Registrar previously mentioned in ICANN Compliance Complaint XFS-327-35074. This complaint was originally opened as Registrar Standard Compliance Complaint, changed to a WHOIS complaint by ICANN, ending with ICANN Compliance showing the registrar has complied. Yet the domain used for a bank spoof was still active and still spoofing the same bank with invalid registration data. This becomes more topical in the face of the GDPR.
Background
Most Advance Fee Fraud (AFF) activities use domains. Such domains are normally registered with proxies or deliberately supplied inaccurate registration details. Unlike phishing, domains are central to these activities and we even find continuous re-use of the same name by the same syndicate after suspension or lapsing.
It needs to be understood that this fraud could not be as effectively perpetuated without a domain. Such a domain is under malicious control. A hosting suspension will see such a domain merely rehosted, or even repurposed to such as the domain bonlineb.com (Bank of America) which was on IP 81.17.30.245. After suspension, it changed it’s MX to migadu.com with no online content. Likewise the fraudster may even now use subdomains which are extremely difficult to detect. As such this is clearly not a mere content issue. A malicious party registers a domain with malicious intent. The domain has no other legitimate purpose for such a party other than the anticipated malicious usage.
Registrar Namesilo was found to be the sponsoring registrar with the second highest count of long lived malicious recorded by Artists Against 419 in 2017. See https://blog.aa419.org/domain-abuse-2017/#pr_active
While Advance Fee Fraudsters continuously probe all registrars to try and obtain a foothold for their malicious activities which are illegal internationally, most registrars will promptly terminate such a domain where given evidence of such malicious activities, especially if linked to proxy abuse or fake registration data.
This is not the case with Namesilo. They believe any such domain usage not their responsibility.
This complaint address some of the issues where such malicious domains are registered at this Registrar and the lack in honouring of the RAA 2013 obligations, which in turn leads to massive consumer harm.
Issues at hand:
- Knowingly allowing an affiliate RAA violating proxy
- Registrar does not validate registration data.
- Registrar obligations
- Registrar reporting system does not allow for accountability metrics..
Knowingly allowing an affiliate RAA violating proxy
Please refer ICANN Compliance complaint ~XTO-568-35273: Privacy/Proxy complaint. This complaint shows that emails to reseller QHoster and Registrar Namesilo were sent and were acknowledged by the reseller. It shows that the proxy is mentioned that still violates the RAA 2013. This was never addressed.
The ICANN RAA obligates the sponsoring Registrar to ensure that their affiliates abide by the RAA. This never happened.
3.12 Obligations Related to Provision of Registrar Services by Third Parties. Registrar is responsible for the provision of Registrar Services for all Registered Names that Registrar sponsors being performed in compliance with this Agreement, regardless of whether the Registrar Services are provided by Registrar or a third party, including a Reseller. Registrar must enter into written agreements with all of its Resellers that enable Registrar to comply with and perform all of its obligations under this Agreement. In addition, Registrar must ensure that:
…
3.12.4 Its Resellers comply with any ICANN-adopted Specification or Policy that establishes a program for accreditation of individuals or entities who provide proxy and privacy registration services (a “Proxy Accreditation Program”). Among other features, the Proxy Accreditation Program may require that: (i) proxy and privacy registration services may only be provided in respect of domain name registrations by individuals or entities Accredited by ICANN pursuant to such Proxy Accreditation Program; and (ii) Registrar shall prohibit Resellers from knowingly accepting registrations from any provider of proxy and privacy registration services that is not Accredited by ICANN pursuant the Proxy Accreditation Program. Until such time as the Proxy Accreditation Program is established, Registrar shall require Resellers to comply with the Specification on Privacy and Proxy Registrations attached hereto.
…
3.12.6 In the event Registrar learns that a Reseller is causing Registrar to be in breach of any of the provisions of this Agreement, Registrar shall take reasonable steps to enforce its agreement with such Reseller so as to cure and prevent further instances of non-compliance.
Registrar does not validate registration data.
This issue is extremely topical at the dawn of the UDPR. In the current discussions on WHOIS data, the importance the thereof is discussed. In the latest ICANN published document on the issue at https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf we find (emphasis my own):
5.3.3. Accuracy of Registration Data (Pg12)
Legal Analysis and Response to Community Comments
5.3.3.4. The GDPR requires that personal data must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.” In addition, it is important to note that compliance with local laws is expressed or implied in ICANN’s agreements with contracted parties.
5.3.3.5. In principle this accuracy principle is similar in its sco pe and content to the accuracy principle stated in currently applicable European data protection law27 and contemplated in the Registrar Accreditation Agreement. (The current Registrar Accreditation Agreement already includes accuracy requirements such as the validation and verification of some data elements, and the provision of notice to registrants about how to access, and if necessary rectify the data held about them.) Also, ICANN has other accuracy related initiatives such as WHOIS Accuracy Reporting System project. The GDPR therefore does not require the introduction of a new verification or validation requirements.
We need to ask what happens if a Registrar becomes aware of illegal activities where they are the sponsoring registry? More so, what happens when the registration data is patently and obviously bogus? This is issue also reflected in ICANN Advisory dated 3 Apr 2003, https://www.icann.org/news/advisory-2003-04-03-en
On the other hand, where a registrar encounters a severe Whois inaccuracy being exploited by a registrant to evade responsibility for fraudulent activity being carried out through use of the domain name, prompt action by the registrar is appropriate.
In the previous case we referred in regarding the massive Reserve Bank of India spoofs we saw patently fake registration data that easily seen. Please see a report, the Petifre report, found here:
https://snapper.aa419.org/DS/projects/petifre2/Petifre.pdf
These are essentially later evens after the earlier report and by the same party. This report shows one party using many bogus identities and telephone numbers to spoof banks and other business, establish fake non-existent business entities such as couriers and like. Extremely prominent is the Reserve Bank of India being continuously spoofed. In essence this is a continuation of the earlier complaint XFS-327-35074. While this may be seen as “content issues”, the analytics done on the registration data is not. This shows DNS abuse for fraudulent purposes.
Clearly this shows how this party has been the cause of direct losses to legitimate companies as well for UDRP costs, yet they are ineffective as the registrant uses the same bogus registration data to register a replacement malicious domain.
The analysis shows how one party is using telephone numbers that does not exist, where the same number has both UK and Nigerian prefixes. It shows how, despite having made Namesilo aware that province IMC does not exist in Nigeria, these are still used. It shows non-existent 5 digit postal codes. Phone verification could not have succeeded, it would be impossible. Yet these details are continuously used. Essentially party is a Faker Maker: Ref https://snapper.aa419.org/DS/projects/fakermaker/
Ironically these details would put Namesilo in violation of the GDPR as well.
Apart from Petifre above, we can look at registrations linked to email address clementjohnson38@yahoo.com at Namesilo:
https://db.aa419.org/fakebankslist.php?psearch=clementjohnson38%40yahoo.com&Submit=GO&psearchtype=
Registrant Name: David Lastman Registrant Organization: Registrant Street: High St, Congleton, Cheshire Cheshire Registrant City: machester Registrant State/Province: Cheshire Registrant Postal Code: 64 016 Registrant Country: GB Registrant Phone: +44.4402074964000 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: clementjohnson38@yahoo.com |
Obviously something is drastically wrong UK postal code as that is not the format for UK postal codes. Not obvious, is that Congleton is 25 miles away from Manchester (as machester here). Yet the RAA 2013 states “Validate that all postal address fields are consistent across fields (for example: street exists in city, city exists in state/province, city matches postal code) where such information is technically and commercially feasible for the applicable country or territory.”
This information is available and technical feasibility exists.
Something is obviously also drastically wrong with the telephone number format. Yet the ICANN RAA 2013 specifies “Validate that telephone numbers are in the proper format according to the ITU-T E.164 notation for international telephone numbers (or its equivalents or successors).” Correcting this number by removing the extra .440, we get +442074964000. But this is the telephone number of British Petroleum, (BP), UK?
The below snapshot is from https://otp.tools.investis.com/clients/uk/bp_plc1/SEC1/sec-show.aspx?FilingId=11981694&Cik=0000313807&Type=RTF , where this link is found on the official BP website at https://www.bp.com/en/global/corporate/investors/regulatory-news-service-and-filings/20f-and-sec-filings.html
It’s clear this phone number was never properly validated.
Yet this fake set of registration details is used in advance fee fraud to spoof Barclays Bank, Standard Chartered, Coca Cola, Lloyds, Kuveyt Turk, Swed Bank A B etc, also used to create fictitious couriers and other entities. These are all malicious domains. It is also no surprise that these domains originate at reseller QHoster, where more than 60% of the malicious domains attributable to Namesilo are registered.
We continuously see such obvious inaccurate registration data at this registrar. It would be impossible to make a list of all the domains seen to date which fails merest scrutiny and was not validated. One such example would be UK phone numbers being too short once “fixed” due to format issues, example domain iconsultuk.com.
In turn these lacking checks have been massively abused to register malicious domain that are being abused in consumer facing fraud.
Registrar obligations
Once a malicious domain has been detected, it is desirable that such a domain should be suspended or otherwise disabled as soon as possible. The harm is ongoing while it’s active.
Ideally the ICANN reporting system should be used if possible, but this does not allow for rapid escalation. As such it’s desirable rather to contact the sponsoring registrar directly. Theoretically this should not matter. After all, the ICANN RAA WHOIS ACCURACY PROGRAM SPECIFICATION Par 4 mandates the registrar to investigate, the registrar Obligations 3.18 says:
Looking at Namesilo’s web page, we find terms to be here: https://www.namesilo.com/Support/Abuse-Reporting-Procedures. It says (emphasis my own):
Abuse Reporting Procedures All abuse reports must be made via our abuse reporting form. Once we receive abuse complaints, we follow the steps as listed below:
Please note that we are not a shortcut around due process. We are not an arbiter of trademark, copyright, intellectual property, etc. disputes. There are established processes in place for dealing with many common disputes, but we are not to be used as a shortcut around those processes. We are also not a law enforcement investigative body. We are a domain registrar. We do not believe it is the role of domain registrars to determine what is legal and what is not. This is the purview of the legal process within the locales in which alleged offenses occur. Please do not contact us with the goal of circumventing the legal process. Remember that we are a domain registrar and not a government agency, a police force or a judge of legal matters. Please do not ask us to determine if content on a web site is legal or not. In the vast majority of such cases, that determination is not objective and there are nearly always areas of disagreement between parties. As a domain registrar, we are not to be used to render decisions on these matters unless directed to do so via a court or similar agency of adequate jurisdiction, or indisputable evidence that a violation of our terms has occurred. |
The abuse reporting form is at https://www.namesilo.com/report_abuse.php and says:
Report Abuse You can use this page to initiate an abuse report concerning a domain registered with us. Before doing so, it is extremely important that you understand our positions and the services we do and do not provide. We are an ICANN-accredited domain registrar. This means we allow our customers to register and manage domain names. We also provide other optional ancillary services such as DNS managmement, web site forwarding and WHOIS privacy/proxy service. We are not a web site host and do not host any web pages. We are not an email service provider, and, as such, our network cannot be used for sending email. We are also not a shortcut around due process. We are not an arbiter of trademark, copyright, intellectual property, etc. disputes. There are established processes in place for dealing with many common disputes, but we are not to be used as a shortcut around those processes. As a result of the foregoing, we will not consider abuse complaints dealing with any of the following unless directed to via a court of adequate jurisdiction, or our WHOIS privacy/proxy service is being used and your sole request is to reveal the Registrant’s details:
The only type of content for which we make an exception to the policies above is in relation to child pornography or the unethcial use of minors in any way. We will consider reports concerning this type of content immediately. (form) You may also contact us via abuse at namesilo.com, but the above form is the proper way to submit abuse reports. |
This goes with the earlier statement made, the registrar considers all malicious domain issues to be content issues. This is an extreme disjoint from the realities of many fraud issues and in contradiction with issues such as botnets and Advance Fee Fraud where much of such is self-evident, even phishing where the registrant registers a domain for phishing. This is DNS abuse.
If this registrar cannot decide on obvious issues such as clear self-evident illegality, why did this registrar decide to become a registrar? After all, in the RAA 2013, we find:
1.13 “Illegal Activity” means conduct involving use of a Registered Name sponsored by Registrar that is prohibited by applicable law and/or exploitation of Registrar’s domain name resolution or registration services in furtherance of conduct involving the use of a Registered Name sponsored by Registrar that is prohibited by applicable law. |
In fact, a registrar’s accreditation may even be terminated:
5.5.2.1.3 with actual knowledge (or through gross negligence) permitted Illegal Activity in the registration or use of domain names or in the provision to Registrar by any Registered Name Holder of inaccurate Whois information; or |
This acknowledges the role the registrar should be playing.
AFF is predominantly domain based fraud. A malicious registrant registers a domain for malicious purposes, to defraud consumers. The domain has no legitimate purpose. It may be used to spoof a real company or not, that is incidental to the fraud. Relying merely on copyright and trademark issues does not address the issues consumers are facing nor would we have the rights to access those tools like the UDRP and URS mechanisms. Reporting such a domain to law enforcement results in the questions: Who is the victim, what was the loss, in which jurisdiction is your victim. Only if the victim is in the respective law enforcement’s agency and if (collective) losses are great enough will they intervene. This is after the fact and not consumer protection. This would assume these incidents can be linked. Fake whois undermines this right. This leaves consumers in a quandary and allows the fraudsters to flourish. This is partially the reason why consumer fraud losses are also at an all-time high. The BBB study clearly showed what a devastating effect this had had on the consumer and the legitimate pet trade industry: https://www.bbb.org/puppyscamstudy/ – this is but merely the tip of the iceberg.
Further AFF also massively leads to privacy loss. The GDRP expects validation and accountability. Yet under the above circumstances the AFF make no attempt to even protect the consumer, instead defraud them, steal their identities in identity theft, extort them and abuse them in ways that are unthinkable. Many of the website trivially leak consumer data. There is zero respect for the victim in this fraud. An example would be the mentioned malicious clementjohnson38@yahoo.com registrant with BP’s phone number; domain aoaexpressdelivery.com. Snapshot: https://db.aa419.org/docs/DB/00/0013/001301/00130171/20180308_212437_rhiee87d.jpg
These details can be found in the clear with no protection.
The big issue with host suspension for a malicious domain is it offers zero mitigation relief and has no lasting value; the registrant is still in control of the domain by being in control of the DNS, ironically also mentioned in Namesilo’s services where they try to distance themselves from the issue. It’s this reluctance to act, that has seen an exodus of Advance Fee Fraudsters from other registrars to Namesilo where they find sanctuary, resulting in them becoming the second most Advance Fee Fraud used registrar.
Registrar reporting system does not allow for accountability metrics
Emails to Namesilo results in no reply ever being received. Submissions via their web form do not result in an acknowledgement.
As was seen in the previous complaint against this registrar, they in fact denied ever receiving such notices. This begs the question: Is this ICANN accredited registrar actually abiding by the RAA 3.18.3 : “Registrar shall maintain the records related to such reports for the shorter of two (2) years or the longest period permitted by applicable law, and during such period, shall provide such records to ICANN upon reasonable notice.”. Or are they filtering such records. Or is their system really losing messages. Best practice and metrics allows for acknowledgements which are trivially easy to implement.
This lead to one incident below where Mr Horton of Legitscript and Mr Bruen of KnuJon are eventually included in frustration:
On 5/9/2017 2:40 PM, Derek Smythe wrote:
Hello Namesilo
I lodged a complaint via your web form a bit back on domain fastweedonline.com, since you absolutely insist your web forms be used.
No ticket or reply was ever received. Additionally this domain is still active as well despite showing the issues with this domain registration.
For the sake of accountability, may I please have a dated ticket reference and a copy of what was submitted?
Thanks.
Derek Smythe
Artists Against 419
http://www.aa419.org
On 2017-05-09 11:58 PM, NameSilo Support – 8 wrote:
Sorry, but we do not have purview over the content on web sites as we clearly state on our web site. You are advised to contact the host.
Thanks,
Skyler
NameSilo support
On 5/9/2017 4:59 PM, Derek Smythe wrote:
Skyler
I pointed out fake registration details in the ticket ?!!
I once again pointed out this in this request:
despite showing the issues with this domain registration.
But it’s fine. I’ve done a pretty good reconstruction and summary. It also prompted me to question what is actually happening here and is wrong with your reply.
This now becomes an ICANN community issue. I’ll once again explain the problematic registration details.
I’ll copy you on it, also ICANN compliance as I’ve already shown them why your form usage is form abuse in the past, despite their unwillingness to address it.
Derek
On 2017-05-10 02:35 AM, NameSilo Support – 8 wrote:
Derek,
Sounds great – have a fantastic evening. Also, for you edification, the WHOIS details reflect usage of our privacy service, so, despite your claims, there are no problems with the WHOIS registration details.
We advise you to read our abuse reporting procedures in full and please do not make frivolous reports of data that clearly has no problems. It wastes our time, as well as everybody’s time that you bring into your baseless complaint.
Thanks,
Skyler
NameSilo support
On 5/9/2017 7:13 PM, Derek Smythe wrote:
Cc: John Horton & Garth Bruen & ICANN Compliance
No problem Skyler.
I simply asked for a copy of an original complaint since you did not respond to it. You replied that you have no purview over content of websites. Not exactly what I asked, is it?
Your extreme concern in ensuring a safe accountable internet is also noted. Also how you view your proxy services as a shield for a known bad apple.
Since it seems you are a bit “slow at joining the dots”:
Your hidden registrant is a fake entity and the domain is malicious.
To explain the term malicious domain: A domain purposely registered by a malicious party for associated malicious usage, is malicious.
We’ve been tracking it before it moved to you:
https://db.aa419.org/fakebanksview.php?key=104810
Look at the name server and make a note of it:
> Name Server: ns1.ourcountry48shop.com
> Name Server: ns2.ourcountry48shop.comLook at his other domain, which he incidentally reported himself – yes, it is a “he” and yes it is the same party: cocaineonlineshopusa.com.
Once again note the nameserver:
> Name Server: NS1.OURCOUNTRY48SHOP.COM
> Name Server: NS2.OURCOUNTRY48SHOP.COMPlease do not believe the bank details you see on the second domain cocaine domain … they may belong to an innocent party. Please ask the US Dept of Homeland Security if you require more details since you claim to be US based. I can put you in touch with them if required.
Look at the whois details of OURCOUNTRY48SHOP.COM
This email serves as a notice that you were informed of the nature of domain fastweedonline.com using the privacyguardian.org. As such ICANN RAA 3.7.7.3 applies. I trust privacyguardian.org will accept the responsibility as promised.
Additionally you now also know about domain cocaineonlineshopusa.com claiming to be selling cociane in the USA. Naturally selling cocaine is illegal in the USA. You are the sponsoring registrar for this domain.
Domain Name: cocaineonlineshopusa.com
> Registry Domain ID: 2115747588_DOMAIN_COM-VRSN
> Registrar WHOIS Server: whois.namesilo.com
> Registrar URL: https://www.namesilo.com/
> Updated Date: 2017-05-03
> Creation Date: 2017-04-19
> Registrar Registration Expiration Date: 2018-04-19
> Registrar: NameSilo, LLC
> Registrar IANA ID: 1479
> Registrar Abuse Contact Email: abuse @ namesilo.com
> Registrar Abuse Contact Phone: +1.4805240066To insure your unaccountable system becomes semi-accountable, I request Mr Horton and Mr Bruen please also submit this email via the privacyguardian.org form at https://www.privacyguardian.org/ which should serve as evidence of such an alert being submitted to privacyguardian.org.
Have a marvelous day!
Derek
Subject: Re: fastweedonline.com (add cocaineonlineshopusa.com) Date: Tue, 9 May 2017 20:01:17 -0700 From: NameSilo Support - 8 <support at namesilo.com> To: derek at aa419.org CC: Garth Bruen at KnujOn <###############>, ######@legitscript.com, compliance at icann.org <compliance at icann.org>We never received any abuse report filed via our web site form for the domain you listed (fastweedonline.com).
My concern is for following our abuse reporting guidelines as that ensures that we are able to process, review and consider abuse reports. However, as noted above, no form was ever submitted on our site. Further, your assertion that the Registrant is a “fake entity” is not something you are in a position to state as the Registrant information has always been shielded via our privacy service while the domain has been registered with us.
If you want to file a proper abuse report, we recommend you do so via our online form, not via your email below.
Thanks,
Skyler
NameSilo support
Ironically Skyler knew about the “content issue”, despite not seeing the complaint?
Header for last email:
Return-Path: <support at namesilo.com> Delivered-To: derek at aa419.org Received: from m2.emailowl.com (m2.emailowl.com [198.199.111.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.aa419.org (Postfix) with ESMTPS id 6EC33600C9 for <derek at aa419.org>; Wed, 10 May 2017 03:01:24 +0000 (GMT) Received: (qmail 6100 invoked by uid 89); 10 May 2017 03:01:21 -0000 Subject: Re: fastweedonline.com (add cocaineonlineshopusa.com) To: derek at aa419.org References: <7951b659-9aa4-30b2-8206-85e0b79502d5@aa419.org> <0953bd6f-9397-90a8-3b1b-3cb39a9c438d@namesilo.com> <8b5ea170-16e7-84ef-9698-32ec60530a91@aa419.org> <207606d6-9c00-8d4e-cafb-f0f4794e4fa8@namesilo.com> <f1d7762e-7097-a3c2-6e0d-1c5d9d0b6d44@aa419.org> Cc: Garth Bruen at KnujOn <######>, ######@legitscript.com, "compliance at icann.org" <compliance at icann.org> From: NameSilo Support - 8 <support at namesilo.com> Message-ID: <6d33f6ed-96e1-80db-9f39-a3341c35bd1b@namesilo.com> Date: Tue, 9 May 2017 20:01:17 -0700 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 MIME-Version: 1.0 In-Reply-To: <f1d7762e-7097-a3c2-6e0d-1c5d9d0b6d44@aa419.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Antivirus: Avast (VPS 170509-4, 2017-05-09), Inbound message X-Antivirus-Status: Clean |
The issue here was that the domain was registered at Joker, along with numerous sibling domains. These claimed to be selling anything from marijuana to hard drugs such as cocaine, heroin, also suicide drugs such as Euthasol. These all abused Registrar Joker’s proxy service. When Joker was alerted, they first revoked their proxy, the registration details were fake, then they started terminating them. During this last step the registrant moved some of the domains to Namesilo. The registrant is a well-known malicious actor who spams his drug domains on online forums. One such was even on our own forums. Using DNS elements it is possible to trace this party.
Despite Mr Horton, Mr Bruen and I having also reported this to Namesilo’s proxy, no details as per ICANN RAA 3.7.7.3 were ever received.
These domains are Cameroonian in origin (see whois of mentioned OURCOUNTRY48SHOP.COM) and are commonly also associated with extortion after fraud on cancer patients.
Ref: https://www.deadiversion.usdoj.gov/pubs/pressreleases/extortion_scam.htm
Ref: (Removed content. Victim identifying details on drivers license – substitute munged link supplied: https://db.aa419.org/docs/DB/00/0012/001247/00124767/20190723_181443_ofye9g2f.jpg )
It’s no surprise to find the same domain (not ICANN regulated) http://usdea.us/ now used for a pet scam. Indeed, this ties in with issues also mentioned in Mr Steve Baker’s report in pet-scam fraud. Pet scams are the tip of this iceberg, ill-defined and massive domain abuse, originating from the Cameroon.
It’s this situation that is currently developing and growing at Namesilo. Consider just one of this party’s identities, cynthialori2008@gmail.com : https://www.whoxy.com/email/36468183
(Feel free to follow the name and dig deeper, returning to the start and more fake identities)
Essentially this makes a mockery of RAA compliance as mentioned in the GDPR discussions and ties up with the earlier mentioned problematic WHOIS issues.
Another example: Submitted via both webform and email No response. Domain is still active.
Subject: Reported via form: primepharma-laboratory.com Date: Sun, 10 Sep 2017 01:26:18 +0200 From: Derek Smythe <derek at aa419.org> Reply-To: derek at aa419.org Organization: aa419.org To: abuse at amesilo.com CC: #####@legitscript.com, Garth Bruen at KnujOn Hello Namesilo The following has just been reported via your online abuse form. Dropping a mail here since i know from history your form does not always work. Domain Name: primepharma-laboratory.com Desired Resolution: Deactivate Domain Details: Fake phrama Claims to sell LSD and other schedule drugs http://primepharma-laboratory.com/shop/add-adhd/lsd-lysergic-acid-diethylamide-150mcg-tablets/ Credit card details theft: http://primepharma-laboratory.com/submit-payment/ Ref: https://www.deadiversion.usdoj.gov/pubs/pressreleases/extortion_scam.htm ————————————- Derek Smythe |
Legitscript were copied and listed this:
https://www.legitscript.com/websites/?lookup_type=website_search&website=primepharma-laboratory.com&product=
It is common cause that LSD is illegal in the USA. However, what we are seeing here is an attempt at claiming to sell the drug, but having no access to it. In turn this leads to extortion typically via bogus couriers claiming to do “discrete” shipping.
We also see the attempted credit card details theft. This is a self-sustaining caustic environment also funding further domain purchases. This leads to massive consume harm.
Conclusion
Despite this registrar being ICANN accredited, they do not uphold the norms of the ICANN RAA.
We see this in the way proxies are used at their reseller. We see this in the lacking quality of registration data. We see them massively abused by criminal syndicates, abusing malicious domains for advance fee fraud, as a bullet-proof registrar. These syndicates know fake registration details will shield them. They also know the authorities can impossibly investigate each and every issue.
The registrar feels themselves absolved from any responsibility in this issue and are happy to facilitate the trade in malicious domains. In turn this creates an environment where there is a lack of confidence to report serious issues to them.
This leads to gross ongoing fraud and consumer harm in self-evident illegality.
—ooo000ooo—
Lodging of complaint to final closure at ICANN Compliance:
Original complaint until Compliance closure: 1 March to 3 Aug 2018
Subject: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed
Date: Fri, 03 Aug 2018 10:31:29 +0000
From: Compliance Tickets <compliance-tickets at cann.org>
Dear Derek Smythe,
Thank you for submitting an Abuse complaint concerning the registrar NameSilo, LLC. ICANN has reviewed your complaint with the registrar:
– The registrar indicated that they did not receive your abuse report. However, upon further review of your complaint, the registrar indicated that they have investigated your abuse reports and the reports do not fall within the registrar’s purview. The registrar also indicates that their abuse procedures are clearly listed on the registrar’s website, and they are not responsible for the content on web sites, and not an arbiter of the legality of content hosted on web sites. The registrar requested that you contact the hosting companies regarding your concerns.
– In addition, ICANN confirms receipt of your survey feedback regarding closed Privacy/Proxy complaint XTO-568-35273. To clarify this matter, the registrar of record confirmed with ICANN that the domain names referenced in your complaint (ALRAYANACC.COM, crelann.com, diamondoline.com, and ncitioline.com), and those registered with similar information, are registered to a third party or reseller and not a proxy service. Under the 2013 Registrar Accreditation Agreement (RAA), resellers may be registrants for domain names.
If you have evidence demonstrating failure to comply with the obligations of the Specification on Privacy and Proxy Registrations of the 2013 RAA, please provide that information to ICANN by submitting a new Privacy/Proxy complaint via the complaint form at https://forms.icann.org/en/resources/compliance/complaints/whois/privacy-proxy-registration-form .
ICANN considers this matter now closed.
If you require future assistance, please email compliance@icann.org; if you have a new complaint, please submit it at http://www.icann.org/resources/compliance/complaints .
ICANN is requesting your feedback on this closed complaint. Please complete this optional survey at https://www.surveymonkey.com/s/8F2Z6DP?ticket=UNY-783-11184 .
Sincerely,
ICANN Contractual Compliance
############################################
The problem summary
Time of submission/processing: Thu Mar 1 19:51:11 2018
Reporter Name: Derek Smythe
Reporter Organization: Artists Against 419
Reporter Email: derek at aa419.org
Domain Name that is subject of complaint: rbind2.org
Registrar that is subject of complaint: Namesilo
Description of problem: While a domain is being mentioned, the underlying issue is abuse of the DNS system and the registrar not investigating, allowing the issue to continue, allowing fraud under the mantle of “we are only a registrar”. In turn this makes a mockery of consumer rights, commercial rights and even policies and processes like UDRPs.
Example, subject of acomplaint sent to Namesilo three weeks ago:
https://snapper.aa419.org/DS/projects/petifre2/Petifre.pdf
Downstream reseller QHoster appears to be responsible for ~60% of the issues. May be higher. QHoster provides their own domain proxy services, yet do not adhere to the RAA specification on proxies. Namesilo abuse notified 28/10/2017 with example. No reply.. Domains still being registered with this proxy using info@QHoster.com. Current example of abuse accessonlnc.com used for http://us.accessonlnc.com/
Repeat of https://db.aa419.org/fakebanksview.php?key=116099
Esentially this is a continuation of previous complaint re Namesilo.
Note – this is not a mere whois issue, rather gross policy violations undermining accountability and numerous rights, allow fraud at industrial scale.
The whois at the time of processing is:
REGISTRY WHOIS:
Domain Name: RBIND2.ORG
Registry Domain ID: D402200000004538071-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-02-12T03:45:54Z
Creation Date: 2017-12-13T11:37:40Z
Registry Expiry Date: 2018-12-13T11:37:40Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: abuse @ namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Reseller:
Domain Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: C200203609-LROR
Registrant Name: Stanleg Board
Registrant Organization:
Registrant Street: No. 2 Olena Avenue
Registrant City: imc
Registrant State/Province: imc
Registrant Postal Code: 23454
Registrant Country: NG
Registrant Phone: +234.07084086464
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: starboard881@yahoo.com
Registry Admin ID: C200203609-LROR
Admin Name: Stanleg Board
Admin Organization:
Admin Street: No. 2 Olena Avenue
Admin City: imc
Admin State/Province: imc
Admin Postal Code: 23454
Admin Country: NG
Admin Phone: +234.07084086464
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: starboard881@yahoo.com
Registry Tech ID: C200203609-LROR
Tech Name: Stanleg Board
Tech Organization:
Tech Street: No. 2 Olena Avenue
Tech City: imc
Tech State/Province: imc
Tech Postal Code: 23454
Tech Country: NG
Tech Phone: +234.07084086464
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: starboard881@yahoo.com
Name Server: NS1.STEELDNS.COM
Name Server: NS2.STEELDNS.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form:
https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2018-03-01T20:24:06Z <<<
For more information on Whois status codes, please visit
https://icann.org/epp
Access to Public Interest Registry WHOIS information is provided to assist
persons in determining the contents of a domain name registration record in
the Public Interest Registry registry database. The data in this record is
provided by Public Interest Registry for informational purposes only, and
Public Interest Registry does not guarantee its accuracy. This service is
intended only for query-based access. You agree that you will use this data
only for lawful purposes and that, under no circumstances will you use this
data to: (a) allow, enable, or otherwise support the transmission by
e-mail, telephone, or facsimile of mass unsolicited, commercial advertising
or solicitations to entities other than the data recipient’s own existing
customers; or (b) enable high volume, automated, electronic processes that
send queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or modify
existing registrations. All rights reserved. Public Interest Registry
reserves the right to modify these terms at any time. By submitting this
query, you agree to abide by this policy.
Registrar:
Whois Server:
##########################################
Ticket Details
Ticket ID: UNY-783-11184
Department: Abuse
Type: Issue
Status: Manual Process
Priority: Compliance Hold – ICANN
Escalation to ICANN Complaints 3 Aug 2018
https://www.icann.org/en/system/files/files/complaint-00006097-redacted-03aug18-en.pdf
Complaint 00006097 @ https://www.icann.org/complaints-report
Subject: Fwd: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed
Date: Fri, 3 Aug 2018 16:15:12 +0200
From: Derek Smythe
Dear Mr Marby and ICANN Complaints Office
Please note I do not accept this response from the ICANN Compliance office.
I clearly showed how the registrar does not check registration details as per the RAA 2013 WHOIS ACCURACY PROGRAM SPECIFICATION and is where the issues start, at DNS level. This is not addressed.
I clearly showed how the Namesilo contact system (webform and email) does not allow for accountability and performance metrics and this is abused. Ironically this is being used as an excuse here again for the second time in about 2 years in two separate ICANN Compliance Complaints where this is pointed out yet not addressed! I also gave an example of how Namesilo claims they did not receive a complaint, then mysteriously knows what the complaint is about.
I explained WHY this is not mere content issues, rather DNS abuse. yet we find the blanket “we are only a registrar” type response while allowing the DNS abuse to continue. This essentially says a Registrar is allowed to facilitate organized crime by self blinding to the obvious fake registration details and ignoring the RAA Accuracy Specification. This is not in line with other promises made and also not what was said to the European regulators.
This issue is NOT phishing on a hacked website or like. I also strongly suggest that ICANN SSAC be tasked to look at this DNS issue and similar. Simply put, many of these types of domains never have content and are used for emails in Advance Fee Fraud which is currently at an all time high (as statistics all around the world shows), is illegal in almost every country, yet depends on DNS abuse to succeed as shockingly spectacularly as it does. This leads to human rights issues. Many WIPO decisions are mistakenly made and won on phishing grounds whereas the underlying abuse is actually Advance Fee Fraud, something different. As such this issue should and must be taken seriously.
I even showed how Société Générale wins a UDRP, yet while this was ongoing, the respondent simply registers a replacement spoof of Société Générale. This makes a mockery of the UDRP system and subjects any such rights holder to perpetual victimhood at the whim of a malicious registrant – a $10 registration at a tolerant Registrar trumps a $2,500 UDRP every time as we see.
It cannot be denied that these oversights are not in line with stated and agreed upon ICANN policies and leads to gross harm. It is for this reason that I am now escalating this issue to the ICANN Complaints office as this is linked to another issue. Hopefully this can be turned into a learning opportunity.
Note: These responses are also being shared with various enforcement agencies and like in a confidential manner. I further also reserve the right to share this with the parties harmed or even publicly if needed, as the general public is also a victim to these oversights.
Regards,
Derek Smythe Artists Against 419 http://www.aa419.org
Subject: RE: Fwd: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed [ ref:_00D1aY7OU._5001ab28aj:ref ]
Date: Fri, 3 Aug 2018 16:08:10 +0000 (GMT)
Dear Derek Smythe,
Thank you for your message. I write to confirm you would like this submission treated as a complaint to be handled by the Complaints Office. Once you confirm, I will proceed with the complaints process.
I understand the compliance ticket referenced in this message is related to the compliance ticket (XTO-568-35273) that you have submitted a separate complaint for.
Thanks,
Complaints Officer
ICANN
Terms and Conditions for Submission to the Complaints Office
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.
Subject: Re: Fwd: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed [ ref:_00D1aY7OU._5001ab28aj:ref ]
Date: Fri, 3 Aug 2018 19:12:55 +0200
To: Complaint Reply
Dear Complaints Office
This is indeed correct, please consider it as such. This ticket is essentially a continuation of XFS-327-35074 dated July 2016 where the serial fake registration details not checked and broken Namesilo communication mechanisms were pointed out and never fixed. This ticket was similarly closed. As such this “never received …” excuse does not cut it. Ironically where see registrations by the same party mentioned continue abusing the DNS system with the same fake registration details. More similar examples exists … one instance was escalated to the ICANN Ombusdsman. Unfortunately this case died a silent death when he left.
The compliance ticket (XTO-568-35273) is the one I have separately submitted a complaint on. Essentially this ticket is the other side of the same bigger issue that allows abuse into the DNS system via the above registrar. This is also not the first ticket on non-complying proxies. At least two other ICANN Accredited Registrars had two non-complying proxies; one simply denied the evidence supplied (WHOIS details saying otherwise) claiming a language problem, the other pointing to their website (with no proxy provisions) and this being accepted blindly, while the evidence supplied was not checked or followed up upon with the tickets blindly closed.
These are the very methods whereby malicious registrants gain a foothold in the DNS system. It is for this reason I also strongly suggest ICANN SSAC be known in this issue.
Thank you for the fast response.
Regards,
Derek Smythe
Artists Against 419
http://www.aa419.org
Subject: Re: Fwd: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed [ ref:_00D1aY7OU._5001ab28aj:ref ]
Date: Thu, 9 Aug 2018 22:11:00 +0000 (GMT)
From: Complaint Reply
Dear Derek Smythe,
I am writing to provide an update regarding your complaint. I have your complaint and am currently researching it. I understand your complaint to be about ICANN Contractual Compliance’s handling of complaints. Once I complete my research, I will work with the ICANN Organization team(s) responsible for this topic to draft a response to you. Please know the research and response process is quite thorough and typically takes a fair amount of time. I will provide you with a status update in two weeks.
Additionally, I want to make sure you are aware of the Terms and Conditions for Submission to the Complaints Office. They are noted at the end of this message, but I’ve also copy/pasted them here:
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.
Your complaint and accompanying response will be published in the Complaints Office section of our website; see: https://www.icann.org/complaints-office. Note, your contact information will not be published but your name and organization name, if applicable, will be. Other details contained in your complaint may also be redacted prior to publishing.
Please let me know if you have questions.
Complaints Officer
ICANN
Terms and Conditions for Submission to the Complaints Office
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.
Subject: Re: Fwd: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed [ ref:_00D1aY7OU._5001ab28aj:ref ]
Date: Thu, 30 Aug 2018 12:10:52 +0000 (GMT)
From: Complaint Reply
Dear Derek,
As promised, I write to provide you with an update regarding your complaint prior to my departure for my holiday.
I was able to finish my research prior to leaving and will draft my response to you upon my return from holiday. As previously communicated, I will be fully back in the office on 17 September and am targeting 30 September to issue you a response.
As always, please let me know if you have questions.
PS. I don’t recall whether I sent the redacted version of this complaint to you so I have attached it to this message – just in case.
Kind regards,
Complaints Officer
ICANN
Terms and Conditions for Submission to the Complaints Office
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.
Subject: Re: Fwd: [~UNY-783-11184]: Abuse complaint re: rbind2.org closed [ ref:_00D1aY7OU._5001ab28aj:ref ]
Sent: 27 April 2019 3:58 PM
To: Complaint Reply
Subject: Query: Complaint numbers 00006097 and 00005840
Hello ICANN Complaints Office
Re: Complaint numbers 00006097 and 00005840
Just a query to verify at what status these two complaints are.
Please note the harm that is being caused to the community is ongoing.
Additionally we also see how domains are suspended and re-activated at
this registrar, despite the domains clearly being malicious. While we
could turn this into an argument about DNS abuse definitions, if
official resellers of the Registrar are involved even (even Petifre
referred to in the complaint is one such – a Nigerian reseller), such
arguments become moot.
Thank you,
Derek Smythe
Artists Against 419
http://www.aa419.org
From: Complaint Reply
Sent: 8 May 2019 1:32 AM
Subject: RE: Query: Complaint numbers 00006097 and 00005840 [ ref:_00D1aY7OU._5001PrEm35:ref ]
Hi Derek,
Thank you for your follow up. I am currently traveling out of the country, but will be back in the office next week and will be in a better position to provide you an update. I will be back in touch next week.
Kind regards,
Complaints Officer
ICANN
Terms and Conditions for Submission to the Complaints Office
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.
Subject: RE: Query: Complaint numbers 00006097 and 00005840 [ ref:_00D1aY7OU._5001PrEm35:ref ]
Date: Fri, 7 Jun 2019 19:22:57 +0000 (GMT)
From: Complaint Reply
Hi Derek,
I sincerely apologize for the delay. I’ve been working on responses to your claims for sometime, however I’ve had competing priorities. I’m actively working on the responses now and hope to have something for you in the next two weeks.
Kind regards,
Complaints Officer
ICANN
Terms and Conditions for Submission to the Complaints Office
Submitted complaints will be handled in accordance with the ICANN bylaws and the ICANN Privacy Policy. By submitting this document to complaints@icann.org you acknowledge that the complaints process shall operate to the maximum extent feasible in an open and transparent manner and consistent with procedures designed to ensure fairness. Except as noted above, information you submit is subject to being published on the ICANN website.