Tuesday 28 October 2008

Alex Shafts, CEO / World Wide Domain Names / LunarPages spam

There's more to this spam than meets the eye.. and be certain that it IS spam and isn't any kind of communication from your domain name registrar:



Subject: Notice Regarding Your DOMAIN NAME
From: "Domain Name Support"
Date: Tue, October 28, 2008 5:16 am
To: info@worldswidedomainname.com


*****************************************
Important Notice Regarding Your Domain Name(s)
*****************************************

Dear Webmaster,

According to our records you are the ADMINISTRATIVE CONTACT.

We would like to inform you we have partnered up with LunarPages Web Hosting. We understand you are currently hosting with another provider. But we encourage you to try out LunarPages. LunarPages also has an affiliation program where you can embed banners on your website and earn $65 for every referral.

A little more information about LunarPages; Lunarpages Web Hosting was born from Add2Net in 2000, and has grown rapidly providing Shared Hosting, Dedicated, Reseller, and most recently, VPS Hosting Plans. LunarPages is BBB Accredited and is rated A for excellence. LunarPages also has received many Industry Awards including Web Host Magazines highest level of recommendation. LunarPages is one of the fewest hosting services that provide unlimited transfer and unlimited data storage.

LunarPages can fit your business needs whether you’re a small business or a large company. Join (or lurk about) Community Forums and ask our customers why they host with LunarPages. For more in depth information, news and articles about Web Hosting, Marketing, SEO, Traffic, AdWords, Design, Networking and General Fluff, visit Lunartics Blog (updated daily, sometimes hourly). Our BlogStars consist of a team of more than 20+ industry experts. You may learn something, or simply be entertained.

VISIT LUNARPAGES

If you’re not ready to give LunarPages “Web Hosting” a try just yet, TRY the affiliation program where you can earn hundreds or even thousands a month. Save this email for your records and click the link above for special promos throughout the year.

Best Regards,

Alex Shafts, CEO

World Wide Domain Names

If you are the domain administrator of more than one domain account, you may receive this notice multiple times.
-------------------------------------------------------------------

All rights reserved.



Who the heck is Alex Shafts? And who are "World Wide Domain Names"? Certainly nobody I do business with. So let's see who is sending this first of all. A look at the mail headers will be interesting:

X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on blade2.cesmail.net
X-Spam-Level:
X-Spam-Status: hits=0.9 tests=HTML_MESSAGE,URIBL_RHS_DOB version=3.2.4
Received: from unknown (192.168.1.88)
by blade2.cesmail.net with QMQP; 28 Oct 2008 05:27:00 -0000
Received: from mail500.opentransfer.com (98.130.1.155)
by ********** with SMTP; 28 Oct 2008 05:27:04 -0000
Received: (qmail 624 invoked by uid 399); 28 Oct 2008 05:16:47 -0000
Mailing-List: contact info-help@worldswidedomainname.com; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
Delivered-To: mailing list info@worldswidedomainname.com
Received: (qmail 618 invoked by uid 399); 28 Oct 2008 05:16:47 -0000
X-Originating-IP: 68.230.241.45
Received-SPF: none (mail500.opentransfer.com: domain at worldswidedomainname.com does not designate permitted sender hosts)
identity=mailfrom; client-ip=68.230.241.45;
envelope-from=;
X-Authority-Analysis: v=1.0 c=1 a=J2IRbVyBMHeSdsxzcmgA:9
a=21DexejRGg20G2OFDxsA:7 a=V6NLHKsM1nmveCJf-9nhvT6W67oA:4 a=htsp1cwEuSoA:10
a=6-9Fr_h7AAAA:8 a=Vm2oXCpbAAAA:8 a=n4JkmEeXAAAA:8 a=W_LaJHSTY1FKiyaM68cA:9
a=aa2LJqmKak3HsCtWz3EA:7 a=2hL6MRTsiU3c-Xv2ucuIwzcZna0A:4 a=ojskhZjZVJUA:10
a=pM-imOxlMqoA:10 a=fd-QgsGfzTIA:10 a=AfD3MYMu9mQA:10
X-CM-Score: 0.00
Message-ID: <802858ce0ad3496e988f0c3c39bc0060@alex>
From: "Domain Name Support"
To:
Subject: Notice Regarding Your DOMAIN NAME
Date: Tue, 28 Oct 2008 01:16:39 -0400

The originating IP address is 68.230.241.45, which belongs to Cox Communications, but we also have a domain name: worldswidedomainname.com. The WHOIS details for that domain match the sender's name:

Registrant:
Alex Shafts
504 LEONARD AV
Las Vegas, NV 89106
US

Domain name: WORLDSWIDEDOMAINNAME.COM

Administrative Contact:
Shafts, Alex worldsdomainnames@yahoo.com
504 LEONARD AV
Las Vegas, NV 89106
US
702.5431469
Technical Contact:
Shafts, Alex worldsdomainnames@yahoo.com
504 LEONARD AV
Las Vegas, NV 89106
US
702.5431469

Registrar of Record: TUCOWS, INC.
Record last updated on 24-Oct-2008.
Record expires on 25-Oct-2009.
Record created on 25-Oct-2008.

This domain is just a couple of days old, which sets the alarm bells ringing. A Google search for "504 Leonard Av" comes up with a couple of YouTube videos [1, 2]. It turns out to be a foreclosure sale. OK, that really sucks for Mr Shafts, but it is no excuse to send out spam.
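
The header and WHOIS checks above as a script, an added example that is not part of the original post. The sample is an abridged copy of the headers quoted here; `triage`, `is_public`, the flag names and the 30-day threshold are assumptions chosen for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Abridged copy of the headers quoted in this post (redaction kept as posted).
SAMPLE_HEADERS = """\
Received: from unknown (192.168.1.88)
 by blade2.cesmail.net with QMQP; 28 Oct 2008 05:27:00 -0000
Received: from mail500.opentransfer.com (98.130.1.155)
 by ********** with SMTP; 28 Oct 2008 05:27:04 -0000
Received: (qmail 624 invoked by uid 399); 28 Oct 2008 05:16:47 -0000
Mailing-List: contact info-help@worldswidedomainname.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list info@worldswidedomainname.com
X-Originating-IP: 68.230.241.45
Received-SPF: none (mail500.opentransfer.com: domain at worldswidedomainname.com does not designate permitted sender hosts)
Date: Tue, 28 Oct 2008 01:16:39 -0400
"""
WHOIS_CREATED = "25-Oct-2008"  # "Record created on" value from the WHOIS output
HOP_RE = re.compile(r"from\s+(\S+)\s+[(\[]([0-9.]+)[)\]]")


def is_public(ip):
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def triage(raw_headers, whois_created, young_days=30):
    """Collect relay, submitter, list and domain-age facts from one message."""
    msg = message_from_string(raw_headers)
    # Skip qmail's local "invoked by uid" lines and the recipient's internal
    # 192.168.x.x hop: neither identifies a network to report to.
    hops = (HOP_RE.match(h.strip()) for h in msg.get_all("Received", []))
    relays = [(m.group(1), m.group(2)) for m in hops if m and is_public(m.group(2))]
    # X-Originating-IP is whatever the submitting server recorded; treat as a lead.
    submitter = (msg.get("X-Originating-IP") or "").strip("[] ") or None
    created = datetime.strptime(whois_created, "%d-%b-%Y").replace(tzinfo=timezone.utc)
    age_days = (parsedate_to_datetime(msg["Date"]) - created).days
    list_hdr = msg.get("Mailing-List", "")
    flags = []
    if age_days < young_days:
        flags.append("young-domain")
    if (msg.get("Received-SPF") or "").lower().startswith("none"):
        flags.append("no-spf-record")
    if list_hdr or msg.get("Precedence", "").lower() == "bulk":
        flags.append("list-distributed")  # a reply may fan out to every subscriber
    if submitter and relays and submitter != relays[0][1]:
        flags.append("relay-is-not-origin")  # two networks to send abuse reports to
    return {"relays": relays, "submitter_ip": submitter, "domain_age_days": age_days,
            "list_manager": list_hdr.partition("run by ")[2] or None, "flags": flags}


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS, WHOIS_CREATED))
```
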

So, what is this spam trying to get you to do? Is it important? Nope. It's actually just spam for the LunarPages affiliate program. Web hosting affiliate programs can be big earners - in this case LunarPages pay $65 per sign-up. Not bad, but all this email is trying to do is get you to sign up for web hosting. It is in no way an official notice from your registrar.

We know that desperate situations lead to desperate actions, but sending out spam and what is basically deceptive advertising is not going to help.

Added: just to prove himself a bigger idiot, the mailing list that he created to send out the spam ALSO accepts email from absolutely anyone so now there's a real shitstorm of comments, autoreplies and bouncebacks. What a plonker.

Added: check out the comments to this post, also this blog entry has more details. I have made a follow-up entry here explaining the problem in more detail.

28 comments:

Unknown said...

Here is the real kicker...all those replies are coming back to other people, including me. He must have set the reply e-mail to forward to innocent people...it sucks

Brown Bear said...

Agree with Aaron - we're getting a handful of pretty abusive emails telling us to stop spamming and I have no idea who this guy is or why we're getting mail about it.

aude lising said...

I just did a search on this now because I'm getting hundreds of angry emails from random people I don't even know.

How did we even END UP on that email list? Who the hell sold our email addresses? I always make sure I'm not signing myself up for stuff like that... This is just UGGGGH.

Conrad Longmore said...

I don't think anyone sold our email addresses, I think that they've been scraped from WHOIS details.

The problem is now all the bouncebacks.. it does look like the offending website has been nuked, but not the mailing list.

Unknown said...

I manage the Affiliate Program here at Lunarpages Web Hosting, and I just wanted to comment to say that we have terminated this affiliate's account and he will not be able to do any business with us in the future. His actions were a direct violation of our Terms of Service, and we simply will not tolerate spammers under any circumstances.

Our apologies to everyone who has had to deal with this spammer. I promise that our Abuse team is also looking into further actions we can take against this individual.

Thanks to everyone who's emailed us to let us know so we could delete his account and terminate his relationship with our company.

If there's anything we can do, please don't hesitate to let us know.

Tiara Rea
Lunarpages Web Hosting

Pierre said...

Thanks Tiara, great to hear. I wanted to report it to you but his host had already disabled his site so there was no aff link to reference. I too have received tons of email from people thinking I spammed them. It looks like he somehow set up an email forwarder on his domain to forward replies to other people... I'm still confused by it. People would reply to domain@worldswidedomainname.com or info@worldswidedomainname.com and somehow that would be forwarded to my email address.

Other webmasters became confused by this and would then send a test message to info@worldswidedomainname.com to see if it would arrive at their box and someone else would end up receiving it. In addition to spam complaints I received test messages by people trying to figure it out.

bgardmore said...

Well 9am here and still these come in.
Pete, it's not really all that confusing - this clown has a mailing list set up with probably many thousands of email addresses taken from whois (I know it comes from the whois because we use honeypot addresses on the whois). Instead of the mailing list being closed, this tube has it as an open list, so anyone replying or bouncing back or even the confirmation emails are being exploded to the entire list.

I have been reporting this abuse since yesterday morning (I am a hosting company); however, I have had no acknowledgement or action from any of the primary offenders.

The domain was just registered by Tucows on the 26th - they have failed to respond, and 2 abuse complaints have been sent to ecommerce.com, the company in charge of the IP address that these emails are originating from:
Received: from mail500.opentransfer.com ([98.130.1.155])

OrgName: Ecommerce Corporation
OrgID: ECOMM-5
Address: 247 Mitch Lane
City: Hopkinsville
StateProv: KY
PostalCode: 42240
Country: US

NetRange: 98.130.0.0 - 98.131.255.255
CIDR: 98.130.0.0/15
NetName: ECOMMERCE-HOSTING
NetHandle: NET-98-130-0-0-1
Parent: NET-98-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.OPENTRANSFER.COM
NameServer: NS2.OPENTRANSFER.COM
Comment:
RegDate: 2007-10-15
Updated: 2008-06-19

RAbuseHandle: ABUSE875-ARIN
RAbuseName: eCommerce Inc ABUSE Dept
RAbusePhone: +1-614-534-1960
RAbuseEmail: abuse@ecommerce.com


I have now filtered off all mail originating from this domain and this IP range from our servers.

Pipples said...

Thanks for the message Tiara, but why is there nothing on your own website to explain this situation? That was the first place I looked after discovering worldwidedomainname.com was suspended and I'm sure it's where other people will look. As you did have an affiliate relationship with this nutter, I'm sure it's the least you can do to set out Lunarpages' position.

Conrad Longmore said...

Pipples,

Sadly all affiliate managers have to deal with breaches of their TOS. It happens more often than you might think, so I personally wouldn't expect to see anything up about it.

Kudos to LunarPages for dealing with the matter so quickly, they have also posted on at least one other blog to make their actions clear.

Unknown said...

I am also on the idiot's mailing list for some reason.

Here's the server IP address:
Received: from mail500.opentransfer.com (98.130.1.155)

The originating IP would be the sender's home computer, or wherever he's initiating it from, not the mail server hosting the list.

mail500.opentransfer.com is the reverse DNS entry for the IP of the mail server hosting the ezmlm server. A whois for opentransfer.com shows that Tucows is the registrar. I think I'll send an email.

bgardmore said...

ixwebhosting are still maintaining the MX record so mail is still going through.
I just contacted their tech support:

Chat Information: Please wait for a site operator to respond.

Chat Information: You are now chatting with 'Vladimir Starkov'

Vladimir Starkov: Thank you for coming, my name is Vladimir. How may I help you?

you: worldswidedomainname.com you need to pull this guy's MX record - it is spamming all over the world

Vladimir Starkov: Please create a ticket and provide spam letter inside and header please

Vladimir Starkov: Our ticket team will investigate your issue in 3 hours

you: Site has been disabled but you have left MX intact and he is exploding a mailing list

you: Sorry done the abuse thing and no result - do a google search your company is getting some real bad publicity

Vladimir Starkov: Please create a ticket

you: http://www.dynamoo.com/blog/2008/10/alex-shafts-ceo-world-wide-domain-names.html

you: I have cut your IP range from our servers not my problem anymore this is just a heads up - deal with or not I don't care anymore

you: One of the worst abuses I have come across in 14 years in the business - have a nice day

Vladimir Starkov: You too

aude lising said...

Well, my issue is that the email address it's been sent to me is not being used for any sort of whois purposes, which is why it's got me all confused! Everything I do that is website related is linked to a gmail account, not the yahoo one I've been receiving things to?

At any rate, I'm glad steps have been taken and the issue is almost resolved. I'm getting less angry emails now, woohoo!

c4cast said...

I too have tried contacting ixwebhosting.com twice about this. All they keep saying is that the account has been disabled. I made it clear that by allowing this they are a part of this e-mail abuse, but it just didn't seem to matter to them. Seems to me they are at best an unethical company, and at worst not a legitimate hosting company at all.

Also, anyone know how to get this mail server blacklisted? It is not listed on the Spamhaus blacklist, but it really should be.

David said...

I think the dingus set it up as a listserv from the looks of the header:

List-Post: <mailto:info@worldswidedomainname.com>
List-Help: <mailto:info-help@worldswidedomainname.com>
List-Unsubscribe: <mailto:info-unsubscribe@worldswidedomainname.com>
List-Subscribe: <mailto:info-subscribe@worldswidedomainname.com>


Unfortunately ours is an alias as the addresses go to multiple people so I haven't had time to create a message "From" the alias to test the unsub option; but you may try that. (I just opted to blacklist all mail sent to that address.)

Unknown said...

I called, spoke to support at ecommerce.com, they say they were aware of the problem, and that it will be down within 24 hours.

Anonymous said...

7am CST and I am still getting these emails. Thanks for contacting them Miamidude, good to know that it will be over soon!

quizwedge said...

I tried the unsub option on my e-mail address and it didn't seem to work. I called ixWebhosting and got the "we've disabled the account" message. They also said that the reason the messages are still going through is because there is a script that is sending it through the user's mail server when they hit reply. Now, I doubt that even Outlook and Outlook Express would allow something like that to run, so I got off of the phone and checked the MX record, which they still have running. Only IX Web Hosting can fix the problem. They either are incompetent or flat out refuse to fix the problem. They can be reached at 1-800-385-0450 or internationally at 1-614-534-1961. I chose "2" for technical support. They say they're open 24/7. Suggest everyone in the U.S. call them at the 800 number. Perhaps they'll get sick enough of hearing from us (or it'll start affecting their bottom line enough) that they'll finally do something about it.

quizwedge said...

Just got a message 25 minutes ago and decided to reply to the list with instructions on what to tell ixWebHosting and got the following error message back:

Message could not be delivered to some recipients.
The following recipient(s) could not be reached:

Recipient: [SMTP:info@worldswidedomainname.com]
Reason: The message could not be delivered because the domain name (worldswidedomainname.com) does not appear to be registered.

Reason Code: Invalid Domain Name
Error Number: 9003

So, looks like we've won! At least for now...

aaron m69 said...

OK, let's hope. I was just on the phone with Ix web hosting myself because I am still getting some spam, and the guy told me that world wide domain names has switched to a new host, Alabanzainc., located in Baltimore. He told me their tech guy is Thomas Cunnigham, 410 779 1400. He said ix web hosting has completely terminated their accounts but they are routing through this other company. I don't know much about any of this; this is the first time I have ever had to deal with this, so if anyone else has any info let me know. I am going to call the above company also and see what the deal is.

quizwedge said...

Looks like he's now with ecommerce.com (98.130.1.155). Their number is 1-800-861-9394.

quizwedge said...

Looks like he's now going through mail500.opentransfer.com (98.130.1.155). That IP address is owned by OpenTransfer-ECommerce (www.ecommerce.com) Admin contact for opentransfer.com is @ecommerce.com. Call Ecommerce.com at 1-800-861-9394 and you're presented with pressing 1 or 2. And 2 connects you to, drum roll please.... their ixWeb Hosting division.

Looks like the fun gets to continue.

quizwedge said...

Just called ecommerce.com and chose the non ixWebHosting option (option 1). I'm pretty sure I got the same guy as when I called ixWebHosting. He said that he's not sure why I'm still getting the e-mails. He was very hard to hear, so I plan on waiting until the morning and giving a call then if I'm still receiving messages. I could just block the IP address, but I'm quite riled up at this point and figure I might as well fight for those who can't just block the IP address.

Vikki said...

Thanks so much for working on resolving this. I was trying to ignore it all but seeing all these posts from ppl that don't understand what is going on gets more and more difficult to ignore. Folks just don't understand that replying to this type of message just creates more problems.

Vikki

laytwie said...

It is now the 31st and I am still getting this spam at my boss's email and my personal email. If everyone stopped testing it or replying to this email then we would not get it at all. It does not go back to the main email server. It goes to everyone else. I am so sick of receiving this junk I'm so ready to explode. As Pete said, it is still coming from those two email addresses. If there is a way to reply to all who received it not to reply to it, just delete it. Thanks for listening.

Mz said...

This is a great blog post. I am stuck in the same situation as all of you.

Luckily Gmail takes care of this type of spam rather easily for me - but people keep responding back to the messages so the problem just compounds on itself.

Surely there has to be a way to get the mailing list pulled, not just the mx records? You can spoof just about any email address out there.

He can probably pull up a new mail list rather quickly, but perhaps it's time to try and involve some sort of legal action.

Conrad Longmore said...

I received the last bounceback at 2327 GMT yesterday (although it was originally sent Tuesday at 1552 and titled "envoi de emmanuel").

Although this has been very annoying and disruptive, I don't believe that the spammer intended the mailing list to work in this way! My honest feeling is that it is some poorly judged attempt at affiliate marketing badly implemented. But since this spam doesn't seem to be CAN-SPAM compliant then he's left himself wide open to action.

Unknown said...

Yes, it is very important for web-masters to be alert regarding their domains and not fall prey to such mails.