[At-Large] Godaddy & ICANN Compliance: Port 43 whois
derek at aa419.org
Sun Nov 5 03:07:00 UTC 2017
An edited version of a post I made on the APWG. Certain parts have
been redacted to protect innocent victims. The rest is topical here.
Certain parties at Godaddy were copied on the original.
I'm not sure if there is anybody on the list who can address this issue. I
have lodged an ICANN complaint on it, but this is extremely topical in
doing what we do, fighting fraud, as this affects each of us. So I
have reached out to folks in other communities fighting abuse. The
issue is global and complaints are sandbagged.
To show what a harmful effect this has:
Consider bogus courier (removed - revealing this leads to innocent
victims losing their privacy)
This domain is being used in international fraud targeting companies
and consumers by an international Cameroonian syndicate.
While local distinct members have been identified in law enforcement
related operations, this blew into the international sphere.
Many domains in this syndicate have been documented, all evidence
fully captured for LE, in ongoing efforts since Thursday evening.
We were working hard at this, when we hit (removed-domain) on
Godaddy - a simple issue of not being able to capture a "standards
compliant" port 43 whois output format, something supposedly well
defined as per ICANN policy that should be available, yet this became
a time wasting stumbling block.
It took me about 2 hours to get a usable format of whois for this
domain. That's how stupid it gets ...
(removed-domain) has been scamming and piling up victim companies
and consumers since 2016.
The targets (each separate) are in:
Vietnam - 1 ton of waste paper
Malaysia - 1 ton of waste paper
USA - 100 GRAM Discrete parcel (Drug scam?)
USA - 300 Kg lobster tail
USA - 1.35 tons of skin care products
Armenia - 1 ton nuts
Thailand - 20ft container of seafood
Ukraine - 5kg Wooden pellets
Russia - 2500 reams of paper *
Brussels - 2 x 40ft containers of wooden pellets
USA - not much info, except from somebody selling "Legal Marijuana".
USA - 1 oz purple kush
India - 18 tons (20ft container) of ???
Turkey - 50 tons of old newspapers
India - 25 tons of waste corrugated paperboard
Dubai - 2kgs of red lentils, chick peas, mung beans
USA - 50kg crayfish
USA - Yacht
Saudi Arabia - 10kgs round mullet
Fiji - 5 cartons of BIC gas lighters, 1000 pcs/carton
India - 2600 reams of paper *
Each scam leads to another fake supplier and more of these fake
couriers. This is akin to "How long is a piece of string?".
So now that we know how this $3 bill domain is being abused, we look
at its whois after much effort at getting it only to find another
domain attributable to the same party, but suddenly in Thailand, shut
down for involvement in paper scams. (removed-domain states an Indian
While there is "so much concern for the privacy" of the owners of
(removed-domain), the owners of this domain do not have any
problem trivially leaking personal details of their targets onto the
web. Simply search for (removed) and follow the directory up
... enough said.
It's also the last issue on tel nr (removed), that leads to
alerts such as:
I hope this sheds some light on how the fight being fought by very few
volunteers is being hampered by ill-advised, non-policy-conforming
registrars' blocking of whois details.
It's not always LE that opens the "can of worms". LE deals with the
result (hopefully) once it's made clear it is a "can of worms". But if
LE is not shown the evidence and relevance, they have nothing to go on
and it did not happen. Yet tell that to these parties targeted and
exposed internationally. Sadly most such cases gather dust at local
police stations or like. Yet the victim may be a mom-and-pop shop
business, the livelihood of the owners and all associated with them
destroyed by the scam.
Privacy and protecting privacy is a delicate balancing act between
protection and disclosure, very ill understood. I had some discussions
with numerous experts who failed to understand how due diligence down
to whois level protects all. In this case I used the loan scam nest
from Benin as an example. Whois details were vital to untangling this
nest and mess. They were either shocked or did a quick pass-the-buck
exercise. Luckily EU Registrars did a stellar job mitigating the Benin
nest, devastating it. But what about next time? I shudder to think we
encounter such a nest on Godaddy.
Hopefully this makes the people here think of exactly what effect
whois, or the inability of obtaining whois details, has in a real
world environment. Sweeping problematic whois under the carpet of
blanket privacy in an environment where policies are weakly enforced,
is a recipe for a bloodbath. We're already seeing the effects at one
such US registrar who have become the go-to registrar for badness in
the domain space.
Artists Against 419
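The complaint above about not being able to capture a "standards compliant" port 43 whois output turns on one technical fact: the whois format ICANN requires of accredited registrars is a set of labelled "Field: value" lines, so a response that is not in that shape cannot be parsed by the tooling an abuse investigator relies on. The following Python script is an added example, not code from the original post or from Artists Against 419. It queries a whois server over TCP port 43 as RFC 3912 describes, parses the labelled fields, and reports which required fields are missing, so a non-standard response is flagged at once instead of costing hours. The REQUIRED_FIELDS tuple is an assumed subset of the fields the 2013 RAA whois specification lists, and both sample responses, the `.test` host names and the IANA ID are constructed for the example.

```python
"""Port 43 whois client with an RAA-style field check (added example)."""
import socket
from typing import Dict, List, Optional

# Assumption: a subset of the labelled fields the 2013 RAA whois output
# specification requires in a registrar's port 43 response.
REQUIRED_FIELDS = (
    "Domain Name",
    "Registrar",
    "Registrar IANA ID",
    "Registrar Abuse Contact Email",
    "Registrar Abuse Contact Phone",
    "Creation Date",
    "Domain Status",
    "Name Server",
)


def query_whois(server: str, name: str, timeout: float = 10.0) -> str:
    """Minimal RFC 3912 client: connect to TCP/43, send the query followed
    by CRLF, and read until the server closes the connection."""
    chunks = []
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key: Value' lines into a dict of lists; repeated keys such as
    several Name Server or Domain Status lines are all kept. Comment lines
    ('%', '#') and the '>>>' trailer are skipped. A line without a colon is
    free text and is ignored, which is what makes non-standard output show
    up as missing fields rather than as garbage values."""
    record: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or line.startswith(">>>"):
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split on the first colon only,
        key, value = key.strip(), value.strip()  # so URLs in values survive
        if key:
            record.setdefault(key, []).append(value)
    return record


def missing_fields(record: Dict[str, List[str]]) -> List[str]:
    """Required fields that are absent from the record or have no value."""
    return [f for f in REQUIRED_FIELDS if not any(record.get(f, []))]


def abuse_contact(record: Dict[str, List[str]]) -> Optional[str]:
    """The registrar abuse mailbox, or None when it is absent or itself
    redacted. Registrant privacy services cover registrant fields; the
    registrar's own abuse contact is expected to be published."""
    for value in record.get("Registrar Abuse Contact Email", []):
        if value and "REDACTED" not in value.upper():
            return value
    return None


# Constructed sample: a response in the labelled RAA shape.
COMPLIANT_SAMPLE = """\
Domain Name: EXAMPLE-COURIER.TEST
Registry Domain ID: D000000000-TEST
Registrar WHOIS Server: whois.registrar.test
Registrar URL: http://www.registrar.test
Updated Date: 2017-10-01T00:00:00Z
Creation Date: 2016-03-14T00:00:00Z
Registrar: Example Registrar, Inc.
Registrar IANA ID: 99999
Registrar Abuse Contact Email: abuse@registrar.test
Registrar Abuse Contact Phone: +1.5555550100
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-HOST.TEST
Name Server: NS2.EXAMPLE-HOST.TEST
>>> Last update of WHOIS database: 2017-11-05T00:00:00Z <<<
"""

# Constructed sample: the same facts in a free-text layout with its own
# labels, which an RAA-format parser cannot use.
NONSTANDARD_SAMPLE = """\
% Constructed non-standard response
Domain: example-courier.test
Registrar Name: Example Registrar, Inc.
Created: 14-Mar-2016
Registrant: privacy service
Nameservers:
    NS1.EXAMPLE-HOST.TEST
    NS2.EXAMPLE-HOST.TEST
"""

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT_SAMPLE),
                          ("non-standard", NONSTANDARD_SAMPLE)):
        rec = parse_whois(sample)
        print(label, "missing:", missing_fields(rec),
              "abuse:", abuse_contact(rec))
```

To run against a live server, replace the samples with `query_whois("whois.example-registrar.test", "example.test")`; registry responses usually carry a `Registrar WHOIS Server` field pointing at the registrar's own port 43 service, and the same parse and check applies to that second response.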