A Superlative Scam and Spam Site Registrar

Over the past week, a number of the Internet's largest data carriers have ceased providing online connectivity to Atrivo (a.k.a. "Intercage"), an ISP that security experts say is home to a huge number of scammers and spammers. This week, I'm turning the spotlight on EstDomains Inc., Atrivo's most important customer and the single biggest reason so many experts have condemned Atrivo.

According to RegistrarStats.com, EstDomains is the 49th largest domain name registrar, with more than 270,000 domains. Security Fix is still working on cataloging all of those domains, but for the purposes of this analysis we'll examine some 10,000 Web site names that are both registered through EstDomains and using the company's various domain name servers to route traffic to them.

I chose to focus on that particular subset of 10,000 domains mainly so that EstDomains could not simply disavow knowledge of the sites' activities by claiming it serves as nothing more than a registrar for those domains.


Turns out, at least one-third of those domains (.CSV) are currently blacklisted by SURBL.org, which tracks Web site names that are advertised in junk e-mail.

Have a look at the complete list of those 10,000 names -- which I've made available at this link here (.CSV file) -- and it should quickly become evident why so many are blacklisted.

Pick almost any spammy term that comes to mind and you will find dozens of sites with those terms currently registered at EstDomains and using their name servers. Below are just a few of the terms I picked, and beside each is the number of times the terms appeared in a domain name from the list of 10,000 (a longer list is available here):


pharm: 100
viagra: 42
casino: 62
pill: 82
soft (software): 164
rx: 57
drug: 68
meds: 66
jewelry: 46
porn: 301
teen: 120

Snowshoe Domains: Spreading the Love

Security experts at anti-spam group Spamhaus.org say EstDomains is a pioneer in setting up domains and domain name servers to accommodate a practice known as "snowshoe spamming." Spamhaus explains:

Like a snowshoe spreads the load of a traveler across a wide area of snow, some spammers use many frequently-changing IP addresses and domains to spread out the spam load in order to dilute recipient reputation metrics and evade filters. Conversely, legitimate mailers try hard to build their brand reputation based on a known domain and a small permanent range of sending IPs. Snowshoers also use anonymized or unidentifiable WHOIS records, whereas legitimate senders are proud to provide their real identity.

A stellar example of an operation primed for snowshoe spamming can be seen in the network set up by an entity called extendedhost.com. That domain name is merely a placeholder: extendedhost.com doesn't actually have an official Web site, and all of its domain names are registered at EstDomains.

Could EXTendedhost be the same company as ESTdomains (which also owns a hosting service called ESThost)? The registration records for Extendedhost.com aren't much help, placing the company variously in Canada, Panama, and the Ukraine. But a domain name server history search on extendedhost.com shows it most recently used the DNS servers of a company called Bakler.com. Bakler is a domain auction service owned by Rove Digital, an entity that claims ownership of EstDomains (I'll have more on Rove Digital in a follow-up blog post).

All 500 numeric Internet addresses assigned to extendedhost.com are blacklisted by Spamhaus for sending spam. But look a bit deeper into the entity's operations, and you'll notice that each spam domain has its own distinct name server.

Why bother assigning a unique domain name server to resolve each unique spam Web site name? For starters, anti-spam groups can blacklist thousands of spam sites in one fell swoop just by listing the handful of domain name servers that all of the sites have in common. But when each spam site has its own name server, it creates far more work for anti-spam groups.
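
The name-server grouping described above, as an added example that is not part of the original article: it groups a constructed domain/name-server list by name server, works out how many name-server listings a blocklist would need to cover every domain, and picks out the domains that each run on their own dedicated name server. The CSV column names, sample domains and function names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (not from the article's list). Three domains share
# one pair of name servers; three others each have a dedicated name server.
SAMPLE_CSV = """domain,nameserver
cheap-pills.example,ns1.sharedhost.example
cheap-pills.example,ns2.sharedhost.example
rx-meds.example,ns1.sharedhost.example
rx-meds.example,ns2.sharedhost.example
soft-deals.example,ns1.sharedhost.example
snow-a.test,ns1.snow-a.test
snow-b.test,ns1.snow-b.test
snow-c.test,ns1.snow-c.test
"""


def load_records(text):
    """Parse domain,nameserver rows into {domain: {nameserver, ...}}."""
    records = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        domain = row["domain"].strip().lower().rstrip(".")
        ns = row["nameserver"].strip().lower().rstrip(".")
        if domain and ns:
            records[domain].add(ns)
    return dict(records)


def ns_fanout(records):
    """Invert the mapping: {nameserver: {domains it serves}}."""
    fanout = defaultdict(set)
    for domain, servers in records.items():
        for ns in servers:
            fanout[ns].add(domain)
    return dict(fanout)


def ns_listings_needed(records):
    """Greedy cover: which name servers to list so every domain is covered.

    Returns [(nameserver, newly_covered_domain_count), ...] in pick order.
    One shared name server covers many domains in a single listing; with a
    dedicated name server per domain, every domain costs its own listing.
    """
    fanout = ns_fanout(records)
    uncovered = set(records)
    chosen = []
    while uncovered:
        # sorted() makes ties deterministic; max() keeps the first best.
        best = max(sorted(fanout), key=lambda ns: len(fanout[ns] & uncovered))
        gained = fanout[best] & uncovered
        chosen.append((best, len(gained)))
        uncovered -= gained
    return chosen


def dedicated_ns_domains(records):
    """Domains whose name servers all sit under the domain itself and serve
    no other domain. On its own this is normal for many legitimate sites;
    it becomes a signal when a large batch of already-listed domains shows it.
    """
    fanout = ns_fanout(records)
    flagged = []
    for domain, servers in records.items():
        in_domain = all(ns.endswith("." + domain) for ns in servers)
        exclusive = all(fanout[ns] == {domain} for ns in servers)
        if in_domain and exclusive:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    for ns, gained in ns_listings_needed(recs):
        print(f"list {ns}: covers {gained} more domain(s)")
    print("dedicated name servers:", ", ".join(dedicated_ns_domains(recs)))
```

On the sample data a single listing covers the three domains on the shared name servers, while the three dedicated-name-server domains need one listing each.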

"I call it 'horizontal scaling,'" said Suresh Ramasubramanian, head of anti-spam operations at Hong Kong based Outblaze.com. "You can pump up [spam] volume one of two ways: tons more from one or two sources, or spread the load across several sources, like a snowshoe spreads the weight of your feet across the snow."

Porn, Scareware, and Search Traffic Hijacking

Fake anti-virus and fake anti-spyware Web sites comprise the most persistent nuisance and source of illegal activity emanating from EstDomains today. Chief among these fake security products is the infamous XPAntivirus family of scareware, as exemplified by the still-active antivirus2008xp.com, pictured at right.


Typically, hackers are paid to compromise legitimate Web sites and silently redirect any visitors to these fake security software sites. Those sites in turn download malicious software that bombards the victim with incessant, bogus messages warning that his or her computer is infected with multiple privacy and security threats. Spy-partners.com, registered through EstDomains, is just one example of a company that pays affiliates to redirect traffic to its stable of scareware sites.


Experts say EstDomains also is the single largest source of domains affiliated with fake "codec" scam sites. These are mainly adult Web sites (or hacked, legitimate sites seeded with pornography) that tell visitors they need to install a special video codec in order to view the featured movies. The malware served by these fake codec sites also is fed by affiliate programs, such as cashcodec.com, ruler-cash.com, and vcstats.com (bonus points if you already figured out that each of these domains is active and registered through EstDomains).


One function of these codecs is to install software that changes the victim's domain name service settings, so that some percentage of their Web site and search engine traffic gets redirected to Web sites and search engines controlled by the attackers. The criminals in control of machines infected with these codecs can trivially hijack any victim traffic destined for online banking and other e-commerce Web sites.

At the end of my post last week on Atrivo/Intercage, I mentioned that I planned to take a hard look at EstDomains. A number of readers took that as an invitation to post in the comments section lists of sites registered at EstDomains that were serving up fake codecs and bogus security software.

Konstantin Poltev, the registry liaison for EstDomains, responded to each of those posts individually, saying he had suspended them all. However, I found a couple hundred more, detailed at this list here. It's worth noting again that I found these domains in a sample of 10,000 domains registered through EstDomains - or out of roughly 3.5 percent of EstDomains' total domain portfolio.

Poltev said his company responds to abuse complaints within 24 hours. "However, sometimes making any decision is nearly impossible as there is an obvious lack of evidences, which prove the reported domain name's involvement in the infringement of the registration agreement," Poltev said in an e-mail to Security Fix. "In general, such complicated cases are brought into court, and it must be mentioned that we are strictly bound by our policy to discharge our obligations before court decisions."

"There are some cases that force court, federal agency, police or any other authority to make an official request for providing them with all the information available for the disputed domain name or its owner," Poltev said. As to criticisms that EstDomains welcomes cyber criminal activity on its network: "I am at a loss and cannot understand why someone should confer our company the rank of cyber space criminals."

The Role of Directi

No single security company has tracked the fake anti-malware and porn codec epidemic emanating from EstDomains more thoroughly than Clearwater, Fla., based Sunbelt Software. Patrick Jordan, a senior spyware researcher for Sunbelt, maintains a massive database that charts the connections between thousands of criminal Web sites as they've come and gone over the years.

Jordan's database illustrates what he calls the "Blackweb Network," an alliance of sites erected to push fake anti-spyware and anti-spyware products, porn, and to hire affiliates who get paid to spread this junk.

Jordan said that most of the sites in his database were registered either at EstDomains or at Directi, a domain registrar based in India that does business as Public Domain Registry. As it happens, EstDomains is a reseller of Directi's registration services. Among the services Directi offers is privacyprotect.org, which allows domain name registrants to obscure their contact details from the public.

"Most of the fake anti-malware and DNS changer guys are all registered through EstDomains using privacyprotect.org," Jordan said.

In June, Security Fix covered an analysis from anti-spam outfit Knujon that indicated some 15,000 Web site names advertised in junk e-mail were registered using Directi's privacyprotect.org service. Last week, Knujon released another report detailing what it called 48 "phantom domain name registrars" that cater exclusively to spammers and virus writers and trace back to Directi.

Knujon's report coincided with a separate report from security researchers at Hostexploit.com that tied Directi to cyber crime operations.

Chris Barton, lead scientist at McAfee Avert Labs, joined the chorus of criticism against Directi, with a strongly worded blog post that asked Directi's founders: "When will you completely stop supporting the illegal acts of EST[domains] and other very obvious darkside entities and kick the bad apples out?"

Directi vehemently denied turning a blind eye to abuses by EstDomains, and said it had stopped offering the registrar the use of privacyprotect.org services. Directi chief executive Bhavin Turakhia said the company considered dropping EstDomains as a customer entirely, but decided against it. "We are forced to reconsider ONLY for the sake of the several hundred thousand innocent domain registrants that happened to have registered their domain through EST. Pulling the plug on them can lead to the potential destabilization of several thousand innocent websites."

For its part, EstDomains appears to have already found a way to obscure the registrant information for new spam and scam domains, launching its own anonymity service called protectdetails.com. For example, sh0pp0rtal.net -- an EstDomains-registered Web Fraud 2.0 service Security Fix previewed this month that lets cyber crooks verify the credit limits on stolen credit and debit cards -- now shields its registrants' data using protectdetails.com.

On Sunday, Directi, Hostexploit.com and Knujon declared a truce after a week's worth of squabbling in media coverage about the reports. In a post to its corporate blog Sunday, Directi said it had suspended a list of domains provided by Hostexploit and Knujon, including loads.cc, a Web Fraud 2.0 featured site that has long been a place where scam artists can go to rent botnets, or large groupings of compromised PCs.

That post from Directi's blog concludes with these promising words:

"HostExploit and Knujon did share with Directi a separate list of additional web sites known for badware that belong to Atrivo, enabling Directi's abuse team to swiftly suspend them. Directi HostExploit and Knujon intend to continue this information exchange to speedily resolve abuse issues, and to further demonstrate transparency the community can contact either Directi or / and HostExploit to ensure action is taken."


Security Fix would like to thank Jart Armin, Nicholas Bourbaki, Matt Jonkman and James McQuaid for contributing to this story.

By Brian Krebs  |  September 8, 2008; 1:07 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Web Fraud 2.0  

Comments

Thank you for shining the light on these criminals. For too long their activities have gone unreported on by the media.

Posted by: Dan | September 8, 2008 2:10 PM | Report abuse

Excellent work Brian!

Fwiw, someone from ESTDomains has joined the MalwareBytes forum and says he is suspending rogue software domains reported there.

http://www.malwarebytes.org/forums/index.php?showtopic=6159

It's evident that fraudware domains are only part of the problem with ESTDomains, however.

Posted by: suzi | September 8, 2008 2:38 PM | Report abuse

hey. this sh0pp0rtal.net and his whole account has been suspended.
the reseller's account has been suspended as well until we see that he is not involved.
antivirus2008xp.com is at GoDaddy, not at EST. Try to report it to them.

Posted by: Dmitri | September 8, 2008 4:22 PM | Report abuse

Dimitri,

Yes, it is registered at GoDaddy but the nameservers are showing:

Name Server: MANAGEDNS1.ESTBOXES.COM (has 8,115 domains)
Name Server: MANAGEDNS2.ESTBOXES.COM
Name Server: MANAGEDNS3.ESTBOXES.COM
Name Server: MANAGEDNS4.ESTBOXES.COM

http://whois.domaintools.com/antivirus2008xp.com

What is the relationship between Estdomains and Estboxes.com?

Posted by: suzi | September 8, 2008 4:55 PM | Report abuse

Suzi, have you tried to lookup the NS records on these nameservers? There are no records regarding antivirus2008xp.com on these nameservers. So they use the nameservers without proper authorization, and this means the domain can't be resolved.

Posted by: Dmitri | September 8, 2008 5:01 PM | Report abuse

EST are a registrar these days.

I'd like to see the definition of "innocent domain" ;)

FYI Some interesting comments on our blog have finally been published too:
http://www.avertlabs.com/research/blog/index.php/2008/09/04/the-darksides-domains/

Posted by: Chris Barton | September 8, 2008 6:02 PM | Report abuse

Dmitri,

Yes, I see now antivirus2008xp.com does not resolve. I'd still like to know the relationship between Estdomains, Estboxes.com and estsecure.com. Both redirect to estdomains.com and both are hosted on InterCage servers. One IP shows InterCage in Groton, Connecticut, and the other shows InterCage in Concord, CA.

Posted by: suzi | September 8, 2008 7:16 PM | Report abuse

it is not a secret:

estdomain.com - registrar

estboxes.com - domain for providing managed services. Managed DNS, domain forwarding, mail forwarding. Almost all registrars offer such services.

estsecure.com - security authorization (login) domain which used by clients and resellers to login to estdomains interface.
Why you see different location, I don't know, probably it is just a mistake in geoIP database.

Posted by: Alex | September 8, 2008 7:56 PM | Report abuse

Nice work, Brian!

Posted by: BlakeC | September 8, 2008 9:20 PM | Report abuse

For the last three months I have been getting six to eight emails a day advertising "acai berry" These all come through "sendex.info"
with dozens of fake(?) account names.
I will not be satisfied with blocking them at my mail server , I want them cut off at the source. This may be the work of a botnet , or just overzealous promoters.
But any promoter should know better than to send the same message every day!

Posted by: Grumpy1 | September 8, 2008 10:19 PM | Report abuse

Acai Berry - that's being advertised by typical snowshoe spam but it's all from static sources (space rented in cheap colocation datacenters)..

I don't think there's a botnet connection here at all.

Posted by: SRS | September 9, 2008 12:34 AM | Report abuse

Thank you for your work on this reporting, Brian et al. I really appreciate it!

Now, let justice be done to these criminals.

Posted by: sc | September 9, 2008 1:27 AM | Report abuse

Fantastic article, well explained, detailed.

We use an anti-spam antivirus mail filtering appliance at our work but it is fascinating to see all the work the makers of the appliance now have to do these days to ensure their multiple daily updates target all snowshoe spam.

This was an excellent read.

Ilka

Posted by: Ilka | September 9, 2008 5:21 AM | Report abuse

BASTARDS

Posted by: GREG | September 9, 2008 6:03 AM | Report abuse

Apparently everyone moved over there from k**k***ains. Now the Ests are screwed too( Time to bail again(( Fuck!

Posted by: Петрович | September 9, 2008 7:04 AM | Report abuse

First of all, regarding the SURBL, we'll be in touch with them regarding the
list as it seems to be inaccurate.
As for the second list you sent us - first of all, 75% of the domains listed there were inactive at the moment of your report.
however, we have suspended all domains except 4, as their customers claim these domains to be legit, so they are currently under investigation.
Extendedhost has nothing in common with us. Their activity will be investigated as well.
spy-partners.com and ruler-cash.com are registered through DirectI.
vcstats.com and cashcodec.com have been suspended
Regarding privacy protection - kindly take a look at the
http://www.theregister.co.uk/2008/09/03/directi_strikes_back/, you could see
our attitude towards the privacy protection there.
In another article you mentioned that we are in top of the registrars for
child pornography. You could even find two domains, which are being used for
promoting it! Don't you mind if I reveal them?
Brian Krebs: "Two that come to mind right now are: xxxx.com and xxxx.com" [EDITED]
Answer: "No, the child pornography is another thing we have zero tolerance
against. As for the domains you mentioned, I wasn’t able to locate any
adolescent or link to the child porn on these sites. Could you provide me
with the exact URLs in case I missed something?"

Could you finally show us something, connected to child pornography, which
relates to us and which we refused to remove?
Can you repeat your words in court?
Could anyone find some child-porn link on these websites?

Posted by: Konstantin Poltev | September 9, 2008 8:06 AM | Report abuse

In general, we'd like to talk essentially, as we do on malwarebytes.org. If there is any exact issue, we look into it immediately. When you accuse us of something we don't relate to, what kind of answer do you expect?
You've sent us the list of questions, altered our answers your own way, removed the sentences, which represented our point of view, and presented us as some criminal gang. We understand that you need the sensation, but the real sensation doesn't need falsehood.
What I would like to add, is that we obviously won't write anything on this website, as there is no sense in it. In case anyone wants to ask or to report anything - kindly drop me an email at kokach@estdomains.com or raise the support ticket at http://support.estdomains.com.
Thank you and have a nice day.

Posted by: Konstantin Poltev | September 9, 2008 8:08 AM | Report abuse

Damn it, Americans, you've really become a pain in the ass! Not only are you too lazy to download codecs, now you also feel like suspending domains...

Posted by: aweqwr | September 9, 2008 9:41 AM | Report abuse

Some (even a huge number of) scammers and spammers are not a reason to exert pressure and force the closure of thousands of registrations of entirely legal and law-abiding web sites.
I personally own about 50-60 domains, registered through Estdomains.com, and some of my friends also use the Estdomains service (because of the best prices), but we are 100% legal users, hating spam, scam and child porno...

Posted by: Dmitri | September 9, 2008 9:52 AM | Report abuse

blah-blah-blah :)

Posted by: staf | September 9, 2008 10:04 AM | Report abuse

i think that on estdomains a lot of legal clients and resellers. malware or fraud customers are smart (use a lot of account ...) and also use e-money very comfortable for them. but i really hope that estdomain can solve these problems and remove all problem clients from them. just keep suspending problem domains like you do right now.

Posted by: john | September 9, 2008 10:05 AM | Report abuse

Konstantin -- You are being disingenuous about my message to you on the child porn sites.

First of all, I sent you two emails yesterday about this, and you know perfectly well the second one is the e-mail that has the corrected spelling of the actual child porn domains that are registered through EstDomains.

Second of all, I find it extremely irresponsible of you to post those links in the comments section of this blog.

Posted by: Bk | September 9, 2008 10:19 AM | Report abuse

Brian,

Am I? Or are you the one who is disingenuous?
I have reviewed the mail logs and there weren't any information about the "correct" spelling of the actual child porn domains. Could you re-send your letter?
Anyway, so you mentioned two domain names and you made mistakes on spelling of both of them?
As for the second question - why shouldn't I reveal those domains? You call us the child porn supporters, provide those links, which do not relate to child porn, and you expect that we will keep silence, don't you?

Posted by: Anonymous | September 9, 2008 10:29 AM | Report abuse

So why the hell lump everyone together? I, for example, have plenty of clean and perfectly innocent domains registered through EstDomains.

Posted by: FromUkraineWithLove | September 9, 2008 10:31 AM | Report abuse

Scumbags, your hands should be chopped off for the ban!

Posted by: PENDOS-KILLER | September 9, 2008 10:32 AM | Report abuse

I'm sorry, this - Posted by: Anonymous | September 9, 2008 10:29 AM - was mine, I forgot to put my name there.

Posted by: Konstantin Poltev | September 9, 2008 10:42 AM | Report abuse

There are a lot of good sites registered at estdomains.com i guess (besides the bad ones, you've found). So, if you've found some of them bad - just report to estdomains.com about it - i think they will react about this...

Posted by: Anton | September 9, 2008 11:20 AM | Report abuse

Well, I'll be damned!

Posted by: Лукич | September 9, 2008 11:50 AM | Report abuse

What jerks: they rant about codecs while posting links to CP themselves. Sort out the CP first, and then come poking around here!
In case you don't know, you are taking away our bread!
And imagine if we stopped eating at McDonald's? You'd be screwed! So think before you do anything.
Sorry for the Russian. Otherwise the Yanks will delete it!

Posted by: Вася Пупкин | September 9, 2008 12:47 PM | Report abuse

Support from LastNickel.com
We had a lot of customers infected recently with antivirus2008. When we contacted Privacyprotect.org and told them about the problem they released the info on the owners of the rogue software. when we published the info on our blog our servers were attacked and our blog redirected to another site for 2 days until we found the attack.
The contact info is....
antivirus 2009
contact info
Domain Name: INTERNET-DEFENSE2009.COM

Creation Date: 12-Aug-2008
Expiration Date: 12-Aug-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name


Registrant:
N/A
Bob Gubko (domains2convert@gmail.com)
Green Gates avenue 244
Manama
Panamá,0223
PA
Tel. +44.67590012

Administrative Contact:
N/A
Bob Gubko (domains2convert@gmail.com)
Green Gates avenue 244
Manama
Panamá,0223
PA
Tel. +44.67590012

Technical Contact:
N/A
Bob Gubko (domains2convert@gmail.com)
Green Gates avenue 244
Manama
Panamá,0223
PA
Tel. +44.67590012

Posted by: Rick Stone | September 9, 2008 1:13 PM | Report abuse

fucking bastards

Posted by: вася | September 9, 2008 1:43 PM | Report abuse

internet-defense2009.com

ICANN Registrar: DIRECTI aka PUBLICDOMAINREGISTRY.COM

Status: SUSPENDED

Posted by: alex | September 9, 2008 1:45 PM | Report abuse

Regarding:

"As for the second question - why shouldn't I reveal those domains? You call us the child porn supporters, provide those links, which do not relate to child porn, and you expect that we will keep silence, don't you?"

In the US it is ILLEGAL to post child porn domains/URLs on the web.

Posted by: suzi | September 9, 2008 1:57 PM | Report abuse

Suzi. That was the way I tried to show that Mr. Krebs sent us the domains, which are NOT involved in any child-porn distribution chain. At least, Mr. Krebs was not able to show the opposite to us. In case there was any material of this kind, I'd never post such URL.

Posted by: Konstantin Poltev | September 9, 2008 2:00 PM | Report abuse

Konstantin -- I'd kindly ask you to stop posting half-truths. You have been sent the URLs, and the longer you wait to cancel those domains, the more culpable you are.

Posted by: Bk | September 9, 2008 2:19 PM | Report abuse

Brian, could you give me your phone number? I have NEVER received any more domains from you. And I asked you to re-send them, have you done that?
I can call you and you can tell me the names of the domains in case you don't want to re-send them. But as for now, what I see, is that you don't have the information about such domains, despite claiming that.
I've got all of your letters, and when it came to these two domains the letter suddenly disappeared? Seems weird.
Look forward to hearing from you soon.

Posted by: Konstantin Poltev | September 9, 2008 2:27 PM | Report abuse

RUSSIANS DON'T SURRENDER !!! :)

Posted by: Zuzya | September 9, 2008 2:38 PM | Report abuse

Well, obviously, you have irritated some pretty sensitive nerves, Brian. Keep poking, Dude!

Posted by: Pete from Arlington | September 9, 2008 3:10 PM | Report abuse

Someone from Estdomains has posted the
following in MalwareDomainList forum :

http://www.malwaredomainlist.com/forums/index.php?topic=2180.msg5381#msg5381

Posted by: Anonymous | September 9, 2008 4:10 PM | Report abuse

Wow, all of these Russian-language threats and name-calling is precisely the sort of response I expect whenever we finally see someone shut them out of their pathetic criminal domains. It's a sign that this decisive action on the part of Directi (and also the recent activity taken against Intercage) has had the desired effect.

These criminals' days are numbered. Their profits, as they should have known in the first place, were bound to stop coming in at some point. (At least in this instance, it's slowing down.)

They should have thought of this before attempting to turn every last computer into a tool for their malicious use.

Get the message, you moron criminals: we hate you, we hate your "products", and we're sick of hearing from you. Name-calling is among the most pathetic responses you could have come up with. But as I mentioned: it wasn't unexpected.

Kudos to Directi for their very swift action. That it took a very public outing via the media for this to take place is somewhat disappointing, but the fact that they did take action is certainly a good thing.

And of course thanks to Mr. Krebs and all others for keeping a sharp eye on this.

SiL / IKS / concerned citizen

Posted by: SiL | September 9, 2008 6:26 PM | Report abuse

Yes, We are Spammers and Scammers and We are still alive with our domains.
Not You not even Google could stop us, so take it easy^)

Posted by: Spammers United | September 9, 2008 6:42 PM | Report abuse

I'll say it again: pathetic.

This has been a really bad year for spammers and their supporters. :)

And correction: we just *did* stop you, "Spammers United". Watch while we continue to stop you.

SiL

Posted by: SiL | September 9, 2008 6:45 PM | Report abuse

online pharmacy

Posted by: Frammomarie | September 9, 2008 8:57 PM | Report abuse

Russian bastards, criminals, you'll be finished soon.

Posted by: Sujok | September 9, 2008 9:27 PM | Report abuse

that's my dad :D very awesome that he does this.

Posted by: patrick jordan | September 9, 2008 9:56 PM | Report abuse

Good stuff Brian. Keep on keepin' on.

Posted by: kilgore | September 9, 2008 9:57 PM | Report abuse

Hey. My domain (and in fact my registrar zonehoster.com) was suspended for reasons I don't even understand. You guys discuss viruses and spammers, but shut down _everybody_ who registered through zonehoster. Didn't look if it is legit or not. Sounds like "hey, lets bomb Iraq because they have Saddam. War is good because among thousands of decent people we would kill couple of crooks." Don't you have "innocent before found guilty by _court_" presumption? That is so stupid, I can't even go that deep to that stupidity to explain how wrong you are. Let's put it that way. Since you guys (Americans) have some rapists living in your cities we should nuke you.

Posted by: User | September 10, 2008 12:05 AM | Report abuse

ESTdomains have 270 thousands registered domains. Even if you examined 10'000 and found some of them to be involved in something, that does not mean that all the rest of domains are crooks. Guilty by association that what it means. Where is your new Martin Luther King? All blacks and spanish persons should be sent to prison using your logic (after all percent of thieves among them are much higher than among yuppies).

Posted by: EST supporter | September 10, 2008 12:27 AM | Report abuse

the owner of this virus/trojan mess is:

Volodimir Chashin CEO of ROVE DIGITAL OY
Phone: +37256200924
Faks: +3727337056

information is taken from EU chamber of commerce. I think they made hell of a money from it.

Posted by: badguy | September 10, 2008 2:24 AM | Report abuse

I found the solution of how to close all those virusmakers/spammers. Since most of the companies that host/register such sites are registered in the state of Delaware, we should destroy that state. Bomb it or whatever. That would be nice.

Posted by: good guy | September 10, 2008 2:34 AM | Report abuse

The boys are heading for success! Hell yeah! Whoa! Stay upbeat, boys!!

Posted by: Сява | September 10, 2008 3:29 AM | Report abuse

Stay upbeat, lads, we're staying upbeat! =)))

Posted by: VOLK | September 10, 2008 4:00 AM | Report abuse

I don't get it, so pharmacies aren't allowed now either??? You can end up on a blacklist, damn. I think that besides the crap domains, there are also competitors who got dragged in on the sly.

Posted by: VOLK | September 10, 2008 4:01 AM | Report abuse

Looks like it's getting to the point where anything more or less valuable will have to be renewed for five years or so and transferred to RU-CENTER :-/ At least there's an official contract there, so they won't just delete it.

Posted by: Александр | September 10, 2008 4:11 AM | Report abuse

Brian Krebs seems to be really great guy with tons of words about the subjects he never heard before. Nice work Brian! Lets blame the sales person for selling an axe, later used for murder.
Brian, only one question, which color of your girlfriend t-shirt with great motto "I'm with stupid"? It should be pink, I guess...

Posted by: Domains owner | September 10, 2008 4:24 AM | Report abuse

They removed the protection again. What morons these Estonians are, falling for every provocation.

Posted by: Дэн | September 10, 2008 4:40 AM | Report abuse

Hmm, not happy news.

Posted by: Ilya[Илья] | September 10, 2008 4:56 AM | Report abuse

mp3

Posted by: twepletrawn | September 10, 2008 4:56 AM | Report abuse

Hmm... they didn't have to expose this .. bastards ..
they won't let honest citizens earn a penny .. and the poor Ests are getting f#cked )))

DON'T Believe in this !!! It's all gone Uncle Sam !!!!! CIA etc ....

don't touch Small business !!!

Posted by: Abuser | September 10, 2008 8:50 AM | Report abuse

Hi all!


Bye

Posted by: ereveasty | September 11, 2008 1:50 PM | Report abuse

1234

Posted by: AppodollolO | September 11, 2008 3:10 PM | Report abuse

Well, I'll be damned, what is this crap? What do the bourgeois want from our beloved Ests? We live peacefully and work hard, bothering no one. What the fuck is this?
Go fuck yourselves, bitches

Posted by: unixaNet | September 11, 2008 4:56 PM | Report abuse

Estdomains is still allowing registration of new scam domains. Just registered Sept. 11, 2008.

http://whois.domaintools.com/dailyhomesite.com

Reported here on Sunbelt's blog.

http://sunbeltblog.blogspot.com/2008/09/scam-sites-update-ii.html

There may be more in the list from Estdomains, but I don't have time to check them all.

I would ask, too, what is Estdomains doing to stop new scam and malware sites from being registered? Surely they have an idea who their customers are that are registering these domains for malicious purposes.

Posted by: suzi | September 12, 2008 1:55 AM | Report abuse

Jerks

Posted by: ку ку | September 12, 2008 5:42 AM | Report abuse

hi download porn with site washingtonpost.com
new porn video download here!

Posted by: washingtonpost.com | September 12, 2008 5:47 AM | Report abuse

Suzi, the domains have been suspended immediately upon the receipt of your report. Thank you.

Posted by: Konstantin Poltev | September 12, 2008 9:19 AM | Report abuse

Suzi, if you block thousands domains each day during 2 week then "problem" domains don’t come anymore. Maybe just few but they also will be suspended shortly.

Posted by: Alex | September 12, 2008 1:58 PM | Report abuse

Damn, esthost is down, it's all the damn Yanks' fault

Posted by: Anonymous | September 12, 2008 2:40 PM | Report abuse

Right. Serves them right, these fucking Russians, lousy thieves!

Posted by: РУССКИЕ - ИДИТЕ НАХУЙ | September 12, 2008 7:46 PM | Report abuse

The right thing would be to piss on your brain, you dummy. The registrar has 200,000 domains; 1% junk is very low!
By the same logic, I suggest jailing keyboard sellers because jerks like the one above write all kinds of crap!
Stay upbeat, lads, don't panic!

Posted by: Прадва | September 13, 2008 3:01 AM | Report abuse

I registered domain using zonehoster.com
Paid money for it up till 2015. Never used domain at all. Registered just because of the nice name.
Zonehoster registration was suspended, so my domain was suspended as well.
Question: who is the scammer? As I see it, somebody did scam me out of my money...

Posted by: Domain owner | September 13, 2008 6:50 AM | Report abuse

Russians, suck a dick, you freaks!

Posted by: Jamie | September 13, 2008 3:13 PM | Report abuse

What, you bastards, don't feel like publishing my letter in English?
Got plenty of dirt on your own hands, do you?

Posted by: Anonymous | September 14, 2008 10:35 AM | Report abuse

Screw this!

Posted by: maximum | September 14, 2008 7:43 PM | Report abuse

Jamie: suck yourself a stupid donkey

Posted by: zer0 | September 15, 2008 9:49 AM | Report abuse

What percent of destructive domains registered in godaddy? I think that much more than at Estonians

Posted by: Hui-Vam | September 15, 2008 4:02 PM | Report abuse

The comments to this entry are closed.

 
 