It is with regret and pity that I have to inform you all that recent interactions with a Leland Vandervort of GANDI have indicated beyond doubt that GANDI are knowingly providing Spam Support services to a known ROSKO spammer (Wayne Mansfield/Clarity1)
Even after several of my volunteers pointed out spam, domain registrations and names as well as the services used, GANDI has responded with:
| Then you are obviously unfamiliar with the laws of various | countries... In a number of European countries, France included, it is | illegal to refuse customers who engage themselves on a contract which | includes conditions on behaviour and fair use. If they breach those | conditions, then we can terminate service, not before. To take | pre-emptive action based on lack of concrete evidence concerning the | service actually requested amounts to discrimination. | | I wish I could help further, but you are asking us to undertake an | action which is illegal, and therefore we are not in a position to do | so.
We followed up pointing out that in section 3 of their own domain registration terms and conditions use of the domain for illegal purposes is in breach of the GANDI contract.
They replied indicating the email (which was sent through their own servers) advertising said domain could have been altered as it was 'cut and pasted' therefore it was not sufficient as proof of spamming.
Several other responses were made exposing Wayne Mansfield/Clarity1 as the spammer, and the fact he is illegally running a business (a breach of another of GANDIs terms and conditions) indeed he is even using fake names for the registrations of other domains (known to be VERY fake.)
The final response from GANDI was that we had not provided evidence of abuse (despite providing emails with the spamvertised domain) so we can only assume that GANDI has been paid enough for this domain and hosting.
The domain in question is bsadetails.com - yet another "Business Seminars Australia" website (some of which hosted on StumpJump.net.)
SORBS is exploring moving it's domains to other Registars as we will not knowingly support companies providing support to spammers (or their fake companies and operations.)
<michelle_s-n...@sorbs.net> wrote: > It is with regret and pity that I have to inform you all that recent > interactions with a Leland Vandervort of GANDI have indicated beyond > doubt that GANDI are knowingly providing Spam Support services to a > known ROSKO spammer (Wayne Mansfield/Clarity1)
> Even after several of my volunteers pointed out spam, domain > registrations and names as well as the services used, GANDI has > responded with:
> | Then you are obviously unfamiliar with the laws of various > | countries... In a number of European countries, France included, it is > | illegal to refuse customers who engage themselves on a contract which > | includes conditions on behaviour and fair use. If they breach those > | conditions, then we can terminate service, not before. To take > | pre-emptive action based on lack of concrete evidence concerning the > | service actually requested amounts to discrimination. > | > | I wish I could help further, but you are asking us to undertake an > | action which is illegal, and therefore we are not in a position to do > | so.
Awwww dammit!
-- greylines
if you must mail me ihatespam at greylines dot net
> This situation has arisen because of our customer protection processes that are core > to our beliefs. Where a customer of ours is a spammer, then we will of course take > action. We don’t protect spammers.
> But we cannot take action against a customer until we are provided with proof that > they actually are a spammer. The requirement of proof is something
that we keep strict.
> There are many situations where complaints by one party against
another without proof
> have led to action by domain companies which is hasty
> So when you want to make a complaint about a domain or a customer of ours, please > do (abuse at gandi.net), but you will require proof. And by proof we mean original > and complete documentation showing the offense. In the case of spam, this must be > full and complete email headers, and not extracts or a sample, or a cut and paste > of something. The original headers please.
> Similarly, we cannot take action based solely on circumstantial evidence that a > given domain or individual may or may not be simply associated in some form with > another person or entity, nor on the basis of simply subjective opinion.
Of course we showed them clearly that it was Wayne Mansfield, but they insisted on our disclosing of the spamtrap information. We refused as there was no basis to disclose it to GANDI as the spam itself was not from their network.
domain: bsadetails.com reg_created: 2006-03-21 01:39:33 expires: 2011-03-21 00:39:33 created: 2007-06-22 23:58:46 changed: 2010-03-03 09:42:34 ns0: a.dns.gandi.net ns1: b.dns.gandi.net ns2: c.dns.gandi.net owner-c: nic-hdl: EB1926-GANDI owner-name: Elaine Butcher organisation: Elaine Butcher person: Elaine Butcher address: 20/40 Lord Street zipcode: 6000 city: Perth country: Australia phone: +61.892210300 fax: +61.892210355 email: 6f6cb23b6b11e4a3dd56435e13c1de16-732...@contact.gandi.net lastupdated: 2010-03-03 09:26:13 admin-c: nic-hdl: WM500-GANDI organisation: ~ person: Wayne Mansfield address: 20 / 40 Lord Street zipcode: 6004 city: East Perth country: Australia phone: +61.429823325 fax: '' email: 4a8c1d46eb52baba4ca71f530fb2f50c-732...@contact.gandi.net lastupdated: 2010-03-03 09:38:04 tech-c: nic-hdl: WM500-GANDI organisation: ~ person: Wayne Mansfield address: 20 / 40 Lord Street zipcode: 6004 city: East Perth country: Australia phone: +61.429823325 fax: '' email: 4a8c1d46eb52baba4ca71f530fb2f50c-732...@contact.gandi.net lastupdated: 2010-03-03 09:38:04 bill-c: nic-hdl: WM500-GANDI organisation: ~ person: Wayne Mansfield address: 20 / 40 Lord Street zipcode: 6004 city: East Perth country: Australia phone: +61.429823325 fax: '' email: 4a8c1d46eb52baba4ca71f530fb2f50c-732...@contact.gandi.net lastupdated: 2010-03-03 09:38:04
Seems I didn't post a follow up to my original post pointing out that "Leland Vandervort" is actually Ryan of GANDI. Why someone such as Ryan thinks he needs to hide behind an alias I guess I'll never know.
> registrar: GANDI > type: Isp Option 1 > address: 15 Place de la Nation > address: PARIS > country: FR > phone: +33 1 43 73 78 51 > fax-no: +33 1 43 73 18 51 > website: http://www.gandi.net > anonymous: NO > registered: 09/03/2004 > source: FRNIC
Proxad is the right party to contact in this case, as I believe the site is compromised, and the domain oax.fr is not under direct control of the malware authors. There's nothing (nothing sane at least) that Gandi can do here.
> Proxad is the right party to contact in this case, as I believe the > site is compromised, and the domain oax.fr is not under direct control > of the malware authors. There's nothing (nothing sane at least) that > Gandi can do here.
Agreed. Registrars are not responsible for sites compromised that are hosting malware.
If on the other hand www.aox.fr is hosting malware and is setup just to host malware/spammers then the registrar should pull the domain registration.
That said all I see is
Forbidden
You don't have permission to access / on this server.
when trying to get to http://www.oax.fr/ so anyone know if this is a legitimate domain that has been compromised or is it a bogus domain setup to host malware?
> when trying to get to http://www.oax.fr/ so anyone know if this is a > legitimate domain that has been compromised or is it a bogus domain > setup to host malware?
Given that it's relatively hard to get a .fr domain, and that 3 letter domains are in high demand, I do not think that this domain belongs to malware authors/spreaders.
Carel wrote: > Michelle Sullivan wrote: >> when trying to get to http://www.oax.fr/ so anyone know if this is a >> legitimate domain that has been compromised or is it a bogus domain >> setup to host malware?
> Given that it's relatively hard to get a .fr domain, and that 3 letter > domains are in high demand, I do not think that this domain belongs to > malware authors/spreaders.
That's what I figured, but the malware authors/distributors seem to have fairly limitless resources these day.
Michelle Sullivan wrote: > Carel wrote: >> Michelle Sullivan wrote: >>> when trying to get to http://www.oax.fr/ so anyone know if this is a >>> legitimate domain that has been compromised or is it a bogus domain >>> setup to host malware?
>> Given that it's relatively hard to get a .fr domain, and that 3 letter >> domains are in high demand, I do not think that this domain belongs to >> malware authors/spreaders.
> That's what I figured, but the malware authors/distributors seem to have > fairly limitless resources these day.
"Only people with French nationality or organizations that can be identified as being registered in France (Trademark, SIREN, Journal Officiel registration...) may register a domain name in this extension.
The administrative contact must be in France at any rate."
France != Ruskraine, never attribute to malice that which can be adequately explained by stupidity, etc.
On Onsdag 24. mars 2010 11.51, Michelle Sullivan wrote:
> Agreed. Registrars are not responsible for sites compromised that are > hosting malware.
> If on the other hand www.aox.fr is hosting malware and is setup just to > host malware/spammers then the registrar should pull the domain > registration.
> That said all I see is
> Forbidden
> You don't have permission to access / on this server.
> when trying to get to http://www.oax.fr/ so anyone know if this is a > legitimate domain that has been compromised or is it a bogus domain > setup to host malware?
Felis silvestris wrote: > On Onsdag 24. mars 2010 11.51, Michelle Sullivan wrote:
>> Agreed. Registrars are not responsible for sites compromised that are >> hosting malware.
>> If on the other hand www.aox.fr is hosting malware and is setup just to >> host malware/spammers then the registrar should pull the domain >> registration.
>> That said all I see is
>> Forbidden
>> You don't have permission to access / on this server.
Michelle Sullivan wrote: > If on the other hand www.aox.fr is hosting malware and is setup just to > host malware/spammers then the registrar should pull the domain > registration.
The website is hosted by dedibox apparently (cheap dedicated boxes provided by proxad network, one of the biggest provider in France) -- probably a r00ted machine. You may try abuse at dedibox.fr or https://console.dedibox.fr/accueil/abuse/?page=english
> Proxad is the right party to contact in this case
Proxad.net/dedibox (free.fr) is kind of ignorant though. I had a french Computer shop spammer spamming me almost daily for month, and never Proxad replied to my complaints, or took the spammer down. -- Andreas (PGP Key available on public key servers) You know you're a Redneck when 8. Your entire family sat around waiting for a call from the governor to spare a loved one.
Andreas Kohlbach wrote: > Carel wrote on 24. March 2010:
>> Proxad is the right party to contact in this case
> Proxad.net/dedibox (free.fr) is kind of ignorant though. I had a french > Computer shop spammer spamming me almost daily for month, and never Proxad > replied to my complaints, or took the spammer down.
Unfortunately there are a few problematic French ISPs. There are a few more outside of France, but that doesn't change the fact that banging on the door of someone who can't solve the problem is not the right thing to do.
On Onsdag 24. mars 2010 13.51, Xavier Roche wrote:
> Michelle Sullivan wrote: >> If on the other hand www.aox.fr is hosting malware and is setup just to >> host malware/spammers then the registrar should pull the domain >> registration.
> The website is hosted by dedibox apparently (cheap dedicated boxes > provided by proxad network, one of the biggest provider in France) -- > probably a r00ted machine. You may try abuse at dedibox.fr or > https://console.dedibox.fr/accueil/abuse/?page=english
I got an e-mail from gandi, cc'ed to free.fr saying that they were investigating. Looks like they took action, too. Well done, that desk.
