NinerNet Communications™
Blog

Corporate Blog

Warning about sexual blackmail/extortion scam emails

13 April 2021 09:32:21 +0000

We have, in the past, warned of sexual extortion and blackmail emails. These reared their ugly heads in 2018, and have continued to circulate in various forms since. I have received them myself, and they are unnerving.

Today we warn you again, but with added urgency because we know of someone who has fallen for this scam. This is not unusual, because people fall prey to these scammers every day, but it is even more saddening when it’s someone you know.

Here is the email they fell for:

From: KJi
Sent: April 05, 2021 1:23 AM
To: Recipients
Subject: Evidences Against You

Hello,

It’s so shameful how people can’t be satisfied with their marriages.

We know you are cheating on your spouse and this has been backed-up with
evidences from your hacked mobile device for your fyi.

Just a little favor from you to me can go along way in esnuring things don’t
get bitter with your spouse finding out.

Kindly send an equivalent of 1200$ worth of bitcoin to this wallet
:bc1qt9fx8fz2fydy0q5h0ruvd30a7ujqxmx80hn3tn

Trust me, this is very little compared to what will happen if you don’t
cooporate with us and i believe you love your family no matter what.

In 48hrs time,if we don’t receive this token of 1200$ worth of btc from you,
you will receive pictures and screenshots via email and same will be sent to
your spouse as well.

Your time start counting now and note that any attempt to file a complaint
will not result to nohing as this e-mail cannot be traced and same as my
bitcoin id.

If, by any chance I find out that you have shared this message with anyone
else, I will make things go viral immediately

Rdgs,

KJ

Note all the spelling, grammatical and punctuation errors.

There is no way for this person to get their money back, as there is no way to find the scammer. And it is a scam; the sender does not have any “evidences”. It’s a shot in the dark, and the chances of their mass email finding someone who really is being unfaithful in their marriage — and is feeling guilty and doesn’t want to be outed — are actually pretty good!

Please take this warning seriously, and don’t be fooled by these emails. They are just scams. We strongly suggest that you circulate this information to your colleagues, co-workers, employees, family and friends. Knowledge is power against the scammers.

Compendium of scam emails

13 April 2021 09:26:41 +0000

Scam and “phishing” emails arrive daily by the truck load. We can’t send a warning every time we ourselves get a scam or phishing email. If we did, our own emails would become just noise in the background.

However, we present here eighteen screenshots of scam, spam and phishing emails that we have received or seen over the last four years. If you’re not sure what one of these emails looks like, we encourage you to look these over. The approaches vary, but here are some common factors:

  • They advise you that your email account is over quota, and you must take some immediate action to prevent catastrophe — i.e., the loss of all your email.
  • Your email account is being closed or upgraded.
  • The webmail for your account is being upgraded, and you have to take action.
  • Your domain is being cancelled or will expire within a few hours or a couple of days.
  • Payment for the renewal of your domain is overdue.
  • Wordy expiration notices that are unclear about what exactly is expiring and how it could theoretically affect you.
  • Domain SEO (search engine optimisation) notices made up to look like invoices for domain renewal.
  • Emails with links that disguise the true destination to which you are clicking. Always check the status bar in your email program or app — before you click, while hovering your mouse pointer over the link — to determine whether or not your browser will really be going to a domain you recognise — e.g., niner.net if you are a NinerNet Communications client.
  • Emails that try to sound like they come from your own company’s IT department, complete with copyright notices.
  • “Final” renewal notices that are a surprise.
  • Fine print at the end of the email that makes ludicrous statements that contradict the meat of the email, such as, “We do not directly register or renew domain names” or “THIS IS NOT A BILL” (in an email that looks like it’s a bill to renew your domain); “We have clearly mentioned the source mail-id of this email, also clearly mentioned our subject lines and they are in no way misleading” (in an email that tries to mislead you into paying what looks like an invoice).
  • Urgent server warnings, that aren’t urgent server warnings at all.

NinerNet Communications is judicious about how many emails we send out, and how often we do. We’re also careful to ensure that we use proper spelling and grammar. Our emails do not contain copyright notices and pages of meaningless legal notices. (Maybe they should, but currently they don’t. We’re real people who tend to believe that our clients are also real people with brains.) With that in mind, here is a non-exhaustive list of things you should look for to determine if an email you’ve received really is from NinerNet and if it’s legitimate:

  • Is it from an email address on the niner.net domain? (Configure your email program or app to show you the sender’s actual email address, not just their name.) If it’s not, it’s not from us and you can probably ignore it if it claims to be about your hosting or domain.
  • Does it try to scare you or make you angry, such that you might take immediate action? If it does, it’s definitely not from us.
  • Is it in HTML or “rich text”, with different colours and types of fonts, and does it contain images or things that look like buttons (especially that say “secure online payment”)? It’s very likely not from us.
  • Are there copyright notices in the email? Definitely not from us.
  • Does it flatter you with words such as “esteemed” or “valued”? Not from us. (You are esteemed and valued, for sure; we just don’t lay it on thick with you!)
  • Does the email address you by the name in your email address? For example, if your email address is accounts@example.com, does it address you as “accounts” as if that was your name? Not from us.
  • Does it ask for personal information or ask you to update or confirm personal information? Very likely not from us unless you’re a brand new client.
  • Look very carefully at the sender’s address. Does the font on your email program make some letters look like others? For example, if the sender looks like bob@example.com, are you sure his domain isn’t exarnple.com? With some fonts the “r” and the “n” together look like the “m” in “example”.

Of course, the above checklist can be applied to any email you receive, including emails that purport to be from your bank.

Attachments: Don’t open attachments from unknown senders or that you are not expecting, even from known senders. Also make sure you have anti-virus software installed.

Our automated notices telling you that your mail box is full, or close to it, are extremely brief and do not try to scare you or offer you links to “free upgrades” or anything like that.

If you click on a link in an email and enter information on a form — especially a password — and then realise that it’s a scam/phishing, immediately change that password. You should also contact NinerNet, or whoever that account is with, to inform them what has happened.

Finally, when we do send you an email to advise you of something that applies to all (or most) clients — such as server moves, upgrades, etc. — we include a link to our blog (blog.niner.net) so that you can confirm that information.

Below, then, are the eighteen screenshots of scam, spam and phishing emails. The first is particularly noteworthy, as it is a sexual blackmail/extortion scam that seeks payment via Bitcoin. It and similar emails will be the subject of our next blog post.

If you have any questions, please contact NinerNet support. Thank-you.

Sexual blackmail bitcoin email scam.


Scammers never sleep

31 December 2018 10:02:41 +0000

If you thought you could get a break from scammers over Christmas, think again. This one landed in our in box on Christmas day, as is clear from the date the countdown starts!

From: greatroadnorth.com is about to expire. <no-replay@renewal-service.info>
Reply-to: “greatroadnorth.com is about to expire.” <no-replay@renewal-service.info>
Subject: Domain Administrator
Date: Tue, 25 Dec 2018 17:52:19 +0000
Return-path: <01020167e67ef75e-d5d2ee16-fd2f-457e-9a8d-00dba3dc6492-000000@eu-west-1.amazonses.com>
X-spam-score: 2.125

Tucows Domains Inc.
====================
IMPORTANT NOTIFICATION
====================
greatroadnorth.com
Date: 2018-12-25

Dear Domain Administrator,

The Domain SEO-listing shown below are set for renewal and need to be processed in the next 48 hours.

No need to worry, please go to this link and follow the instructions:
renewal-service.info/greatroadnorth.com

Your product details are listed below:
====================

Product Name:
SEO-Renewal for greatroadnorth.com
Expire Time:
48 hours from 2018-12-25
Renewal cost per annum:
$69.00

====================
Amount due: $69.00

PAYMENT INFORMATION
Information on how to renew your domain can be found here:
renewal-service.info/greatroadnorth.com

This offer is only valid for 48 hours as a courtesy to let you know that your domain is expiring soon and this search engine optimization offer will expire.
Should your domain name expire, there is going to be a signifcant drop
in search engine services for your website, email and any other associated services.
This domain seo registration for greatroadnorth.com limited time offer will end in 48 hours from 2018-12-25.

Thank you!

Sincerely,
Renewal department

====================

Note:
You received this message because you elected to receive notification offers. Should you no longer wish to receive our offers, please unsubscribe here. If you have multiple accounts with us, you must opt out for each one individually.

Some characteristics of this spam/scam:

  • Your name (available from the WHOIS) will be in the subject, along with a flag emoji to draw attention to the email.
  • The name of your legitimate domain registrar (also available from the WHOIS) will be at the top of the email, even though they did not send the email.
  • There is the usual very close deadline (48 hours), after which the world will end for you and your domain.
  • The plain-looking links in the email mask tracking links to the domain wizz.netvalue.io.
  • The scammer makes the unusual claim that not sending them money will cause “a signifcant [sic] drop in search engine services for your … email”. This, of course, is absolutely false, as your email traffic is not tied directly to search engine traffic anyway.
  • Sent through the best and biggest “bulletproof” spam hosting service in the world: Amazon.
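The masked links described above, and in the earlier advice to check the status bar before clicking, can be found mechanically by comparing the domain a link displays with the host its href really points to. This is an added example, not code from the original post; the HTML is constructed (the email's real markup is not reproduced on this page) and the tracking paths are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A domain-looking token in the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None means "not inside an anchor"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(a, b):
    """True if one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def masked_links(html):
    """Return (domain shown to the reader, host actually linked) for every
    link whose visible text names a different domain than its href."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        host = (urlsplit(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text)
        if not host or not shown:
            continue  # nothing to compare (e.g. "unsubscribe here")
        shown_domain = shown.group(1).lower()
        if not same_site(host, shown_domain):
            findings.append((shown_domain, host))
    return findings


# Constructed HTML using the domains named in this post; the paths on
# wizz.netvalue.io are placeholders, not real tracking links.
SAMPLE_HTML = """
<p>No need to worry, please go to this link and follow the instructions:<br>
<a href="https://wizz.netvalue.io/PLACEHOLDER-1">renewal-service.info/greatroadnorth.com</a></p>
<p>Confirm on <a href="https://blog.niner.net/">blog.niner.net</a></p>
<p>Please <a href="https://wizz.netvalue.io/PLACEHOLDER-2">unsubscribe here</a>.</p>
"""

if __name__ == "__main__":
    for shown, actual in masked_links(SAMPLE_HTML):
        print(f"text shows {shown} but link goes to {actual}")
```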

Given that most gTLD registrars (including the ones we use) have not published WHOIS information since May 2018, these scams are being sent to old, out-of-date mailing lists compiled before publishing stopped. (For example, the domain that is the subject of this email no longer exists.) Changing the contact email address on your domain and shutting down the old address is something you should consider doing.

Extortion scam email

24 July 2018 04:57:43 +0000

We have had a particularly nasty extortion email brought to our attention by two different clients in the last four days. Some research reveals that it has been around since at least late last year, but variants of extortion emails are almost as old as email itself. However, the personal nature of the current incarnation of these emails is alarming to those who receive it, even those with a clear conscience.

Unfortunately, as with most (if not all) scams, the scammers have been successful. In this case, because they demand payment of their ransom in Bitcoin, and the Bitcoin system allows public tracking of all transactions (just not the identities of the senders and receivers), researchers have been able to see that the Bitcoin addresses used in these scam emails have indeed received payments. A quick glance shows payments reaching into six figures (in US dollars) for some Bitcoin addresses (like bank account numbers, but not subject to the same scrutiny as happens when you open a bank account), and since it seems that few (if any) Bitcoin addresses have been used twice (although they are probably controlled by a small number of criminals), you can multiply that many times over.

One of the key features of the current round of emails that seem to have cropped up in the last week is the inclusion of a password that you may have used at some point in the past, both in the subject and the body of the email, to get your attention. This adds plausibility to the extortion attempt. However, keep in mind that huge databases of personal information are being breached by hackers all the time. The well-known tracking website “Have I Been Pwned” includes over five billion breached accounts (and growing) in its database. They compile their database from the raw data released by hackers after they penetrate the systems of the likes of LinkedIn, MySpace, Adobe, Ashley Madison and many others, so those databases are out there and will be forever. If a website or company you use was hacked and your password was stored by them in an unencrypted form, then there are databases out there that contain enough information to put together your email address and a password you have used, and possibly your name, address and phone number too. (Some people have received these extortion attempts via postal mail.) Do an old-fashioned mail merge and voila, you have an email message that could scare you into parting with anywhere from hundreds to tens of thousands of dollars in a vain attempt to keep a secret that a scammer made up in his or her own imagination.

As with all spam and scam emails, these are best ignored. They are just mass produced by the millions and fired out at the Internet shotgun-style.

Some have commented in the links we provide below that they have contacted the police about these emails (or letters) and received the cold shoulder. This is unsurprising. One of the benefits of computers is also one of their downsides; the fact that you can send an hilarious cat video to a few thousand of your closest friends is the same technology that allows scammers to multiply their own efforts considerably and with very little effort or expense. Your national police force probably already has this in their in tray, and when combined with other law-enforcement efforts it will probably rise to the top one day when they pull Guido over for speeding and realise that he is the mastermind behind all of this. Case closed.

There are many “top ten things you should do to remain safe on the Internet” lists out there. None will cover it all in only ten items, but here are some things for you to consider in the vein of the contents of these emails that we have reproduced below:

  • Don’t reuse passwords. If you consistently use the same email address and password for different websites, then when one of them is breached, all of your accounts are breached. Use a different password for every single website. It’s not that hard. Use a password manager like KeePass to generate and track random, complicated passwords that you will never remember and never need to remember.
  • Cover your webcam lens with an opaque cover when it is not in use. Some webcams include such a cover you can flip over the lens. If yours doesn’t, you can get a sticky cover that you can easily remove and reapply that doesn’t leave residue on the lens. We buy ours from the Electronic Frontier Foundation, but you can get generic ones or small metal covers you can install that you then slide to cover the lens (do a Web search for “webcam cover”), or you could use a sticky note or even a plaster / adhesive bandage.
  • Tell your friends and family. Friends don’t let friends pay bogus ransoms for bogus extortion attempts. Send them a link to this post at blog.niner.net/2018/07/24/extortion-scam-email

If you have any questions or concerns about this, please contact us and we will be happy to answer your questions. Thanks for your time.

Links to external websites with additional information documenting this scam

The two emails brought to our attention are below. The wording is not identical, but the style and substance are the same and they seem to be written by the same person. In these emails we have masked our clients’ names, email addresses and passwords, of course.

Email 1

———- Forwarded message ———
From: Juliana Bradford <ydewillyfx@outlook.com>
Date: Mon, 23 Jul 2018 at 19:46
Subject: CLIENT NAME – PASSWORD
To: CLIENT EMAIL ADDRESS

I am well aware PASSWORD one of your passphrase. Lets get right to point. There is no one who has compensated me to investigate you. You do not know me and you’re most likely wondering why you’re getting this e-mail?

In fact, I actually setup a malware on the X streaming (pornography) web-site and do you know what, you visited this web site to experience fun (you know what I mean). While you were viewing videos, your internet browser began functioning as a Remote control Desktop that has a key logger which provided me accessibility to your screen and web camera. Right after that, my software collected all your contacts from your Messenger, social networks, as well as e-mailaccount. After that I created a video. First part displays the video you were viewing (you have a nice taste haha), and 2nd part displays the view of your cam, yea it is you.

You get two alternatives. Shall we read each of these choices in particulars:

First choice is to disregard this email message. In this scenario, I am going to send out your very own recorded material to every single one of your contacts and also just think concerning the awkwardness you will see. And consequently if you happen to be in an important relationship, just how it will eventually affect?

2nd alternative is to pay me $7000. Lets refer to it as a donation. Consequently, I most certainly will without delay discard your video recording. You could go on your daily life like this never occurred and you surely will never hear back again from me.

You will make the payment by Bitcoin (if you don’t know this, search for “how to buy bitcoin” in Google).

BTC Address to send to: 18sPsLXYDqKZnZ6Mb5xbYS168QFPYrQC75
[case sensitive, copy & paste it]

Should you are planning on going to the law enforcement, well, this mail can not be traced back to me. I have covered my actions. I am just not looking to ask you for money a whole lot, I simply want to be paid. I’ve a special pixel within this mail, and right now I know that you have read this message. You have one day to make the payment. If I do not receive the BitCoins, I will certainly send your video recording to all of your contacts including friends and family, co-workers, and many others. Nevertheless, if I do get paid, I will destroy the video right away. If you need proof, reply with Yea then I will certainly send out your video recording to your 7 friends. It’s a nonnegotiable offer and so please don’t waste my personal time & yours by responding to this message.

Email 2

——– Forwarded Message ——–
Subject: RE: CLIENT NAME – PASSWORD
Date: Thu, 19 Jul 2018 05:03:35 +0000
From: Antonio Simmons <jrcsxeugeniouks@outlook.com>
To: CLIENT EMAIL ADDRESS

I will directly come to the point. I do know PASSWORD is your pass word. More to the point, I am aware about your secret and I’ve evidence of your secret. You do not know me personally and nobody paid me to look into you.

It’s just your bad luck that I came across your bad deeds. Well, I placed a malware on the adult video clips (porno) and you visited this site to have fun (you know what I mean). While you were busy watching videos, your internet browser initiated operating as a Rdp (Remote desktop) that has a key logger which gave me access to your display screen as well as web camera. Right after that, my software program gathered your entire contacts from messenger, facebook, and mailbox.

Next, I put in more hours than I probably should’ve looking into your life and made a two view video. 1st part shows the video you were watching and second part shows the view from your web camera (its you doing dirty things).

Honestly, I am ready to forget all information about you and let you continue with your daily life. And I am going to present you 2 options that will make it happen. Those two option is with the idea to ignore this letter, or simply pay me $ 2900. Let’s explore these 2 options in more detail.

Option One is to ignore this email message. Let us see what is going to happen if you opt this option. I will certainly send your video to your entire contacts including family members, co-workers, and so forth. It does not shield you from the humiliation your self will face when family and friends discover your dirty details from me.

Option 2 is to send me $ 2900. We will call it my “privacy tip”. Now lets see what will happen if you choose this option. Your secret remains your secret. I’ll erase the recording immediately. You go on with your routine life that none of this ever occurred.

At this point you may be thinking, “I will complain to the police”. Let me tell you, I have covered my steps in order that this e mail cannot be linked to me plus it won’t prevent the evidence from destroying your lifetime. I’m not seeking to steal all your savings. I just want to get compensated for the time I placed into investigating you. Let’s assume you decide to produce all of this vanish entirely and pay me my confidentiality fee. You will make the payment via Bitcoin (if you don’t know how, type “how to buy bitcoins” on google search)

Amount to be paid: $ 2900
Bitcoin Address to Send to: 1GQK1MNV5N7B9pV8L63W7nGfChJkKp7ymq
(It is CASE sensitive, so you should copy and paste it carefully)

Tell nobody what you should use the bitcoin for or they may not provide it to you. The method to get bitcoin will take a short time so do not delay.
I’ve a specific pixel within this email message, and now I know that you’ve read this e mail. You have 24 hours to make the payment. If I don’t get the BitCoin, I will definately send out your video to your contacts including close relatives, colleagues, and many others. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll destroy the video and all other proofs immediately. It’s a non negotiable offer, thus do not waste my personal time & yours. Your time is running out.

Reminder of domain renewal scams

12 February 2017 02:22:14 +0000

The scammers trying to separate you from your money never sleep and we’ve been meaning to send a reminder about that for a while now. We’re prompted today by a couple of things: the first being a client who recently mistook one of these scams for a legitimate notice from NinerNet, and the second the receipt of four emails to us that arrived in quick succession in the span of 22 minutes this morning from the same scammers.

What these scams have in common is that they’re sent to the email address you use in your domain registration, and masquerade as domain renewal notices. The management of the WHOIS system — the database of domains and their owners — is a bone of contention among many, and after more than three decades ICANN has still not figured out how to make the WHOIS system useful for legitimate purposes while protecting domain owners from scams like these. We make five suggestions in the “Lessons to be learned” section of a rather long and detailed post from last year if you’re annoyed at the amount of spam you receive. One of those suggestions is not private domain registration, despite the fact that we can make money on that service.

The two particularly active scams that you should be aware of are these two:

You’ll note that the latter dates back to at least 2015. If the scam wasn’t working, they’d stop. Don’t be scammed!

If you have any questions or concerns, please let us know. Thanks.

Another domain SEO scam

12 February 2017 01:34:28 +0000

SEO scam screenshot.

Yet another SEO scam posing as a domain registration renewal notice has been making the rounds. At first we thought it was the same as one we have posted about before — just with a new look — but we’ve received the old one recently too, so it’s not.

As always, anything you receive about your domain that is not from NinerNet Communications is almost certainly a scam, unless you have very recently initiated the purchase of a product or service connected to your domain at the time you receive the email. If you’re not sure, please forward it to us and we’ll be happy to help you determine its validity.

Please click on the thumbnail to see the scam email full size.

Zambian domains update

27 December 2016 03:17:55 +0000

To update our earlier post, ZICTA finally contacted us on the afternoon of the 12th. Again — unbelievably — we had to explain basic networking concepts to them to help them understand why our client’s domain was not working.

However, they also explained or blamed part of the problem on Zamnet for not deleting the domain from their nameservers after they had hosted it previously. Zamnet are entrusted by ZICTA with the stability and security of two of the four nameservers that run the dot-zm ccTLD, and yet they apparently can’t perform basic nameserver maintenance. This is shocking to say the least.

Our client’s domain was finally back online again and stable and functioning properly by the 13th (after we contacted ZICTA on the 10th) … but for how long? It is only a matter of time before either our client’s dot-zm domain or another dot-zm domain goes down, again caused by mismanagement by ZICTA or one of the organisations they contract to provide name service.

Don’t register dot-zm domains. Seriously.

Zambian domains (.zm) are broken, don’t register them

12 December 2016 08:53:45 +0000

A little over a year ago we detailed the laborious process by which we managed to bypass an incompetent dot-zm domain registrar — Realtime Technologies Ltd. / Hai Alive Telecommunications — to speak directly to ZICTA (the Zambia Information & Communications Technology Authority) about a problem caused by ZICTA and misdiagnosed by Realtime/HAI.

You may or may not believe this, but the exact same thing is happening again, but with a different dot-zm domain registered through Realtime/HAI.

We contacted ZICTA and Zambia CIRT, through the same channels we used last time, early on the morning of Saturday 10 December. Over forty-eight hours later we still have not received an acknowledgement of our email, and the problem persists.

With the domain redacted to protect our client’s privacy, the evidence that is much the same as for the problem last year is presented below. What is particularly interesting about the information reported by one of the dot-zm nameservers (hippo.ru.ac.za) is that it is still reporting the pch.nic.zm and ns1.coppernet.zm nameservers as being authoritative for the dot-zm ccTLD. (See the IANA website for the nameservers for the dot-zm ccTLD.) The former was the problem nameserver last year, and was apparently promptly decommissioned after our report. However, I see that it is now back online at a new location. Ironically, this time it is actually reporting the correct DNS information for this domain. The latter belongs to the now-defunct Coppernet; although there is still an A record pointing ns1.coppernet.zm to 41.222.240.15, that nameserver simply does not respond at all.

We’ll post further updates when (or if) this problem is resolved. However, we really cannot emphasise strongly enough that you should not register dot-zm domains, and if you have one, you should transition away from it as soon as possible.
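The comparison we did by eye on the dig output below can be scripted: parse each server's response and compare the NS records it gives for the domain with the delegation recorded in the WHOIS. This is an added example, not a tool we used at the time; the responses are abridged copies of the session reproduced below, and the verdict names are our own labels.

```python
import re

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);")
SECTION_RE = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:")


def parse_dig(text):
    """Return (header flags, [(owner, ns_target), ...]) from dig output.
    Only NS records in the ANSWER and AUTHORITY sections are kept."""
    flags, records, section = set(), [], None
    for line in text.splitlines():
        line = line.strip()
        flag_match = FLAGS_RE.match(line)
        section_match = SECTION_RE.match(line)
        if flag_match:
            flags = set(flag_match.group(1).split())
        elif section_match:
            section = section_match.group(1)
        elif not line:
            section = None              # a blank line ends a section
        elif not line.startswith(";") and section in ("ANSWER", "AUTHORITY"):
            fields = line.split()       # owner ttl class type rdata
            if len(fields) == 5 and fields[3] == "NS":
                records.append((fields[0].rstrip(".").lower(),
                                fields[4].rstrip(".").lower()))
    return flags, records


def classify(domain, expected_ns, text):
    """Return (verdict, nameservers reported) for one server's response."""
    flags, records = parse_dig(text)
    own = sorted({target for owner, target in records if owner == domain})
    if own:
        if set(own) == set(expected_ns):
            return "ok", own
        # An authoritative answer ("aa") with other nameservers means the
        # server still holds its own copy of the zone.
        if "aa" in flags:
            return "stale-authoritative-zone", own
        return "wrong-delegation", own
    parents = {owner for owner, _ in records if domain.endswith("." + owner)}
    if parents:
        zone = max(parents, key=len)    # closest enclosing zone
        targets = sorted(t for o, t in records if o == zone)
        return "referral-to-" + zone, targets
    return "no-ns-data", []


def audit(domain, expected_ns, session):
    """Classify every response in a {server: dig output} mapping."""
    return {server: classify(domain, expected_ns, text)
            for server, text in session.items()}


DOMAIN = "zxxx.org.zm"                            # redacted name used on this page
REGISTRY_NS = {"ns1.niner.net", "ns2.niner.net"}  # from the WHOIS record

# Abridged from the dig session on this page (flags line and NS records only).
SESSION = {
    "ns1.niner.net": """;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
        ;; ANSWER SECTION:
        zxxx.org.zm. 300 IN NS ns1.niner.net.
        zxxx.org.zm. 300 IN NS ns2.niner.net.""",
    "hippo.ru.ac.za": """;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 4
        ;; AUTHORITY SECTION:
        org.zm. 86400 IN NS ns2.zamnet.zm.
        org.zm. 86400 IN NS pch.nic.zm.
        org.zm. 86400 IN NS ns1.coppernet.zm.
        org.zm. 86400 IN NS ns-zm.afrinic.net.
        org.zm. 86400 IN NS ns1.zamnet.zm.""",
    "ns1.zamnet.zm": """;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
        ;; AUTHORITY SECTION:
        zxxx.org.zm. 86400 IN NS ns1.niner.net.
        zxxx.org.zm. 86400 IN NS ns2.niner.net.""",
    "ns2.zamnet.zm": """;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
        ;; ANSWER SECTION:
        zxxx.org.zm. 604800 IN NS ns2.zamnet.zm.
        zxxx.org.zm. 604800 IN NS ns5.zamnet.zm.""",
}

if __name__ == "__main__":
    for server, (verdict, ns) in audit(DOMAIN, REGISTRY_NS, SESSION).items():
        print(f"{server:16} {verdict:26} {', '.join(ns)}")
```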


Update, 2016-12-27: Posted an update.


[00:00:05 leftseat@wrathall ~]$ whois zxxx.org.zm
Domain Name: zxxx.org.zm
Domain ID: 11559-zicta
WHOIS Server: whois.nic.zm
Referral URL:
Updated Date: 2016-11-29T11:40:45.292Z
Creation Date: 2015-05-12T09:27:15.528Z
Registry Expiry Date: 2017-05-12T09:27:15.611Z
Sponsoring Registrar: Realtime (Z)
Sponsoring Registrar IANA ID:
Domain Status: ok
Registrant Name: REDACTED
Registrant Organization: REDACTED
Registrant Street: lusaka
Registrant City: lusaka
Registrant State/Province: lusaka
Registrant Postal Code: 10101
Registrant Country: ZM
Registrant Phone: +260.REDACTED
Registrant Phone Ext:
Registrant Email: REDACTED
Name Server: ns1.niner.net
Name Server: ns2.niner.net
DNSSEC: unsigned
Additional Section
Sponsoring Registrar URL:
Sponsoring Registrar Country: ZM
Sponsoring Registrar Phone:
Sponsoring Registrar Fax:
Sponsoring Registrar Customer Service Contact:
Sponsoring Registrar Customer Service Email:
Sponsoring Registrar Admin Contact:
Sponsoring Registrar Admin Email:
>>> Last update of WHOIS database: 2016-12-12T07:31:46.321Z <<<

TERMS OF USE: You are not authorized to access or query our WHOIS database through the use of electronic processes that are high-volume and automated.  THis WHOIS database is provided by as a service to the internet community.

The data is for information purposes only. We do not guarantee its accuracy. By submitting a WHOIS query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes. The compilation, repackaging, dissemination or other use of this Data is expressly prohibited.
[00:00:14 leftseat@wrathall ~]$ dig zxxx.org.zm ns

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51871
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; ANSWER SECTION:
zxxx.org.zm.		300	IN	NS	ns1.niner.net.
zxxx.org.zm.		300	IN	NS	ns2.niner.net.

;; Query time: 4627 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:00:28 PST 2016
;; MSG SIZE  rcvd: 85

[00:00:28 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns1.niner.net

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns1.niner.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34521
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; ANSWER SECTION:
zxxx.org.zm.		300	IN	NS	ns1.niner.net.
zxxx.org.zm.		300	IN	NS	ns2.niner.net.

;; ADDITIONAL SECTION:
ns1.niner.net.		300	IN	A	65.61.166.128
ns2.niner.net.		300	IN	A	65.61.166.129

;; Query time: 97 msec
;; SERVER: 65.61.166.128#53(65.61.166.128)
;; WHEN: Mon Dec 12 00:00:36 PST 2016
;; MSG SIZE  rcvd: 117

[00:00:36 leftseat@wrathall ~]$ dig zxxx.org.zm ns @hippo.ru.ac.za

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @hippo.ru.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51448
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
org.zm.			86400	IN	NS	ns2.zamnet.zm.
org.zm.			86400	IN	NS	pch.nic.zm.
org.zm.			86400	IN	NS	ns1.coppernet.zm.
org.zm.			86400	IN	NS	ns-zm.afrinic.net.
org.zm.			86400	IN	NS	ns1.zamnet.zm.

;; ADDITIONAL SECTION:
ns1.zamnet.zm.		86400	IN	A	196.46.192.26
ns1.coppernet.zm.	86400	IN	A	41.222.240.15
ns2.zamnet.zm.		86400	IN	A	196.46.192.21

;; Query time: 347 msec
;; SERVER: 146.231.128.1#53(146.231.128.1)
;; WHEN: Mon Dec 12 00:03:14 PST 2016
;; MSG SIZE  rcvd: 212

[00:03:14 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns1.zamnet.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns1.zamnet.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5881
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
zxxx.org.zm.		86400	IN	NS	ns1.niner.net.
zxxx.org.zm.		86400	IN	NS	ns2.niner.net.

;; Query time: 330 msec
;; SERVER: 196.46.192.26#53(196.46.192.26)
;; WHEN: Mon Dec 12 00:03:35 PST 2016
;; MSG SIZE  rcvd: 85

[00:03:35 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns2.zamnet.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns2.zamnet.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27780
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; ANSWER SECTION:
zxxx.org.zm.		604800	IN	NS	ns2.zamnet.zm.
zxxx.org.zm.		604800	IN	NS	ns5.zamnet.zm.

;; Query time: 337 msec
;; SERVER: 196.46.192.21#53(196.46.192.21)
;; WHEN: Mon Dec 12 00:03:42 PST 2016
;; MSG SIZE  rcvd: 83

[00:03:42 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns-zm.afrinic.net

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns-zm.afrinic.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43162
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
zxxx.org.zm.		86400	IN	NS	ns1.niner.net.
zxxx.org.zm.		86400	IN	NS	ns2.niner.net.

;; Query time: 324 msec
;; SERVER: 196.216.168.44#53(196.216.168.44)
;; WHEN: Mon Dec 12 00:03:53 PST 2016
;; MSG SIZE  rcvd: 85

[00:03:53 leftseat@wrathall ~]$ dig pch.nic.zm any

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> pch.nic.zm any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pch.nic.zm.			IN	ANY

;; ANSWER SECTION:
pch.nic.zm.		81758	IN	A	204.61.216.73

;; Query time: 10 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:16:20 PST 2016
;; MSG SIZE  rcvd: 55

[00:16:20 leftseat@wrathall ~]$ whois 204.61.216.73

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=204.61.216.73?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       204.61.208.0 - 204.61.217.255
CIDR:           204.61.216.0/23, 204.61.208.0/21
NetName:        WOODYNET-204-61-208-0-21
NetHandle:      NET-204-61-208-0-1
Parent:         NET204 (NET-204-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   WoodyNet (WOODYN)
RegDate:        1995-01-26
Updated:        2012-03-02
Ref:            https://whois.arin.net/rest/net/NET-204-61-208-0-1

OrgName:        WoodyNet
OrgId:          WOODYN
Address:        2351 Virginia St
City:           Berkeley
StateProv:      CA
PostalCode:     94709-1315
Country:        US
RegDate:        2001-05-16
Updated:        2013-04-02
Ref:            https://whois.arin.net/rest/org/WOODYN

OrgAbuseHandle: BW1324-ARIN
OrgAbuseName:   Woodcock, Bill
OrgAbusePhone:  +1-415-831-3103
OrgAbuseEmail:  woody_AT_pch.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/BW1324-ARIN

OrgTechHandle: BW1324-ARIN
OrgTechName:   Woodcock, Bill
OrgTechPhone:  +1-415-831-3103
OrgTechEmail:  woody_AT_pch.net
OrgTechRef:    https://whois.arin.net/rest/poc/BW1324-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

[00:16:32 leftseat@wrathall ~]$ dig -x 204.61.216.73

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> -x 204.61.216.73
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46703
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;73.216.61.204.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
73.216.61.204.in-addr.arpa. 900	IN	PTR	pch.nic.zm.

;; Query time: 1670 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:16:44 PST 2016
;; MSG SIZE  rcvd: 79

[00:16:44 leftseat@wrathall ~]$ dig zxxx.org.zm ns @pch.nic.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @pch.nic.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10234
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
zxxx.org.zm.		86400	IN	NS	ns2.niner.net.
zxxx.org.zm.		86400	IN	NS	ns1.niner.net.

;; Query time: 11 msec
;; SERVER: 204.61.216.73#53(204.61.216.73)
;; WHEN: Mon Dec 12 00:17:20 PST 2016
;; MSG SIZE  rcvd: 85

[00:17:20 leftseat@wrathall ~]$ dig ns1.coppernet.zm any

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> ns1.coppernet.zm any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4953
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;ns1.coppernet.zm.		IN	ANY

;; ANSWER SECTION:
ns1.coppernet.zm.	86375	IN	A	41.222.240.15

;; Query time: 11 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:36:07 PST 2016
;; MSG SIZE  rcvd: 61

[00:36:07 leftseat@wrathall ~]$ whois 41.222.240.15
% This is the AfriNIC Whois server.

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '41.222.240.0 - 41.222.241.255'

% No abuse contact registered for 41.222.240.0 - 41.222.241.255

inetnum:        41.222.240.0 - 41.222.241.255
netname:        CUNET-LSK-01
descr:          Allocation to CopperNET Solutions, an ISP in Zambia.
country:        ZM
admin-c:        KWC1-AFRINIC
tech-c:         KWC1-AFRINIC
status:         ASSIGNED PA
remarks:        Please send abuse notification to abuse@coppernet.zm
mnt-by:         COPSOL-MNT
source:         AFRINIC # Filtered
parent:         41.222.240.0 - 41.222.243.255

person:         Kasopa W Chisanga
address:        Silicon House, Kantanta Street
address:        P.O Box 22149, Kitwe
address:        ZM
phone:          +260-212-245011
phone:          +260-212-245200
phone:          +260-212-245222
nic-hdl:        KWC1-AFRINIC
remarks:        CopperNET Solutions.
source:         AFRINIC # Filtered

[00:36:20 leftseat@wrathall ~]$ dig -x 41.222.240.15

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> -x 41.222.240.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;15.240.222.41.in-addr.arpa.	IN	PTR

;; Query time: 1916 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:36:30 PST 2016
;; MSG SIZE  rcvd: 55

[00:36:30 leftseat@wrathall ~]$ traceroute 41.222.240.15
traceroute to 41.222.240.15 (41.222.240.15), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.372 ms  0.780 ms  0.781 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
[00:37:15 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns1.coppernet.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns1.coppernet.zm
;; global options: +cmd
;; connection timed out; no servers could be reached
[00:38:21 leftseat@wrathall ~]$
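
The transcript above asks each of the five org.zm name servers in turn for the NS records of zxxx.org.zm. As an added example (not part of the original post), the following Python script parses abridged copies of those dig outputs and reports which parent servers disagree with the majority delegation, which answer authoritatively themselves instead of referring, and which could not be reached. The function names and the abridged sample strings are assumptions made for this example.

```python
import re
from collections import defaultdict

ZONE = "zxxx.org.zm."

# Abridged from the transcript above: the flags line and NS records (or the
# timeout message) that each org.zm name server returned for the zone.
NINER = "zxxx.org.zm. 86400 IN NS ns1.niner.net.\nzxxx.org.zm. 86400 IN NS ns2.niner.net.\n"
REFERRAL = ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1\n" + NINER
SAMPLES = {
    "ns1.zamnet.zm": REFERRAL,
    "ns-zm.afrinic.net": REFERRAL,
    "pch.nic.zm": REFERRAL,
    "ns2.zamnet.zm": (
        ";; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
        "zxxx.org.zm. 604800 IN NS ns2.zamnet.zm.\n"
        "zxxx.org.zm. 604800 IN NS ns5.zamnet.zm.\n"
    ),
    "ns1.coppernet.zm": ";; connection timed out; no servers could be reached\n",
}

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
NS_RE = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+NS[ \t]+(\S+)[ \t]*$", re.M)


def parse(text, zone=ZONE):
    """Return (reachable, authoritative, NS targets for zone) for one dig output."""
    if "connection timed out" in text:
        return False, False, frozenset()
    match = FLAGS_RE.search(text)
    flags = match.group(1).split() if match else []
    targets = frozenset(t.lower() for owner, t in NS_RE.findall(text)
                        if owner.lower() == zone)
    return True, "aa" in flags, targets


def audit(samples, zone=ZONE):
    """Compare the NS set each parent server returns and report the outliers."""
    groups, unreachable, authoritative = defaultdict(list), [], []
    for server, text in samples.items():
        reachable, aa, targets = parse(text, zone)
        if not reachable:
            unreachable.append(server)
            continue
        if aa:  # server answers from its own copy of the zone, not a referral
            authoritative.append(server)
        groups[targets].append(server)
    majority = max(groups, key=lambda k: len(groups[k]), default=frozenset())
    dissent = sorted(s for k, v in groups.items() if k != majority for s in v)
    return {"majority": sorted(majority), "dissent": dissent,
            "unreachable": sorted(unreachable),
            "authoritative": sorted(authoritative)}


if __name__ == "__main__":
    for field, value in audit(SAMPLES).items():
        print(f"{field}: {value}")
```

To run the same check against live servers, replace each sample string with the saved output of `dig zxxx.org.zm ns @<server>` for that server.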

Fraud alert

27 September 2016 19:33:46 +0000

We have been receiving phone calls today on our North American toll-free number from people who are claiming that we have charged their credit cards. So far the amounts have been under $100 which, in our experience with being on the receiving end of credit card fraud, are small enough amounts that they might slip under the radar of both credit card companies and some consumers.

Please be assured that NinerNet Communications does not have the facilities to charge credit cards without the explicit permission of the credit card holder. Our agreement with our payment processing company simply does not allow it. We also do not send spam, especially SEO scam spam. (We don’t even offer any kind of SEO [search engine optimisation] services.) It would seem that someone has simply lifted our company name and phone number from our website, and so we are as much a victim of this fraud as you are. We are a reputable company that has been trading under the same name for eighteen years — and only two years before that under our initial name — and plan to continue trading under our good name for many years to come.

The best advice we can give you is to contact your credit card company and initiate a chargeback. There is nothing that we can do other than post this notice so that anybody affected by this fraud can take that action.

iDNS Canada: Another year, another domain scam

9 January 2016 23:24:31 +0000

iDNS Canada domain name expiration notice

Looking very much like the “invoices” sent out years ago by the heavily-fined (and, at various times, suspended by both ICANN and CIRA) so-called Domain Registry of Canada (also known as Internet Registry of Canada, Domain Registry of America, Domain Registry of Europe, NameJuice.com, Brandon Gray Internet Services Inc. and many more), the “not a bill” “domain name expiration notice” received by NinerNet Communications recently reminds us that some people only know how to do business dishonestly — or at the very least on the fringes of legality.

Although it could have been copied, the notice received by us from “iDNS Canada” is almost identical to those of the Domain Registry of America sent out in previous years, and the maple leaf used in the iDNS Canada logo is indeed identical to that used by the Domain Registry of Canada in previous notices.

Let’s analyse a few aspects of this friendly and helpful “domain name expiration notice”:

  • Their website domain on their notice is idns.as, the dot-as country-code top-level domain (ccTLD) being registered to American Samoa, a south Pacific island nation. Trying to load the website at that address results in a redirection to idns.to, the dot-to ccTLD being registered to Tonga, another south Pacific island nation. I suspect they didn’t register a dot-ca domain because they’re not flavour of the month down at CIRA headquarters (assuming a connection, which is not much of a stretch), and might have had their domain suspended in short order had they registered a dot-ca.
  • The footer of their website claims that they are “Internet Domain Name Services Inc.” — a name also used on the return envelope in which you’re supposed to send your cheque (or credit card number) and payment stub. Their contact page (when loaded from a computer in Canada) offers the same box number address in Toronto, Ontario, Canada that is on their notice (delivered to our Canadian address; more on that in a moment), which is located in Bridlewood Mall, where there is a Canada Post outlet hosted by Shoppers Drug Mart offering post office boxes.
  • If you load their contact page from a computer located in the United States (or the United Kingdom, actually), the contact page offers a suite number address at 924 Bergen Avenue in Jersey City, New Jersey, United States of America. A quick check shows this to be a UPS Store, so the “suite number” is also actually a mail box number.
  • On their contact page is an email address on the idnsinc.net domain, which is registered to the same company at the same box number in Jersey City in the US.

There are three notable things about this notice:

  • First of all, the notice refers to ninernet.com, a secondary domain that we use but which is registered to our US address. However, it was sent to our primary Canadian address, which is also on the same contact page on our website as our US and Zambian addresses.
  • As with the almost identical Domain Registry of Canada and Domain Registry of America phoney invoices, the “notice” from iDNS Canada makes reference to another “available” domain (in this case ninernet.BIZ) and invites us to send in payment to register it. However, ninernet.biz is not available; it has been registered by us since 2010. There is no indication on the notice what would happen to this extra money if we decided to send it in to register this additional unavailable domain.
  • Finally, while similar such “notices” in the past have included fine print that authorises the sender to transfer the registration of the domain from under the management of the existing registrar to management by the sender of the so-called solicitation (a process referred to as “domain slamming”), this one doesn’t include any such fine print. In fact, there isn’t even any indication on the “notice” that sending money to iDNS Canada (aka Internet Domain Name Services Inc.) will obligate them to do anything, as they have no way to renew a domain that is not under their control!

So don’t send them money, as you’re almost certainly sending money into a black hole from which you will likely see no service and from which you will probably be unable to retrieve it!

As always, if you receive any kind of communication from a third party (with whom you don’t already have an established and trusted relationship) about your domain — via postal mail, email, telephone, fax or even smoke signal — be suspicious, be wary. If you’re not sure whether or not it is legitimate, please contact us about it and we will be more than happy to take a look and advise you whether or not it is legitimate.

