NinerNet Communications™
Blog

Corporate Blog

Zambian domains (.zm) are broken, don’t register them

12 December 2016 08:53:45 +0000

A little over a year ago we detailed the laborious process by which we managed to bypass an incompetent dot-zm domain registrar — Realtime Technologies Ltd. / Hai Alive Telecommunications — to speak directly to ZICTA (the Zambia Information & Communications Technology Authority) about a problem caused by ZICTA and misdiagnosed by Realtime/HAI.

You may or may not believe this, but the exact same thing is happening again, but with a different dot-zm domain registered through Realtime/HAI.

We contacted ZICTA and Zambia CIRT, through the same channels we used last time, early on the morning of Saturday 10 December. Over forty-eight hours later we still have not received an acknowledgement of our email, and the problem persists.

With the domain redacted to protect our client’s privacy, the evidence that is much the same as for the problem last year is presented below. What is particularly interesting about the information reported by one of the dot-zm nameservers (hippo.ru.ac.za) is that it is still reporting the pch.nic.zm and ns1.coppernet.zm nameservers as being authoritative for the dot-zm ccTLD. (See the IANA website for the nameservers for the dot-zm ccTLD.) The former was the problem nameserver last year, and was apparently promptly decommissioned after our report. However, I see that it is now back online at a new location. Ironically, this time it is actually reporting the correct DNS information for this domain. The latter belongs to the now-defunct Coppernet; although there is still an A record pointing ns1.coppernet.zm to 41.222.240.15, that nameserver simply does not respond at all.

We’ll post further updates when (or if) this problem is resolved. However, we really cannot emphasise strongly enough that you should not register dot-zm domains, and if you have one, you should transition away from it as soon as possible.

Update, 2016-12-27: Posted an update.

[00:00:05 leftseat@wrathall ~]$ whois zxxx.org.zm
Domain Name: zxxx.org.zm
Domain ID: 11559-zicta
WHOIS Server: whois.nic.zm
Referral URL:
Updated Date: 2016-11-29T11:40:45.292Z
Creation Date: 2015-05-12T09:27:15.528Z
Registry Expiry Date: 2017-05-12T09:27:15.611Z
Sponsoring Registrar: Realtime (Z)
Sponsoring Registrar IANA ID:
Domain Status: ok
Registrant Name: REDACTED
Registrant Organization: REDACTED
Registrant Street: lusaka
Registrant City: lusaka
Registrant State/Province: lusaka
Registrant Postal Code: 10101
Registrant Country: ZM
Registrant Phone: +260.REDACTED
Registrant Phone Ext:
Registrant Email: REDACTED
Name Server: ns1.niner.net
Name Server: ns2.niner.net
DNSSEC: unsigned
Additional Section
Sponsoring Registrar URL:
Sponsoring Registrar Country: ZM
Sponsoring Registrar Phone:
Sponsoring Registrar Fax:
Sponsoring Registrar Customer Service Contact:
Sponsoring Registrar Customer Service Email:
Sponsoring Registrar Admin Contact:
Sponsoring Registrar Admin Email:
>>> Last update of WHOIS database: 2016-12-12T07:31:46.321Z <<<

TERMS OF USE: You are not authorized to access or query our WHOIS database through the use of electronic processes that are high-volume and automated.  THis WHOIS database is provided by as a service to the internet community.

The data is for information purposes only. We do not guarantee its accuracy. By submitting a WHOIS query, you agree to abide by the following terms of use: You agree that you may use this Data only for lawful purposes and that under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, or facsimile; or (2) enable high volume, automated, electronic processes. The compilation, repackaging, dissemination or other use of this Data is expressly prohibited.
[00:00:14 leftseat@wrathall ~]$ dig zxxx.org.zm ns

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51871
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; ANSWER SECTION:
zxxx.org.zm.		300	IN	NS	ns1.niner.net.
zxxx.org.zm.		300	IN	NS	ns2.niner.net.

;; Query time: 4627 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:00:28 PST 2016
;; MSG SIZE  rcvd: 85

[00:00:28 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns1.niner.net

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns1.niner.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34521
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; ANSWER SECTION:
zxxx.org.zm.		300	IN	NS	ns1.niner.net.
zxxx.org.zm.		300	IN	NS	ns2.niner.net.

;; ADDITIONAL SECTION:
ns1.niner.net.		300	IN	A	65.61.166.128
ns2.niner.net.		300	IN	A	65.61.166.129

;; Query time: 97 msec
;; SERVER: 65.61.166.128#53(65.61.166.128)
;; WHEN: Mon Dec 12 00:00:36 PST 2016
;; MSG SIZE  rcvd: 117

[00:00:36 leftseat@wrathall ~]$ dig zxxx.org.zm ns @hippo.ru.ac.za

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @hippo.ru.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51448
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
org.zm.			86400	IN	NS	ns2.zamnet.zm.
org.zm.			86400	IN	NS	pch.nic.zm.
org.zm.			86400	IN	NS	ns1.coppernet.zm.
org.zm.			86400	IN	NS	ns-zm.afrinic.net.
org.zm.			86400	IN	NS	ns1.zamnet.zm.

;; ADDITIONAL SECTION:
ns1.zamnet.zm.		86400	IN	A	196.46.192.26
ns1.coppernet.zm.	86400	IN	A	41.222.240.15
ns2.zamnet.zm.		86400	IN	A	196.46.192.21

;; Query time: 347 msec
;; SERVER: 146.231.128.1#53(146.231.128.1)
;; WHEN: Mon Dec 12 00:03:14 PST 2016
;; MSG SIZE  rcvd: 212

[00:03:14 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns1.zamnet.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns1.zamnet.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5881
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
zxxx.org.zm.		86400	IN	NS	ns1.niner.net.
zxxx.org.zm.		86400	IN	NS	ns2.niner.net.

;; Query time: 330 msec
;; SERVER: 196.46.192.26#53(196.46.192.26)
;; WHEN: Mon Dec 12 00:03:35 PST 2016
;; MSG SIZE  rcvd: 85

[00:03:35 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns2.zamnet.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns2.zamnet.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27780
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; ANSWER SECTION:
zxxx.org.zm.		604800	IN	NS	ns2.zamnet.zm.
zxxx.org.zm.		604800	IN	NS	ns5.zamnet.zm.

;; Query time: 337 msec
;; SERVER: 196.46.192.21#53(196.46.192.21)
;; WHEN: Mon Dec 12 00:03:42 PST 2016
;; MSG SIZE  rcvd: 83

[00:03:42 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns-zm.afrinic.net

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns-zm.afrinic.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43162
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
zxxx.org.zm.		86400	IN	NS	ns1.niner.net.
zxxx.org.zm.		86400	IN	NS	ns2.niner.net.

;; Query time: 324 msec
;; SERVER: 196.216.168.44#53(196.216.168.44)
;; WHEN: Mon Dec 12 00:03:53 PST 2016
;; MSG SIZE  rcvd: 85

[00:03:53 leftseat@wrathall ~]$ dig pch.nic.zm any

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> pch.nic.zm any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 261
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pch.nic.zm.			IN	ANY

;; ANSWER SECTION:
pch.nic.zm.		81758	IN	A	204.61.216.73

;; Query time: 10 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:16:20 PST 2016
;; MSG SIZE  rcvd: 55

[00:16:20 leftseat@wrathall ~]$ whois 204.61.216.73

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=204.61.216.73?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       204.61.208.0 - 204.61.217.255
CIDR:           204.61.216.0/23, 204.61.208.0/21
NetName:        WOODYNET-204-61-208-0-21
NetHandle:      NET-204-61-208-0-1
Parent:         NET204 (NET-204-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   WoodyNet (WOODYN)
RegDate:        1995-01-26
Updated:        2012-03-02
Ref:            https://whois.arin.net/rest/net/NET-204-61-208-0-1

OrgName:        WoodyNet
OrgId:          WOODYN
Address:        2351 Virginia St
City:           Berkeley
StateProv:      CA
PostalCode:     94709-1315
Country:        US
RegDate:        2001-05-16
Updated:        2013-04-02
Ref:            https://whois.arin.net/rest/org/WOODYN

OrgAbuseHandle: BW1324-ARIN
OrgAbuseName:   Woodcock, Bill
OrgAbusePhone:  +1-415-831-3103
OrgAbuseEmail:  woody_AT_pch.net
OrgAbuseRef:    https://whois.arin.net/rest/poc/BW1324-ARIN

OrgTechHandle: BW1324-ARIN
OrgTechName:   Woodcock, Bill
OrgTechPhone:  +1-415-831-3103
OrgTechEmail:  woody_AT_pch.net
OrgTechRef:    https://whois.arin.net/rest/poc/BW1324-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

[00:16:32 leftseat@wrathall ~]$ dig -x 204.61.216.73

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> -x 204.61.216.73
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46703
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;73.216.61.204.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
73.216.61.204.in-addr.arpa. 900	IN	PTR	pch.nic.zm.

;; Query time: 1670 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:16:44 PST 2016
;; MSG SIZE  rcvd: 79

[00:16:44 leftseat@wrathall ~]$ dig zxxx.org.zm ns @pch.nic.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @pch.nic.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10234
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zxxx.org.zm.			IN	NS

;; AUTHORITY SECTION:
zxxx.org.zm.		86400	IN	NS	ns2.niner.net.
zxxx.org.zm.		86400	IN	NS	ns1.niner.net.

;; Query time: 11 msec
;; SERVER: 204.61.216.73#53(204.61.216.73)
;; WHEN: Mon Dec 12 00:17:20 PST 2016
;; MSG SIZE  rcvd: 85

[00:17:20 leftseat@wrathall ~]$ dig ns1.coppernet.zm any

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> ns1.coppernet.zm any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4953
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;ns1.coppernet.zm.		IN	ANY

;; ANSWER SECTION:
ns1.coppernet.zm.	86375	IN	A	41.222.240.15

;; Query time: 11 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:36:07 PST 2016
;; MSG SIZE  rcvd: 61

[00:36:07 leftseat@wrathall ~]$ whois 41.222.240.15
% This is the AfriNIC Whois server.

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '41.222.240.0 - 41.222.241.255'

% No abuse contact registered for 41.222.240.0 - 41.222.241.255

inetnum:        41.222.240.0 - 41.222.241.255
netname:        CUNET-LSK-01
descr:          Allocation to CopperNET Solutions, an ISP in Zambia.
country:        ZM
admin-c:        KWC1-AFRINIC
tech-c:         KWC1-AFRINIC
status:         ASSIGNED PA
remarks:        Please send abuse notification to abuse@coppernet.zm
mnt-by:         COPSOL-MNT
source:         AFRINIC # Filtered
parent:         41.222.240.0 - 41.222.243.255

person:         Kasopa W Chisanga
address:        Silicon House, Kantanta Street
address:        P.O Box 22149, Kitwe
address:        ZM
phone:          +260-212-245011
phone:          +260-212-245200
phone:          +260-212-245222
nic-hdl:        KWC1-AFRINIC
remarks:        CopperNET Solutions.
source:         AFRINIC # Filtered

[00:36:20 leftseat@wrathall ~]$ dig -x 41.222.240.15

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> -x 41.222.240.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;15.240.222.41.in-addr.arpa.	IN	PTR

;; Query time: 1916 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Dec 12 00:36:30 PST 2016
;; MSG SIZE  rcvd: 55

[00:36:30 leftseat@wrathall ~]$ traceroute 41.222.240.15
traceroute to 41.222.240.15 (41.222.240.15), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.372 ms  0.780 ms  0.781 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
[00:37:15 leftseat@wrathall ~]$ dig zxxx.org.zm ns @ns1.coppernet.zm

; <<>> DiG 9.9.5-3ubuntu0.10-Ubuntu <<>> zxxx.org.zm ns @ns1.coppernet.zm
;; global options: +cmd
;; connection timed out; no servers could be reached
[00:38:21 leftseat@wrathall ~]$
Tags: , ,
Categories: Warnings
Comments Off on Zambian domains (.zm) are broken, don’t register them

Fraud alert

27 September 2016 19:33:46 +0000

We have been receiving phone calls today on our North American toll-free number from people who are claiming that we have charged their credit cards. So far the amounts have been under $100 which, in our experience with being on the receiving end of credit card fraud, are small enough amounts that they might slip under the radar of both credit card companies and some consumers.

Please be assured that NinerNet Communications does not have the facilities to charge credit cards without the explicit permission of the credit card holder. Our agreement with our payment processing company simply does not allow it. We also do not send spam, especially SEO scam spam. (We don’t even offer any kind of SEO [search engine optimisation] services.) It would seem that someone has simply lifted our company name and phone number from our website, and so we are as much a victim of this fraud as you are. We are a reputable company that has been trading under the same name for eighteen years — and only two years before that under our initial name — and plan to continue trading under our good name for many years to come.

The best advice we can give you is to contact your credit card company and initiate a chargeback. There is nothing that we can do other than post this notice so that anybody affected by this fraud can take that action.

Tags: , , ,
Categories: Warnings
Comments Off on Fraud alert

iDNS Canada: Another year, another domain scam

9 January 2016 23:24:31 +0000
iDNS Canada domain name expiration notice.

iDNS Canada domain name expiration notice

Looking very much like the “invoices” sent out years ago by the heavily-fined (and, at various times, suspended by both ICANN and CIRA) so-called Domain Registry of Canada (also known as Internet Registry of Canada, Domain Registry of America, Domain Registry of Europe, NameJuice.com, Brandon Gray Internet Services Inc. and many more), the “not a bill” “domain name expiration notice” received by NinerNet Communications recently reminds us that some people only know how to do business dishonestly — or at the very least on the fringes of legality.

Although it could have been copied, the notice received by us from “iDNS Canada” is almost identical to those of the Domain Registry of America sent out in previous years, and the maple leaf used in the iDNS Canada logo is indeed identical to that used by the Domain Registry of Canada in previous notices.

Let’s analyse a few aspects of this friendly and helpful “domain name expiration notice”:

  • Their website domain on their notice is idns.as, the dot-as country-code top-level domain (ccTLD) being registered to American Samoa, a south Pacific island nation. Trying to load the website at that address results in a redirection to idns.to, the dot-to ccTLD being registered to Tonga, another south Pacific island nation. I suspect they didn’t register a dot-ca domain because they’re not flavour of the month down at CIRA headquarters (assuming a connection, which is not much of a stretch), and might have had their domain suspended in short order had they registered a dot-ca.
  • The footer of their website claims that they are “Internet Domain Name Services Inc.” — a name also used on the return envelope in which you’re supposed to send your cheque (or credit card number) and payment stub. Their contact page (when loaded from a computer in Canada) offers the same box number address in Toronto, Ontario, Canada that is on their notice (delivered to our Canadian address; more on that in a moment), which is located in Bridlewood Mall, where there is a Canada Post outlet hosted by Shoppers Drug Mart offering post office boxes.
  • If you load their contact page from a computer located in the United States (or the United Kingdom, actually), the contact page offers a suite number address at 924 Bergen Avenue in Jersey City, New Jersey, United States of America. A quick check shows this to be a UPS Store, so the “suite number” is also actually a mail box number.
  • On their contact page is an email address on the idnsinc.net domain, which is registered to the same company at the same box number in Jersey City in the US.

There are three notable things about this notice:

  • First of all, the notice refers to ninernet.com, a secondary domain that we use but which is registered to our US address. However, it was sent to our primary Canadian address, which is also on the same contact page on our website as our US and Zambian addresses.
  • As with the almost identical Domain Registry of Canada and Domain Registry of America phoney invoices, the “notice” from iDNS Canada makes reference to another “available” domain (in this case ninernet.BIZ) and invites us to send in payment to register it. However, ninernet.biz is not available; it has been registered by us since 2010. There is no indication on the notice what would happen to this extra money if we decided to send it in to register this additional unavailable domain.
  • Finally, while similar such “notices” in the past have included fine print that authorises the sender to transfer the registration of the domain from under the management of the existing registrar to management by the sender of the so-called solicitation (a process referred to as “domain slamming“), this one doesn’t include any such fine print. In fact, there isn’t even any indication on the “notice” that sending money to iDNS Canada (aka Internet Domain Name Services Inc.) will obligate them to do anything, as they have no way to renew a domain that is not under their control!

So don’t send them money, as you’re almost certainly sending money into a black hole from which you will likely see no service and from which you will probably be unable to retrieve it!

As always, if you receive any kind of communication from a third-party (with whom you don’t already have an established and trusted relationship) about your domain — via postal mail, email, telephone, fax or even smoke signal — be suspicious, be wary. If you’re not sure whether or not it is legitimate, please contact us about it and we will be more than happy to take a look and advise you whether or not it is legitimate.

Tags: , , , , , , , , , , ,
Categories: Warnings
Comments Off on iDNS Canada: Another year, another domain scam

Yet more problems with dot-zm (Zambian) domains

9 December 2015 14:33:02 +0000

Back on 16 September a client with a dot-zm domain hosted with us came to us with a problem that had started the day before. The majority of this post documents the details of the monumental effort we had to expend to get the domain registrar (Realtime/Hai) and registry (ZICTA, the Zambia Information & Communications Technology Authority) to do their jobs and provide a working domain.

However, the reason for the timing of this post (which we should have made two months ago) is that we are seeing these same problems again with dot-zm domains. Emails sent to existing dot-zm domains, hosted with different hosting companies, are bouncing because these dot-zm domains seem not to exist on the Internet because the dot-zm nameservers are reporting differing, incomplete or even incorrect information for them.

Unfortunately there is nothing that we can do on our servers when ZICTA’s dot-zm nameservers report — incorrectly! — that a dot-zm domain does not exist or directs traffic to the wrong servers.

Our recommendation for years now, due to the shocking unreliability of dot-zm domains, is that you simply should not register dot-zm domains. This seems awfully unpatriotic — after all, you.co.zm is supposed to be a proud acknowledgement of your association with Zambia — but the sad fact of the matter is that your dot-zm domain is actually an embarrassment and a disservice to you, your business and your country.

We have written about this over and over again over the years. Here’s a recap of some of what we’ve written on our blogs (there’s more lost in the mists of time and in emails sent before we set up our corporate and status blogs):

We also have over 50 MB of raw data (some of it compressed) dating back to 2008 documenting problems with dot-zm domains, including all dot-zm domains going down worldwide. It’s the kind of material with which we could write a thesis about TLD mismanagement, if we had the time … but we don’t.

So what happened in September?

Back on 16 September a client with a dot-zm domain hosted with us came to us with a problem that had started the day before. They were suddenly receiving very little email, and they were being told by some of their correspondents that emails sent to their domain were bouncing. Of course, this galvanised us immediately, and we checked all aspects of their domain’s configuration on our nameservers and mail servers. We could find nothing wrong. However, the problem was undeniable; some mail sent to this client’s domain was indeed bouncing.

So we started digging deeper. We found that, without being asked to do so by the domain registrant (our client), the dot-zm domain registry (ZICTA, whose website is again down as I write this) had changed the nameservers of our client’s domain to those of their domain registrar, Realtime Technologies Ltd., now doing business as Hai Alive Telecommunications — whose websites on both of their domains are also down right now. (Seeing a pattern here?) Both the registrar and the registry denied being responsible for changing the nameservers and refused to explain how it happened. The nameservers were changed back to ours, but the problem persisted.

What we found was that the problem was intermittent, hence the fact that some email was getting through and some was being bounced. An intermittent problem is the worst kind of problem because when things are working there is no problem to find, and when things aren’t working you don’t know when the problem will go away and whether or not you’ll find the problem before it disappears. On top of that mail from multiple different and unrelated sources was being bounced, so we couldn’t blame a particular sender’s improperly configured mail server for the problem.

Seeing as the registrar (Realtime/Hai) blamed NinerNet for the problem, and the registry (ZICTA) refused to deal with us, telling us we had to seek help from the registrar (Realtime/Hai) who was too busy blaming us to investigate, some more investigation by NinerNet revealed that one of the six nameservers that run the dot-zm country-code top-level domain (as of today they’re now down to four) was still broadcasting to the world that the authoritative nameservers for the domain were hosted at Realtime/Hai, which was the result of the unauthorised change to the nameservers a couple of days earlier. (One of the six was failing, and one wasn’t providing the information it was supposed to provide, meaning that three of the six nameservers for dot-zm domains were not working properly!)

There was an easy temporary solution to this problem, seeing as ZICTA was being uncooperative: A few keystrokes by someone at Realtime/Hai could have set up the client’s domain on their nameservers, so that when a mail server was incorrectly directed there it would have received the correct information that we would provide to Realtime/Hai. However, Realtime/Hai refused to help unless the client signed a hosting contract with them and paid money up front, despite the fact that the client/registrant had already paid them for a working domain that they expected to work for the entire length of the contract for that domain. This, of course, was an outrageous attempt at extortion and was rejected.

After hammering away at ZICTA for over a week by email (while trying to get Realtime/Hai to take responsibility for addressing the problem, as the domain registrar is supposed to do) and being ignored (including receiving notifications that emails to them had been deleted unread) — except by one person, the head of “Consumer Protection”, who said that he would help me but then also continued to ignore me, never sending me another email again — I finally picked up the phone and eventually (after six tries and being disconnected twice; this is the “Communications Technology Authority”?!) reached a receptionist. (A month earlier when trying unsuccessfully to deal with ZICTA over another issue, the receptionist couldn’t put me through to the person who could help me with my issue because the whole organisation, except apparently the receptionist, was at a staff meeting!) After explaining the situation to the receptionist she stated that I had to deal with Realtime/Hai. After explaining that Realtime/Hai refused to help, she said that she would only continue to talk to me if I would lodge a complaint against Realtime/Hai, so I reluctantly agreed. After being on hold for over ten minutes while she did who knows what, she came back on the line. This time I literally pleaded with her to give me one minute to fully explain the problem and why the problem was caused by ZICTA and how it was within the power of only ZICTA to fix in less than two minutes.

My pleading must have had an effect, as she agreed to put me through to someone else. That person was apparently a “Cyber Security Analyst” with Zambia CIRT (Computer Incident Response Team, whose website is actually up!). I had to actually give him the computer commands to demonstrate the cause and location of the problem. Miraculously he agreed with my assessment — after eight days of banging my head against brick walls, someone finally understood and agreed! — but could do nothing to fix it right away because (although it was nine o’ clock in the morning) the person who was in charge of running the registry back end was not in yet. However, he did assure me that it would be dealt with that day, although it wasn’t until the next day that I finally received written acknowledgement from ZICTA of the problem they had caused, and it was another two days before they fixed it, twelve days after the problem was created!

So, let’s review …

… how a problem with a dot-zm domain is handled by the registry and its registrar, and how long it takes:

  • Day one: Client’s dot-zm domain stops working.
  • It is found that the nameservers for the domain have been changed to use the registrar’s (Realtime/Hai) nameservers instead of NinerNet’s, without the authority of the domain registrant.
  • Nameservers are changed back; registrar (Realtime/Hai) and registry (ZICTA) deny responsibility and refuse to explain.
  • Problem persists.
  • Registrar (Realtime/Hai) refuses to help, attempts to extort money from registrant for services (domain registration) already paid for.
  • Registry (ZICTA) finally responds, refers problem to registrar (Realtime/Hai). Will only address problem with a formal complaint about registrar (Realtime/Hai).
  • After pleading with registry (ZICTA) they relent and refer the matter to a staff member who can help.
  • We have to hold the hand of the person at the registry (ZICTA) to show him how to confirm the nature and location of the problem.
  • Day thirteen: Problem at ZICTA is finally fixed by ZICTA 3 days later, 12 days after they created the problem in the first place.

It is interesting to note that there is almost no information on the ZICTA website about the management of the dot-zm ccTLD (country-code top-level domain; compare that to, for example, the website of Nominet, the organisation that runs the dot-uk ccTLD), and their Facebook page contains nothing but pages and pages of repetitive so-called FAQs about mobile service, and not a single mention (going back to at least the end of 2014) of dot-zm domains and domain registration. Underneath almost all of the posts by ZICTA with FAQs are reams and reams of complaints about how useless ZICTA is and how they do nothing about consumer complaints. See for yourself.

Is there a solution?

Yes, there is. If someone in Zambia cannot be found to provide competent management and direction to ZICTA — and the wherewithal to whip registrars into shape and to educate them on the need to provide customer service without resorting to blaming hosting providers for issues that are demonstrably not theirs — then the job can and should be outsourced to a foreign company with a good track record.

  • Just on the other side of the boerewors curtain is ZADNA, the domain authority of South Africa. I don’t know if they offer their services to other national domain authorities to run their ccTLDs, but they’re doing a decent job of running their own (dot-za), have recently (in the last few years) launched a new competitive domain registration system, and launched the new TLDs dot-capetown, dot-durban and dot-joburg. They’re also the leading contender to run dot-africa, if ICANN ever fixes that mess and launches it.
  • In New Zealand is CoCCA Registry Services (NZ) Limited, with whom ZICTA already has a relationship as they’re using CoCCA’s registry software and have apparently provided some financial consideration for same. As you can see, CoCCA is already running the registries of at least ten TLDs, most of which are those of other small and developing countries.
  • In Canada there is OpenSRS who offer their services to registrars, but who may also be interested in providing service to a ccTLD registry.

In the more immediate term NinerNet has provided, since 2010, the option of registering a dot-zam.co domain — e.g., ninernet.zam.co. We provide it expressly because of the ongoing, years old problems with the management and administration of the dot-zm ccTLD, not to mention the exorbitant cost of dot-zm domains. Instead of registering companyzambia.com (which is probably available, I should point out) you can instead register company.zam.co. It’s the same number of characters as company.com.zm, and only one more than company.co.zm. But more importantly, it’s reliable!

I should point out that we don’t expose the flaws in the dot-zm ccTLD in order to sell dot-zam.co domains; our setting up dot-zam.co is the result of these flaws. If the dot-zm domain system worked properly, we would never have thought to create the dot-zam.co alternative ccTLD, and we’d certainly have no reason to complain. Besides, having been created in 1994, dot-zm had a sixteen-year head start on dot-zam.co! Dot-zam.co is a long way from being a threat to ZICTA and dot-zm.

Finally, you can switch to a new, non-dot-zm domain. Ideally you would never have registered that dot-zm domain in the first place, but it’s an understandable and forgivable mistake. It’s not ideal to switch to a new domain, but where would you be if your domain went down for two weeks and nobody wanted to help you? Here’s how you do it:

  1. Register your new non-dot-zm domain.
  2. Have your hosting provider set up the hosting for it, and create all of the existing email address on your old domain (e.g., phiri@example.co.zm) on the new domain (e.g., phiri@example.zam.co).
  3. Similarly you would upload your existing website to your new domain, reconfigured to use your new domain instead of your old dot-zm domain. (Doing this properly is a little more involved than what I have laid out here and there are options, but it’s very doable and quite straightforward from a technical point of view for a good host that knows what they’re doing.)
  4. Disable your old dot-zm domain and “alias” it to your new domain. This means that all email to your old dot-zm domain is automatically redirected to your new domain, and all traffic to your old dot-zm website is redirected to your website on your new domain, preserving your ranking in the search engines and all existing links to your old dot-zm domain.
  5. Start using your new domain for email by reconfiguring your email program to use the new domain. While your customers and other contacts may still email you at the old dot-zm domain, your replies will come from your new domain and so their future replies will go straight to your new domain. Of course, you would also advise your customers and contacts of your new domain by email and on your website, and in any other ways that you advertise your business.
  6. Keep your old dot-zm domain for at least a year or two, aliased to your new domain. How long you keep your old dot-zm domain is up to you and would depend on a number of factors (we can advise on that), but the good thing is that when (not if) it goes down again, you will use that opportunity to reinforce with your customers and other contacts the importance of using your new domain.

While some less sympathetic hosting companies may charge you for the time involved in making this change (which is actually quite understandable), we will not charge you even one extra ngwee to make this change away from your old dot-zm domain. We also do not charge any extra hosting fees to alias your old dot-zm domain to your new domain. In other words, changing to a new domain will only cost you the price of the new domain.

Appendix

The email below, sent to the person we spoke to at ZICTA (who also seems to be associated with Zambia CIRT) after we finally managed to talk to him, documents the problem experienced by our client with their dot-zm domain. The client’s domain has been redacted for privacy reasons (changed to example.co.zm), as have the names and email addresses of individuals.

From: Craig Hartnett <hxxxxxxx _AT_ niner.net>
To: cxxxxx _AT_ cirt.zm
CC: exxxx.cxxxxxx _AT_ hai-alive.co.zm, exxxx.mxxxx _AT_ hai-alive.co.zm,
     exxxxxx _AT_ rtaa.com.zm, mxxxxxx _AT_ rtaa.com.zm,
     rxxxxx.zxxxx _AT_ hai-alive.co.zm, servicedesk _AT_ hai-alive.co.zm,
     servicedesk _AT_ rtaa.com.zm, cxxxx _AT_ zicta.zm, info _AT_ zicta.zm,
     kxxxxxx _AT_ zicta.zm, nxxxxx _AT_ example.co.zm, ixxxxxx _AT_ jxxxxxxxxx.com
Subject: Problem with example.co.zm domain
Date: Fri, 25 Sep 2015 09:21:22 +0200
Mailer:	Evolution 3.10.4-0ubuntu2
Organization: NinerNet Communications, www.niner.net
Dear Cxxxxx,
Thank-you for taking my call this morning.
As I explained, the nameservers for the dot-zm TLD are not properly
synchronised, and are therefore reporting different nameservers for the
example.co.zm domain. In particular, pch.nic.zm is reporting incorrect
nameservers.
Of course, this results in disruption of the example.co.zm domain, and
this has been the case since at least Tuesday 15 September. At one point
last week the WHOIS showed only Realtime nameservers for the
example.co.zm domain. Realtime claims that this was the result of some
sort of registry activity -- a reset of some sort if I remember
correctly. These were changed back to NinerNet's nameservers but, as I
explained on the phone, one of the dot-zm nameservers is still responding
with Realtime's nameserver instead of NinerNet's.
Realtime have refused to assist thus far -- even though they are the
registrar of this domain -- instead blaming us (NinerNet Communications,
the company hosting the domain) for the problems. However, this is
clearly refuted by the evidence below, which are fresh queries from a
few minutes ago (with date and time stamps) on all of the dot-zm TLD
nameservers.
I have copied this email to all of the people at Realtime who have been
involved thus far, as well as representatives of the registrant of the
domain.
This should take two minutes for someone with access to the pch.nic.zm
nameserver to fix. Please ensure that this is fixed today so that the
registrant of example.co.zm can get back to running their business.
Thank-you.
Craig Hartnett
[00:13:14 leftseat@wrathall ~]$ date -u
Fri Sep 25 07:13:19 UTC 2015
[00:13:19 leftseat@wrathall ~]$ dig example.co.zm ns @hippo.ru.ac.za
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> example.co.zm ns @hippo.ru.ac.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63660
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.co.zm.                        IN      NS
;; AUTHORITY SECTION:
co.zm.                  86400   IN      NS      pch.nic.zm.
co.zm.                  86400   IN      NS      ns-zm.afrinic.net.
co.zm.                  86400   IN      NS      ns1.zamnet.zm.
;; ADDITIONAL SECTION:
ns1.zamnet.zm.          86400   IN      A       196.46.192.26
;; Query time: 348 msec
;; SERVER: 146.231.128.1#53(146.231.128.1)
;; WHEN: Fri Sep 25 00:13:28 PDT 2015
;; MSG SIZE  rcvd: 137
[00:13:28 leftseat@wrathall ~]$ dig example.co.zm ns @ns1.coppernet.zm
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> example.co.zm ns @ns1.coppernet.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17502
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.co.zm.                        IN      NS
;; Query time: 586 msec
;; SERVER: 41.222.240.15#53(41.222.240.15)
;; WHEN: Fri Sep 25 00:13:32 PDT 2015
;; MSG SIZE  rcvd: 43
[00:13:32 leftseat@wrathall ~]$ dig example.co.zm ns @ns1.zamnet.zm
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> example.co.zm ns @ns1.zamnet.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52796
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.co.zm.                        IN      NS
;; AUTHORITY SECTION:
example.co.zm.         86400   IN      NS      ns2.niner.net.
example.co.zm.         86400   IN      NS      ns1.niner.net.
;; Query time: 320 msec
;; SERVER: 196.46.192.26#53(196.46.192.26)
;; WHEN: Fri Sep 25 00:13:38 PDT 2015
;; MSG SIZE  rcvd: 88
[00:13:38 leftseat@wrathall ~]$ dig example.co.zm ns @ns2.zamnet.zm
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> example.co.zm ns @ns2.zamnet.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16638
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.co.zm.                        IN      NS
;; AUTHORITY SECTION:
example.co.zm.         86400   IN      NS      ns1.niner.net.
example.co.zm.         86400   IN      NS      ns2.niner.net.
;; Query time: 338 msec
;; SERVER: 196.46.192.21#53(196.46.192.21)
;; WHEN: Fri Sep 25 00:13:42 PDT 2015
;; MSG SIZE  rcvd: 88
[00:13:42 leftseat@wrathall ~]$ dig example.co.zm ns @ns-zm.afrinic.net
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> example.co.zm ns @ns-zm.afrinic.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36928
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.co.zm.                        IN      NS
;; AUTHORITY SECTION:
example.co.zm.         86400   IN      NS      ns1.niner.net.
example.co.zm.         86400   IN      NS      ns2.niner.net.
;; Query time: 310 msec
;; SERVER: 196.216.168.44#53(196.216.168.44)
;; WHEN: Fri Sep 25 00:13:45 PDT 2015
;; MSG SIZE  rcvd: 88
[00:13:45 leftseat@wrathall ~]$ dig example.co.zm ns @pch.nic.zm
; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> example.co.zm ns @pch.nic.zm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37546
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.co.zm.                        IN      NS
;; AUTHORITY SECTION:
example.co.zm.         86400   IN      NS      dns2.hai-alive.zm.
example.co.zm.         86400   IN      NS      dns2.realtime.zm.
example.co.zm.         86400   IN      NS      dns1.hai-alive.zm.
example.co.zm.         86400   IN      NS      dns3.realtime.zm.
example.co.zm.         86400   IN      NS      dns4.realtime.zm.
example.co.zm.         86400   IN      NS      dns1.realtime.zm.
example.co.zm.         86400   IN      NS      dns4.hai-alive.zm.
example.co.zm.         86400   IN      NS      dns3.hai-alive.zm.
;; Query time: 17 msec
;; SERVER: 204.61.216.73#53(204.61.216.73)
;; WHEN: Fri Sep 25 00:13:49 PDT 2015
;; MSG SIZE  rcvd: 214
[00:13:49 leftseat@wrathall ~]$ date -u
Fri Sep 25 07:13:56 UTC 2015
[00:13:56 leftseat@wrathall ~]$
--
NinerNet Communications | Craig Hartnett
* http://www.niner.net | info _AT_ niner.net
Phone: +1 604 630 1772 | +260 21 1 255568 | 1 855 NINERNET

Update, 2016-12-12: Updated link to CoCCA “patrons” page.

Tags: , ,
Categories: Updated posts, Warnings
Comments Off on Yet more problems with dot-zm (Zambian) domains

Yet another domain registration scam

8 December 2015 21:57:54 +0000

We bring your attention to yet another scam aimed at domain registrants. Of course, there are disclaimers in the faded fine print telling you that this is not an invoice, only a solicitation or proposal, but the email is clearly designed to look like an invoice for the renewal of a supposedly expiring domain registration.

As always, please ignore emails sent to the email address that you use in your domain registration(s) that are not from your domain registrar or registry. (If you’re not clear on the difference between a registrar and a registry — and who yours are for your domain[s] — please ask us.) In fact, we suggest using an email address for your domain registration(s) that you do not use for anything else, so that you can identify emails that are sent as a result of “scraping” your email address from the public WHOIS.

Below is one of the examples of the latest scam that we are seeing. Please note, however, that the apparent sending email (in the “from” field) can and does vary.

From: Domain Service <info@better-fit.com>
To: domains@ninernet.com
Subject: spam-slip.com expiration
Date: Mon, 30 Nov 2015 15:53:16 +0800

ATTENTION: IMPORTANT NOTICE
SEO Domain Registration Company
Notice#: 949540
Date: 11/29/2015

EXPIRATION NOTICE

DOMAIN: spam-slip.com
Notification Purchase Proposal

EXPIRATION PROPOSAL DATE: 12/07/2015
To: Domain Administrator, NinerNet
499-1685 H Street
Blaine
WA, 98230, UNITED STATES

Domain Name:

Registration SEO Period:

Price:

Term:
spam-slip.com 12/21/2015 to 12/20/2016 $64.00 1 Year

SECURE ONLINE PAYMENT
Domain Name: spam-slip.com
Attn: Domain Administrator
This important expiration notification proposal notifies you about the expiration notice of your domain registration for spam-slip.com search engine optimization submission. The information in this expiration notification proposal may contain confidential and/or legally privileged information from the notification processing department to purchase our search engine traffic generator. We do not register or renew domain names. We are selling traffic generator software tools. This information is intended only for the use of the individual(s) named above.
If you fail to complete your domain name registration spam-slip.com search engine optimization service by the expiration date, may result in the cancellation of this search engine optimization domain name notification proposal notice.

PLEASE CLICK ON

SECURE ONLINE PAYMENT

TO COMPLETE YOUR PAYMENT.
Failure to complete your seo domain name registration spam-slip.com search engine optimization service process may make it difficult for customers to find you on the web.
CLICK UNDERNEATH FOR IMMEDIATE PAYMENT
PROCESS PAYMENT FOR
spam-slip.com
SECURE ONLINE PAYMENT

ACT IMMEDIATELY

This domain seo registration for spam-slip.com search engine service optimization notification proposal will expire 12/07/2015.

Instructions and Unsubscribe Instructions:
You have received this message because you elected to receive special notification proposal. If you no longer wish to receive our notifications, pleaseunsubscribe here or mail us a written request to US Main Office: SEO Domain Registration Company, Los Angeles, CA 90036, Email: seodomainregservice@mail.com or Asia Main Office: SEO Domain Registration Company, Shenzhen Futian, Email: seodomainregservice@mail.com. If you have multiple accounts with us, you must opt out for each one individually in order to stop receiving notifications notices. We are a search engine optimization company. We do not directly register or renew domain names. We are selling traffic generator software tools. This message is CAN-SPAM compliant. THIS IS NOT A BILL. THIS IS A NOTIFICATION PROPOSAL. YOU ARE UNDER NO OBLIGATION TO PAY THE AMOUNT STATED UNLESS YOU ACCEPT THIS NOTIFICATION PROPOSAL. This message, which contains promotional material strictly along the guidelines of the CAN-SPAM act of 2003. We have clearly mentioned the source mail-id of this email, also clearly mentioned our subject lines and they are in no way misleading. Please do not reply to this email, as we are not able to respond to messages sent to this address.

If you have any questions about this or any other suspicious email you have received, please let us know.

Tags: , , , ,
Categories: Warnings
Comments Off on Yet another domain registration scam

Phishing warning for domain registrants

31 October 2015 12:38:00 +0000

We’re seeing what appears to be a concerted “phishing” effort aimed at the registrants of domains. To be honest, the first time we saw one of these emails, the allegations it contained made us angry, and we almost fell for it. This is the classic reaction that “phishers” are looking for — anger, or fear — because those emotions will cause the smartest among us to lose control, perhaps for just long enough to do something stupid.

As always, our best advice is to take a moment to calm yourself down and take a critical look at the email that you have received. It is almost certainly fake.

We have received two different versions of these emails for several domains registered to us, and the emails are likely tailored to the registrar with which you have your domain registered. Below are the emails we’ve received, with legitimate email addresses altered to prevent their being automatically harvested by yet more spammers.

Example 1

From: domainabuse _AT_ tucows.com
To: NinerNet Communications
Subject: Domain ADDRESSGAURD.COM Suspension Notice
Date: Mon, 26 Oct 2015 18:46:54 -0700

Dear Sir/Madam,

The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:

Domain Name: ADDRESSGAURD.COM
Registrar: TUCOWS, INC.
Registrant Name: Domain Administrator

Multiple warnings were sent by TUCOWS, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us by email at mailto:domainabuse _AT_ tucows.com for additional information regarding this notification.

Sincerely,
TUCOWS, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101

Example 2

From: “TUCOWS, INC.” <domainabuse@tucows.com.org>
To: NinerNet Communications
Subject: Domain GIVE-SPAM-THE-SLIP.COM Suspension Notice
Date: Tue, 27 Oct 2015 21:59:41 -0700

Dear Sir/Madam,

The following domain names have been suspended for violation of the TUCOWS, INC. Abuse Policy:

Domain Name: GIVE-SPAM-THE-SLIP.COM
Registrar: TUCOWS, INC.
Registrant Name: Domain Administrator

Multiple warnings were sent by TUCOWS, INC. Spam and Abuse Department to give you an opportunity to address the complaints we have received.

We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.

We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.

Click here and download a copy of complaints we have received.

Please contact us for additional information regarding this notification.

Sincerely,
TUCOWS, INC.
Spam and Abuse Department
Abuse Department Hotline: 480-570-6902

The text “Click here and download” was, in all cases, hyperlinked to websites NOT on domains associated with NinerNet or Tucows, the registrar with whom our clients’ domains are registered. You must always take a moment to view (in the status bar of your email program) the URL (address) of the website to which a link will take you, before you click the link.

While the first email was crafted so that it appeared to be sent from domainabuse _AT_ tucows.com — which is a real email address — subsequent messages have arrived from domainabuse@tucows.com.org. Tucows.com.org is not a real domain; however, it does exist as a sub-domain of the com.org domain which, despite how odd it looks, is an actual domain. (It is being “monetised” by its owners, who probably have nothing to do with the spammers/phishers but who have unfortunately set it up in such a way that “tucows.com.org” appears [to both humans and automated anti-spam systems] to be a working domain.) We have configured our mail servers to block messages from the tucows.com.org sub-domain, but if the contact email address for your domain is on a domain we don’t host (e.g., gmail.com, yahoo.com, etc.) then you may still receive these messages. Since tucows.com is a legitimate domain, we cannot block email from it.

As always, if you have any questions about a questionable email that you have received — or one that has made you afraid or angry — please forward it to us and we’ll take a look at it to determine whether or not it is legitimate.

Update, 2015-11-01: Minor corrections, add missing sender email address, add actual domains and remove protection for bogus email address.

Update, 2015-11-03: We’re now seeing these scam emails coming from domainabuse@tucows.com.info, and in this case the “com.info” domain (and any sub-domains) is completely bogus and should be blocked by default to most of our email clients. We checked out what happens when you click the link (don’t try this at home!) and our browser was directed to download a file named “GIVESPAMTHESLIP.COM_copy_of_complaints.pdf.scr”. This is an old trick, naming a file with a “double extension” to try to trick people into opening what they think (in this case) is a PDF file, but which (in this case) is actually (on Windows machines) an executable screensaver file (“.scr”) that can carry a malicious payload. Remember, think before you click!

Tags: ,
Categories: Updated posts, Warnings
Comments Off on Phishing warning for domain registrants

Warning about ongoing domain registration scam

9 October 2015 09:12:28 +0000

Hardly a week goes by that we don’t hear from a client with questions about a spam email that they have received regarding their domain registration(s). We appreciate hearing about these as it gives us the chance to reiterate with individual clients what to look out for in these emails, and to learn about new scams as they arise or determine that the old ones are still running.

One old one looks like the following:

From: Charles Zhang [mailto:charles@yiguandns.com]
Sent: Friday, October 09, 2015 6:01 AM
To:
Subject: yourdomain CN domain and keyword

(Please forward this to your CEO, because this is urgent. Thanks)

We are a Network Service Company which is the domain name registration center in Shanghai, China. On Oct 8, 2015, we received an application from Huamei Holdings Ltd requested “yourdomain” as their internet keyword and China (CN) domain names. But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it’s necessary to send email to you and confirm whether this company is your distributor or business partner in China?

Kind regards

Charles Zhang
General Manager
Shanghai Office (Head Office)
B06, Yujing Building, No.1 Jihe Road,
Shanghai 201107, China
Tel: +86 21 6191 8696
Mobile: +86 138 1642 8671
Fax: +86 21 6191 8697
Web: www.yiguandns.com

Note that “yourdomain” in the email above is the client’s actual domain, without the TLD — top-level domain, the part to the right of the dot. For example, if your domain is example.com, the subject of this email would be “example CN domain and keyword”. Of course, the actual wording of the subjects and bodies of these scam emails can and do vary, as well as the senders.

These emails are nothing but unsolicited solicitations to register (in this case) the same domain as your existing domain in the dot-cn (China) ccTLD (country code top-level domain) — e.g., example.cn if you already own example.com. There are other variations on these attempts to scare you into registering domains you almost certainly don’t need, usually, we have noticed, in TLDs in East Asia. However, scams like this can and do originate from all over the world. Also, remember that there is no such thing as an “internet keyword”; you cannot buy such a thing, it’s just a general description of a concept.

As always, if an unsolicited email (or, for that matter, phone call, postal letter, fax, smoke signal, etc.) tries to scare you into taking some sort of action — especially if it involves getting you to spend money — it is certainly a scam. Whether it involves domains or anything else, check with a trusted and knowledgeable advisor in whatever industry is involved before you take any action. Don’t even reply to these people, and certainly don’t send them any money.

As always, if you have any questions about emails you have received regarding your domains or hosting, we’ll be happy to address them.

Tags: ,
Categories: Warnings
Comments Off on Warning about ongoing domain registration scam

Delaying tactics by Network Solutions

21 January 2015 23:55:41 +0000

Businesses hate to lose customers, there’s no question of that. We hate to lose customers, there’s also no question of that. When a client tells us that they will be closing their account with us for one reason or another — it happens! — we’ll ask if there is anything we can do to keep their business. More often than not we’ll learn (often to our surprise) that the client is actually closing shop, and they’re not moving to another hosting provider — which is a bit of a relief (to us) in that we know they’re not leaving because of something we did, or something we didn’t do.

Sometimes, of course, the client is actually moving to a new hosting provider. As we’ve stated before, we do say that we’re sorry to see them go — and we mean it — and we ask if there’s anything we can do to keep their business, but if they’re committed then we back off. Importantly, we also don’t do anything to impede their progress into the sunset. In our opinion, that would be unprofessional, and we’d then deserve to lose that business. And given the number of clients that end up returning to us months or a year or two later, we’d be idiots to burn that bridge.

So it was interesting to learn today that Network Solutions (owned by Web.com) has apparently (at some point) implemented a three day waiting period if you ask for the “auth code” for a domain registered through them. (The authorisation code is required to effect a domain transfer from one registrar to another.) Now, it is our assertion that every domain name owner should ask for and make a note of the auth code for their domain as soon as it’s registered, and should also change it (if permitted by the registry) after a registrar transfer. (There is a long history of domain owners being caught flat-footed in times of crisis without this information.) But most of our incoming clients have not done that, and so now this client is being held hostage by Network Solutions for three days, waiting for the information — information they already own — that they need to effect the transfer they want to make. Network Solutions give the following reason, after a couple of screens of FUD-generating warnings of imminent Armageddon that are clearly designed to scare the domain owner into not obtaining the information to which they are entitled:

Your request for an Auth Code has been received and your information will be validated to ensure the security of your account. If your request is approved, you will receive your Auth Code by email in 3 days.

To cancel this request, please call one of our Customer Service Representatives at 1-800-779-4903.

Thank you.

Now, it’s all well and good that Network Solutions claims (or hides behind) the excuse of “[ensuring] the security of your account” (which is not surprising, considering they were responsible for one of the biggest screw ups in domain history when they allowed the fraudulent registrant transfer of a domain registered with them back when they held the monopoly on gTLD registrations), but this is clearly a delaying tactic to give the customer time to lose the will to transfer because now it’s just too much of a problem, too much effort, too complicated, too time-consuming … or whatever negative feeling develops in the mind of the domain owner as he or she spends three days mulling over (and perhaps having nightmares about) the things they read in the two screens of dire warnings before finally screwing up the courage to click the “yes, I really do want my auth code” button.

Shame on you, Network Solutions, for impeding the progress of this customer who has decided — as they’re free to do — to move their business to a competitor. But this is not surprising of a company that has a longer list of “controversies” listed in their Wikipedia article than most companies, along with those of their former parent company Verisign. They both also appear prominently in the “Domain name scams” article, as well as here on our own blog.

Tags: , , , , , ,
Categories: Warnings
Comments Off on Delaying tactics by Network Solutions

Domain renewal scam warning

22 March 2012 12:25:40 +0000

We have had a new domain renewal scam brought to our attention. The example we have seen includes the following wording (changed to preserve our client’s privacy):

Domain Name: EXAMPLE.COM

To: Client Name

Your order #12345678 has been received and is currently processing. Registration includes SE submission for EXAMPLE.COM for 12 months. There is no obligation to pay for this order unless you complete your payment by Mar 25, 2012. SE Services provides submission services and search engine ranking organization for domain owners.

Failure to complete your search engine registration by Mar 25, 2012 may result in the cancellation of this order (making it difficult for your customers to locate you using search engines on the web).

Here is a redacted image of what the email might look like:

Domain renewal scam email.

Domain renewal scam email.

Clicking on the links takes you to a website that looks like this:

Domain renewal scam website.

Domain renewal scam website.

While this email carefully avoids any mention of the expiry or renewal of your domain registration, the intent is clearly to fool and scare the recipient into thinking that their domain registration is about to expire so that they click one of the prominent “PROCESS SECURE PAYMENT” links and complete the payment process. If you do this, your domain will not be renewed, and you’ll be out $75 (in this case) for services of dubious value that you may or may not actually receive. Additionally, you might be opening yourself up to identity theft and/or the abuse of your credit card information.

In fact, if you have already fallen victim to this scam, we suggest that you contact your credit card company immediately, and check to ensure that your domain is “locked” and still registered to you and under your control.

Some of the domains associated with these emails and websites are the following:

  • annualurldom.com
  • iglobalmerchantservice.com
  • urldomannual.com

NinerNet attempts to protect our clients from these kinds of domain-related scams by having a policy of “locking” (as mentioned above) all domains under our management that can be locked. However, you should still be cautious before acting on any emails not from NinerNet (or your actual domain registrar if it’s not NinerNet) regarding any domains you have registered, especially if they attempt to scare you into taking action.

Please contact NinerNet support if you have any questions about emails regarding your domains, and we will help you.

Thank-you.

Tags: , , , ,
Categories: Warnings
Comments Off on Domain renewal scam warning

SEO scam warning

25 January 2011 10:23:54 +0000

We have had a new (to us) scam brought to our attention by a vigilant client. The scam arrives by email in the form of an “invoice” for “search engine registration” for a domain that you are a contact for, and will be sent to the email address of one or all of the registered contacts for the domain. At this time we have seen only one email and so we only have one example to go by, but it’s quite normal for the text and presentation of such emails to change slightly. You may even receive such so-called invoices, notifications, notices, courtesy reminders, etc. via postal mail as well or instead. Sometimes, despite the overall presentation that clearly makes the solicitation look just like an invoice (complete with an invoice number), they include (as in this case) the sentence, “This notice is not an invoice” (or something similar), just to stay barely on the right side of the law.

The fact is, there is no such thing as “search engine registration”. Many years ago (in Internet time) there was such a thing, but nowadays search engines will find and index your site within a matter of hours, as long as it’s public and linked to from at least one public page on the Web, or if it’s on a newly-registered domain. There are, of course, nuances to improving where your website ranks in the search engines, but the basic fact is you do not need to pay anyone for “search engine registration”.

Please remember to check, or have accounting staff check, such “invoices” very carefully before paying them. If you ever have any concerns about what appears to be a confusing, unusual, unexpected or otherwise questionable invoice related to your domains or hosting, please contact NinerNet support and we will be pleased to help you out.

Tags: , , , ,
Categories: Warnings
Comments Off on SEO scam warning
« Older Entries
Newer Entries »

NinerNet home page

Subscriptions:

RSS icon. RSS

General Information:

This is the corporate blog of NinerNet Communications. It's where we post announcements, inform and educate our clients, and discuss issues related to the Internet (web and email) hosting business and all it entails. This includes concomitant industries and activities such as domain registration, SSL/TLS certificates, online back-up, virtual private servers (VPS), cloud hosting, etc. Please visit our main website for more information about us.

Search:

 

Recent Posts:

Archives:

Categories:

Tags:

accounts receivable apple billing branding cira contact information domain registration domain registry of canada domain renewals domains domain sales dot-ca domains dot-zm domains down time droc email encryption facebook google happy hosting customers hosting transfer icann invoices iphone kwacha maintenance paying your bill paying your invoice quarterly kwacha rate review rates registrar transfers reputation scams search engine optimisation search engine optimization security seo service hours spam ssl ssl/tls support transparency wordpress zamnet

Resources:

On NinerNet: