Please don’t pay these guys!  It is completely waste of money!

Dear Network Solutions® Customer,

On Fri, 31 Oct 2008 10:20:36 +0530 we received a third party complaint of invalid domain contact information in the Whois database for this domain Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.

Please note: ICANN (the Internet Corporation for Assigned Names and Numbers) regulations state that the WHOIS Administrative Contact may initiate and approve domain name registration transfers from your Network Solutions account to other Registrars. If you are not listed as the WHOIS Administrative Contact a transfer can occur without your knowledge if Domain Protect is not enabled for the domain name registrations listed above.

To change the WHOIS Administrative Contact Information for any of your domains, please login to Account Manager:

1. Log in to Account Manager at: https://mail.yourdomainname.com/exchweb/bin/redir.asp?URL=https://mail.yourdomainname.com/exchweb/bin/redir.asp?URL=http://www.networksolutions.com.sys78.biz” target=_blank>http://www.networksolutions.com.
2. Click on the “Profile & Accounts” tab in the left navigation menu to be taken to a page listing your account details.
3. Click on “Accounts” and select the account you wish to edit.
4. Click “View/Edit WHOIS Contacts” to make your updates.

If you believe someone requested this change without your consent, please contact Customer Service.

If you would like to order additional services or to update your account, please visit us online.

Thank you for choosing Network Solutions. We are committed to providing you with the solutions, services, and support to help you succeed online.

Sincerely,
Network Solutions® Customer Support

What you need to look at is the ultimate domain name of the url: http://www.networksolutions.com.sys78.biz which means that if you click on the link, it actually goes to the sys79.biz website. This is just one example as there are several others going around out there.

What you need to do is make sure you know where your domain name is registered and keep up with how to log in and check on the expiration dates. If you have a company managing your domain name, like we do at Giraffe Web Development for out clients, then contact your domain manager to double-check on your domain before clicking any links.

It is definitely a learning experience for me as I have limited knowledge of linux and ssh, etc.

However, as I am trying to familiarize myself with the full admin access to the server, I noticed on the desktop a link to the Mail Queue. So, I clicked.

What I found was that there were 12,000 e-mails sitting in the remote queue. And, most of them were from anonymous@myserversdomainname.com. Also, there were other, legitimate e-mails stuck in various sections between the spam messages. So, I started to use the Mail manager to delete these messages, 100 at a time. Have I gotten any real work done in the past 6 weeks? I would say NOT!

I started doing some house cleaning looking at all the applications that were being used for all the sites on the server, who has ftp access, etc. What applications can be moved to somewhere else? The first one I decided to move off was the php WebCalendar. Google’s is just as good and I had already started to move client’s calendars to use Google’s already, so I moved everyone else off.

Still, spam filled up the mail queue.

So, as I have been wanting to do for years, I started moving client’s e-mail off the server, moving them over to Google Apps. A lot of the incoming spam stopped, of course, but the outgoing continued.

At this point, I had figured out how to ssh into the server and use qmail to delete all e-mails with a certain subject. Until about 20,000 showed up with no subject. This resulted in me having to delete the entire queue (which I did over the weekend). I was still receiving mail so incoming was coming in. I waited until incoming dropped down to zero, then blasted all the remote away.

Up to this point, I had already instructed clients to not use the server for outgoing e-mail, but use their ISP. So, I knew that there had to be some vulnerability on the server that was allowing e-mail to be sent from the server.

I started cleaning out every domain account, going through all the pages to make sure they were in use, deleting all orphans, deleting all old php forms no longer in use (as I had determined some time ago that these were not secure).

After the server filled up with 140,000 outgoing e-mails, I had enough. I finally got some relief from my friend who helps me out in my business. She was looking at the spam this week, and saw a reference to a file on a client site. My second clue (first is below).

I immediately clicked on the file, and to my horror, what had been links.php, with a list of links to legitimate websites, was now a form!

Earlier on I had found a clue in one spam that referenced a client’s php WebCalendar, and this changed file was in the same account.

I immediately got rid of the offending form, and the mail queue is back to normal. However, I decided to search on the web to see how many others have this form or something like it, and you would be amazed. I looked up the links to the website in the form and the webhost is one of the top 25 spammers in the world.

In addition, I found where a security advisory was issued back in April about the php Webcalendar. The version I was using supposedly had these fixed, but I have obviously found otherwise.

As I finish cleaning up what I can with this server, I am planning to upgrade to a newer server and find someone who knows how to manage it, as this is only what one novice has been able to do. Yes, the web gets you coming and going. In order to have the flexibility you need to work in this arena, you really need to have your own server, but then you get stuck with all the headaches along the way. Sometimes I am not certain the flexibility is worth the trouble!

* Domain Registry of America
* Internet Listing Service (ILSCORP.NET)
* Simple.net
* Domain Registry Support

Let’s examine all of these a little closer:

DOMAIN REGISTRY OF AMERICA (DROA):
At this point, they are not really doing anything illegal. This company mails a letter to the admin contact of a domain name reminding the person to renew the domain name before it expires. This becomes a problem when the domain is NOT registered through Domain Registryof America. The letter makes it look like if you don’t go ahead and renew, you will lose your domain. What you lose is your money because if you do not unlock your domain to be transferred to Domain Registry of America, then you have to go through the added headache of cancelling the check or credit card you gave them.

At Giraffe Web, we manage hundreds of domains, and invariably one of our clients gets the dreaded DROA letter. Most of our clients inform us they received the letter. However, we have a large handful of clients that manage their own domains, or their ISP manages it for them, and we have no control over those being transferred.

Domain Registry of America appears to be a legitimate registry if you go to their website, but you cannot find them on the ICANN approved list of registrars (so appears they are a reseller).

INTERNET LISTING SERVICE (ILSCORP.NET)
This letter is mailed directly to the Admin contact of the domain name. The reference here is “Subscription.” An unsuspecting person will think an annual fee is required to keep the domain name showing up in search engines. For someone who doesn’t understand much about web sites, they will go ahead and the pay the $65 annual fee. The letter does have this disclaimer in the middle of the page: “THIS IS NOT A BILL. THIS IS A SOLICITATION. YOU ARE UNDER NO OBLIGATION TO PAY THE AMOUNT STATED UNLESS YOU ACCEPT THIS OFFER.”

The best way to get your web site listed in search engines is to have your site coded correctly and make sure it validates according to w3C recommendations, among many other factors, and there is NO guarantee where your site will show up on search engines. If you have any questions about your site and search engines, discuss this issue first with your web designer/developer or a firm that specializes in Search Engine Optimization.

SIMPLE.NET:
Another scam is one that arrives in the mail as the form of a check. You deposit it and you have just approved an automatic, monthly draft to your account for internet services. One such scam is Simple.net and the deposit provides bank routing numbers to Simple.net, an ISP and website building, hosting provider. (Thanks to Oregon Sue for alerting us to this one!).

DOMAIN REGISTRY SUPPORT:
Another scam is coming over fax machines. One that looks like your domain name is going to be available for sale and it is actually not a domain name you already own… such as if you own www.mydomain.com it will tell you your domain, www.mydomain.us, is about to be lost, when you own the .COM not the .US version of your domain. The top of the fax says, “URGENT NOTICE OF DOMAIN EXTENSION”. It will look like an official document, and contain wording such as, “Please be advised that the above noted domain has become eligible for registration. Consequently, the possibility of conflicting domain name registrations may occur.”

Before you pay that invoice from any of the above companies or someone else, do your homework first:

1. Check a legitimate whois information service if you do not know where your domain is registered, such as http://www.checkdomain.com or at Network Solutions where you can click on the WHOIS link.
2. Call your webmaster to confirm your domain registration information. If you webmaster is not available, call the registrar listed under your whois information (at the very least, the technical contact).

If anyone finds any other scams that fall within the above categories, please post them here!