EstDomains clearing up the shit

[JohnC]

http://www.umaxforum.com/showthread.php?t=29510
http://www.master-x.com/forum/topics/108213/
http://www.domenforum.net/showthread.php?t=54514
http://www.gofuckbiz.com/showthread.php?t=4085

This one makes me curious: http://forums.acenet-inc.net/Private/showthread.php?t=2454

Private forum at a hosting company.

[sowhat-x]

http://www.google.com/translate?langpair=ru|en&u=http://www.master-x.com/forum/topics/108213/page/75/

The point where the Esthost representative refers to MDL,
and the act of de-listing the domains during the next update...
don't know,but something certainly didn't felt ok inside me there...
URIBL didn't even bothered replying back to them:
that seems to have hurted them,and I think that maybe that's the very best choice...
Why even bother start conversations with these lamers...i doubt anyone else out there has...
just let them run with no place to hide...or better said,with no place to be hosted...

[TeMerc]

Here is the latest:
http://go.theregister.com/feed/www.theregister.co.uk/2008/09/03/directi_strikes_back/

I still say we can't trust them. You know they're gonna get another setup in place all too quick.

But time will tell, as I commented in that article.

But for as long as they-Atrivo\Inhoster\Intercage\Est and whoever else have been doing bad on the Net, it will take forever before anyone trusts any parties involved in any of that if ever.

I know I'm no easy push over for this type of outright criminal behavior. Far as I'm concerned they can just drop off the Earth and never return.

[CM_MWR]

This explains the surge of XPA2008 everywhere for the last 3 to 4 weeks.

Notice that has let up a bit now.

[sowhat-x]

Heh,just got a possible idea about the number of visitors at 26 Aug...articled dated 24 August: 
http://www.sudosecure.net/archives/228

PS:Seen that now cjeremy?So let me not hear you complaining again,
that I'm supposedly the only regular reader there,ha-ha... 

[SysAdMini]

http://www.prweb.com/releases/2008/9/prweb1281234.htm

[sowhat-x]

http://www.avertlabs.com/research/blog/index.php/2008/09/04/the-darksides-domains/
http://www.theregister.co.uk/2008/09/03/directi_strikes_back/
Most of the important news/links can be found via Knujon's site though...

PS:In the very first phrase / beginning of the McAfee article,
do note the part where they make fun of Microsoft,he-he...excellent sense of humour! 

(and whilst Terry is dancing in doorways)

[CM_MWR]

Subject: InterCage, Inc. (NOT Atrivo)
To: NANOG@NANOG.ORG


Hello Everyone,

Good morning.
Seeing the activity in regards to our company here at NANOG, I believe
this is the most reasonable and responsible place to respond to the
current issues on our network. We hope to obtain non-bias opinion's
and good honest and truthful information from the users here.

Being that there are much larger operators here then us, what kind of
insight can you give to the issues that have arisen?

We've near completely removed (completion monday 09/08/08) Hostfresh
from our network. 2 of their /24's have been removed:
58.65.238.0/24 dropped
58.65.239.0/24 dropped
The machine's they leased from us have been canceled.

What do you suggest for the next move?

Thank you for your time. Have a great day.

---
Russell M.
InterCage, Inc.

[sowhat-x]

Heh,58.65.239.x...this one had filled 10 pages in the list... 

http://mailman.nanog.org/pipermail/nanog/2008-September/003645.html
http://mailman.nanog.org/pipermail/nanog/2008-September/subject.html#3630

[JohnC]

By request this thread has been made public.

[kokach]

Hi to everybody.
I'm writing on behalf of the EstDomains, Inc and I would like to explain the situation.
We really are in the middle of the total clean-up. We ask every possibly problematic customer to transfer out or make their best to remove themselves from different kinds of anti-abuse listings, in case their projects are legit.
As for the real problematic customers - we suspend them. Suspend totally, including their domains, accounts, look for connections to other accounts and so on.
We would really like to perform this total clean-up, but we need some support as well. Guys, stop accusing us please. You'll definitely see we aren't as bad as you think. We need your support and, even more important, your reports. At the moment, there is about 270,000 domains registered through us and we can't investigate the activity of each of them, so in case you do have any information about any of the domain name being involved in some shady activity, we'll really appreciate if you forward it to us.
Thank you!

[SysAdMini]

EstDomains: A Sordid History and a Storied CEO
http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html?hpid=sec-tech

A Superlative Scam and Spam Site Registrar
http://voices.washingtonpost.com/securityfix/2008/09/estdomains.html?nav=rss_blog

[sowhat-x]

As for the real problematic customers - we suspend them.

One has certainly to wonder if only the customers themselves are the 'problematic' ones...

We would really like to perform this total clean-up...

We've noticed that EstDomains representatives have already requested people,
in various well-known security related forums/projects,
to provide them with names of well-known malware domains to 'clean' them out...
Since you're in the SEO business,I would assume you're quite familiar with scripting...
thereby,the following queries will probably be a good starting point...

http://www.google.com/search?hl=en&lr=&as_qdr=all&q=estdomains+site:www.siteadvisor.com
1470 results...

http://www.google.com/search?hl=en&lr=&as_qdr=all&q=estdomains+site:hosts-file.net
331 results...

http://www.google.com/search?hl=en&lr=&as_qdr=all&q=estdomains+site:www.castlecops.com
282 results...

[SysAdMini]

Guys, stop accusing us please

We don't accuse anyone. All what we do is collecting facts, facts about malware spreading domains.
And you have a lot of them.

[sowhat-x]

...and maybe an even faster way to clean up most of the crap at once...
Just script whois queries against the domains listed in the following two blocklists,
then grep for the matches that got returned...

http://hosts-file.net/?s=Download
http://malwaredomains.com/?page_id=66