Its too early to know if this attempt to steal userids and passwords for some of those eleven million domain names is related to the announcement that ICANN has terminated ESTDomains privileges. As we mentioned yesterday, the absence of ESTDomains may be a great inconvenience to criminals who are accustomed to using their services to register new domains for their criminal activities.
The spam from the earlier version looked like this:
Dear eNom Customer,
Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be conducting maintenance on our database and datacenter resulting in the following sites and services being unavailable:
* Main site
* All web hosting services
* Email services
* Communication with the registry affecting new registrations, renewals, and transfers
For access your account follow this link - http://www.enom.com
The following services will not be affected and will continue to be fully operational:
* DNS will resolve normally - although operational through this downtime, any changes to DNS settings may be delayed intermittently for a period of up to 24 hours from the start of the maintenance period
* Email forwarding and site redirection will operate normally
We anticipate the maintenance will only last up to 3 hours. We apologize for any inconvenience during this short maintenance and thank you for your patience.
eNom Tech Support
The UAB Spam Data Mine received 298 copies of the earlier campaign, which resolved to seven unique domain names. Instead of sending the user to the actual domain for Enom, they were redirected to:
The email subject lines for the first batch were:
Maintenance at eNom
Maintenance at eNom - attention
Maintenance at eNom - warning
Maintenance at eNom.com
Maintenance at eNom.com - attention!
Maintenance at eNom.com - warning!
Sending names including:
eNom Support Team
eNom Tech Support
eNomCentral Tech Support
From addresses were email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, or email@example.com
We got roughly fifty of these spam messages so far today. Here's a typical one:
On Wed, 29 Oct 2008 12:22:39 +0530 we received a third party complaint of invalid domain contact information in the Whois database for this domain. Whenever we receive a complaint, we are required by ICANN regulations to initiate an investigation as to whether the contact data displaying in the Whois database is valid data or not. If we find that there is invalid or missing data, we contact both the registrant and the account holder and inform them to update the information.
The contact information for the domain which displayed in the Whois database was indeed invalid. On Wed, 29 Oct 2008 12:22:39 +0530 we sent a notice to you at the admin/tech contact email address and the account email address informing you of invalid data in breach of the domain registration agreement and advising you to update the information or risk cancellation of the domain. The contact information was not updated within the specified period of time and we canceled the domain. The domain has subsequently been purchased by another party. You will need to contact them for any further inquiries regarding the domain.
PLEASE VERIFY YOUR CONTACT INFORMATION - http://www.enom.com
If you find any invalid contact information for this domain, please respond to this email with evidence of the specific contact information you have found to be invalid on the Whois record for the domain name. Examples would be a bounced email or returned postal mail. If you have a bounced email, please attach or forward with your reply or in the case of returned postal mail, scan the returned letter and attach to your email reply or please send it to:
Attn: Domain Services 14455 N Hayden Rd Suite 219 Scottsdale, AZ 85260
LINK TO CHANGE INFORMATION - http://www.enom.com
The domains are of course Fast Flux hosted. At the moment of this writing each resolves to the following IP addresses:
But a quick history shows that they have also resolved to all of the following:
This botnet of hosting machines is also associated with the group of child pornography servers. These domains use "ns4.nastynameserver.com" (ns5, ns6) and "ns1.xwhlwww.com" as their nameservers, with such domains as "littlelolita", "lolita-bbs", and "nude-kids", "xlsites" and others. (More information available to law enforcement, just ask.)