Wednesday, March 9, 2016

Domain Name Scams Are Alive And Well, Thank You

Is somebody actually trying to register your company name as a .cn or .asia domain? Not likely. And don't pay them.

It has been a while since anybody tried to talk me into registering a domain name I wasn't sure I wanted in the first place, but it has happened before. Scams more or less like the Swedish one are as common as they are transparent, but apparently enough people take the bait that the scammers keep trying.

After a few quiet years in my backwater of the Internet, in March of 2016, we saw a new sales push that came from China. The initial contact on March 4th, from somebody calling himself Jim Bing, read (preserved here with headers for reference; you may need MIME tools to actually extract the text due to character set handling):

Subject: Notice for "bsdly"

Dear CEO,

(If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)

We are a Network Service Company which is the domain name registration center in China.
We received an application from Huabao Ltd on March 2, 2016. They want to register " bsdly " as their Internet Keyword and " bsdly.cn "、" bsdly.com.cn " 、" bsdly.net.cn "、" bsdly.org.cn " 、" bsdly.asia " domain names, they are in China and Asia domain names. But after checking it, we find " bsdly " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
8006, Xinlong Building, No. 415 WuBao Road,
Shanghai 201105, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnweb-registry.com


The message was phrased a bit oddly in parts (as in, why would anybody register an "internet keyword"?), but not entirely unintelligible as English-language messages from Asians sometimes are.

I had a slight feeling of deja vu -- I remembered a very similar message turning up in 2008 while we were in the process of selling the company we'd started a number of years earlier. In the spirit of due diligence (after asking the buyer) we replied then that the company did not have any plans for expanding into China, and if my colleagues ever heard back, it likely happened after I'd left the company.

This time around I was only taking a break between several semi-urgent tasks, so I quickly wrote a reply, phrased in a way that I thought would likely make them just go away (also preserved here):

Subject: Re: Notice for "bsdly"
 
Dear Jim Bing,

We do not have any Chinese partners at this time, and we are not
currently working to establish a presence in Chinese territory. As to
Huabao Ltd's intentions for registering those domains, I have no idea
why they should want to.

Even if we do not currently plan to operate in China and see no need
to register those domains ourselves at this time, there is a risk of
some (possibly minor) confusion if those names are to be registered
and maintained by a third party. If you have the legal and practical
authority to deny these registrations that would be my preference.

Yours,
Peter N. M. Hansteen


Then on March 7th, a message from "Jiang zhihai" turned up (preserved here, again note the character set issues):

Subject: " bsdly "
Dear Sirs,

Our company based in chinese office, our company has submitted the " bsdly " as CN/ASIA(.asia/.cn/.com.cn/.net.cn/.org.cn) domain name and Internet Keyword, we are waiting for Mr. Jim's approval. We think these names are very important for our business in Chinese and Asia market. Even though Mr. Jim advises us to change another name, we will persist in this name.

Best regards

Jiang zhihai

Now, if they're in a formal process of getting approval for that domain name, why would they want to screw things up by contacting me directly? I was beginning to smell a rat, but I sent them an answer anyway (preserved here):

Subject: Re: " bsdly "

Dear Jiang zhihai,

You've managed to make me a tad curious as to why the "bsdly" name
would be important in these markets.

While there is a very specific reason why I chose that name for my
domains back in 2004, I don't see any reason why you wouldn't be
perfectly well served by picking some other random sequence of characters.

So out of pure curiosity, care to explain why you're doing this?

Sincerely,
Peter N. M. Hansteen

Yes, that domain name has been around for a while. I didn't immediately remember exactly when I'd registered the domain, but a quick look at the whois info (preserved here) confirmed what I thought. I've had it since 2004.

Anyone who is vaguely familiar with the stuff I write about will have sufficient wits about them to recognize the weak pun the domain name is. If "bsdly" has any other significance whatsoever in other languages including the several Chinese ones, I'd genuinely like to know.

But by now I was pretty sure this was a scam. Registrars may or may not do trademark searches before registering domains, but in most cases the registrar would not care either way. Domain registration is for the most part a purely technical service that extends to making sure whether any requested domains are in fact available, while any legal disputes such as trademark issues could very easily be sent off to the courts for the end users at both ends to resolve. The supposed Chinese customer contacting me directly just does not make sense.

Then of course a few hours after I'd sent that reply, our man Jim fired off a new message (preserved here, MIME and all):

Subject: CN/ASIA domain names & Internet Keyword

Dear Peter N. M. Hansteen,

Based on your company having no relationship with them, we have suggested they should choose another name to avoid this conflict but they insist on this name as CN/ASIA domain names (asia/ cn/ com.cn/ net.cn/ org.cn) and internet keyword on the internet. In our opinion, maybe they do the similar business as your company and register it to promote his company.
According to the domain name registration principle: The domain names and internet keyword which applied based on the international principle are opened to companies as well as individuals. Any companies or individuals have rights to register any domain name and internet keyword which are unregistered. Because your company haven't registered this name as CN/ASIA domains and internet keyword on the internet, anyone can obtain them by registration. However, in order to avoid this conflict, the trademark or original name owner has priority to make this registration in our audit period. If your company is the original owner of this name and want to register these CN/ASIA domain names (asia/ cn/ com.cn/ net.cn/ org.cn) and internet keyword to prevent anybody from using them, please inform us. We can send an application form and the price list to you and help you register these within dispute period.

Kind regards

Jim
General Manager
Shanghai Office (Head Office)
8006, Xinlong Building, No. 415 WuBao Road,
Shanghai 201105, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.cnwebregistry.com

So basically he's fishing for me to pony up some cash and register those domains myself through their outfit. Quelle surprise.

I'd already checked whether my regular registrar offers .cn registrations (they don't), and checking for what looked like legitimate .cn domain registrars turned up that registering a .cn domain would likely cost to the tune of USD 35. Not a lot of money, but more than I care to spend (and keep spending on a regular basis) on something I emphatically do not need.

So I decided to do my homework. It turns out that this is a scam that's been going on for years. A search on the names of persons and companies turned up Matt Lowe's 2012 blog post Chinese Domain Name Registration Scams with a narrative identical to my experience, with only minor variations in names and addresses.

Checking whois while writing this it turns out that apparently bsdly.cn has been registered:

[Wed Mar 09 20:34:34] peter@skapet:~$ whois bsdly.cn
Domain Name: bsdly.cn
ROID: 20160229s10001s82486914-cn
Domain Status: ok
Registrant ID: 22cn120821rm22yr
Registrant: 徐新荣
Registrant Contact Email: 1725093@qq.com
Sponsoring Registrar: 浙江贰贰网络有限公司
Name Server: ns1.22.cn
Name Server: ns2.22.cn
Registration Time: 2016-02-29 20:55:09
Expiration Time: 2017-02-28 20:55:09
DNSSEC: unsigned

But it doesn't resolve more than a week after registration:

[Wed Mar 09 20:34:47] peter@skapet:~$ host bsdly.cn
Host bsdly.cn not found: 2(SERVFAIL)


That likely means they thought me a prospect and registered with an intent to sell, and they've already spent some amount of cash they're not getting back from me. I think we can consider them LARTed, however on a very small scale.

What's more, none of the name servers specified in the whois info seem to answer DNS queries:

[Wed Mar 09 20:35:36] peter@skapet:~$ dig @ns1.22.cn bsdly.cn any

; <<>> DiG 9.4.2-P2 <<>> @ns1.22.cn bsdly.cn any
; (2 servers found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
[Wed Mar 09 20:36:14] peter@skapet:~$ dig @ns2.22.cn bsdly.cn any

; <<>> DiG 9.4.2-P2 <<>> @ns2.22.cn bsdly.cn any
; (2 servers found)
;; global options:  printcmd
;; connection timed out; no servers could be reached



So summing up,
  • This is a scam that appears to have been running for years.
  • If something similar to those messages starts turning up in your inbox, the one thing you do not want to do is to actually pay for the domains they're offering.

    Most likely you do not need those domains, and it's easy to check how far along they are in the registration process. If you have other contacts that will cheaply and easily let you register those domains yourself, there's an element of entertainment to consider. But keep in mind that automatic renewals for domains you don't actually need can turn irritating once you've had a few laughs over the LARTing.
  • If you are actually considering setting up shop in the markets they're offering domains for and you receive those messages before you've come around to registering domains matching your trademarks, you are the one who's screwed up.
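
The registration check described above can be scripted. This is an added example, not code from the original post: it classifies a domain from captured whois, host and dig output, assuming the .cn whois layout quoted earlier. The function names and verdict strings are made up for illustration, and the sample input is the post's own output, abridged.

```python
import subprocess
from datetime import datetime

# Abridged from the whois output quoted in the post (registrant fields left out).
SAMPLE_WHOIS = """\
Domain Name: bsdly.cn
Domain Status: ok
Name Server: ns1.22.cn
Name Server: ns2.22.cn
Registration Time: 2016-02-29 20:55:09
Expiration Time: 2017-02-28 20:55:09
"""
# host and dig output as quoted in the post.
SAMPLE_HOST = "Host bsdly.cn not found: 2(SERVFAIL)\n"
SAMPLE_DIG = ";; connection timed out; no servers could be reached\n"


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys such as Name Server become lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def triage(whois_text, host_text, dig_by_ns, checked_at):
    """Classify a domain from captured whois/host/dig output.

    Assumes the .cn whois layout shown in the post ('Registration Time').
    """
    fields = parse_whois(whois_text)
    result = {"registered": "Domain Name" in fields, "age_days": None,
              "resolves": False, "ns_answering": [], "verdict": "unregistered"}
    if not result["registered"]:
        return result
    created = fields.get("Registration Time")
    if created:
        stamp = datetime.strptime(created[0], "%Y-%m-%d %H:%M:%S")
        result["age_days"] = (checked_at - stamp).days
    # host prints "<name> has address <ip>" (or "has IPv6 address") on success.
    result["resolves"] = (" has address " in host_text
                          or " has IPv6 address " in host_text)
    # A name server that responds at all puts a status line in dig's header.
    result["ns_answering"] = [ns for ns in fields.get("Name Server", [])
                              if "status:" in dig_by_ns.get(ns, "")]
    if result["resolves"]:
        result["verdict"] = "live"
    elif result["ns_answering"]:
        result["verdict"] = "delegated, no address records"
    else:
        result["verdict"] = "registered but dark"
    return result


def run(cmd):
    """Run one lookup tool and return its stdout ('' if it is missing or hangs)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""


def collect_and_triage(domain):
    """Live variant: the same checks as the post, using whois, host and dig."""
    whois_text = run(["whois", domain])
    names = parse_whois(whois_text).get("Name Server", [])
    digs = {ns: run(["dig", "+time=3", "+tries=1", "@" + ns, domain, "soa"])
            for ns in names}
    return triage(whois_text, run(["host", domain]), digs, datetime.now())


if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, SAMPLE_HOST,
                 {"ns1.22.cn": SAMPLE_DIG, "ns2.22.cn": SAMPLE_DIG},
                 datetime(2016, 3, 9, 20, 34)))
```
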
If this makes you worried about Asian cyber-criminals or the Cyber Command of the People's Liberation Army out to get your cyber-whatever, please calm down.

Sending near-identical email messages to people listed in various domains' whois info does not require a lot of resources, and as Matt says in his article, there are indications that this could very well be the work (for some values of) of a single individual. As cybercrime goes, this is the rough equivalent of some petty, if unpleasant, street crime.
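
Because the messages are near-identical, a mail filter can key on the template itself. The following is an added example, not part of the original post: a scorer for the traits shared by the messages quoted on this page. The indicator names, the threshold and both sample messages are constructed for illustration, and the sender addresses are placeholders.

```python
import re
from email import message_from_string, policy

# Constructed sample, modelled on the 2022 message quoted in the post;
# the sender address is a placeholder.
SCAM = """\
From: Steve Liu <steve@registry.example>
To: peter <peter@nuug.no>
Subject: nuug

(It's very urgent, therefore we kindly ask you to forward this email to your
CEO.) Dear CEO, We are the domain registration and solution center in China.
We received an application from Hongjia Ltd on November 17, 2022. They want to
register "nuug" as their internet keyword and China (CN) domain names (nuug.cn,
nuug.com.cn, nuug.net.cn, nuug.org.cn). But after checking it, we find this
name conflict with your company name or trademark.
"""

# Constructed benign message that also mentions the brand.
HAM = """\
From: billing@registrar.example
To: peter <peter@nuug.no>
Subject: Invoice for nuug.no renewal

Your domain nuug.no renews on 1 December. No action is needed.
"""

THRESHOLD = 3  # assumption: three of five indicators is enough to quarantine


def indicators(raw_message, brand):
    """Return the names of the campaign traits found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = re.sub(r"\s+", " ", part.get_content() if part else "").lower()
    subject = re.sub(r"[\s\"']", "", msg.get("Subject", "")).lower()
    label = re.escape(brand.lower())
    hits = []
    # 1. The recipient's own label enumerated under several CN/Asia suffixes.
    suffixes = set(re.findall(
        rf"\b{label}\.(cn|com\.cn|net\.cn|org\.cn|asia)\b", body))
    if len(suffixes) >= 2:
        hits.append("brand_under_cn_suffixes")
    # 2. The "internet keyword" phrase used in the 2016 and 2022 messages.
    if "internet keyword" in body:
        hits.append("internet_keyword")
    # 3. Escalation to the CEO or top management.
    if re.search(r"forward (it|this)( email)? to your "
                 r"(ceo|company's top management)|dear (ceo|president)", body):
        hits.append("ceo_escalation")
    # 4. A third-party company said to be applying for the name.
    if re.search(r"\bapplica(tion|nt)\b.{0,80}?\b(ltd|inc|llc)\b", body):
        hits.append("third_party_application")
    # 5. Subject line that is nothing but the brand.
    if subject == brand.lower():
        hits.append("subject_is_brand")
    return hits


def is_solicitation(raw_message, brand):
    """True when enough template traits are present to treat it as the scam."""
    return len(indicators(raw_message, brand)) >= THRESHOLD


if __name__ == "__main__":
    print(indicators(SCAM, "nuug"), indicators(HAM, "nuug"))
```

The threshold of three also covers the November 2016 variant quoted further down, which has no domain list and no "internet keyword" phrase but still matches the other three traits.
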

I'm all ears for suggestions for further LARTing (at least those that do not require a lot of effort on my part), and if you've had similar experiences, I'd like to hear from you (in comments or email). Do visit Matt Lowe's site too, and add to his collection if you want to help him keep track.

And of course, if "Jim Bing" or "Jiang zhihai" actually answer any of my questions, I'll let you know with an update to this article.

Update 2016-03-15: As you can imagine I've been checking whether bsdly.cn resolves and the registration status of the domain via whois at semi-random intervals of at least a few hours since I started the blog post. I was a bit surprised to find that the .cn whois server does not answer requests at the moment:

[Tue Mar 15 10:23:31] peter@portal:~$ whois bsdly.cn
whois: cn.whois-servers.net: connect: Connection timed out


It could of course be a coincidence and an unrelated technical issue. I'd appreciate independent verification. 

Update 2016-11-03: Another variant of the same appeared today, with one "Kenn Lau <kenn@qosl.org.cn>" given as the contact. The full message including headers can be found here.

The main message is:

From: Kenn Lau <kenn qosl.org.cn>
To: peter <peter nuug.no>
Subject: nuug
Date: Thu, 3 Nov 2016 19:00:25 +0800


The question is closely related to your company name "nuug",please forward it to your company's top management. Thanks!

Dear President&CEO,

We are the organization specializing in network consulting and registration authorized by Chinese government. On November 2. 2016,a applicant named Mr. Brian Lee from BIO Technologies Co., Ltd wants to record and register the brand name nuug and some domains by our office.

After our preliminary review and verification,we find BIO Technologies Co., Ltd has nothing to do with your company. But If you have permitted this company to apply these names, or you think the application will not damage the interests of your company,please allow us to fulfill all the registration for BIO Technologies Co., Ltd. If you against the company's application,please let me know by email ASAP.

Best Regards,

Kenn Lau
Manager of Registration department
Address:No. 68 FuNan Road,Hefei 230000,China
Tel: (+86) 0739-5266069
Fax:(+86) 0739-5266069

I'm sure Kenn would like to hear from you, and of course I'm happy to hear from you if you hear from him too.



Update 2022-07-09:  Eight years later, another, near-identical message of this type turned up here. If you're interested, you can find the original message and my reply preserved at their respective links. For anyone with similar ideas out there, I would recommend looking into other lines of business entirely.

Update 2022-11-18: Yet another campaign is in progress. During the early hours of November 18th CET, the following message landed in my NUUG inbox (preserved here with headers):

Date: Thu, 17 Nov 2022 21:01:07 +0800
From: Steve Liu <steve@cnnetworks.net>
To: peter <peter@nuug.no>
Subject: nuug
X-Mailer: Foxmail 7, 1, 3, 52[cn]

(It's very urgent, therefore we kindly ask you to forward this email to your CEO. If you believe this has been sent to you in error, please ignore it. Thanks)Dear CEO,We are the domain registration and solution center in China. We received an application from Hongjia Ltd on November 17, 2022. They want to register "nuug" as their internet keyword and China (CN) domain names (nuug.cn, nuug.com.cn, nuug.net.cn, nuug.org.cn). But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor in China? Best Regards
Steve Liu   Service & Operations Manager

China Registry (Head Office)





Tel: +86-2161918696

Fax: +86-2161918697

Mob: +86-13816428671

6012, Xingdi Building, No. 1698 Yishan Road, Shanghai 201103, China

*****************************************

This email contains privileged and confidential information intended for the addressee only. If you are not the intended recipient, please destroy this email and inform the sender immediately. We appreciate you respecting the confidentiality of this information by not disclosing or using the information in this email.

To which my response was (archived here),

Date: Fri, 18 Nov 2022 11:12:42 +0100
From: "Peter N. M. Hansteen" <peter@nuug.no>
To: Steve Liu <steve@cnnetworks.net>
Cc: peter@nuug.no
Subject: Re: nuug
User-Agent: Mutt/1.10.1 (2018-07-13)


Hope this helps.

Yours,
Peter N. M. Hansteen

On Thu, Nov 17, 2022 at 09:01:07PM +0800, Steve Liu wrote:
> (It's very urgent, therefore we kindly ask you to forward this email to your CEO. If you believe this has been sent to you in error, please ignore it. Thanks)Dear CEO,We are the domain registration and solution center in China. We received an application from Hongjia Ltd on November 17, 2022. They want to register "nuug" as their internet keyword and China (CN) domain names (nuug.cn, nuug.com.cn, nuug.net.cn, nuug.org.cn). But after checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it's necessary to send email to you and confirm whether this company is your distributor in China? Best Regards
> Steve Liu   Service & Operations Manager
>
> China Registry (Head Office)
>
>
>
>
>
> Tel: +86-2161918696
>
> Fax: +86-2161918697
>
> Mob: +86-13816428671
>
> 6012, Xingdi Building, No. 1698 Yishan Road, Shanghai 201103, China
>
> *****************************************
>
> This email contains privileged and confidential information intended for the addressee only. If you are not the intended recipient, please destroy this email and inform the sender immediately. We appreciate you respecting the confidentiality of this information by not disclosing or using the information in this email.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


There must be a non-zero number of people who fall for this, for some odd reason.

Update 2023-01-12: Another message turned up today, this time from "Simon Lui", archived here in the original MIME mail format and as PDF. My response can be found here (plain text mailbox).


28 comments:

  1. I hear there's a Chinese prince who wants help transferring his wealth.

    It's a scam. Not worth even spending the time to do a whois or dig. Just click the delete or spam button and move on.

  2. Thank you for sharing your experience with "Jim" of cnwebregistry.com. I recently got a similar message and it made me curious. Your post made it easier for me to decide what to do.

    Thanks again.

  3. Got the exact same email (with my company's domain..)! Like you said, seemed weirdly legit because of the odd Asian wording that is sometimes common. Thanks for confirming it's a scam!

  4. I just received the exact same email (obviously with my domain), and my google search landed on your article. Needless to say the sender's now on my blacklist.

  5. Came here after googling "We are a Network Service Company which is the domain name registration center in China."

    Yep, same email. I'll report it as phishing. If we all do that it might slow them down.

  6. I got an email from "Jim Ying" this morning. Thanks to your post, when I Googled Jim's mailing address it brought your site up first and confirmed that it is a scam.
    Thanks again,
    Michael V.

  7. Hi, Peter, thanks for posting this information, I have received an email from Jim Gong, this morning, 09/11/16 with a similar message. I Googled cnweb registry and found your blog, appreciate you posting it. I thought it would probably be a scam but just wasn't too sure, your blog has really helped me, thank you.

  8. Hi, Peter,
    Jim Gong has been busy. I received two identical emails on November 5 2016 with the same wording as the one you got. The duplication set off my mental alarms even before I Googled the company mentioned in the email and saw how nonsensical it would be for this business to use my domain name.

    Thanks for sharing your experience and confirming that my instincts were correct.

  9. Thanks for your exposition. Just got an email from the same fellow this morning. Was baffled at first but can now see the scam.

  10. Thank you for sharing your experience with that scam. I just received the same email for an .in domain.

  11. Too funny! I just received the exact same email. This Jim dude is working some holiday overtime. Found your blog when I googled for information. Thanks for sharing your experience, as now I know it's a scam.

  12. We received the same email this morning. Thank you.

  13. April 2017 and it's still going. Just got the identical email this AM. Thanks for setting me straight on this. I just searched the company name/address and found you immediately.

  14. It's still going - was sent an email from Jim Bing this morning.

  15. Thanks for posting your experience and research Peter. I received the same email only yesterday. Cheers, Neil

  16. I got same emails, thank god we have Google! Thank you everyone for your input. Peter you're a gentleman for sharing this post from start. God bless you and your family.

  17. Thanks Peter for sharing. Mr Jim Bing struck again. Google is awesome! Cheers, Mick

  18. Jim it's going back to the cyber-streets... We received the same e-mail a couple of days ago..thanks for share!

  19. Same email with the same names!!!
    They must think we are incompetent and as if we wouldn't do our research LOL
    Thanks for sharing

  20. Hi Peter
    Simon Zhang sent me the same letter today, I'm in Australia FYI
    thanks for your help
    cheers
    Richard

  21. Hi Peter,
    I am in Australia & I got the same email.
    I responded as per below:-
    I own the domain name (my company name).
    I am happy to allow for the company wanting to purchase this domain name from me as a 'commercial business' decision.
    I am willing for the company to pay me AUD $3,000 for EACH domain they would like to secure.
    Once you confirm this arrangement back to me via email - I will send instructions (and bank details) where to make the payment to.
    I await your response.

    Feel free to also access the information contained in the below links.

    http://www.hoax-slayer.net/domain-name-application-scam/
    http://www.safecommunitiesportugal.com/cybercrimealerts/beware-this-domain-name-scam-originating-from-china/
    https://security.stackexchange.com/questions/56290/is-this-domain-registration-service-email-a-scam

    Hope this helps anyone else who is looking to alert others about these 'SCAMMERS'!!!

    LDV

  23. I received an email today from Jim, I've let him know that I've reported his scam to the NZ government.......after I had a bit of fun with him.
    Jim even got lin-jianfeng@vip.163.com to contact me saying they were the ones wanting to register, and even though Mr Jim had told them to choose something else, they were going ahead anyway.
    Likewise, after a bit of fun, I mentioned the government....just for sh*ts and giggles.

  24. Hi Peter, I just received an email as well. Sydney, Australia.
    For a split second your heart skips a beat, but for someone like me that tends to look at something negative first, before positive; I knew something was up.
    Thanks for the post about this. For someone who is new to owning a business things like this certainly helps.
    I appreciate the time it's taken to post this information as it's also definitely made me add sender to block list and know for the future if something similar pops up to ignore it.
    Cheers
    Mel

  25. We just got the same message this morning in Sydney Australia too, from Jim Bing, so it's definitely still going.

  26. Hi Peter thanks a lot, we are based in Italy and we've got the same kind of request. Here after the sender:

    Jim | Service Manager

    Domain Registry Asia (Head Office)

    8006, Xinlong Building, No. 415 WuBao Road, Shanghai 201105, China

    Tel: +86-2161918696 | Fax: +86-2161918697 | Mob: +86-1582177 1823

    Web: www(dot)domainregistryasia(dot)com

  27. Hi Peter,

    It seems that they are still in business, I got the same email and the sender is:

    Mike Zhang | Service Manager
    Domain Registry Asia (Head Office)
    No. 300, Xuanhua Road, Changning District, Shanghai200050, China
    Tel: +86-2161918696 | Fax: +86-2161918697 | Mob: +86-1582177 1823
    Web: www(dot)domainregistryasia(dot)com

