A tale of two abuse departments

In the last two days I was in contact with two abuse departments at webhosters. Though the reasons for contacting them were similar, I came away with impressions that were as opposite as could be. I called because of two websites, both highly illegal. Both were advertised in spam and I encountered them when checking suspect domains found by my spam filter.

The first encounter was prompted by a phishing site, a clone of a Wachovia bank website designed to obtain account information to steal money via online banking. The email, subject line “Update Your Account Now!” claimed to be from Wachovia Bank, but predictably the links to the site that asks for your password led elsewhere, to a domain named (Wa-) “choviainfo.com”. The domain resolved to an IP address that, according to a WHOIS lookup, belonged to Hetzner, a leading webhosting company in South Africa.

I dialled the customer service number listed in the WHOIS entry and spent less than three minutes on the phone altogether. After stating that I found a phishing site on a Hetzner server, I was transfered to the technical department. There I repeated my quick explanation and was transfered to the abuse desk. I explained the problem and spelled the domain name to technician, who immediately checked the site and confirmed the existing of the phishing site on the machine. Using the Linux tool “chmod” he then disabled all access to the site. The website stopped working and the phishing gang was prevented from uploading another set of files. I was impressed how quickly Hetzner had resolved the problem and mentioned to the technician that I was a customer of Hetzner in Germany (their parent company) and was pleased to see their service was as efficient in South Africa as in Germany 🙂

Today I came across another site I found worth reporting, a child pornography site hosted on a GoDaddy server. Phishing is done by unscrupulous criminals who steal millions of dollars, but child pornography is far worse. It’s about small, helpless children getting raped and others making money out of that.

This site, created by a criminal gang calling itself “CP COMPANY” and claiming to be based in Ukraine, was advertised in spam in the following way:

Hello pedo lover!
We present to you NEW PEDO COLLECTION!
High Quality h^rd CP content! Low Prices on the net!
See free preview now and get instant access!


(I only added the actual domain name in this blog posting after the site was finally shut down).

Again, I looked up the IP address and then the WHOIS record for the IP, which included the phone number of the GoDaddy abuse desk.

I called the number and explained I had come across a child pornography site on one of their servers. The representative replied that I would have to put my request in writing because otherwise “you won’t get any action on this.” They needed to be notified in a way that creates a record. I should put the details in an email to abuse (at) godaddy (dot) com.

I said I would do that, but I would like to give him the URL anyway, which I did. The call was finished in less than a minute, but without the desired result.

Checking the details on the domain again, I found it was one of the child pornography sites I had already reported by email as part of my daily spam domain verification procedure, some 15 minutes earlier. So I could only wait, checking at iregular intervals if the site still responded by using the Linux “wget” program that lets me download the text portions without having to retrieve the pictures as a browser would.

It is now more than four hours since I reported the site to GoDaddy by email and more than 3 1/2 hours since I told them by phone. The criminal site is still offering pictures and videos of raped children to willing customers with a credit card.

In the index.html I downloaded with “wget” the criminals explain to their prospective customers:

Buying production at us you support creation of new kids porn films.

I only wish a company as large as GoDaddy was able to take action against criminal abuse of their services as quickly as Hetzner.

P.S. The child porn site was still active 29 hours after reporting it, despite two emails, one phone call and one voicemail left. I have contacted a US law enforcement officer about this.

P.P.S. When the site was still active 56 hours after reporting it, I filed a criminal report with the German police. When I checked again on the following day I found that the site had finally been disabled by GoDaddy.

3 thoughts on “A tale of two abuse departments

  1. Pingback: 277539 Blog Verification

  2. Pingback: Joe Wein’s blog » Blog Archive » Yahoo abuse handling improves, OfficeLive and Earthlink have their work cut out

  3. E.A.A.S Lottery Headquarters.
    Customer service.
    580 N. TENTH Street
    Sacramento, CA 85914.
    Euro_Afro_Asian Sweeptake Lottery
    an Affiliate of Fundmoney international.
    Arena Complex Km 18 Route de Rufisque
    I.P.P Award Dept.
    Amsterdam Holland.

    DATE: 19/03/2009
    REF: ILP/HW 47509/02
    WINNING NUMBER: 11 13 26 34 44 48


    Trust Me Iam Arabic Man !

    dear / sir

    We happily announce to you the draw of the Euro – Afro Asia Sweepstake Lottery International programs held on the 21st of August 2007 in Amsterdam Holland.
    Your e – mail address attached to ticket number : 77336483485 l44 which subsequently won you lottery in the 2nd category. you have therefore been approved to claim a total sum of US$450.000.00 ( four hundred and fifty thousand united state dollers) in Cheque. This is from a total cash prize of US$450.000.00 Dollars, won among each of the frist sixty ( 60) lucky winners in this category.
    please note that your lucky winning number falls within our Asian booklet representative in Jakarta Indonesia as indicated in your play coupon. In view of this, your US$100.000.00 ( four hundred and fifty thousand united state Dollarsf) Cheque would be release ased to you by our fudiciary agent in jakarta indonesia.

    Our Fudiciary agent will immediately commence the process to facilitate .
    the release of your cheque as soon as you contact him.
    quest book through computer draw system and extracted from over 100,000 individual and companies .
    This promotion takes place annually and it is sponsored by sultan of Brune, Bill Gates of Microsoft and his associates to encourage the use of internet and computers world wide. For security reasons, you are advise to keep your winning informations confidential till your claims is processed and your cheque is delivered to your nominated address through an approved delivering officer appointed specially for this program.
    This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements. please be warned.
    To file for your claim, please contact our fiduciary agent:


    Email : 2l@yahoo.com

    TELE:+62 88 81 55 72 28

    To avoid unnecessary delays and complications, you are to contact BARRISTER SAHID AHMED. with the following details below:

    1.You full name, contact adress, age, private telephone/fax number,and occupation.
    2. Quote your ticket number in any correspondences with us or our designated agent..
    Winners under 20 years of age will be authomatically disqualified.

    Congratulations, once more from all members and staffs of this program .
    Thank you for being part of this promotional lottery program. our special thanks and gratitude to sultan of Brunei, Bill Gates of microsoft and all his associates.


    We advice that you adhere strictly to these procedures to avoid disqualifications and subsequent cancellation.The above detailed information will be absolutely necessary to facilitate the process of your winning Cheque.Once again! please Note that this winning is valid for one month and failure to issue claims after this period, your Cheque will be automatically void.


    Lottery Zonal co-ordinator.

Leave a Reply

Your email address will not be published. Required fields are marked *