Chinese domain scam!
Tuesday, January 8. 2013
I own a number of domains for HQ Code Shop Oy. Some really evil Chinese crackers have coined a scam to scare domain owners who know little about domain ownership. Based on a Google search, there is evidence of this scam as early as 2008. This is my autopsy of this single event. My aim in this blog entry is to provide Google-findable catchwords and information so that nobody actually pays them anything.
They start very calmly by implying that somebody else is about to register a number of Asian domains matching <enter your domain here>. Naturally every owner is now alerted and wants to know more. Apparently the next step, once you reply to the Chinese scammers, is that they offer you the right of way: you get to purchase yours before the alleged other party. Any CEO will pay immediately to get theirs first, right?
Of course there is no other party. The scammers just did some data mining, saw you owning suitable domains and found in public records that the owner is a company.
The company DSH Internet solutions looks legit at a glance. They have a website at http://www.dsh-web.org/, but a closer look at their support page reveals that there are no actual methods of contacting them; all of the contact methods are just images. No links! Even the webmail link at the top of their page leads nowhere. Looks like the "company" providing this domain service is fictitious. My plan was to call them at +86.55165223114 or fax them at +86.55165223113 or visit them at the address No.660 MeiLing Big Road, Hefei, Anhui, China, and ask Mr. Allen Zhang some further details about the e-mail they sent me.
Their web-site looked like this when I visited it:
The e-mail I got has the following headers (I wrapped the really long lines):
Delivered-To: jatu@hqcodeshop.fi
Received: by 10.64.37.138 with SMTP id y10csp98501iej;
    Tue, 8 Jan 2013 00:57:10 -0800 (PST)
X-Received: by 10.68.143.100 with SMTP id sd4mr187348993pbb.107.1357635430057;
    Tue, 08 Jan 2013 00:57:10 -0800 (PST)
Return-Path: <allen@dsh-web.org.cn>
Received: from mail.umail186.cn4e.com (mail.umail186.cn4e.com. [117.27.151.73])
    by mx.google.com with ESMTP id g10si58402821pay.172.2013.01.08.00.57.05;
    Tue, 08 Jan 2013 00:57:10 -0800 (PST)
Received-SPF: neutral (google.com: 117.27.151.73 is neither permitted
    nor denied by best guess record for domain of allen@dsh-web.org.cn)
    client-ip=117.27.151.73;
Authentication-Results: mx.google.com; spf=neutral (google.com:
    117.27.151.73 is neither permitted nor denied by best guess
    record for domain of allen@dsh-web.org.cn) smtp.mail=allen@dsh-web.org.cn
Received: from allenpc (localhost.localdomain [127.0.0.1])
    by mail.umail186.cn4e.com (Postfix) with SMTP id 71C0220103BF;
    Tue, 8 Jan 2013 16:57:02 +0800 (CST)
Received: from allenpc (unknown [36.32.3.184])
    by mail.umail186.cn4e.com (Postfix) with ESMTPA;
    Tue, 8 Jan 2013 16:56:58 +0800 (CST)
From: "Allen Zhang"<allen@dsh-web.org.cn>
To:
Subject: Urgent notice about dispute domain registration
Date: Tue, 8 Jan 2013 16:56:58 +0800
Message-Id: <DM__130108100524_70544483772@mail.dsh-web.org.cn>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_13010810060858547480271_001"
X-Priority: 1
X-Mailer: DreamMail 4.6.9.2
When I received the e-mail, it appeared almost legit. However, there is no person to whom the e-mail is addressed. See the To: field above. Any real approach would be clearly addressed to me, with my e-mail address.
The e-mail arrived at Google from the IP address 117.27.151.73. It looks legit; it is in China. However, a number of spam/scam attempts originate from that particular ISP's address space. See for example YUtrade.net banning some of them. So it looks like the ISP does not weed out the bad apples.
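As an added example (written for this page, not code from the original post), here is a small Python triage routine that applies the same checks to the headers quoted above: it flags the empty To:, the neutral SPF result and the "urgent" subject combined with X-Priority: 1, and pulls the origin IP out of the Received: line written by the receiving MX, since only that hop is trustworthy. The embedded header sample is trimmed from the e-mail above, and our_mx is an assumed parameter.

```python
import re
from email import message_from_string

# Constructed sample input: headers trimmed from the scam e-mail quoted above.
SCAM_HEADERS = """\
Return-Path: <allen@dsh-web.org.cn>
Received: from mail.umail186.cn4e.com (mail.umail186.cn4e.com. [117.27.151.73])
 by mx.google.com with ESMTP id g10si58402821pay.172.2013.01.08.00.57.05;
 Tue, 08 Jan 2013 00:57:10 -0800 (PST)
Authentication-Results: mx.google.com; spf=neutral (google.com:
 117.27.151.73 is neither permitted nor denied by best guess
 record for domain of allen@dsh-web.org.cn) smtp.mail=allen@dsh-web.org.cn
Received: from allenpc (unknown [36.32.3.184])
 by mail.umail186.cn4e.com (Postfix) with ESMTPA;
 Tue, 8 Jan 2013 16:56:58 +0800 (CST)
From: "Allen Zhang"<allen@dsh-web.org.cn>
To:
Subject: Urgent notice about dispute domain registration
X-Priority: 1
X-Mailer: DreamMail 4.6.9.2
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw, our_mx="mx.google.com"):
    """Return the red flags found in raw headers plus the IP our own MX recorded."""
    # our_mx (assumed parameter) is our receiving mail server: only the Received:
    # line it wrote is trustworthy; earlier hops come from the sender and may be forged.
    msg = message_from_string(raw)
    flags = []
    # A genuine dispute notice names the domain owner; this one has nobody in To:.
    if not msg.get("To", "").strip():
        flags.append("empty To: header")
    # SPF neutral/fail/none: the sender domain does not vouch for this relay.
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if spf and spf.group(1).lower() != "pass":
        flags.append("spf=" + spf.group(1).lower())
    # Top priority plus an "urgent" subject: pressure to pay before thinking.
    if msg.get("X-Priority", "").strip() == "1" and "urgent" in msg.get("Subject", "").lower():
        flags.append("urgency pressure")
    origin = None
    for received in msg.get_all("Received", []):
        hit = IP_RE.search(received)
        if "by " + our_mx in received and hit:
            origin = hit.group(1)  # the relay that actually connected to our MX
            break
    return {"flags": flags, "origin_ip": origin}

if __name__ == "__main__":
    print(triage(SCAM_HEADERS))
```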
The e-mail's body contains three MIME parts: alternate plain-text and HTML texts, and an image of their URL. Whaat? Why would any real company send its web address as something that you cannot click or copy/paste?
I'll paste the HTML-part here to provide nice words for Google to catch:
(Letter to Head of Brand Business or CEO, thanks)
Dear Sir or Madam,
This is a formal email. We are the department of Asian Domain Registration Service in China. Here I have something to confirm with you. We formally received an application on January 8, 2013 that a company claimed VET Int'l Ltd were applying to register "hqcodeshop" as their Brand Name and some hqcodeshop Asian countries top-level domain names through our firm.
Now we are handling this registration, and after our initial checking, we found the name were similar to your company's, so we need to check with you whether your company has authorized that company to register these names. If you authorized this, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better. After the deadline we will unconditionally finish the registration for VET Int'l Ltd. Looking forward to your prompt reply.
Best Regards,
Allen Zhang
Tel: +86.55165223114 || Fax: +86.55165223113
Address: No.660 MeiLing Big Road, Hefei, Anhui, China
I did report this e-mail as a phishing attempt to Google. Hopefully they'll manage to warn their customers about this.