Just an FYI, FBI and Secret Service are actively working these
as they are identified.
We'll make sure the information gets into the right hands. I
will say that I know many others on the list have been doing
a great job of identifying sites as well as reporting. SANS
ISC keep up the good work!
The information goes into Federal Law Enforcement who also
works with Local LE.
One of our incident handlers at the SANS Internet Storm
Center has been
trying to chase down the bogus Katrina assistance web sites.
Below is a
note of frustration he sent internally to us this morning. I
asked if I
could cross-post over to NANOG to see if any of you could assist.
Thanks in advance!
Marcus H. Sachs, P.E. KJ4WA : firstname.lastname@example.org
Director, SANS Internet Storm Center : isc.sans.org
Washington D.C. USA (EDT, GMT-4) : +1 703 707 9293
Sent: Saturday, September 03, 2005 9:32 AM
Subject: Need some help: IDEAS, Inc.
Last night, I pulled a new copy of the .com and .net zone
files down and did
another grep for "katrina" domains. Obviously, there are now
In the process of checking and cross-referencing, I found
that our friends
"IDEAS, Inc" are a little more "involved" than we originally
...and those are just the 18 I was able to find.
Right now, there are two weak points to this particular house
1) The first site listed,
"http://www.hurricanekatrinarelief.com" is what
drives all of the others. Each of the other sites, loads the
first one in
an IFRAME. That makes it easy for the bastards to update
them all. This
site is hosted by Interland. Their final word on shutting
down until they could prove they were legitimate was:
"We have been advised by our legal department that the local
should be contacted. The local authorities can submit a
subpoena to our
legal department. We will be glad to comply to such a request."
ie. "We have no balls. Go away".
2) All of the other sites are hosted at the IP address
Immediate upstream is "datasync.net/.com" and they are
located in (of
course...) Louisiana. I've emailed them numerous times, and
tried to call
("all circuits are busy..."), but they're probably running in
mode right now.
The IDEAS, Inc. scum MUST die, but I'm all out of ideas at
this point... the
only other possibility that I can think of it to take them
out at the DNS
level. All of the "slave" sites at 188.8.131.52 use
DirectNIC for their