snubbr.com

GoDaddy reviews : Recommend I use GoDaddy?? g6u.com - STOLEN!

Get GoDaddy web hosting for just $1.99. Click here to use coupon...

Special $7.49 .COM sales. Click here for this special deal...
Hi,.

Well finally it has happened to me too.

I just read an email from Godaddy:.

"This email is to confirm the recent change of registrant.

Of the following domain name(s):.

G6U.COM.

The change has been completed and the available information.

Has been recorded in our system.

If you feel this change is incorrect, please immediately contact /domains-for-...0-similar.html Post added at 03:39 PM Previous post was at 03:22 PM UPDATE3: I am now going through yesterday's PMs, looks like the thief sold my name and a few lll.nets and ll.biz domains too..

Also I am seriously disappointed in people who with no suspicion bought names way under normal prices!!!..

Comments (233)

Aren't you Oskar? You sold me ZHI.NET yesterday and I realized that this is a stolen name just after this. You accepted to send my money back and also I was awaiting your godaddy account info to send that domain back to you.

I have all of the proofs. Please fix this issue as soon as possible. It becomes very annoying...

Comment #1

Hi themaster,.

As I explained to you in PM, I am Oskars, but the one you were contacting yesterday was not. That is how account thief happens!.

I have now changed all passwords, no one should be able to access my account, hopefully we will be able to sort this out.

I don't know from whom the zhi.net was stolen, and I also would like to find out who bought my g6u.com..

Comment #2

Does anyone know who the real owner of zhi.net is? Please send pm to me..

I contacted with to send back this domain to the previous account who sold it to me. I don't want this stolen name in my account.

And any idea how to issue dispute for paypal masspay?..

Comment #3

Yesterday, someone with an hacked account sold this domain (zhi.net) to me. Just after the transaction over, I realized that this domain a stolen one. I have contacted with seller but no luck. My money was gone. But now I want to give this domain to real owner.

Can anyone contact with them? At google cache it seems that, their contact number is: (USA) 1-888-427-7723, or elsewhere, +1+860+535+1715.

Or anyone has a domaintools account to check whois history?.

Btw,.

I did contact with to reverse that account change to previous owner. But I am not sure if that previous account is belong to real owners or not. So before godaddy take action to reverse this account change, we need to contact with real owners and push domain to their account.

All helps are appreciated.

Thanks...

Comment #4

It was my account which was hacked/accessed, I have contacted all people from PM history to find out what names were traded. Hopefully at least some of them will be returned to their real owners...

Comment #5

I commend you themaster for the way you are handling buying a stolen name. Maybe you could share the paypal address which you paid so that we know who not to deal with...

Comment #6

OK I am not sure what is going on here but.. The person selling the name zhi.net here yesterday under a different username signed in using YOUR pc.

That is why you got the infraction for a duplicate account .. it was not just an ip match or an account hack..

Comment #7

I have commented about this in the other thread I am very as the seller of the name yesterday registered via your pc..

Comment #8

Thanks. was one of the email adress of him, as he stated. I am not sure about that mail because I didn't contact with that mail. I used private messaging at NP...

Comment #9

These appear to be one of the same persons - ssamriga..

Comment #10

Ops, this makes this problem a bit more cunfusing. @ssamriga, can you clarify this issue? I believed that you are honest but now I become suspecting about you again.

@~mm~,.

Can you also check our pms? I want to see if he was using same pc while pm'ing me or not...

Comment #11

I will post some facts to see if this helps in anyways..

But I would suggest no movement of names at this point....

Yesterday member m107 signed up and posted Yesterday, 03:39 PM.

Hi.

Selling zhi.net for just $350.

Reg at godaddy,exp 2012.

Thanks.

Hes account was closed as a duplicate to ssamriga and the thread deleted.

At Yesterday, 09:10 PM ssamriga posted a thread saying.

Zhi.net.

Bin is around $450.

But accepting offers for quick sale.

Thanks.

He has since deleted these posts... Post added at 03:17 PM Previous post was at 03:14 PM BTW times are UK..

Comment #12

This is the thread that I bought the domain from: http://www.namepros.com/domains-for-...4-zhi-net.html.

Opened by @ssamriga, and edited just after the transaction...

Comment #13

~mm~ how can you state that?? "ssamriga" is not a person it is my Namepros account name. As I said my account was accessed by someone else!.

Check the IPs I last logged on some time last week, I was away from Internet since Friday evening on a trip. Today I found out that somebody was using my Namepros account on June 13, early morning June 14...

Comment #14

I am just, like everyone else trying to get to the bottom of this And your assistance in anyway is of much help.

Where do you access Namepros from? It is not just an ip match or account hack ......

Comment #15

I can tell you IPs privately. But it is always only from Latvia and should be 2 diferent places- work (static IP, from which I am posting right now) and home with a changing IP, but the first address fields should always be the same anyways....

Please PM me if you need any other info, which should not be disclosed publicly...

Comment #16

My problem with understanding this whole mess is.... The person whom tried to sell the name yesterday joined up using.

Your pc.

........

Comment #17

Hi,.

Please PM me on what makes you believe it was my PC. After a few hours I will be home and will scan my computer for trojans etc. Maybe my computer was hacked and used remotely... although I doubt it.....

Comment #18

~hope~ bought g6u and 4 llll .Coms.

Check your started threads, inoticed he posted sold!.

Goodluck..

Comment #19

I also bought a domain name from him - ssamriga.

But it's on godaddy dispute now.

The domain owner have sent me two messages from the emails listed in the whois information before making deals at two of his domains.

So how come he can send me 2 messages from the two emails of the owner's account???.

Its unbelievable that someone will do all the following at the same time:.

1- hack two emails that are listed in whois to send messages from them to me..

2- hack the user's namepros account.

3- hack his godaddy account.

4- use his own pc to push domains and for replying on pms!.

He now isn't also replying to my pms regarding transferring the domain back to me or refunding me my money, so this is a scammers act for not replying me while he is reading all what goes here and I am sure it's him who was dealing with me.

@ mm , I hope that you interfere in that issue and find solutions for us for this case...

Comment #20

I also doubt about this. Can you share the emails or paypal ids too?.

Edit: can you share the headers for that emails you recieved?..

Comment #21

I really am sorry to hear of your story also.

I will assist in anyway I can..

This is something that is being looked into and hope we can get to the bottom of this .. Any help .. links or information anyone has .. is very welcome..

I dislike scammers very much..

Comment #22

I am not sure if this help but there are some other sale links for zhi.net at dynadot and digitalpoint. [WTS] lll.net for just $350 Forum Topic: zhi.net for just $350 - Dynadot.com..

Comment #23

Here you are the copy/paste of the header of the message he sent me from the exact owner email as listed in whois:.

" tfl , net for sell ".

Its sure now that he made that lies and invent stories while he is the real scammer, he also sold links on the domains I were dealing with him about for $200.

From my trackings to that scammer, I see that he collected around $1-$1.5k in only 24 hours!!.

Paypal id is same to the one you sent to.

Any solution for getting refunds or winning disputes?..

Comment #24

That's a subject, not a header.

Header includes the To, From, Subject, etc. plus IP information for the mail server and sender, etc etc...

Comment #25

No, I mean email headers. You can look by selecting show full headers or show original etc at your email account. At there you can see the IP adress of the sender. You will find IP of sender at "X-Originating-IP:" section..

So we can check the IP location etc...

Comment #26

Moustafa,.

If you can tell us what email client you are using we can describe how to get email headers.

For instance , if you are using gmail:.

1. Open the email you received..

2. On the right side click on the small arrow next to the "reply" button.

3. select "show original".

4. Copy all the section before the email body.

By the way, at dynadot this zhi guy has posted many messages for long time: https://www.dynadot.com/account/foru...-350-5351.html https://www.dynadot.com/account/foru...-400-4959.html https://www.dynadot.com/account/foru...-700-5328.html https://www.dynadot.com/account/foru...-750-5313.html https://www.dynadot.com/account/foru...sale/5312.html https://www.dynadot.com/account/foru...-340-5144.html https://www.dynadot.com/account/foru...main-5133.html https://www.dynadot.com/account/foru...-100-4960.html https://www.dynadot.com/account/foru...-100-4993.html https://www.dynadot.com/account/foru...main-5001.html https://www.dynadot.com/account/foru...-100-5006.html.

Have a close look on the first two. There is a guy warning others about the zhi person. Post added at 06:30 PM Previous post was at 06:23 PM We need to create a list of all stolen domains: I wonder whose account that was. Post added at 06:33 PM Previous post was at 06:30 PM ... Post added at 06:34 PM Previous post was at 06:33 PM ..... Post added at 06:42 PM Previous post was at 06:34 PM OK.

Post added at 06:44 PM Previous post was at 06:42 PM Here he uses another email:..

Comment #27

And this is what I have regarding this, might as well get it all out there.

Received a PM from themaster on 6/13 7:28 PM PST.

Telling me about the stolen ZHI.net.

I sent a PM to ssamirga inquiring about ZHI, and on 6/13 10:24 PM PST.

Got back this response. Then on 6/14 5:24 AM PST time I received another PM telling me The thread opened by the 2nd account (m107) email address /thread-grave...-com-just.html..

Comment #28

I am using yahoo mail and got two messages from him coming from two different emails, each of which was the email listed on whois for the domain we deal on.

I am sure that he is the same person that is a member here since 2007 with lots of reviews and bla bla thats really unfair method of judging people!.

This is not really the first time to deal with that issues,, I have been scammed lots of times in the previous and current month.

Is there any method for refunding my money that I paid yessterday providing that I paid as a service not a masspay or gift ?

Comment #29

I found another thread about this guy. DOMAIN SCAM ALERT - GoDaddy Accounts Hacked..

Comment #30

Moustafa,.

When you open that email you received at yahoo you will see a text link that says "Full Headers" on the right bottom corner. Can you click on that and copy the headers from there?.

Moustafa,.

The link looks like this at yahoo: http://img10.imageshack.us/img10/8103/headersk.gif.

This information could be important. Can you paste the headers for both emails?..

Comment #31

Return-Path: < designates 67.18.125.14 as permitted sender).

X-YMailISG: HIJkO1ocZApKA9WQdK3K.PE5jiUmaAny3qIV3CRSJc3drJZU 2NJws_J1xPUvYtRrUeKBsbzVMOyRjTZh1NWc11xm1Ob_JtyRZJ itRl6JgHKf FqRL8Y5pKuI3fX5XFf7sC3iWcbNpe.JNCZQlsrjcqzbIu7i3G5 _r7DjonWKQ R7q1gqmlsAWgu2Z02akeAqNtljFvBqumMHs39GMFxBeXUCkCic IBzZbcIjo6 BPh2K6FJFgBlM0tH01Jks0tfDbY3bf29Qrf3dzAHva4egnAe70 LL9nN1SASG CIDj08.ZXo9BTcPp649IFpdwyMTJeP5gHQgrFNMvI26zwWmIIk flkVJoEovr HOtGb4tpvinAJXu5bS0BQHI5BvaMLt1OuL4NThORv99vuhe3Rt cgyadaKLIe LnAiscWgbDlbdNlyWwh3vLRtBHWTYF7ezN5wsFoFE1OcJrZVVi _zJqLlFfGC 3XDsC.NGpcPOZ87ZGv_3s5NJYxRBvvfX_Pm2tznFjFRYJq5.mK hF1Lb8Tl_R ddLeN4.hVUczARoO_BvlJC_NZ3J3e1pAMfBSzG1pvnEJ9kx0hU eIrWhFiD07 Nm0taV2HeowlohM8Q38ftcp8Zxm21WbNozuTx5lHL9mbUZdCzI S8_rpKQHDi pRh.5Qj_ll3N7HWYoIiNxKU9qE7v.

X-Originating-IP: [67.18.125.14].

I took long time because I was opening a dispute at paypal to get a refund.

Please if anyone can assist me on how to get a refund or what to provide exactly to get a refund...

Comment #32

Moustafa,.

You need to tell paypal that you never received the item. Don't select something else or you won't get your money back...

Comment #33

67.18.125.14 is an IP owned by ThePlanet, which is a large hosting company.

OrgName: ThePlanet.com Internet Services, Inc..

OrgID: TPCM.

Address: 315 Capitol.

Address: Suite 205.

City: Houston.

StateProv: TX.

PostalCode: 77002.

Country: US.

ReferralServer: rwhois://rwhois.theplanet.com:4321.

NetRange: 67.18.0.0 - 67.19.255.255.

CIDR: 67.18.0.0/15.

OriginAS: AS13749, AS21844, AS30315, AS36420.

NetName: NETBLK-THEPLANET-BLK-11.

NetHandle: NET-67-18-0-0-1.

Parent: NET-67-0-0-0-0.

NetType: Direct Allocation.

NameServer: NS1.THEPLANET.COM.

NameServer: NS2.THEPLANET.COM..

Comment #34

I think that might be his website. He is sending spam from there:..

Comment #35

I selected "Virtual items - sent electronically".

And I wrote a review about that scammer including the link of this topic and submitted it to paypal in details.

By the way, same procedure I did exactly 1 month ago twice when I got scammed for domains but I didn't get a refund..

Do you think I have to remove the dispute and make a new dispute without adding any information?..

Comment #36

I found an interesting hostgator word document here: Your HostGator Order?.

This is the .doc version: http://trydominatingcb.com/APublicRe...tor%20Info.doc.

Is this guy a hostgator reseller?.

What do you make up of this information? Why is his website mentioned here? ge6.Com..

Comment #37

I have a thread open looking to buy a 3 character .com domain. I just realized I got a PM about this very domain...

Comment #38

Erdinc,.

Can you read my previous reply and tell me your opinion about what to do exactly to get a higher chance of getting a refund of my payment?.

Thanks...

Comment #39

I found here an interesting page: UGTeam.net open ’ng ki thanh vin m I t I 22/03/2010 - Cung Tham - Cung Tham - Yahoo! 360plus It says mailed-by altezza.websitewelcome.com. This suggests the mail was send using a script from that site. There are two new emails. Of course if the guy is selling hosting this can be one of his hosting customers. The message is in vietnamese. ". I'm guessing this is how the reseller accounts work there...

Comment #40

Exactly, the resellers use websitewelcome. Lots of them use that domain...

Comment #41

Im not happy at all, this is the 2nd time this week I have been scammed on NP since my join date in 2005. The user is claiming to be a victim of scam, yet he verified his ownership using the WHO is email.

This is BULL SHIT, now the domain is in dispute and my payment of GIFT is not disputable at paypal...

Comment #42

Sorry to hear that HOPE.

Can someone pull up the whois history and see when it changed?..

Comment #43

As I said before, I have contacted Godaddy to reverse that domain to real owner. I have just recieved a reply from Godaddy. They said they locked the zhi.net, and after determining the appropriate party they will return the domain back to them...

Comment #44

"altezza.websitewelcome.com" is this person's hostgator reseller account. He hosted there many websites.

Here is an example: www.168.net - 168 web stats.

Notice the nameservers:.

Ns2.ge6.com.

Ns1.ge6.com..

Comment #45

Heres the email I received from the WHO IS ADMIN EMAIL last night - I asked that the owner verify his account, now this ahole is trying to claim has been hacked. BS.

My payment to his paypal account is not disputable, cause it's gift.

Received: (qmail 4338 invoked from network); 13 Jun 2010 17:50:49 -0000.

Received: from unknown (HELO m1pismtp01-013.prod.mesa1.secureserver.net) ([10.8.12.13]).

(envelope-sender <.

Thanks..

Comment #46

His hosting account was suspended because of malware.

2010/04/15_07:51, -, 174.120.21.216/~melcochi/, altezza.websitewelcome.com. exploit, -, 21844. 2010/04/15_07:51, -, 174.120.21.216/~melcochi/muphin.exe MalwareURL - Search.

According this data, there was an infected pdf file, an exe file called muphin.exe and the load.php file was infected as well...

Comment #47

@ssamriga has this email adress "oskars. You can check whois to see admin email.

I couldn't dispute on my paypal payment too, because it was masspay...

Comment #48

Payment Sent (Unique Transaction ID #37P05493N51808708).

Sent to:.

Rita camila.

Email:.

Amount sent:.

-$100.00 USD.

Fee amount:.

-$0.50 USD.

Net amount:.

-$100.50 USD.

Date:.

Jun 13, 2010.

Time:.

10:51:35 PDT.

Status:.

Completed.

Funding Type:.

PayPal Balance.

Funding Source:.

$100.50 USD - PayPal Account Post added at 12:18 PM Previous post was at 12:16 PM this guy is trying to scam us all for our funds and claim he has been hacked..

Comment #49

Wow I am sorry for hope and other who lost $ or domains but glad I did not jump when. I was told $200 masspay or personal would be accepted for zhi. Got busy during day and lost track of it.

I know it is undisputable that's stupid paypal should change that IMHO.

Also we live we learn, next time just add $5 or whatever to cover the tax incase so you can get your $$ back.

Damn shame though. I'm going to change some passwords of mine now..

Comment #50

Something is fishy here.

I received a PM from ssamriga selling a 3 character .com domain yesterday. Some hours later I received another PM from ssamriga stating that his account was hacked and asking if I bought any domains.

I replied and told him that I never replied to the first PM. Then I deleted both PM's.

But it dawned on me, namepros does not store the sent PM's by default, at least not for my account. I have to check a box to store the sent PM and I've never done that.

Why would the thief store his sent PM?.

Also the mods or team leader or whatever stated that the thief and the real ssamriga both logged in from the same computer. Not just the same IP, they stated it was the same COMPUTER.

That is pretty suspect.

I want to see the whois historical data for g6u.com for the last couple of months, does anyone have access to that?..

Comment #51

Lothos,.

Go to your private messages folder and on the left menu scroll down to the middle and click send items. You will see all the personal messages you have send. The box you are clicking is probably to get confirmation about the delivery...

Comment #52

Thanks for the suggestion, but I know the difference, and my sent folder is empty...

Comment #53

Oskars Rumpeters.

ADEX Senior Account Manager at TNS Latvia.

Latvia Post added at 12:40 PM Previous post was at 12:39 PM this lame duck thinks he can fool us in thinking his account was hacked Post added at 12:42 PM Previous post was at 12:40 PM.

When I questioned his paypal EMAIL he emailed me from the WHO IS email...

Comment #54

Can someone please post the whois history for g6u.com?..

Comment #55

Oskars Rumpeters BLOG Oskars Rumpeters - Latvia | LinkedIn.

He is also using this email: austris.zeimuls@tns.lv TNS Latvia.

TNS Latvia.

Kronvalda bulvaris 3-2.

Riga, LV-1010, Latvia..

Comment #56

For your information.

The scammer likes to post on the Dynadot forum sales board. Dynadot allows the creator of the thread to change his name anytime he wants. As of this posting you can find the creator name zhi and all his posts. I am sure if he is reading this he will change this immediately and all his threads will have name changed creators or he will simply rewrite and delete the thread which he has not done as yet. So if you want to see them, do it now before they are removed Domains For Sale Forum - Dynadot.com.

Whoever it is, this is the same scammer I dealt with a few months ago, when I was scammed and bought over 100 stolen domains. This ended up in a huge forum thread right here on NamePros whereby the true owner of the domains "blasted" me dramatically. That thread is no longer available. But, anyway, here is the thread I answered when I bought my stolen domains. Notice the "creator's name" (if still available) zhi Forum Topic: 116 .com domain names (lots of month left for expires) - $100 - Dynadot.com.

Good luck to all the victims. I feel for you today and wish you best. If I can help, please pm back.

Mitch..

Comment #57

Nice catch.

His personal blog states that he is selling domains on namepros. He edited the sales post but someone replied with an offer for g6u.com.

Clearly that domain was listed for sale by him...

Comment #58

HOPE,.

You can send an email from any email address but you can not receive it. So sending an email using the whois email address doesn't prove anything. Moreover, according the email headers you posted the email was send from a script from the scammers hostgator reseller account at "altezza.websitewelcome.com".

I think you and lothos are jumping in too quickly to judgements. Why would an old time members suddenly start scamming everybody for little money? Oscars is running a domain site and has about 100 domains and is a NP member since 2007. This doesn't look to me like a scammer profile.

Maybe mm can enlighten the issue with IP addresses. Post added at 08:58 PM Previous post was at 08:55 PM Hmm, that's getting interesting. A scammer would certainly not hack into Oscars account and then list g6u.com on his website dnfit.com website for sale and ask for sedo offers.

Was g6u.com stolen from anybody? Can we get historical whois for that domain? Did Oscars post any comment on g6u.com today? Did he say this domain doesn't belong to him?..

Comment #59

I just finished talking to a supervisor at paypal, they send due to the payment option I used, I can not dispute this payment, so they have forwarded the case to fraud department. I notified them that his person has collected money from our NP Community, and that we are all hard working Domainers, I've had an account with paypal since 2005, clean record. I asked them to review the IP address on the account and see if it's associated with other accounts, I also told them the account has collected no just 1 but few from other members.

SO I ASK THAT ALL who are a victim of this scumbag to contact paypal at.

18882211161 and request to talk to a supervisor - and he or she will take your case and send to fraud department.

Tell them, that you were asked to make payment by masspay or gift, he then delivered nothing...

Comment #60

Erdinc, I'm not jumping to conclusions. There are a lot of unusual things going on with this situation, that's why I asked for the historical whois info for the domain.

IMO the most suspicious points are the logins from the same computer, and the blog post listing this domain for sale.

Erdinc, are your sent PM's stored by default? Because mine aren't...

Comment #61

Yes, he has used the same IP to register two accounts, then he claims someone hacked into his computer, why would someone go to all this trouble for few hundred dollars! This person has violated our trust and our community - he must be facing the end of hid domaining courier and decided to take a risk and make up a story to scam us all.

My defense is the IP he has used to create two accounts on NP. As long as that is liable, we know he is the true scammer...

Comment #62

All my send personal messages are stored by default. I don't know why yours wouldn't.

I checked "ssamriga"s (Oskars) messages. He does not deny that g6u.com was his domain. So having that domain listed at his website dnfit.com is normal. He is claiming that both his godaddy account and his namepros account was hacked.

When you see historical whois for g6u.com, it is probably going to show Oskars info as he claims...

Comment #63

Yeah okay, same IP from the same computer that he has used for months suddenly is used in two accounts and he is not at fault? Post added at 01:13 PM Previous post was at 01:10 PM another thing is, as soon as he sold me the domain, he erased the other LLLL's from the thread he started, now why would a SCAMMER go out of his way to delete the other domains, in recent cases - Scammers just post and collect and then exit with the money, however in this case, this scammer edited threads and deleted evidence of the transaction - thats because he is the scammer...

Comment #64

~HOPE~,.

What might have happened is that namepros might flagged the account as duplicate because somebody accessed two different namepros accounts during the same day from the same IP.

Assuming your namepros account was hacked today and somebody would login to your current account and then register one more account. One of them would be flagged as duplicate. And both of them would have the same IP. This doesn't prove that you have logged from either of them account.

Hopefully namepros will have IP records spread over a few days...

Comment #65

I understand, but again looking at the way these domains were sold and erased from threads goes to show you that this is not your regular scammer...

Comment #66

This is not what mm said. If it is so then this would be a proof. Anyway I should leave this to NP management. I'm too hoping namepros has ip records spread over time.

But you guys are jumping to conclusions. This users NP profile doesn't look like a scammer. He might have indeed have his NP account and his godaddy account hacked. There are over hundred stolen domains, probably from a few different accounts.

If g6u.com indeed belongs to Oskars as he claims are you accusing him stealing his own domain and selling for cheap??? It is easy to check isn't it. Somebody here must have access to domaintools historical whois...

Comment #67

Not just the same ip, but the same COMPUTER was used. I'm not sure how that was determined. But MM is indeed saying that the 2 sellers used the same computer...

Comment #68

We like all of you are trying to get to the bottom of this.

I would have liked the OP to have stayed online and answered questions and hopefully by leaving his account open for now, he will ...

I can confirm that it does at this time appear that it was as stated above not just an ip match .....

I would like to thank all the pms to myself and other mods /tls that you guys are sending adding links and information for us to check..

The Namepros community really shines when in need.. You guys rock..

Comment #69

From Digital Point> uses name M107 [WTS] ccc.com domain $125 http://forums.digitalpoint.com/showthread.php?t=1835129.

NOTE: It looks like DP pulled this account...

Comment #70

Can I ask how you are determining it was the same computer?..

Comment #71

I can only confirm at this time that... It appears that another person signed up for an account here using the same computer to sell this name....

Comment #72

Mm,.

Do you mean the same machine was used for the m107 and ssamriga accounts during the same day? How does this prove ssamriga being the scammer? Do you have records of earlier days as well? Was the same machine also used in earlier days originally by ssamriga? To me it looks like somebody used ssamriga's NP account and the fake m107 from the same machine but this does not contradict with ssamriga's story. What if this guys NP account was really hacked? Obviously the hacker would login to his account and to the fake m107 from the same machine. How about today's records? It would be very useful to compare today's records.

I still hope Oskars isn't a scammer. Why would he ruin his domaining career? From dynadot threads we know that there was a lot of activity with a lot of stolen domains. There was even some guy at dynadot calling the zhi a scammer. It is very obvious that whoever mentions zhi.net would also be connected to the zhi at dynadot. It doesn't look realistic that ssamriga would mess his whole domaining career so stupidly. Post added at 11:16 PM Previous post was at 10:47 PM Just to summarize what I found:.

This is a hostgator reseller account.

"altezza.websitewelcome.com".

The scammer used that account to host many domains and a lot of them were infected with trojans. He had also a pdf file infected.

The "altezza.websitewelcome.com" address was used to send emails and it shows up in some email headers.

I believe his hostgator username was melcochi.

174.120.21.216/~melcochi/.

If you type melcochi to google you will find some infected files.

By the way, I suggest that people don't download pdf files you will find a few infected files. For instance there is a link that starts with.

Wepawet....org which is infected.

The scammer is also know as zhi at dynadot. https://www.dynadot.com/account/foru...-400-4959.html.

From that message it looks like he has send a list to a few domainers. I suspect that list might be an infected pdf file. If you received such a file then you might have a trojan on your machine that records every key you press.

There were also over 100 stolen domains offered at dynadot forum. 7178.com was one of them. The owner of this domain still didn't show up. I guess this is one of the most valuable domains he stole.

Activities at dynadot started on 13.th May, which is a month ago. https://www.dynadot.com/account/foru...-100-4960.html.

Why didn't the owner of those domains (about 100) show up during that time is a mystery to me. Hopefully they will show up and tell how their account was hacked into...

Comment #73

Hello.

I have not once said ssamriga was infact a scammer. I have only provided alittle information on what appears to have happened to this account yesterday. All information is being looked at and I hope that OP will log back in and give some light on what is going on.

I for one am now going to get some sleep ....

Comment #74

I believe Vbulletin is logging the MAC address of the computer which is posting?.

Anyway, it looks to me like if the same computer was used and sam is innocent(until proven guilty), someone indeed used his computer remotely, from the same IP..this is easily done with the right malware/trojan/tool without a trace...btw there is another possibility, a MAC address can be cloned but then this still is not explaining the same IP unless the scammer found another way to do both, these days who knows?.

Cheers.

Liquid..

Comment #75

It is impossible for vbulletin to log a MAC address..

Comment #76

Lothos,.

Vbulletin might be tracking a user with a cookie. If you login to a different NP account using the same machine and same browser, it would understand.

Liquidcherry,.

I don't think somebody has ever used Oskars (NP member ssamriga) regular IP or mac address. What mm was saying is that yesterday the scammer used the same machine to login to two different Namepros accounts. One of them was therefore disabled. After that Oskars posted a message and said that it should be easy to compare the IP's and see that he was not the person accessing either of those namepros accounts.

Anyway, leaving that story aside, I have now found a new lead to track the scammer.

1. This is the scammer posting at dynadot forum: https://www.dynadot.com/account/foru...-700-5328.html.

There he offers 433.net for sale. Last message is 4 june 2010.

2. two days later he shows up here with the same domain: 433.net for sell - $500 - quick sale!.

3. In that forum he uses the username 433. He has a few more messages: Search Results - Mobility.mobi Mobile Forum.

4. five days ago he was trying to sell the domain here: 433.net for sell - $500 - quick sale! - Domain Name Forum.

5. The same person appears here making an offer for devil.mobi to keithmt..

I hope keithmt didnt get scammed by this guy. Devil.mobi.

The 433.net lead comes to an end here. This guy looks very active in many forums.

7178.com starts here 28 may:.

1. https://www.dynadot.com/account/foru...-750-5313.html.

2. 29 may it continues here at namepros. Maybe Wendy can have a look at this: http://www.namepros.com/domains-for-...om-double.html.

There is also the poor guy bicoss who bought a stolen domain from this person. It's going to take a lot to clear all this mess.

Seir, does a good thing posting an early warning. It is a shame this person wasn't tracked down then. His NP membership started april 2010. This is the scammer: NamePros.com - View Profile: domain.l.

Here the scammer buys $1 domains. He wants dated domains. This is typical spam behaviour: http://www.namepros.com/domain-names...mains-1-a.html.

Alex P, you must have dealt with that person. Do you have any email records? Paypal address?.

(I contacted Alex)..

Comment #77

Hey, I didn't deal with him no he said he would pay but never did. Sorry..

Comment #78

Each Account on vBulletin System records all IP Addresses used by the account holder. So if their is more then 1 ip recorded, then we can track down the dates as everything is recorded in the VB Database, I know this cause I administrated a vb forum..

Comment #79

Yeah, problem is it's not 100% proof, everything can be faked nowadays...

Comment #80

I had this in my PM's on DP:.

Jun 1st 2010 2:53 pm.

Youo.

* View Profile.

* View Forum Posts.

* View Blog Entries.

* View Articles.

* Send Email.

Youo is offline Banned youo is on a distinguished road.

Join Date.

Apr 2010.

Posts.

38.

Feedback Score.

0.

Nnn.

Hi.

433.net on namecheap.

Thanks.

Well I don't know if this is any help I just saw the same domain mentioned in a post above.

ALSO on my vb forum there is a button near the REPORT POST and REPUTATION button that can show the IP of from where the posts are being made, like if I go to my moms house and post it will show her IP and when I am here it shows mine, NP might have that feature also I am not sure if this is what ~mm~ was talking about when she checked IP addresses...

Comment #81

We need somebody from NP to check out this account: NamePros.com - View Profile: domain.l.

And the m107 account that was closed and compare their IP addresses to any other record there is.

The NP account "domain.l" is linked to the stolen domain 7178.com..

Posted message on 28 may here: https://www.dynadot.com/account/foru...-750-5313.html.

And on 29 may here: http://www.namepros.com/domains-for-...om-double.html.

This person should be banned and his IP should be compared to all existing records: http://www.namepros.com/members/169806.html..

Comment #82

The next step is to check with previous buyers that purchased domains from this member and see what emails they used to issue payment. I have PMD 3 of them. Waiting for reply...

Comment #83

I meant IP address lol...(and the MAC cannot, never be submitted via the net, I know that)...but again it is easy accomplished with the remote exploit he maybe have on his computer, where is the OP anyway, he seems pretty quit lately....

Cheers.

Liquid..

Comment #84

Erdinc thanks for finding this>.

4. five days ago he was trying to sell the domain here:.

433.net for sell - $500 - quick sale! - Domain Name Forum.

Yes, he was there on the DDForum. And I am a moderator there. I have banned him with a notation on his thread. http://www.ddforums.com/showthread.p...4383#post14383..

Comment #85

Can you please post all IP's you have recorded under his account?..

Comment #86

Domain.I.

184.82.38.233 , , Unknown.

69.163.41.195 Amherst, New Hampshire, United States.

M107.

85.9.85.183 , , Unknown..

Comment #87

Do they match the IP used in this scam? Post added at 06:04 PM Previous post was at 05:58 PM 85.9.85.183.

United States - Houston.

Linked to:.

Country Iran, Islamic Republic of Iran, Islamic Republic of.

Country Code IR.

184.82.38.233.

Australia - Brisbane.

Country Iran, Islamic Republic of Iran, Islamic Republic of.

Country Code IR.

Region Yazd.

City Yazd..

Comment #88

184.82.38.233.

Querying whois.arin.net.

Redirected to rwhois.hostnoc.net:4321.

Querying rwhois.hostnoc.net.

Rwhois.hostnoc.net.

%rwhois V-1.5:003fff:00 rwhois.hostnoc.net (by Network Solutions, Inc. V-1.5.9.6.

Network:Class-Name:network.

Network:ID:net-184.82.38.224/27.

Network:Auth-Area:184.82.0.0/16.

Network:Network-Name:NET-184.82.38.224/27.

Network:IP-Network:184.82.38.224/27.

Networkrganization;Irg-38-14239224-0.

Networkrg-Name:7x24 WEB SERVICES c/o Network Operations Center, Inc..

Network:Street-AddressO Box 591.

Network:City:Scranton.

Network:State-ProvA.

Networkostal-Code:18510-0591.

Network:Country-Code:US.

Networkhone:+1-570-343-8551.

Network:Abuse-Email:.

Network:Tech-Phone:+1-570-343-8551 Post added at 06:33 PM Previous post was at 06:32 PM LOL = the text includes symbols that are confused by VB as icons! LOL..

Comment #89

I know how to use whois, can you answer my questions?..

Comment #90

Thats what I got from tracing it, maybe connected to Proxy servers[COLOR="Silver"] Post added at 06:35 PM Previous post was at 06:34 PM.

Geobytes.com/IpLocator.htm?GetLocation&IpAddress=184.82.38.233.

Ip links to AUS..

Comment #91

ON DDForum this comes up>.

4.0 member.

Registration IP Address 85.9.75.22.

This was his only post- 5 days ago..

Comment #92

Country Iran, Islamic Republic of Iran, Islamic Republic of.

Country Code IR.

Region Yazd.

City Yazd..

Comment #93

4.0 and m107 are both on the same Iran ISP..

Comment #94

184.82.38.233.

This looks like Burst / Nostnoc VPS, but I'm not sure...

Comment #95

184.82.38.233 - This IP is in Scranton, Pennsylvania.

EDIT: Yes this is a BURST IP range.

69.163.41.195 Portland, Oregon DirectSpace Networks.

85.9.85.183 - this IP is in Iran..

Comment #96

I really hope paypal pays me back my $300 - ive never been in this situation. It sucks!..

Comment #97

Someone with a domaintools account can get this, I dont have an account...

Comment #98

I think I missed something but have you point blank asked the person who sold you the domain name to refund your money through paypal??? And if you did, what did he say??..

Comment #99

I actually emailed the person 5 minutes ago to see if I get a reply. And the correct amount is $360..

Comment #100

Is it possible that 9h8.com also a stolen domain? http://www.namepros.com/domains-for-...bin-115-a.html..

Comment #101

Mirul, yes - unfortunately it could be.

There are issues/questions about his other sales so I'd be leary.

Just found this info based on IP for m107 85.9.85.183 , , Unknown.

85.9.85.183.

WHOIS = % This is the RIPE Database query service..

% The objects are in RPSL format..

%.

% The RIPE Database is subject to Terms and Conditions..

% See http://www.ripe.net/db/support/db-terms-conditions.pdf.

% Note: This output has been filtered..

% To receive output for a database update, use the "-B" flag.

% Information related to '85.9.80.0 - 85.9.95.255' inetnum: 85.9.80.0 - 85.9.95.255.

Netname: IR-PISHGAMAN.

Descr: pishgaman kavir yazd.

Country: IR.

Admin-c: MJFT14-RIPE.

Tech-c: MJFT14-RIPE.

Status: ASSIGNED PA.

Remarks: PLEASE ATTENTION.

########################################.

# #.

# "WE ARE NOT SPAMMING OR HACKING YOU" #.

# #.

# Please contact : #.

# #.

########################################.

Mnt-by: PISHGAMAN-NET-MNT.

Mnt-lower: PISHGAMAN-NET-MNT.

Mnt-routes: PISHGAMAN-NET-MNT.

Source: RIPE # Filtered.

Person: Mohammad Javad Fallah.

Address: Yazd,Iran.

Phone: +98 351 7251148.

Phone: +98 351 7253545.

Nic-hdl: MJFT14-RIPE.

Mnt-by: Pishgaman-Net-MNT.

Source: RIPE # Filtered.

% Information related to '85.9.64.0/18AS34918' route: 85.9.64.0/18.

Descr: Pishgaman Route..

Origin: AS34918.

Mnt-by: Pishgaman-MNT.

Mnt-lower: Pishgaman-MNT.

Source: RIPE # Filtered % Information related to '85.9.64.0/19AS34918' route: 85.9.64.0/19.

Descr: Pishgaman Route..

Origin: AS34918.

Mnt-by: Pishgaman-MNT.

Source: RIPE # Filtered.

Not sure what it means or if will help...

Comment #102

Im disgusted by all this, what people do to one another...

Comment #103

My payment to that scammer - ssamigra was marked as service.

And I opened a dispute yesterday at paypal.

Do you think I will be able to get back my money?.

I provided that the type of service is "virtual items -sent electronically" and submitted some evidences along with the link of this topic.

Do anyone believe that there is something wrong in what I did?.

I hope that someone can guide me to the right way to get back my money...

Comment #104

Heres other emails he has used to sell domains and collected funds through paypal.

Hamid novotel Post added at 12:13 AM Previous post was at 12:12 AM make sure you contact the fraud department and forward this thread to them ASAP...

Comment #105

Paypal especially does not cover items that are send electronically. You need to make it look like an item that you supposed to receive by post. If this option is not available for "services" then there is nothing you can do.

The only way getting your money back is if you were supposed to get the item by post and the person didn't send you. Then paypal will ask the person to provide an online tracking number and online tracking link. If the seller can not show paypal that he has send the item with online trackable courier, he will lose the dispute no matter what.

But if this option was not available during the dispute, then I don't have any more suggestions. Post added at 09:28 AM Previous post was at 08:48 AM The scammer uses a web script to send emails. Therefore tracing those emails leads only to information related to his hostgator account. "altezza.websitewelcome.com".

To track down this person information is needed from hostgator and dynadot. What was his IP when he opened a hostgator reseller account. What paypal address did he use to make the payment? What was his IP when he posted at dynadot under the forum username "zhi"? Did he make any payments there?.

I think namepros should also look into making this website more secure. For instance at elance.com If I log out and then want to login again it asks me only my username. But if I clear my cookies and then try to login it asks my secret question and the answer.

Even if you have a trojan on your machine, because you wouldn't type the secret question or it's answer, the scammer could not login to your account with only your namepros login information.

I think there is also a big security issue at dynadot. They have a for sale forum that attracts scammers but the scammer operated there for a month, from 13.th May to 13.th June 2010 even though many people were aware of the scam. It shows that, that forum is not moderated.

Hostgator closed down this person's account for malware. If somebody contacted them would they disclose the information they have about this scammer? Probably not but could be worth trying. Also it shows that there should be a way to get the authorities involved in this. We also need a list of all website that were hosted under his account. Maybe he hosted a personal website there that he has long time connection...

Comment #106

I dont know if this helps, but I bought one domain from above list (originaly posted at dynadot) 2 months ago, but it turned out it was stolen from a NP member. Scenario was similar - domain was pushed directly from owners godaddy account, and he was later claiming that his passwords was stolen. Godaddy took domain from me (got mail from undo@godaddy) and returned it to account owner. Moderator Mis_chieff was was investigating that, maybe he can help. Post added at 01:20 AM Previous post was at 01:07 AM I agree, I really dont think that someone who has been active forum member for 3+ years would ruin everything for $xxx. And as I said in post above, same thing happend 2 months ago, but victim was another NP member.

Maybe it's better not to rush with accusations...

Comment #107

MattheP,.

If you have any emails exchanged can you post the email headers here? If you don't know how to get email headers just tell us what email service you are using and we will explain it.

Your information could be valuable since lately he started emailing from a webpage script and the email headers all refer to a hostgator account that is closed now. But two months ago he might have been using another method to send emails like a webmail service. Since at the time he didn't have that hostgator account.

Also how did you pay the person two months ago? Every information counts. We need to track down this person...

Comment #108

I didnt buy domain directly from a scammer, I bought it from a NP member who bought it from a scammer at dynadot.

Heres a dynadot scam post link: Forum Topic: 116 .com domain names (lots of month left for expires) - $100 - Dynadot.com.

(I know it's against the rules to post links to other forums, but I think this is very important issue.).

Scammer nickname at dynadot is Zhi (the same who is selling zhi.net). Sad thing is, his account is still active at dynadot and forum thread doesnt have any notifications about fraud (altough I contacted dynadot about that)...

Comment #109

Hi,.

Thank you Erdinc and MattheP for being levelheaded.

~Hope~ I understand you just lost some money, but please don't get hasty and remove your messages with my real name and statements of being a scammer!.

As I said my email account (oskars.rumpeters at inbox.lv) was hacked as well as my namepros account and my Godaddy account. The only possible explanation to this (all different passwords) is that my computer was infected by a trojan which allows a hacker to use it remotely.

I don't know how many and which other stolen domains he traded, but from me he only stole one name - g6u.com.

I am now only logging into accounts from another computer which I believe to be clean until I am sure that my home computer is free of any trojans.

Someone with dntools account could check all domain name historical stats so we could inform other victims whose domains were stolen and resold.

Also shame on those who don't see anything suspicious about someone suddenly selling names below their market price and only accepting paypal nonrefundable payment methods...

I feel sorry for anyone who was scammed by this person, including me.

I think my NP reputation is a good proof that I have not scammed anyone...

Comment #110

MattheP,.

Who was that NP member? We need to follow all leads until they came to a dead end...

Comment #111

Honestly my vibe tells me that ss is innocent & a victim in all of this. I can't see someone with a strong trader rating throwing it all away for a few hundred dollars. This isn't some scam that could be run over & over with how fast word travels in the community.

I feel to label him a scam artist without any proof is uncalled for. Let the matter be investigated. What happened to innocent before proven guilty?..

Comment #112

I don't think any scammer would be as stupid as to use his real name in doing something like this... Since I've been a member at NP I have never hid my real identity..

So ~hope~ when you read this please delete your post, if you prove me guilty feel free to do whatever you want...

Oskars..

Comment #113

If you are filling paranioc, you can always enter your password via virtual keyboard with mouse - troyans usually logs keystrokes only.

And beware when you access your important accounts via laptop and public, non encrypted WiFis. Starbucks is not the best place to manage your account with 2000+ domains I checked whois history stats for stolen domain I got, but nothing to be found there - scammer pushed domain directly from victims account to a buyer.

Somebody should warn Dynadot abut that Zhi account and threads. I've done that, but they didnt listen to me Post added at 02:14 AM Previous post was at 02:07 AM He is reading this thread and I am sure he'll reply to you. He was innocent (and very helpful) in this story, and I dont feel it's right to call him in public before he says it's OK...

Comment #114

You are mistaken.

I have been scammed, "hope" has been scammed, "themaster" has been scammed and many more by this scammer..

Its not few hundreds who he got in one day..

According to my track to him, I see he made around $2-$3k in about 2 days only by scamming.

And you are mistaken about someone to lose his reputation on NP.

Because I know someone who lost his reputation at DP forum who had about 4 years of activity and much more feedbacks and lost that all to scam about $400.

This time the scammer took $2k to $3k so it really worth for him to lose his account because he won't gain anything from having his NP account even if he was the second member to join, it's nothing for him..

Money is his aim!!.

And $3 k is worth making him losing all his accounts because he can start from zero again and do all that again and again once every year because this is his main source of income, fast and easy.

I am sure he isn't a victim, you can read my post in the second page besides revise the information given in this topic since it's start and you will know who are the victims and who Is the scammer!!..

Comment #115

You are sure of nothing at this point. Comparing anyone's reputation on here to Digital Point is hilarious considering how many scam artists frequent there.

Once again, innocent until proven guilty. Believe me, this community is filled with some well connected sources so if he is a scam artist, his cover will be exposed. Until then it is fair to see what the final verdict is. Wouldn't you want the same courtesy?..

Comment #116

Moustafa I know how you feel, I am angry too because of this scammer, and I even have more reasons to be angry after all it's my identity he was using..

Please note that I can't send you any money,if he has really scammed a few thousand in total maybe there is a way to take legal action, although as some people were posting above he seems to be from Iran? It may be difficult to do anything in that case..

Comment #117

If the person who bough a domain from zhi and then sold to MattheP would step in here and tell us from whom he bought the domain and provide email headers and paypal information, it would help.

People are accusing others and we need more information. Also it turns out forum threads are not very good to organise information. We should create a timeline of events and check things like wording patterns and specific spellings by the scammer. He posted many messages on many forums. There are a lot of clues to look at...

Comment #118

There is no difference.

This is forum and DP is forum.

Both have members and both have scammers .. it's the same.

So there is no any point in saying this is better than this or so!.

Because scam artists found here more than DP for me as I were going to be scammed here 4 times in one week which never happened to me that fast in DP but still I say both are the same.

He is innocent until proven guilty, ok but there were many evidences posted in this topic about that scammer by me,erdinc and admins that all proof it came from one person who from time to time play by using proxies. you know what I feel and I know what you feel, that you are happy to get around $3k in a couple of days without losing your account which is nothing for you because you can create a new one easily and repeat it to get that 43 reviews by just 43 sales of a few $$ each to scam thousands at the correct time!.

Whats your problem with Iran? and what do you mean exactly by not doing anything since the country is Iran?.

Is it hard for you to use proxies and appear as if you are from iran and sometimes from lativa or usa ?! it's the scaenario applied by you and you succeed in it without being ever threatened or stopped!..

Comment #119

Moustafa- would a scammer reveal his real name? would he keep posting here?.

Obviously you're not thinking straight right now, we just have to wait for some turn of events to be able to identify the scammer.....

Comment #120

No, you are mistaken.

I think right but you aren't.

When the scammer - you send me 2 messages from the emails listed in whois before we make a deal then it must be you..

And when I find a pm from you in the same day this topic opened, asking me to pay you again for sending me another domain then it's you..

All evidences show that it's you who are the scammer because this topic was opened and you thought I may didn;t notice it so you wanted to take some hundreds from me again before leaving!!..

Comment #121

Moustafa please read what I have stated earlier- it seems my computer was being used remotely by a hacker who had access to my email, namepros account and godaddy account..

The easiest way to determine this is to look chronologically I only started sending PMs and posting about the scam after the real scammer had sent his last PMs... This can be easily proven by any NP administrator.....

Comment #122

Maybe somebody from NP can update us how they are investigating this issue and what they have found.

NP team,.

Were these IP's ever used for any other NP account? Can you search the logs by IP?.

Moustafa,.

You have posted you email header here: http://www.namepros.com/3850306-post34.html.

And we checked that information. It goes back to a hostgator reseller account at "altezza.websitewelcome.com". Those emails you received were posted using a script that was hosted at the hostgator account. This account was later disabled because of malware.

Similarly, HOPE posted his email header here: http://www.namepros.com/3850358-post49.html.

Again those emails originated from a web script at "altezza.websitewelcome.com".

You can send an email and put any address that you like to the to field.

Because the person is sending you an email from the whois listed address doesn't mean he has access to that email. You should write back to the whois listed mail and see if he can receive that email. This would show that the person has access to that email. Because you received these emails doesn't mean the scammer had control over those emails...

Comment #123

There isnt any clear evidences against ss in this thread. Everybody can fake email address or misread cookie data. Yes, this is not a DP and I would trust 3+ year old member with perfect reputation who stands behind his real name and address...

Comment #124

I replied to the email he sent me and he recieved it and replyed to me again after it..

I can post the headers of the second email or send them to you on private if you wish. this is your words just because you weren't scammed by him..

I don't care that you trust in him because he has that account for 3 years..

Because I already have records of other members with double his number of posts and triple itraders with longer account age and were banned due to scamming for some hundreds..

So you are totally mistaken because this account is nothing to him. money is the issue to him, so $3k is enough for him but the account is worthless to him since he can make the same scenario easily...

Why do you think he can't wait another year or two and get 40 or reviews by selling or buying items at a few $$ to scam some thousands at the end?!..

Comment #125

Yes, can you post the headers of the second email as well.

Also can you post the email header of the mail that you send to him?..

Comment #126

Answer to Erdinc's requestIf the person who bough a domain from zhi and then sold to MattheP would step in here and tell us from whom he bought the domain and provide email headers and paypal information, it would help.

Yes, I have stepped in to help like you requested. This is what I have. (Keep in mind on Dynadot whoever have wrote the thread can change their names anytime they want to. In other words, it used to have the "wooster" name, not "zhi" below..

This is the ad I responded to on March 20==> http://www.dynadot.com/resource/foru...-100-4960.html.

Matt bought one of these from me.

Now here is the specific information I have>.

A. The individual who sold me the domain names was using the screen.

Name: "m_d_wooster_us" on DynaDot.

B. The seller instructed me to make payment through paypal to.

Customer Service Phone: 416-225-9125.

Good luck piecing it together..

Comment #127

I was going to make an offer on g6u.com and talked to ssamriga via pm, this pm chat took place on 09-06-2009. I have all the pms related to this in my inbox, and that means he had this domain name for a long time...

Comment #128

Thanks Mitch for the new information. "silvia saint" is a porn star. "bitijoon.com" is a domain that expired in 2008 and picked by somebody.

The term "bitijoon" refers to an Iranian female musician "Bita Joon"..

This her website: Home.

According her website she has a degree in computer science. I found a German forum about Iran: Iran-Now Network - Forum.

There is somebody in that forum with the username "Bita" with nearly 7000 forum messages: Iran-Now Network - Forum.

Her friends call her "bitijoon". Iran-Now Network :: Bitas Nickpage.

Of course this doesn't prove this is our scammer. Why would she use a porn stars name next to her? For some reason our scammer bought bitijoon.com and that domain was used in the paypal transaction.

I checked the other email as well. This is the scammers email that was used to receive paypal payment:.

"..

If authorities would get in contact with paypal they could track down this person...

Comment #129

Anyone who has lost money because of this, please contact appropriate authorities and try to find out who got the money from paypal. Paypal is definitely the best clue here, because as far as I know you have to give your real data somewhere to receive the money...

After I get home from work I will check my computer again to be sure it no longer has any malware on it (yesterday I scannd it with AVG and it didn't find anything)...

Comment #130

AVG is manily virus scanner, try with some spyware/malware removal - Malwarebytes' Anti-Malware and SuperAnti spyware are good choice for start...

Comment #131

Your full of shit - How does a person loose access to email account, godaddy account and np account. Don't bull shit us. You and maybe an associate are behind this SCAM. I dont believe one word you claim. not to mention the same computer used to create two accounts. YOUR BUSTED SCAMMER..

Comment #132

Are you really doing fine with this attitude in life?.

Can you read? My computer was obviously accessed and used remotely..

I feel sorry that someone besides me was scammed too, but unfortuntely I can't do anything about it.

Oskars..

Comment #133

Your full of lies. Yeah an iranian hacker goes out of his way to find someone in Latvia!.

Get real..

Comment #134

I totally agree with you, I got scammed by that scammer and I am sure like you if not more that he is inventing stories because he is the real scammer, he contacted me to sell me another domain although this topic was opened, that scammer thought that I may didn't notice this topic so he wanted to scam me again and again.

But someone here came to defend him and say shits like he is trusting in him because his account is 3 years.. this is tupid method of thinking because I know many members who lost their accounts that are 4/5 years with more itraders than that scammer for the sake of some hundreds of dollars..

While this scammer took around $3k after scamming for a couple of days, he doesn't care about losing his NP accountits useless for him after taking that much money in short time.

Its unbelievable that someone will do all the following at the same time:.

1- hack two emails that are listed in whois to send messages from them to me..

2- hack the user's namepros account.

3- hack his godaddy account.

4- use his own pc to push domains and for replying on pms! yes, he will keep saying shits asking people to believe him..

While if this passes safely with him, then he will continue again and again with no limit..

I have records that he sold some links for hundreds of dollars too at stolen domains claiming they are permanent but he scammed all buyers as well!.

Hopefully, we find a way to stop him..

I contacted paypal and they understood the issue and told me that they are investigating the issue of that scammer that sell stolen domains..

Lets hope we get back our money...

Comment #135

Indeed, I have been part of this community for almost 6 years now. Never have I come across a scammer that goes through the trouble this person claims.

This is a case of a greedy member who's portfolio of domains is nothing but reg fee goes on hunting the rest of us for his loss and claims to be a victim of fraud...

Comment #136

Yes, thats correct..

There is no any relation between the member account age/ activity with his honesty..

All of us know that makeing a three years old account with 40 itraders of 40 deals for $40 is nothing compared to scamming thousands of dollars in a couple of days..

Thats a very greedy scammer, he used also many yahoo emails to make chats and tried to scam me on a lot of four domains around 2 weeks ago, so he is playing here and there scamming people everywhere...

Comment #137

I understand you're upset. But let's not jump to conclusions and name calling yet. And if he has nothing but regfee domains then why did you buy one?.

Someone hacking into 2 email accounts, a namepros account, and a godaddy account, FROM this guy's computer, is a little far fetched, I agree, unless somehow they had the same password or some kind of trojan/malware/remote admin was installed.

Let's wait until ssamriga replies with what type of malware he had, if any...

Comment #138

It is not impossible to hack all of somebody's account. Please try to differentiate between an account hack and key logging somebody's pc. Key logging records all your keystrokes and sends it to the scammers email. So by observing a few days of keystrokes the scammer will know all your accounts and passwords...

Comment #139

Thats what I'm saying, he claims the Scammer stole the info through malware, he then used his computer on top of that to make the transfers, etc...

99.98% of scammers take the info they steal and do the transfers through their own computer.

Yes, I like to know as well what is the Malware you detected?..

Comment #140

Yes, that's why I said what I did.

BUT, the mods stated that the scammer used SSAMRIGA'S COMPUTER, which a keylogger wouldn't account for.

A mod has privately confirmed to me that it indeed was ssamriga's computer which was used for the second account...

Comment #141

Then you agree that he is the scammer since keyloggers can't do that function..

And by using his own pc then it's only one person who is the scammer, or if someone else then might be his father/mother/sister or any member of his family...

Comment #142

Netizen posted here and confirmed that ssamriga owned g6u.com a year ago. http://www.namepros.com/3851066-post136.html.

I'm having difficulty understanding and following things.

According this page HOPE bought g6u.com from ssamriga for $170. g6u.com with 4x 4l.com for just $170 - NamePros.com.

Ssamriga says his domain was stolen from his godaddy account and his NP account was used by the scammer and it wasn't him who sold his domain g6u.com to HOPE. Now ssamriga wants his domain back.

HOPE believes the ssamriga that he was dealing with was indeed Oskars and he sold the domain g6u.com to him. He wants his money back.

To me ssamriga's story is much more logical. If he was the scammer why would he mix his domain with stolen domains and sell his own domain for cheap as well? He owned that domain for a year and even listed it on his website DNfit.com for sale. He uses his real name and has a blog. It is very easy for people to find him. Why would he try to sell his own domain in a hurry for cheap and expose himself?.

If you were stealing domains would you mix one of your own valuable domains in them and sell it as well even though it can be traced back to you? It doesn't make sense. Post added at 08:28 PM Previous post was at 08:06 PM moustafa,.

You didn't post the email headers that you mentioned. You didn't post those yahoo emails either. If you have more evidence you should post them.

Lothos, I think what the mod confirmed was that the same computer was used to access the m107 account and ssamriga's account.

I have avast on my computer and yesterday when I was checking some of the sites I received a virus alert. You can try it yourself. Let me guide you through:.

Both HOPE and moustafa posted their the email headers they received from the scammer. According that information a script was used to send the mails from here: " was pushed from ssamriga's godaddy account. Why would a scammer stop stealing other people's domains and suddenly decide to sell his own domain for cheap?..

Comment #143

No I don't agree that he is a scammer, please don't put words in my mouth.

There is not enough evidence yet to make a clear decision of guilt or innocence.

There are a lot of weird things going on with this case, we need more evidence. No one has posted the historical whois information yet. And I want to know the exact name of the malware that ssamriga finds.

After martial arts class tonight I will see if I can gather all the evidence and compile it in one place...

Comment #144

Lothos thanks for being reasonable!.

I think the best way for you to check that it was not me you were dealing with would be to ask Paypal to confirm that I do not own the accounts to which you paid..

And I see that long NP membership really doesn't prove anything because of the way ~hope~ acts...

I will check times when the scammer was active (sent PMs) and will see if my computer was even turned on at the time. I still haven't got an answer about how forum admins determined that my computer was used.

And consider all the logic facts- why would I scam with my real identity?? Why try to prove my innocence now?..

Comment #145

Hello again we are all working together to find the answer.

Can you please inform us if you have checked if any malware has been found on your computer as yet.

Kindest regards..

Comment #146

Not sure if this info helps themaster in any way but I'd noticed ZHI.NET for sale on digitalpoint a week ago, the seller's profile - Digital Point Forums.

I'm not sure why the threads he created were deleted and hez still roaming freely on DP, he made me a $300 offer for ZHI.NET which obviously rang the alarms and I choosed not to get involved further...

Comment #147

Stop the bull shit and start answering the questions and posting the evidence. GUILTY until proven otherwise. You have done nothing but whine, provide the facts not just words, OH MY COMPUTER IS NOT IN MY CONTROL Start off with answering her question!!!!!! and provide screenshot and details to the malware...

Comment #148

Moustafa please don't invent stuff- when were you last contacted by the scammer? After I created this thread or before? You say it was after, but timestamps say it was before...

Mm please check my "contact NP member services" thread!.

I believe Paypal won't reveal the real owner of paypal accounts you sent money to without legal authorities, but try to ask for a confirmation that it was not me at least.....

Comment #149

This is not a private matter, you need to provide the facts to the community...

Comment #150

Many thanks but this is only viewable to admins.

I thank you for your help in this matter.

Please just answer the question above..

You said you would check your p.c for malware..

Did you?.

And what did you find..

Your assistance is much needed and very welcome..

Kindest regards..

Comment #151

By the way the scammer was online at digitalpoint today: Digital Point Forums.

Last Activity Today 3:58 pm.

Ssamriga,.

Can you tell us what operating system you are using?.

Can you check if remote assistance is enabled: Securing Remote Desktop for Windows XP.

0nside control panel / administrative tools, can you can all the logs and see if you will find anything unusual?..

Comment #152

WRONG It is innocent until proven guilty. We understand you lost money but acting immature is not going to help rectify the matter...

Comment #153

There is somebody at digitalpoint with the username funandlearning who is pretty pissed about this m107 guy. I contacted her and asked if she can share any evidence she has.

According this thread: [WTB] Facebook Traffic For Cheap.

It appears m107 sold pma.com to somebody and then the domain was reversed back to the original owner. Now the buyer wants to know what happened. They think m107 somehow got back the domain himself. Obviously they are not aware the domain was stolen and reversed back by the registrar.

Pma.com is a very valuable domain. I hope they will get the authorities involved. I contacted funandlearning and redirected her to this thread. Post added at 10:14 PM Previous post was at 10:08 PM HOPE,.

There is a scammer here who is stealing high value domains and selling them fast. With the addition of pma.com the chances of authorities getting involved is higher. Nobody is so stupid to use his real name and then push his own one year old domain to you.

Ssamriga said he is accessing NP regularly from work using a static IP. He can be traced back. Also he is not hiding. Many people have their account hacked. A lot of domains are stolen. ssamriga's story makes sense...

Comment #154

I would like to thank ssamriga in their continued assistance to this matter.

I understand how angry those are that have been scammed .. I dislike scammers very very much.

I would also like to thank all the pm's I am getting and still working through.

This is clearly a complex situation which I hope we willtogether find an answer.....

Comment #155

Hi,.

I have XP sp3, I just went to control panel and changed settings according to the link you gave..

So far no malware has been found except the one AVG 9.0 caught over a month ago (Trojan horse Generic2.OJ).

I am checking system logs, but I don't understand much, except that it really looks that my computer wasn't even turned on when most posts by the scammer were made...

Oskars..

Comment #156

Juicy thread! I don't know if the domain history has already been posted, but here goes:.

Year 2000:.

Registrant:.

COVENTRYINVESTMENT LTD..

FOR SALE at DomainCollection.com.

CORAL GABLES, FL 33146.

US.

Domain Name: G6U.COM.

Administrative Contact:.

Coventry Investments Ltd..

185 SHAUGHNESSY BLVD.

TORONTO, Ontario M2J1K2.

Canada.

+1.6478661514 Fax.

Domain servers in listed order:.

NS45.DOMAINCONTROL.COM.

NS46.DOMAINCONTROL.COM..

Comment #157

Hi,.

This is a screenshot of my system activity during June 13 from the Control Panel "event log" (thanks for the suggestion Erdinc).

All times are GMT+3.

As you can see no activity is recorded for the period when scammer was sending most PMs and made the sales threads. system log jpg.

Computer was off from 23:26 on the evening of June 13 until 10:57 on the morning of June 14. Most PMs and posts by scammer were made from 2:00 June 13 until 9:00 June 14..

Now I am not sure if NP administrators way of determining the computer is correct, unfortunately they still haven't contacted me...

BR,.

Oskars..

Comment #158

Just to play devil's advocate (not saying it is true, but demonstrating it'd be a possibility), you _could_ be stalling to allow for enough time to withdraw the funds or you could be playing the hacked card to keep the funds and the domains.

If what you state is true (your PC being used), you would have to refund the domain buyers. From GoDaddy's perspective the domain pushes will look bonafide. Without hard evidence to the contrary the buyers made a legitimate purchase...

Comment #159

HOPE, Moustafa, can you please login to your paypal, find the transaction details and post the information here. So far only one person did this:.

Also anybody else who paid money to this scammer, can you find the transaction details on your paypal as well? Post added at 11:11 PM Previous post was at 11:08 PM Satanclaus,.

You are the first to post whois history of any domain here. Can you also post for this domain:.

Bitijoon.com.

The scammer used this for an email for paypal. Post added at 11:19 PM Previous post was at 11:11 PM The scammers paypal login email is " sale. Was this domain really sold by this kid? From his digitalpoint messages under m107 account, he looks like a stupid teenager...

Comment #160

No recent recorded changes:.

09/2007:.

Mostashfi, Kouhyar.

1326 Captains Bridge.

Dayton, OH 45458.

US.

Domain name: bitijoon.com.

Administrative Contact:.

Manager, Domains.

5160 Yonge St., 1800.

Toronto, ON M2N6L9.

CA.

+1.4166612100 Fax: +14166610700.

Registrar of Record: Netfirms Inc..

Record expires on 2008-09-02..

Record created on 2007-09-02..

Database last updated on 2008-09-02 18:50:35...

Comment #161

Satanclaus,.

Thank you. bitijoon.com is not a stolen domain as far as I know. The domain is available at the moment. It was used by the scammer to create an email and the email was used for paypal.

The person who owned bitijoon.com also owns this domain: some domain And 6 more domains. The guy is a software engineer from Ohio. Could be same name by coincidence. some profile page.

He graduated from here:.

Wright State UniversityCollege of Engineering and Computer Science Engineering and Computer Science Faculty Receive Awards What's Inside?.

Ssamriga,.

You have two remote access logs on your log file. One in 13.th and the other in 14.th June. When you click on those events, do you see anything? Those remote access logs shouldn't be there.

Also immediately after the first remote access there is an error log. Post added 06-16-2010 at 12:03 AM Previous post was 06-15-2010 at 11:51 PM I'm growing more suspicious about this guy "Mostashfi, Kouhyar".

Above I mentioned besides "bitijoon.com" which we know was linked to the scam, he also owns iranclickbank.com.

I found some information about his website: Google Translate He runs a warez website for stolen software and music. Post added at 12:28 AM Previous post was at 12:03 AM OK. Let me explain again what leads I followed:.

1. mitch007 bought a domain from zhi and later on it turned out the domain was stolen.

2. I asked Mitch where he got that domain and he confirmed it was dynadot user zhi. Mitch kindly provided information from his paypal logs. In fact Mitch is the only person who provided information from paypal logs. I wish everybody who paid this guy would provide paypal logs. He wrote here: http://www.namepros.com/3851061-post135.html.

3. One of the emails mentioned there was to facebook, a profile comes up : Welcome to Facebook..

Comment #162

[UPDATE].

Finally Godaddy found the real owner for ZHI.NET and now the domain is at real owner account. At least I think so. Check Harpsichord by Zuckerman It looks like it is live again.

I feel good because the domain zhi.net returned to the owner..

I feel somehow bad, because I can't get my money from Paypal. I think this money will not back to me.

One more line,.

I think that @ssamriga is not scammer. I don't find any proof to say otherwise. But I am watching this thread to see if I am wrong or not about my thought...

Comment #163

Themaster,.

Can you post transaction details from your paypal account?.

So many people paid this guy money but only one person has posted paypal transaction details. You will find the datails inside your paypal account...

Comment #164

It was masspay, so I think there is no much details about that transaction. But I will post details as soon as I can access my paypal account. Now I am on public wifi, It is not safe to login to paypal...

Comment #165

So bitijoon.com used to belong to this guy from Dayton Ohio. I found one other person again from Dayton Ohio with the same name: Welcome to Facebook.

What are the chances that there might be two different Iranians with the name Kouhyar Mostashfi living in Dayton Ohia? Zero. This must be the same guy.

This guys is a software engineer: WSU - College of Engineering & Computer Science: Alumni & Friends: Dean's Leadership Institute.

Kouhyar Mostashfi, EE.

Check this out: Kouhyar Mostashfi - Software Engineer.

This person fits the profile. He is running the website iranclickbank.com which is a paypal workaround for iranians and the site collect credit card information. The site makes it possible for iranians to buy things from amazon and use visa in the US.

In the past it provided the same amazon and visa card workarounds for Iranians but it also had unlimited digital downloads for music and software: Check this out: IranClickBank.com R R.

Translated by google chrome: http://img819.imageshack.us/img819/1171/72779435.gif.

This guys looks dodgy to me. I suspect he didn't know about historical whois which is why he continued using the " originally to create a fan site for Bita Joon, the Iranian musician who fights for Independent Iran. I bet this guy is still in the US. He doesn't like the current Iran...

Comment #166

{Erdinc has cleaned up his previous post and his accusations and conclusions regarding me so this response I made does not reflect the original statement except where it is listed below.}.

ERDINC- you are a bit confusedre: these parts>.

1. Somebody sold the stolen domain zhi.net to MattheP.

2. I was curious about who sold it and I asked MattheP. It turns out it was sold by NP member mitch007 MY ANSWER: NO, I DID NOT SELL THAT NAME TO MattheP. There was no zhi.net name on the list. On the March 20 list I provided you the list-there were over a 100 names, no zhi. Forum Topic: 116 .com domain names (lots of month left for expires) - $100 - Dynadot.com.

Zhi.net was not a domain on that listI told you the scammer just changed his Dynadot screen name to "zhi".

3. I asked Mitch where he got that domain and he provided information from his paypal logs. He wrote here: http://www.namepros.com/3851061-post135.html MY ANSWER-WHAT ARE YOU TALKING ABOUT? I know nothing of zhi domain. I just know the scammer changed his name to "zhi" On March 20th when Mitch bought zhi.net from the scammer and paid toAGAIN I NEVER BOUGHT ANY zhi.net domain.

Sir, get your story correct, especially when I provide straightforward information. Bottom line- I never had or sold any zhi.net domain. Got it?? Should I say it again?? I am trying to help you out with this present scam, thats allbut please look what I sent you you are misreading it...

Comment #167

Sorry, I confused the guys dynadot forum username. Now I remembert when you said zhi you referred to his username.

I have now corrected the mistake. You can edit your above message so people don't get confused...

Comment #168

(Erdinc asked for information above regarding the info I have given below,I answered him here. He has removed the details of the request above on this thread.).

Here is the link to the ad I responded to. Scammer "zhi" changed his name recently so all his threads now show this. He was "m_d wooster". Forum Topic: 116 .com domain names (lots of month left for expires) - $100 - Dynadot.com.

Matthe bought HUMILIATION.TVAs soon I heard there was a problem I emailed him and 4 other NPers and told them the situation. I requested the name back and I would refund his money instantly. Eventually he sent it back and I refunded his money. So when you concluded this:.

"1. Somebody sold the stolen domain zhi.net to MattheP.

2. I was curious about who sold it and I asked MattheP. It turns out it was sold by NP member mitch007" I became a bit hostile!! That little piece of conclusion is 100% incorrect. Did Matthe say that? I doubt it!!.

Now I am not shouting half a page, but I am angry to be sucked into this. I went through this a few months ago and it gets messy as you well know. I provided straightforward info to you from my end. I dont like it when it get spinned into falsities. My reputation here is good- and I want to keep it that way..

Comment #169

Mitch007,.

Do you understand that I have edited and corrected that incorrect section already. Now it is only you talking about it and you are confusing people with incorrect information...

Comment #170

My incorrect information? Give me a break!! You are the one coming up with bogus MISREAD evidence I gave you trying to piece all of this together and becoming rather reckless with your accusations. When you accuse me you better be ready to back it up!!..

Comment #171

Mitch007,.

OK I confused the domain with the persons username. Both are zhi. I have now corrected my message 172. http://www.namepros.com/3851454-post172.html Is there anything wrong with it now?..

Comment #172

So now your saying your computer has no malware!.

Then I don't see how your account at NamePros, GoDaddy and Emails were hacked. Someone must have given the scammer your passwords IF THATS THE CASE!..

Comment #173

Erdinc-.

My NP reputation means alot to me. Are you retracting this false statement and conclusion you made> 1. Somebody sold the stolen domain zhi.net to MattheP.

2. I was curious about who sold it and I asked MattheP. It turns out it was sold by NP member mitch007..

Comment #174

Hmm the facebook page looks up to me.The picture changed though to a closeup of his face instead of a really grainy picture of him.

Skinny..

Comment #175

Speaking of confused...My head is spinning...

Why do you keep posting stuff about "bitijoon.com"?.

Which is an unregistered domain and obviously not stolen..

But lots of posts/links/facebook and stuff about it?.

I'm sorry I must have missed this part - did you buy.

A stolen domain as well?.

I'm so confused with what info matters and what doesn't.

Let's keep this focused on what has happened in the present.

Day and for the benefit of those affected by it, please only post.

Current info that should be checked...

Comment #176

Mitch007 bough a stolen domain from zhi and paid with paypal. Then he kindly provided transaction details from within his paypal account. In those details the email "" and added it to his paypal. Then he let that domain drop. Probably he didn't think historical whois was possible. Therefore he didn't care continuing that email.

He used it for paypal when he sold a domain to mitch007.

No, I didn't buy or sell any domain. I hate scammers and decided to track down all information that is trackable. Therefore I asked about paypal logs. HOPE, Muastafa and themaster should post their paypal logs too. It is available inside their paypal account...

Comment #177

LOL it starts here.

Interestingly I noticed the phone number 416-225-9125 which is a Toronto area phone number. Reverse lookup here.

Could this be a fake number? Maybe, but it seems too precise..

Googled the name and I get Iran related content.could this also tie all the Iranian stuff we've been finding or another red herring?.

Skinny..

Comment #178

Please keep in mind that you don't have to OWN a domain to have an email address there. Post added at 09:31 PM Previous post was at 09:27 PM You have 3 remote access events in your log. You should turn off remote assistance and scan for malware with the programs I suggested...

Comment #179

Yes I confirm #1 was incorrect. The dynadot user zhi sold you a domain. I misremembered that and assumed it was zhi.net. I already corrected this. He sold zhi.net to themaster, not to you. I'm sorry for the confusion.

#2. I was simply referring to the information you gave here: http://www.namepros.com/3851061-post135.html I confirm that this has nothing to do with zhi.net. You didn't mention at all what domain it was. So my mind filled that gap somehow and I said zhi.net..

I'm sorry again...

Comment #180

Answers to the Erdinc's thread.

YOU said: I asked who it was that bough a domain from zhi and sold to MattheP. You answered and said it was you. YES, AGREED.

You said: I mentioned the same thing a few messages later and you went crazy. YES, because you already said crap in the thread which is totally false. These are your words and accusations (which you deleted in your thread): 1. Somebody sold the stolen domain zhi.net to MattheP.

2. I was curious about who sold it and I asked MattheP. It turns out it was sold by NP member mitch007.

I am putting both statements together and reading them as one and I dont know about a few messages later. It seemed longer than that.

Now I am finished with this Erdinc. Remember just because you deleted info after you said it..the damage still remains.This hurts your credibility. You should have just left it alone and not deleted it. I did. This is the internet and a electronic trail to everything said here. Be careful what you say and the conclusions you make..

I hate scammers and know what you guys are going through. Be careful and stay focused. Try not to burn bridges of those who want to help...

Comment #181

Mitch, at Dynadot forum I read about 10 threads posted by this zhi guy. So I confused the persons username with the domain. No big deal. The zhi.net was sold to somebody else. Not to you. I corrected it immediately after you told me.

At one point it was only you talking about it.

If people don't want their name associated with something, I though it is better not to mention it at all. Therefore deleted the incorrect reference. I thought if I delete the reference to zhi.net and not mention it at all, you would be happy. Again I'm sorry...

Comment #182

I dont think you really understand what I said above and what made me angry. But that's the way it is. And I dont feel like typing it all up again. So I will say, now, this part is over...

Comment #183

Maybe a mod should clean up this thread (and in particular page 8) a little.

If anyone needs a domain history (in connection with this thread) feel free to send me a PM.

/Satan..

Comment #184

Morning everyone.

For now I feel that I should leave everything in it's place until we can get to the bottom of this mess.. As Wendy said, lets keep this on track now and work together to find the facts..

Comment #185

Good morning, can I please have pancakes,eggs, toast AND bacon??? :-).

Lol, you guys will figure it out but it is a lot confusion going on here in this thread, I have to admit :-).

Cheers.

Liquid..

Comment #186

Seller's Name: rita camila.

Seller's Email: ..

Next day godaddy took it back, same message that is in the first post of this thread!.

Everyone, beware of such scammers, especially this one..

His/her email is ALSO HIS/HER paypal account...

Comment #187

Hi,.

Erdinc thanks for your effort to find out the truth about this whole issue!.

Yesterday I scanned my computer with "Spybot" and "Dr.WEB", nothing besides some tracking cookies was found. I am now at my work computer, but as I remember nothing much was explained in "properties" for the remote access events. I will read it all through and will consult google for explanations. Also settings on my computer allowed remote access invitations to be sent, but remote desktop connections were not allowed.

As I said before paypal is our best option. The scammer has got to be using a real name somewhere to actually receive the money. So please everyone who paid anything contact Paypal and ask for as much information as possible.

BR,.

Oskars..

Comment #188

You keep ignoring the questions being asked. Review the questions and answer them ASAP...

Comment #189

Hi,.

Maybe I've missed a question, please repeat it as I have no intention to hide anything!.

Thanks!.

P.S. you keep ignoring your Paypal records, have you asked Paypal to at least confirm that I am not the owner of account/s to which you sent money to?..

Comment #190

Listen scumbag your a scammer, first you claimed your computer was hacked which explains why your IP was recorded with the same computer specs on NamePros... then you have the nerve to ask me why I have not posted my paypal info. YOU PATHETIC SCAMMER, that info has already been posted...

Comment #191

~HOPE~,.

Inside your paypal account you might have more information than you have already posted. When you press the details link for the transaction, doe you see any new information?.

Mitch,.

Can you post a screenshot of yours? I mean where did you get the information you posted here? Was it inside a paypal email or inside your paypal account or both? Post added at 08:54 AM Previous post was at 08:50 AM Neither Hope, Moustafa or themaster or anybody else who has paid money to this person has ever posted their paypal transaction details from their paypal account. I wonder if they ever look. So far only Mitch did this but he didn't post any screenshots. Come on folks, it is not time to be lazy. From every piece of information we collect lots of other information. Just login to your darn paypal account and click the details button and tell us if there is anything else like a business name, phone number, secondary email, person's name etc...

Comment #192

Hope please.

I know and understand your anger but please for now .. for me Can you please hold back on the name calling..

We will get to the bottom of things......

Comment #193

I'll just quote you for the record of acting immature and rude.

What questions have I not answered?.

Have you contacted Paypal to find out who did you send your money to?.

Don't you think a scammer would have conveniently posted a "malware he found on his computer" rather than tell the truth that nothing has been found so far?.

Also I wonder if there are any chances of contacting real owners of the names he stole and resold?.

Satanclaus can you help by posting historic whois of this name?.

Tfl.net bought by moustafa.

G6u.com bought by ~hope~ as already posted historically belongs to me.

Zhi.net bought by themaster was also already posted and as it seems is returned to the real owner?.

Tfl.net and zhi.net historical owners should be contacted to find out how the scammer gained access to them.....

Comment #194

Erdinc, As I stated before I paid with masspay option. So at details there is no info about him. Anyway, here the all of the things I had at payment details:.

Transaction Type: Mass Payment.

Date Submitted: Jun 13, 2010 17:22:54 PDT.

Date Processed: Jun 13, 2010 17:23:57 PDT.

Date Completed: Jun 13, 2010 17:23:57 PDT.

Payment Amount: $xxx.00 USD in 1 payment.

Fee Amount: $1.00 USD.

Total Amount: $yyy.00 USD.

Completed Amount: $xxx.00 USD in 1 payment.

Unclaimed Amount: $0.00 USD in 0 payments.

Returned Amount: $0.00 USD in 0 payments.

Denied Amount: $0.00 USD in 0 payments.

Transaction ID,Recipient,Unique Identifier,Amount,Fee,Status,Reason Code,Custom Note.

Xxxx,"","","$xxx.00 USD","$1.00 USD","Completed","",""..

Comment #195

Themaster, thanks!.

Please ask Paypal what can they reveal about the owner of "". Surely they won't tell you any personal data even if you tell you were scammed, but maybe they can reveal at least that the owner of account is not "Oskars Rumpeters"?.

Since you have actually lost money, haven't you considered turning to authorities? Maybe they can ask for that Paypal accounts details without court order or something?..

Comment #196

Ssamriga,.

When I download the payment details as csv file, I found transaction ID at there now. And I tried my chance to open a dispute with this. Suprisingly it worked. While I am placing dispute, I got seller name at that page. Here what I got,.

Seller Name & Email: rita camila,.

I hope this dispute will work. I selected item not recieved and choose virtual goods- delivered electronically. Let see if this works or not.

But they may not accept it because I think masspay couldn't be used for this...

Comment #197

Great, although dispute I think will not go through once they find out it was a domain name being sold..

I wonder if Rita Camila is a real person, probably it isn't. Scammer most likely used fake info for this account and quickly transferred the money to his real account. Please talk about such posibility with Paypal...

Comment #198

Themaster,.

Please post any screenshots that you can post.

Also remember that you need to file the dispute in such a way that you should say you were supposed to receive an item by post but you didn't.

Never select digital items...

Comment #199

Erdinc-.

You asked this above:.

"Mitch,.

Can you post a screenshot of yours? I mean where did you get the information you posted here? Was it inside a paypal email or inside your paypal account or both?".

The info I already posted in this thread was part of the transaction history that paypal keeps on our records. It is also sent in an email as soon as the transaction is complete. But you already know that and so does everyone else in NamePros land. Therefore, the info already sent by me is adequate and enough imo. You do not need my transaction number nor my name and address as they would be on the original screenshot...

Comment #200

Erdinc, I got that payment details in csv file that is produced by paypal. If you have a masspay at your payment history at paypal, just quick check to see what info at there. At payment details there is nothing but just payment amount. And under that details there is a link to produce csv file that include transaction details. I have just copied the content of that csv file to here. Do you need ss of that csv file? If so, why?.

If you need ss of paypal page, believe me there is nothing to see All I can say that, go and please check a masspay details at your own paypal account. Everything will be same beside payment amount. There is no other specific info about the transaction...

Comment #201

I never said you bought zhi.net. Acctualy, I've never mentioned your name in public in this thread, only mods were involved with our situation. And I can confirm that your reputation is very good - Mitch solved our problem with the scammer fast and professional - domains where returned to rightful owners and money refunded. Mitch was the one who lost lots of money that day, but he is not bit*hing and accusing other NP memember like some people here.

Same thing what is happening here happend to us, 2 or 3 months ago - domains we bought where stolen from NP memeber godaddys acc like from ssamriga. I am goaddy VIP member, and my VIP representative later found out that domains were really stolen from NP member and sold on the forums. Same person** started with selling stolen domains agian, zhi.net anf g6v.com as far as we know.

Heres the proof that it's the same person - same username:.

Dynadot for sale thread, Mar 13, 2010 : https://www.dynadot.com/account/foru...-100-4960.html.

Dynadot for sale thread, Jun 12, 2010 : https://www.dynadot.com/account/foru...-350-5380.html.

Domains from the first thread are confirmed as stolen from a NP member godaddy acc, confirmed by undo@goaddy and my godaddy rep...

Comment #202

Btw ~hope~ I just re-read your PMs with the scammer and as far as I understand, he sold you g6u.com for $100, you paid and he transferred the name to you, right?.

So if this is true why do you accuse me of scamming you? From your perspective that's a normal deal. Or are you just acting on behalf of people who actually lost money in this incident?.

In your deal of g6u.com I am the one who was scammed, because I bought that name for $200+ which is my loss, you gained a stolen domain for cheaper than it's normal price.

Thanks!.

Oskars..

Comment #203

Who is currently holding g6u.com right now?.

Oskars, are you saying that YOU sold it to hope or a scammer did?.

Oskars, are you saying you will not contest domain ownership of g6u.com?..

Comment #204

Tfl.net changed just recently, retained the same nameservers:.

Current WHOIS:.

Registrant:.

Moustafa Mahmoud.

Alexa.

Alex, NA 21554.

Egypt.

Registered through: GoDaddy.com, Inc. (Domain Names, Web Hosting and SSL Certificates - Go Daddy).

Domain Name: TFL.NET.

Created on: 13-Oct-96.

Expires on: 12-Oct-10.

Last Updated on: 13-Jun-10.

Administrative Contact:.

Mahmoud, Moustafa.

188 E 2nd. St..

Lowell, LA 97452.

United States.

+1.4055008890..

Comment #205

Hi,.

I don't know for sure who has it, but judging by PMs looks like it is ~hope~.

That is my domain which was sold by a scammer.

I have not yet decided what do with it, at first I thought to leave it to ~hope~ as a good faith buyer, but after seeing his attitude I might just try to retrieve it through Godaddy undo system, because after all it was stolen form me. Post added at 04:48 PM Previous post was at 04:41 PM Thanks for the info!.

This certainly looks like the name was owned by Thomas Lettington, then it was stolen by the one using the name of Rita Camila and sold to Moustafa..

Unfortunately there is no sure way to tell if anyone by the name of Rita Camila is connected to the scammer or if that is just a random name he chose to use.....

Comment #206

Have you used the godaddy undo system on any of the domains that were stolen from you? If you have, why did you retrieve some and not all?..

Comment #207

Hi,.

G6u.com was the only name stolen from me...

Comment #208

I see that somebody registered bitijoon.com today..

I was going to register it and set up catchall E-mail. Who knows, you sometimes receive interesting mail on previously registered domains..

Comment #209

I noticed that it got registered yesterday too. Can whoever got it send me a PM?..

Comment #210

Just for you I will keep my mouth shut. I will let NP Staff resolve this issue...

Comment #211

Here you are the transaction details:.

Payment Sent (Unique Transaction ID #62H41725874755XXX).

Sent to:.

Rita camila.

Email:.

Amount sent:.

-$xxx.00 USD.

Fee amount:.

$0.00 USD.

Net amount:.

-$xxx.00 USD.

Date:.

14-Jun-2010.

Time:.

07:35:54 GMT+05:30.

Status:.

Completed.

Funding Type:.

PayPal Balance.

Funding Source:.

$xxx.00 USD - PayPal Account.

This transaction is subject to a buyer Complaint, Chargeback or an Unauthorised Claim. Go to the Resolution Centre to resolve this issue.

Wait me to add the headers of the second email too...

Comment #212

It looks like the scammer started to cover his tracks in recent transactions. We need to find older transactions from March 2010 or earlier. The recent paypal details don't show any useful information. It looks like the rita camila paypal account is used as a transport.

Mitch, did you dispute the transaction in March? It looks like you have paid to a more important account. This could be his main paypal account. We should get that one locked up. Generally, if anybody wants to dispute, don't select digital items because they are not covered.

There was somebody from digitalpoint whose friend got scammed for a LLL.com but they didn't come forward. Somebody said they tried calling this number and they have heard something in Iranian. This could be the scammer business phone number. I don't think paypal allows you to add a bogus number there. If I remember correctly when I opened a business account and added my phone number, they called me on that to verify.

Can anybody do a reverse lookup on this number: 416-225-9125?..

Comment #213

Hi,.

I didn't find anything wrong with these but in case I missed something here are Spybot logs for computer as NP claims from which the scammer was accessing NP as well as my second home computer which connects to the Internet through the first one...

2nd computer: Unfortunately no one of the NP administration has answered me yet how is it possible that according to them my computer was used at the time it was actually turned off...

Comment #214

Here you are the full headers for the second email sent to me from rita camila (ssamriga) :..

Comment #215

Please check this at a current whois server. Here you can see current details: WhoIs Search Results.

I think you see cached info...

Comment #216

There are two origination IPs so why did you check the one at the end of the headers form not the one at the start ?

Comment #217

I already posted this information here.

416 is a Toronto Area Code phone number. Reverse Look Up For This Number.

I haven't called this number so I can't be positive that it is Iranian. But when I do a Google search on the name from the reverse look up I get Iran related content.. so that's why I was wondering if this is a good clue because we have seen some fake Iranian names used before.

Skinny..

Comment #218

I found something new.

The Canada Toronto phone number (416) 225-9125 is real and it is connected to the person I found before. So we have two different leads ending at the same person Kouhyar Mostashfi, a software engineer from Iranian background, living in Dayton Ohio, US.

This person studied Engineering and Computer Science at Wright University, Dayton Ohio. (source).

Her is a Software Engineer. (source).

He is also running a website called iranclickbank.com which provides a paypal alternative for Iranian shoppers and collects financial information.

Screenshot: http://img819.imageshack.us/img819/1171/72779435.gif.

URL: http://web.archive.org/web/200708181...clickbank.com/.

Let me explain it all step by step.

1. mitch007 bought a domain from zhi and later on it turned out the domain was stolen.

2. I asked Mitch where he got that domain and he confirmed it was dynadot user zhi. Mitch kindly provided information from his paypal logs. He wrote here: http://www.namepros.com/3851061-post135.html 3. The dynadot user m_d_wooster_us is our scammer who later on changed his dynadot username to zhi .The reason why he did this is because he is trying to create the image he owns zhi.net which is a stolen domain and sold to somebody else.

The proof that dynadot user zhi and m_d_wooster_us are the same person is here:.

Screenshot: http://i50.tinypic.com/2q8x5br.gif.

Url: https://www.dynadot.com/account/foru...-400-4959.html.

4. Two different piece of information from Mitch's paypal transaction records will lead to the same peson. These two pieces of information are:.

This email: Customer Service Email: /jv5186.gif.

Kouhyar gave his friends phone number to paypal.

So there you have it. Two different pieces of information pointing to the same person. The guy is living in Dayton, Ohio and he isn't planning going anywhere. If I was scammed I would contact the authories.

Mitch, I understand that you don't want to show your transaction detail or your email. But can you not take a screenshot and hide these fields in an image editor. Even ms paint should do the job. You can paste in paint, cross those sections with the brush, click file/ save as and chose JPG and then publish the image at imageshack.us. I know you don't want to bother but this is just such an important piece of evidence. Others might print it out and use it.

You are the only one who has that paypal information. Other people have different paypal records. I think this is probably because you dealt with this guy earlier.

So far it has been a great team work.

Thanks to Mitch for posting that important paypal information..

Thanks to Satanclaus for spending from his own pocket to get historical whois info.

Thanks to Skinny for providing reverse phone lookup link.

Erdinc..

Comment #219

Erdinc excellent work.

I have this thing that's bugging me though.maybe I'm totally wrong, but something is bugging me. What if Kouhyar Mostashfi isn't our man?.

Yes he is in Engineering and Computer Science which is a hard knock but this would also mean that he would know others who know engineering and computer science.

Now his wife has a PHD from Queens and he is a Sr. Software Engineer.

Now how much money do you think they are making? A ton probably.

I Google Mapped his address and they seem to live in a very well to do nieghbourhood.. large homes. You can't street view his house but look at the surrounding area with homes that seem just as big and you will know what I mean.

Now what would a wealthy person making probably pretty good money be doing stealing a few k from some people. Yes he "could" do it, but why? What's his motive.? Edit: Iranclickbank is registered at yahoo domains. Domainers usually use GoDaddy, Namecheap, etc. How much about domaining would what we think to be our suspect know so as to discern which domains to hack and sell for a quick profit?.

His name is associated with 6 domains, and his yahoo email is only associated with 2 domains. (via domaintools).

So was this guys name a slip up or was it just like the phone number. Perhaps it is a friend of our current suspect who is really behind all of this.

That's my brain playing tricks with me.. probably read to many mystery novels as a kid. Anyway all I'm saying is we have to be sure this is the guy. because it could all be a good setup.

Were making progress though.I like I like.

Skinny..

Comment #220

Somebody used the email has also a contact in Tehran, Iran, although in the whois it has Ohio, US.

I think somebody who was scammed should call Negin (416) 225-9125 and ask her who might have used her phone number for paypal who also has technical knowledge on software and Internet.

And ask her if the business name "Arian FX" means anything to her, where FX is likely to mean Forex.

I'm guessing she doesn't know her details were used for fraud and she wouldn't be very happy when she finds out. But this is really for the authorities to investigate...

Comment #221

Yes the first scenario is impossible, the second is the one I was referring too. Sure it's a long shot.

Also if you read the forum posts of our scammer his english is terrible. I'd find it hard to believe that a senior software engineer would write like that and hold down a job.. but he could be faking it too.

Good work though.

Skinny..

Comment #222

I agree. His English isn't very good and using names like pornstar's name "silvia saint" in an email is just kids thing. I'm too thinking it could be a younger relative of them from Iran.

The iranclickbank.com website has public whois information. If I was a scammer would I put my name and contact details on display like this? I don't think so. So yes, this scenario is of course possible.

I would contact them and ask about this if I was scammed...

Comment #223

Hi,.

Has anyone who was scammed contacted Paypal or police about this? Involving the authorities might be the best option to find out where the money went. Since I have only lost (for now at least) $230 + time and nerves I doubt my local authorities will be willing to start an international research....

Somebody from USA should be able to do it easier, at least to check this Ohio lead..

Language used and the amount of money stolen obviously doesn't make it look like a senior software engineer would do that. (As well as me- a senior account manager at a multi-billion international corporation).

Thank you very much for all the effort you are putting into this Erdinc. I wish all to go well also with your stolen website...

BR,.

Oskars..

Comment #224

Erdinc, dude, you need to be in the private eye business. Great work Hope the real scammer gets exposed soon...

Comment #225

His case better be the truth and not just a bunch of search and find evidence! So far member (ssamriga) has no explanation to why his computer and IP were recorded for two accounts.

Until this matter can be explained none of the evidence put forward have anything to do with this member`s IP SCAM.

3 Domains were sold to me in less then a week, and two of those came from another scammer.

Unless member (ssamriga) and NP Staff know something the rest of us don't. Member ssamriga has to do better then use the words "I Don't Know"...

Comment #226

He posted a screenshot that shows "remote access" on his machine 3 times during the day where the NP posts were made. Isn't this more than words?.

If it was my machine I would do a screen recording. You can actually click on these logs and a new window will pop up with detailed information. But still on the screenshot there is "remote access" mentioned.

Do you have remote access on your event logs? I don't. I guess nobody else does. I means somebody is using your machine remotely. For instance if you would give somebody remote access, they could use your computer to post messages on namepros. On the other hand, how somebody can get remote access to your machine is beyond me. I'm not that technical...

Comment #227

Ssamriga,.

At this point, the best I can tell, this person logged into your NamePros account hence the reason why it's showing as a duplicate account.

I've not had the chance to read over the entire thread yet, but at this point I'd highly recommend changing your password here at NP (if you haven't already). That also goes for your GoDaddy account (again, if you haven't already done so).

I'm still researching this, but it seems ya'll have gathered a lot of information already.

EDIT:.

Can you confirm for me what email is supposed to be set for your NP account? I see that your email was changed twice on the 14th of this month both @inbox.lv.

EDIT #2:.

The IP's I've found for "m107" all trace back to Iran, while ssamriga's traces (and has always traced) to Latvia/Lithuania. At this point, I have no reason to believe that "m107" & "ssamriga" are one in the same. If his GoDaddy account was somehow compromised, it's highly possible that his NP account was as well.

EDIT #3:.

I see nothing suspicious in your HijackThis logs, btw...

Comment #228

Hi Eric,.

Thanks for your involvement!.

I changed all my passwords on the same day I discovered this of course..

Please confirm that you have evidence that my computer was used to access NP during June 13th!.

So far I have not found anything suspicious on my home computer (which was claimed to be used)..

Remote access events actually seem to be coming from my second home computer which is connected to the first one for Internet access (it is connected through LAN, I am also not technical I have no idea why would it show as remote access, so maybe the remote access is suspicious after all)..

I will send you the email info privately...

Comment #229

I show that your account was accessed by "m107" (based on IP) at:.

2010-06-13 11:05:43 AM.

2010-06-13 10:01:17 AM.

This doesn't necessarily mean they logged in through your computer, but through your account (username/password).

The "m107" account was last active:.

2010-06-13 10:56 AM.

And thank you for providing the email information, that seems to check out fine...

Comment #230

~HOPE~ who is upset with me because of my contribution to this thread is coming after me on other threads I posted just post annoying arguments.

Can you please help me out here? Can you check THIS and THIS topic and report this guy if you think he is making an untrue statement. The guy is accusing me of copying freshdrop.net which I didn't. Yes I created a website that does a similar job.

Why am I posting here? Because clearly ~HOPE~ is upset with me because of this thread and you can see his childish behaviour.

~HOPE~ I'm very disappointed with you. You don't have to act like this. In this thread you have been namecalling and ignoring facts. The guy posted a screenshot you say it is only words. When I point out you come after me on other threads I posted.

I'm already upset some unconsidered person copied my site files and created a replica. I don't want to deal with your nonsense at the moment...

Comment #231

Was the IP you recorded by the scammer any different then the IP's on file?..

Comment #232

I would like to know why and by whom his account was closed. We still have an unresolved issue with g6u.com.....

Comment #233


This question was taken from a support group/message board and re-posted here so others can learn from it.

 

Categories: Home | Diet & Weight Management | Vitamins & Supplements | Herbs & Cleansing |

Sexual Health | Medifast Support | Nutrisystem Support | Medifast Questions |

Web Hosting | Web Hosts | Website Hosting | Hosting |

Web Hosting | GoDaddy | Digital Cameras | Best WebHosts |

Web Hosting FAQ | Web Hosts FAQ | Hosting FAQ | Hosting Group |

Hosting Questions | Camera Tips | Best Cameras To Buy | Best Cameras This Year |

Camera Q-A | Digital Cameras Q-A | Camera Forum | Nov 2010 - Cameras |

Oct 2010 - Cameras | Oct 2010 - DSLRs | Oct 2010 - Camera Tips | Sep 2010 - Cameras |

Sep 2010 - DSLRS | Sep 2010 - Camera Tips | Aug 2010 - Cameras | Aug 2010 - DSLR Tips |

Aug 2010 - Camera Tips | July 2010 - Cameras | July 2010 - Nikon Cameras | July 2010 - Canon Cameras |

July 2010 - Pentax Cameras | Medifast Recipes | Medifast Recipes Tips | Medifast Recipes Strategies |

Medifast Recipes Experiences | Medifast Recipes Group | Medifast Recipes Forum | Medifast Support Strategies |

Medifast Support Experiences |

 

(C) Copyright 2010 All rights reserved.