Internet Mail Spam

enom is the source of recent spam campaigns

I’m still watching over spam. The latest trend is spam campaigns which have a few characteristics in common, perhaps the most interesting of which is that the domains have all been registered at

The details
Some other things in common. These recent campaigns fell into two main categories. One set uses domains which are semi-pronounceable. The other uses domains which incorporate sensible English words. Both categories have these other features in common.

– brevity (no HTML, for instance)
– valid SPF records (!)
– domains were used for spam almost immediately after having been registered (new domains)

Today’s example

From:        Patriot Survival Plan <[email protected]> 
To:        <[email protected]> 
Date:        05/22/2014 04:22 AM 
Subject:        REVEALED: The Coming Collapse 
[email protected]
Since I exposed this I'm getting a lot of comments. 
People are terrified and they are asking me to spread the word even more...
So don't miss this because it might be too late for you and your family!
Obama's done a lot of stupid things so far, but this one will freeze the blood in your veins!
He's been trying hard to keep this from American Patriots... but now his betrayal has finally come to light.
And he'll have to pay through the nose for this.
But here's a Warning: the effects of Obama's actions will hit you and your family by the end of this year.
And they'll hit you like nothing you've ever seen before...
So watch this revealing video to know what to expect...
and how to protect against it.
-> Watch Blacklisted video now, before it's too late -->       
No_longer_receive_this _Warning :
Patriot Survival Plan _405 W. Fairmont Dr. _Tempe, AZ 85282
First off, there's nothing special 22409526 in the Ironbound. Food in quantity, 22409526not quality. It's amazing how many people 22409526 rate these establishments as excellent. This said, I've always had fun going to these places, 22409526 as long as your dining expectations are gauged accordingly. Therefore, 22409526 my rating reflects those reduced expectations. :)
Being a steakhouse, 22409526 one would expect a thorough steak menu such as those at Gallagher's, Luger's, or even Del Frisco's. However, you're not getting true steakhouse fare here; 22409526 it's the Ironbound after all. So, you're getting a less than Prime cut of beef, 22409526 sometimes cooked to your liking.

Whois lookup of shows this:

Registry Domain ID: 1859701370_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2014-05-21 17:26:19Z
Creation Date: 2014-05-22 00:26:00Z
Registrar Registration Expiration Date: 2015-05-22 00:26:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4252744500
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: DONI FOSTER
Registrant Organization: NONE
Registrant Street: 841-4 SPARKLEBERRY LN
Registrant City: COLUMBIA
Registrant State/Province: SC
Registrant Postal Code: 29229
Registrant Country: US
Registrant Phone: +1.8037886966
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Organization: NONE
Admin Street: 841-4 SPARKLEBERRY LN
Admin City: COLUMBIA
Admin State/Province: SC
Admin Postal Code: 29229
Admin Country: US
Admin Phone: +1.8037886966
Admin Phone Ext:
Admin Fax: +1.5555555555
Admin Fax Ext:
Admin Email: [email protected]
Registry Tech ID:
Tech Organization: NONE
Tech Street: 841-4 SPARKLEBERRY LN
Tech State/Province: SC
Tech Postal Code: 29229
Tech Country: US
Tech Phone: +1.8037886966
Tech Phone Ext:
Tech Fax: +1.5555555555
Tech Fax Ext:
Tech Email: [email protected]

See 1) that it was registered yesterday at 17:26:19 Universal Time, and 2) that the registrar is enom?

And the SPF record:

> dig +short txt

"v=spf1 a mx ptr ~all"

Actually this domain is a small aberration insofar as it does not have a SPF record with a -all at the end – the others I checked do.
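An added example, not part of the original post: the traits listed above (new domain, this registrar, published SPF) written as a check over the WHOIS fields and SPF string quoted in this section. The function names, the three-day age threshold, and reading the message's Date header as UTC are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the WHOIS fields and the SPF string are the ones
# quoted in the post; the domain name itself is not needed for the check.
WHOIS_TEXT = """\
Registry Domain ID: 1859701370_DOMAIN_COM-VRSN
Updated Date: 2014-05-21 17:26:19Z
Creation Date: 2014-05-22 00:26:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrant Fax Ext:
"""
SPF_TXT = "v=spf1 a mx ptr ~all"
# Assumption: the message's "05/22/2014 04:22 AM" Date header is taken as UTC.
RECEIVED = datetime(2014, 5, 22, 4, 22, tzinfo=timezone.utc)


def parse_whois(text):
    """Return {field: value} for 'Field: value' lines; first occurrence wins."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def parse_whois_date(value):
    """Parse 'YYYY-MM-DD HH:MM:SSZ' (or 'T'-separated) as UTC; None otherwise."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})Z", value or "")
    if not m:
        return None
    stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc)


def spf_all_qualifier(txt):
    """Return the qualifier on the 'all' mechanism ('-', '~', '?', '+'), or None."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None  # not an SPF record at all
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None


def campaign_signals(whois_text, spf_txt, received,
                     max_age=timedelta(days=3),
                     registrar_ids=frozenset({"48"})):
    """Collect the traits the post describes; a missing creation date yields no age."""
    who = parse_whois(whois_text)
    created = parse_whois_date(who.get("creation date"))
    age = received - created if created else None
    qualifier = spf_all_qualifier(spf_txt)
    signals = []
    # A negative age (clock skew, or a differing timezone) still counts as new.
    if age is not None and age <= max_age:
        signals.append("new-domain")
    if who.get("registrar iana id") in registrar_ids:
        signals.append("watched-registrar")
    if qualifier in ("-", "~"):
        signals.append("spf-published")
    return {"age": age, "spf_all": qualifier, "signals": signals}


if __name__ == "__main__":
    print(campaign_signals(WHOIS_TEXT, SPF_TXT, RECEIVED))
```

With the sample above, the domain was under four hours old when the message arrived. The signals are inputs for a scoring filter, not a verdict on their own.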

What to do, what to do
Well, I reported the spam to Postini, but I don’t think that has any effect as they are winding down their business.

I am pinning greater hopes on filling out enom’s abuse form. Of course I have no idea what actions, if any, they take. But they claim to take abuse seriously so I am willing to give them their chance to prove that.

enom’s culpability
I don’t feel enom is complicit in this spam. I’m not even sure they can easily stop these rogue operators. But they have to try. Their reputation is at stake. On the Internet there are complaints like this from years ago, that enom domains are spamming.

Every one that comes across my desk I am reporting to them. The time it takes for me to report any individual one isn’t worth the effort compared to the ease of hitting DELETE, but I am hoping to help lead enom to find a pattern in all these goings-on so they can stop these registrations before new ones cause harm – that is why I feel my actions are for the greater good.

Other recently deployed enom domains


First spam seen | First registered

etc – there are plenty more!

Finally we hear back
Weeks later, on June 14th, I finally received a formal response concerning and

From: [email protected]
Subject: [~OOQ-128-23745]: FW: eNom - Report Abuse - Reference #ABUSE-11116
Thank you for your email. While the domain name(s) reported is registered with Namecheap, it is hosted with another company. So we cannot check the logs for the domain(s) and confirm if it is involved in sending unsolicited bulk emails. We can only take an action if a report is confirmed by blacklists of trusted anti-spam organizations like SpamHaus or SURBL.
Thus, we have initiated a case regarding the following domain(s) blacklisted by trusted anti-spam organizations:
In case the listing is not removed, the domain(s) will be suspended.
The following domain(s) has already been suspended:
Let us also suggest you addressing the issue to the hosting company which servers were involved in email transmission for help with investigating the incident of spam. You may find their IP address in the headers. To find their contact details, please whois this IP address. You may use any public Whois tool like 
Kindly let us know if you have any question.
Alexander XXX.
Legal & Abuse Department
Namecheap Group

Analysis of their response
Reading between the lines, here’s my analysis.

– There’s some not-well-documented relationship between enom and
– I reported the abuse to enom and got a response from
– I kind of agree that suspending a domain is a BIG DEAL and a registrar has to be on firm footing to do so.
– As I write this on Jun 16th, the domains do not yet appear to be suspended.
– Are you really going to trust Spamhaus to render your judgement? That’s basically one of those extortionist enterprises purportedly offering a take-it-or-leave-it service.
– If the author of that email was a lawyer, well, their English isn’t the best. That doesn’t provide a lot of confidence in their handling of the matter.
– And wasn’t my complaint by itself good enough for them to initiate action?
– I do have to concede the point that the sending of the spam was probably out of their control and probably did come from another hosting company. But it is glib advice to suppose it is that easy to track them down the way they describe. Since they are part of the problem and have the evidence why don’t they follow up with the hosting provider themselves??
– There was no mention of my other eight or so formal complaints. So this still seems to be getting an ad hoc one-by-one case treatment and not the, Whoa, we got a problem on our hands and there’s something systemically wrong with what we’re doing here reaction I had hoped to provoke.

Actually I got two responses but with slightly different wording. So they were crafted by hand from some boilerplate text, and yet the person stitching together the boilerplate was sufficiently mindless of the task as to forget they had already just sent me the first email??

So their response is better than a blackhole, but perhaps could be characterized as close to the bare minimum.

I have gotten several other responses from some of my other complaints as well, all saying pretty much the same thing. In August the responses started to look different however.

August responses
Here’s one I received this morning about, 19 days after my initial complaint:

This is to inform you that domain was suspended. It is now pointed to non-resolving nameservers and will be nullrouted once the propagation is over. The domain is locked for modifications in our system.
Thank you for letting us know about the issue. 
Alexander T.
Legal & Abuse Department

I hope my actions spur enom into some action of their own in figuring out where their domain registration requirements are too lax that spammers are taking wholesale advantage of the situation and sullying their reputation.

June, 2014 Update
The storm of spam from enom has subsided. I’m basically not seeing any. Oops. Spoke too soon! New enom-registered domains popped up and created more spam storms (documented in the table above), but not as severe as in the past. I don’t know if our anti-spam filter got better or enom stepped up to the plate and improved their scrutiny of domain registrants. If another spam storm hits us I’ll report back…

August, 2014
enom-generated spam is back!

My most popular spam-fighting article describes how to defeat Chinese-language spam.
A new type of spam that uses Google search results for link laundering is described here.

32 replies on “enom is the source of recent spam campaigns”

I have just done a whois on ~500 spam emails that I have received. These emails span the gamut from harmless to phishing. Approximately 90% of these are from enom registered (and perhaps enom hosted) domains! Given the number of registrars out there, I doubt that this is coincidence. I have sent some documentation (e.g., domain names and name servers for those domains). A huge percent of my 500 are using the same nameservers ( or Enom has not replied.

I’ve contacted both eNom & the reseller, NameCheap about phony Facebook postings on many, many comment sites. They claim to know nothing & have no control over their clients. Regardless, NO ACTION!

My company has also been impacted by a high number of SPAM emails coming from enom registered and DNS hosted addresses. I have had some success reaching them via Twitter and LinkedIn, but the SPAM continues. I suspect their registrar reseller platform has APIs that have been scripted against, allowing mass domain registrations. They could track this activity down I suspect if they took an active same day approach, but their complaint forms I bet don’t get processed timely enough to track down IP addresses. But, how are these domains being paid for? Follow the money, disable accounts and plug the API holes allowing this type of exploitation!! Pretty clear their platform is getting abused. Maybe Verisign (.com & .net registry) could help guide them as I can’t imagine they enjoy fraudulent registrations and abuse of their domains.

I get 30 to 40 spam emails from enom registered domains every day. I just don’t have the time to do much about them. I fear that completing their abuse report form just adds fuel to the fire.

I try to add the domains to the domain blocker on my spam filter but to no avail as the spammers just register a new domain.

I am receiving ~1000 spam/phishing/fraud emails from domains registered by enom or registered BY enom with Eurid (.eu domains). Some of the Eurid domains have Jeff Eckhaus, a principal at Enom, as a contact. Spams contain links to (non-existent) companies with domains also registered by Enom, NameCheap all traceable to Enom. Enom is not just the registrar, there is ample evidence THEY ARE THE SPAMMER/SCAMMER. Enom will respond to an abuse report with lip service that they are or have taken action on a domain… actually there is typically only one single broadcast made from a given domain, so five minutes after the broadcast they can suspend or cancel a domain and it has no effect… by then they are using the next one for the next broadcast. At this point in time, of the total spam email I receive, over 98% is sourced to Enom. Mr. Eckhaus is the “primary point of contact between Enom and ICANN”. Mr. Eckhaus and Enom are making my email useless… anyone else???

I’ve seen similar patterns for groups of .click email bulk registered at eNom (or perhaps via a reseller of theirs).

In general, have people found the whois data to lead to a stolen credit card?

enom spam namecheap spam tucows spam icann. there are several domain name registrars that allow domain registrants to spam. is a company (domain registrar) that takes no action when confronted with spammers from registered icann domains at their company. will simply ignore you, if you send them spam headers, complete spam headers. (namecheap) is a silly company that also ignores you when you let them know that their registrants (domain owners) are spamming. namecheap is particularly funny because they have a policy anti-spam, but it is not enforced. the policy says that if you spam, and a hoster (hosting company) has an anti-spam policy, then your domain can be revoked. I showed their own policy in the paragraphs of their terms of service page and they did not care. tucows is another company that will not help you with spammers from their registry. they simply will tell you that they have wholesalers and middle-men, and are not responsible! I wrote about my issues on onmyminddailycom

I have been active in the trenches on the anti-spam side of the front for 20 years, and I can tell you that eNom is aware of their spammers and complicit to them; probably because their spammers provide them with so much revenue in domain registrations. Trying to educate them is pointless. I have taken to blocking emails with domains registered through eNom. While this catches a few false positives, managing a whitelist for those is much easier than a blacklist for recently registered spammer domains. I also attempt to get legitimate domain owners registered through eNom to move to a different registrar. Their ‘anti-spam’ stance is phony.

Can you help me out with how you are blocking spam that is registered through I too am getting deluged with spam from them, though I cannot see a way to block email from registrars in my cPanel or via Spam Assassin. Any help would be greatly appreciated.


there is one example : , a famous dating website registered in enom and they have a terrible policy to leave scams , they delete profiles without warning, they never answer to mails, and leave no contact datas to contact them, so I would say avoid enom if possible, it’s not professional as far as I can see ….

Could you please tell me if helpinghandsbulldogs with is a legitimate website/company? I checked the domain, and found enom, but also read your posts, so unsure how to tell. Thank you so much. Lynn

I assume you mean Yes it’s with enom. Country of registration is Panama – already sounds fishy. As for general reputation, I use Cisco’s site If you look it up it has a Poor web reputation.

I wouldn’t touch it.

I have been receiving spam from the enom/namecheap combination for about 2 months, and get 2-8 emails per day. I have contacted both enom and namecheap repeatedly, have received many “ticket numbers”, but the spam continues. I have set a blocking filter on every single friggin email, but it makes no difference. The exact same sender/domain still comes through.. My question is — how do you block all mail coming from domains registered with enom? I am using Mozilla and their tech help seems to indicate that blocking an entire domain is not possible. Please help coz this is pissing me off and lord knows, there are plenty of more important issues to get pissed off about!! JoAnn

Someone who is spelling-challenged tried to post a comment to report it to, “it worx.” I am deeply skeptical that that would do anything at all. Has anyone heard of anything coming of reporting spam with non-monetary losses to to any effect? How do you report spam to them? What if spam originates from overseas? I think the guy was trying to spam my site, but as the comment was topical I wanted to summarize and respond.

Blocking filters have finally had an effect. I have also blocked replies from enom and namecheap. Only 1 email per week coming through at the moment, but who knows how many are still being sent, as I set the filters to automatically delete.

I have reported 80 of these spams to Enom and now have accumulated over 1300 additional.

As soon as I complained to Enom I started getting deluged with them as if Enom gave them my address after I filed a complaint with them.
I would like to strip all but the origination information from the headers and send them to addresses at Enom corporate. That, however could take a week of my time.

Any suggestions other than a DDOS attack?

I am getting spam text messages and calls from owned sites. How does one contact them and get this to stop? I’m almost to the point of violence! The phone numbers I am contacted with are non working numbers. This I’m sure means they are using some sort of “spoofing” software to avoid an FTC crackdown. I am on the do not call registry and have been for some time. When I try to register a complaint the number I was contacted from of course is not working so they can do nothing about it. When I get a text message from them, if I follow the link I can go to the FAQ section where I get a “contact us” number that of course doesn’t work…….any help with real phone numbers would be great!

I just filed a complaint with the better business bureau and the Washington State Atty General . It is very clear that enom is not doing anything , probably never will , without some political pressure

eNom is owned by a company called The spam messages you describe (in May of 2014, over two years ago) are still pouring in a torrent as of August 2016, and still advertising domains registered at eNom…and hosted by eNom’s parent company, Rightside.

These spam emails are from a ROKSO (Register of Known Spam Operations) listed spammer, who has been spamvertising the same products from an ever-changing array of eNom-registered domains for many years. (I still receive spam messages that are nearly word for word identical to the message you posted two years ago.)

It is impossible, at this point, to conclude anything other than eNom and their parent company Rightside are bulletproof spam supporters.

Wow. Your comment is really illuminating, and saddening and maddening. It is appropriate to give the benefit of the doubt for apparent bad behavior that is unintentional, short-lived and corrected. But an established pattern over years…that is beyond the pale and shows systemic failure or more likely complicity.
I was going to call on all and admins and Netizens to starve eNom of revenue by banning access to/from their domains wherever feasible due to these egregious violations of Netiquette; but even I have friends who use them – I think through Namecheap – that I can’t dissuade to change. So if we were to ban them as high-minded and appealing as that sounds, there would be a lot of collateral damage.

What can we do to stop the SPAM? I am finding dead-ends in my fight against SPAM.
I get a multitude of recognizably, “similarly formatted” emails daily. A link to a SPAM email (look up , SPAM from came today, 01/19/17).

The chain goes something like this.
* Registrar is always originating via
* Reseller of bogus spam email domain is always via
* Reseller
* Registrant always hides behind out of Panama
I use to look up each domain individually.

So who is the culprit? The paper trail ends in Panama because Juan Carlos Mata (whose website’s Registrar is “strangely” haha, via, is protected as Registrant using his own service.

Neat little arrangement huh?

So who is culpable for this SPAMocracy?
The folks in Kirkland, WA?
Or the folks in Phoenix, AZ?
Or, the folks in Panama City, Panama?

Any ideas how to stop this nonsense? I’ve done the same as you Dr J… similar email response from There’s no way to stop them as the new domains are a never-ending, SPAM abyss.

I know this thread is dated, but just an update as the emails continue.


I became deluged with ENOM / NameCheap spam beginning on Jun 2016 and I get from 2-4 spam emails from one or the other each day since then and continuing up through today. Unfortunately, my spam filter catches only about 5% from each registrar.

Here is the way my history transitioned. The initial roll out with me as a target started June 2016 and with all of the spam coming from ENOM registered domains. I kept sending abuse@enom daily reports all went ignored. No response whatsoever. So I wrote to the BBB and reported them as being a spam haven partner and after about a week, to my surprise ENOM responded back through the BBB and with that stated they had killed all of the domains I had reported as well as sent me a list of the twelve or so they had deleted. Still this meant little, since the spammer relies on the domain to be productive primarily on the day the spam email is delivered. Well further complaints to ENOM seemed to fall on deaf ears and the spammer moved to using registrar while attempting to depend on the language barrier to stop reports to the .co organization of the bogus WhoIS contact data (I took care of reporting to them because I am bi-lingual).

Now today the only process that seems to work against ENOM/ NameCheap spam partnership is to report to the registrar’s regulating authority the bogus name, address and phone for the domains that are being logged into WhoIS. This still takes up to a week to process, so the spammer and their ENOM / NameCheap spam partner still is virtually unaffected.

Today the spammers have shifted back to NameCheap almost exclusively and the spammer seems to no longer care that invalid whois data reports are being submitted to ICANN and the Colombian .co authority, since the evil deed they are doing is completed long before any authority can get to the queue to take down the domain.

NameCheap differs primarily from ENOM in that while ENOM pretends to “take spam seriously” they will do nothing regarding your reports for several days, assuming they do anything at all, and then they make a whoopla about taking action long after it is too late to stop the payload of “first responders” to the spam emails. NameCheap differs in that their abuse@namecheap will blatantly tell you they don’t get involved in customer’s spamming activity and suggest you take it up with some legal authority, saying their hands are tied.

Speaking of legal authority, does anyone know of any lawyer that would take on a class action lawsuit and file it against NameCheap and ENOM? It seems that the loss of more money than their $10 – $40 daily spammer windfall may be the only language that these two can understand.

I’m in the process of looking into a class action suit against They can’t be stopped (see my post prior to yours Don Anthony). This may interest you, just the other day I received a similarly formatted SPAM email with the host registrar coming from (rather, the unsubscribe weblink was via namesilo). HOWEVER, when I hit “reply”, the website registrar was once again via

All my emails to enom and namecheap fall on deaf ears. They always say write the registrant (I find it funny that all their reply emails noting whois information are extended hyperlinks -hovering over them reveals a likely trackable hyperlink -not the simple whois url as it appears).

So now, somehow, enom and namesilo appear to be in bed together. I can’t believe the blatant disrespect these companies have for one’s privacy and email address. I’d like to bury the email address and forget about it, but unfortunately it is one many work related colleagues know and I feel that it may take a toll on prospective business interests.

These guys must be stopped. Let’s keep this thread active if anyone can offer some sort of ideas to put an end to these jerk-offs.

Thank you all!

Most of the spam I receive nowadays are those sexy new “invalid e-mail address” types, which use an unblockable e-mail address as the “sender” – example: <"”@–>

Note the use of non-text characters…Naturally, my e-mail provider allows this rubbish into my Inbox, yet will tell me the e-mail address can’t be blocked because it’s “invalid”. My response: if you can detect that the incoming e-mail is coming from a fake address, why the HELL are you allowing it to proceed?

While the spam comes from a plethora of supposed senders, they consist primarily of images, which are most often hosted via and, both of which operate through Enom.

Only thing I’ve really done is set up rules redirecting e-mails containing and in the header to [email protected]

I’ve been collecting domains from which I receive spam and came to the same conclusion (hence why I ended up on this blog post) that a lot of these domains have been registered at Below a few of these domains, you can clearly see these have been randomly generated:

@Bootsy Collins I would like to join in on the class action. We could even start a crowd funding campaign to fight these guys.

This is what Wikipedia says about

As of April 2013, Enom is listed as the #1 registrar in terms of the number of spammer registered domains listed on URIBL.

Hey Brt. I’ll keep you posted w/ respect to the class action. I’m receiving 10-15 Enom Registrar, Namecheap Reseller, and Whoisguard protected spam emails per day (and if I check my junk folder, +10). They send the same nonsense reply each time I bother complaining to [email protected]..

As far as compiling a list of namecheap/enom domains originating spam -it’s futile. Although if you have the time, save them all in a folder, and maybe attach a quick whois search as you archive. Their spam domains populate as quick as they dissipate. I’ve looked up domains registered the same day +/- as the day I receive their SPAM.

Anyone with any ideas how to stop them? On the email account they’re killing me slowly w/ SPAM is an account I can’t utilize many, or any of the typical tools. I wonder if a service like Barracudanetworks tracks daily each domain via Enom registrar, Namecheap Reseller, Whoisguard privacy enabled, and their subsequent IPs? I’m at a loss.

Any ideas how to involve ICANN more proactively? Namecheap’s slick little scheme seems to be one that’s unstoppable without one, an ICANN disciplinary action, or two, a large class action suit. In the meantime, harvest all Enom/Namecheap/Whoisguard spam. Stash it in a folder, and again, time permitting, maybe attach a whois report when you file each email.

One other thing, they’ll occasionally throw a curveball and send SPAM using a different Registrar than enom or namecheap (but enom owned), but if you click “reply” to the email, instead of looking at URL domain w/in link, you’ll find it’s originating via enom/namecheap. Keep this thread alive. These hoods are relentless and falsely feel bullet-proof. They can, and will be taken down.

Absolutely have no respect for ENOM, INC. Google bought blogger. From there, ENOM has tricked many bloggers into registering their domain names with ENOM. Then they take your renewal fee and your blog is still not visible. When you call it’s a disconnected number. These crooks are disgusting. Sneaky. Shady. NEVER AGAIN.

I am flooded by spam email and phishing mails from apple, amazon, LinkedIn ( all fake of course) and I traced it back to enom and a company called select insights. None of the email addresses provided worked. The phone number does no good as no one answers and we are supposed to leave a message . It is really frustrating and I am at a loss. I keep forwarding the phishing mail to the companies mentioned above but so far nothing has been resolved, I did send a mail to enom. Time consuming and a real invasion of private space.
Please if someone has a solution share with us.
