Spam Links Blog

Chesterton Holdings are swiping spammers' domains from under their noses - but who are "Chesterton"?

Domains used by spammers in links to their websites have recently been swiped by an outfit calling themselves "Chesterton Holdings". Far from being a white knight vigilante, it seems Chesterton may themselves be a nuisance, part of a murky corporate world of "domainers", domain kiting and pinched whois searches.

I was checking out a spam sent on 1st August from a "Pharmacy Express" spammer (possibly Yambo Financials) selling "Vijagra" and "Cijalis" from a site called www.brotersad.com. To my surprise the website was one of those holding pages, used to make money out of dormant domains. It had entries to sponsored links for "Sexual Enhancement" and "Phetermine", so while it wasn't what the spammer wanted me to be seeing, curiously it did seem to know in what context the domain was to be (or had been) used. The site served links from Information.com, and a search for words on the page found several more holding pages like this hosted by Information.com. The spam was sent on the 1st, and the domain was registered by "Chesterton Holdings" on the 2nd, through the registrar Name King.

On the second occasion a week later a spam this time certainly from Yambo Financials was affected. Instead of going to a page for MyCanadianPharmacy, the URL redirected to a page entitled "Zeretcon.com: What you need, when you need it". This is the Oversee.net "DomainSponsor" service. Thousands of other sites share the same layout. Oversee.net own Information.com, so the previous site is probably part of the same service. The domain was registered in the same way to "Chesterton Holdings" very soon after (or even before) the spam was sent, giving an address and phone number in Los Angeles as the registration details.

A phishing domain has also been grabbed by "Chesterton Holdings", again with text on the holding page tailored to the right topic, such as "Midamerica Bank", and with the same "What you need, when you need it" tagline and layout.

At first sight it looks like Chesterton Holdings are somehow discovering domains that a spammer is using or intends to use in spam, registering those domains with Name King before the spammer gets there himself, and then using Oversee.net's DomainSponsor service to "monetize" the domain. The uncannily accurate wording on the would-be spam or phishing site may be influenced by people searching in the box on the page for words relevant to the phish or spam that lead them to the page. Using those words, the sites cleverly adapted their contents, as the DomainSponsor site boasts.

So, who are Chesterton Holdings? On the chestertonholdings.com website they claim that they "acquire our names in bulk through proper channels and sophisticated technology", which doesn't make things any clearer, and sounds downright fishy. A few incidents, most notably covered in eWeek's "Whois Hijacking My Domain Research?" by Larry Seltzer with more comments elsewhere, suggest they may be domain kiting (or domain tasting) after somehow acquiring results from web based whois lookups - which does not sound like entirely "proper channels" (as the spammers like Yambo might agree). The suspicions of domain kiting were confirmed by DailyChanges, who track domain sales - Chesterton both bought and sold over 100,000 domains in one day in August 2006, which is a sizeable portion of the total daily adds and deletes.

Research by Brad Waller on ReveNews (using tools listed at Server Usage> on Spam Links) shows that several similar companies are operating from the same server: 207.234.147.193 hosts Hornbrook Holdings (hornbrookholdings.com), Hornbrook Company (hornbrookcompany.com), LaPorte Holdings (laporteholdings.com), Jucco Holdings (juccoholdings.com), Munchale Holdings (munchaleholdings.com) and Field Lake and Sky (fieldlakeandsky.com), all registered with similar details and all through Name King.

A search of California State records (found off US States Public Records on Spam Links) showed that Chesterton Holdings and LaPorte Holdings are registered businesses in California, while Munchale Holdings is now suspended. Both Chesterton and Munchale were registered on 10/28/2004 at 818 West 7th St Ste 700, Los Angeles, CA 90017, while LaPorte was registered on 9/13/2004 at 5482 Wilshire Blvd #128, Los Angeles, CA 90036.

Looking into Name King, the registrar for the domains, showed that unusually there was no way to sign up to register domains with Name King on their website. One site, Domain Cargo (domaincargo.com) claimed to register their domains via Name King, and unconvincingly implied that they are separate entities. Neither NameKing nor Domain Cargo were registered as companies in California, though Domain Cargo's whois showed the registrant as Munchale Holdings, linking it back to Chesterton Holdings. Name King have been involved as registrar in past domain squatting cases, for the majority of which LaPorte were registrant and failed to answer the complaint. Of the rest, some were against "Horoshiy" and Jucco Holdings. When I checked a domain "gapbusters.com" that was once owned by Horoshiy it was instead registered with Jucco Holdings, so it is possible that Horoshiy is linked to Chesterton and friends.

Looking more closely at the registrations for the various domains listed earlier, I could see that the domains hornbrookcompany.com, hornbrookholdings.com, chestertonholdings.com, juccoholdings.com, munchaleholdings.com and fieldlakeandsky.com all had name servers provided by nameking.com and were all served from the single IP 207.234.147.193, hosted with Affinity Internet. The Name King servers were hosted out of one of Oversee's IP ranges, which suggested a connection between Name King and Oversee.net, who provide the holding pages.

The addresses used for Name King (2202 S. Figueroa St. Suite 721, Los Angeles, CA 90007), LaPorte (5482 Wilshire Blvd #128, Los Angeles, CA 90036), and Chesterton, Domain Cargo, Munchale, Hornbrook and Jucco (655 Flower St #253, Los Angeles, CA, 90017) were respectively a UPS store and two MailBoxes etc. stores. The Chesterton (and Munchale) Holdings corporate registration address (818 West 7th St #700, Los Angeles, CA 90017) is located right next to the second MailBoxes store, and a short drive both straight up S. Figueroa St to the UPS store and up Wilshire Blvd to the first MailBoxes store. Only fieldlakeandsky.com does not fit in - it is in Wyoming - but the address is another MailBoxes store. At one point the same West 7th St address was given in , but seems to have been altered since, so Name King and Chesterton, LaPorte etc. are one and the same, not registrar and customer!

Checking the phone numbers in the domain registrations, I confirmed that they are all in the core of the downtown Los Angeles business district. The number for Name King (213-220-5715) is a cell phone, as are those for Chesterton (213-407-1774) and Hornbrook/Jucco (213-924-8981). Those for Domain Cargo/Munchale (213-612-0610) and LaPorte (213-683-9910) are fixed lines, and a business reverse search on this last number of LaPorte's gave the same W 7th St address as for Chesterton Holdings, possibly taken from an old whois registration.

Going back to Oversee.net, who provided the DomainSponsor holding pages to which the swiped domains pointed, I found that the Oversee.net company headquarters are located at exactly the same address (down to the suite number) as that given in the Chesterton Holdings corporate registration - and both use the same company, Paracorp, as their registered agent. The suite number (700) was confirmed by the address given on low.com, an Oversee.net site, and on whois registrations for Oversee.net's networks. This address is also that at which Name King once gave an address in whois, and with which LaPorte holdings is associated by a reverse phone lookup. The post boxes are thus conveniently located a short drive from the Oversee.net headquarters, and the Oversee.net corporate address coincides with addresses used by Chesterton and in the past by LaPorte and Name King.

The picture that emerged was that Chesterton Holdings (and the other "holdings" companies), Domain Cargo and Name King are closely tied with each other, and with Oversee.net. Name King appears to be used to allow the group to register domains for themselves, and the holdings companies are used to dissociate the less PR-friendly activity from Oversee.net. By using mailboxes and registered agents, the relationship between Oversee.net, Chesterton Holdings, Name King and Domain Cargo was shrouded, but the evidence shows that all of them are run from the same offices. The same conclusion is reached in this thread on Domain State, though the corporate registration piece is missing from their jigsaw puzzle; this is picked in up this digg thread on the same topic.

A Friendster page of an Oversee employee helps confirm the link: Vy Tran lists her companies as "LaPorte Holdings, Oversee". That may have been enough to have her personally named in a lawsuit that the Scouts brought against Oversee back at the start of the year.

Who are Oversee.net?

Oversee.net is an Internet advertising company. A large part of their business revolves around "monetizing" and growing their domain name portfolio. Lawrence Ng is the head of Oversee.net. Aged 21, in 2000 he co-founded the company with Fred Hsu. Ron Sheridan is Director of Business Development, whose saying is "He who controls the traffic, makes the rules". Jothan Frakes is Director of Strategic Accounts, who hosted a recent ICANN meeting on these very issues in the "domain marketplace".

Swiping and monetizing domains searched in whois might appear to be a natural extension of the Oversee.net business model ("He who controls the traffic, makes the rules"), but given the secrecy surrounding the Chesterton Holdings page, Oversee.net apparently do not wish to be associated with this. The press contact for Oversee.net stated that the "business model of Oversee.net is not based on deliberate bad-faith domain registration", but failed to respond to further questions.

As to how domain swipers get the data, Larry Seltzer and others point the finger at harvested web based whois searches, but exactly from where and how the whois search data reaches "Chesterton" remains unclear. The number of domains registered as Chesterton Holdings is large and rapidly changing so it is likely they will cross another spammer or two (as well as less deserving victims) in the future.

Timeline:

30 Nov 2000	OVERSEE.NET company registered
18 Mar 2001	oversee.net registered
21 Mar 2001	targetwords.com registered
03 Jul 2001	inboxrewards.com registered
31 Jul 2001	domainsponsor.com registered
17 May 2002	proredirect.com registered
02 Sep 2004	C AND J VENTURES, INC. registered
13 Sep 2004	LAPORTE HOLDINGS, INC. registered
28 Oct 2004	MUNCHALE HOLDINGS, INC. registered
28 Oct 2004	CHESTERTON HOLDINGS, INC. registered
   Nov 2004	Oversee.net launches DomainSponsor 2.0
29 Nov 2004	hornbrookcompany.com registered
30 Nov 2004	laporteholdings.com registered
30 Nov 2004	hornbrookholdings.com registered
22 Jan 2005	First page in archive.org with NameKing.com in current form
08 Mar 2005	chestertonholdings.com registered
19 May 2005	domaincargo.com registered
03 Mar 2006	juccoholdings.com registered
07 Jun 2006	fieldlakeandsky.com registered
21 Jun 2006	munchaleholdings.com registered

(A similar domain swipe seems to have happened back in April this year, to the same "Pharmacy Express" spammer, this time affecting the domain swigotis.com. The site showed the same DomainSponsor layout, but the registration of the domain is to a "C and J Ventures Inc", based in Long Beach, California. It is not immediately clear how much this has to do with the main Chesterton Holdings domains, but the location may be more than coincidence.)

[Edited to add employee details, and move swigotis paragraph to the end.]