2SafeLocals.net and Verify-Locals2.com

Here are two more fake dating sites:

2safelocals.net
verify-locals2.com

If you try to visit the home page of either of them, you see the message "Error 401. Please enter the full Link". You need to include a path to one of the viewable pages. For example, these URLs both work.

2safelocals.net/emily4u
verify-locals2.com/emily4u

The sign-up form for 2SafeLocals.net is inside a frame that loads content from amateurpleasuretube.com or some other porn site, as you can see by right-clicking on the form and looking at the frame source.

Verify-Locals2 has a dummy login form in the top right corner. If you enter a name and password and click enter, nothing happens. This is the same form, and as a matter of fact, this entire page is almost identical to the one we saw on craigslistsafe.localsafe.org. The sign-up form for this site sits in a frame that loads its content from cashuniversity.com, and when you sign up you get directed to some adult site or other. Again, you can see this by looking at the frame source.

More Scam Sites

The following are scam sites similar to the ones that have been reported here before. They're used to trick you into signing up for porn sites. Right now, we are just listing them. More information about them will be provided later, but for now, trust us, they're fake dating sites, not real ones.

backpageconfirm.com

craigs-safety.com

craigslistdatesafely.com

craigssafety.info

facebookconfirm.com

verify-locals1.com

LiveSafeToday.net

Another dating verification scam site has been discovered. The site is LiveSafeToday.net.

LiveSafeToday.net (Click to enlarge)

See where it says "The SAFEST way to meet people online in [Your location]" in the top right corner of the page? The site uses IP location technology to get your approximate location and display it where [Your location] is. The verification form in the bottom right corner is used to get you to sign up for the porn site DiscreetHoneys.com, not LiveSafeToday.net. It is in a separate frame and the code comes from join.securepaypass.com. Also, notice that in the top left corner there are the words "Craigslist Safe" in big blue letters.

Although it says in the bottom left of the page that they have "successfully verified thousands of users since August, 2008", The site has only been in existence since December 3, 2010, as you can see by looking it up at who.is.

REGISTRY WHOIS FOR LIVESAFETODAY.NET

Domain Name: livesafetoday.net 
Updated: 3 seconds ago - Refresh 

Registrar: INTERNET.BS CORP.
Whois Server: whois.internet.bs
Referral URL: http://www.internet.bs
Status: clientTransferProhibited

Expiration Date: 2011-12-03
Creation Date: 2010-12-03
Last Update Date: 2010-12-04

Name Servers:
    ns1.global-host.org
    ns2.global-host.org
See livesafetoday.net DNS Records

The name servers for the site are ns1.global-host.org and ns2.global-host.org and the SOA record for the site shows that the DNS server administrator for its zone is admin@global-host.org.

LIVESAFETODAY.NET SOA RECORD

Name Server	ns1.global-host.org
Email	admin@global-host.org
Serial Number	2010120803
Refresh	1 day
Retry	2 hours
Expiry	41 days 16 hours
Minimum	1 day

Global-host.org is a fake hosting company. Its home page consists simply of a design template for a hosting company. Another site with this template is rcchost.com. Also, the site global-host.org was just created on November 19th, 2010.

Global-host.org is a fake hosting company.

The IP for LiveSafeToday.net is 93.174.94.138 and the IP for Global-host.org is 93.174.94.133. Both of these IPs are owned by Ecatel.

Proof That Christopher Lawell Owns MiyaBot and Is Therefore VegasChris

Some more has been discovered about MiyaBot, the chatbot sold by VegasChris of MoneyMakerDiscussion.com, the man who was once a VP of a mortgage company and now markets porn on the internet by means of hiring people to post fake dating ads on Craigslist. On the site uowow.com, which now has nothing but a default website page, there was once a source code repository for a Microsoft Visual Studio Solution (a collection of software development projects) with the name MiyaBot. It no longer exists but is still partly viewable in Google's cache.

The MiyBot solution was located at http://www.uowow.com:8080/svn/CLI/AimBot/Miyabot.sln (Click to enlarge)

In the screen shot above, see that the URL given for the solution file was

http://www.uowow.com:8080/svn/CLI/AimBot/Miyabot.sln

In this path, there is a directory called svn, which stands for Apache Subversion, the name of the source code control system being used here. It's standard practice in using Subversion to create your source code repositories in directories underneath this one. The source code repository in this case happens to be called CLI, which just happen to be the initials of Christopher Lawell Inc.

Well, it was discovered that the person who owned this server is a computer programmer who was one of Chris Lawell's Facebook friends. It was thought that he was the person who created MiyaBot. We contacted him and asked him how he was involved with Christopher Lawell. This is a screen shot of part of the conversation. His name, picture, and other identifying information were blanked out since he doesn't want to be associated with any illegal activities.

Conversation about Chris Lawell

More of the conversation

So this person confirms that Chris Lawell is the owner of MiyaBot, which means that Chris Lawell is VegasChris of MoneyMakerDiscussion.com.

Christopher Lawell and the CraigslistSafe.LocalSafe.org Scam: A Review of the Evidence So Far

This summary is not available. Please click here to view the post.

Chris Lawell on Facebook: Is the Chris Lawell Who Plugs MiyaBot the Same Chris Lawell of 350DollarWebsites.com? Is He VegasChris of MMD?

There is more than one Facebook profile for someone called Chris Lawell. Besides the one that the partner at Clearline Media and president of Christopher Lawell Inc. and 350dollarwebsites.com acknowledges owning, there is also one with no profile picture uploaded. The owner of this other profile does, however, have his wall visible to the public so that we can see that on March 15th he used his wall to plug a chatbot called MiyaBot. (You must login to Facebook in order for the link to work so that you can view his wall.)

Someone with the name Chris Lawell plugging MiyaBot. (Click to enlarge)

I've already pointed out that in Google's cache there is a now deleted thread where the MMD VegasChris recommends his friend SnBirdi for website design and gives as an example of his work the site for Chris Lawell's company Clearline Media. Look at the page again and notice that he also gives Miyabot.com as an example of SnBirdi's work.

Click to enlarge.

VegasChris has also recommended the product MiyaBot in the thread Dating Bot Jenny she walks she talks she converts :)

That's only one of the benefits of using MiyaBOT. You can set up unlimited tokenized responses for messages.

The person can say "what's your name?" and you can reply differently everytime.

And in the thread WTB MSN/AIM Bot, where user darkcrypt is looking to buy a chatbot, VegasChris says:

You are in luck. I just put one on the market today...

Contact me via pm with any questions!!

http://www.moneymakerdiscussion.com/...-chat-bot.html

So VegasChris of MMD doesn't just promote MiyaBot, he is the owner of the product. The link in the quote above goes to a thread that is no longer available that was titled "MiyaBot - The worlds most innovative Chat-Bot".

Finally, in this deleted web page that is still in Google's cache, VegasChris talks about the great job that his friend SnBirdi (aka Nick) has done on his website Miyabot.com.

VegasChris discussing Nick's work on Miyabot.com

Chatbots, for those of you who don't know, are computer programs that simulate conversations with real people. They are used sometimes by businesses like PayPal to provide automated support to their customers. They are also used by people who engage in e-Whoring, the scam of cheating men on the internet out of their money by getting them to believe that there is a real girl online who is interested in them.

We don't know yet that these two Chris Lawells are the same person. But suppose that they were. The question arises, why would he have two Facebook accounts? A possible answer would be that he wanted to use one for his personal life and one for his business relationships. People who run their own businesses often have separate personal and business profiles on Facebook.

A Little Bit More About VegasChris of MoneyMakerDiscussion.com

On MMD there is a thread titled Hello! started by OnlineMom to introduce herself to the forum. VegasChris, being the polite man that he is, welcomes her and tells her a little about himself.

Welcome Online Mom. I as the VP of a national Mortgage company. Now I work from home as a full time IM'er (Internet marketer)

Our friend Chris Lawell was also once the Vice President of a mortgage company, Ace Mortgage Funding. (Click the image to enlarge it.)

In a previous post I showed you a screen shot of a past version of VegasChris' profile where he used the name AnitaJohnson. In that profile he used his posting signature to promote the company InCorp of Henderson, Nevada. Look again at the URL for the link to InCorp which you can see in the browser status bar:

The URL that MMD redirects you to when you click the InCorp link is

http%3A%2F%2Fwww.InCorp.com%2Fdefault.aspx%3Freferredbyaccountid%3D65123

which gets decoded to

http://www.incorp.com/default.aspx?referredbyaccountid=65123

See that portion of the URL after the question mark? That tells us the the account ID of the affiliate who is directing Web traffic to InCorp's website. Using that ID, InCorp could tell us exactly who this VegasChris, the man who hires people to spam Craigslist with fake dating ads to promote porn sites, really is.

More on VegasChris of MoneyMakerDiscussion.com

In Google's cache you can see a now deleted thread where the MMD VegasChris recommends user SnBirdi (aka Nick) for website design. As an example of his work he presents the website for Chris Lawell's company Clearline Media.

VegasChris talking about the Clearline Media website. (Click to enlarge.)

If the link doesn't work for you, search Google for

VegasChris ClearlineMedia

and look at the cached copies of the results. Notice that VegasChris wrapped his mentioning of ClearlineMedia.com in a code block instead of putting it in normal text. This is a trick that is used to prevent the page being discovered by MoneyMakerDiscussion.com's search function. Any text wrapped in code is ignored by the search function, so that someone who uses MMD's search feature to find references to ClearlineMedia won't find this page. (It still can be found with a Google search, however.) The reasons that an MMD user would want to hide his reference to a company should be fairly obvious.

Also, there is a thread on MMD titled WE ACCEPT ALL TYPE OF TRAFFIC! started by Cody04, a representative of PornProfit.com. [WARNING: Their site has a link to their promotional video. Do not click on that link unless you have a very strong stomach.] Cody writes:

Hey,

If you want to promote or are looking to promote adult, hit me up we can accept CL traffic, Chat Traffic,Search Engine Optimization... As long as the traffic converts we will take it!

We pay ON TIME and are very easy to get a hold of... We work with CCBill as our biller.. If you are interested hit me up on ICQ at 487111948

Check us out at Porn Profit Adult Affiliate Program - Pornprofit.com

In this thread we hear VegasChris complain that PornProfit.com suspended his account and didn't pay him.

These guys just banned my account and have not paid. Now Cody is unavailable via ICQ.

I have many long specific convo's with him regarding the traffic etc. he said he was fine with it.

He made a commitment to me that he would pay me for all joins to date even if he decides to cancel my traffic. He has not done so. I am giving him the opportunity to respond here. I will let everyone know if he comes through on his promise.

VegasChris of CLI in Henderson

Christopher Lawell said in his explanation that he has "not posted on Craigslist more than 1 ad per month (probably longer) in years." Could this be because he hires others to post for him? On the site Freelancer.co.nz there is a user who goes by the name of VegasChris. His profile states that he is with the company CLI in Henderson. He has posted some interesting ads.

On 1/14/2010, he posted an ad looking for a CL, BP and other classified sites poster.

Want an experienced poster for Backpage and Craigslist. MUST be experienced and able to successfully post on both sites.

Will compensate based off responses. Starting at $75 per 1k, will pay more based off the quality of conversions.

Posts are for NSA (W4M) ad category. You must provide ad content and forward replies to specific email address I provide in real time.

Will test work with a daily payout. Would like to escalate to a regular weekly order with successful traffic.

Being able to drive traffic from additional classified sites a plus.

He later posted a similar ad on 1/19/2010. Earlier, he was looking to buy 5000 Hotmail accounts, and the last ad he posted was for a ghost writer for articles about iGaming, the industry in which Chris Lawell says he does his internet marketing business.

There's another VegasChris on the web who places ads for Craigslist posters, VegasChris of MoneyMakerDisscusion.com. He used to use the name AnitaJohnson. This old version of his MMD profile is still in Google's cache. To see that this is an old version of VegasChris' profile, hover over the link labelled Find All Posts and look at the browser status bar. You'll see that the userid for the profile is 61348, the same as the userid for VegasChris. (Click the image to enlarge it.)

When you click on the link to InCorp Entity Structuring in the cached profile's signature, you are taken to InCorp.com, a company in Henderson, Nevada.

So this VegasChris also has a Henderson, Nevada connection and could very well be the same person as the other one.

On 4/26/2010, the MMD VegasChris posted the thread Looking for a craigslist poster.

I am looking to buy CL posting service or W4M lead provider in real time and exclusive.

Contact me via pm.

On 11/16/2009, he posted Looking for a CL poster.

Need a poster for adult content on CL.

Let me know what you charge. Would be willing to spend $200 a day (or more) for the right traffic.

Will start immediately.

On 11/3/2009, he posted Looking for a reliable poster on CL.

I am looking to hire a regular CL poster.

Can be creative when it comes to compensation. Would consider pay per post or JV per sale.

dating in W4M section. Possibly other areas.

Please pm me for discussion.

What both of these guys (and they're probably the same person) are doing here is hiring people to spam the dating sections of Craigslist with fake ads. This is done to promote real dating sites, or to promote fake dating sites used to trick people into signing up for porn sites, and sometimes to promote just plain upfront porn sites.

Servers Used For Localsafe.org Scam Now Dead

Archangelwebdesign.info has been shut down and is not mapped to any IP address. Also, the finishlinehosting.com domains:

b8mail.com
safe4mail.org
mail4now.net
mail4time.org
mysafenet.net
safe-local.net
localsafe.org

are dead. They are no longer mapped to IP addresses. Finishlinehosting.com itself is still up, however, with a blank homepage as before.

Correction

I looked at the email messages one more time and I realize that I made a mistake regarding the one of the dates. The email message sent to Ecatel and cli-us.com that mentioned Christopher Lawell was sent on November 17th, not November 18th. So the sites would have been shut down and Chris's LinkedIn resume would have been hidden on that day, too. I've gone ahead and fixed this error in my previous posts. This is the email message that was sent.

MIME-Version: 1.0
Received: by 10.14.119.135 with HTTP; Wed, 17 Nov 2010 12:31:13 -0800 (PST)
Date: Wed, 17 Nov 2010 14:31:13 -0600
Delivered-To: ***@***.com
Message-ID:
Subject: Spam again
From: **** <***@***.com>
To: abuse@theplanet.com, abuse@ecatel.net
Cc: finishlinehosting@cli-us.com
Content-Type: multipart/alternative; boundary=0016e65b5e60e9df9f0495458ddc

--0016e65b5e60e9df9f0495458ddc
Content-Type: text/plain; charset=ISO-8859-1

You've sent me more of this spam. Shouldn't these sites be shut down?
They've been reported as scam sites by lots of different people over the
past year. These are just some of the reports.

http://craigslistdatingscams.blogspot.com/
http://www.broadbandreports.com/forum/r23659525-craigslistsafesafeandlocalorg-scam-site-or-not
http://www.siteadvisor.com/sites/safeandlocal.com/msgpage
http://www.siteadvisor.com/sites/localsafe.org/msgpage
http://stopclfraud.blogspot.com/2010/09/heres-cheri-xoxo-again.html?zx=ccd6a1d877c1ffc0

The email address used for sending the messages was starred out. It appears odd that it shows up in the Delivered-To field and not just the From field, but this is nothing unusual. These are the message headers for a copy of a sent message that is given to the sender, not the copy that is delivered to the recipient. Gmail puts the sender's address in the Delivered-To field in the sender's copy because this is a copy of the message that was delivered to him by Gmail.

And once again, I'd like to reiterate a very important point. Outside of the email messages sent to the ISPs and cli-us.com and outside one post on this blog on November 17th no mention of Christopher Lawell in connection to the scam was made anywhere until after he hid his personal information. His claim that he hid that information because there was a campaign against him is completely false. It was hidden and the scam sites were shut down when the message above was sent. If he has evidence of this campaign, then let him show it to us.

Reply to Christopher Lawell's New Comments

1. I see. Then how did you find out about this blog at all? Messages were sent about all this to cli-us.com and to Ecatel. How did the person who brought this blog to your attention find out about it, if not through those email messages?

2. Wrong. They are calm, analytical, they look at the evidence presented, and all that evidence points to you being guilty. They state that it strongly suggests that you are guilty but that that has not been proven yet. You could have straightened things out but you didn't.

3. Wrong again. Again, you pretend that what was written at broadbandreports.com was some sort of attack on you but it wasn't. Something like this

That's less than two months ago. It uses a model, with hints of sex, as a lure.

There is another site "craigslistsafe.safeandlocal.net" with an almost identical page, registered just one month earlier. The main difference is that it uses a different model as a lure.

They want your credit card information.

Personally, I would not have anything to do with the site. I would be concerned that they might really be in the business of stealing credit information. It is wiser to deal only with businesses that have a well established reputation.

doesn't accuse you of anything. Your name comes up only in the presentation of the registration information. You could have posted a note saying that the site wasn't actually yours and no one would have bothered you about it.

After reading your letter (it is published in the comments to the post on November 23rd) I thought that I should give you the benefit of the doubt. But after looking at your explanations more closely, we see that they do not explain things well at all. They don't agree with the facts, or are inconsistent, or are implausible, or incomplete and avoid the real issues.

1. You say you took down your logo and hid your LinkedIn profile because someone brought to your attention several days ago the campaign against you. The fact is that you hid your personal information on November 17th, at the same time that the scam sites were shut down, which was promptly in response to messages sent to cli-us.com and Ecatel showing that your name had been implicated in all this. There was no campaign against you, as you claim. There was just a post that mentioned you on this blog and some email messages that were sent to ISPs and cli-us.com. I defy you to find any other mention of you being involved with the scam that was made before you hid your personal information. We're supposed to believe that someone you know came across this blog, told you about it, and you just by chance decided to hide your information at the same time that the scam sites were shut down, which was soon after those email messages were sent, and that you did this because of a "campaign" against you that didn't exist? Your claims just don't agree with the facts.
   
   
2. You totally mischaracterize the nature of the discussion of SafeAndLocal.org at Broadbandreports. No one in that discussion was attacking you at all. The thread is brief and the people that took part in it simply talked about whether or not the site was legitimate. More importantly, the story that you give about your involvement with SafeAndLocal.org makes no sense. You write:
   
   ...they already were working on a web design so I registered the domain he asked for with my Go Daddy account and set up a hosting account for him. I figured, why not, it’s an easy $20. I was notified at a later date by HostGator (my webhost) that he was violating our terms of service and I promptly canceled his account and refused to refund any money. He hassled me for some time and I blocked him on IM and email and he went away., or so I thought. When the complaint showed up on the broadband reports forum, I wrote multiple letters to the admins of that site explaining the situation and asking that the thread be removed, they ignored every request.
   
   If you canceled his account when you say you did, then the site would have been dead by the time the thread on Broadbandreports was created; there wouldn't have been any SafeAndLocal.org for people to discuss. Since you were the one who registered the domain, you controlled it and no one else could have used it. If the thread on Broadbandreports was posted after you terminated your client's account, then the only way that SafeAndLocal.org would have been still up and running would have been if you had been operating it. Your explanation here is logically inconsistent. It makes no sense.
   
   If instead you had found out about the TOS violations and had suspended your client's account after the thread was started (which is not what you say), then you could have simply posted a short note in the thread stating that the site was actually run by one of your clients and that you had terminated his account once it was discovered that it was a scam. There was nothing preventing you from doing that. You were afraid that people would attack you for that? That's absurd, just like the idea that you had to have the thread deleted.
   
   
3. Concerning the email address finishlinehosting@cli-us.com, you first try to twist the facts and make this an issue about registration information (which is easy to fake) when it is actually an issue concerning SOA records (which are impossible to fake unless you have access to DNS servers). You say that I base my argument that you were involved in the scam on the fact that a cli-us.com address was used for registering the domains. That is wrong. It was not used for registering the domains and I never said that it was. I know that registration data is easy to fake so I wouldn't jump to any conclusions based upon it. (As a matter of fact, in this case, the registration information for all of the sites involved in the scam was hidden using Whois privacy protection, so it was of no use.) What we're talking about here are the SOA records, which only a DNS server administrator would have access to. They are not data that any old person can specify when registering a domain. They aren't even specified when purchasing a domain but afterwards when the website is actually set up and connected to the Internet.
   
   Second, if someone wanted to get back at you for suspending his account by using a cli-us.com email address for his scam site, then he would have put that address in the registration information, not the SOA record (which he wouldn't have even had had access to unless he had access to the DNS server). The registration information is what you see when you do a whois query. The SOA record, on the other hand, is accessed via a different query and it is usually only looked at by system administrators, the general public has no interest in it. Your explanation about how a cli-us.com email address got used for the SOA records is implausible.
   
   
4. Those articles you wrote show that you have a lot of experience spamming Craigslist. Inundating Craigslist with ads is how the people who run these dating verification scam sites very often work. You dismiss the articles by saying that they just formed a brief attempt at article marketing and you ignore their conent. That content says a lot about the sort of business practices you use. Using multiple IP addresses and email addresses to get around Craigslist's anti-spam safeguards is underhanded and a violation of Craigslist's TOS. Your explanation here is incomplete and avoids the real issues.

Your explanations don't explain things at all. They misstate the facts, ignore the facts, are logically inconsistent, or simply implausible. You keep pushing this idea that you ignored everything and hid your personal information because you didn't want to "fuel the fire", but I've already shown there was no fire to fuel, not on November 17th when you hid your personal information, and not back in January when that thread on Broadbandreports was created. Your name wasn't mentioned on this blog in regards to the scam until November 17th, and it wasn't metioned elsewhere until after you hid your personal information. The truth appears to be that you preferred to hide your personal information and ignore everything until you weren't able to ignore it anymore because certain people found out about it. If you now want to ignore all of the facts presented here once again, go ahead. I don't plan to tell you anything about myself because I know better than to give out my real name when I investigate Internet fraud. Go to aa419.org or antifraudintl.org and tell the people there how unfair it is that they don't reveal their real names when they post about scam sites and suspected scammers. They'd laugh at you. In any case, who I am is irrelevant, all that matters are the facts and the facts don't look good for you.

Some More Questions For Chris Lawell

Chris, up until Friday, the SOA records for the scam sites all listed the email address for their DNS zone administrator as finishlinehosting@cli-us.com. But on Friday, the day that you responded to the allegations made against you, the SOA records for all of these sites except finishlinehosting.com were deleted. Could you explain how that happened?

You can view the DNS records by visiting

http://who.is/nameserver/ns1.finishlinehosting.com/

and clicking on the DNS links in the More Information column in the table.

Also, it is very important to note that we are discussing SOA records here, not registration information. You say in your letter that anyone can use any email address when registering a domain. True, you can pick any fake email address for the registration information and if the registrar or hosting service doesn't bother to check it out, then it will end up going into the registration databases. But we're not talking about registration data here, we're talking about SOA records. These are records that are created by the administrators of DNS servers. You can't fake this data unless you have access to the DNS server in question. The DNS server would in this case most likely have been controlled by a hosting company or the ISP Ecatel. It appears that it was controlled by Finishline Hosting (which looks like a pretend hosting company), which means that it would have been involved in the scam, too. Again, what do you know about Finishline Hosting?

Regarding this:

The only thing I am guilty of is being naive 3 years ago and writing about posting on CL as an attempt at article marketing.

Article marketing, that's all? So you weren't obviously instructing people on how to spam Craigslist?

Craigslist can be tricky to post multiple ads in one day so here are some easy tips to post successfully on Craigslist.


First, it takes a lot of ads posted daily to list build fast.


You should post a minimum of 30-50 a day.


Here is how to post a lot of ads...


You need a way to change your IP address (your connection to the internet that determines where you are located).


You need a lot of subdomains that are setup to forward to your website(s).


You need a lot of email addresses (I use Gmail.com)


I have found that you can post about 10-15 ads with the same IP, email address and subdomain.


Do more than that, and you run the risk of all your ads being deleted.


That is why I use this submission software... CL Autoposter

Using multiple email addresses and multiple IP addresses to avoid having your numerous ads flagged and using automated ad submission software that helps you change your identity, those are tricks to avoid having your spam flagged.

Message to Christopher Lawell

Chris,

Thank you for contacting me. I read your reply at ChristopherLawell.com and there are a few things about it that bother me.

To begin with, you say that no one ever contacted you about the scam sites. Well, we know that at least two complaints were sent about the scam sites to finishlinehosting@cli-us.com, and that there were many complaints sent to Ecatel prior to those complaints, too. The first known complaint sent to this address was sent on November 14th. The complaints were sent to that address at cli-us.com because that was the only business contact address that was then available. No replies to those complaints were ever received. It was only after a further complaint was made on November 17th, one that mentioned that the site SafeAndLocal.org was registered in your name and that finishlinehosting@cli-us.com was the address for the DNS administrator for the recent scam sites, that the scam sites were promptly taken down.

At the same time, on November 17th, just a few hours after this new complaint was made, you removed your company's logo from your website and hid your LinkedIn profile. There was no campaign against you as you claim, there were just some postings on this blog that mentioned the web pages that linked your name to the scam sites. Read these postings. Do they amount to character assassination? No, they don't. They plainly present facts that strongly pointed to you being involved in the scams. They leave open and acknowledge that it is possible that the scammer was merely a client of yours or someone else entirely. (And, as a matter of fact, before coming across the cli-us.com address, there was another person that we believed was behind the sites.) The fact that you hid your personal information at the same time that the sites got shut down, along with the fact that the sites did not get shut down until it was revealed that your name was linked to them, was very suspicious, you must admit.

I know that you don't care to answer any questions about this, but would you be so good as to answer these?

1) Why were there no replies to the messages sent to finishlinehosting@cli-us.com? Is it not a valid email address? If it isn't, then there should have been an error message sent back from your website. No replies including error messages were ever received, so it must be a valid email address. If it is a valid email address, then what is your relationship with finishlinehosting?

2) As I said, on November 17th, the day that you hid your personal information, the only public postings made on the internet regarding this matter were the ones you see on this blog. They are calm and rational, analytical. You could have easily posted something here regarding the matter. There was no fire for you to fuel. So why didn't you post anything?

3) Likewise, concenring SafeAndLocal.org, you write

When the complaint showed up on the broadband reports forum, I wrote multiple letters to the admins of that site explaining the situation and asking that the thread be removed, they ignored every request. They are obviously more concerned about freedom of speech even if it is inaccurate and damaging to innocent people than posting accurate content. I didn’t address this on the forum as I felt most people would want to believe the worst and it would only serve to fuel the fire.

However, there was no fire to fuel. There is no complaint in that thread on BroadbandReports.com. The thread was started by someone who wanted some advice. He wasn't sure that SafeAndLocal.org was a legitimate dating site, and he wanted other people's help on figuring that out. There was no hostility or any words at all for that matter that were directed to you or about you. As a matter of fact, the way that your name ended up being mentioned was that someone wanted to point out that the site had only been registered a couple months earlier, and he showed this by posting the registration information in its entirety. The discourse in that thread was calm and reasonable; saying that you didn't just go ahead and post an explanation in it because you didn't want to fuel the fire makes no sense: there was no fire to fuel. You could have easily just posted a note saying that you had registered the site for a client and that you had terminated that client's account; there was nothing for you to be afraid of and there was no reason why you would have needed the thread to have been deleted. So could you explain why you didn't just do that?

I would really like it if you could answer these questions. In your letter you say:

I am going to address your statements this one time. I will not fuel the fire by entering into a debate.

As I've repeatedly said, there is no fire for you to fuel. We can calmly and rationally discuss this matter, so why don't you want do that? I'd really like to find these scammers, and I'm sure that you'd like to see them brought to justice too seeing as they've implicated you in all this. If you give us the information that you have about them, even if it's old, it could help us track them down. So why don't you just talk to us and answer the questions that we have? I am sending an email message to chris@cli-us.com informing you of this post and I hope to hear from you again.

P.S. Christopher Lawell posted several comments on this blog. They all said the same thing, "Please read my full response here: www.christopherlawell.com", so I've deleted all but one of them. That is the only reason I deleted his comments, because they were redundant.

Report on Christopher Lawell Inc. And Craigslistsafe.localsafe.org Posted At Antifraudintl.org

A report on Christopher Lawell Inc. and the craigslistsafe.localsafe.org scam was posted today by my friend PhilW over at antifraudintl.org. Thank you, Phil, for posting it, and also thank you for all of your assistance on this project. You've been a great help!

Update on 11/26: This thread has now been deleted.

Account Suspended?

Complaints were sent to Ecatel, the ISP for the scam sites, and also to cli-us.com. Now, mysafenet.net, localsafe.org, safe4mail.org, and all of the other sites used for the scam that were in the zone administered by finishlinehosting@cli-us.com have been taken down. When you look at these sites now you see a page that says either "This Account Has Been Suspended" or "This Account Has Been Suspended by Finishline Hosting". However, one of the sites that was used for sending the spam, arc.archangelwebdesign.info, is still up. This site is not in a zone administered by finishlinehosting@cli-us.com and it doesn't use an IP provided by Ecatel, as the other sites did. It has an IP of 174.122.133.9, which is provided by ThePlanet.com. Complaints were sent to ThePlanet.com about this site but the site remains active.

So have the scammer's sites really been shut down? Did Finishline Hosting suspend their customer's account? I don't believe that this is the case. I think that this Finishline Hosting isn't a real hosting company but a front that was created to hide the scammer's identity. First of all, the site FinishlineHosting.com is blank, it has no content and doesn't offer any services. When I search for information about this company, I find nothing. There is a company in Joplin, MO with a similar name. It's called Finish Line Hosting (three words instead of two) and its website is Finishlinehost.com, but it does not appear to be related to finishlinehosting.com at all.

Second, there is the fact that the zone administrator for the sites at Ecatel had an email address at cli-us.com, not at finishlinehosting.com, so the administrator would be someone at Christopher Lawell, Inc.

Third, cli-us.com has undergone a facelift. A couple days ago it featured the logo for Christopher Lawell, Inc:

but now that logo is gone and the home page of the website is completely blank.

Finally, Christopher Lawell's LinkedIn profile

has been hidden from public view.

I get the feeling that someone is trying to cover his tracks.

Christopher Lawell, Inc.

I've done some more investigating of mysafenet.net and localsafe.org and it looks like I've found out who's behind them.

First of all, localsafe.org, mysafenet.net, and several other servers share the name server ns1.finishlinehosting.com:

 SAMPLE OF DOMAINS USING NS1.FINISHLINEHOSTING.COM

Domain	Registrar	Create Date	Expire Date	More Information
finishlinehosting.com	INTERNET.BS CORP.	2010-06-21	2011-06-21	DNS
localsafe.org	Internet.bs Corp. (R1601-LROR)	2010-03-18 04:31:32	2011-03-18 04:31:32	DNS
mail4now.net	INTERNET.BS CORP.	2010-03-18	2011-03-18	DNS
mail4time.org	Internet.bs Corp. (R1601-LROR)	2010-10-29 04:42:25	2011-10-29 04:42:25	DNS
mysafenet.net	INTERNET.BS CORP.	2010-11-01	2011-11-01	DNS
safe-local.net	INTERNET.BS CORP.	2010-03-18	2011-03-18	DNS

Safe-local.net is another server that is used for the scam. It redirects to craigslistsafe.localsafe.org. Mail4now.net and mail4time.org are servers that are used for for sending spam for mysafenet.net and safe-local.net. Since these sites all share the same name server and they were all used for the scam, it's a good bet that they are all owned by the same person.

A useful piece of information about a website is its SOA record. This record contains the e-mail address of the person responsible for administering the domain's zone. The SOA record for mysafenet.net is this:

MYSAFENET.NET SOA RECORD

Name Server	ns1.finishlinehosting.com
Email	blank@cli-us.com
Serial Number	2010110101
Refresh	1 day
Retry	2 hours
Expiry	41 days 16 hours
Minimum	1 day

The e-mail address of the zone administrator is an address at cli-us.com, which is a website for Christopher Lawell, Inc.

Given its name, we'd assume that finishlinehosting.com would be the website for the hosting company used by these sites, but instead it's a blank website. Let's look at the SOA record for finishlinehosting.com:

FINISHLINEHOSTING.COM SOA RECORD

Name Server	ns1.finishlinehosting.com
Email	finishlinehosting@cli-us.com
Serial Number	2010081305
Refresh	1 day
Retry	2 hours
Expiry	41 days 16 hours
Minimum	1 day

The e-mail address of the zone administrator for this site is also an address at cli-us.com. So who is this Christopher Lawell?

Googling "Christopher Lawell" brings up a number of interesting pages. For instance there's the LinkedIn profile of a Christopher Lawell in the Las Vegas, NV area who is a partner at Clearline Media and president of both www.350dollarwebsites.com and Christopher Lawell, Inc. When we Google

"Christopher Lawell" craigslist

we find some articles where he gives tips on spamming Craigslist. For instance:

http://www.articlepros.com/online_business/More-In-Internet-and-Online-Business/article-94976.html
http://make-money-online12.blogspot.com/2008/02/how-to-post-on-craigslist.html.

Doing some more searching for his name shows that it has been linked to other verification scam sites. For instance, there is this thread on broadbandreports.com:

http://www.broadbandreports.com/forum/r23659525-craigslistsafesafeandlocalorg-scam-site-or-not

The Christopher Lawell discussed in this thread had an address in Henderson, NV, which is a suburb of Las Vegas, and he was listed as the owner of craigslistsafe.safeandlocal.org, a verification scam site that is no longer active:

Domain ID:D157651283-LROR
Domain Name:SAFEANDLOCAL.ORG
Created On:21-Nov-2009 16:02:05 UTC
Last Updated On:21-Nov-2009 16:02:08 UTC
Expiration Date:21-Nov-2010 16:02:05 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR29951201
Registrant Name:Christopher Lawell
Registrant Street1:318 Canyon River Court
Registrant Street2:
Registrant Street3:
Registrant City:Henderson
Registrant State/Province:Nevada
Registrant Postal Code:89012
Registrant Country:US
Registrant Phone:+1.7023358990

(The current registration information is different because the registrant acquired whois privacy protection to hide his identity.)

Not only is the name of this site very similar to craigslistsafe.localsafe.org, but SafeAndLocal.org is what is shown for the title of the page on craigslistsafe.localsafe.org:

(Click the image to see it in full size). This could be because when the current site was created, the person who set it up used a copy of the HTML for the old site and forgot to change the page's title.

When we look at all of this evidence, though it hasn't been proven for certain, it does appear that this Christopher Lawell is the owner of the current scam sites, too.

ArchangelWebDesign.info

ArchangelWebDesign.info is being used for sending out email messages for the Cheri Craigslist dating scam. The spam is coming from the subdomain arc.archangelwebdesign.info, as you can see from the headers of a sample fraudulent email message below.

Delivered-To: ***@***.***
Received: by 10.151.15.8 with SMTP id s8cs74788ybi;
Thu, 11 Nov 2010 19:43:18 -0800 (PST)
Received: by 10.150.189.2 with SMTP id m2mr3084169ybf.48.1289533397732;
Thu, 11 Nov 2010 19:43:17 -0800 (PST)
Return-Path:
Received: from arc.archangelwebdesign.info ([174.122.133.9])
by mx.google.com with ESMTP id l55si6539186yhd.141.2010.11.11.19.43.16;
Thu, 11 Nov 2010 19:43:17 -0800 (PST)
Received-SPF: fail (google.com: domain of pers-p5gm3-2052632382@craigslist.org does not designate 174.122.133.9 as permitted sender) client-ip=174.122.133.9;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of pers-p5gm3-2052632382@craigslist.org does not designate 174.122.133.9 as permitted sender) smtp.mail=pers-p5gm3-2052632382@craigslist.org
Received: from [69.25.188.179] (helo=3e414603b1a244c)
by arc.archangelwebdesign.info with esmtpa (Exim 4.69)
(envelope-from )
id 1PGkXi-0004kH-VS
for ***@***.***; Thu, 11 Nov 2010 21:43:15 -0600
MIME-Version: 1.0
Date: Thu, 11 Nov 2010 19:43:15 -0800
Message-ID:
X-Priority: 3 (Normal)
Subject: RE: criagslist
Reply-To: pers-p5gm3-2052632382@craigslist.org
From: "meee ;)"
To: "***" <***@***.***>
Content-Type: multipart/alternative;
boundary="-----_chilkat_cf1_4bd0_4a664414.d03cbf62_.ALT"
In-Reply-To: AANLkTi=osGdv+pi325ZdDM7SVJopt1gzODnVHATgRPVQ@mail.gmail.com
X-Mailer: Microsoft Outlook, Build 10.0.6822
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - arc.archangelwebdesign.info
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - craigslist.org


Hey Babe, hehe you seem to be my kind of guy.

thanks for the reply. Totally honestly, i just want some no strings action today or tomorrow. You into that?

You ever do this? I've a couple times b4. Everytime I think about hooking up with no strings I get really horny but a little worried. I don't want to meet some underage kid or something.

I'm a pretty upfront person so let me just lay this out before we go any further. This is a NSA thing with nothing else. I just got out of a relationship and am not looking for a guy to hold me back.

If you are good with that then there is one more thing I have for you. I am getting a lot of emails from HS kids and creepy guys out there so i am requiring everyone to register for my peace of mind. Its no cost but I promise if you do this, Ill make it worth your while and will be more open to whatever you want to do. If you dont want to do this then i am afraid we can't go any further because it wont be any fun for me being stressed and afraid of you the whole time.


If you want to meet me still then just go here [Here there was a link to mysafenet.net. Do not visit that site!]. You can find my profile and contact information there.

I'm looking forward to seeing you

Call me at the number on there.

Bye for now

Cheri

The reason that this is a scam is because the person that is supposedly sending the messages doesn't exist. The messages are actually being sent by someone who makes money from directing you to the dating sites that you are being asked to join. These scammers like to call this "affiliate marketing", but it is fraud.

Other servers that have been used for sending these scam messages are:

mail4time.org
mail4now.net
safe4mail.org
b8mail.com

The Cheri Scam: Craigslistsafe.localsafe.org

If you get messages like the ones below, do not click on the links in the messages. The sites that are linked to in the messages, mysafenet.net and safe-local.net, redirect you to craigslistsafe.localsafe.org, which is a fake site used to trick you into signing up for yet another fake dating site. How do we know craigslistsafe.localsafe.org is not a real dating site? First of all, that sign-in form at the top of the page (click the picture to enlarge it):

It does nothing. If you put in a random user name and password and click the login button, you don't get logged in to the site and you don't get an error message as you'd expect to get from a random user name and pasword. The form doesn't do anything, it is just a fake form put on the page to make the site look real.

There is also a sign-up form in the bottom right of the page. Its appearance varies based upon which other site is being promoted. Here is one of the forms you may see:

This form is actually a sign-up form for another site. It is contained in an iframe that loads content from that other site. For instance, if you look at the page source you might see an iframe like this defined:

<iframe marginheight="50" marginwidth="0" name="iFrame" src="http://xxxl.hornywivesonline.com/signup/signup.php?nats=MzguOC4xMy40NC44LjAuMC4wLjA&amp;step=2" frameborder="0" height="1150" scrolling="no" width="700"></iframe>

In this case, the iframe loads content from xxl.hornywivesonline.com and the scammer is trying to get you to sign up for that site.

Also, sometimes the people that send you these messages make money just from directing traffic to these fake dating sites. We don't want to help them stay in business, so don't click on the links in the messages at all.

Here are some sample scam messages:

Hey Babe, hehe you seem to be my kind of guy.

thanks for the reply. Totally honestly, i just want some no strings action today or tomorrow. You into that?

You ever do this? I've a couple times b4. Everytime I think about hooking up with no strings I get really horny but a little worried. I don't want to meet some underage kid or something.

I'm a pretty upfront person so let me just lay this out before we go any further. This is a NSA thing with nothing else. I just got out of a relationship and am not looking for a guy to hold me back.

If you are good with that then there is one more thing I have for you. I am getting a lot of emails from HS kids and creepy guys out there so i am requiring everyone to register for my peace of mind. Its no cost but I promise if you do this, Ill make it worth your while and will be more open to whatever you want to do. If you dont want to do this then i am afraid we can't go any further because it wont be any fun for me being stressed and afraid of you the whole time.


If you want to meet me still then just go here go here. You can find my profile and contact information there.

I'm looking forward to seeing you

Call me at the number on there.

Bye for now

Cheri

Here is another message that "Cheri" sends.

Hiya

I never heard back from you. I must be nuts to do this, but your email caught my attention. I really want to meet you if you are still game. I hope the verification thing didnt scare you away but it really only takes a minute and i promise you won't be dissapointed! Here is the link again in case you are still interested in meeting. http://mysafenet.net/cheri382

After you register, call me ASAP I'm making plans for tonight. My number is on there.

I hope to hear from you soon. :)

Cheri

And yet another.

Hey

I owe you an apology. I just found out that site I sent you to tries to charge people and it wasn't supposed too. I was just trying to do something to stay safe and feel a little better about meeting you. Someone just told me that it isn't free like they said it was and I paid $150 to sign up to use it... :(

Well, i still want to meet you if you aren't too upset with me. If you are, I understand. i would like to get together sometime, maybe chat on the net a bit first then meet in a public place or something. i'd feel more comfortable that way.

I joined a site that IS free for you to join. They don't even ask for a card or anything. Only an email so you can verify your registration. I have pictures on there, there is free video chat etc. It would just make me feel more safe to meet you and have some in between contact 1st you know?

Here it is, check it out and you will see that I have checked things out this time and it is free. I hope you'll contact me there. Here is the link, and my username is "letsplay" so you can contact me there.

www.mysafenet.net/letsplay

Hope I see you soon,



Cheri

The person who sends these messages also sends messages for a "Brandi". These are the URLs used for her profile:

http://mysafenet.net/brandi318
http://mysafenet.net/brandi382

And here are some of the other URLs used for this scam.

http://mysafenet.net/letsplay
http://mysafenet.net/letsplaynow
http://mysafenet.net/cheri318
http://safe-local.net/ready2playyyy