Christopher Lawell and the CraigslistSafe.LocalSafe.org Scam: A Review of the Evidence So Far

Let’s review everything that has been discovered regarding the scam site CraigslistSafe.LocalSafe.org and Christopher Lawell over the past few weeks.

On November 17th, a post was made on this blog that showed the following:

  1. Mysafenet.net, CraigslistSafe.LocalSafe.org, and some of the other sites used for the scam were all in a DNS zone that was administered by someone with the e-mail address finishlinehosting@cli-us.com.
  2. Cli-us.com is the website for Christopher Lawell Inc (CLI). At the time, the site consisted only of a home page with his logo.
  3. There was a publicly viewable LinkedIn profile for the Christopher Lawell of Christopher Lawell Inc that showed he lived in the Las Vegas area.
  4. There was a dating scam site called CraigslistSafe.SafeAndLocal.org that was discussed on Broadbandreports.com that was registered to Christopher Lawell of Henderson, Nevada. This site was very similar to CraigslistSafe.LocalSafe.org.
  5. Christopher Lawell wrote articles showing people how to spam Craigslist, which is one of the methods used by scammers to get traffic to these fake dating sites.

That same day, a little while after this post was made, complaints about the scam were sent by e-mail to Ecatel (the ISP for the scam sites), finishlinelinehosting@cli-us.com, and ThePlanet.com (the ISP for one of the sites used for sending the scam messages). These complaints contained a link to the blog post. Within a few hours, the scam sites hosted by Ecatel were shut down and Christopher Lawell hid his LinkedIn profile and removed his company’s logo from cli-us.com.

A few days after this, Christopher Lawell’s links to these scam sites were publicized. On November 26th, after some joker made a mock Facebook profile for Chris that some of his friends saw, he wrote a letter in which he denied having taking part in the scams and also denied ever being involved in marketing porn.

First, he said that regarding the hiding of his personal information:

When someone brought to my attention several days ago your current campaign against me, I contacted my attorney and they said to “lock everything down and wait for it to blow over. Addressing these claims will only fuel the fire.” At that time I took down my image from cli-us.com and locked down my linked in account…

But this just doesn’t agree with the facts. The personal information was hidden just a few hours after the e-mail message was sent to Ecatel, ThePlanet.Com and finishlinehosting@cli-us.com informing them of the post on this blog with the evidence implicating Chris in the scam. Outside of that single post and the complaints e-mailed to the ISPs and cli-us.com, there was no mention of Christopher Lawell in regards to the the scam anywhere on the Internet.

Second, he gave this story of how the site SafeAndLocal.org got registered in his name.

Over a year ago, I had someone contact me via my web design company 350dollarwebsites.com where we register domains then design and host websites for businesses that may not have a web presence. The person said they would like to register a domain and buy a hosting account. They already were working on a web design so I registered the domain he asked for with my Go Daddy account and set up a hosting account for him. I figured, why not, it’s an easy $20. I was notified at a later date by HostGator (my webhost) that he was violating our terms of service and I promptly canceled his account and refused to refund any money. He hassled me for some time and I blocked him on IM and email and he went away., or so I thought. When the complaint showed up on the broadband reports forum, I wrote multiple letters to the admins of that site explaining the situation and asking that the thread be removed, they ignored every request.

This story makes no sense. Since he registered the domain, he owned it and controlled it. Therefore, once he had suspended the account of this alleged client of his, SafeAndLocal.org would have been shut down and it would no longer have existed by the time the thread on Broadbandreports.com was created; there would have been no site for the people in that thread to discuss.

Even though this story makes no sense, he used it as a setup for his claim of how he believes that the e-mail address finishlinehosting@cli-us.com got to be used for the administrator of the DNS zone for the scam sites.

You base the fact that I am involved in this scam because my url “@cli-us.com” was used in registering the hosting account. However, I can start a hosting account right now with your email in it and it doesn’t mean that it is your hosting account…. It appears to me that this person who signed up for the domain registration and web-hosting through 350dollarwebsites.com using faked credentials and a stolen or fake PayPal has found a way to get back at me by listing my url as his hosting contact.

To begin with, the cli-us.com address wasn’t used for the scam sites’ registration information, it was used for the administrator of the DNS zone for the sites. This information is stored in the sites’ SOA records. Registration data is easy to fake while SOA records are controlled by DNS server administrators. In addition, the SOA record for a site is rarely seen by people. The registration information is of general public interest but the SOA record is almost never looked at by anyone other than DNS server administrators. If this alleged client of Chris was looking to get back at him by stealing his personal information, putting that information in this obscure place would not have been an effective means of doing that.

Finally, Chris tried to blow off the proof that he has had experience spamming Craigslist by talking about the articles he wrote on the subject as if they were mere attempts at article marketing. He didn’t address the content of the articles, and what that content says about him, at all.

The Craigslist article you point to was an early attempt at article marketing 3 YEARS ago. If you will notice in the article, there is reference to an affiliate link that no longer even exists. As I am sure you know, 3 years on the internet is a lifetime. I have not posted on Craigslist more than 1 ad per month (probably longer) in years.

As if all of this weren’t suspicious enough, further investigation revealed that

  1. There is someone on the site Freelancer.co.nz who has the alias VegasChris, lives in Henderson, and is affiliated with the company CLI. This VegasChris has placed ads looking for people to post fake dating ads on Craigslist for him. He also placed an ad looking for someone to ghost write articles on internet gaming for him. Christopher Lawell said in his letter that he makes money from “internet marketing efforts in the online gaming vertical”.
  2. There is also someone on the site MoneyMakerDiscussion.com who uses the alias VegasChris. This VegasChris also posted ads looking for people to spam Craigslist with fake dating ads and moreover we saw that he discussed his involvement with marketing porn for the site PornProfit.com. He used to use his board posting signature to promote the company InCorp of Henderson, Nevada and he says that he used to be the VP of a mortgage company, just as Christopher Lawell once was. In addition, he once mentioned Chris Lawell’s company Clearline Media as an example of some good website design that his friend SnBirdi did.
  3. On Facebook there is a profile for a Chris Lawell who posted an advertisement for the chatbot MiyaBot on his wall back in March. VegasChris of MMD has also promoted MiyaBot a few times and is in fact the owner of the company MiyaBot. VegasChris’ friend SnBirdi, the website designer who worked on ClearlineMedia.com, also designed MiyaBot.com

Now, tell me, when we consider all of the evidence discovered, and also consider just how full of holes the explanations in Christopher Lawell’s letter were, what are we supposed to conclude?

UPDATE

It has now been confirmed that Christopher Lawell is VegasChris. See the evidence.

Some More Questions For Chris Lawell

Chris, up until Friday, the SOA records for the scam sites all listed the email address for their DNS zone administrator as finishlinehosting@cli-us.com. But on Friday, the day that you responded to the allegations made against you, the SOA records for all of these sites except finishlinehosting.com were deleted. Could you explain how that happened?

You can view the DNS records by visiting

http://who.is/nameserver/ns1.finishlinehosting.com/

and clicking on the DNS links in the More Information column in the table.

Also, it is very important to note that we are discussing SOA records here, not registration information. You say in your letter that anyone can use any email address when registering a domain. True, you can pick any fake email address for the registration information and if the registrar or hosting service doesn’t bother to check it out, then it will end up going into the registration databases. But we’re not talking about registration data here, we’re talking about SOA records. These are records that are created by the administrators of DNS servers. You can’t fake this data unless you have access to the DNS server in question. The DNS server would in this case most likely have been controlled by a hosting company or the ISP Ecatel. It appears that it was controlled by Finishline Hosting (which looks like a pretend hosting company), which means that it would have been involved in the scam, too. Again, what do you know about Finishline Hosting?

Regarding this:

The only thing I am guilty of is being naive 3 years ago and writing about posting on CL as an attempt at article marketing.

Article marketing, that’s all? So you weren’t obviously instructing people on how to spam Craigslist?

Craigslist can be tricky to post multiple ads in one day so here are some easy tips to post successfully on Craigslist.

First, it takes a lot of ads posted daily to list build fast.

You should post a minimum of 30-50 a day.

Here is how to post a lot of ads…

You need a way to change your IP address (your connection to the internet that determines where you are located).

You need a lot of subdomains that are setup to forward to your website(s).

You need a lot of email addresses (I use Gmail.com)

I have found that you can post about 10-15 ads with the same IP, email address and subdomain.

Do more than that, and you run the risk of all your ads being deleted.

That is why I use this submission software… CL Autoposter

Using multiple email addresses and multiple IP addresses to avoid having your numerous ads flagged and using automated ad submission software that helps you change your identity, those are tricks to avoid having your spam flagged.

Message to Christopher Lawell

Chris,

Thank you for contacting me. I read your reply at ChristopherLawell.com and there are a few things about it that bother me.

To begin with, you say that no one ever contacted you about the scam sites. Well, we know that at least two complaints were sent about the scam sites to finishlinehosting@cli-us.com, and that there were many complaints sent to Ecatel prior to those complaints, too. The first known complaint sent to this address was sent on November 14th. The complaints were sent to that address at cli-us.com because that was the only business contact address that was then available. No replies to those complaints were ever received. It was only after a further complaint was made on November 17th, one that mentioned that the site SafeAndLocal.org was registered in your name and that finishlinehosting@cli-us.com was the address for the DNS administrator for the recent scam sites, that the scam sites were promptly taken down.

At the same time, on November 17th, just a few hours after this new complaint was made, you removed your company’s logo from your website and hid your LinkedIn profile. There was no campaign against you as you claim, there were just some postings on this blog that mentioned the web pages that linked your name to the scam sites. Read these postings. Do they amount to character assassination? No, they don’t. They plainly present facts that strongly pointed to you being involved in the scams. They leave open and acknowledge that it is possible that the scammer was merely a client of yours or someone else entirely. (And, as a matter of fact, before coming across the cli-us.com address, there was another person that we believed was behind the sites.) The fact that you hid your personal information at the same time that the sites got shut down, along with the fact that the sites did not get shut down until it was revealed that your name was linked to them, was very suspicious, you must admit.

I know that you don’t care to answer any questions about this, but would you be so good as to answer these?

1) Why were there no replies to the messages sent to finishlinehosting@cli-us.com? Is it not a valid email address? If it isn’t, then there should have been an error message sent back from your website. No replies including error messages were ever received, so it must be a valid email address. If it is a valid email address, then what is your relationship with finishlinehosting?

2) As I said, on November 17th, the day that you hid your personal information, the only public postings made on the internet regarding this matter were the ones you see on this blog. They are calm and rational, analytical. You could have easily posted something here regarding the matter. There was no fire for you to fuel. So why didn’t you post anything?

3) Likewise, concerning SafeAndLocal.org, you write

When the complaint showed up on the broadband reports forum, I wrote multiple letters to the admins of that site explaining the situation and asking that the thread be removed, they ignored every request. They are obviously more concerned about freedom of speech even if it is inaccurate and damaging to innocent people than posting accurate content. I didn’t address this on the forum as I felt most people would want to believe the worst and it would only serve to fuel the fire.

However, there was no fire to fuel. There is no complaint in that thread on BroadbandReports.com. The thread was started by someone who wanted some advice. He wasn’t sure that SafeAndLocal.org was a legitimate dating site, and he wanted other people’s help on figuring that out. There was no hostility or any words at all for that matter that were directed to you or about you. As a matter of fact, the way that your name ended up being mentioned was that someone wanted to point out that the site had only been registered a couple months earlier, and he showed this by posting the registration information in its entirety. The discourse in that thread was calm and reasonable; saying that you didn’t just go ahead and post an explanation in it because you didn’t want to fuel the fire makes no sense: there was no fire to fuel. You could have easily just posted a note saying that you had registered the site for a client and that you had terminated that client’s account; there was nothing for you to be afraid of and there was no reason why you would have needed the thread to have been deleted. So could you explain why you didn’t just do that?

I would really like it if you could answer these questions. In your letter you say:

I am going to address your statements this one time. I will not fuel the fire by entering into a debate. 

As I’ve repeatedly said, there is no fire for you to fuel. We can calmly and rationally discuss this matter, so why don’t you want do that? I’d really like to find these scammers, and I’m sure that you’d like to see them brought to justice too seeing as they’ve implicated you in all this. If you give us the information that you have about them, even if it’s old, it could help us track them down. So why don’t you just talk to us and answer the questions that we have? I am sending an email message to chris@cli-us.com informing you of this post and I hope to hear from you again.

P.S. Christopher Lawell posted several comments on this blog. They all said the same thing, “Please read my full response here: http://www.christopherlawell.com”, so I’ve deleted all but one of them. That is the only reason I deleted his comments, because they were redundant.

Account Suspended?

Complaints were sent to Ecatel, the ISP for the scam sites, and also to cli-us.com. Now, mysafenet.net, localsafe.org, safe4mail.org, and all of the other sites used for the scam that were in the zone administered by finishlinehosting@cli-us.com have been taken down. When you look at these sites now you see a page that says either “This Account Has Been Suspended” or “This Account Has Been Suspended by Finishline Hosting”. However, one of the sites that was used for sending the spam, arc.archangelwebdesign.info, is still up. This site is not in a zone administered by finishlinehosting@cli-us.com and it doesn’t use an IP provided by Ecatel, as the other sites did. It has an IP of 174.122.133.9, which is provided by ThePlanet.com. Complaints were sent to ThePlanet.com about this site but the site remains active.

So have the scammer’s sites really been shut down? Did Finishline Hosting suspend their customer’s account? I don’t believe that this is the case. I think that this Finishline Hosting isn’t a real hosting company but a front that was created to hide the scammer’s identity. First of all, the site FinishlineHosting.com is blank, it has no content and doesn’t offer any services. When I search for information about this company, I find nothing. There is a company in Joplin, MO with a similar name. It’s called Finish Line Hosting (three words instead of two) and its website is Finishlinehost.com, but it does not appear to be related to finishlinehosting.com at all.

Second, there is the fact that the zone administrator for the sites at Ecatel had an email address at cli-us.com, not at finishlinehosting.com, so the administrator would be someone at Christopher Lawell, Inc.

Third, cli-us.com has undergone a facelift. A couple days ago it featured the logo for Christopher Lawell, Inc:

but now that logo is gone and the home page of the website is completely blank.

Finally, Christopher Lawell’s LinkedIn profile

has been hidden from public view.

I get the feeling that someone is trying to cover his tracks.

Christopher Lawell, Inc.

I’ve done some more investigating of mysafenet.net and localsafe.org and it looks like I’ve found out who’s behind them.

First of all, localsafe.org, mysafenet.net, and several other servers share the name server ns1.finishlinehosting.com:

 SAMPLE OF DOMAINS USING NS1.FINISHLINEHOSTING.COM

Domain Registrar Create Date Expire Date More Information
finishlinehosting.com INTERNET.BS CORP. 2010-06-21 2011-06-21 DNS
localsafe.org Internet.bs Corp. (R1601-LROR) 2010-03-18 04:31:32 2011-03-18 04:31:32 DNS
mail4now.net INTERNET.BS CORP. 2010-03-18 2011-03-18 DNS
mail4time.org Internet.bs Corp. (R1601-LROR) 2010-10-29 04:42:25 2011-10-29 04:42:25 DNS
mysafenet.net INTERNET.BS CORP. 2010-11-01 2011-11-01 DNS
safe-local.net INTERNET.BS CORP. 2010-03-18 2011-03-18 DNS

Safe-local.net is another server that is used for the scam. It redirects to craigslistsafe.localsafe.org. Mail4now.net and mail4time.org are servers that are used for for sending spam for mysafenet.net and safe-local.net. Since these sites all share the same name server and they were all used for the scam, it’s a good bet that they are all owned by the same person.

A useful piece of information about a website is its SOA record. This record contains the e-mail address of the person responsible for administering the domain’s zone. The SOA record for mysafenet.net is this:

MYSAFENET.NET SOA RECORD

Name Server ns1.finishlinehosting.com
Email blank@cli-us.com
Serial Number 2010110101
Refresh 1 day
Retry 2 hours
Expiry 41 days 16 hours
Minimum 1 day

The e-mail address of the zone administrator is an address at cli-us.com, which is a website for Christopher Lawell, Inc.

Given its name, we’d assume that finishlinehosting.com would be the website for the hosting company used by these sites, but instead it’s a blank website. Let’s look at the SOA record for finishlinehosting.com:

FINISHLINEHOSTING.COM SOA RECORD

Name Server ns1.finishlinehosting.com
Email finishlinehosting@cli-us.com
Serial Number 2010081305
Refresh 1 day
Retry 2 hours
Expiry 41 days 16 hours
Minimum 1 day

The e-mail address of the zone administrator for this site is also an address at cli-us.com. So who is this Christopher Lawell?

Googling “Christopher Lawell” brings up a number of interesting pages. For instance there’s the LinkedIn profile of a Christopher Lawell in the Las Vegas, NV area who is a partner at Clearline Media and president of both http://www.350dollarwebsites.com and Christopher Lawell, Inc. When we Google

“Christopher Lawell” craigslist

we find some articles where he gives tips on spamming Craigslist. For instance:

http://www.articlepros.com/online_business/More-In-Internet-and-Online-Business/article-94976.html
http://make-money-online12.blogspot.com/2008/02/how-to-post-on-craigslist.html.

Doing some more searching for his name shows that it has been linked to other verification scam sites. For instance, there is this thread on broadbandreports.com:

http://www.broadbandreports.com/forum/r23659525-craigslistsafesafeandlocalorg-scam-site-or-not

The Christopher Lawell discussed in this thread had an address in Henderson, NV, which is a suburb of Las Vegas, and he was listed as the owner of craigslistsafe.safeandlocal.org, a verification scam site that is no longer active:

Domain ID:D157651283-LROR
Domain Name:SAFEANDLOCAL.ORG
Created On:21-Nov-2009 16:02:05 UTC
Last Updated On:21-Nov-2009 16:02:08 UTC
Expiration Date:21-Nov-2010 16:02:05 UTC
Sponsoring Registrar:GoDaddy.com, Inc. (R91-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:CR29951201
Registrant Name:Christopher Lawell
Registrant Street1:318 Canyon River Court
Registrant Street2:
Registrant Street3:
Registrant City:Henderson
Registrant State/Province:Nevada
Registrant Postal Code:89012
Registrant Country:US
Registrant Phone:+1.7023358990

(The current registration information is different because the registrant acquired whois privacy protection to hide his identity.)

Not only is the name of this site very similar to craigslistsafe.localsafe.org, but SafeAndLocal.org is what is shown for the title of the page on craigslistsafe.localsafe.org:

(Click the image to see it in full size). This could be because when the current site was created, the person who set it up used a copy of the HTML for the old site and forgot to change the page’s title.

When we look at all of this evidence, though it hasn’t been proven for certain, it does appear that this Christopher Lawell is the owner of the current scam sites, too.