The 31st of July 2019, hundreds of websites became unreachable from inside Kazakhstan and during several days no one knew why. This article investigates the real target of the blocking, “Rainbow Spa” and its connection to an illegal prostitution ring.
The first reports of the massive blocking were published in social media, and pointed to a filter of two IP addresses implemented by Kazakhstan Telecom in their infrastructure. As most of the providers route their traffic via the national operator, the affected sites were inaccessible in the whole country.
The two filtered IP addresses belonged to a client hosted with Tilda Publishing, a Russian website-builder that enables quick deployment of websites. It took a day for Tilda to react to the blocking while many of their customers’ websites were unreachable in Kazakhstan.
Tilda re-allocates customers to new data center
The first hint of the blocking was prompted by Tilda themselves when they publicly announced it in a simple website kzalert site that clients that were experiencing problems had to change their website location to a new IP address (220.127.116.11) pointing to the commercial hosting provider Hoster.kz.
Two days later on August 2nd, Tilda informed their customers that they were blocked by a Kazakhstan Telecom filter, and asked them to reallocate their websites to yet a new IP address, in this case 18.104.22.168.
Affected sites requested to move to Kazteleport and DDOS-Guard
On August 8th, at least 800 domains and subdomains affected by the IP blocking had migrated to a new hosting address 22.214.171.124 at Kazteleport, a datacenter that it is a subsidiary of the Halyk Bank. All the domains are protected against Denial of service attack by DDOS-Guard, a Russian company that provides services to the Russian’s Ministry of Defense.
It is unclear to us why the “DDoS protection” was used as a justification for moving the websites to Kazteleport.
A list of domains that migrated to the data center follows below:
Why hundreds of websites were blocked?
A statement from Kazakh Telecom the 1st of August reported that the blocking of the websites was enforced against the website rainbow-spa.kz. The website was hosted in the Tilda Publishing platform in the IP addresses: 126.96.36.199 and 188.8.131.52. According to their report, a court order was issued to block the website that contained videos and pornographic material that violated the “media law” and the “law that protects the rights of the child”.
As the website shared IP address with many others, all of them were brought down. Some of the websites blocked were Manusq Media or the Clique Film Festival.
A website with .kz domain
The first thing that caught our attention was that the controversial website rainbow-spa.kz uses the .kz domain and we wonder why the court order was not sent to the domain registrar ICPS – Internet Company PS “Интернет-компания PS” .
Not until the 7th of August, one week after the IP blocking, the registrar reflected that the domain was put on hold (serverHold) due to “bad owner information”.
What is Rainbow-spa.kz?
By the time of the public alert, the website was already offline and we could not obtain any copies of the content. We looked into the contact details of the domain and the domain registration address Сатпаева, 30а к2
To our surprise, at that address we could find a business with the name “R.N.B.W. massage salon”. The “massage business” RaiNBoW” offers erotic massage services. Could this be rainbow-spa.kz?
More domains linked
We looked for all the domains that re-assemble the blocked site. It is not uncommon to see business of this type running multiple websites. During our search we found two more domains: rnbw.kz and rnbw-spa.kz
Both domains were registered in May and June 2019, they share postal address (Satpaeba, 30a K2, Tengiz Towers, Almaty) and phone number (774 713 77 621).
- rnbw-spa.kz 2019-06-23 22 MEGAHOST email@example.com Askar_rx@mail.ru
- rnbw.kz 2019-05-11 11 ICPS firstname.lastname@example.org (mail from Бизнес-Технологии?”
- rainbow-spa.kz 2019-06-10 12 ICPS Rainbowsalone@gmail.com
- karaokeboom.kz 2019-03-01 04 MEGAHOST email@example.com
Rnbw Luxury Body-Spa is registered with phone contact +7(747)137-76-21 as a place to find prostitutes.
Prostitution rings under .kz
During our research we also found that there were several websites that offered information about how to find prostitutes in Kazakhstan. Although prostitution is itself legal, acts facilitating prostitution, such as operating a brothel or prostitution ring, are illegal. It comes to a surprise that a country that pretends to protect their citizens from cybercrime screening all communications is not acting in obvious cases of human trafficking that can be found using a search engine.
Contact details and bogus e-mail addresses
Several mails seems to be connected to the domains Rainbowsalone@gmail.com, firstname.lastname@example.org and email@example.com
- grgburdell might refer to fictitious student Gerge P Burdell
- firstname.lastname@example.org that appears in the SOA record of rnbw-spa is connected with Askar Aldasugirov, that runs several cleaning companies: Tazaline Cleaning and DI-Cleaning.
dig SOA @ns1.ps.kz rnbw-spa.kz
rnbw-spa.kz. 86400 IN SOA ns1.ps.kz. Askar_rx.mail.ru. 2019080503 10800 3600 604800 10800
Looking at the domain details it seems possible that rainbow-spa.kz is one more placeholder of Rainbow Luxury Spa sites (rnbw.kz and rnbw-spa.kz)
- Why the court order was not sent to the domain registrar? Internet Company PS.
- Why Tilda Publishing did not receive any notification of such illegal content in their platform?
- Why hundreds of websites were blocked for a website that might have two similar copies still online?
- Why the blocked websites were asked to re-allocate to a server inside Kazakhstan to remain online?