
Trying to figure out spamsource - spamcop vs WHOIS


andyroo


Hi!

For the last week I've been getting targeted spam (to .edu addresses) that spamcop identifies as being from liquidweb.com. When I run a whois by domain name, the owner comes back whoisguard protected, registered by either namecheap or enom. When I run by IP address, the address block comes back registered to liquidweb. Both enom and namecheap state that they have policies prohibiting users of their services from sending unsolicited bulk commercial email, but they don't come up in spamcop reporting as options to email to. Liquidweb is unresponsive. I am preparing to manually report the spam to enom and namecheap, but I wanted to get feedback on this. A detailed description of the spam sources and content follows.

I'm guessing that liquidweb is allocated the block of IP addresses that these domain names (six so far) are registered to. But I haven't seen any replies from them in over a week of spams. I'm getting 5-10 per day from these addresses (IP addresses are just the last few I've reported):

[http:// flightsinthedark.com] ( 69.16.251.182 )( 69.16.242.62 )

[http:// bigbrownsquares.com] ( 69.16.242.61 )

[http:// medianaliter.com] ( 69.16.251.181 )( 69.16.242.61 )

[http:// nomoechopollo.com] ( 69.16.242.59 )( 69.16.242.60 )( 69.16.242.210 ) ( 69.16.242.211 )( 69.16.242.212 )( 69.16.251.180 )

[http:// fishgrantisotis.com] ( 69.16.242.59 )( 69.16.242.61 )

[http:// beejungleribbon.com] ( 69.16.251.180 )( 69.16.251.182 ) ( 69.16.242.62 )

Each email has links that redirect to a site that runs you through a kajillion offers (I just filled in the info from the unsubscribe address when I was looking into it). Then, right before you're supposed to get whatever free thing they're offering, the page hangs on a survey (in MSIE or firefox). It appears to be a deceptive site designed to get you to fill out a whole bunch of personal info on a whole bunch of marketing lists. I imagine they get a kickback. If you want to follow the links, some valid three digit codes are 156,157,158,064

The general email format is:

From: Financial Department <studentpromotion[at][insert domain name from above]>

Subject: [insert promotional offer name here]

To: myemail[at]university.edu

Students Get our [ insert offer here] What are you waiting for?

Congratulations! You have been selected to receive a [insert offer here] Simply click on the link to complete the application.

Click Here (http:// nomoechopollo.com/redir.php?id=158&e=myemail[at]university.edu)

[more offer-specific text]

Click Here (http:// nomoechopollo.com/redir.php?id=158&e=myemail[at]university.edu)

Sincerely,

[offer dependent signature]

College Group Only Sends Top Offers and Services To Students. We Wish You Great Success This Fall. Please click here to unsubscribe or mail your unsubscribe request to the address below. [http:// nomoechopollo.com/uns.php?c=studentpromotion&m=] [ten digit identifier]&e=myemail[at]university.edu College Group Services 5715 Will Clayton #2158 Humble, TX 77338

Moderator edit - URLs delinked ... Farelf


A Tracking URL on one or a few of these would answer many questions ....

From the gist of what you are saying;

.. The "source" is from liquidweb ... taking that to mean the "source of the e-mail/spam"

This would not necessarily have anything to do with the (assumed) spamvertised web-sites you've listed.

But then you suggest that these "sources" also fall under a liquidweb IP block.

So what's the IP address involved as "the source" of these e-mails? (Or maybe I'm figuring out what you posted?)

For example, you list: ht tp://flightsinthedark.com ( 69.16.251.182 )( 69.16.242.62 )

but the web-site is currently located at; Trace flightsinthedark.com (69.16.242.234) ...

Tossing a safe-browse/GET command at that site returns no content ...

The same result in an attempt to "look at" ht tp://bigbrownsquares.com/

I'm guessing that you are suggesting that you received two spam e-mails originating from the two IP addresses you quoted, both including references to the spamvertised site ...????

I'm guessing that liquidweb is allocated the block of IP addresses that these domain names (six so far) are registered to.

Actually, the technical wording would be "this is where they are hosted". One can "register" anywhere; it's the DNS records that end up pointing to 'where' the site is actually sitting. There are many instances noted in other discussions here relating to spammer use of "rotating DNS records/data".

Both enom and namecheap state that they have policies prohibiting users of their services from sending unsolicited bulk commercial email, but they don't come up in spamcop reporting as options to email to.

Domain Registrars are not normally a target for SpamCop.net reports. This type of notification requires 'manual' reporting.

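The reply's point is that three different things are being mixed together: the host that actually delivered the e-mail (the "source", which is what a SpamCop report is addressed to, via whois on its IP), the host where the spamvertised web site happens to be sitting (found by resolving the domain and then doing whois on that IP), and the registrar the domain was bought from (found by whois on the domain name, and reported to manually). The script below is an added example written for this thread, not code from either poster or from SpamCop; it works on a constructed sample message whose relay hostnames and addresses are made up, and it assumes a caller-supplied set of "trusted" hostnames for the receiving site's own mail servers. It pulls the source IP out of the Received chain, the spamvertised hostnames out of the body, and the From domain, and keeps them apart so each can be sent to the right kind of lookup.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): the Received chain, relay names and
# addresses are invented; the body mirrors the format quoted in the thread.
SAMPLE = """\
Received: from mx1.university.edu (mx1.university.edu [198.51.100.5])
    by mailstore.university.edu (Postfix) with ESMTP id ABC123
    for <student@university.edu>; Mon, 1 Sep 2008 10:00:02 -0500
Received: from mail.bulksender.example (mail.bulksender.example [203.0.113.77])
    by mx1.university.edu (Postfix) with ESMTP id DEF456
    for <student@university.edu>; Mon, 1 Sep 2008 10:00:00 -0500
Received: from localhost (localhost [127.0.0.1])
    by mail.bulksender.example (Postfix) with ESMTP id 789
From: Financial Department <studentpromotion@nomoechopollo.com>
To: student@university.edu
Subject: Students Get our Free Offer
Content-Type: text/plain; charset=us-ascii

Congratulations! You have been selected. Simply click on the link.
Click Here (http://nomoechopollo.com/redir.php?id=158&e=student@university.edu)
Please click here to unsubscribe:
http://nomoechopollo.com/uns.php?c=studentpromotion&m=0000000000&e=student@university.edu
"""

# Hypothetical: the receiving site's own mail servers, whose Received stamps we trust.
TRUSTED = {"mailstore.university.edu", "mx1.university.edu"}

# "from <helo> (<rdns> [<ip>]) by <host>" as written by common MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[]*\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.I
)
URL_RE = re.compile(r"""https?://[^\s<>()\[\]"']+""")


def originating_ip(raw_message, trusted_hosts):
    """Walk Received headers newest-first and return the IP of the first hop
    that handed the message to one of our own servers. Anything stamped by a
    server we do not control is forgeable, so the walk stops there."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(str(header).split()))
        if not m or m["by"].lower() not in trusted_hosts:
            break
        ip = ipaddress.ip_address(m["ip"])
        if m["helo"].lower() in trusted_hosts or ip.is_loopback:
            continue  # an internal hop between our own servers; keep walking
        return str(ip)
    return None


def spamvertised_hosts(raw_message):
    """Hostnames linked from the body: these identify the hosting, not the sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return sorted({urlparse(u).hostname for u in URL_RE.findall(body)})


def in_block(ip, cidr):
    """True if the address lies in the netblock a whois-by-IP lookup returned."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def triage(raw_message, trusted_hosts):
    """Separate the three things the thread conflates so each gets the right lookup:
    source_ip -> whois on the IP (network owner; what a SpamCop report goes to),
    spamvertised_hosts -> resolve, then whois on that IP (hosting provider),
    from_domain -> whois on the name (registrar; a manual report, and the
    header is trivially forged, so it is never treated as the source)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return {
        "source_ip": originating_ip(raw_message, trusted_hosts),
        "spamvertised_hosts": spamvertised_hosts(raw_message),
        "from_domain": msg["from"].addresses[0].domain,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE, TRUSTED).items():
        print(f"{key}: {value}")
```

The CIDR in `in_block` is whatever the whois-by-IP lookup returned for the source address; the example does not hard-code any real allocation. Note that in the thread the poster's per-domain IP lists are the mail source addresses, while the reply's "Trace" result is where the web site resolves today, which is why the two do not match and why DNS data for such sites can be rotated without the sending hosts changing.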
