jprogram

Spammers using web "middleman" URLS (tb42trk.com)


Since April 20, 2020, spammers are now using some kind of web middleware to redirect one URL to a "middleman" URL to reach the destination URL. This trickery is bypassing the e-mail provider's spam filter.

Here are those "middleman" URLs:

  • tb42trk.com
  • bx55trk.com
  • ks20trk.com
  • mrm30trk.com
  • ds62trk.com

Apparently, those are all owned by Google. So how do they work and what are those sites called?

8 hours ago, jprogram said:

Apparently, those are all owned by Google. So how do they work and what are those sites called?

The redirection is immediately stopped if a Gmail user reports the spam as phishing; it just requires a click to do this.
Saving a redirection to Google Cloud can be done by anyone with a Gmail account, which is free.
A SpamCop tracking URL is always more helpful.
SpamCop will report it to Google, but I'm not sure how quickly Google reacts to reports?

Edited by petzl

6 hours ago, jprogram said:

Apparently, those are all owned by Google. So how do they work and what are those sites called?

I believe they are called URL shorteners. How they work is that a person can type/paste a URL into the shortener's site and get a shortened link. Visiting the shortened link passes a 302 or a 301 redirect, and your browser will be redirected directly to the longer URL. During the redirect, the shortener tracks the usage. Shorteners were started because links (such as forum posts) can be quite long.

http://forum.spamcop.net/topic/11594-my-url-shortener-website-is-spamvertised-what-to-do/

http://forum.spamcop.net/topic/10541-resolve-redirections-of-url-shrinking-url-redirection-services/


I'll use this spam as an example...
https://www.spamcop.net/sc?id=z6642853265z193d6fb05ee9b701404ec2d508af48b0z

If you use the domain name and add either "www", "ww1", or "web" prefixes -- the directory names don't matter, they'll redirect you the same way.

Here is the chain of redirects (blocking out some details):
http://www.uhcphysicianfinder.com/main.html/z9zIiTTp
https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=*****
https://youmeasurewellness.com/?__ef_tid=442cc3002bca40b3871fef7afecd72d4&oid=4&affid=5

In this case, ks20trk.com was used. It really does not look like a URL shortener -- not saying it's not per se.

Who do I go after from the chain? All of them? DNS servers too?
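A small redirect-chain resolver, added here as an example and not part of the original thread: it follows one hop at a time (HEAD request, automatic redirects disabled), records every URL visited so each party in the chain can be looked up and reported, and stops on loops or a hop limit. The hop table is constructed from the hostnames quoted above with placeholder paths, so it runs offline; the `fetch_head` stand-in is an assumption, and in practice it would be replaced by a real HEAD request from a sandboxed host.

```python
from urllib.parse import urljoin, urlsplit

# Constructed hop table standing in for live HTTP responses (URL -> (status, Location)).
# Hostnames mirror the chain quoted in the post; paths and parameters are placeholders.
CONSTRUCTED_RESPONSES = {
    "http://www.uhcphysicianfinder.com/main.html/z9zIiTTp":
        (302, "https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=PLACEHOLDER"),
    "https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=PLACEHOLDER":
        (301, "https://youmeasurewellness.com/?__ef_tid=PLACEHOLDER"),
    "https://youmeasurewellness.com/?__ef_tid=PLACEHOLDER": (200, None),
    # Two constructed hops that bounce between each other, to exercise loop detection.
    "http://loop-a.example/": (302, "http://loop-b.example/"),
    "http://loop-b.example/": (302, "/"),  # relative Location pointing at itself
}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def fetch_head(url):
    """Stand-in for a HEAD request with automatic redirects disabled.
    Returns (status, Location header or None); unknown URLs look like a 404."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))

def resolve_chain(url, fetch=fetch_head, max_hops=10):
    """Follow redirects one hop at a time, recording every URL visited.
    Returns (chain, reason) where reason is 'final', 'loop' or 'hop-limit'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        url = urljoin(url, location)  # Location may be relative to the current URL
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "hop-limit"

def hosts_to_report(chain):
    """Distinct hostnames in order of first appearance: each is a separate
    party (mail sender, middleman, landing page) to look up and report."""
    hosts = []
    for hop in chain:
        host = urlsplit(hop).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

if __name__ == "__main__":
    chain, reason = resolve_chain("http://www.uhcphysicianfinder.com/main.html/z9zIiTTp")
    print(" -> ".join(chain), f"({reason})", "report:", hosts_to_report(chain))
```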

2 hours ago, jprogram said:

Who do I go after from the chain? All of them? DNS servers too?

Looks like OVH are dead at the wheel in handling abuse. You might try their website:
https://www.ovh.com/world/abuse/
Put in the notes something like:
Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS
The site I was redirected to is listed as malicious:
https://www.virustotal.com/gui/url/2bbb53811e2da7a35cd8dc638edd7e454176d41684005599247f4459df39a497/detection

Edited by petzl

2 hours ago, petzl said:

The site I was redirected to is listed as malicious

That URL is one of many. You can see the list here...

https://urlscan.io/ip/45.55.121.131

Not all of those sites are marked malicious. Maybe the one for youmeasurewellness is a false negative?

3 hours ago, jprogram said:

That URL is one of many. You can see the list here...

https://urlscan.io/ip/45.55.121.131

Not all of those sites are marked malicious. Maybe the one for youmeasurewellness is a false negative?

Initially I would try to get OVH to act; it could be spam blackmailing innocent websites?
They did have a PayPal link which seemed legit.

8 hours ago, petzl said:

Initially I would try to get OVH to act

OVH makes up about half of the website links in the message.

I certainly have tons of work on reporting to the following:

#1. e-mail server; #2. web server (based on e-mail's domain name); #3. Google (**trk.com); #4. DigitalOcean (end-of-the-redirect-chain website); #5. Whoever is hosting bogus unsubscribe forms.... Then you got the DNS providers for each server.

7 hours ago, jprogram said:

OVH makes up about half of the website links in the message.

I certainly have tons of work on reporting to the following:

#1. e-mail server; #2. web server (based on e-mail's domain name); #3. Google (**trk.com); #4. DigitalOcean (end-of-the-redirect-chain website); #5. Whoever is hosting bogus unsubscribe forms.... Then you got the DNS providers for each server.

Don't do them all, just a few via their website, the rest via SpamCop.
For handling abuse, try their website:
https://www.ovh.com/world/abuse/
Put in the notes something like:
Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS

In Windows, to find the registrar of a website, I use this freeware program:
http://www.gena01.com/win32whois/

http://www.uhcphysicianfinder.com/main.html/z9zIiTTp
65.181.123.252
  support[AT]dedicatednow[DOT]com
Registrar Abuse Contact Email:  mailto:abuse[AT]nameking[DOT]com

Edited by petzl

5 hours ago, jprogram said:

Does OVH own other servers? Example: velia.net

How can I tell if they run under OVH?

Look at the abuse address.
Windows freeware Whois program below:
http://www.nirsoft.net/utils/ipnetinfo.html
