fritz2cat

[Resolved] Do you know these ads^H^H^Hspams ?


Hello,

I have several hosts that connect several times a day, all targeting one single user hosted in my server.

They have in common:

- they are using dedicated hosts

- they correctly set up their host name, and reverse, their MX and even their SPF

- their hostname is named ssl.*

- they send from an address within their domain. Didn't check whether the user part in the address is valid.

- they send through real MTAs, which defeat greylisting

- the message itself is either in plaintext, html, or both (multipart/alternative)

- all the links contain tracking data

- usually, they have an unsubscribe link which is highly suspect.

Here is the list of hosts seen in the last 7 days:


Some have been operating for months. 67.205.64.0/18 (hosted by iWeb) has been blocked here for 4 months...

Here are the e-mail addresses they have used (in the RFC 2821 envelope), also during the last 7 days:


Most of these messages bear a postal address, e.g.

Entertainment Publications, Inc.,

1414 East Maple Road,

Troy, MI 48083

1-866-826-1619

Pedi Paws is located at P.O Box 600991 San Diego, CA 92160

6965 El Camino Real

Suite 105 - 698

La Costa, CA 92009

Consumer Service 9-334 Queen Street South, Suite 200, Bolton, Ontario, Canada L7E-2N9

Technical Support

30 East 23 rd. St. New York, NY 10010

Pure Play, 660 4TH Street, Ste 294, San Francisco, CA 94107

Sorry for this long post. But I would be glad to have your advice.

Frédéric
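
An added example, not part of the original post: one way to check a mail log for the pattern described above, where several `ssl.*` hosts that send from their own domain all reach one recipient, and to summarise the source networks. The log format, host names and addresses are constructed for illustration and do not come from any real MTA or from this thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines in a simplified, made-up format (not any real MTA's).
SAMPLE_LOG = """\
connect from ssl.offers-one.example[192.0.2.83] from=<noreply@offers-one.example> to=<user@myhost.example>
connect from ssl.offers-two.example[192.0.2.85] from=<promo@offers-two.example> to=<user@myhost.example>
connect from ssl.offers-three.example[198.51.100.17] from=<noreply@offers-three.example> to=<user@myhost.example>
connect from mail.partner.example[203.0.113.5] from=<bob@partner.example> to=<alice@myhost.example>
connect from ssl.shop.example[203.0.113.9] from=<news@other.example> to=<alice@myhost.example>
"""

LINE_RE = re.compile(
    r"connect from (?P<host>[\w.-]+)\[(?P<ip>[\d.]+)\] "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def matches_pattern(host, sender):
    """True when the host is ssl.<domain> and the envelope sender is in <domain>."""
    host = host.lower()
    if not host.startswith("ssl."):
        return False
    return sender.lower().rpartition("@")[2] == host[len("ssl."):]

def cluster(log_text, min_hosts=3):
    """Return {recipient: {"hosts": [...], "networks": [...]}} for recipients
    reached by at least min_hosts distinct pattern-matching hosts."""
    seen = defaultdict(dict)  # recipient -> {host: ip}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and matches_pattern(m["host"], m["sender"]):
            seen[m["rcpt"].lower()][m["host"].lower()] = m["ip"]
    report = {}
    for rcpt, hosts in seen.items():
        if len(hosts) < min_hosts:
            continue
        # Collapse the source addresses to /24 networks to show the hosting ranges.
        nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in hosts.values()}
        report[rcpt] = {
            "hosts": sorted(hosts),
            "networks": sorted(str(n) for n in nets),
        }
    return report

if __name__ == "__main__":
    for rcpt, info in cluster(SAMPLE_LOG).items():
        print(rcpt, info["networks"], info["hosts"])
```
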

<snip>Sorry for this long post. But I would be glad to have your advice.

Frédéric

...Did I miss your question? I did not see one.

I have several hosts that connect several times a day, all targeting one single user hosted in my server.

Taking a stab at providing something ...???? If it was me, I'd suspect the user of doing something a bit silly. However, that statement made on very little actual/specific data.

...

I have several hosts that connect several times a day, all targeting one single user hosted in my server.

They have in common:

- they are using dedicated hosts

- they correctly set up their host name, and reverse, their MX and even their SPF

- their hostname is named ssl.*

- they send from an address within their domain. Didn't check whether the user part in the address is valid.

- they send through real MTAs, which defeat greylisting

- the message itself is either in plaintext, html, or both (multipart/alternative)

- all the links contain tracking data

- usually, they have an unsubscribe link which is highly suspect.

Here is the list of hosts seen in the last 7 days:


...

Hi Frédéric - another point of similarity seems to be that the registrants of the above domains are using Protected Domain Services (protecteddomainservices.com) for anonymity (not that I checked them all). They don't look very promising:

Protected Domain Services

125 Rampart Way

Suite 300

Denver

CO

80230

US

(... which is the same address as *their* registrar domainsite.com/Spot Domain LLC). Sometimes complaints work - see http://forum.spamcop.net/forums/index.php?showtopic=9613 and I suppose it wouldn't hurt to try with domainsite.com. But the website for protecteddomainservices.com seems to have gone into hibernation (who knows what AUP/TOS/CRA provisions there might be) and I see no specific grounds for service termination for spamming in www.domainsite.com/registration_agreement.php.

It is fair to say you seem to have tagged a substantial spam group - that is the sort of stuff that might be a better fit for CastleCops and/or Spamhaus than it is for SpamCop. But it is of more than passing interest 'here' if they routinely evade the SCbl.

And on the 'unsubscribe link which is highly suspect' - yes they (almost) always are but unfortunately 'the law' will always assume otherwise unless it is actually proven to be unproductive or exploitative and the 'why unsubscribe to something I didn't subscribe to?' common sense is *too* common sense to have legal weight. Just anticipating the usual 'but we're CAN-SPAM compliant' justification when complaints are made.

Taking a stab at providing something ...???? If it was me, I'd suspect the user of doing something a bit silly. However, that statement made on very little actual/specific data.

Hello Wazoo,

No, this person does as much as possible to keep this address clean; he always uses other throw-away addresses when possible. I can trust him. But, as Farelf suggests, we may be in the presence of a spam gang operating in the "grey zone", barely legal...

...Did I miss your question? I did not see one.

Dear turetzsr, the question was more in the subject of the thread: Do you know these ads^H^H^Hspams ?

Have a nice week-end !

Frédéric


:) Problem solved.

I sent a couple of mails to their colo hosting services. I warned these people that I would start reporting all offending items to Spamcop the next day. So I did, messages processed in realtime.

Those reported messages contained plenty of tracking data, so they obviously knew who was complaining.

Two days later, all these hosts were then quiet. [but the reporting filter is still monitoring, and ready to shoot an extra ball]

Frédéric


We put em in our blocklist and they didn't get the clue so they became firewall fodder and everything is fine now.
