ssybesma

Posts posted by ssybesma

  1. WOW!!! Quick SUCCESS on squashing one of the three domains. Never realized it was so easy.

    This is totally FUN!!! :lol:

    I am awaiting word on the initial spamvertised domain WorkFor375.com, as well as the end domain where the business is actually done (TrustedSurveys.com). The middle domain that the first one redirects to (TrustedSSurveys.com) is the one I just now got shut down.

    Like I said earlier, I should have reported the end domain first. Oh, well.

    What I did on this, was go around the WhoisGuard'ed domain names and go to ARIN to find out who had the IP addresses and was able to find out who hosted the sites that way. Works REALLY great!

    At the end, I sent a gloating email to the email address mentioned on the end website that actually does the spamvertised business. I couldn't help myself. Why not? :rolleyes:

    Steve

    ====================

    Hello,

    Thank you for notifying us.

    I have suspended the website trustedssurveys.com.

    Sincerely,

    Ted Smith

    Security Specialist

    Endurance International Group

    -----Original Message-----

    From: Shimon Bakshi

    Sent: Tue 08-May-12 14:40

    To: cogentabuse

    Subject: FW: spammer using IP address registered to you

    From: Steve [mailto:steve[at]vwebr.net]

    Sent: Tuesday, May 08, 2012 10:43 AM

    To: #CustomerRelations

    Subject: spammer using IP address registered to you

    Hello,

    Please forward this to your abuse dept or the dept that handles webhosting or IP services.

    The following is information regarding someone who is spamming a work-at-home scam using the domain workfor375.com, which redirects to trustedssurveys.com

    The domain trustedssurveys.com (note there is a doubled 's') has been obfuscated because the person is using Namecheap.com's Whoisguard service.

    HOWEVER, the IP address that trustedssurveys.com points to is 65.254.250.110.

    According to ARIN, that IP address is in your CIDR block.

    Can you please look into de-allocating/de-registering that IP address?

    I will forward the spam to you with all headers right after this email, but the domain name referred to is clearly in the spam and it redirects to the domain having the IP address in your CIDR block.

    Thank you,

    Steve Sybesma

    Lafayette, CO

    720-934-2484

    [Querying whois.arin.net]

    [whois.arin.net]

    #

    # Query terms are ambiguous. The query is assumed to be:

    # "n 65.254.250.110"

    #

    # Use "?" to get help.

    #

    #

    # The following results may also be obtained via:

    # http://whois.arin.net/rest/nets;q=65.254.2...amp;ext=netref2

    #

    NetRange: 65.254.224.0 - 65.254.255.255

    CIDR: 65.254.224.0/19

    OriginAS:

    NetName: BIZLAND-FC03

    NetHandle: NET-65-254-224-0-1

    Parent: NET-65-0-0-0-0

    NetType: Direct Allocation

    RegDate: 2004-01-06

    Updated: 2012-03-02

    Ref: http://whois.arin.net/rest/net/NET-65-254-224-0-1

    OrgName: The Endurance International Group, Inc.

    OrgId: EIG-12

    Address: 70 Blanchard Road

    City: Burlington

    StateProv: MA

    PostalCode: 01803

    Country: US

    RegDate: 2005-02-07

    Updated: 2011-09-24

    Ref: http://whois.arin.net/rest/org/EIG-12

    OrgTechHandle: BBR189-ARIN

    OrgTechName: Brock, Brian

    OrgTechPhone: +1-781-852-3254

    OrgTechEmail: bnbrock[at]maileig.com

    OrgTechRef: http://whois.arin.net/rest/poc/BBR189-ARIN

    OrgAbuseHandle: BBR189-ARIN

    OrgAbuseName: Brock, Brian

    OrgAbusePhone: +1-781-852-3254

    OrgAbuseEmail: bnbrock[at]maileig.com

    OrgAbuseRef: http://whois.arin.net/rest/poc/BBR189-ARIN

    OrgNOCHandle: ENO74-ARIN

    OrgNOCName: EIG Network Operations

    OrgNOCPhone: +1-339-234-9762

    OrgNOCEmail: netmon[at]maileig.com

    OrgNOCRef: http://whois.arin.net/rest/poc/ENO74-ARIN

    #

    # ARIN WHOIS data and services are subject to the Terms of Use

    # available at: https://www.arin.net/whois_tou.html

    #
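The procedure Steve describes (resolve the WhoisGuard'ed domain to its IP, then ask ARIN who holds the block and where its abuse reports go), as an added Python example that is not code from the post or from SpamCop. It parses the ARIN record quoted above offline; `parse_whois`, `abuse_contact`, `arin_lookup` and `hosting_contact_for_domain` are assumed names, and only the last two touch the network.

```python
import ipaddress
import socket

# ARIN record for 65.254.250.110 as quoted in the post above (trimmed, not re-queried).
SAMPLE_WHOIS = """\
# Query terms are ambiguous. The query is assumed to be:
NetRange: 65.254.224.0 - 65.254.255.255
CIDR: 65.254.224.0/19
NetName: BIZLAND-FC03
OrgName: The Endurance International Group, Inc.
OrgAbuseHandle: BBR189-ARIN
OrgAbuseEmail: bnbrock[at]maileig.com
"""

def parse_whois(text):
    """'Key: value' lines -> dict; '#' comments skipped, a repeated key keeps its first value."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields

def abuse_contact(ip, whois_text):
    """(cidr, org, abuse_email) when the record's CIDR really covers ip, else None."""
    fields = parse_whois(whois_text)
    cidr = fields.get("CIDR")
    # Membership check catches a stale or mistyped lookup before anything gets reported.
    if not cidr or ipaddress.ip_address(ip) not in ipaddress.ip_network(cidr, strict=False):
        return None
    return cidr, fields.get("OrgName"), fields.get("OrgAbuseEmail")

def arin_lookup(ip, timeout=10):
    """Live query over the whois protocol (TCP/43) using the 'n <ip>' form ARIN echoed above."""
    with socket.create_connection(("whois.arin.net", 43), timeout=timeout) as s:
        s.sendall(f"n {ip}\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

def hosting_contact_for_domain(domain):
    """Whole manual procedure from the post: domain -> IP -> ARIN block holder (needs network)."""
    ip = socket.gethostbyname(domain)
    return ip, abuse_contact(ip, arin_lookup(ip))
```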

  2. Hi again Steve. As Steve T says, quite simply you cannot dummy a submission to make the parser find something it couldn't do by itself and then send the report as if the parser had done it all. That's the "material changes" rule - http://www.spamcop.net/fom-serve/cache/283.html You can always use the parser to find reporting addresses with manually altered data but you can't alter the spam that is reported.

    Seems frustrating I know but SC relies on INTEGRITY which is closely guarded to maintain credibility and cooperation within the internet community. That's why those other tools are needed (instead of SC reports) and the SCbl handles only e-mail originating IP addresses, not web sites. Reports to the associated network admins are a courtesy only, in the hope they will take action to shut down the spammers abusing their services. In the case of websites that is the only SC action, no SCbl entry (though the SURBL, mentioned in one of those other topics indicated, does independently use SC spamvertized site data).

    The parser is completely unable to follow redirections but I suppose you might be entitled to add an additional report recipient or two (if you are a paying user) reflecting anything you have found out yourself. (You need to be more than a bit cautious about following redirections by the way.) But anyway, you might then have some difficulty explaining in notes to those additional recipients what is going on since the report won't be indicating their networks. Very few of them are highly motivated towards anti-spamming activity, sadly. And the report has no consequences for them, as said - except if they are actually hard-core spammers, then the consequences could be a bit negative.

    OK, very good. I'll abide by the rules. I registered with knujon.com, am trying to register with complainterator.com (although their site seems to be timing out when I attempt) and I sent an email to see about having the latter two domains added to Bill Stearn's blacklist. WorkFor375.com I noticed is already on the WS list, but that doesn't stop the problem like squashing the domains will. Think I hit all the bases possible.

  3. Hi ssybesma.

    Yes, unlike your browser, the parser won't take an implied link like WorkFor375.com and treat it as a link (which is one reason why the spammers/authors don't put in the full link). If it had the http:// bit in front of it, it would be processed. I dummied a submission (and cancelled it) - http://www.spamcop.net/sc?id=z5322915931za...00961daa75b681z

    You can see it would work then, but can't pick up the redirection.

    SpamCop is all about finding the e-mail source. You need to go to other tools to address the "spamvertized" links with full rigour. There are all sorts of problems and solutions associated with the links both innocent and spammy that can be found in a spam e-mail. See http://forum.spamcop.net/forums/index.php?showtopic=12362 for a recent discussion of another type of link resolution problem and some links to those other tools. See http://forum.spamcop.net/forums/index.php?showtopic=4085 for some background, if you haven't looked there already.

    Steve

    Very EXCELLENT reply Steve (my name is Steve as well).

    How would I go about 'dummying' the submission to add the spamvertised website? I will check out the tools you mentioned, so that may take out the necessity of doing it that way and make my question moot.

    The other thing I was thinking about, is that there is probably a better strategy of reporting spamvertised websites in the case of a redirected domain and a link to a domain.

    I should probably go after the domain at the end of the line and work my way up, because if the domains farther out get reported last, they may not see the connection to the domain that I had to get to before that one if it was shut down already.

    I didn't think about that initially and reported workfor375.com first (yesterday), then the redirected domain trustedssurveys.com right afterward, and then the link from the redirected domain (trustedsurveys.com) was reported today.

    Shoulda did it the other way. Oops!
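Added Python example (not from the post and not SpamCop's parser) illustrating Steve T's two points: a scheme-requiring extractor misses the bare `WorkFor375.com` that a lenient one finds, and a redirect chain can be recorded with HEAD requests without auto-following or fetching any page body. `extract_links` and `trace_redirects` are assumed names; the spam excerpt is taken from the thread.

```python
import re
import urllib.error
import urllib.parse
import urllib.request

# Excerpt of the spam body quoted in this thread (line breaks as in the post).
SPAM_BODY = """Just go to my website for more information
and to apply if you're interested:
WorkFor375.com
If you don't want to receive any more email from us, just go to
WorkFor375.com/remove
"""

# Strict = scheme required (what a link-only parser sees); bare = what a browser address bar accepts.
STRICT_URL = re.compile(r"https?://[^\s<>'\"]+", re.I)
BARE_URL = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz)(?:/[^\s<>'\"]*)?", re.I)

def extract_links(text, require_scheme=True):
    """Unique, lower-cased links in order of appearance, trailing punctuation stripped."""
    pattern = STRICT_URL if require_scheme else BARE_URL
    seen, out = set(), []
    for m in pattern.finditer(text):
        link = m.group(0).rstrip(".,;:)").lower()
        if link not in seen:
            seen.add(link)
            out.append(link)
    return out

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow; the 3xx is raised as HTTPError instead

def trace_redirects(url, max_hops=5, timeout=10):
    """Record each hop as (url, status, location) with HEAD only; no body is fetched or rendered."""
    opener = urllib.request.build_opener(_NoRedirect)
    hops = []
    for _ in range(max_hops):
        req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "abuse-triage/1.0"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                hops.append((url, resp.status, None))
                return hops
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            hops.append((url, err.code, location))
            if not (300 <= err.code < 400 and location):
                return hops
            url = urllib.parse.urljoin(url, location)
    return hops
```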

  4. The reporting tool is missing the spamvertised website mentioned in the headers and the body of the spam below (my email and others obfuscated for privacy reasons). The name of the domain is workfor375.com.

    I had to do the legwork myself and reported that domain, the domain it redirects to (trustedssurveys.com) and the domain that webpage contains a link to (trustedsurveys.com) as well as all three IP addresses to their respective hosting/allocating companies.

    When I used spamcop on the spam below, all it reported to was Yahoo.

    ============================================================

    Return-path: <thezeroplan128[at]yahoo.com>

    Envelope-to: <OBFUSCATED FOR PRIVACY REASONS>

    Delivery-date: Sun, 06 May 2012 03:34:52 -0500

    Received: from nm16-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.131])

    by server509.webhostingpad.com with smtp (Exim 4.69)

    (envelope-from <thezeroplan128[at]yahoo.com>)

    id 1SQwvY-0047HO-EC

    for <OBFUSCATED FOR PRIVACY REASONS>; Sun, 06 May 2012 03:34:52 -0500

    Received: from [98.139.212.151] by nm16.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000

    Received: from [98.139.212.240] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000

    Received: from [127.0.0.1] by omp1049.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000

    X-Yahoo-Newman-Property: ymail-5

    X-Yahoo-Newman-Id: 248258.25919.bm[at]omp1049.mail.bf1.yahoo.com

    Received: (qmail 95838 invoked by uid 60001); 6 May 2012 08:34:47 -0000

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1336293287; bh=iLdWCppUyJWwtTtwpaXIbQtCd9bWuEy8P1VLHBZrY58=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type; b=pOe5jE9noygec3LcP2Sjhym3zN39aNMDzO3lttjyLv4ZXtBfhSuAEXTLCSYnAGyeF1rOEPwYPpX/zgufkDjB9I1OX/TmpB7QA9ABKWwbAeC6uT6VgkzBlBY8CAdyhPwc2zxLGSErr9xUIu90fQDJZ0uMpQe9NnWnu+EbxLUYgXQ=

    DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;

    s=s1024; d=yahoo.com;

    h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type;

    b=TQtMk7TgXQUstyeoWuy4IpDHpe+J0e5rmgOjP2I/N6nxZwzXquRJTisZbxZmaTYM4d+ilUxpuaavJRvK7IUQLbz2M//u0U2W1uiGGGDX0pvZrnuKM8jX6ih4wwIvhRTCpA0SSpX0QJX5tCW1F7L7IJjnGwADG7SaBQR/2J6nKDk=;


    Received: from [178.88.10.39] by web161802.mail.bf1.yahoo.com via HTTP; Sun, 06 May 2012 01:34:47 PDT

    X-Mailer: YahooMailWebService/0.8.117.340979

    Message-ID: <1336293287.86220.YahooMailRC[at]web161802.mail.bf1.yahoo.com>

    Date: Sun, 6 May 2012 01:34:47 -0700 (PDT)

    From: Jake Bufton <thezeroplan128[at]yahoo.com>

    Reply-To: Jake Bufton <thezeroplan128[at]yahoo.com>

    Subject: hey, i have a question about your ad

    To: mikaisme at hotmail dot com [NOTE: probably a test address or a mailing list address]

    Cc: <OBFUSCATED FOR PRIVACY REASONS>

    MIME-Version: 1.0

    Content-Type: text/plain; charset=us-ascii

    X-spam-Status: No, score=1.7

    X-spam-Score: 17

    X-spam-Bar: +

    X-Ham-Report: spam detection software, running on the system "server509.webhostingpad.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

    Content preview: Hey, I like working with people that post ads online, since I already know that you basically know your way around a computer. I need a few people here in town for some part-time help with some online work that I have. The work is very easy, but it's too much for me to by myself, so I thought that I'd email a few people and see if you'd be interested. [...]

    Content analysis details: (1.7 points, 4.0 required)

    pts  rule name                   description
    ---- --------------------------- --------------------------------------------------
    -0.0 RCVD_IN_DNSWL_NONE          RBL: Sender listed at http://www.dnswl.org/, no trust [98.139.213.131 listed in list.dnswl.org]
     1.6 URIBL_WS_SURBL              Contains an URL listed in the WS SURBL blocklist [URIs: workfor375.com]
     0.0 FREEMAIL_FROM               Sender email is commonly abused enduser mail provider (thezeroplan128[at]yahoo.com)
     0.2 FREEMAIL_REPLYTO_END_DIGIT  Reply-To freemail username ends in digit (jake bufton <thezeroplan128[at]yahoo.com>)
    -0.0 T_RP_MATCHES_RCVD           Envelope sender domain matches handover relay domain
     0.2 FREEMAIL_ENVFROM_END_DIGIT  Envelope-from freemail username ends in digit (thezeroplan128[at]yahoo.com)
    -1.9 BAYES_00                    BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
     1.5 URIBL_RHS_DOB               Contains an URI of a new domain (Day Old Bread) [URIs: workfor375.com]

    X-spam-Flag: NO

    Hey,

    I like working with people that post ads online,

    since I already know that you basically know your

    way around a computer. I need a few people here

    in town for some part-time help with some online

    work that I have. The work is very easy, but it's too

    much for me to by myself, so I thought that I'd email

    a few people and see if you'd be interested.

    Just go to my website for more information

    and to apply if you're interested:

    WorkFor375.com

    Just copy and paste the above link

    into your web browser.

    ****************************************

    If you don't want to receive any

    more email from us, just go to

    WorkFor375.com/remove

    ****************************************
