DDR

Everything posted by DDR

  1. I'm not trying to close businesses, just spammers & their links. Stopping the spam helps businesses not be associated with spam without their knowledge. Also, this is spam... I've only seen about 2-3 legitimate businesses (and lately, maybe 0) out of hundreds to thousands of spam messages (they repeat a lot). (Unless we're counting spammers as pillars of industry: brokering the untapped potential of unpatched servers and a captive audience - building a market for premium mail filtering.) You have to assume it's all malicious - but I think spammers are less focused on link revenge and more on making money: maybe sliding in a few "legitimate" businesses to normalize their spam style / get paid for purchases through affiliate links, selling lists of live addresses, selling nonexistent products from layered babushka businesses through a legitimate payment processor, phishing the banking details of the unwary... Alerting a hacked server is probably the best action -- delisting one DNS entry or getting one image/redirect closed does almost nothing; the spammer expects limited use and has near-infinite options... But buying all those domains (and hidden whois records) can't be cheap? And if they impersonate a real business - real businesses have lawyers. It seems that poking around inconvenienced my spammer for about a week. They seem significantly less diversified now... I've gotten replies that I've alerted a few services to intruders sending spam (it would be nice to get spam bounties...). It looks like they've switched to: mostly sending from Russian servers, private whois records, mostly free image hosting and link redirectors (like imgur.com), unicode subject lines "Y𝕠𝕦'𝕣𝕖 A𝕡𝕡𝕣𝕠𝕧𝕖𝕕". No more "This is an advertisement" text. Sites are similar: random names, GUID links for tracking and forwarding, basically (and sometimes literally) lorem-ipsum text. E.g.:
     sleeveplot.com; responstvview.store; dreammediainfo.com; datalari.org.uk; mrliving.org.uk
  2. I've tried contacting EuroDNS (the DNS host for the parent domains), but those domains are (technically) not (directly) sending or linked to in the spam, so they won't do anything without "blatant proofs". Any suggestions for what I should try to assemble as proof? I've contacted the other domain registrar (Namecheap) a few times with dozens of domain links from the spam -- they remove reported domains -- but they obviously haven't blocked the spammer from registering new domains with them. The registrar may not be able to block the spammer, because they can infinitely spin up a new website/email and PO box and look like a new customer. Other interesting things: I've tried to alert several "advertised" businesses that look legit -- I've gotten one reply that said they would take action and demonetize those referrals. This spam has all switched to MIME encoding (it was previously plain text, which was easier for me to extract links/domains from) -- but SpamCop does decode and extract the links. Some of these spam domains were registered 6 months ago. Does domain tasting always show up as "will expire after 1 year"? For example, from today:
     -- Bare Mind: baremindsupport.com, 9620 S Las Vegas Blvd Suite E4 #1003; www.inygess.com, www.ropevalue.com
     -- Hook Advantage: hookadvcomp.com, 7181 N. Hualapai Way Suite 130 - 924; www.duspyramid.com, www.sulless.com, www.nomorsurte.com, www.izessheart.com
     -- Powerful Business: officepowerfullbusiness@gmail.com, 2540 S Maryland Pkwy, Unit #5024; shrinese.com, mitively.com, apyine.com
     -- Tech Everest: officetecheverest@gmail.com, 8635 W Sahara Ave, Unit #4036; catcapecar.com
     -- Cyclone Pure: cyclonepure.com, 8635 W Sahara Ave Unit #4016; www.dergydess.com
     -- Gaggle Nectar: gagglecontact.com, 6130 West Flamingo Road Unit #3001; www.stronsix.com
  3. It may be interesting to index the whois info on reply-to/links, to find multiple domains registered by a single company (or groups of companies...). I'm persistently seeing a lot of spam (10+ messages/day) that seems to be from a single source - some domains share registration info & the message text has patterns. The problem is, they use a nested structure: a disposable first layer, and a second layer for privacy. (Isn't that a Stephenson or Gibson idea, to have an AI set up & constantly modify the structure of deeply nested corporations for hiding/privacy/early-warning/deniability? - If someone calls you, you say -- I'm only a consultant for the board of Corporation 123...)
     -- The mail is sent from random(?) servers
     -- The text usually includes a postal address, and "This is an advertisement" (if their opt-out link worked, they would almost be CAN-SPAM compliant...)
     -- Links/images contain giant tracking IDs (88 characters)
     -- Domain of the link forwarders & ReplyTo address is random
     -- There is no website at the domain root (only 404)
     -- Is always registered to one of several PO boxes (in Nevada). Is it possible to just ask for a PO box owner's name (over the phone?), since it is being used for business purposes?
     -- Contact email is at another "parent" domain
     -- The parent domains have whois privacy turned on
     -- The parent domains host a dummy website - they are all identical (and non-functional), except for the name and background image
     -- The parent site is distributed: DNS, mail & webhost (possibly Cloudflare protected) are different providers and not directly linked to sending spam mail or links in the spam
     Some of the frontpage text (search shows 20-30 sites with this text): "Results driven digital advertising. Working with us guarantees the best pairing between our clients’ ads and advertising channels. Our easy match traffic solutions target user segments and preferences generating top campaigns for each offer we contract. We use innovative algorithms to provide the best match between our partner’s campaigns and our user base allowing us to funnel ads based solely on user interests and platform use."
     They advertise a lot of scummy looking websites that are likely just phishing for bank info - but also some less(?) scummy big names: Warby Parker, The Farmer's Dog, Audiobooks.com, Liberty Mutual, Quicken Loans, Harry's, Sono Bello.
     -- some parent domains: baremindsupport.com, lotusvisionllc.com, officewireconnection.com, shiftstickinfo.com
     -- some child domains: www.rubypucker.com, www.blownorra.com, www.mahearth.com, www.azulcapus.com, www.randommang.com, scornjoops.com, litherink.com, shakilyboy.com, nosearth.com
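The indexing idea in post 3 (child domains that share a whois contact domain or a PO box) and the business-to-domain listing in post 2, as an added example that is not the poster's or the forum's code: a small Python script that clusters link/reply-to domains by shared registrant fingerprints and flags the long tracking IDs the post describes. All domains, contact addresses and postal addresses in it are constructed placeholders, not the ones listed above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records (hypothetical domains and whois-style fields), one per
# link or reply-to domain pulled out of a spam message; none are real registrations.
RECORDS = [
    {"domain": "child-a.example", "contact": "office@parent-1.example",
     "address": "1200 Example Blvd, Unit #4016",
     "url": "https://child-a.example/go/" + "K7" * 44},  # 88-char tracking id
    {"domain": "child-b.example", "contact": "office@parent-1.example",
     "address": "9600 Sample Pkwy Suite E4 #1003",
     "url": "https://child-b.example/go/" + "Q3" * 44},
    {"domain": "child-c.example", "contact": "hello@parent-2.example",
     "address": "9600 sample pkwy suite e4 # 1003",   # same box, different formatting
     "url": "https://child-c.example/go/" + "Z9" * 44},
    {"domain": "unrelated.example", "contact": "admin@unrelated.example",
     "address": "1 Main St", "url": "https://unrelated.example/news?id=42"},
]

def has_long_tracking_id(url, min_len=64):
    """True if the path or query holds a single token of min_len+ chars (the 88-char ids)."""
    parsed = urlparse(url)
    tokens = re.findall(r"[A-Za-z0-9_-]+", parsed.path + " " + parsed.query)
    return any(len(tok) >= min_len for tok in tokens)

def normalize_address(addr):
    """Lower-case and strip punctuation/spacing so '#1003' and '# 1003' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.lower()).split())

def cluster_domains(records):
    """Union-find: domains sharing a contact domain or a postal address land in one cluster."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    by_key = defaultdict(list)
    for r in records:
        by_key[("contact", r["contact"].rsplit("@", 1)[-1].lower())].append(r["domain"])
        by_key[("address", normalize_address(r["address"]))].append(r["domain"])
    for members in by_key.values():
        for d in members[1:]:
            parent[find(d)] = find(members[0])
    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())
```

Calling `cluster_domains(RECORDS)` links child-a and child-b through the shared parent-1 contact and child-c through the shared postal address, leaving the unrelated domain in its own cluster; feeding it the reply-to and link domains from real messages (with whois fields filled in) gives the cross-domain index the post asks about.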