Is powercomm.com a spammer domain?

[MyNameHere]

I don't know if you've seen these, but for several months I've been getting sales pitches for fake watches. The distinguishing feature is they usually don't have a direct link to the spamvertized website--instead, there is an image with the URL the user can type into the browser.

Initially to see what would happen, I started parsing those URLs and reporting them along with the spam, but what I've noticed is that the various URLs always show security [at] powercomm.com as the reporting address. I've never before run into a spammer that always uses the same host. Usually, the spamvertized sites are scattered all over the place, and the reporting addresses vary widely.

So does that mean this spammer is hosting its own websites? If so, reporting to powercomm would be a real waste.

Looking it up on Google, powercomm.com kind of looks like an LG (electronics company) domain, but I really don't think it is.

I tried parsing www.powercomm.com and got a series of reporting addresses that looked familiar, including bora.net and kisa.or.kr. Would it be meaningful to report powercomm to those addresses as a persistent host of spamvertized sites?

???

[SpamCopAdmin]

>- I started parsing those URLs and reporting them along with the spam

Argh! Not cool!

We can't add anything to the spam for SpamCop to "find" and report.

If the URL is only contained in an image (which SpamCop can't read) we can't do anything about it. We can't type it into the spam so the parse can see it.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

[turetzsr]

Hi, Don,

...Aren't we allowed to do that to prepare a manual report, then cancel the parse so that SpamCop does not send the complaint? If not: uh-oh, I'm sorry! <g>

[MyNameHere]

Hey, guys, I'm not modifying the spam. I just open another reporting window and type the URL in there and parse it. Then I add the reporting address to the original spam report where it indicates "User notification" and I explain it in the "Additional notes" text box. I usually type "This unsolicited email referred to URL _____ in an image."

[Farelf]

In my understanding that is all okay (certainly would appreciate any advice to the contrary). But perhaps another approach, with some potential leverage, might be to open an account with URIBL and request listing. I have no idea about their "quality control"/assurance and dispute resolution but they've been around a long while and always looked pretty competent to me. SURBL actually takes some feed from SpamCop (resolved URIs) but I'm not aware of any way to "manually" report to it.

I don't think image spam is all that effective in terms of return on effort for the spammer/client but it certainly persists so must be worth tackling for those with the inclination.

[petzl]

Hey, guys, I'm not modifying the spam. I just open another reporting window and type the URL in there and parse it. Then I add the reporting address to the original spam report where it indicates "User notification" and I explain it in the "Additional notes" text box. I usually type "This unsolicited email referred to URL _____ in an image."

I think what you do is excellent as long as original spam is not modified (which it's not)

I too add in "notes" if IP is an attack site with links to CBL for proof

[MyNameHere]

I wonder if anyone has any thoughts on the original question: whether powercomm.com is itself a spammer domain and sending reports to it is essentially reporting the spammers to themselves?

Thanks!

[Farelf]

Not seeing the URIs that have security [at] powercomm.com as the reporting address but abuse[at]bora.net and (if a compromise is suspected) security[at]bora.net certainly represent the "upstream" for powercomm.com and, to the extent that bora.net is responsive, adding appropriate reports to those might be productive (some doubts expressed in these pages about that in the past I think - search the forum for detail/opinion).

The registrar is MEGAZONE CORP. (hosting.kr), registrant lguplus.co.kr and the registrar at least is another avenue for complaint if the domain is involved in illicit activity. Anyway, I think it is terribly unfair to label huge providers like bora.net (or powercomm.com for that matter) as "spammers" when/if a small part of their capacity is abused by such misbegotten miscreants but can't argue with the POV that is the way they present to our little corner of concern. And "Life's unfair," to paraphrase LG.

Actually, talking about URIs/domains and their address IPs, it is hard to know what percentage of the total are spammy. Maybe there's the equivalent of SC's e-mail "Browseable map of IPv4 netspace" for web hosting somewhere but I don't know of it. Doesn't really matter - spam is spam, whether a fleck of faecency on the hem of the internet or a blessed great blob of it on the bodice.

I had a look at robtex, also centralops.net's DomainDossier for powercomm.com and my brain hurts. There are at least 116 domains (and presumably associated URIs) "sharing" 210.124.165.161 with/through that domain. I have no idea of their reputations off-hand - looking up web reputations for powercomm.com might be a starting point, most seem to be directly related to powercomm.com. But I don't think any of those will be the ones you are seeing (report routing to bora.net, not powercomm.com). So, after some examination and much thought, I really don't know the straight answer to your question. You really should offer up some of those URIs that you are seeing (but NO LIVE LINKS, thanks).

[MyNameHere]

I can post a couple of recent web addresses that have come up with these spam messages:

www.smoothersecond.com, www.trulytime.com

[Farelf]

Well, that is bizarre - different registrars (in different, somewhat desperate places, the Ukraine and Indonesia), same nameservers (Russian), different alleged registrants (in different, somewhat desperate places, the USA and Fiji). We know registration details can be problematical - so follow the money and one wouldn't like the chances of extracting dues for domain registration - nameservice from either registrant. Neither domain currently supporting services. BUT, same network record (112.145.157.70 - allocated LG Powercomm and presumably paying any bills for network allocation at least).

Robtex has more information - https://ip.robtex.com/112.145.157.70.html showing "at least" 14 domains on that same IP address (and of course there might be other IP addresses within the same allocation). Either powecomm is a spammer or their resources are being abused. Either way, there doesn't seem much point in further reporting to them IMO - if they're being abused/have been compromised then it is up to them to do something about it. You've already given them a "heads up" and they are better able than you or I to do the research on the scope, methodology and recovery from such a (supposed) incursion, having access to the same tools and much more besides, if they have the will.

Just my opinion, there may be other interpretations.

[Farelf]

FWIW I'e started getting a light dusting of spam with websites in the same range (though not in image form) and uncheck security [at] powercomm.com reporting on the basis of what we've discussed here (but added abuse [at] bora.net and security [at] bora.net in this case):

http://www.spamcop.net/sc?id=z5620127093z1...4d830cdbe7a169z

Another domain hosted at 112.145.157.70. There is no evidence (AFAICT) that bora.net has, now or ever, anything to do with that netblock allocation so the alternative report addressing is probably futile (or worse) in retrospect - only person/role addresses seen in the records are powercomm.com and lguplus.co.kr (the same), then there are the change addresses (presumably reflecting just the clerical function) for apnic.net, nic.or.kr and nida.or.kr. Guess I will stop all reporting on those spamvertized websites if it persists. Complainterator is probably a better tool than SC to use for those.