jprogram Posted July 20, 2020

Since April 20, 2020, spammers are now using some kind of web middleware to redirect one URL to a "middleman" URL to reach the destination URL. This trickery is bypassing the e-mail provider's spam filter. Here are those "middleman" URLs:
tb42trk.com
bx55trk.com
ks20trk.com
mrm30trk.com
ds62trk.com
Apparently, those are all owned by Google. So how do they work and what are those sites called?
petzl Posted July 20, 2020 (edited)

8 hours ago, jprogram said:
Apparently, those are all owned by Google. So how do they work and what are those sites called?

The redirection is immediately stopped if a Gmail user reports the spam as phishing; it just requires a click to do this. Saving a redirection to Google Cloud can be done by anyone with a Gmail account, which is free. A SpamCop tracking URL is always more helpful; SpamCop will report it to Google, but I'm not sure how quickly Google reacts to reports?

Edited July 21, 2020 by petzl
gnarlymarley Posted July 20, 2020

6 hours ago, jprogram said:
Apparently, those are all owned by Google. So how do they work and what are those sites called?

I believe they are called URL shorteners. How they work is that a person can type/paste a URL into the shortener's site and get a shortened link. Visiting the shortened link passes a 302 or a 301 redirect and your browser will be redirected directly to the longer URL. During the redirect, the shortener tracks the usage. Shorteners were started because links (such as forum posts) can be quite long.
http://forum.spamcop.net/topic/11594-my-url-shortener-website-is-spamvertised-what-to-do/
http://forum.spamcop.net/topic/10541-resolve-redirections-of-url-shrinking-url-redirection-services/
jprogram Posted July 21, 2020 (Author)

I'll use this spam as an example...
https://www.spamcop.net/sc?id=z6642853265z193d6fb05ee9b701404ec2d508af48b0z
If you use the domain name and add either "www", "ww1", or "web" prefixes -- the directory names don't matter, they'll redirect you the same way.
Here is the chain of redirects (blocking out some details):
http://www.uhcphysicianfinder.com/main.html/z9zIiTTp
https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=*****
https://youmeasurewellness.com/?__ef_tid=442cc3002bca40b3871fef7afecd72d4&oid=4&affid=5
In this case, ks20trk.com was used. It really does not look like a URL shortener -- not saying it's not per se. Who do I go after from the chain? All of them? DNS servers too?
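Added example (editor's code, not posted by anyone in this thread): the 301/302 mechanics gnarlymarley describes and the "which hosts in the chain do I report" question above can both be answered by resolving the chain one hop at a time instead of letting a browser follow it. The script below requests each URL once, reads the status and Location header, stops on the first non-redirect, on a loop or after a hop limit, and lists the distinct hostnames so each party (redirector, tracker, landing page) can be reported separately. So that it runs offline, it stands up a constructed mock chain on 127.0.0.1 (302 -> 301 -> 200, loosely shaped like the posted chain); no real host from the thread is contacted, and the function names are my own.

```python
"""Resolve a redirect chain hop by hop without letting a browser follow it,
so every intermediate host can be identified for an abuse report."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # hard stop so a misbehaving redirector cannot keep us spinning


def fetch_once(url, timeout=5):
    """Request URL exactly once, never following redirects.
    Returns (status, absolute_location) for a 3xx, or (status, None) otherwise."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        # GET rather than HEAD: tracking redirectors often answer HEAD differently.
        conn.request("GET", path, headers={"User-Agent": "redirect-chain-resolver"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return resp.status, urljoin(url, location)  # Location may be relative
        return resp.status, None
    finally:
        conn.close()


def follow_chain(start_url, max_hops=MAX_HOPS):
    """Return [(url, status), ...] for each hop; a repeated URL is recorded as 'loop'."""
    hops, seen, url = [], set(), start_url
    while len(hops) < max_hops:
        if url in seen:
            hops.append((url, "loop"))
            break
        seen.add(url)
        status, location = fetch_once(url)
        hops.append((url, status))
        if location is None:
            break
        url = location
    return hops


def hosts_in_chain(hops):
    """Distinct hostnames in order of first appearance: one abuse report each."""
    hosts = []
    for url, _status in hops:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# ---- constructed mock chain for offline demonstration (not a real spam chain) ----
class _MockRedirector(BaseHTTPRequestHandler):
    """302 -> 301 -> 200, mimicking 'spamvertised site -> tracker -> landing page'."""

    def do_GET(self):
        port = self.server.server_address[1]
        if self.path == "/main.html":
            self._redirect(302, "/track/7BZ2W/?sub1=x")  # relative Location header
        elif self.path.startswith("/track/"):
            self._redirect(301, f"http://127.0.0.1:{port}/landing?oid=4")
        elif self.path == "/loop":
            self._redirect(302, "/loop")  # self-referencing loop
        else:
            body = b"landing page"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def _redirect(self, code, location):
        self.send_response(code)
        self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), _MockRedirector)  # port 0 = ephemeral
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Resolve the mock chain and the mock loop; returns both hop lists."""
    server, base = start_mock_server()
    try:
        return follow_chain(base + "/main.html"), follow_chain(base + "/loop")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    chain, loop = demo()
    for url, status in chain:
        print(status, url)
    print("hosts to report:", hosts_in_chain(chain))
    print("loop stopped after", len(loop), "hops")
```

Against a real chain you would call follow_chain on the spamvertised URL and report each hostname from hosts_in_chain to its own abuse contact; the resolver deliberately never renders or executes anything, only reads response headers.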
petzl Posted July 22, 2020 (edited)

2 hours ago, jprogram said:
Who do I go after from the chain? All of them? DNS servers too?

Looks like OVH are dead at the wheel in handling abuse. Might try their website:
https://www.ovh.com/world/abuse/
Put in notes something like: Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS
The site I was redirected to is listed as malicious:
https://www.virustotal.com/gui/url/2bbb53811e2da7a35cd8dc638edd7e454176d41684005599247f4459df39a497/detection

Edited July 22, 2020 by petzl
jprogram Posted July 22, 2020 (Author)

2 hours ago, petzl said:
The site I was redirected to is listed as malicious

That URL is one of many. You can see the list here...
https://urlscan.io/ip/45.55.121.131
Not all of those sites are marked malicious. Maybe the one for youmeasurewellness is a false negative?
petzl Posted July 22, 2020

3 hours ago, jprogram said:
That URL is one of many. You can see the list here... https://urlscan.io/ip/45.55.121.131 Not all of those sites are marked malicious. Maybe the one for youmeasurewellness is a false negative?

Initially I would try to get OVH to act; could be spam blackmailing innocent websites? They did have a PayPal link which seemed legit.
jprogram Posted July 22, 2020 (Author)

8 hours ago, petzl said:
Initially I would try to get OVH to act

OVH makes up about half of the website links in the message. I certainly have tons of work on reporting to the following:
#1. e-mail server;
#2. web server (based on e-mail's domain name);
#3. Google (**trk.com);
#4. DigitalOcean (end-of-the-redirect-chain website);
#5. Whoever is hosting bogus unsubscribe forms....
Then you've got the DNS providers for each server.
petzl Posted July 22, 2020 (edited)

7 hours ago, jprogram said:
OVH makes up about half of the website links in the message. I certainly have tons of work on reporting to the following: #1. e-mail server; #2. web server (based on e-mail's domain name); #3. Google (**trk.com); #4. DigitalOcean (end-of-the-redirect-chain website); #5. Whoever is hosting bogus unsubscribe forms.... Then you've got the DNS providers for each server.

Don't do them all, just a few to the website; the rest via SpamCop. For handling abuse, try their website:
https://www.ovh.com/world/abuse/
Put in notes something like: Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS
In Windows, to find the registrar of a website I use this freeware program:
http://www.gena01.com/win32whois/
http://www.uhcphysicianfinder.com/main.html/z9zIiTTp
65.181.123.252
support[AT]dedicatednow[DOT]com
Registrar Abuse Contact Email: mailto:abuse[AT]nameking[DOT]com

Edited July 22, 2020 by petzl
jprogram Posted July 24, 2020 (Author)

On 7/21/2020 at 8:29 PM, petzl said:
Looks like OVH are dead at the wheel in handling abuse. Might try their website: https://www.ovh.com/world/abuse/

Does OVH own other servers? Example: velia.net
How can I tell if they run under OVH?
petzl Posted July 24, 2020

5 hours ago, jprogram said:
Does OVH own other servers? Example: velia.net How can I tell if they run under OVH?

Look at the abuse address. Windows freeware Whois program below:
http://www.nirsoft.net/utils/ipnetinfo.html