
Spammers using web "middleman" URLs (tb42trk.com)


jprogram


Since April 20, 2020, spammers are now using some kind of web middleware to redirect one URL to a "middleman" URL to reach the destination URL. This trickery is bypassing the e-mail provider's spam filter.

Here are those "middleman" URLs:

  • tb42trk.com
  • bx55trk.com
  • ks20trk.com
  • mrm30trk.com
  • ds62trk.com

Apparently, those are all owned by Google. So how do they work and what are those sites called?


8 hours ago, jprogram said:

Apparently, those are all owned by Google. So how do they work and what are those sites called?

The redirection is immediately stopped if a Gmail user reports the spam as phishing; it just requires a click to do this.
Saving a redirection to Google Cloud can be done by anyone with a Gmail account, which is free.
A SpamCop tracking URL is always more helpful.
SpamCop will report it to Google, but I am not sure how quickly Google reacts to reports.

Edited by petzl

6 hours ago, jprogram said:

Apparently, those are all owned by Google. So how do they work and what are those sites called?

I believe they are called URL shorteners. How they work is that a person can type/paste a URL into the shortener's site and get a shortened link. Visiting the shortened link returns a 302 or a 301 redirect and your browser will be redirected directly to the longer URL. During the redirect, the shortener tracks the usage. Shorteners were started because links (such as forum posts) can be quite long.

http://forum.spamcop.net/topic/11594-my-url-shortener-website-is-spamvertised-what-to-do/

http://forum.spamcop.net/topic/10541-resolve-redirections-of-url-shrinking-url-redirection-services/


I'll use this spam as an example...
https://www.spamcop.net/sc?id=z6642853265z193d6fb05ee9b701404ec2d508af48b0z

If you use the domain name and add either a "www", "ww1", or "web" prefix -- the directory names don't matter, they'll redirect you the same way.

Here is the chain of redirects (blocking out some details)
http://www.uhcphysicianfinder.com/main.html/z9zIiTTp
https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=*****
https://youmeasurewellness.com/?__ef_tid=442cc3002bca40b3871fef7afecd72d4&oid=4&affid=5

In this case, ks20trk.com was used. It really does not look like a URL shortener -- not saying it's not per se.

Who do I go after from the chain? All of them? DNS servers too?

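The redirect chain quoted above is exactly what a hop-by-hop resolver produces when redirects are *not* followed automatically: each Location header is recorded, relative and scheme-relative targets are resolved against the current URL, and a loop or hop cap stops the walk. This is an added example (not code from the thread or from SpamCop); `FAKE_RESPONSES` is a constructed stand-in for live fetches, modelled on the three hops in the post with the tracking parameters blanked, and a real run would swap in an HTTP client with redirects disabled.

```python
import urllib.parse

# Constructed hop table standing in for HTTP fetches issued with redirects disabled.
# Hosts follow the chain quoted in the thread; tracking parameters are blanked/dropped.
FAKE_RESPONSES = {
    "http://www.uhcphysicianfinder.com/main.html/z9zIiTTp":
        (302, {"Location": "https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=*****"}),
    "https://www.ks20trk.com/7BZ2W/6JHXF/?sub1=*****":
        (301, {"Location": "//youmeasurewellness.com/?oid=4&affid=5"}),  # scheme-relative
    "https://youmeasurewellness.com/?oid=4&affid=5": (200, {}),
    # Constructed two-node loop (hypothetical hosts) to exercise the loop guard.
    "http://loop-a.example/": (302, {"Location": "/b"}),
    "http://loop-a.example/b": (302, {"Location": "/"}),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}

def fetch_head(url):
    """Stand-in for a HEAD/GET with redirects disabled; unknown URLs answer 404."""
    return FAKE_RESPONSES.get(url, (404, {}))

def resolve_chain(start_url, fetch=fetch_head, max_hops=10):
    """Follow Location headers one hop at a time, recording every URL visited.
    Returns (hops, status); status is 'final', 'loop', 'no_location' or 'too_many_hops'."""
    hops, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        code, headers = fetch(url)
        if code not in REDIRECT_CODES:
            return hops, "final"          # landed on content (or an error page)
        location = headers.get("Location")
        if not location:
            return hops, "no_location"    # redirect status without a target
        # Location may be relative or scheme-relative: resolve against current URL.
        url = urllib.parse.urljoin(url, location)
        hops.append(url)
        if url in seen:
            return hops, "loop"
        seen.add(url)
    return hops, "too_many_hops"

def hosts_in_chain(hops):
    """Distinct hostnames touched, in order: one abuse contact to look up per host."""
    out = []
    for h in hops:
        host = urllib.parse.urlsplit(h).hostname
        if host and host not in out:
            out.append(host)
    return out

if __name__ == "__main__":
    hops, status = resolve_chain("http://www.uhcphysicianfinder.com/main.html/z9zIiTTp")
    for i, h in enumerate(hops):
        print(i, h)
    print(status, hosts_in_chain(hops))
```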

2 hours ago, jprogram said:

Who do I go after from the chain? All of them? DNS servers too?

Looks like OVH are dead at the wheel in handling abuse. You might try their website
https://www.ovh.com/world/abuse/
and put in the notes something like
Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS
The site I was redirected to is listed as malicious:
https://www.virustotal.com/gui/url/2bbb53811e2da7a35cd8dc638edd7e454176d41684005599247f4459df39a497/detection

Edited by petzl

3 hours ago, jprogram said:

That URL is one of many. You can see the list here...

https://urlscan.io/ip/45.55.121.131

Not all of those sites are marked malicious. Maybe the one for youmeasurewellness is a false negative?

Initially I would try to get OVH to act; could be spam blackmailing innocent websites?
They did have a PayPal link which seemed legit.


8 hours ago, petzl said:

Initially I would try to get OVH to act

OVH makes up about half of the website links in the message.

I certainly have tons of work on reporting to the following:

#1. e-mail server; #2. web server (based on e-mail's domain name); #3. Google (**trk.com); #4. DigitalOcean (end-of-the-redirect-chain website); #5. Whoever is hosting bogus unsubscribe forms.... Then you got the DNS providers for each server.


7 hours ago, jprogram said:

OVH makes up about half of the website links in the message.

I certainly have tons of work on reporting to the following:

#1. e-mail server; #2. web server (based on e-mail's domain name); #3. Google (**trk.com); #4. DigitalOcean (end-of-the-redirect-chain website); #5. Whoever is hosting bogus unsubscribe forms.... Then you got the DNS providers for each server.

Don't do them all, just a few to the website, the rest via SpamCop.
For handling abuse, try their website
https://www.ovh.com/world/abuse/
put in notes something like
Criminal phishing, bogus reply address, bogus unsubscribe (NEVER subscribed), DDoS

In Windows, to find the registrar of a website I use this freeware program
http://www.gena01.com/win32whois/

http://www.uhcphysicianfinder.com/main.html/z9zIiTTp
65.181.123.252
  support[AT]dedicatednow[DOT]com
Registrar Abuse Contact Email:  mailto:abuse[AT]nameking[DOT]com

Edited by petzl