Jump to content

index multi-level spam domain structure


Recommended Posts

It may be interesting to index the whois info on reply-to/links, to find multiple domains registered by a single company (or groups of companies...)

I'm persistently seeing a lot of spam (10+ messages/day) that seems to be from a single source - some domains share registration info & the message text has patterns.

The problem is, they use a nested structure: a disposable first layer, and second layer for privacy.
(isn't that a Stephenson or Gibson idea, to have an AI setup & constantly modify the structure of deeply nested corporations for hiding/privacy/early-warning/deniability? - If someone calls you, you say -- I'm only a consultant for the board of Corporation 123...)

  • The mail is sent from random(?) servers
  • The text usually includes a postal address, and "This is an advertisement" (if their opt-out link worked, they would almost be can-spam compliant...)
  • Links/images contain giant tracking IDs (88 characters)
  • domain of the link forwarders & ReplyTo address is random
    • There is no website at the domain root (only 404)
    • Is always registered to one of several PO boxes (in Nevada)
      • Is it possible to just ask for a PO box owner's name (over the phone?), since it is being used for business purposes?
    • Contact email is at another "parent" domain
      • The parent domains have whois privacy turned on
      • The parent domains host a dummy website - they are all identical (and non-functional), except for the name and background image.
      • The parent site is distributed: DNS, mail & webhost (possibly Cloudflare protected) are different providers and not directly linked to sending spam mail or links in the spam
      • Some of the frontpage text: (search shows 20-30 sites with this text)
        Results driven digital advertising
        Working with us guarantees the best pairing between our clients’ ads and advertising channels. Our easy match traffic solutions target user segments and preferences generating top campaigns for each offer we contract. We use innovative algorithms to provide the best match between our partner’s campaigns and our user base allowing us to funnel ads based solely on user interests and platform use.
  • They advertise a lot of scummy looking websites that are likely just phishing for bank info - but also some less(?) scummy big names: Warby Parker, The Farmer's Dog, Audiobooks.com, Liberty Mutual, Quicken Loans, Harry's, Sono Bello

--some parent domains

--some child domains

Link to comment
Share on other sites

On 1/10/2022 at 5:52 PM, DDR said:

It may be interesting to index the whois info on reply-to/links, to find multiple domains registered by a single company (or groups of companies...)

Seem to be this one? a SpamCop track would give more info.

Link to comment
Share on other sites

  • 3 weeks later...

 I've tried contacting EuroDNS (the dns host for the parent domains), but those domains are (technically) not (directly) sending or linked to in the spam, so they won't do anything without "blatant proofs".

Any suggestions for what I should try to assemble as proof?


However, please know that EuroDNS SA is solely the domain name registrar for these domain names.
We are not the owner of these domain names and are not offering hosting or email services to them.
As a result, we have no means to investigate it and in any case could not suspend domain names without receiving blatant proofs of an illegal use of our services.

I've contacted the other domain registrar (namecheap) a few times with dozens of domain links from the spam -- they remove reported domains -- but they obviously haven't blocked the spammer from registering new domains with them.  The registrar may not be able to block the spammer, because they can infinitely spin up a new website/email and PO box and look like a new customer.

Other interesting things:

  • I've tried to alert several "advertised" business that look legit -- I've gotten one reply that said they would take action and demonetize those referrals.
  • These spam have all switched to mime encoding (was previously plain text, which was easier for me to extract links/domains) -- but SpamCop does decode and extract the links.
  • Some of these spam domains were registered 6 months ago.  Does Domain tasting always show up as will expire after 1 year?

For example: from today

--Bare Mind    baremindsupport.com    9620 S Las Vegas Blvd Suite E4 #1003
--Hook Advantage    hookadvcomp.com    7181 N. Hualapai Way Suite 130 - 924
--Powerful Business    officepowerfullbusiness@gmail.com    2540 S Maryland Pkwy, Unit #5024
--Tech Everest    officetecheverest@gmail.com    8635 W Sahara Ave, Unit #4036
--Cyclone Pure    cyclonepure.com    8635 W Sahara Ave Unit #4016
--Gaggle Nectar    gagglecontact.com    6130 West Flamingo Road Unit #3001


Link to comment
Share on other sites

  • 1 month later...
On 1/28/2022 at 7:37 PM, DDR said:

 I've tried contacting EuroDNS (the dns host for the parent domains), but those domains are (technically) not (directly) sending or linked to in the spam, so they won't do anything without "blatant proofs".

The problem with links in the body is that they can be added by a malicious spammer.  The only item that you can trust as coming from the spammer is the IP address they used to contact your border email server.  Everything else in the email could be intentionally added to damage a third party.

Link to comment
Share on other sites

  • 3 weeks later...

I'm not trying to close businesses, just spammers & their links.  Stopping the spam helps business to not be associated with spam against their knowledge.
Also, this is spam... I've only seen about 2-3 legitimate businesses (and lately, maybe 0) out of hundreds to thousands of spam messages (they repeat a lot). (unless we're counting spammers as pillars of industry: brokering the untapped potential of unpatched servers and a captive audience - building a market for premium mail filtering)

You have to assume it's all malicious - but I think spammers are less focused on link revenge and more on making money: maybe sliding in a few "legitimate" businesses to normalize their spam style / get paid for purchases through affiliate links, selling lists of live addresses, selling nonexistent products from layered babooshka businesses through a legitimate payment processor, phishing the banking details of the unwary... 

Alerting a hacked server is probably the best action -- delisting one DNS entry or getting one image/redirect closed do almost nothing, the spammer expects limited-use and has near-infinite options...
But buying all those domains (and hidden whois records) can't be cheap?
And if they impersonate a real business - real businesses have lawyers.

It seems that poking around inconvenienced my spammer for about a week.  They seem significantly less diversified now...  I've gotten replies that I've alerted a few servcies to intruders sending spam (It would be nice to get spam bounties...)
It looks like they've switched to: mostly sending from Russian servers, private whois records, mostly free image hosting and link redirectors (like imgur.com), unicode subject lines "Y𝕠𝕦'𝕣𝕖 A𝕡𝕡𝕣𝕠𝕧𝕖𝕕".  No more "This is an advertisement" text.

Sites are similar: random names, guid links for tracking and forwarding, basically (and sometimes literally) lorem-ipsum text.
eg. sleeveplot.com; responstvview.store; dreammediainfo.com; datalari.org.uk; mrliving.org.uk

Link to comment
Share on other sites

On 3/19/2022 at 12:38 PM, DDR said:

Alerting a hacked server is probably the best action

I have found a few hacked cameras and routers.  And sometimes the business doesn't believe the spam came from their camera.  Once the find it and fix it, it is better for us all.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...