
index multi-level spam domain structure


DDR

It may be interesting to index the whois info on reply-to/links, to find multiple domains registered by a single company (or groups of companies...)

I'm persistently seeing a lot of spam (10+ messages/day) that seems to be from a single source - some domains share registration info & the message text has patterns.

The problem is, they use a nested structure: a disposable first layer, and second layer for privacy.
(isn't that a Stephenson or Gibson idea, to have an AI set up & constantly modify the structure of deeply nested corporations for hiding/privacy/early-warning/deniability? - If someone calls you, you say -- I'm only a consultant for the board of Corporation 123...)

  • The mail is sent from random(?) servers
  • The text usually includes a postal address, and "This is an advertisement" (if their opt-out link worked, they would almost be can-spam compliant...)
  • Links/images contain giant tracking IDs (88 characters)
  • The domain of the link forwarders & Reply-To address is random
    • There is no website at the domain root (only 404)
    • Is always registered to one of several PO boxes (in Nevada)
      • Is it possible to just ask for a PO box owner's name (over the phone?), since it is being used for business purposes?
    • Contact email is at another "parent" domain
      • The parent domains have whois privacy turned on
      • The parent domains host a dummy website - they are all identical (and non-functional), except for the name and background image.
      • The parent site is distributed: DNS, mail & web host (possibly Cloudflare protected) are different providers and not directly linked to sending spam mail or links in the spam
      • Some of the frontpage text: (search shows 20-30 sites with this text)
        Results driven digital advertising
        Working with us guarantees the best pairing between our clients’ ads and advertising channels. Our easy match traffic solutions target user segments and preferences generating top campaigns for each offer we contract. We use innovative algorithms to provide the best match between our partner’s campaigns and our user base allowing us to funnel ads based solely on user interests and platform use.
  • They advertise a lot of scummy looking websites that are likely just phishing for bank info - but also some less(?) scummy big names: Warby Parker, The Farmer's Dog, Audiobooks.com, Liberty Mutual, Quicken Loans, Harry's, Sono Bello

--some parent domains
baremindsupport.com
lotusvisionllc.com
officewireconnection.com
shiftstickinfo.com

--some child domains
www.rubypucker.com
www.blownorra.com
www.mahearth.com
www.azulcapus.com
www.randommang.com
scornjoops.com
litherink.com
shakilyboy.com
nosearth.com

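The indexing idea in the post above (take the Reply-To domain and the link domains out of each message, attach the WHOIS fields to each domain, then group domains that share a registrant postal address or a contact-email domain) can be scripted. The block below is an added example written for this page, not code from the post's author or from SpamCop. Every message, domain and WHOIS record in it is constructed for the demo: the .example/.test domains, PO boxes and contact addresses are not real registrations, and the WHOIS table stands in for whatever you would actually query.

```python
"""Cluster spam-linked domains by shared WHOIS registration details.

Added example, not code from the original forum post. Messages, domains
and the WHOIS table are all constructed; nothing here is a real record.
"""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Hostnames inside http(s) links in a message body.
LINK_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)
# A path segment of 64+ URL-safe chars, i.e. the giant tracking IDs the
# post describes (88 characters in the observed spam).
TRACKING_RE = re.compile(r"/[A-Za-z0-9_-]{64,}\b")

TRACK = "a" * 88  # constructed 88-character tracking ID

# Constructed raw messages. Four use disposable "child" domains; the last
# is a normal newsletter with no WHOIS record in our table.
RAW_MESSAGES = [
    "From: offers@relay-17.test\nReply-To: sales@rubyfoo.example\n"
    "Subject: Your quote\nContent-Type: text/plain\n\n"
    "Click http://www.rubyfoo.example/r/" + TRACK + "\n"
    "This is an advertisement. PO Box 1001, Las Vegas NV\n",
    "From: promo@relay-3.test\nReply-To: info@blowbar.example\n"
    "Subject: Save today\nContent-Type: text/plain\n\n"
    "Offer: https://blowbar.example/go/" + TRACK + "\n"
    "This is an advertisement. PO Box 1001, Las Vegas NV\n",
    "From: news@relay-9.test\nReply-To: help@mahbaz.example\n"
    "Subject: Approved\nContent-Type: text/plain\n\n"
    "See http://www.mahbaz.example/t/" + TRACK + "\n"
    "This is an advertisement. PO Box 2002, Reno NV\n",
    "From: deals@relay-5.test\nReply-To: deals@azulqux.example\n"
    "Subject: Last chance\nContent-Type: text/plain\n\n"
    "Go to http://www.azulqux.example/c/" + TRACK + "\n"
    "This is an advertisement. PO Box 3003, Henderson NV\n",
    "From: newsletter@shop.test\nReply-To: newsletter@shop.test\n"
    "Subject: Weekly news\nContent-Type: text/plain\n\n"
    "New items: https://shop.test/products\n",
]

# Constructed WHOIS records: registrant postal address and contact email.
# The contact-email domain is the "parent" layer from the post.
WHOIS = {
    "rubyfoo.example": {"registrant_address": "PO Box 1001, Las Vegas, NV",
                        "contact_email": "admin@parentone.example"},
    "blowbar.example": {"registrant_address": "PO Box 1001, Las Vegas, NV",
                        "contact_email": "admin@parentone.example"},
    "mahbaz.example":  {"registrant_address": "PO Box 2002, Reno, NV",
                        "contact_email": "admin@parentone.example"},
    "azulqux.example": {"registrant_address": "PO Box 3003, Henderson, NV",
                        "contact_email": "admin@parenttwo.example"},
}


def normalise(host):
    """Lowercase, drop port and trailing dot, strip a leading 'www.'."""
    host = host.lower().split(":")[0].rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _body(raw):
    msg = message_from_string(raw)
    return msg, msg.get_payload(decode=True).decode("utf-8", "replace")


def extract_domains(raw):
    """Reply-To domain plus every link hostname in one message."""
    msg, body = _body(raw)
    found = set()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to:
        found.add(normalise(reply_to.rsplit("@", 1)[1]))
    for host in LINK_RE.findall(body):
        found.add(normalise(host))
    return found


def has_tracking_id(raw):
    """True if any link path carries an oversized tracking token."""
    return TRACKING_RE.search(_body(raw)[1]) is not None


def all_domains(raw_messages):
    return set().union(*(extract_domains(r) for r in raw_messages))


def parent_domains(domains, whois):
    """Contact-email domains of the child domains we know WHOIS for."""
    return {whois[d]["contact_email"].rsplit("@", 1)[1]
            for d in domains if d in whois}


def cluster_domains(domains, whois):
    """Union-find over domains: two domains join the same cluster when
    they share a registrant address OR a contact-email domain. Domains
    with no WHOIS record stay as singletons."""
    parent = {d: d for d in domains}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for d in domains:
        rec = whois.get(d)
        if rec is None:
            continue
        by_key[("address", rec["registrant_address"])].append(d)
        by_key[("contact", rec["contact_email"].rsplit("@", 1)[1])].append(d)
    for members in by_key.values():
        for other in members[1:]:
            ra, rb = find(members[0]), find(other)
            if ra != rb:
                parent[ra] = rb
    clusters = defaultdict(set)
    for d in domains:
        clusters[find(d)].add(d)
    return [frozenset(c) for c in clusters.values()]


if __name__ == "__main__":
    doms = all_domains(RAW_MESSAGES)
    for group in cluster_domains(doms, WHOIS):
        print(sorted(group), "->", sorted(parent_domains(group, WHOIS)))
```

Sharing either attribute is enough to merge two domains, which is what links the Reno PO box to the Las Vegas one here: they differ on address but share the parent contact domain. With real WHOIS output the registrant address is often redacted for the parent layer, so the child-domain contact email is the field that usually carries the join.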

On 1/10/2022 at 5:52 PM, DDR said:

It may be interesting to index the whois info on reply-to/links, to find multiple domains registered by a single company (or groups of companies...)

Seems to be this one? A SpamCop track would give more info.
http://www.EuroDNS.com
legalservices[AT]eurodns[DOT]com

