DDR Posted January 10, 2022

It may be interesting to index the whois info on reply-to/links, to find multiple domains registered by a single company (or groups of companies...)

I'm persistently seeing a lot of spam (10+ messages/day) that seems to be from a single source - some domains share registration info & the message text has patterns. The problem is, they use a nested structure: a disposable first layer, and a second layer for privacy. (Isn't that a Stephenson or Gibson idea, to have an AI set up & constantly modify the structure of deeply nested corporations for hiding/privacy/early-warning/deniability? - If someone calls you, you say -- I'm only a consultant for the board of Corporation 123...)

- The mail is sent from random(?) servers
- The text usually includes a postal address, and "This is an advertisement" (if their opt-out link worked, they would almost be CAN-SPAM compliant...)
- Links/images contain giant tracking IDs (88 characters)
- The domain of the link forwarders & ReplyTo address is random
  - There is no website at the domain root (only 404)
  - It is always registered to one of several PO boxes (in Nevada). Is it possible to just ask for a PO box owner's name (over the phone?), since it is being used for business purposes?
  - The contact email is at another "parent" domain
- The parent domains have whois privacy turned on
- The parent domains host a dummy website - they are all identical (and non-functional), except for the name and background image.
- The parent site is distributed: DNS, mail & webhost (possibly Cloudflare protected) are different providers and not directly linked to sending spam mail or links in the spam

Some of the frontpage text: (search shows 20-30 sites with this text)

"Results driven digital advertising. Working with us guarantees the best pairing between our clients’ ads and advertising channels. Our easy match traffic solutions target user segments and preferences generating top campaigns for each offer we contract. We use innovative algorithms to provide the best match between our partner’s campaigns and our user base allowing us to funnel ads based solely on user interests and platform use."

They advertise a lot of scummy looking websites that are likely just phishing for bank info - but also some less(?) scummy big names: Warby Parker, The Farmer's Dog, Audiobooks.com, Liberty Mutual, Quicken Loans, Harry's, Sono Bello

--some parent domains
baremindsupport.com
lotusvisionllc.com
officewireconnection.com
shiftstickinfo.com

--some child domains
www.rubypucker.com
www.blownorra.com
www.mahearth.com
www.azulcapus.com
www.randommang.com
scornjoops.com
litherink.com
shakilyboy.com
nosearth.com
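A concrete version of the indexing idea in the post above, as an added example that is not the poster's code or any tool the post mentions: it pulls the Reply-To and link domains out of a few constructed messages, looks each one up in a constructed whois table (the hypothetical lookup_whois() stands in for a real RDAP/whois client), and groups the domains by registrant postal address and by the domain of the registrant contact e-mail, i.e. the "parent" domain the post describes. It also picks out the very long path tokens the post calls tracking IDs. Every domain uses the reserved .invalid TLD and every whois record is made up, so nothing here refers to a real registrant.

```python
"""Index spam reply-to and link domains by shared whois registration data.

Added example, not code from the forum post. The messages and the whois
records are constructed so the script runs offline; lookup_whois() is a
hypothetical stand-in for a real RDAP/whois client with caching.
"""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_ATTR = re.compile(r'(?:href|src)="([^"]+)"')

# Constructed sample messages (not real spam). The 88-character runs stand in
# for the per-recipient tracking tokens seen in the links and images.
SAMPLE_MESSAGES = [
    "Reply-To: info@childone.invalid\nSubject: Offer 1\n\n"
    + '<a href="http://www.childtwo.invalid/r/' + "A" * 88 + '">Save now</a>\n'
    + '<img src="http://www.childtwo.invalid/i/' + "B" * 88 + '.gif">\n'
    + "PO Box 1111, Reno, NV. This is an advertisement.\n",
    "Reply-To: hello@childthree.invalid\nSubject: Offer 2\n\n"
    + '<a href="http://childfour.invalid/r/' + "C" * 88 + '">Open</a>\n'
    + "PO Box 2222, Las Vegas, NV. This is an advertisement.\n",
    "Reply-To: news@unrelated.invalid\nSubject: Newsletter\n\n"
    + '<a href="https://unrelated.invalid/blog">Read</a>\n',
]

# Constructed whois records keyed by registrable domain (made-up data).
FAKE_WHOIS = {
    "childone.invalid": {"address": "PO Box 1111, Reno, NV", "email": "admin@parentalpha.invalid"},
    "childtwo.invalid": {"address": "PO Box 1111, Reno, NV", "email": "admin@parentalpha.invalid"},
    "childthree.invalid": {"address": "PO Box 2222, Las Vegas, NV", "email": "ops@parentalpha.invalid"},
    "childfour.invalid": {"address": "PO Box 2222, Las Vegas, NV", "email": "ops@parentbeta.invalid"},
    "unrelated.invalid": {"address": "REDACTED FOR PRIVACY", "email": "REDACTED FOR PRIVACY"},
}


def registrable_domain(host):
    """Collapse www./tracking labels to the last two labels. Enough for the
    constructed data; real TLDs need a public-suffix list (e.g. co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _urls(raw):
    """Yield every href/src URL in a (non-multipart) message body."""
    return URL_ATTR.findall(message_from_string(raw).get_payload())


def extract_domains(raw):
    """Registrable domains from the Reply-To address plus all href/src URLs."""
    msg = message_from_string(raw)
    found = set()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to:
        found.add(registrable_domain(reply_to.split("@", 1)[1]))
    for url in _urls(raw):
        host = urlparse(url).hostname
        if host:
            found.add(registrable_domain(host))
    return found


def tracking_ids(raw, min_len=64):
    """Path segments long enough to be per-recipient tracking tokens."""
    ids = []
    for url in _urls(raw):
        for seg in urlparse(url).path.split("/"):
            seg = seg.split(".")[0]  # drop an image extension such as .gif
            if len(seg) >= min_len:
                ids.append(seg)
    return ids


def lookup_whois(domain):
    """Hypothetical whois client; here it only reads the constructed table."""
    return FAKE_WHOIS.get(domain, {"address": "", "email": ""})


def cluster_by_registration(messages):
    """Group child domains by registrant address and by the registrant
    contact e-mail's domain (the 'parent'). Privacy-redacted records are
    skipped, since they would all fall into one meaningless bucket."""
    by_address, by_parent = defaultdict(set), defaultdict(set)
    for raw in messages:
        for domain in extract_domains(raw):
            rec = lookup_whois(domain)
            if "REDACTED" in rec["address"].upper() or "@" not in rec["email"]:
                continue
            by_address[rec["address"]].add(domain)
            by_parent[registrable_domain(rec["email"].split("@", 1)[1])].add(domain)
    return by_address, by_parent


if __name__ == "__main__":
    addr, parent = cluster_by_registration(SAMPLE_MESSAGES)
    for key, doms in parent.items():
        print(f"parent {key}: {sorted(doms)}")
    for key, doms in addr.items():
        print(f"address {key}: {sorted(doms)}")
    for raw in SAMPLE_MESSAGES:
        print("tracking ids:", [t[:8] + "..." for t in tracking_ids(raw)])
```

With the constructed data the two PO boxes look unrelated on their own, but the contact e-mail domain ties childone, childtwo and childthree to the same parent, which is the kind of link the post is after; the privacy-redacted newsletter domain drops out instead of polluting a cluster.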