Jump to content

Recommended Posts

Posted

Hi

Example: the domain below was created today with Namecheap). Spamcop does not find it hosted, neither do other tools I have tried.

However, browsing to it finds it and redirects to the scam website (domain created in September with Namecheap)

The actual target today is very similar to all of them TryWayTipsToday.com (Namecheap domain registration 23 Sept and hosted at 209.141.53.16 fdias@frantech.ca)

The sender of the spam makes the email look like it was from a friend or relative. It tends to say there are photographs I will find interesting so I should click the link…

A long history of this going back YEARS, but only recently became so regular and hard to actually report without clicking the link:


Received 7 November 2022
oklb.ryoiit.com
Domain name: ryoiit.com
Registry Domain ID: 2737018605_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-07T14:44:21.00Z

Received 1 November 2022
icde.crikele.com
Domain name: crikele.com
Registry Domain ID: 2735775930_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-01T14:39:24.00Z

Received 27 October 2022:
crce.hraogani.com
Domain name: hraogani.com
Registry Domain ID: 2734765324_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-27T14:17:53.00Z

Received 22 October 2022:
mkxj.eeansu.com
Domain name: eeansu.com
Registry Domain ID: 2733706599_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-22T14:25:13.00Z

Received 18 October 2022:
ttdgn.sgckit.com
Domain name: sgckit.com
Registry Domain ID: 2732810877_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-18T14:19:36.00Z

Received 13 October 2022:
hzgk.ltdoeiv.com
Domain Name: LTDOEIV.COM
Registry Domain ID: 2731777137_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-10-13T14:34:38Z
Creation Date: 2022-10-13T14:34:32Z

Received 08 October 2022:
snpb.xuoatkaa.com
Domain name: xuoatkaa.com
Registry Domain ID: 2730658186_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-08T13:58:37.00Z

Received 04 October 2022:
ibel.aacnxoap.com
Domain name: aacnxoap.com
Registry Domain ID: 2729728762_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-04T13:57:15.00Z

Received 29 September 2022:
zzim.ylrrayo.com
Domain name: ylrrayo.com
Registry Domain ID: 2728623480_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-29T13:57:53.00Z

Received 24 September 2022:
aotv.ecncsee.com
Domain name: ecncsee.com
Registry Domain ID: 2727479420_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-24T12:57:39.00Z

Received 20 September 2022:
dvjd.eeopss.com
Domain Name: EEOPSS.COM
Registry Domain ID: 2726582547_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-20T14:21:59Z

Received 14 September 2022:
mkvl.eolhshev.com
Domain name: eolhshev.com
Registry Domain ID: 2725237818_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-14T13:36:27.00Z

Received 21 May 2020:
uxlt.aaansg.info
Registry Domain ID: D503300001185489685-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-21T14:12:30.00Z

Received 19 May 2020:
u2v.cetdnwr.info
Domain name: cetdnwr.info
Registry Domain ID: D503300001185467624-LRMS
Registrar WHOIS Server: whois.namecheap.com
Creation Date: 2020-05-19T15:59:25.00Z

Received 11 May 2020
l5rp.solnxat.info
Domain name: solnxat.info
Registry Domain ID: D503300001185368476-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-11T14:30:06.00Z

Received 29 April 2020
cq2r.aofypgs.info 
Domain name: aofypgs.info
Registry Domain ID: D503300001183967263-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-04-29T15:00:49.00Z
 

Any ideas how the spammer is doing this so effectively to make it hard to report?

Posted
The trick that some of the spammers use is to have a invalid DNS server in their list. Then the results are intermittently returned. I have found that I could just reload the tracking URL and it would usually pick up the address.

C:>dig snpb.xuoatkaa.com

; <<>> DiG 9.7.3 <<>> snpb.xuoatkaa.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9848
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;snpb.xuoatkaa.com. IN A

;; Query time: 128 msec
;; SERVER: 179.60.149.119#53(179.60.149.119)
;; WHEN: Mon Nov 07 11:28:35 2022
;; MSG SIZE rcvd: 35


C:>
Posted (edited)

Thanks - I need to learn a bit more about DNS I think

This one is VERY effective. None of the above could be reported over the recent months (Spamcop can’t handle this DNS issue)
 

Edited by Hanco
Posted

New today

http:// www. mdqs. ntlilud. com/

Spamcop says it’s a fake, not found, no reporting address.

Browse to it though… it answers, it redirects like all the others did/do.

What are they doing? Why can’t SpamCop see them?

Posted (edited)
31 minutes ago, Hanco said:

New today

http:// www. mdqs. ntlilud. com/

I can't get it to open?
Whois
Failed Domain Lookup.
Hostname:     www. mdqs. ntlilud. com/
Don't know which Top Level Domain this server belongs to!
Please contact me with the domain name so I can fix this.
Falling back to the default server.
Domain:     www. mdqs. ntlilud. com/
OK there are spaces in link 
 

Failed Domain Lookup.
Hostname:    www.mdqs.ntlilud.com
Domain:    ntlilud.com

Querying root.rwhois.net:4321 for ntlilud.com...
Can not resolve host 'root.rwhois.net'

Querying whois.crsnic.net for ntlilud.com...
   Domain Name: NTLILUD.COM
   Registry Domain ID: 2737885207_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2022-11-11T14:58:39Z
   Creation Date: 2022-11-11T14:58:34Z
   Registry Expiry Date: 2023-11-11T14:58:34Z
   Registrar: NameCheap, Inc.
   Registrar IANA ID: 1068
   Registrar Abuse Contact Email:  mailto:abuse[AT]namecheap[DOT]com
 

Edited by petzl
Posted
When you see the "IP not found" and "discarded as fake", but it shows up with a nslookup or a dig then you can just refresh the page before you report it and most of the time SpamCop will see the IP address.

I will try an quick explanation. It is suggested for a group to setup multiple DNS servers, especially to get around outages. DNS can have a few responses, such as good domain (you get the internet address), timeout (no reply in allotted time), or bad domain (NXDOMAIN). Each DNS lookup is expected to rotate between servers.

The timeout for one server can cause an attempt to look up the domain on an alternate server.

The NXDOMAIN will cause the lookup to immediately to stop and not try other servers. This is when SpamCop reports the "IP not found". If the spammers know the IP address where the SpamCop lookup attempt is coming from, then they can turn off the responses to cause SpamCop to think it is a bad address.
Posted
On 11/11/2022 at 5:08 PM, petzl said:

I can't get it to open?
Whois
Failed Domain Lookup.
Hostname:     www. mdqs. ntlilud. com/
Don't know which Top Level Domain this server belongs to!
Please contact me with the domain name so I can fix this.
Falling back to the default server.
Domain:     www. mdqs. ntlilud. com/
OK there are spaces in link 
 

Failed Domain Lookup.
Hostname:    www.mdqs.ntlilud.com
Domain:    ntlilud.com

Querying root.rwhois.net:4321 for ntlilud.com...
Can not resolve host 'root.rwhois.net'

Querying whois.crsnic.net for ntlilud.com...
   Domain Name: NTLILUD.COM
   Registry Domain ID: 2737885207_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2022-11-11T14:58:39Z
   Creation Date: 2022-11-11T14:58:34Z
   Registry Expiry Date: 2023-11-11T14:58:34Z
   Registrar: NameCheap, Inc.
   Registrar IANA ID: 1068
   Registrar Abuse Contact Email:  mailto:abuse[AT]namecheap[DOT]com
 

Yeah, Namecheap has been getting these regularly for weeks, with a growing length of history!

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...