Hanco Posted November 7, 2022

Hi

Example: the domain below was created today with Namecheap. Spamcop does not find it hosted, neither do other tools I have tried. However, browsing to it finds it and redirects to the scam website (domain created in September with Namecheap).

The actual target today is very similar to all of them: TryWayTipsToday.com (Namecheap domain registration 23 Sept and hosted at 209.141.53.16, fdias@frantech.ca).

The sender of the spam makes the email look like it was from a friend or relative. It tends to say there are photographs I will find interesting so I should click the link...

A long history of this going back YEARS, but only recently became so regular and hard to actually report without clicking the link:

Received 7 November 2022: oklb.ryoiit.com
Domain name: ryoiit.com
Registry Domain ID: 2737018605_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-07T14:44:21.00Z

Received 1 November 2022: icde.crikele.com
Domain name: crikele.com
Registry Domain ID: 2735775930_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-01T14:39:24.00Z

Received 27 October 2022: crce.hraogani.com
Domain name: hraogani.com
Registry Domain ID: 2734765324_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-27T14:17:53.00Z

Received 22 October 2022: mkxj.eeansu.com
Domain name: eeansu.com
Registry Domain ID: 2733706599_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-22T14:25:13.00Z

Received 18 October 2022: ttdgn.sgckit.com
Domain name: sgckit.com
Registry Domain ID: 2732810877_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-18T14:19:36.00Z

Received 13 October 2022: hzgk.ltdoeiv.com
Domain Name: LTDOEIV.COM
Registry Domain ID: 2731777137_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-10-13T14:34:38Z
Creation Date: 2022-10-13T14:34:32Z

Received 08 October 2022: snpb.xuoatkaa.com
Domain name: xuoatkaa.com
Registry Domain ID: 2730658186_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-08T13:58:37.00Z

Received 04 October 2022: ibel.aacnxoap.com
Domain name: aacnxoap.com
Registry Domain ID: 2729728762_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-04T13:57:15.00Z

Received 29 September 2022: zzim.ylrrayo.com
Domain name: ylrrayo.com
Registry Domain ID: 2728623480_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-29T13:57:53.00Z

Received 24 September 2022: aotv.ecncsee.com
Domain name: ecncsee.com
Registry Domain ID: 2727479420_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-24T12:57:39.00Z

Received 20 September 2022: dvjd.eeopss.com
Domain Name: EEOPSS.COM
Registry Domain ID: 2726582547_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-20T14:21:59Z

Received 14 September 2022: mkvl.eolhshev.com
Domain name: eolhshev.com
Registry Domain ID: 2725237818_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-14T13:36:27.00Z

Received 21 May 2020: uxlt.aaansg.info
Registry Domain ID: D503300001185489685-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-21T14:12:30.00Z

Received 19 May 2020: u2v.cetdnwr.info
Domain name: cetdnwr.info
Registry Domain ID: D503300001185467624-LRMS
Registrar WHOIS Server: whois.namecheap.com
Creation Date: 2020-05-19T15:59:25.00Z

Received 11 May 2020: l5rp.solnxat.info
Domain name: solnxat.info
Registry Domain ID: D503300001185368476-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-11T14:30:06.00Z

Received 29 April 2020: cq2r.aofypgs.info
Domain name: aofypgs.info
Registry Domain ID: D503300001183967263-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-04-29T15:00:49.00Z

Any ideas how the spammer is doing this so effectively to make it hard to report?
gnarlymarley Posted November 7, 2022

The trick that some of the spammers use is to have an invalid DNS server in their list. Then the results are intermittently returned. I have found that I could just reload the tracking URL and it would usually pick up the address.

C:>dig snpb.xuoatkaa.com
; <<>> DiG 9.7.3 <<>> snpb.xuoatkaa.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9848
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;snpb.xuoatkaa.com. IN A

;; Query time: 128 msec
;; SERVER: 179.60.149.119#53(179.60.149.119)
;; WHEN: Mon Nov 07 11:28:35 2022
;; MSG SIZE rcvd: 35

C:>
Hanco (Author) Posted November 7, 2022 (edited)

Thanks - I need to learn a bit more about DNS I think.

This one is VERY effective. None of the above could be reported over the recent months (Spamcop can't handle this DNS issue).

Edited November 7, 2022 by Hanco
Hanco (Author) Posted November 11, 2022

New today: http:// www. mdqs. ntlilud. com/

Spamcop says it's a fake, not found, no reporting address. Browse to it though... it answers, it redirects like all the others did/do.

What are they doing? Why can't SpamCop see them?
petzl Posted November 11, 2022 (edited)

31 minutes ago, Hanco said:
New today: http:// www. mdqs. ntlilud. com/

I can't get it to open?

Whois
Failed Domain Lookup.
Hostname: www. mdqs. ntlilud. com/
Don't know which Top Level Domain this server belongs to!
Please contact me with the domain name so I can fix this.
Falling back to the default server.
Domain: www. mdqs. ntlilud. com/

OK there are spaces in link

Failed Domain Lookup.
Hostname: www.mdqs.ntlilud.com
Domain: ntlilud.com
Querying root.rwhois.net:4321 for ntlilud.com...
Can not resolve host 'root.rwhois.net'
Querying whois.crsnic.net for ntlilud.com...
Domain Name: NTLILUD.COM
Registry Domain ID: 2737885207_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-11-11T14:58:39Z
Creation Date: 2022-11-11T14:58:34Z
Registry Expiry Date: 2023-11-11T14:58:34Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: mailto:abuse[AT]namecheap[DOT]com

Edited November 11, 2022 by petzl
gnarlymarley Posted November 12, 2022

When you see the "IP not found" and "discarded as fake", but it shows up with an nslookup or a dig, then you can just refresh the page before you report it and most of the time SpamCop will see the IP address.

I will try a quick explanation. It is suggested for a group to set up multiple DNS servers, especially to get around outages. DNS can have a few responses, such as good domain (you get the internet address), timeout (no reply in allotted time), or bad domain (NXDOMAIN). Each DNS lookup is expected to rotate between servers. The timeout for one server can cause an attempt to look up the domain on an alternate server. The NXDOMAIN will cause the lookup to stop immediately and not try other servers. This is when SpamCop reports the "IP not found". If the spammers know the IP address where the SpamCop lookup attempt is coming from, then they can turn off the responses to cause SpamCop to think it is a bad address.
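To make the retry behaviour described in the post above concrete, here is an added example (written for this thread, not SpamCop's code or any real resolver's) that models a resolver walking a domain's nameserver list and that parses the status header of the dig output quoted earlier, so a reporter can tell REFUSED (worth retrying against another server) from NXDOMAIN (final). The nameserver names, their behaviours and the 192.0.2.10 TEST-NET address are constructed assumptions; the sample dig text is taken from the reply quoted in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Outcomes a single nameserver can produce for a query.
ANSWER, TIMEOUT, REFUSED, NXDOMAIN, SERVFAIL = (
    "ANSWER", "TIMEOUT", "REFUSED", "NXDOMAIN", "SERVFAIL")

Behaviour = Tuple[str, Optional[str]]  # (outcome, address if any)

# Constructed nameserver sets (assumptions, not the thread's real servers).
# One working server hidden behind two that never answer properly; the
# address is a TEST-NET placeholder.
POISONED_NS: Dict[str, Behaviour] = {
    "ns1.example": (REFUSED, None),
    "ns2.example": (TIMEOUT, None),
    "ns3.example": (ANSWER, "192.0.2.10"),
}
# A server that denies the name outright, listed before the one that answers.
DENYING_NS: Dict[str, Behaviour] = {
    "nsx.example": (NXDOMAIN, None),
    "ns3.example": (ANSWER, "192.0.2.10"),
}


def resolve_once(servers: Dict[str, Behaviour], order: List[str],
                 max_tries: int) -> Tuple[str, Optional[str], List[str]]:
    """Walk `order` like a resolver: REFUSED/TIMEOUT move on to the next
    server, ANSWER and NXDOMAIN end the lookup, and after `max_tries`
    failed servers the resolver gives up with SERVFAIL."""
    tried: List[str] = []
    for ns in order[:max_tries]:
        tried.append(ns)
        outcome, addr = servers[ns]
        if outcome == ANSWER:
            return ANSWER, addr, tried
        if outcome == NXDOMAIN:       # authoritative "no such name": stop here
            return NXDOMAIN, None, tried
        # TIMEOUT / REFUSED: fall through to the next server
    return SERVFAIL, None, tried


def repeated_lookups(servers: Dict[str, Behaviour], trials: int,
                     max_tries: int = 2) -> Dict[str, int]:
    """Repeat the lookup, rotating the starting server each time, and count
    the outcomes; this is the intermittent behaviour the post describes."""
    names = list(servers)
    counts: Dict[str, int] = {}
    for i in range(trials):
        start = i % len(names)
        order = names[start:] + names[:start]
        outcome, _, _ = resolve_once(servers, order, max_tries)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Parsing the header of dig output, e.g. the REFUSED reply quoted above.
HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
COUNTS_RE = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)#(\d+)", re.M)


def classify_dig_output(text: str) -> Dict[str, object]:
    """Return the status, answer count and responding server from dig text,
    plus whether a resolver would go on to try another server."""
    header, counts, server = HEADER_RE.search(text), COUNTS_RE.search(text), SERVER_RE.search(text)
    if not (header and counts):
        # No header at all: the server never replied (dig reports a timeout).
        return {"status": TIMEOUT, "answers": 0, "server": None,
                "retry_next_server": True}
    status = header.group(2)
    return {
        "status": status,
        "answers": int(counts.group(2)),
        "server": server.group(1) if server else None,
        # NOERROR and NXDOMAIN are final; REFUSED, SERVFAIL etc. mean try another NS
        "retry_next_server": status not in ("NOERROR", "NXDOMAIN"),
    }


# Constructed from the dig output gnarlymarley quoted in this thread.
SAMPLE_DIG = "\n".join([
    "; <<>> DiG 9.7.3 <<>> snpb.xuoatkaa.com",
    ";; global options: +cmd",
    ";; Got answer:",
    ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9848",
    ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0",
    ";; WARNING: recursion requested but not available",
    ";; QUESTION SECTION:",
    ";snpb.xuoatkaa.com.\t\tIN\tA",
    ";; Query time: 128 msec",
    ";; SERVER: 179.60.149.119#53(179.60.149.119)",
    ";; WHEN: Mon Nov 07 11:28:35 2022",
    ";; MSG SIZE  rcvd: 35",
])

if __name__ == "__main__":
    print(classify_dig_output(SAMPLE_DIG))          # REFUSED, retry another server
    print(repeated_lookups(POISONED_NS, 30))        # mix of ANSWER and SERVFAIL
    print(resolve_once(DENYING_NS, list(DENYING_NS), 2))  # NXDOMAIN stops at once
```

With the poisoned set and a resolver that gives up after two servers, a third of the lookups fail and two thirds succeed depending only on which server is tried first, which is exactly why reloading the tracking URL often "picks up the address"; with the denying set, the NXDOMAIN from the first server ends the lookup before the answering server is ever asked.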
Hanco (Author) Posted November 13, 2022

On 11/11/2022 at 5:08 PM, petzl said:
I can't get it to open?

Whois
Failed Domain Lookup.
Hostname: www. mdqs. ntlilud. com/
Don't know which Top Level Domain this server belongs to!
Please contact me with the domain name so I can fix this.
Falling back to the default server.
Domain: www. mdqs. ntlilud. com/

OK there are spaces in link

Failed Domain Lookup.
Hostname: www.mdqs.ntlilud.com
Domain: ntlilud.com
Querying root.rwhois.net:4321 for ntlilud.com...
Can not resolve host 'root.rwhois.net'
Querying whois.crsnic.net for ntlilud.com...
Domain Name: NTLILUD.COM
Registry Domain ID: 2737885207_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-11-11T14:58:39Z
Creation Date: 2022-11-11T14:58:34Z
Registry Expiry Date: 2023-11-11T14:58:34Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: mailto:abuse[AT]namecheap[DOT]com

Yeah, Namecheap has been getting these regularly for weeks, with a growing length of history!