
Not hosted but there is a spamvertized site


Hanco


I get an email every week for this gummies junk.

The domain of the spamvertized URL is always created the same day or very recently.

The nameserver in the domain registration WHOIS is usually also created the same day or very recently.

The registrar is always Namecheap (usually for the nameserver and the spam URL).

The emails always say they are from someone I know (the same name every time) but I don’t wanna block that name in case they do email me.

I have to visit the link in a browser to find the target site. And the spam URL must be hosted somewhere? Why doesn’t SpamCop find it? This is the same in ALL the examples below.

December 20 2022
Registered TODAY for spamming and fraudulent misrepresentation of email source/target:
tjqpm.abmfamsh.com
Target site for the fraudulent “friend/relative” emails:
23.19.58.21
arin@nobistech.net, admin@nobistech.net, abuse@nobistech.net
 
Domain name: abmfamsh.com
Registry Domain ID: 2745957851_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-20T15:07:37.00Z
And the name server eieesedns.com registered yesterday:
Domain name: eieesedns.com
Registry Domain ID: 2745701280_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-19T08:44:57.00Z
 
December 15 2022
Domain Name: TUIMYDU.COM
Registry Domain ID: 2744905971_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-15T15:30:17Z
Creation Date: 2022-12-15T15:30:11Z
AND THE DNS registration in that Whois lookup created 3 days prior:
Domain Name: HHAWLSDNS.COM
Registry Domain ID: 2744216125_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-12T12:42:40Z
Creation Date: 2022-12-12T12:36:19Z
 
December 12 2022
agxiu.ktwrer.com
Domain Name: KTWRER.COM
Registry Domain ID: 2744230606_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-12T15:24:15Z
Creation Date: 2022-12-12T15:24:11Z
And Nameserver registration:
Domain name: aooiaonhedns.com
Registry Domain ID: 2744216142_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-12T12:36:27.00Z
And GWHOIS says… (blocking the resolving of the host IP):
Failed to resolve the following nameservers: ns1.aooiaonhedns.com ns2.aooiaonhedns.com
 
December 06 2022
lgfdc.niadag.com
Domain Name: NIADAG.COM
Registry Domain ID: 2742888200_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-06T14:07:09Z
Creation Date: 2022-12-06T14:07:04Z
 
December 03 2022
Registered TODAY for spamming and fraudulent misrepresentation of email source/target:
Domain name: edmawtr.com
Registry Domain ID: 2742345059_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-03T15:24:47.00Z
 
Received 23 November 2022
Registered today for spamming and fraudulent misrepresentation of who the email is from:
wyky.oedeskr.com hosted at 179.60.149.119 info@vds4you.ru
Domain name: oedeskr.com
Registry Domain ID: 2740325849_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-23T15:09:58.00Z
 
Received 11 November 2022
mdqs.ntlilud.com created same day, to redirect spam traffic to thebesttipsway.com hosted at 205.185.120.177 : admin@frantech.ca
Domain name: thebesttipsway.com 
Registry Domain ID: 2727269186_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-23T14:16:37.00Z
Domain name: ntlilud.com
Registry Domain ID: 2737885207_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-11T14:58:34.00Z

Received 7 November 2022
oklb.ryoiit.com created same day, to target spam traffic to trywaytipstoday.com hosted at 209.141.53.16 fdias@frantech.ca
Domain name: trywaytipstoday.com
Registry Domain ID: 2727269193_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-23T14:16:42.00Z
Domain name: ryoiit.com
Registry Domain ID: 2737018605_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-07T14:44:21.00Z

Received 1 November 2022
icde.crikele.com - On 12 Nov this site is not found in browser 
Domain name: crikele.com
Registry Domain ID: 2735775930_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-01T14:39:24.00Z

Received 27 October 2022:
crce.hraogani.com - on 12 Nov this redirects to thebesttipsway.com hosted at 205.185.120.177 : admin@frantech.ca
Domain name: hraogani.com
Registry Domain ID: 2734765324_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-27T14:17:53.00Z

Received 22 October 2022:
mkxj.eeansu.com
Domain name: eeansu.com
Registry Domain ID: 2733706599_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-22T14:25:13.00Z

Received 18 October 2022:
ttdgn.sgckit.com
Domain name: sgckit.com
Registry Domain ID: 2732810877_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-18T14:19:36.00Z

Received 13 October 2022:
hzgk.ltdoeiv.com
Domain Name: LTDOEIV.COM
Registry Domain ID: 2731777137_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-10-13T14:34:38Z
Creation Date: 2022-10-13T14:34:32Z

Received 08 October 2022:
snpb.xuoatkaa.com
Domain name: xuoatkaa.com
Registry Domain ID: 2730658186_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-08T13:58:37.00Z

Received 04 October 2022:
ibel.aacnxoap.com
Domain name: aacnxoap.com
Registry Domain ID: 2729728762_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-04T13:57:15.00Z

Received 29 September 2022:
zzim.ylrrayo.com
Domain name: ylrrayo.com
Registry Domain ID: 2728623480_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-29T13:57:53.00Z

Received 24 September 2022:
aotv.ecncsee.com
Domain name: ecncsee.com
Registry Domain ID: 2727479420_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-24T12:57:39.00Z

Received 20 September 2022:
dvjd.eeopss.com
Domain Name: EEOPSS.COM
Registry Domain ID: 2726582547_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-20T14:21:59Z

Received 14 September 2022:
mkvl.eolhshev.com
Domain name: eolhshev.com
Registry Domain ID: 2725237818_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-14T13:36:27.00Z

Received 21 May 2020:
uxlt.aaansg.info
Registry Domain ID: D503300001185489685-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-21T14:12:30.00Z

Received 19 May 2020:
u2v.cetdnwr.info
Domain name: cetdnwr.info
Registry Domain ID: D503300001185467624-LRMS
Registrar WHOIS Server: whois.namecheap.com
Creation Date: 2020-05-19T15:59:25.00Z

Received 11 May 2020
l5rp.solnxat.info
Domain name: solnxat.info
Registry Domain ID: D503300001185368476-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-11T14:30:06.00Z

Received 29 April 2020
cq2r.aofypgs.info 
Domain name: aofypgs.info
Registry Domain ID: D503300001183967263-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-04-29T15:00:49.00Z

And more before April 2020
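
The pattern reported in this post (a spamvertized domain registered the same day the mail arrives) can be checked mechanically. The following is an added example, not part of the original post: it parses WHOIS excerpts quoted above, in both timestamp styles, and flags domains younger than an assumed 7-day threshold; the function names and the threshold are illustrative.

```python
import re
from datetime import date, datetime, timezone

MAX_AGE_DAYS = 7  # assumed threshold for "newly registered"; not from the post

# WHOIS excerpts and received dates copied from the post above.
SAMPLES = [
    ("tjqpm.abmfamsh.com", date(2022, 12, 20),
     "Domain name: abmfamsh.com\nRegistrar URL: http://www.namecheap.com\n"
     "Updated Date: 0001-01-01T00:00:00.00Z\nCreation Date: 2022-12-20T15:07:37.00Z"),
    ("tuimydu.com", date(2022, 12, 15),
     "Domain Name: TUIMYDU.COM\nRegistrar URL: http://www.namecheap.com\n"
     "Updated Date: 2022-12-15T15:30:17Z\nCreation Date: 2022-12-15T15:30:11Z"),
    ("thebesttipsway.com", date(2022, 11, 11),  # redirect target, registered earlier
     "Domain name: thebesttipsway.com\nRegistrar URL: http://www.namecheap.com\n"
     "Updated Date: 0001-01-01T00:00:00.00Z\nCreation Date: 2022-09-23T14:16:37.00Z"),
]

FIELD = re.compile(r"^\s*([^:\n]+):\s*(.+?)\s*$", re.MULTILINE)

def parse_ts(value):
    """Parse '...37.00Z' and '...11Z' styles; None for the 0001-01-01 placeholder."""
    v = re.sub(r"\.\d+$", "", value.rstrip("Z"))
    if v.startswith("0001-"):
        return None
    return datetime.strptime(v, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def parse_whois(text):
    """Extract the fields used here; keys are matched case-insensitively."""
    fields = {k.strip().lower(): v for k, v in FIELD.findall(text)}
    return {"domain": fields["domain name"].lower(),
            "registrar_url": fields.get("registrar url"),
            "created": parse_ts(fields["creation date"])}

def assess(host, received, whois_text, max_age_days=MAX_AGE_DAYS):
    """Compare the registration date with the date the spam was received."""
    rec = parse_whois(whois_text)
    host = host.lower()
    age = (received - rec["created"].date()).days
    return {"domain": rec["domain"],
            "host_in_domain": host == rec["domain"] or host.endswith("." + rec["domain"]),
            "age_days": age,
            "registrar_url": rec["registrar_url"],
            "newly_registered": 0 <= age <= max_age_days}

def report():
    return [assess(*sample) for sample in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```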

5 minutes ago, gnarlymarley said:

Twenty years ago, they used to sign up like that to take advantage of the "free trial" period for domains. It also would allow them to get past the spam filters by having a new DNS name.

Right! So how the hell are they able to do it 20 years later?


3 hours ago, Hanco said:

I get an email every week for this gummies junk.

The domain of the spamvertized URL is always created the same day or very recently.

The nameserver in the domain registration WHOIS is usually also created the same day or very recently.

The registrar is always Namecheap (usually for the nameserver and the spam URL).

Namecheap are a problem with their free domain spam. The major spam in this newsgroup (fake drugs) points to them.
Might be a good idea to also include namecheap's provider in spam complaint? abuse[AT]cloudflare[DOT]com?
May make them sweat?
https://en.wikipedia.org/wiki/Namecheap
go to Namecheap to do your homework. 
https://www.namecheap.com 
The spam sites are never up long, but they should ask for a credit card; they can do a zero/$1 charge to look at the card and see if it's valid.
Found this out when Amazon gave my credit card details to some unheard-of drongo that decided to give me a "free trial" that I never asked for.
My bank SMS'ed my mobile phone straight away
"Card ending in XXXX has an attempted transaction at 'CLIENTCONNECT.AI' for $0.00 at 7:49" 
 
Had to cancel card; very reluctant to give Amazon new card details!

Edited by petzl

2 hours ago, Hanco said:

Right! So how the hell are they able to do it 20 years later?

They think it works. It's not their problem, it's yours/ours. Not that I bother even clicking.
Don't know if it can be done, but interested myself:
Can I block sites from a "domain provider"? Namecheap would head my list.

Edited by petzl

  • 1 month later...

Ongoing… this one still cannot be found by Spamcop but is definitely live. I can ping the web address:

Target URL for the emailed link in a mail pretending to be from a friend or relative:
hkdps.piarliye.com 
Pings at 88.214.26.85

No response since 19 Jan from support@ip-interactive.de - trying them again.


2 hours ago, Hanco said:

hkdps.piarliye.com 
Pings at 88.214.26.85

My browser or ISP has the IP blocked?
Sometimes it's a good idea to be smarter than the BOT SpamCop and send a report yourself
Seems there are no websites running from that IP now?
https://www.lookip.net/ip/88.214.26.85

Failed Domain Lookup.
Hostname:    hkdps.piarliye.com
Domain:    piarliye.com

Querying root.rwhois.net:4321 for piarliye.com...
Can not resolve host 'root.rwhois.net'

Querying whois.crsnic.net for piarliye.com...
   Domain Name: PIARLIYE.COM
   Registry Domain ID: 2752432800_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2023-01-19T14:42:20Z
   Creation Date: 2023-01-19T14:42:15Z
   Registry Expiry Date: 2024-01-19T14:42:15Z
   Registrar: NameCheap, Inc.
   Registrar IANA ID: 1068
   Registrar Abuse Contact Email:  mailto:abuse[AT]namecheap[DOT]com
 


On 1/24/2023 at 4:20 PM, petzl said:

My browser or ISP has the IP blocked?

Failed Domain Lookup.
Hostname:    hkdps.piarliye.com
Domain:    piarliye.com

Querying root.rwhois.net:4321 for piarliye.com...
Can not resolve host 'root.rwhois.net'

Isn’t it strange?

I go to that site and it’s live. It redirects to https://great-tipsline.com/us/owiy/acvluxe-onl?bhu=spkfLVx74Uxzr6Jje713xZGdBSdmqafrfZKtn5

What does spamcop say ?

SpamCop v 5.4.0 © 2023 Cisco Systems, Inc. All rights reserved.

Parsing input: 88.214.26.85

No recent reports, no history available
Routing details for 88.214.26.85
Report routing for 88.214.26.85: info@ip-interactive.de
info@ip-interactive.de redirects to support@ip-interactive.de
support@ip-interactive.de bounces (19201 sent : 9601 bounces)

Statistics:

88.214.26.85 not listed in bl.spamcop.net
More Information.
88.214.26.85 not listed in cbl.abuseat.org
88.214.26.85 not listed in dnsbl.sorbs.net

Reporting addresses: (NONE)

 

I found ip-interactive.de is now Layer7.net

I emailed Layer7 and they explained:

88.214.26.0/24 is hosted in a foreign ASN.
We do not have any control there. To stop services we would have to pull back the whole /24 network.
And we will not pull back the whole /24 because an anonymous 3rd party [me] will ask us to do so.
AND
88.214.26.0/22 belongs to our allocations. So it's correct that it returned us at some point. We are the responsible LIR (RIPE member -- like ARIN but for Europe/Middle-east) for these IPs.
So I looked in Domain Tools. 88.214.26.85 is the Layer7 customer, fivecloud.net so I’ll go to those guys (based in the Seychelles) about this site.

CAN SPAMCOP UPDATE THEIR CONTACTS FOR THE IP?
Looks like a range where they have ip-interactive.de that don’t respond as they are no longer the business.
 