Hanco Posted December 20, 2022

I get an email every week for this gummies junk.

The domain of the spamvertized URL is always created the same day or very recently.
The nameserver in the domain registration WHOIS is usually also created the same day or very recently.
The registrar is always Namecheap (usually for the nameserver and the spam URL).
The emails always say they are from someone I know (the same name every time) but I don’t wanna block that name in case they do email me.
I have to visit the link in a browser to find the target site. And the spam URL must be hosted somewhere? Why doesn’t SpamCop find it?

This is the same in ALL the examples below.

December 20 2022
Registered TODAY for spamming and fraudulent misrepresentation of email source/target: tjqpm.abmfamsh.com
Target site for the fraudulent “friend/relative” emails: https://theproducttoday.com/us/ksic/acv-citad
23.19.58.21 arin@nobistech.net, admin@nobistech.net, abuse@nobistech.net
Domain name: abmfamsh.com
Registry Domain ID: 2745957851_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-20T15:07:37.00Z
And the name server eieesedns.com registered yesterday:
Domain name: eieesedns.com
Registry Domain ID: 2745701280_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-19T08:44:57.00Z

December 15 2022
Domain Name: TUIMYDU.COM
Registry Domain ID: 2744905971_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-15T15:30:17Z
Creation Date: 2022-12-15T15:30:11Z
AND THE DNS registration in that Whois lookup created 3 days prior:
Domain Name: HHAWLSDNS.COM
Registry Domain ID: 2744216125_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-12T12:42:40Z
Creation Date: 2022-12-12T12:36:19Z

December 12 2022
agxiu.ktwrer.com
Domain Name: KTWRER.COM
Registry Domain ID: 2744230606_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-12T15:24:15Z
Creation Date: 2022-12-12T15:24:11Z
And Nameserver registration:
Domain name: aooiaonhedns.com
Registry Domain ID: 2744216142_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-12T12:36:27.00Z
And GWHOIS says… (blocking the resolving of the host IP):
Failed to resolve the following nameservers: ns1.aooiaonhedns.com, ns2.aooiaonhedns.com

December 06 2022
lgfdc.niadag.com
Domain Name: NIADAG.COM
Registry Domain ID: 2742888200_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-12-06T14:07:09Z
Creation Date: 2022-12-06T14:07:04Z

December 03 2022
Registered TODAY for spamming and fraudulent misrepresentation of email source/target:
Domain name: edmawtr.com
Registry Domain ID: 2742345059_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-03T15:24:47.00Z

Received 23 November 2022
Registered today for spamming and fraudulent misrepresentation of who the email is from: wyky.oedeskr.com hosted at 179.60.149.119 info@vds4you.ru
Domain name: oedeskr.com
Registry Domain ID: 2740325849_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-23T15:09:58.00Z

Received 11 November 2022
mdqs.ntlilud.com created same day, to redirect spam traffic to thebesttipsway.com hosted at 205.185.120.177 : admin@frantech.ca
Domain name: thebesttipsway.com
Registry Domain ID: 2727269186_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-23T14:16:37.00Z
Domain name: ntlilud.com
Registry Domain ID: 2737885207_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-11T14:58:34.00Z

Received 7 November 2022
oklb.ryoiit.com created same day, to target spam traffic to trywaytipstoday.com hosted at 209.141.53.16 fdias@frantech.ca
Domain name: trywaytipstoday.com
Registry Domain ID: 2727269193_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-23T14:16:42.00Z
Domain name: ryoiit.com
Registry Domain ID: 2737018605_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-07T14:44:21.00Z

Received 1 November 2022
icde.crikele.com - On 12 Nov this site is not found in browser
Domain name: crikele.com
Registry Domain ID: 2735775930_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-11-01T14:39:24.00Z

Received 27 October 2022:
crce.hraogani.com - on 12 Nov this redirects to thebesttipsway.com hosted at 205.185.120.177 : admin@frantech.ca
Domain name: hraogani.com
Registry Domain ID: 2734765324_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-27T14:17:53.00Z

Received 22 October 2022:
mkxj.eeansu.com
Domain name: eeansu.com
Registry Domain ID: 2733706599_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-22T14:25:13.00Z

Received 18 October 2022:
ttdgn.sgckit.com
Domain name: sgckit.com
Registry Domain ID: 2732810877_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-18T14:19:36.00Z

Received 13 October 2022:
hzgk.ltdoeiv.com
Domain Name: LTDOEIV.COM
Registry Domain ID: 2731777137_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 2022-10-13T14:34:38Z
Creation Date: 2022-10-13T14:34:32Z

Received 08 October 2022:
snpb.xuoatkaa.com
Domain name: xuoatkaa.com
Registry Domain ID: 2730658186_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-08T13:58:37.00Z

Received 04 October 2022:
ibel.aacnxoap.com
Domain name: aacnxoap.com
Registry Domain ID: 2729728762_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-10-04T13:57:15.00Z

Received 29 September 2022:
zzim.ylrrayo.com
Domain name: ylrrayo.com
Registry Domain ID: 2728623480_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-29T13:57:53.00Z

Received 24 September 2022:
aotv.ecncsee.com
Domain name: ecncsee.com
Registry Domain ID: 2727479420_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-24T12:57:39.00Z

Received 20 September 2022:
dvjd.eeopss.com
Domain Name: EEOPSS.COM
Registry Domain ID: 2726582547_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-20T14:21:59Z

Received 14 September 2022:
mkvl.eolhshev.com
Domain name: eolhshev.com
Registry Domain ID: 2725237818_DOMAIN_COM-VRSN
Registrar URL: http://www.namecheap.com
Creation Date: 2022-09-14T13:36:27.00Z

Received 21 May 2020:
uxlt.aaansg.info
Registry Domain ID: D503300001185489685-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-21T14:12:30.00Z

Received 19 May 2020:
u2v.cetdnwr.info
Domain name: cetdnwr.info
Registry Domain ID: D503300001185467624-LRMS
Registrar WHOIS Server: whois.namecheap.com
Creation Date: 2020-05-19T15:59:25.00Z

Received 11 May 2020
l5rp.solnxat.info
Domain name: solnxat.info
Registry Domain ID: D503300001185368476-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-05-11T14:30:06.00Z

Received 29 April 2020
cq2r.aofypgs.info
Domain name: aofypgs.info
Registry Domain ID: D503300001183967263-LRMS
Registrar URL: http://www.namecheap.com
Creation Date: 2020-04-29T15:00:49.00Z

And more before April 2020

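The pattern reported in the post above (spam domain and its nameserver both registered within a day or so of the email arriving) can be checked mechanically from WHOIS text. The following is an added example, not part of the original post: it parses both WHOIS layouts quoted above and flags domains created within a set window before the receipt time; the function names and the 7-day default are assumptions.

```python
# Added example with hypothetical helper names; not code from the thread.
import re
from datetime import datetime, timezone

# Constructed sample: WHOIS excerpts built from values quoted in the first post,
# in both layouts seen there ("Domain name" + ".00Z", "Domain Name" + "Z").
SAMPLE_WHOIS = """\
Domain name: abmfamsh.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-20T15:07:37.00Z
Domain name: eieesedns.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-12-19T08:44:57.00Z
Domain Name: TUIMYDU.COM
Updated Date: 2022-12-15T15:30:17Z
Creation Date: 2022-12-15T15:30:11Z
Domain name: thebesttipsway.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2022-09-23T14:16:37.00Z
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$")

def parse_ts(value):
    """Parse a WHOIS timestamp; the 0001-01-01 placeholder means 'never set'."""
    ts = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return None if ts.year == 1 else ts.replace(tzinfo=timezone.utc)

def parse_whois(text):
    """Split concatenated WHOIS output into one dict per 'Domain name' record."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "domain name":
            records.append({"domain": value.lower()})
        elif records and key.endswith(" date"):
            records[-1][key] = parse_ts(value)
    return records

def newly_registered(records, received, max_age_days=7):
    """Return (domain, age_in_days) for domains created within the window."""
    hits = []
    for rec in records:
        created = rec.get("creation date")
        if created and 0 <= (received - created).days <= max_age_days:
            hits.append((rec["domain"], (received - created).days))
    return hits
```

With `received` set to the evening of 20 December 2022 (UTC), `newly_registered(parse_whois(SAMPLE_WHOIS), received)` flags the three December domains and skips thebesttipsway.com, which was registered in September.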
gnarlymarley Posted December 20, 2022

Twenty years ago, they used to sign up like that to take advantage of the "free trial" period for domains. It also would allow them to get past the spam filters by having a new DNS name.

Hanco Posted December 20, 2022 (Author)

5 minutes ago, gnarlymarley said:
> Twenty years ago, they used to sign up like that to take advantage of the "free trial" period for domains. It also would allow them to get past the spam filters by having a new DNS name.

Right! So how the hell are they able to do it 20 years later?

petzl Posted December 20, 2022 Share Posted December 20, 2022 (edited) 3 hours ago, Hanco said: I get an email every week for this gummies junk. The domain of the spamvertized URL is always created the same day or very recently. the Nameserver in the domain registration WhoIs is usually also created the same day or very recently. The registrar is always Namecheap (usually for the nameserver and the spam URL) Namecheap are a problem with their free domain spam. The major spam in this newsgroup (Fake drug's) points to them. Might be a good idea to also include namecheap's provider in spam complaint? abuse[AT]cloudflare[DOT]com? May make them sweat?https://en.wikipedia.org/wiki/Namecheap go to Namecheap to do your homework. https://www.namecheap.com The spam sites are never up long, but they should ask for a credit card they can do a zero/$1 charge look at card to see if it's valid. Found this out when Amazon gave my credit card details to some unheard of drongo that decided to give me a "free trail" that I never asked for . My bank SMS'ed my mobile phone straight away"Card ending in XXXX has an attempted transaction at 'CLIENTCONNECT.AI' for $0.00 at 7:49" Had to cancel card very reluctant to give Amazon new card details! Edited December 20, 2022 by petzl Quote Link to comment Share on other sites More sharing options...
petzl Posted December 20, 2022 Share Posted December 20, 2022 (edited) 2 hours ago, Hanco said: Right! So how the hell are they able to do it 20 years later? They think it works, It's not their problem it's yours/ours, Not that I bother even clicking. Don't know if it can be done but interested myselfCan I block sites from "domain provider" Namecheap would head my list. Edited December 20, 2022 by petzl Quote Link to comment Share on other sites More sharing options...
Hanco Posted January 24, 2023 (Author)

Ongoing… this one still cannot be found by SpamCop but is definitely live. I can ping the web address.

Target URL for the emailed link in a mail pretending to be from a friend or relative: hkdps.piarliye.com
Pings at 88.214.26.85
No response since 19 Jan from support@ip-interactive.de - trying them again.

petzl Posted January 24, 2023

2 hours ago, Hanco said:
> hkdps.piarliye.com
> Pings at 88.214.26.85

My browser or ISP has the IP blocked? Sometimes it's a good idea to be smarter than the BOT SpamCop and send a report yourself.
Seems there are no websites running from that IP now?
https://www.lookip.net/ip/88.214.26.85

Failed Domain Lookup.
Hostname: hkdps.piarliye.com
Domain: piarliye.com
Querying root.rwhois.net:4321 for piarliye.com...
Can not resolve host 'root.rwhois.net'
Querying whois.crsnic.net for piarliye.com...
Domain Name: PIARLIYE.COM
Registry Domain ID: 2752432800_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2023-01-19T14:42:20Z
Creation Date: 2023-01-19T14:42:15Z
Registry Expiry Date: 2024-01-19T14:42:15Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: mailto:abuse[AT]namecheap[DOT]com

Hanco Posted January 30, 2023 (Author)

On 1/24/2023 at 4:20 PM, petzl said:
> My browser or ISP has the IP blocked?
> Failed Domain Lookup.
> Hostname: hkdps.piarliye.com
> Domain: piarliye.com
> Querying root.rwhois.net:4321 for piarliye.com...
> Can not resolve host 'root.rwhois.net'

Isn’t it strange? I go to that site and it’s live. It redirects to https://great-tipsline.com/us/owiy/acvluxe-onl?bhu=spkfLVx74Uxzr6Jje713xZGdBSdmqafrfZKtn5

What does SpamCop say?

SpamCop v 5.4.0 © 2023 Cisco Systems, Inc. All rights reserved.
Parsing input: 88.214.26.85
No recent reports, no history available
Routing details for 88.214.26.85
Report routing for 88.214.26.85: info@ip-interactive.de
info@ip-interactive.de redirects to support@ip-interactive.de
support@ip-interactive.de bounces (19201 sent : 9601 bounces)
Statistics:
88.214.26.85 not listed in bl.spamcop.net
More Information.
88.214.26.85 not listed in cbl.abuseat.org
88.214.26.85 not listed in dnsbl.sorbs.net
Reporting addresses: (NONE)

I found ip-interactive.de is now Layer7.net. I emailed Layer7 and they explained:

> 88.214.26.0/24 is hosted in a foreign ASN. We do not have any control there. To stop services we would have to pull back the whole /24 network. And we will not pull back the whole /24 because an anonymous 3rd party [me] will ask us to do so.

AND

> 88.214.26.0/22 belong to our allocations. So its correct that it returned us at some point. We are the responsible LIR ( RIPE member -- like ARIN but for Europe/Middle-east ) for this IPs.

So I looked in Domain Tools. 88.214.26.85 is the Layer7 customer, fivecloud.net, so I’ll go to those guys (based in the Seychelles) about this site.

CAN SPAMCOP UPDATE THEIR CONTACTS FOR THE IP? Looks like a range where they have ip-interactive.de that don’t respond as they are no longer the business.