
twomarktrk.com


claudeo


Been receiving a whole slew of spam from this domain today. They brazenly use an [at]twomarktrk.com return address because they know it won't go anywhere, and they go right through my spamcop email account filter.

They're flying under the radar. Whois queries on twomarktrk.com return nothing, but they managed to get DNS because forward.twomarktrk.com, which is the address they use for clicks in their messages, does resolve. A ping of that finds a server that responds.

For example, report ID 1917846671 (I don't know whether you can see that -- I forgot to copy the links after filing the report in the web interface). But here is what looks like a full link:

http://www.spamcop.net/sc?id=z1062820437z9...14bac4790525b6z


... They're flying under the radar. Whois queries on twomarktrk.com return nothing, but they managed to get DNS because forward.twomarktrk.com, which is the address they use for clicks in their messages, does resolve. A ping of that finds a server that responds.

For example, report ID 1917846671 (I don't know whether you can see that -- I forgot to copy the links after filing the report in the web interface). But here is what looks like a full link:

http://www.spamcop.net/sc?id=z1062820437z9...14bac4790525b6z

Hi claudeo - yes that link works. The parser results vary over time and that applies to your previous parses (the past "reports" are not static). I can't see the problem as it stands, we have resolution of the sender and the spamvertized links (the same provider, which spammers sometimes do to make them "agile"). I gather this was not happening before or do you disagree with the parser results as shown? - with
Cached whois for 64.1.215.4 : abuse[at]xo.com

Using best contacts abuse[at]algx.net

**********************************

Tracking link: <http://forward.twomarktrk.com/clients/pass.aspx?ident=osypwf9atvuufhlxufxexv1smcr2dqicvflfuftduzt7da0aw11u>

[report history]

Resolves to 64.1.215.4

Routing details for 64.1.215.4

[refresh/show] Cached whois for 64.1.215.4 : abuse[at]xo.com

Using best contacts abuse[at]algx.net

If that outfit continues to spam at the rate it is, it is certainly making the SCBL (and maybe others) as it goes. http://www.senderbase.org/?searchBy=ipaddr...ng=64.1.215.4 currently gives
Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day       0.0         -100%
Last 30 days   1.3         236%
Average        0.8

which seems to show the run on that IP is over. The same outfit appears to be using IP 64.1.215.191 which is listed already. They have a heap of them (SenderBase shows 230), others of which may be already listed (you can feed them one at a time into the SenderBase lookup - or at least those with relatively big differences between the daily and monthly averages - as another way to see if they're blocked, and not just by SC). They probably rotate these things to keep the flow going (the agility thing). No wonder you have the impression you're getting nowhere. Keep at it is all I could advise (others will be reporting them too).

Ok yeah - that return email address is "responsive" http://www.dnsstuff.com/tools/mail.ch?doma...0twomarktrk.com which is not to say it exists, just that it is possible (it reaches a mail exchange server).


... The same outfit appears to be using IP 64.1.215.191 which is listed already. They have a heap of them (SenderBase shows 230), others of which may be already listed (you can feed them one at a time into the SenderBase lookup - or at least those with relatively big differences between the daily and monthly averages - as another way to see if they're blocked, and not just by SC). ...
It would be remiss of me not to point out that the quick way is to look up that IP in the SCBL - http://www.spamcop.net/w3m?action=checkblo...ip=64.1.215.191 then just scroll down to "Other hosts in this "neighborhood" with spam reports" and see some 190 of the 230 listed there - reinforcing the rotation of IPs scenario. This outfit is a menace all right - but easily filtered as things stand. Their domain total - http://www.senderbase.org/search?searchBy=...ing=lso-snd.com shows
Volume Statistics for this Domain

               Magnitude   Vol Change vs. 30 Day
Last day       5.8         97%
Last 30 days   5.5

- say 1 million messages per day -

lonestaroffers.com

13423 Blanco Road

San Antonio

US

+1 210 635 9116

abuse[at]lonestaroffers.com

FWIW (very little, I suspect).

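The blocklist check discussed in the posts above, as an added example that is not part of the thread or any poster's code: it builds DNSBL query names for the SCBL zone (bl.spamcop.net) and groups the addresses named in the thread by /24 to show rotation inside one neighbourhood. The function names are hypothetical, and `fake_resolve` is a constructed stand-in for DNS so the example runs offline.

```python
import ipaddress
import socket
from collections import defaultdict

SCBL_ZONE = "bl.spamcop.net"  # SpamCop's public DNSBL zone
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, zone=SCBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zone=SCBL_ZONE):
    """True if the zone answers with a 127.0.0.0/8 address."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        # NXDOMAIN means "not listed"; a resolver outage looks the same here,
        # so treat False as "no listing seen", not as proof of a clean IP.
        return False
    return ipaddress.IPv4Address(answer) in LOOPBACK


def neighbourhood_report(ips, resolve=socket.gethostbyname):
    """Group IPs by /24 and split each block into listed and unlisted."""
    blocks = defaultdict(lambda: {"listed": [], "unlisted": []})
    for ip in sorted(set(ips), key=ipaddress.IPv4Address):
        net = str(ipaddress.ip_network(ip + "/24", strict=False))
        key = "listed" if is_listed(ip, resolve) else "unlisted"
        blocks[net][key].append(ip)
    return dict(blocks)


# Constructed DNS answers: only the address the thread describes as already
# listed gets a positive reply. Real listing status changes over time.
_FAKE_LISTED = {"191.215.1.64.bl.spamcop.net"}


def fake_resolve(name):
    if name in _FAKE_LISTED:
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    seen = ["64.1.215.4", "64.1.215.191", "64.1.215.205"]  # IPs named in the thread
    for net, result in neighbourhood_report(seen, fake_resolve).items():
        print(net, "listed:", result["listed"], "unlisted:", result["unlisted"])
```

Calling `neighbourhood_report(ips)` without the second argument uses the system resolver and performs live lookups.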

Been receiving a whole slew of spam from this domain today. They brazenly use an [at]twomarktrk.com return address because they know it won't go anywhere, and they go right through my spamcop email account filter.

Reports regarding this spam have already been sent:

Re: 64.1.215.205 (Silent report about source of mail)

Reportid: 1917890340 To: mole[at]devnull.spamcop.net

Re: http://forward.twomarktrk.com/clients/clea...ftduzt7da0aw11u (Silent report about spamvertisement)

Reportid: 1917890344 To: mole[at]devnull.spamcop.net

Re: http://forward.twomarktrk.com/clients/pass...ftduzt7da0aw11u (Silent report about spamvertisement)

Reportid: 1917890346 To: mole[at]devnull.spamcop.net

Please be aware that as of the last public information, mole reporting has no value in getting IP addresses listed (and therefore blocked by the SCBL). Please look up the current definition in the FAQ here.


Archived

This topic is now archived and is closed to further replies.
