pariont.com & moles or affiliate?


uwecboi21

I've been reporting some of the pharmacy emails that come in with links to the domain in the title. Each link is followed by a long query string.

First, I'm surprised this domain doesn't show up more often here. In fact, I can not find a reference to this domain anywhere on the internet. It looks to be a gateway of some kind but I don't have the experience or expertise to know for sure.

The question is, does the query string identify the email of the recipient for the spammer? Is it possible that the long query string is for the spammer's benefit to clean his list?

That would explain why this spammer does not seem to be widely reported if he removes all people who report after the first time.

I own a domain and my catch-all receives literally hundreds of these spams a day. Apparently someone decided they could 'make up' a list of emails on a domain with a catch-all and sell it to spammers like this.

I'm concerned that I am helping this spammer clean their list by reporting. Since the query string is very, very long and appears to be unique in each email (though I have not verified that as it is a very, very long sequence), I wondered if maybe this spammer found a way to cull out reporters without actually receiving their email addresses.

After all, no query string is needed at all to be redirected from pariont.com to the spam site.

Any thoughts?

It is also possible that these query strings direct the recipient to a different mirror - or both. When I report, spamcop follows these links to a variety of different servers.

That's also why I think this may be some kind of gateway to a variety of mirror sites.

pariont.com is appearing in the stats page Spamvertised Web Sites at the moment (11/101 listings). I think either or both of your conjectures might be correct. Trying to second guess the mind of a spammer is not something I'm particularly good at but listwashing and affiliate credit would both seem to make sense. Just uncheck the reports to spamvertized site admins if you are concerned. Or quick report (spamvertizing is ignored in QR).

> First, I'm surprised this domain doesn't show up more often here. In fact, I can not find a reference to this domain anywhere on the internet. It looks to be a gateway of some kind but I don't have the experience or expertise to know for sure.

pariont.com seems to be a very new domain (created last Thursday the 3rd at Joker, if Whois is accurate). That would explain why it does not show up on the internet or on this board.

Right now from where I sit, pariont.com seems to be hosted on a botnet. That means that a DNS lookup for pariont.com will return four or five (or more) different IP addresses in widely separated blocks, usually addresses belonging to retail internet providers and assigned to home users with virus-infected machines. The addresses will change every half-hour or so (if the TTLs returned by the dig command are to be believed). The site pariont.com appears to redirect to a Yambo spam site at iisko.hk, hosted for the moment at sancharnet.in.

> The question is, does the query string identify the email of the recipient for the spammer? Is it possible that the long query string is for the spammer's benefit to clean his list?

Could be. I don't have any proof one way or the other.

> That would explain why this spammer does not seem to be widely reported if he removes all people who report after the first time.

I'd tend to think the opposite, that spammy would send MORE spam to the addresses that he detects are alive. Anyway, just because this domain is new does not mean that the spammer is new; your report has all the earmarks of the depressingly-prolific Yambo drug spam outfit.

> I own a domain and my catch-all receives literally hundreds of these spams a day. Apparently someone decided they could 'make up' a list of emails on a domain with a catch-all and sell it to spammers like this.

That is exactly what they do. They make up lists of addresses and pelt mail hosts with them, seeing which ones work. If they should strike pay dirt and find a domain covered by a catch-all address, then they will certainly take full advantage. If I were you, I would turn off the catchall unless you have a very specific business reason for retaining it. This will save you not only a lot of incoming spam, but will reduce the exposure of your domain to being forged into the from-addresses of future spam.

> I'm concerned that I am helping this spammer clean their list by reporting. Since the query string is very, very long and appears to be unique in each email (though I have not verified that as it is a very, very long sequence), I wondered if maybe this spammer found a way to cull out reporters without actually receiving their email addresses.

As said, I don't really know what the numbers mean. They could be "pointers" into a database of e-mail addresses, so that the appearance of one of these numbers in an HTTPD log (or a spam complaint) can be checked against the list of addresses. Conceivably, the database could be renewed for each spam run (so that you get a different "serial number" in every spam). This number could even be some sort of randomly-assigned "session ID" (e.g., for making elements of the session persistent). It is probably a prudent precaution not to allow SpamCop to report these links.

-- rick
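The botnet-hosting pattern Rick describes (several A records in unrelated address blocks, short TTLs, the set changing between lookups) can be scored from ordinary resolver output. This is an added example, not code from the thread or from SpamCop; the two lookup snapshots are constructed, and the thresholds (/16 blocks, 3600-second TTL, three blocks) are my assumptions, not values the post gives.

```python
"""Heuristic fast-flux indicators from DNS A-record answers."""
import ipaddress

# Constructed sample lookups: (address, ttl_seconds) pairs as a resolver
# would hand back. Documentation/test ranges only; not real hosts.
SNAPSHOT_1 = [
    ("198.51.100.23", 1800), ("203.0.113.77", 1800), ("192.0.2.140", 1800),
    ("198.18.45.9", 1800), ("100.64.12.200", 1800),
]
# Same name queried a while later: some addresses replaced (constructed).
SNAPSHOT_2 = [
    ("198.51.100.23", 1800), ("203.0.113.9", 1800), ("192.0.2.140", 1800),
    ("172.16.8.31", 1800), ("10.77.3.5", 1800),
]
# Conventionally hosted name for comparison (constructed).
STABLE = [("192.0.2.10", 86400), ("192.0.2.11", 86400)]


def flux_indicators(answers, max_ttl=3600, min_blocks=3):
    """Summarise one lookup: how many distinct /16 blocks the addresses
    fall in and whether TTLs are short enough for frequent rotation.
    Thresholds are assumptions chosen for this example."""
    blocks = {ipaddress.ip_network(f"{addr}/16", strict=False)
              for addr, _ in answers}
    max_ttl_seen = max((ttl for _, ttl in answers), default=None)
    short_ttl = max_ttl_seen is not None and max_ttl_seen <= max_ttl
    return {
        "addresses": len({addr for addr, _ in answers}),
        "distinct_16_blocks": len(blocks),
        "max_ttl": max_ttl_seen,
        "looks_fast_flux": len(blocks) >= min_blocks and short_ttl,
    }


def churn(previous, current):
    """Fraction of addresses in the later lookup absent from the earlier
    one: high churn between lookups minutes apart points at rotation."""
    old = {addr for addr, _ in previous}
    new = {addr for addr, _ in current}
    return len(new - old) / len(new) if new else 0.0


if __name__ == "__main__":
    print(flux_indicators(SNAPSHOT_1))
    print(flux_indicators(STABLE))
    print("churn between snapshots:", churn(SNAPSHOT_1, SNAPSHOT_2))
```

Feed it the A records and TTLs from two `dig` runs of the same name to reproduce the check on a live domain.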

> I would hazard to guess those are all mine. I've reported nearly 200 since this 9 AM.
Very likely - not sure if that would register with the SURBL then - see FAQ Entry: How does SpamCop interface with SURBL? (being a "single source" and all). Anyway, the SURBL is another factor to take into account in thinking about whether you want to report that site or not - contributing to that block list does some good for the wider community. Put it another way, if they were listwashing you they're evidently not doing a very good job. If it's an affiliate thing then reporting does no harm because they don't pick up clicks from being reported. If its a botnet hosting thing reporting won't do a whole lot in terms of shutting it down but users of the SURBL may get some protection. Just some thoughts.

[Posted without seeing Rick's post]

> That is exactly what they do. They make up lists of addresses and pelt mail hosts with them, seeing which ones work. If they should strike pay dirt and find a domain covered by a catch-all address, then they will certainly take full advantage. If I were you, I would turn off the catchall unless you have a very specific business reason for retaining it. This will save you not only a lot of incoming spam, but will reduce the exposure of your domain to being forged into the from-addresses of future spam.

First, thanks for the very complete analysis.

In fact, that is what they had been doing to my domain for some time. I've owned this domain since 1997 but turned off the catch-all several years back. It is only recently that I turned the catch-all back on and, to my surprise, it is choked with spam and bounces every single day (1000+). I have not had a catch-all since 2001/2002 sometime but the problem seems to have gotten bigger, not smaller, in the interim.

I've even tried setting up this domain with an SPF/DKIM authentication thinking that that would eliminate many people from ever receiving this spam. Since most systems drop mail they can't authenticate, it appears there are many that still do not look for these records.

Also, I've forwarded complaints to the FTC and made use of spam[at]uce.gov.

Finally, I am reporting what I do get diligently (and prolifically) to retard the spammer's effectiveness.

I feel like the email for my domain has been hijacked. The fact that it is used by spammers disturbs me and makes it difficult for me to use the domain effectively (just one example - I would not want to assign a username for the domain that a spammer is already forging).

I am curious, though. Has no one thought of using the information available to forged sender domains to combat spam? One domain like that used by a spammer receives literally thousands of spams and bounces (with attached headers and spam) all in one place.

If I had the ability, I'd find a way for people with domains like mine that are used to forge email addresses to gather that information up and use it to combat their spam.

It is like a honeypot that the spammers themselves create, making it easy to track their relays, spamvertized web sites and patterns.

> pariont.com is appearing in the stats page Spamvertised Web Sites at the moment (11/101 listings). I think either or both of your conjectures might be correct. Trying to second guess the mind of a spammer is not something I'm particularly good at but listwashing and affiliate credit would both seem to make sense. Just uncheck the reports to spamvertized site admins if you are concerned. Or quick report (spamvertizing is ignored in QR).

You know, maybe we're overthinking this. Perhaps the only goal of the query string is to evade spam scanners by making each message 'appear' to have a different link? I mean, several thousand messages that are identical (or with identical links) would be detected easily. And misspelling words turns off potential customers.

Of course, it could be all three...like you say, it's all conjecture.

I don't suppose one of the spammers who, I am certain, read this forum would volunteer to explain the meaning? lol

> You know, maybe we're overthinking this. Perhaps the only goal of the query string is to evade spam scanners by making each message 'appear' to have a different link? I mean, several thousand messages that are identical (or with identical links) would be detected easily. And misspelling words turns off potential customers.

I wonder also about these strings and what they represent.

What you are describing in the quote is what used to be known as a "hashbuster;" spammers would drop weird strings into the subject lines or bodies of their messages, and then permute these every so often so that each batch would look different to an outgoing mail host that did a simple hash (message digest) computation on the messages to detect bulk mail. Nowadays, very few spammers (that I see) use open relays or conventional MTAs anymore, finding it easier instead to transmit via botnets of infected home computers where hashing isn't an issue. So, the original purpose of the hashbuster has been obsolesced.

I'm not sure that a "hashbusting" URL would help the spammers get past web-link-based block lists like SURBL, since I think these work only on the host or domain portion of the URL and not "query data" attached to the end.

Nevertheless, it is certainly possible that randomizing URLs could provide some benefit (unknown to me) to the spammer.

-- rick
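Rick's point that a host/domain-based block list such as SURBL keys on the host portion and ignores the query data, and uwecboi21's earlier question of whether every query string is unique, can both be checked on a batch of reported links. Added example, not code from the thread or from SpamCop/SURBL; the links below are constructed (`.test` names), and the grouping is by full hostname rather than a public-suffix-aware registrable domain.

```python
"""Group spamvertised links by host and test whether only the query varies."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample links mimicking the "same host, long unique query
# string" pattern discussed in the thread. Not taken from real spam.
SAMPLE_LINKS = [
    "http://spamvertised-example.test/?id=7d3a9f0b2c4e6a8d1f5b3c7e9a0d2f4b6c8e",
    "http://spamvertised-example.test/?id=b81e4c2a9f7d3e5b0c6a8d1f2e4b7c9a3d5f",
    "http://SPAMVERTISED-EXAMPLE.test/?id=0c4e2a6d8f1b3c5e7a9d0b2f4c6e8a1d3f5b",
    "http://spamvertised-example.test/go?id=6a1c3e5b7d9f0a2c4e6b8d1f3a5c7e9b0d2f",
    "http://mirror-two-example.test/?id=e9b7d5f3a1c0e2b4d6f8a0c2e4b6d8f0a2c4",
]


def host_key(url):
    """Host portion only, lower-cased, port and trailing dot stripped:
    the part a host/domain-based URI block list compares against."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def query_of(url):
    """The query data after '?', which such a lookup never sees."""
    return urlsplit(url).query


def summarise(links):
    """Collapse links to hosts and report whether the query strings are
    what varies between them (a 'hashbusted' URL still maps to one host)."""
    hosts = Counter(host_key(u) for u in links)
    queries = [query_of(u) for u in links]
    return {
        "links": len(links),
        "unique_queries": len(set(queries)),
        "all_queries_unique": len(set(queries)) == len(queries),
        "hosts": dict(hosts),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LINKS))
```

Run it over the links extracted from a day's reports: a host count far below the link count with every query unique is the hashbuster pattern, and the host list is what a block list contribution would actually carry.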
