[Resolved] Do you know these ads^H^H^Hspams ?


fritz2cat

Hello,

I have several hosts that connect several times a day, all targeting one single user hosted in my server.

They have in common:

- they are using dedicated hosts

- they set up their host name and reverse, their MX and even their SPF correctly

- their hostname is named ssl.*

- they send from an address within their domain. Didn't check whether the user part in the address is valid.

- they send through real MTAs that defeat greylisting

- the message itself is either in plaintext, html, or both (multipart/alternative)

- all the links contain tracking data

- usually, they have an unsubscribe link which is highly suspect.

Here is the list of hosts seen in the last 7 days:

Some have been operating for months. 67.205.64.0/18 (hosted by iWeb) has been blocked here for 4 months...

Here are the e-mail addresses they have used (in the RFC_2821 envelope), also during the last 7 days:

Most of these messages bear a postal address, e.g.

Entertainment Publications, Inc.,

1414 East Maple Road,

Troy, MI 48083

1-866-826-1619

Pedi Paws is located at P.O Box 600991 San Diego, CA 92160

6965 El Camino Real

Suite 105 - 698

La Costa, CA 92009

Consumer Service 9-334 Queen Street South, Suite 200, Bolton, Ontario, Canada L7E-2N9

Technical Support

30 East 23 rd. St. New York, NY 10010

Pure Play, 660 4TH Street, Ste 294, San Francisco, CA 94107

Sorry for this long post. But I would be glad to have your advice.

Frédéric
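
The pattern described in this post (many sender domains whose hosts are all named ssl.<domain> and sit in the same few address ranges) can be surfaced from MTA connection logs by grouping hosts per network. This Python code is an added example, not part of the original post; the sample hosts, the `cluster_ssl_hosts` helper and its thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of "hostname [ip]" pairs as an MTA log would show them.
# Addresses come from the RFC 5737 documentation ranges; names are made up.
SAMPLE_CONNECTIONS = """\
ssl.example-offers.test [198.51.100.83]
ssl.example-deals.test [198.51.100.85]
ssl.example-trades.test [198.51.100.87]
ssl.example-offers.test [198.51.100.83]
mail.partner.example [203.0.113.10]
ssl.lonely-shop.test [203.0.113.77]
mx1.university.example [192.0.2.25]
"""

LINE_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)\s+\[(?P<ip>[0-9.]+)\]$")


def cluster_ssl_hosts(text, prefix_len=24, min_domains=3):
    """Group hosts named ssl.<domain> by enclosing network.

    Returns {network: sorted list of distinct domains} for every network
    that carries at least min_domains different ssl.* sender domains.
    """
    by_net = defaultdict(set)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a "host [ip]" line
        host = m.group("host").lower()
        if not host.startswith("ssl."):
            continue  # only the naming pattern described in the post
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address in the log
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        by_net[str(net)].add(host[len("ssl."):])
    return {n: sorted(d) for n, d in by_net.items() if len(d) >= min_domains}


if __name__ == "__main__":
    for net, domains in cluster_ssl_hosts(SAMPLE_CONNECTIONS).items():
        print(f"{net}: {len(domains)} distinct ssl.* domains: {', '.join(domains)}")
```

A network that shows several unrelated domains under the same host-naming scheme is a candidate for a range block or a report to the hosting provider, since valid SPF, reverse DNS and greylisting retries alone do not separate these senders from legitimate ones.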

I have several hosts that connect several times a day, all targeting one single user hosted in my server.

Taking a stab at providing something ...???? If it was me, I'd suspect the user of doing something a bit silly. However, that statement made on very little actual/specific data.

...

I have several hosts that connect several times a day, all targeting one single user hosted in my server.

They have in common:

- they are using dedicated hosts

- they set up their host name and reverse, their MX and even their SPF correctly

- their hostname is named ssl.*

- they send from an address within their domain. Didn't check whether the user part in the address is valid.

- they send through real MTAs that defeat greylisting

- the message itself is either in plaintext, html, or both (multipart/alternative)

- all the links contain tracking data

- usually, they have an unsubscribe link which is highly suspect.

Here is the list of hosts seen in the last 7 days:

...

Hi Frédéric - another point of similarity seems to be that the registrants of the above domains are using Protected Domain Services (protecteddomainservices.com) for anonymity (not that I checked them all). They don't look very promising:

Protected Domain Services

125 Rampart Way

Suite 300

Denver

CO

80230

US

(... which is the same address as *their* registrar domainsite.com/Spot Domain LLC). Sometimes complaints work - see http://forum.spamcop.net/forums/index.php?showtopic=9613 and I suppose it wouldn't hurt to try with domainsite.com. But the website for protecteddomainservices.com seems to have gone into hibernation (who knows what AUP/TOS/CRA provisions there might be) and I see no specific grounds for service termination for spamming in www.domainsite.com/registration_agreement.php.

It is fair to say you seem to have tagged a substantial spam group - that is the sort of stuff that might be a better fit for CastleCops and/or Spamhaus than it is for SpamCop. But it is of more than passing interest 'here' if they routinely evade the SCbl.

And on the 'unsubscribe link which is highly suspect' - yes they (almost) always are but unfortunately 'the law' will always assume otherwise unless it is actually proven to be unproductive or exploitative and the 'why unsubscribe to something I didn't subscribe to?' common sense is *too* common sense to have legal weight. Just anticipating the usual 'but we're CAN-SPAM compliant' justification when complaints are made.

Taking a stab at providing something ...???? If it was me, I'd suspect the user of doing something a bit silly. However, that statement made on very little actual/specific data.

Hello Wazoo,

No, this person does as much as possible for keeping this address clean, he always uses other throw-away addresses when possible. I can trust him. But, as Farelf suggests, we may be in the presence of a spam gang operating in the "grey zone", barely legal...

...Did I miss your question? I did not see one.

Dear turetzsr, the question was more in the subject of the thread: Do you know these ads^H^H^Hspams ?

Have a nice week-end !

Frédéric

  • 4 weeks later...

:) Problem solved.

I sent a couple of mails to their colo hosting services. I warned these people that I would start reporting all offending items to Spamcop the next day. So I did, messages processed in realtime.

Those reported messages contained plenty of tracking data, so they obviously knew who was complaining.

Two days later, all these hosts were then quiet. [but the reporting filter is still monitoring, and ready to shoot an extra ball]

Frédéric
