Interesting spammer technique.. One of our researcher's tools tends to
find this guy every time he fires up.. In general, this guy comes and
goes in spurts..
(ask off list for sample domains, or more details than provided)
Generally, all his domains are registered about 15-20 days before his
spam run using NAMECHEAP, and he likes using various hosting companies,
known for more liberal policies.
He/They start off with a simple spam run, that looks like an affiliate
spammer, e.g. (paraphrase) you win something from a big brand retailer,
which sends the lure link.. That lure link uses a 'dynserv.org' URL,
which translates to a GoDaddy registered domain..
That gets translated to a domain that points to an OVH customer (one
which has a known history of spamming, share offlist), and the file that
is retrieved is a simple JS file link..
That link is hosted on a GoDaddy server..
host 68.178.244.182
182.244.178.68.in-addr.arpa domain name pointer ip-68-178-244-182.ip.secureserver.net
Interesting, they use blank.com for this.. hits a 301, assume it
redirects based on the GEO of the victim, or other metric, to finally
load a page, which is simply a MAILCHIMP sign-up form..
Interesting way to gather 'opt-in' email addresses ;)
<!-- Begin Mailchimp Signup Form -->
<form action="https://blankventures.us14.list-manage.com/subscribe/... 
I leave it to the reader to judge what is going on here..
Of course, without access to the actual servers involved, a little hard
to DOX the operator of this, or whether the 'blankventures' is really
involved, or simply a victim of a 'we get you subscribers' service, or
whether the redirect sends them over here just to hide their real
intentions if you were their target..
But of course, he burns IP space reputation really quickly.. note, the
hosting companies SHOULD be able to see this type of customer for what
they are, if they cared.. but giving them /29's all the time, doesn't
take long before all your IPs are dirty..
Hope you enjoyed the read..
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
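Added example (not part of the post above, and not LinuxMagic's tooling): a small chain walker for analysing a lure link of the kind described, recording each hop's host and status and pulling the sign-up form's action out of the final page without executing any JavaScript. All hostnames and the web responses are constructed stand-ins, and the JS redirect detection is a plain regex for a location assignment, a deliberate simplification.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the hop sequence in the post: lure link -> second
# domain -> JS file -> 301 -> page carrying a Mailchimp form. Placeholder hosts.
FAKE_WEB = {
    "http://lure.dynserv.example/win": (302, "http://step1.example.net/go", ""),
    "http://step1.example.net/go": (302, "http://step2.example.org/l.js", ""),
    "http://step2.example.org/l.js": (200, None, "location.href='http://blank.example.com/';"),
    "http://blank.example.com/": (301, "http://signup.example.com/form", ""),
    "http://signup.example.com/form": (200, None,
        '<!-- Begin Mailchimp Signup Form -->\n'
        '<form action="https://list.example.com/subscribe/post?u=abc" method="post">'),
}

def fake_fetch(url):
    """Stand-in fetcher: returns (status, Location header or None, body)."""
    return FAKE_WEB[url]

# Simplification: spot a JS redirect by looking for a location assignment
# rather than running the script (never execute attacker JS in an analyser).
JS_REDIRECT = re.compile(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
FORM_ACTION = re.compile(r"""<form[^>]*\baction=["']([^"']+)["']""", re.I)

def walk_chain(url, fetch, max_hops=10):
    """Follow HTTP and (regex-detected) JS redirects from a lure URL.

    Returns ([(host, status), ...], form_action_or_None). Stops at the first
    page that neither redirects nor points elsewhere via JS, or at max_hops.
    """
    hops, form_action = [], None
    for _ in range(max_hops):
        status, location, body = fetch(url)
        hops.append((urlsplit(url).hostname, status))
        if location:                      # HTTP redirect (301/302/...)
            url = location
            continue
        m = JS_REDIRECT.search(body)
        if m:                             # JS file that only bounces onward
            url = m.group(1)
            continue
        m = FORM_ACTION.search(body)      # final page: where does the form post?
        if m:
            form_action = m.group(1)
        break
    return hops, form_action

def distinct_hosts(hops):
    """Hosts touched on the way, in order; many hops across many networks is
    the reputation-burning pattern the post describes."""
    return list(dict.fromkeys(h for h, _ in hops))
```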