Hi Michael,
We're taking a look at this regarding the signup form. I've found a couple
accounts related to that "blankventures" subdomain which we'll investigate, but
if you could share the full form URL with me off-list that would help our
investigation efforts.
Thanks,
Matt Gilbert
Deliverability Engineer
matthew.gilb...@mailchimp.com
> On Jul 26, 2022, at 5:21 PM, Michael Peddemors via mailop
> wrote:
>
> Interesting spammer technique.. One of our researcher's tools tends to find
> this guy every time he fires up.. In general, this guy comes and goes in
> spurts..
>
> (ask off list for sample domains, or more details than provided)
>
> Generally, all his domains are registered about 15-20 days before his spam
> run using NAMECHEAP, and he likes using various hosting companies, known for
> more liberal policies.
>
> He/They start off with a simple spam run that looks like an affiliate
> spammer, e.g. (paraphrase) you win something from a big brand retailer, which
> sends the lure link.. That lure link uses a 'dynserv.org' URL, which
> translates to a GoDaddy registered domain..
>
> That gets translated to a domain that points to an OVH customer (one which has
> a known history of spamming, share offlist), and the file that is retrieved
> is a simple JS file link..
>
> That link is hosted on a GoDaddy server..
>
> host 68.178.244.182
> 182.244.178.68.in-addr.arpa domain name pointer
> ip-68-178-244-182.ip.secureserver.net
>
> Interesting, they use blank.com for this.. hits a 301, assume it redirects
> based on the GEO of the victim, or other metric, to finally load a page,
> which is simply a MAILCHIMP sign-up form..
>
> Interesting way to gather 'opt-in' email addresses ;)
>
> action="https://blankventures.us14.list-manage.com/subscribe/...
>
>
> I leave it to the reader to judge what is going on here..
>
> Of course, without access to the actual servers involved, a little hard to
> DOX the operator of this, or whether the 'blankventures' is really involved,
> or simply a victim of a 'we get you subscribers' service, or whether the
> redirect sends them over here just to hide their real intentions if you were
> their target..
>
> But of course, he burns IP space reputation really quickly.. note, the
> hosting companies SHOULD be able to see this type of customer for what they
> are, if they cared.. but giving them /29s all the time, it doesn't take long
> before all your IPs are dirty..
>
> Hope you enjoyed the read..
>
> --
> "Catch the Magic of Linux..."
>
> Michael Peddemors, President/CEO LinuxMagic Inc.
> Visit us at http://www.linuxmagic.com @linuxmagic
> A Wizard IT Company - For More Info http://www.wizard.ca
> "LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
>
> 604-682-0300 Beautiful British Columbia, Canada
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop