Shortest spam run ever – domaincop.org Domain Abuse Notice Spam

Woke up this morning and found two emails from domaincop.org in my Inbox stating that my domains had recently been used for spamming and spreading malware. The subject line contained “Domain Abuse Notice”, which looked serious.

I mean WOHA! I do write about ‘stuff’, but that doesn’t mean I send out emails to anyone. I don’t even respond to my emails half the time, because I don’t really need another SEO expert, another advertiser, another promoter or a globally acclaimed graphics designer to design ‘tings’!

But then again, you read all these reports that explain how malware and viruses are served via advertisements and the like. So I decided to carefully examine the email and its contents in an attempt to find out more. Before I even opened the actual email, I checked its headers and the sender domain’s Whois record. I always do this, especially the Whois check, because you are unlikely to receive an abuse notice from a domain that was registered a few weeks ago. Most abuse notices are sent by large organizations from domains that have been around for years and have built enough reputation for everyone to take them seriously.

Whois information

I checked their whois from https://who.is/whois/domaincop.org

[Screenshot: Whois record for domaincop.org]

Nice: Registered On 2016-11-22, Updated On 2016-11-22, and today is 2016-11-23. I mean, duh, it’s still the 22nd of November in some parts of the world. They also have PrivacyGuard enabled, which means you cannot see the real owner’s name or details, just like the darodar.com referrer spam.

Inspect the URL and its content

The next obvious thing was to check the URL I was sent, which supposedly showed the abuse my domains had inflicted. Erm, do I open it in a browser? Perhaps not. I decided to use cURL instead.

[Screenshot: cURL request to the abuse report URL]

root@kali:~# curl -kv http://www.domaincop.org/<removed>
* Could not resolve host: www.domaincop.org
* Closing connection 0
curl: (6) Could not resolve host: www.domaincop.org

Hang on, the domain seems to have no DNS response. Let’s double-check that with the dig command:

root@kali:~# dig www.domaincop.org

; <<>> DiG 9.10.3-P4-Debian <<>> www.domaincop.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64018
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.domaincop.org.        IN    A

;; AUTHORITY SECTION:
org.            704    IN    SOA    a0.org.afilias-nst.info. noc.afilias-nst.info. 2012251969 1800 900 604800 86400

;; Query time: 1 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Wed Nov 23 10:42:53 AEDT 2016
;; MSG SIZE  rcvd: 109

dig returned an NXDOMAIN response, which means the domain doesn’t exist. It seems either they’ve disabled their domain and/or Cloudflare banned/removed them. In any case, there is no way for me to inspect that URL now. ‘sad panda’

Sample email

Here’s one of the emails I received, from “Imogen Murray” <imogen_murray@domaincop.org> (the other was from “Isaac Wright” <isaac-wright@domaincop.org>), both with exactly the same content:

Dear Domain Owner,

Our system has detected that your domain:<removed>.com is being used for spamming and spreading malware recently.

You can download the detailed abuse report of your domain along with date/time of incidents.
Click Here<link-removed>

We have also provided detailed instruction on how to delist your domain from our blacklisting.

Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.

There is also possibility of legal action depend on severity and persistence of your abuse case.

Three Simple Steps:

1. Download your abuse report.

2. Check your domain abuse incidents along with date and time.

3. Take few simple steps for prevention and to avoid domain suspension.

Click Here to Download your Report<link-removed>

Please look into it and contact us.

Best Regards,

Domain Abuse Admin

DomainCop Inc.

Tel.: (139) 722-66-56

Conclusion

Not sure what this email was really about, but in case you ever get this type of email, here’s what you should always do:

  1. Check Domain Whois
  2. Check the URL without actually going into it (cURL it)
  3. Use online scanners to check the links
  4. Check dig/nslookup info
  5. Search in Google
  6. If you must visit the URL, do it from a command line tool or from a VM.
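The checks above, applied offline to a single message, as an added example (not code from the original post): it reads the From and Return-Path domains, the sender domain’s Whois creation date, whether each linked host belongs to the sender and resolves, and the pressure wording. Whois and DNS answers are passed in as dicts (stand-ins for the whois/dig lookups), and the sample message, dates and hostnames are constructed from the post and its comments.

```python
# Added example (not from the original post): offline triage of a "Domain Abuse
# Notice" email using the post's checks: sender domain age (whois), links vs the
# sender's domain and whether they resolve, Return-Path vs From, pressure wording.
from datetime import date
from email import message_from_string
from email.utils import parseaddr
import re

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
PRESSURE = ("within 24 hours", "suspended permanently", "legal action")

def domain_of(addr):
    # "Name" <user@host> -> host; also handles a bare Return-Path <user@host>
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def triage(raw, whois_created, resolves, today, max_age_days=30):
    """Red flags for RFC 822 text `raw`; whois/DNS answers are supplied as dicts."""
    msg = message_from_string(raw)
    flags = []
    sender = domain_of(msg["From"])
    ret = domain_of(msg.get("Return-Path", msg["From"]))
    if ret != sender:
        flags.append(f"Return-Path domain {ret} != From domain {sender}")
    created = whois_created.get(sender)          # {domain: creation date}
    if created is None:
        flags.append(f"no whois creation date for {sender}")
    elif (today - created).days <= max_age_days:
        flags.append(f"{sender} registered {(today - created).days} day(s) ago")
    body = msg.get_payload()
    for host in sorted(set(URL_RE.findall(body))):
        if host != sender and not host.endswith("." + sender):
            flags.append(f"link host {host} is not the sender's domain")
        if not resolves.get(host, False):          # {hostname: bool}
            flags.append(f"link host {host} does not resolve (NXDOMAIN)")
    hits = [p for p in PRESSURE if p in body.lower()]
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    return flags

# Constructed sample modelled on the post and its comments (not a real capture).
SAMPLE = """\
Return-Path: <samuel-cooper-admin=mysite.com@domaincop247.com>
From: "Imogen Murray" <imogen_murray@domaincop.org>

Download your report: http://www.domaincop.org/report/REDACTED
Take action within 24 hours otherwise your domain will be suspended permanently.
"""

def triage_sample():
    return triage(SAMPLE, {"domaincop.org": date(2016, 11, 22)}, {}, date(2016, 11, 23))
```

In real use the two dicts would be filled from a whois lookup and a DNS query of the hosts, and a message with no flags still deserves the Google search and online scanner checks listed above.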

In short, you are unlikely to get such emails from multiple senders at a domain that was set up yesterday, got banned today, and has people around the world talking about it being a scam. Another way to check spammy links is to use the online site review tools of reputable providers. Here’s a list of them:

Real Time Scanners:

  1. Comodo Web Inspector: Examines the URL in real-time
  2. Joe Sandbox URL Analyzer: Examines the URL in real time
  3. Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists
  4. IsItPhishing: Assesses the specified URL in real-time
  5. Sucuri SiteCheck: Scans the URL for malware in real time and looks it up in several blacklists
  6. Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques

Historical Reputation data:

  1. AVG Website Safety Reports: Provides historical reputation data about the site
  2. Blue Coat WebPulse Site Review: Looks up the website in BlueCoat’s database
  3. BrightCloud URL/IP Lookup: Presents historical reputation data about the website
  4. Cisco SenderBase: Presents historical reputation data about the website
  5. Cymon: Presents data from various threat intel feeds
  6. Deepviz: Offers historical threat intel data about IPs, domains, etc.
  7. FortiGuard lookup: Displays the URL’s history and category
  8. IBM X-Force Exchange: Provides historical data about IPs, URLs, etc.
  9. Intel/McAfee: Presents historical reputation data about the website
  10. KnownSec: Presents historical reputation data about the website; Chinese language only
  11. PhishTank: Looks up the URL in its database of known phishing websites
  12. Malware Domain List: Looks up recently-reported malicious websites
  13. MalwareURL: Looks up the URL in its historical list of malicious websites
  14. McAfee Site Advisor: Presents historical reputation data about the website
  15. MxToolbox: Queries multiple reputational sources for information about the IP or domain
  16. Norton Safe Web: Presents historical reputation data about the website
  17. Open Threat Exchange: Presents diverse threat intelligence data from AlienVault
  18. PassiveTotal: Presents passive DNS and other threat intelligence data
  19. Quttera ThreatSign: Scans the specified URL for the presence of malware
  20. Reputation Authority: Shows reputational data on specified domain or IP address
  21. Trend Micro: Presents historical reputation data about the website
  22. Unmask Parasites: Looks up the URL in the Google Safe Browsing database
  23. URL Blacklist: Looks up the URL in its database of suspicious sites
  24. URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content
  25. URLVoid and IPVoid: Looks up the URL or IP in several blacklisting services
  26. VirusTotal: Looks up the URL in several databases of malicious sites
  27. vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists
  28. ThreatMiner: Presents diverse threat intelligence data

These are industry leaders for checking and categorizing domains/URLs and marking them accordingly. For new domains, use the real-time scanners; for older domains, use the historical reputation scanners. In any case, stay safe and happy browsing.


14 comments

  1. Many thanx for the great list of links!!!
    Greetings from Berlin, Germany

  2. I also got this stupid email. Thx for your analysis

  3. I got one too. We need a place to report things like this

  4. Today they are using ‘domaincops.net’ as domain.

  5. Got it too, it was garbage. Checked all my dns settings and such – nope, it’s not an open relay. I will be applying SPF now.

  6. I got the same email from joshua.thompson@domaincops.net

    Dear Domain Owner,

    Our system has detected that your domain: Keralapscpro.com is being used for spamming and spreading malware recently.
    You can view the detailed abuse report of your domain along with date/time of incidents. Click Here

    We have also provided detailed instruction on how to delist your domain from our blacklisting.

    Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.

    There is also possibility of legal action depend on severity and persistence of your abuse case.

    Three Simple Steps:
    1. Download your abuse report from Here: Click Here
    2. Check your domain abuse incidents along with date and time.
    3. Take few simple steps for prevention and to avoid domain suspension.

    Click Here to view your Report

    Please look into it and contact us.

    Best Regards,
    Domain Abuse Admin
    DomainCop Inc.
    Tel.: (139) 719-51-12

  7. Got one just now.
    Here I replaced my domain with “my-site” to show a line from the mail headers (the return path):

    Return-Path: samuel-cooper-admin=mysite.com@domaincop247.com

    The mail headers are good, the DKIM passes. But notice the originating domain is now “domaincop247”.

    Plus, how likely is it that a “real” domain cop would bother with a return address from my domain?

    And who is going to write such a demanding letter, threatening suspension, on a first offence? Heck, I wish these folks were real; maybe they could stop some of this horsepuckey.

    Ah well. Back to work.

    Thanks for posting. Saved me wasting further effort. Bastidos !!

  8. A buddy of mine got one of these today. His too was the newer ( Nov 30th registered ) domaincop247.com. I was able to do some sleuthing and found that the URL performs as follows:

    1: Redirects to a javascript payload
    2: Javascript payload is obfuscated, but once decoded turns out to try to download a ‘file.exe’ 3 different times, from the two following domains:
    ggjghhfhfh [dot] com
    cleanmsgs [dot] com
    3: File.exe once retrieved is of course executed and is a nullsoft installer.
    — Hexedit shows it placing icons in the quicklaunch area via a Registry Edit

    I didn’t go any further as attempts to extract the nullsoft installer failed from my linux box. I’m pretty sure it’s not going to be a good outcome if you fall prey to this and run the file.

  9. Received a few of these this morning. As I run a file host, I was concerned that it was legitimate until I realised that they spammed another one of my non-associated domains.

  10. Hi,

    I have received one as well. As Michael J. Kidd mentioned the sender email and link URL point to the domain domaincop247.com which does not show any details (WHOISGUARD PROTECTED).

    The DNS servers point to Cloudflare as well. But this time the url is still active.

    I did not dig as deep as Michael J. Kidd but I can acknowledge that the links will point to a JavaScript which is obfuscated and contains an encoded payload.

  11. Got the same from report.icann-monitor.org

  12. Got one too, but from icann-monitor.org domain (registered yesterday, lol!)

  13. We just got one from icann-monitor.org (domain Creation Date: 2016-12-28T20:19:57Z, according to domaintools.com)
    Make sure you don’t click on those links!
