Woke up this morning and found two emails from domaincop.org in my Inbox stating my domains are being used for spamming and spreading malware. The subject line contained “Domain Abuse Notice”, which looked serious.
I mean WOHA! I do write about ‘stuff’, but that doesn’t mean I send out emails to anyone. I don’t even respond to my emails half the time because I don’t really need another SEO expert, another advertiser, another promoter or a globally acclaimed graphics designer to design ‘tings’!
But then again, you read all these reports that explain how malware and viruses are served via advertisements and the like. So I decided to carefully examine the email and its contents in an attempt to find out more. Before I even opened the actual email, I checked its headers and the sender domain’s Whois. I always do this, especially Whois, because you are unlikely to receive an abuse notice email from a domain that was registered a few weeks ago. Most abuse notices are sent by large organisations and domains that have been around for years and have built enough reputation for everyone to take them seriously.
Whois information
I checked their Whois at https://who.is/whois/domaincop.org
Nice: Registered On 2016-11-22, Updated On 2016-11-22, and today is 2016-11-23. I mean, duh, it’s still the 22nd of November in some parts of the world. They also have PrivacyGuard enabled, which means you cannot see the real owner’s name or details, just like the darodar.com referrer spam.
Inspect the URL and its content
The next obvious thing was to check the URL that was sent to me to view the abuse my domains have inflicted. Erm, do I use a browser? Perhaps not; I decided to use cURL.
root@kali:~# curl -kv http://www.domaincop.org/<removed>
* Could not resolve host: www.domaincop.org
* Closing connection 0
curl: (6) Could not resolve host: www.domaincop.org
Hang on, the domain seems to have no DNS response. Let’s double-check that with the dig command:
root@kali:~# dig www.domaincop.org
; <<>> DiG 9.10.3-P4-Debian <<>> www.domaincop.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64018
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.domaincop.org. IN A
;; AUTHORITY SECTION:
org. 704 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2012251969 1800 900 604800 86400
;; Query time: 1 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Wed Nov 23 10:42:53 AEDT 2016
;; MSG SIZE rcvd: 109
dig returned an NXDOMAIN response, which means the domain doesn’t exist. It seems either they’ve disabled their domain and/or Cloudflare banned/removed them. In any case, there is no way for me to inspect that URL now. ‘sad panda’
Sample email
Here’s one of the emails I received, from “Imogen Murray” <imogen_murray@domaincop.org> (the other email was from “Isaac Wright” <isaac-wright@domaincop.org>), both with exactly the same content:
Dear Domain Owner,
Our system has detected that your domain:<removed>.com is being used for spamming and spreading malware recently.
You can download the detailed abuse report of your domain along with date/time of incidents. Click Here<link-removed>
We have also provided detailed instruction on how to delist your domain from our blacklisting.
Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.
There is also possibility of legal action depend on severity and persistence of your abuse case.
Three Simple Steps:
1. Download your abuse report.
2. Check your domain abuse incidents along with date and time.
3. Take few simple steps for prevention and to avoid domain suspension.
Click Here to Download your Report<link-removed>
Please look into it and contact us.
Best Regards,
Domain Abuse Admin
DomainCop Inc.
Tel.: (139) 722-66-56
Conclusion
Not sure what this email was about, but in case you ever get this type of email, here’s what you should always do:
- Check Domain Whois
- Check the URL without actually going into it (cURL it)
- Use online scanners to check the links
- Check dig/nslookup info
- Search in Google
- If you must visit the URL, do it from a command line tool or from a VM.
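The Whois-age and dig steps of that checklist, as an added example (not code from the original post): it works on text you already have from whois and dig, so the network fetch itself stays with cURL as described above. The sample records are constructed to mirror the post (domain registered the day before the email arrived, link host returning NXDOMAIN) and the registrar field names are assumptions about a typical layout, not a live lookup.

```python
"""Added triage helpers (not from the original post): apply the Whois-age and
dig checks from the checklist above to text you already have. Sample records
are constructed to mirror the post; they are not live lookups."""
import re
from datetime import date

# Constructed Whois output in a typical registrar layout (not a real record).
SAMPLE_WHOIS = """\
Domain Name: DOMAINCOP.ORG
Creation Date: 2016-11-22T09:14:33Z
Registrant Name: WhoisGuard Protected
"""

# Constructed dig output; only the header status line is needed.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64018
"""

def domain_age_days(whois_text, today_iso):
    """Days from the Whois creation date to today_iso (YYYY-MM-DD); None if absent."""
    m = re.search(r"(?:Creation Date|Registered On)\W*(\d{4}-\d{2}-\d{2})", whois_text, re.I)
    return (date.fromisoformat(today_iso) - date.fromisoformat(m.group(1))).days if m else None

def privacy_protected(whois_text):
    """True when the registrant is hidden behind a Whois privacy service."""
    return re.search(r"whoisguard|privacy\s*guard|redacted for privacy", whois_text, re.I) is not None

def dns_status(dig_text):
    """RCODE from dig's header line: NOERROR, NXDOMAIN, SERVFAIL, ... or UNKNOWN."""
    m = re.search(r"status:\s*([A-Z]+)", dig_text)
    return m.group(1) if m else "UNKNOWN"

def triage(whois_text, dig_text, today_iso, max_age_days=30):
    """Red flags the post looks for; an empty list means none fired."""
    flags = []
    age = domain_age_days(whois_text, today_iso)
    if age is None:
        flags.append("whois: no creation date found")
    elif age < max_age_days:
        flags.append(f"whois: domain registered only {age} day(s) ago")
    if privacy_protected(whois_text):
        flags.append("whois: registrant hidden behind a privacy service")
    if dns_status(dig_text) == "NXDOMAIN":
        flags.append("dns: link host does not resolve (NXDOMAIN)")
    return flags

if __name__ == "__main__":
    for flag in triage(SAMPLE_WHOIS, SAMPLE_DIG, "2016-11-23"):
        print("FLAG:", flag)
```

Feed it the real whois and dig output for the sender domain and the link host, and a young, privacy-shielded domain whose link already fails to resolve lights up all three flags, as it does for the sample.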
In short, you are unlikely to get such emails from multiple senders at a domain that was set up yesterday, got banned today and has people around the world talking about it being a scam. Another way to check spammy links is to use reputable providers’ online site review tools. Here’s a list of them:
Real Time Scanners:
- Comodo Web Inspector: Examines the URL in real-time
- Joe Sandbox URL Analyzer: Examines the URL in real time
- Is It Hacked: Performs several of its own checks of the URL in real time and consults some blacklists
- IsItPhishing: Assesses the specified URL in real-time
- Sucuri SiteCheck: Scans the URL for malware in real time and looks it up in several blacklists
- Zscaler Zulu URL Risk Analyzer: Examines the URL using real-time and historical techniques
Historical Reputation data:
- AVG Website Safety Reports: Provides historical reputation data about the site
- Blue Coat WebPulse Site Review: Looks up the website in BlueCoat’s database
- BrightCloud URL/IP Lookup: Presents historical reputation data about the website
- Cisco SenderBase: Presents historical reputation data about the website
- Cymon: Presents data from various threat intel feeds
- Deepviz: Offers historical threat intel data about IPs, domains, etc.
- FortiGuard lookup: Displays the URL’s history and category
- IBM X-Force Exchange: Provides historical data about IPs, URLs, etc.
- Intel/McAfee: Presents historical reputation data about the website
- KnownSec: Presents historical reputation data about the website; Chinese language only
- PhishTank: Looks up the URL in its database of known phishing websites
- Malware Domain List: Looks up recently-reported malicious websites
- MalwareURL: Looks up the URL in its historical list of malicious websites
- McAfee Site Advisor: Presents historical reputation data about the website
- MxToolbox: Queries multiple reputational sources for information about the IP or domain
- Norton Safe Web: Presents historical reputation data about the website
- Open Threat Exchange: Presents diverse threat intelligence data from AlienVault
- PassiveTotal: Presents passive DNS and other threat intelligence data
- Quttera ThreatSign: Scans the specified URL for the presence of malware
- Reputation Authority: Shows reputational data on specified domain or IP address
- Trend Micro: Presents historical reputation data about the website
- Unmask Parasites: Looks up the URL in the Google Safe Browsing database
- URL Blacklist: Looks up the URL in its database of suspicious sites
- URL Query: Looks up the URL in its database of suspicious sites and examines the site’s content
- URLVoid and IPVoid: Looks up the URL or IP in several blacklisting services
- VirusTotal: Looks up the URL in several databases of malicious sites
- vURL: Retrieves and displays the source code of the page; looks up its status in several blocklists
- ThreatMiner: Presents diverse threat intelligence data
These are industry leaders in checking and categorising domains/URLs and marking them accordingly. For new domains, use the live scanners; for older domains, use the historical reputation scanners. In any case, stay safe and happy browsing.
Many thanx for the great list of links!!!
Greetings from Berlin, Germany
I also got this stupid email. Thx for your analysis
I got one too. We need a place to report things like this
Today they are using ‘domaincops.net’ as domain.
Got it too, it was garbage. Checked all my DNS settings and such – nope, it’s not an open relay. I will be applying SPF now.
I got the same email from joshua.thompson@domaincops.net
Dear Domain Owner,
Our system has detected that your domain: Keralapscpro.com is being used for spamming and spreading malware recently.
You can view the detailed abuse report of your domain along with date/time of incidents. Click Here
We have also provided detailed instruction on how to delist your domain from our blacklisting.
Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.
There is also possibility of legal action depend on severity and persistence of your abuse case.
Three Simple Steps:
1. Download your abuse report from Here: Click Here
2. Check your domain abuse incidents along with date and time.
3. Take few simple steps for prevention and to avoid domain suspension.
Click Here to view your Report
Please look into it and contact us.
Best Regards,
Domain Abuse Admin
DomainCop Inc.
Tel.: (139) 719-51-12
Got one just now.
Here I replaced my domain with “my-site” to show a line from the mail headers (the return path):
Return-Path: samuel-cooper-admin=mysite.com@domaincop247.com
The mail headers are good, the DKIM passes. But notice the originating domain is now “domaincop247”.
Plus, how likely is it that a “real” domain cop would bother with a return address from my domain?
And who is going to write such a demanding letter, threatening suspension, on a first offence? Heck, I wish these folks were real; maybe they could stop some of this horsepuckey.
Ah well. Back to work.
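The header check the comment above describes, as an added example (not code from the post or the commenter): it pulls the domains out of From, Return-Path and the DKIM-Signature d= tag so that a passing DKIM result is read for what it proves, namely that the named domain signed the mail, and nothing more. The raw message is constructed to match the headers quoted in the comment; it is not a real capture.

```python
"""Added example (not from the post or the commenter above): read the domains
out of the From, Return-Path and DKIM-Signature headers so that a passing DKIM
result is taken for what it proves (the named domain signed the mail) and
nothing more. The message below is constructed to match the comment's headers."""
import email
import re

# Constructed raw message; the Return-Path mimics the commenter's, with the
# recipient's own domain tagged into the local part. Not a real capture.
SAMPLE_MESSAGE = """\
Return-Path: <samuel-cooper-admin=mysite.com@domaincop247.com>
Authentication-Results: mx.example; dkim=pass header.d=domaincop247.com
DKIM-Signature: v=1; a=rsa-sha256; d=domaincop247.com; s=default;
 h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=
From: "Samuel Cooper" <samuel-cooper@domaincop247.com>
To: admin@mysite.com
Subject: Domain Abuse Notice

Dear Domain Owner, ...
"""

def addr_domain(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else None

def dkim_signer(msg):
    """The d= tag of the DKIM-Signature header: the domain that actually signed."""
    m = re.search(r"(?:^|;)\s*d=([A-Za-z0-9.-]+)", msg.get("DKIM-Signature", ""))
    return m.group(1).lower() if m else None

def header_report(raw_message):
    """Summarise who the message claims to be from versus who signed it."""
    msg = email.message_from_string(raw_message)
    return_path = msg.get("Return-Path", "")
    rcpt = addr_domain(msg.get("To"))
    report = {
        "from_domain": addr_domain(msg.get("From")),
        "return_path_domain": addr_domain(return_path),
        "dkim_domain": dkim_signer(msg),
        "recipient_domain": rcpt,
    }
    # DKIM "pass" only ties the mail to dkim_domain; alignment with From says
    # the sender controls that domain, not that the domain is trustworthy.
    report["dkim_aligned"] = report["from_domain"] == report["dkim_domain"]
    # The recipient's domain embedded in the bounce address is a bulk-mailer
    # tracking habit (one address per target) that a registrar notice has no need for.
    local_part = return_path.split("@")[0]
    report["recipient_tagged_in_return_path"] = bool(rcpt) and rcpt in local_part
    return report
```

Run it over the raw source of a suspect message: for this sample every domain aligns on domaincop247.com, so DKIM passes, yet the per-recipient Return-Path is the tell.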
Thanks for posting. Saved me wasting further effort. Bastidos !!
A buddy of mine got one of these today. His too was the newer ( Nov 30th registered ) domaincop247.com. I was able to do some sleuthing and found that the URL performs as follows:
1: Redirects to a javascript payload
2: Javascript payload is obfuscated, but once decoded turns out to try to download a ‘file.exe’ 3 different times, from the two following domains:
ggjghhfhfh [dot] com
cleanmsgs [dot] com
3: File.exe, once retrieved, is of course executed and is a Nullsoft installer.
— Hexedit shows it placing icons in the quicklaunch area via a Registry Edit
I didn’t go any further, as attempts to extract the Nullsoft installer failed from my Linux box. I’m pretty sure it’s not going to be a good outcome if you fall prey to this and run the file.
Received a few of these this morning. As I run a file host, I was concerned that it was legitimate until I realised that they spammed another one of my non-associated domains.
Hi,
I have received one as well. As Michael J. Kidd mentioned, the sender email and link URL point to the domain domaincop247.com, which does not show any details (WHOISGUARD PROTECTED).
The DNS servers point to Cloudflare as well. But this time the URL is still active.
I did not dig as deep as Michael J. Kidd, but I can acknowledge that the links point to a JavaScript which is obfuscated and contains an encoded payload.
I have reported this issue to Cloudflare via https://www.cloudflare.com/abuse/form as well as to Lumen (https://lumendatabase.org/notices/13534594).
Got the same from report.icann-monitor.org
Got one too, but from icann-monitor.org domain (registered yesterday, lol!)
We just got one from icann-monitor.org (domain Creation Date: 2016-12-28T20:19:57Z, according to domaintools.com)
Make sure you don’t click on those links!