I’m still watching over spam. The latest trend is spam campaigns that share a few characteristics, perhaps the most interesting of which is that the domains have all been registered at enom.com.
These recent campaigns fell into two main categories. One set uses domains which are semi-pronounceable. The other uses domains which incorporate sensible English words. Both categories have these other features in common:
– brevity (no HTML, for instance)
– valid SPF records (!)
– domains were used for spam almost immediately after having been registered (new domains)
From: Patriot Survival Plan <Patriot_Survival_Plan@best-survival-plan-types.com>
To: <firstname.lastname@example.org>
Date: 05/22/2014 04:22 AM
Subject: REVEALED: The Coming Collapse
--------------------------------------------------------------------------------
email@example.com

Since I exposed this I'm getting a lot of comments. People are terrified and they are asking me to spread the word even more... So don't miss this because it might be too late for you and your family!

Obama's done a lot of stupid things so far, but this one will freeze the blood in your veins! He's been trying hard to keep this from American Patriots... but now his betrayal has finally come to light. And he'll have to pay through the nose for this.

But here's a Warning: the effects of Obama's actions will hit you and your family by the end of this year. And they'll hit you like nothing you've ever seen before... So watch this revealing video to know what to expect... and how to protect against it.

-> Watch Blacklisted video now, before it's too late --> http://check.best-survival-plan-types.com

No_longer_receive_this _Warning : http://exit.best-survival-plan-types.com
Patriot Survival Plan _405 W. Fairmont Dr. _Tempe, AZ 85282

First off, there's nothing special 22409526 in the Ironbound. Food in quantity, 22409526not quality. It's amazing how many people 22409526 rate these establishments as excellent. This said, I've always had fun going to these places, 22409526 as long as your dining expectations are gauged accordingly. Therefore, 22409526 my rating reflects those reduced expectations. :) Being a steakhouse, 22409526 one would expect a thorough steak menu such as those at Gallagher's, Luger's, or even Del Frisco's. However, you're not getting true steakhouse fare here; 22409526 it's the Ironbound after all. So, you're getting a less than Prime cut of beef, 22409526 sometimes cooked to your liking.
Whois lookup of best-survival-plan-types.com shows this:
Domain Name: BEST-SURVIVAL-PLAN-TYPES.COM
Registry Domain ID: 1859701370_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-05-21 17:26:19Z
Creation Date: 2014-05-22 00:26:00Z
Registrar Registration Expiration Date: 2015-05-22 00:26:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: firstname.lastname@example.org
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: DONI FOSTER
Registrant Organization: NONE
Registrant Street: 841-4 SPARKLEBERRY LN
Registrant City: COLUMBIA
Registrant State/Province: SC
Registrant Postal Code: 29229
Registrant Country: US
Registrant Phone: +1.8037886966
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: DONIFOSTER73@GMAIL.COM
Registry Admin ID:
Admin Name: DONI FOSTER
Admin Organization: NONE
Admin Street: 841-4 SPARKLEBERRY LN
Admin City: COLUMBIA
Admin State/Province: SC
Admin Postal Code: 29229
Admin Country: US
Admin Phone: +1.8037886966
Admin Phone Ext:
Admin Fax: +1.5555555555
Admin Fax Ext:
Admin Email: DONIFOSTER73@GMAIL.COM
Registry Tech ID:
Tech Name: DONI FOSTER
Tech Organization: NONE
Tech Street: 841-4 SPARKLEBERRY LN
Tech City: COLUMBIA
Tech State/Province: SC
Tech Postal Code: 29229
Tech Country: US
Tech Phone: +1.8037886966
Tech Phone Ext:
Tech Fax: +1.5555555555
Tech Fax Ext:
Tech Email: DONIFOSTER73@GMAIL.COM
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Name Server: DNS4.REGISTRAR-SERVERS.COM
Name Server: DNS5.REGISTRAR-SERVERS.COM
See 1) that it was registered yesterday at 17:26:19 Universal Time, and 2) that the registrar is enom?
And the SPF record:
> dig +short txt best-survival-plan-types.com
"v=spf1 a mx ptr ~all"
Actually this domain is a small aberration insofar as it does not have an SPF record ending in -all; the others I checked do.
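The two signals shown above (a creation date hours before the first message, and a valid SPF record that therefore proves nothing about the sender's intent) can be checked mechanically on the mail gateway. This is an added example, not code from the original post: it parses a whois answer and an SPF TXT string, so it works offline on the constructed sample below; the age threshold and the field names are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the whois fields shown in the post.
SAMPLE_WHOIS = """Domain Name: BEST-SURVIVAL-PLAN-TYPES.COM
Registrar WHOIS Server: whois.enom.com
Creation Date: 2014-05-22 00:26:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
"""

def parse_whois(text):
    """Split 'Key: value' whois lines into a dict (last occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_utc(stamp):
    """Parse the 'YYYY-MM-DD HH:MM:SSZ' timestamps used in the whois output."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)

def domain_age_days(fields, now):
    return (now - parse_utc(fields["Creation Date"])).total_seconds() / 86400

def spf_all_qualifier(txt):
    """Qualifier of the 'all' mechanism ('+', '-', '~', '?'); a record without
    'all' defaults to neutral per RFC 7208; None if the TXT is not SPF at all."""
    if not txt.startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    return "?" if m is None else (m.group(1) or "+")

def assess(fields, spf_txt, now, max_age_days=7.0):
    """List why this sender domain looks like a throwaway spam domain. An SPF pass is
    deliberately not a trust signal: these domains publish valid SPF from day one."""
    reasons = []
    age = domain_age_days(fields, now)
    if age < max_age_days:
        reasons.append("registered %.2f days before the message" % age)
    if fields.get("Registrar IANA ID") == "48":  # eNom's IANA registrar id
        reasons.append("registered through eNom, the pattern seen in this campaign")
    q = spf_all_qualifier(spf_txt)
    if q is None:
        reasons.append("no SPF record")
    elif age < max_age_days:
        reasons.append("SPF '%sall' on a brand-new domain says nothing about intent" % q)
    return reasons
```

Feeding it the sample above with the message's own timestamp (05/22/2014 04:22) shows the domain was under four hours old when the spam arrived.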
What to do, what to do
Well, I reported the spam to Postini, but I don’t think that has any effect as they are winding down their business.
I am pinning greater hopes on filling out enom’s abuse form. Of course I have no idea what actions, if any, they take. But they claim to take abuse seriously so I am willing to give them their chance to prove that.
I don’t feel enom is complicit in this spam. I’m not even sure they can easily stop these rogue operators. But they have to try. Their reputation is at stake. On the Internet there are complaints like this from years ago, that enom domains are spamming.
Every one that comes across my desk I am reporting to them. The time it takes me to report any individual one isn’t worth the effort compared to the ease of hitting DELETE, but I am hoping to help lead enom to find a pattern in all these goings-on so they can stop these registrations before new ones cause harm – that is why I feel my actions are for the greater good.
Other recently deployed enom domains
| Domain | First spam seen | First registered |
etc – there are plenty more!
Finally we hear back
Weeks later, on June 14th, I finally received a formal response concerning only-survival-plan.com and local-vehicle-clearance.us.
From: email@example.com
Subject: [~OOQ-128-23745]: FW: eNom - Report Abuse - Reference #ABUSE-11116

Hello,

Thank you for your email.

While the domain name(s) reported is registered with Namecheap, it is hosted with another company. So we cannot check the logs for the domain(s) and confirm if it is involved in sending unsolicited bulk emails. We can only take an action if a report is confirmed by blacklists of trusted anti-spam organizations like SpamHaus or SURBL.

Thus, we have initiated a case regarding the following domain(s) blacklisted by trusted anti-spam organizations: only-survival-plan.com

In case the listing is not removed, the domain(s) will be suspended.

The following domain(s) has already been suspended: local-vehicle-clearance.us

Let us also suggest you addressing the issue to the hosting company which servers were involved in email transmission for help with investigating the incident of spam. You may find their IP address in the headers. To find their contact details, please whois this IP address. You may use any public Whois tool like https://www.domaintools.com/

Kindly let us know if you have any question.
-------------------------------
Regards,
Alexander XXX.
Legal & Abuse Department
Namecheap Group
http://www.namecheapgroup.com
Analysis of their response
Reading between the lines, here’s my analysis. There’s some not-well-documented relationship between enom and namecheap.com: I reported the abuse to enom and got a response from namecheap.com.

I kind of agree that suspending a domain is a BIG DEAL and a registrar has to be on firm footing to do so. As I write this on Jun 16th, the domains do not yet appear to be suspended. Are you really going to trust Spamhaus to render your judgement? That’s basically one of those extortionist enterprises purportedly offering a take-it-or-leave-it service. If the author of that email was a lawyer, well, their English isn’t the best. That doesn’t provide a lot of confidence in their handling of the matter. And wasn’t my complaint by itself good enough for them to initiate action?

I do have to concede the point that the sending of the spam was probably out of their control and probably did come from another hosting company. But it is glib advice to suppose it is that easy to track them down the way they describe. Since they are part of the problem and have the evidence, why don’t they follow up with the hosting provider themselves??

There was no mention of my other eight or so formal complaints. So this still seems to be getting an ad hoc, one-by-one case treatment and not the “Whoa, we got a problem on our hands and there’s something systemically wrong with what we’re doing here” reaction I had hoped to provoke.
Actually I got two responses, but with slightly different wording. So they were crafted by hand from some boilerplate text, and yet the person stitching together the boilerplate was sufficiently mindless of the task as to forget they had just sent me the first email??
So their response is better than a blackhole, but perhaps could be characterized as close to the bare minimum.
I have gotten several other responses from some of my other complaints as well, all saying pretty much the same thing. In August the responses started to look different however.
Here’s one I received this morning about woodsurface.com, 19 days after my initial complaint:
Hello,

This is to inform you that woodsurface.com domain was suspended. It is now pointed to non-resolving nameservers and will be nullrouted once the propagation is over. The domain is locked for modifications in our system.

Thank you for letting us know about the issue.
------------------
Regards,
Alexander T.
Legal & Abuse Department
Namecheap.com
I hope my actions spur enom into some action of their own in figuring out where their domain registration requirements are so lax that spammers are taking wholesale advantage of the situation and sullying their reputation.
June, 2014 Update
The storm of spam from enom has subsided. I’m basically not seeing any. Oops. Spoke too soon! New enom-registered domains popped up and created more spam storms (documented in the table above), but not as severe as in the past. I don’t know if our anti-spam filter got better or enom stepped up to the plate and improved their scrutiny of domain registrants. If another spam storm hits us I’ll report back…
enom-generated spam is back!