3 clues to spotting a spam scam

The notice looked real at first -- but turned out to be an obvious scam. Unraveling its origins offered an object lesson in how not to get suckered

3 clues to spotting a spam scam

I received the following “domain abuse notice” for one of my inactive registered domains last week:

domain abuse notice

Those of us who have dealt with falsely blacklisted domains in the past have seen notices like this before. It’s usually from an antispam vendor or service letting you know that your domain has been used in a spam attack—and they’re going to put you on one or more mailing blacklists until you resolve the problem.

I hate spam blacklists. Although well intentioned, they tend to be reports on false positives rather than domains used to send spam. Lately, antispam services and products have become quite good, and it’s a rarity for me to get these types of reports, false or not. Plus, I bought this particular name a few months ago, and it has remained completely inactive in that time.

Still, I wasn’t sure whether this was a malicious email or an overly aggressive sales tactic. To add to my confusion, I had received junk mail last week in the name of the same inactive domain. Although I didn’t expect unsolicited junk mail, my name and personal home address can be found through any domain lookup service. Many companies and services look for newly registered domains and start sending spam or junk mail from there. Most domain registrars allow anyone to register pseudo-anonymously for that reason, though they usually charge an additional fee.

I have to say, at least for a few seconds, I mostly believed the claims when I first read the email. The domain name, domaincop.net, sounds legit enough. The complaint is familiar. Initially I wondered how the spammer started using my domain name to send spam—and why this particular service didn’t pick up on the fact that my domain lacked a mail exchange DNS record.

I even briefly contemplated letting the domain stay blacklisted—I wasn’t using it, and I could always start unblacklisting it if I changed my mind. But I decided that taking care of it now would make my life easier than letting whatever damage it caused stay and spread over time. Blacklisting, if legitimate, can be a real pain to clean up.

I needed to find out if the service and email was real or a scam. I first looked at the country code of the telephone number provided in the email that supposedly led to domaincop.net. A quick internet search revealed that the country code did not exist. That’s a big ding against a potentially legitimate service and almost certainly, by itself, disqualifies the email. But who knows? Perhaps the “139” was a telephone area code instead of a country code. I kept exploring.

Next, I placed my cursor over the two links listed in the email. I love that most desktop browsers (though not all mobile browsers) will show the real link underlying the reported text before you commit to clicking on it. As you can see below, the link reported back to www.domaincop.net, but it ended in “kerouac-judgments.”

abuse report scam

The name of a famous Beat poet and novelist did not bode well. Randomly picking words from an English dictionary is a common tactic used by phishers and spammers to bypass antiphishing and antispamming software and services. More than likely, those two randomly chosen English words were unique for my copy of the spam email and would help identify that my email address was valid if I clicked on it, which would lead to more spam and phishing emails.

Next, I typed domaincop.net into a Whois query. It returned the following information:

whois spam scam

The Whois return is full of red flags, including the “clientHold” status and the fact that the domain was created on the same day as the email was sent to me. The clientHold status is not common on legitimate domains and essentially means enough people have complained that this domain was put on ice. That’s enough evidence to officially call this email bogus.

I did more internet searches on the domaincop.net email and came up with plenty of people who got similar messages. After doing some research, I reached the same conclusion. The malicious domain was put up and taken down in a few hours—gotta love the internet.

Check out these related reports. The latter link contains dozens of useful links for doing your own investigations.

As an additional precaution, I called my domain registrar to inform them of the ongoing spam campaign. They already knew what I was talking about and were on top of it.

Lessons learned

What did I learn? Maybe the additional privacy services during domain registration are worthwhile.

Also, I’m glad my first personal experience with this sort of domain phishing was so easy to detect. If the phisher had created a more authentic-looking email with fewer red flags, I might have fallen for it—although had I clicked on the link, it would have likely tried to get me to download malicious files, which I never would have done.

You should always do a little investigating before blindly clicking on any email that claims to be helping you. I’m glad I did.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)