I received a new spam/scam email today that I personally haven’t seen before. The email, directed to one of my domains, is obviously targeting domain name owners that have active websites and use email with the domain name.
The email obviously tries to scare the website owner into going to domaincop.net and downloading some infected files.
The domain name and website owner is accused of spamming and spreading malware (something that the email sender is actually doing!) and is even threatened with legal action. I knew immediately that it was fake, as the domain name in question is parked and hasn’t sent a single email message in over 10 years.
The domain name domaincop.net was registered today(!) at Namesilo.com and is behind whois privacy.
The spammer/scammer is most probably harvesting domain name whois records for email addresses.
The headers from the email below point to a mail server in Hanau am Main, Hessen, Germany from an ISP named velia.net Internetdienste GmbH. This could be a hijacked mail server.
Here is the complete email spam / scam message received:
From: Isla Davis <firstname.lastname@example.org>
Subject: Domain Abuse Notice: ********.org
Dear Domain Owner,
Our system has detected that your domain: *********.org is being used for spamming and spreading malware recently.
You can download the detailed abuse report of your domain along with date/time of incidents. Click Here*
We have also provided detailed instruction on how to delist your domain from our blacklisting.
Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.
There is also possibility of legal action depend on severity and persistence of your abuse case.
Three Simple Steps:
1. Download your abuse report.
2. Check your domain abuse incidents along with date and time.
3. Take few simple steps for prevention and to avoid domain suspension.
Click Here to Download your Report*
Please look into it and contact us.
Domain Abuse Admin
Tel.: (139) 719-51-12
(*I have removed the links taking me to a long address inside domaincop.net because it might contain malware, etc.)
The spam/scam seems to be using a new domain name now: DOMAINCORP.NET. (Also used domaincop.org for a while.)
The DOMAINCORP.NET domain name was registered on November 10th at Name.com.
Owner seems to be Ronald Miranda from the Dominican Republic using this email address: email@example.com.
Genstylehost.com was registered by Ronald Miranda at ascio.com on October 31st using the email address firstname.lastname@example.org.
genstyledesigns.xyz was registered at 1und1.de on October 1st using this address: email@example.com.
servicioempresarial.net was registered in 2012 by Ronald Miranda again using this email address: firstname.lastname@example.org.
The new domain is domaincop247.com, registered at Enom.com on the 30th of November 2016 behind privacy whois. See comments for more details.
UPDATE #4 (29th of December 2016):
The new domain name sending the spam is icann-monitor.org, registered at Enom.com yesterday, the 28th of December 2016. The scammers also registered the domain name icannmonitor.org, so more spam emails might come from this domain name when the first one gets blacklisted or suspended.
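Every domain in this campaign was registered within days, or hours, of the emails going out, and that is something a mail filter can check. The following is an added example, not part of the original post: the sample message, the `.example` domains, the dates and the `CREATED` lookup table are all constructed, and in practice the creation dates would come from a WHOIS or RDAP lookup.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (illustrative domains and dates only).
SAMPLE = """\
From: Isla Davis <sender@example.org>
Subject: Domain Abuse Notice: parked-domain.example
Date: Thu, 03 Nov 2016 10:15:00 +0000
Content-Type: text/html; charset="utf-8"

<p><a href="http://reports.newly-registered.example/r?id=1">Click Here</a></p>
<p><a href="http://www.long-established.example/help">Help</a></p>
"""
# Constructed creation dates, standing in for WHOIS/RDAP results.
CREATED = {
    "newly-registered.example": datetime(2016, 11, 3, tzinfo=timezone.utc),
    "long-established.example": datetime(2004, 5, 1, tzinfo=timezone.utc),
}

class LinkHosts(HTMLParser):  # collects the host of every <a href>
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host)

def registrable(host):
    # Simplification: last two labels; real code needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def young_link_domains(raw, created, max_age_days=30):
    """Return (domain, age_in_days) for linked domains younger than the limit.
    A domain with no known creation date is flagged with age None."""
    msg = message_from_string(raw)
    # The Date header is sender-controlled; a filter should prefer its own receipt time.
    received = parsedate_to_datetime(msg["Date"])
    parser = LinkHosts()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    flagged = []
    for domain in sorted({registrable(h) for h in parser.hosts}):
        born = created.get(domain)
        age = None if born is None else (received - born).days
        if age is None or age < max_age_days:
            flagged.append((domain, age))
    return flagged
```

Calling `young_link_domains(SAMPLE, CREATED)` flags only the domain registered on the day the message was sent, with an age of 0 days.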