Spam/scam email from DomainCop.net targeting domain name and website owners

Today I received a new spam/scam email that I personally haven’t seen before. The email, directed to one of my domains, is obviously targeting domain name owners who have active websites and use email with the domain name.

The email obviously tries to scare the website owner into going to domaincop.net and downloading some infected files.

The domain name and website owner is accused of spamming and spreading malware (something that the email sender is actually doing!) and is even threatened with legal action. I knew immediately that it was fake, as the domain name in question is parked and hasn’t sent a single email message in over 10 years.

The domain name domaincop.net was registered today (!) at Namesilo.com and is behind whois privacy.

The spammer/scammer is most probably harvesting domain name whois records for email addresses.

The headers from the email below point to a mail server in Hanau am Main, Hessen, Germany from an ISP named velia.net Internetdienste GmbH. This could be a hijacked mail server.

Received:
  • from mail.domaincop.net (domaincop.net [37.61.222.140]) by ****** (Postfix) with ESMTP id ***** for <*******>; Tue, 22 Nov 2016 10:47:59 -0500 (EST)
  • by mail.domaincop.net id ***** for <******>; Tue, 22 Nov 2016 10:39:19 -0500 (envelope-from <isla-davis-**********@domaincop.net>)

Here is the complete email spam / scam message received:

From: Isla Davis <isla-davis@domaincop.net>
To: **********.org <**************>
Subject: Domain Abuse Notice: ********.org

Dear Domain Owner,

Our system has detected that your domain: *********.org is being used for spamming and spreading malware recently.
You can download the detailed abuse report of your domain along with date/time of incidents. Click Here*

We have also provided detailed instruction on how to delist your domain from our blacklisting.

Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.

There is also possibility of legal action depend on severity and persistence of your abuse case.

Three Simple Steps:
1. Download your abuse report.
2. Check your domain abuse incidents along with date and time.
3. Take few simple steps for prevention and to avoid domain suspension.

Click Here to Download your Report*

Please look into it and contact us.

Best Regards,
Domain Abuse Admin
DomainCop Inc.
Tel.: (139) 719-51-12

(*I have removed the links taking me to a long address inside domaincop.net because it might contain malware, etc.)

UPDATE #1:

The spam/scam seems to be using a new domain name now: DOMAINCORP.NET. (Also used domaincop.org for a while.)
The DOMAINCORP.NET domain name was registered on November 10th at Name.com.

Owner seems to be Ronald Miranda from the Dominican Republic using this email address: ronald.miranda@genstylehost.com.

Genstylehost.com was registered by Ronald Miranda at ascio.com on October 31st using the email address ronald.miranda@genstyledesigns.xyz.

genstyledesigns.xyz was registered at 1und1.de on October 1st using this address: info@servicioempresarial.net.

servicioempresarial.net was registered in 2012 by Ronald Miranda again using this email address: semsadr@gmail.com.

UPDATE #2:

Spammers are now using domaincops.net registered at Enom.com. They keep changing domain names and registrars.

UPDATE #3:

New domain is domaincop247.com registered at Enom.com on the 30th of November 2016 behind privacy whois. See comments for more details.

UPDATE #4 (29th of December 2016):

The new domain name sending the spam is icann-monitor.org, registered at Enom.com yesterday, the 28th of December 2016. The scammers also registered the domain name icannmonitor.org, so more spam emails might come from this domain name when the first one gets blacklisted or suspended.
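
The pattern across these updates is that every sending domain was registered hours or days before the mail went out. As an added example (not part of the original post), this Python check flags a message when the WHOIS creation date of the From: domain is less than 30 days before the timestamp in the receiving server's own Received: header. The sample message, the WHOIS excerpt with its assumed time of day, the example.org placeholders and the 30-day threshold are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the headers quoted in the post; the masked
# recipient values are replaced with example.org placeholders.
SAMPLE_MESSAGE = """\
Received: from mail.domaincop.net (domaincop.net [37.61.222.140])
\tby mx.example.org (Postfix) with ESMTP id PLACEHOLDER
\tfor <owner@example.org>; Tue, 22 Nov 2016 10:47:59 -0500 (EST)
From: Isla Davis <isla-davis@domaincop.net>
To: owner@example.org
Subject: Domain Abuse Notice: example.org

Dear Domain Owner,
"""

# Constructed WHOIS excerpt: the post says only that domaincop.net was
# registered the same day the mail arrived, so the time of day is assumed.
SAMPLE_WHOIS = """\
Domain Name: DOMAINCOP.NET
Creation Date: 2016-11-22T09:00:00Z
"""

def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def received_at(msg):
    """Timestamp our own MTA stamped in the topmost Received: header."""
    top = msg.get_all("Received", [""])[0]
    return parsedate_to_datetime(top.rpartition(";")[2].strip())

def whois_created(whois_text):
    """Creation Date from registrar WHOIS output (UTC), or None if absent."""
    m = re.search(r"^\s*Creation Date:\s*(\S+)", whois_text, re.M | re.I)
    if not m:
        return None
    stamp = m.group(1).rstrip("Z").split(".")[0]  # drop 'Z' and fractions
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

def domain_age_days(raw_message, whois_text):
    """(sender domain, age in days at delivery); age is None without WHOIS."""
    msg = message_from_string(raw_message)
    created = whois_created(whois_text)
    if created is None:
        return sender_domain(msg), None
    age = (received_at(msg) - created).total_seconds() / 86400
    return sender_domain(msg), age

def is_suspicious(raw_message, whois_text, min_age_days=30):
    """Flag mail whose sender domain is younger than min_age_days."""
    _, age = domain_age_days(raw_message, whois_text)
    return age is not None and age < min_age_days
```

Because the check keys on registration age rather than on the domain string, it keeps working when the senders rotate to a new name and registrar.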

About Konstantinos Zournas

Konstantinos studied Computer Engineering and Computer Science in London and lives in Athens, Greece. He works on domain names, websites and software development. Has been online since 1995 & domaining since 2002.

49 comments

  1. Hello. I am with NameSilo and I wanted to let everyone know that the domain has been suspended as you will note by seeing the “clientHold” status in WHOIS.

  2. Well done NameSilo, GoDaddy does jack all with all the spammers and scammers working out of there.

  3. We have got the same email today … it was immediately labelled as spam by our system and directly sent to junk bin … 😀
    Namesilo is very efficient indeed, congrats guys.

  4. Wow, this is very amazing. I just got one of those emails from domaincop.net for a domain I have parked. But I decided that before I call my host provider or file an abuse report with NameSilo I would do a search for the domain and see what came up.
    Found this post.
    Email marked as spam.
    Peace is restored.

  5. Online/internet spam and scams are like diseases that have zero cures; an infinite virus.

  6. Wow! Good timing w/ this article! My client received this email today about one of their parked domains…

  7. Great timing with this article – I received the same email this morning! Relieved to see how quickly NameSilo have jumped on it.

  8. Great timing, thanks for this post, i got this email, did a lookup on google and found this post!
    WOW!

  9. They use the .ORG as well.

  10. It is important to not confuse domaincop.net and domaincop.org with domcop.com that is a real service and domaincop.com that is a domain registered in 2006. These both have nothing to do with this scam.

  11. Thank you for sharing Konstantinos,

    I like to read these types of emails to make sure I don’t fall for something like this in the future.

  12. I had the same email yesterday in relation to a parked domain, so thank you for posting this and putting my mind at rest !

    I now receive at least a couple of scam emails (..usually with zipped attachments) every day, always from different sources. Now seriously thinking of changing my email addresses and making all of my domains private as this issue seems to be getting worse.

  13. I also received a similar email today from dylan.hall@domaincop.org. It looked very strange, so I went googling that domain. Thank you for your post, it confirmed my suspicions.

  14. Thanks for confirming what I suspected.

    We just got one of these today for a domain we don’t use for sending email. It immediately went to our junk email but was interesting enough for me to have a look at.

    Whois shows domaincorp.net was registered this month in South America. There is an older domaincorp.com that seems likely legitimate so I suspect that is why these people picked this .net name.

  15. The spam/scam seems to be using a new domain name now: DOMAINCORP.NET.
    This domain was registered on November 10th at Name.com.

    Owner seems to be Ronald Miranda from the Dominican Republic using this email address: ronald.miranda@genstylehost.com.

    Genstylehost.com was registered by Ronald Miranda at ascio.com on October 31st using the email address ronald.miranda@genstyledesigns.xyz.

    genstyledesigns.xyz was registered at 1und1.de on October 1st using this address: info@servicioempresarial.net.

    servicioempresarial.net was registered in 2012 by Ronald Miranda again using this email address: semsadr@gmail.com.

  16. I have one From: Isaac Wright
    (abusemonitor247.com [37.61.222.143]) by atl4mhib64.myregisteredsite.com. Located in Germany.

  17. You can simply mark those messages as spam and spam filters will learn to block such messages in the future. Filters can remember the word domaincorp (especially when spammers use similar subject fields or info in the letter) and simply put the message in the spam/junk folder. Or you can add the domain to the blacklist (I guess that is possible at Google, SpamAssassin and Spamdrain).
    Of course, it’s better to cut them down at the DNS level 🙂

  18. “Bad boy, bad boy;” whatcha gonna do when they come getcha. ?

  19. I got another via domaincops.net just half an hour ago. It is still active.

  20. Today they are using ‘domaincops.net’

  21. They’re back at it again, this time from domaincops.net.

    Received: from mail.domaincops.net (domaincops.net [198.175.127.112])

  22. I’ve received two of these exact same emails recently – and the email comes from mia-griffiths@domaincops.net but the signature says
    Best Regards,
    Domain Abuse Admin
    DomainCop Inc.
    Tel.: (139) 769-56-01

    I didn’t click any of the links because I figured this was spam. Glad I saw your article to confirm it.

  23. There is massive protest against that domain. We own over 1300 domains and receive that email for all the domains we have! Why doesn’t someone stop this?? Or must they probably stop the domain’s registrar, “name.com”?

    Registrar URL of that domain is http://www.name.com

  24. Received an email today from “noah.evans@domaincops.net”, mail server: 198.175.127.112/mail.domaincops.net.

    Maybe we should create a list of domains used for this scam?

  25. Just got the same from domaincops.net. The links looked spammy and we don’t use that domain.

    • Just an update from the registrars:

      -snip-
      However, as we can see the domain name is listed in both SpamHaus DBL and SURBL blacklists. Since we consider SpamHaus and SURBL to be trusted organizations, we opened a case regarding the domain name. Please allow about 48 hours for our further investigation.
      -snip-

      The hope being cost and effort will make the guy quit. 🙂

  26. I got spam from domaincop.net this morning, Dec. 1, 2016.

    As a web designer for others, it is obvious to me that people are using the WhoIs to collect domain names, and people’s addresses and other things.

    Until we go after the criminals instead of just having to pay out more and more for protection, this problem will only get worse! Let’s hope the new regime here in America will catch on.

    These hacking minds could be used for good instead of evil!

  27. This seems to be happening again. I just got one today.

  28. I just received a new email like that from: amelia.bailey@domaincops.net

    Thanks for putting this online. It looked spammy, but I wanted to check, obviously. I run a small hosting company, and I don’t want to be marked as spam!

    Thanks for your work!

  29. New domain, same scammers serving malware: viewinvoice (dot) online

    Sample:

    “Dear Client, Your Invoice is overdue for [domain].com. Please pay within 24 hours to avoid service suspension. Click Here to View Invoice. Thanks “

  30. Thank you for the deep information, sir. It will help us to be safe from scams.

  31. New domain used by those phucksticks: domaincop247.com

  32. New Domain, same scam: domaincop247.com

  33. Just received the same type email. Now using another new domain: domaincop247.com

    arthur-young@domaincop247.com

  34. Just got it too. New domain is domaincop247.com registered at Enom.com on the 30th of November 2016 behind privacy whois.
    Here is the email from William Wilson william_wilson@domaincop247.com:
    Subject : Final Domain Abuse Notice: *****.com

    Dear Domain Owner,

    Our system has again detected that your domain: ***.com is being repeatedly used for spamming and spreading malware recently.
    You can download the detailed abuse report of your domain along with date/time of incidents. Click Here

    We have also provided detailed instruction on how to delist your domain from our blacklisting.

    Please download the report immediately and take proper action within 24 hours otherwise your domain will be suspended permanently.

    There is also possibility of legal action depend on severity and persistence of your abuse case.

    Three Simple Steps to fix this issue:
    1. Download your abuse report.
    2. Check your domain abuse incidents along with date and time.
    3. Take few simple steps for prevention and to avoid domain suspension.

    Click Here to Download your Report

    Note: This is final notice. Please fix this issue immediatly or we have to suspend your domain after 24 hours.

    Best Regards,
    Domain Abuse Admin
    DomainCop Inc.
    Tel.: (139) 711-96-01

  35. How about CCNOTICE.net?

    Dear Client,

    Your Invoice is overdue for ***.com. Please pay within 24 hours to avoid service suspension. Click here to view Invoice.

    Thanks .

  36. Hello Konstantinos,

    Very useful information.
    Received mail from “ellie-knight@domaincop247.com”. Immediately marked it as spam.
    They are creating new domains. Keep updating the list of domains.

  37. OMG. My site is in the .UZ zone and is not resolved from another domain, only in Uzbekistan.
    But I also received a similar letter. Everyone be careful…

  38. Just got the same from icann-monitor.org
