New Top Level Domain Spam

Scammer Security Spammer

In recent years the Internet has seen growth in new Top Level Domains (TLDs) coming out, such as .science, .link, and many others. I find that many, if not most, of these new TLDs actually generate a large amount of spam and malicious content.

Watching the trend of some of this growing number of TLDs, I see some disturbing things taking place. Take .science for ONE: I have yet to see ONE legitimate .science email, and all of them so far are 100% spam. Within this SPAM I have seen about 70% of these emails being malicious; they typically contain links to Trojans, botnet software, or malware stored on a hacked or fake website. The other 30% are usually scareware, which are emails made to scare and frighten you with threats of some sort. Typically you will find Bitcoin addresses for payment. This makes me laugh, as they target people who are not tech savvy and yet these morons think that they would know how to use Bitcoin.

I started to write this today because I got an email that really stood out as fraudulent, with many red flags. Yet it mimicked some of the signs of the .science and some other dubious TLDs that are scams. Below is an example of one email that is fraudulent as well as related to these new TLDs and the problems I see growing.

************************************************************************

Below is the email captured.

From: Mercedesbenzworld@lotterywin.com
To: ***@*************.***
Reply-To: barr.charlesconroy@yahoo.com
Date:

Congratulations Winner!!,

We are pleased to announced that your E-mail Address has been selected among the winners of the Mercedes Benz International Online Lottery Draw for “2019” Valentine Season Of Love promo!. You are now a winner of a Brand New “2019 Mercedes-Benz GLE 450” and the Grand prize of $2,500,000.00 USD.( Two Million Five Hundred Thousand Dollars)


For easy claim and delivery of your winnings, you are simply advice to contact our Regional Claim Agent 
“Agent Barr Charles Conroy”
Phoenix Arizona USA.
Email:(barr.charlesconroy@yahoo.com)
Tel:(518) 241-3489


Please reply with your necessary information below for rightful claim, this information enable us to process your winning 

documents legally and also deliver your winnings to your locations 
BENEFICIARY FULL NAME:
CONTACT EMAIL ADDRESS:
OFFICE ADDRESS:
HOME ADDRESS:
PHONE NUMBER:
OCCUPATIONS


All Legal process in claiming and delivery your winnings will be treated by our claim agent once contacted by you.

Your Mercedes Benz Online Lottery Draw Reference Claim Code:(W70902039).


Signed

Mercedes Benz Inc.

************************************************************************

  1. First of all, it is typical of spammers and fraudsters to use fake return email addresses or someone else's email address to make it look legit. This is also why they usually use a REPLY-TO email address, and most of the time I find that these accounts are made on a FREE email service such as Gmail, Yahoo, or Hotmail, or are hacked email accounts.
  2. Another red flag is having two separate email addresses, one FROM: and one REPLY-TO:, which, make note, are very different. This is not common for a legitimate business. Why is this moron using a personal FREE email address? Is he giving away money through a business or organization? Is he looking to steal part of the money I'm supposedly getting and not using the organization email so he can skim his own profits, or is it just all FAKE?
  3. Further research into the email headers shows: Received: from 210-10-234-251.cust.static-ipl.aapt.com.au ([210.10.234.251] helo=lotterywin.com). Very interesting: it comes from some subscriber in Australia with a static IP address. Has this user or business been hacked, or is it some scammer's home? We shall look into this more.
  4. Let's take a look at the domain lotterywin.com and see what we find.

54.240.96.64.in-addr.arpa NS (Nameserver) ns2.uniregistrymarket.link
54.240.96.64.in-addr.arpa NS (Nameserver) ns1.uniregistrymarket.link
54.240.96.64.in-addr.arpa A (Address) 69.172.201.153
54.240.96.64.in-addr.arpa SOA (Zone of Authority)
Primary NS: ns1.uniregistrymarket.link
Responsible person: hostmaster@hostingnet.com
serial:1549383494
refresh:10800s (3 hours)
retry:3600s (60 minutes)
expire:604800s (7 days)
minimum-ttl:86400s (24 hours)
ns2.uniregistrymarket.link NS (Nameserver) ns2.uniregistrymarket.link
ns2.uniregistrymarket.link NS (Nameserver) ns1.uniregistrymarket.link
ns2.uniregistrymarket.link A (Address) 69.172.201.153
ns1.uniregistrymarket.link NS (Nameserver) ns2.uniregistrymarket.link
ns1.uniregistrymarket.link NS (Nameserver) ns1.uniregistrymarket.link
ns1.uniregistrymarket.link A (Address) 69.172.201.153

I find it very interesting that no email server (MX) records exist in DNS for this domain, and yet it is sending email. So now we know that the email address Mercedesbenzworld@lotterywin.com is completely FAKE!!! I also find it interesting that this all goes back to a domain registry ending in .link, which I have yet to see anything legitimate attached to as well. The .link TLD sends 100% junk and scam emails....

  5. When I do a WHOIS domain query on lotterywin.com I get:

lotterywin.com is available! This premium* domain is up for resale. It may be purchased immediately for $27,300

NOW THIS IS INTERESTING. It also shows that this scammer's domain was shut down, or it was another person's domain that they never renewed; however, other research shows this domain doesn't expire till 2020. I find this a RED FLAG!! I'm betting this domain was shut down for fraud.

  6. Researching the phone number, many sites list it as fraudulent.

QUICK BREAK DOWN

A) The email comes from a static IP address that does not accept incoming email; however, they run an email server which is set up using the domain name lotterywin.com. PROOF: Received: from 210-10-234-251.cust.static-ipl.aapt.com.au ([210.10.234.251] helo=lotterywin.com). The HELO is from the fake email server, and I would also say this is at the fraudster's home or fake place of business, especially since, looking into the IP address deeper, I also find that this is not the first domain they have used to SCAM people with.

B) The domain does not have any configuration for accepting incoming email. MAJOR RED FLAG!!

C) I find info that the domain existed at 216.6.90.14 & 69.172.201.153. This domain was shut down either because hosting expired or for fraud. The domain does not expire till 2020 and yet is up for sale. I'm leaning towards FRAUD being the reason this was shut down.

D) Now we get into the REPLY-TO email address, which is a YAHOO email. With all the information that I have found, I can pretty much guarantee 100% that this is a SCAM!!! The domain this email comes from doesn't exist, yet these fraudsters are still using it and have an email server personally configured to use this domain from their location in Australia, which is why they use a public email address from YAHOO, which also most likely contains fraudulent user information. I find it interesting that this person has not been shut down yet: the IP ADDRESS has been blacklisted and they are still running this scam. Most of all, I find it disturbing that no authorities in Australia have done a thing to stop this, and this scam has been operating on multiple levels.
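As an added example (not code from the original post), here is a small Python checker that applies the red flags worked through above to the captured headers: the From/Reply-To domain mismatch, the HELO name versus the reverse DNS of the connecting IP, the missing MX record for the sender domain, and the untrusted TLDs. The DNS answers are embedded as a constructed table standing in for real lookups, and the recipient address is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers of the lottery email as quoted in the post,
# with the recipient replaced by a placeholder address.
RAW_HEADERS = """\
Received: from 210-10-234-251.cust.static-ipl.aapt.com.au ([210.10.234.251] helo=lotterywin.com)
From: Mercedesbenzworld@lotterywin.com
To: victim@example.invalid
Reply-To: barr.charlesconroy@yahoo.com

"""

# Constructed stand-in for the DNS answers quoted in the post: NS and A records
# exist for the sender domain, but no MX. A real checker would query DNS here.
DNS_RECORDS = {
    "lotterywin.com": {"NS": ["ns1.uniregistrymarket.link", "ns2.uniregistrymarket.link"],
                       "A": ["69.172.201.153"]},
}

# TLDs the post recommends treating as untrusted.
UNTRUSTED_TLDS = {"info", "science", "top", "link"}

# Matches "from <rdns> ([<ip>] helo=<name>)" in a Received header.
HELO_RE = re.compile(r"from\s+(\S+)\s+\(\[(\d+\.\d+\.\d+\.\d+)\]\s+helo=(\S+)\)", re.I)

def domain_of(addr):
    # Domain part of an address header value, lowercased ('' if absent).
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def analyze(raw, dns):
    # Return the list of red flags found in the raw headers, given a DNS table.
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    m = HELO_RE.search(msg.get("Received", ""))
    if m:
        rdns, ip, helo = m.groups()
        # Simplified check: the reverse DNS name should end with the HELO name.
        if not rdns.lower().endswith(helo.lower()):
            flags.append(f"HELO {helo} does not match reverse DNS {rdns} for {ip}")
    if not dns.get(from_dom, {}).get("MX"):
        flags.append(f"no MX record for {from_dom}: domain cannot receive mail")
    for name in sorted({from_dom, reply_dom, *dns.get(from_dom, {}).get("NS", [])}):
        tld = name.rsplit(".", 1)[-1]
        if tld in UNTRUSTED_TLDS:
            flags.append(f"{name} uses untrusted TLD .{tld}")
    return flags
```

On the captured headers this reports five flags; on a constructed clean message whose HELO matches its reverse DNS and whose domain has an MX record it reports none.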

BACK TO TLDs

Unfortunately SCAMS & SPAM appear to be the trend for these new dubious TLDs. .science will not be related to anything legitimately science based, as it was supposed to be, and some of these other TLDs, with their spam and malicious activities, will never be what they were intended to be. I am assuming that the people maintaining these TLDs don't really care who they sell these to as long as they make money. It's very sad when a TLD allows so much malicious activity to occur and poisons its own waters (destroys its own business). What will happen, and is already happening, is that many of these new TLDs are being completely blacklisted by email systems to prevent spam and malicious content from getting into their networks.

It is my opinion that this will also be the demise of some of these TLDs that do not have policies in place to protect their TLD from corruption (misuse) and abuse. In the long run I foresee that they will be worthless, as many people will ignore or just block all emails from and access to these TLDs, and this demise will only be the fault of the companies who have dirtied their own waters through their mismanagement of these TLDs.

Two examples of TLDs that control and maintain their TLD with proper management and policies to protect and maintain the TLD's credibility:

  1. If you are not a school or education system, then you're unable to get a .edu
  2. If you are not a government entity, then you're unable to get a .gov

In my opinion, if your TLD is .science then everyone using this TLD should be related to science in some form and not related to lottery scams, for one. When we start getting into detailed TLDs I feel strict policies should be in place for these TLDs to make sure they serve the content that the TLD was meant for. This also leads into larger frauds that can happen if these new TLDs don't get their act together.

For example, what if we had the TLD .doctor? You sure would hope everyone you're dealing with would be real doctors and not some scam artist pretending to be a doctor. You would also hope that the TLD maintainer would put policies in place to make sure that it was real doctors or medical facilities using this .doctor TLD, to protect its reputation as a TLD for one and to maintain respect and trust for such a TLD operator.

These TLDs I consider worthless; they have destroyed their own reputation. I suggest all internet users block and not trust these TLDs:

  1. .info
  2. .science
  3. .top
