Since the advent of .top, .stream, and .download domains there has been a plethora of new spam emails that are flooding the Internet. This result comes from cheap hosting accounts available from many providers. Hosting providers have no incentive, however, to stop this because they are making money from hosting questionable accounts, and there are technical and legal challenges to stopping spam.
Spotting the scam emails is pretty easy, they usually come from strange addresses ending in .top, .stream, or .download, but can be from other domains with entreaties to protect children, etc. Usually, but not always, the emails contain only images, and the links are very ephemeral. The most important thing you can do to protect yourself from these is to DISABLE REMOTE CONTENT (Google your specific email browser to get the information on how to do so). The next most important thing, other than marking them as spam and deleting them immediately, is to set filters that mark and delete email from .top, .stream, and .download domains.
By disabling remote content, the image that is usually enclosed in the spam email isn't downloaded. That prevents the compromised server these things redirect to from knowing that your email address is valid and being read. It can do so because as seen below, the embedded links in the email have a unique signature that is associated with your email address.
- From: Medical Alert Alarms <MedicalAlertAlarms@tennantly.stream> 10/3/2016 03:10 PM
Subject: Get The Protection Your Family Need (notice the incorrect grammar)
Email Link: http://www.tennantly.stream/l/lt9U29235X1227E/1428A7800LH42140XO1109G19…
Redirects to: <hidden link> http://www.tennantly.stream/tr9/14/29235/7800/42140/1109/195871823/inde…
Only works once because the link is ID encoded. After first use then you get Yahoo.com, or Youtube.com, etc., Pretty smart to prevent backhacking…
- From: Alaska Cruises <AlaskaCruises@vaudevilledj.stream> 10/3/2016 08:16 AM
Subject: Compare Amazing Alaska - Cruises - Deals.. (notice extra spaces, typos, incorrect grammar)
Email Link: http://www.vaudevilledj.stream/l/lt468D39418JN1832L/1879NO11928L241797I…
Redirects to: http://www.vaudevilledj.stream/tr13/9/39418/11928/241797/905/147850838/…
Another only works once link. Sends you to Lycos, Microsoft.com, etc., after first try.
- From: Harp-Approval-Partner <Harp-Approval-Partner@huugiol4.peadiao.top> 09/25/2016 09:47 AM
Subject: HARP Extended into 2016. Qualify To Save On Your Mortgage
Email Link: http://checkitout.peadiao.top/u/10116053
Redirect to: http://www.flowared.com/98cHPNJ8lNFIrRTYF47sK-s3oV7JTJEb3dX4L6tRXvY2gJ3…
IP Address: 188.8.131.52 Result: Page not found, already taken down.
As can be seen, from the link sent, you are uniquely identified…
- From: Private Jet Rentals Specials <Private.Jet.Rentals.Specials@efieu6a.ouchail.top> 09/17/2016 05:59 AM
Subject: Private Jet Rentals are more affordable than you thought
Email Link: http://checkitout.ouchail.top/clickhere IP: 184.108.40.206
Redirects to: http://privatejetrental.space/?acqsrc=MTk3MjgyMTM5ODYzODE4OO0kxjof%2Fya…
IP: 220.127.116.11 in Germany. Result: Error 400 Bad Request.
Again, uniquely identifies you…
- From: Making Children Safe <firstname.lastname@example.org> 10/3/2016 03:00 PM
Subject: Put this watch on your child's wrist and GPS track them with 2/way calling and alert if remove attempted.
Email Link: http://www.atechpk.com/ http://kids.atechpk.com/ IP: 18.104.22.168
Redirects to: http://decallium.com/0/0/0/b93d790c442809f00d8530ca129ff4a4/uh66
But Lynx won't follow those so we end here!
I'm waiting for my count of suspicious spam email to reach 100, then we're going to do some mapping to see who owns these sites and domains, who the hosting providers are, what the IP address and countries are, etc. There is a need to find out the commonalities between them to be able to effectively fight this scourge of the Internet. Safe emailing, folks!