Tuesday, August 31, 2010

"Bindaas Spaces" Spam from India

For years I have been tracking an India-based spam operation which I'll call "Bindaas Spaces" (based on one of its primary domains).  Very little information about this spam ring has been published online to date; most of the information you'll find comes from my reports on McAfee SiteAdvisor and Web of Trust.  The organization has been spamming since October 2007 if not earlier.  Their unsubscribe request pages are not functional, meaning once you've been added to their list, there's no way to opt out.  Their primary domain registrar, Net 4 India, has completely ignored all spam and abuse reports that I have submitted.

I intend to update this blog post in the future whenever I discover new domains related to this spam ring.  If you have been spammed by this group, please see the "How to Report Spam from This Organization" section below.

Affiliated Domains

Following is a list of all the domains I'm aware of that this organization has linked or advertised in their spam.  I've included some relevant links to McAfee SiteAdvisor, Web of Trust, DNS-BH, Threat Log, and/or URLVoid reports for these domains.  Many of the domains listed below are (or have previously been) classified as "Red" or "Yellow" by McAfee due to "suspicious behavior," potential security risks, spam, and/or excessive popups:
  • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow because "[McAfee's] analysis found that this site may be promoted through spammy e-mail." - listed on DNS-BH as "malspam" - currently listed as a Spam threat on Threat Log - also listed on SpamCop:
  • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow for pop-ups - listed on DNS-BH as "malspam" - currently listed as a Spam threat on Threat Log - also on Joe Wein's spam blacklist:
  • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow for pop-ups - listed on DNS-BH as "malspam" - also currently listed as a Spam threat on Threat Log:
    • mysnapfish .info (McAfee SiteAdvisor, Web of Trust, DNS-BH, Threat Log, URLVoid; note the unethical and deceptive use of HP trademark "Snapfish"; I reported this trademark violation and the domain was shut down, but it has since been registered by a different person/organization who now operates the site)
  • Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - listed on DNS-BH as "malspam" - also currently listed as a Spam threat on Threat Log:
  • Currently listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution." - also currently listed as a Spam threat on Threat Log:
  • Currently listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
    • bombaytimes .info (McAfee SiteAdvisor; domain expired 27 Aug 2010 and is no longer registered as of 12 Oct 2010)
  • Currently listed as a Spam threat on Threat Log - currently listed as Yellow by McAfee: "When we browsed this site we received several pop-ups." - also previously listed as Yellow because "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
  • Currently listed as a Spam threat on Threat Log - also formerly listed as Red by McAfee: "extremely high number of pop-ups":
  • Currently listed as Yellow by McAfee: "When we browsed this site we received several pop-ups." - also previously listed as Yellow because "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
  • Formerly listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":
  • Other domains (no known record of poor ratings or user reports aside from my own):
    • abhinavinst .com (Web of Trust; advertised via bindaasspaces affiliate spam on 22 June 2012)
    • click4offers .co.in (Web of Trust; advertised via bindaasspaces affiliate spam on 22 June 2012)
    • go4fun .co.in (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 24 March 2011)
    • ckick2join .co.in (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 24 February and 5 March 2011)
    • bestforyou .co.in (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 16 February 2011)
    • foodconnect .co.in (McAfee SiteAdvisor; advertised via bindaasspaces affiliate spam on 7 February 2011)
    • fashnvia .com (McAfee SiteAdvisor; advertised via bindaasworld affiliate spam on 20 January 2011)
    • fashionnglamour .com (McAfee SiteAdvisor; advertised via bindaasplanet affiliate spam on 7 January 2011)
    • taamjhaam .co.in (McAfee SiteAdvisor; advertised via bindaasworld affiliate spam on 15 December 2010)
    • fropper .com (McAfee SiteAdvisor, URLVoid; advertised via bindaaspoll affiliate spam on 12 October 2010)
    • clubmahindra .com (McAfee SiteAdvisor, URLVoid; note that this domain currently has a Light Green rating on the community-operated Web of Trust site, which may indicate that a few people might feel that the site is legitimate in spite of having been affiliated with a spam ring)
    • bindaasindya .com (McAfee SiteAdvisor)
    • experiencechange .co.in (McAfee SiteAdvisor; domain was pending deletion as of 31 Aug 2010 and is no longer registered as of 12 Oct 2010)
    • pehechankaun .com (McAfee SiteAdvisor; domain expired 19 Jul 2010)
    • chouwmouw .com (McAfee SiteAdvisor; domain expired 3 Jul 2010)
    • meragang .org (McAfee SiteAdvisor; domain is no longer registered)

How to Report Spam from This Organization

Please report this spam to the domain registrar by forwarding unsolicited e-mails that either contain links to or are sent from these domains (or redirect to/through one of these domains) to the registrar's abuse address. The most common registrar for these domains is Net 4 India Limited, whose abuse addresses are abuse@net4.in, abuse@net4domains.com, and abuse@net4india.net.  So far all of my reports to Net 4 India have been ignored.  I have also begun including CERT-In (the Indian Computer Emergency Response Team, info@cert-in.org.in) in the recipients list to inform them about the spam problem and Net 4 India's lack of response, providing a link to this article for reference.

These spammers violate CAN-SPAM by sending unsolicited commercial e-mail that does not contain functional opt-out instructions, does not clearly state that it's an advertisement, and never contains a postal mailing address. United States residents who receive any junk mail in violation of the CAN-SPAM Act should forward the e-mail to spam@uce.gov.

Please report spam to the anti-spam site KnujOn by forwarding the spam to nonregistered@coldrain.net.

If you receive spam that links to one of these domains through a bit.ly redirect URL, please forward the spam to abuse@bit.ly.  Thankfully, bit.ly takes spam reports seriously and will often put up an interstitial warning page when users click on a spammed bit.ly URL.  However, so far bit.ly hasn't shut down the spam group's bit.ly account; their account page with a list of several of their links can be found here: https://bit.ly/u/funnyjoke — note that a couple of their spammed links have gotten more than 100,000 clicks, and several others have had tens of thousands of clicks.

If you receive spam that links to one of these domains through a tiny.cc redirect URL, please e-mail tinylink@gmail.com and be sure to paste the offending tiny.cc links and a description of the spam in question.  Be aware that since tiny.cc uses Gmail, forwarding spam to their address may result in your e-mail being delivered to their spam folder and automatically deleted after 1 month; previously I assumed that reports to tiny.cc were being ignored, but the site owner finally made contact with me on 11 January 2011 and removed all of the previously reported tiny.cc URLs.

Also, please add a comment to this post if you have been spammed by the Bindaas Spaces operation, and share any affiliated domains you've seen linked in their spam (don't link to them, just paste the domain in plain text).
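
One way to automate the triage described in this section, added here as an example and not part of the original post: it checks a message's sender and link hosts against a few of the listed domains and returns the report addresses given above. It assumes a matched domain is registered with Net 4 India (the post's "most common registrar") and does not resolve shortener redirects; `triage`, `hosts_in`, `under` and the sample message are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# A few domains from the post's list, kept defanged the way the post writes them.
LISTED = ["mysnapfish .info", "go4fun .co.in", "fashnvia .com", "taamjhaam .co.in"]
AFFILIATED = {d.replace(" ", "").lower() for d in LISTED}

# Report addresses as given in the post. Assumption: the domain is with Net 4 India.
REGISTRAR = ["abuse@net4.in", "abuse@net4domains.com", "abuse@net4india.net",
             "info@cert-in.org.in"]
KNUJON = ["nonregistered@coldrain.net"]
SHORTENERS = {"bit.ly": "abuse@bit.ly", "tiny.cc": "tinylink@gmail.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)

def under(host, domain):
    """True if host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def hosts_in(msg):
    """Yield the lower-cased hostname of every http(s) URL in the text parts."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            yield (urlsplit(url).hostname or "").lower()

def triage(raw_message):
    """Return matched domains, shortener hosts seen, and where to report."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = set(hosts_in(msg)) | {sender}
    matched = sorted(d for d in AFFILIATED if any(under(h, d) for h in hosts))
    short = sorted(s for s in SHORTENERS if any(under(h, s) for h in hosts))
    # Redirect targets are not resolved: a shortener link with no other match
    # is only flagged in "shorteners" for manual review, not reported.
    to = REGISTRAR + KNUJON + [SHORTENERS[s] for s in short] if matched else []
    return {"matched": matched, "shorteners": short, "report_to": to}

# Constructed sample message (not a real captured e-mail).
SAMPLE = """From: "Offers" <news@mail.go4fun.co.in>
Subject: constructed sample

See http://www.fashnvia.com/deal and http://bit.ly/EXAMPLE today.
"""
print(triage(SAMPLE))
```

For tiny.cc the post asks for the links and a description pasted into a new e-mail rather than a forward, so treat that address as a prompt to write the report by hand.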

UPDATE, 13 Oct 2010: Added fropper .com, Threat Log and DNS-BH listings, updated McAfee classifications, etc.
UPDATE, 18 Oct 2010: Added timesjobs .com.
UPDATE, 15 Dec 2010: Added taamjhaam .co.in and updated McAfee classification for eazeejob .com.
UPDATE, 10 Jan 2011: Added fashionnglamour .com and changed all SiteAdvisor, WOT, and bit.ly URLs to HTTPS.
UPDATE, 31 Mar 2011: Added fashnvia .com, foodconnect .co.in, bestforyou .co.in, ckick2join .co.in, and go4fun .co.in, and clarified how to properly report spammed tiny.cc links.
UPDATE, 1 Jul 2012: Added click4offers .co.in and abhinavinst .com. Fixed Threat Log URLs.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.