Today I received an email claiming to contain a link to child porn. I did not click on the link because I do not want to see what it is; whatever it is, it is probably malicious. In my experience, when someone declares himself to be a sex offender, you take his word for it. Part of the message, with the URL redacted, can be seen in the screenshot uploaded with this article. I am not including any of the copy from the email in the text of this page, for obvious reasons. Beyond keeping people from finding the URL, I believe that the phrases are considered poison by search engines: a sign of malicious content that search engines don't want to send their users to. So just look at the screenshot and you will see what I am talking about.
As you can clearly see, this individual is advertising child pornography. If this advertising is in fact true, then this person is committing a very serious crime. It does not matter where they are, because every country has laws against child molestation, exploitation, and pornography. Unfortunately for society, this person or group is using a Tor exit node to distribute their malicious spam.
This message was received via a contact form, built with WPForms, on the website at https://tncopwatch.com/contact-us/ after a bot spammed the form. A common form of spamming is to program bots to find contact forms on websites, fill them out, and submit them.
The message header contained the following partially redacted information:
To: *********[at]tncopwatch.com
Subject: New Entry: Simple Contact Form
X-PHP-Script: tncopwatch.com/index.php for 212.21.66.6
X-PHP-Originating-Script: 1004:class-phpmailer.php
Date: Mon, 27 Apr 2020 19:30:11 +0000
From: The National Cop Watch Report *********[at]tncopwatch.com
Reply-To: normanht11akio6610.yuji46.gleella.buzz
Message-ID: df812ffa88b0543a170bd37820859f80tncopwatch.com
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
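A header block like the one above is what a site owner has to triage when a form-notification email looks suspicious. The following Python script is an added example, not code from this article, from WPForms or from PHPMailer. It parses a constructed notification message, pulls the client IP recorded in the X-PHP-Script header, checks it against a locally maintained exit-node list (here a one-entry set constructed for the example; in practice populate it from the Tor Project's published exit list), and flags a Reply-To domain that differs from the From domain, which is how the spammer's own domain ends up in a message the site sent to itself. The addresses and domains in the sample are placeholders; the IP 212.21.66.6 is the one from the header above.

```python
"""Triage a contact-form notification email from its headers.

Added example (not from the article, WPForms or PHPMailer). Assumptions:
- the X-PHP-Script header has the form "<host>/<script> for <client ip>",
  as in the notification quoted above (some mail wrappers append further
  addresses separated by commas; the first one is taken as the client);
- EXIT_NODES is a locally maintained set of exit-node IPs. The one-entry set
  below is constructed for the example; populate it from the Tor Project's
  published exit list in practice.
"""
import email
import ipaddress
import re
from email import policy
from email.message import Message
from typing import Optional

# Constructed sample message: placeholder addresses; header order and the
# X-PHP-Script client IP follow the notification quoted in the article.
SAMPLE_MESSAGE = """\
To: site-owner@example.com
Subject: New Entry: Simple Contact Form
X-PHP-Script: example.com/index.php for 212.21.66.6
X-PHP-Originating-Script: 1004:class-phpmailer.php
Date: Mon, 27 Apr 2020 19:30:11 +0000
From: Example Site <site-owner@example.com>
Reply-To: spammer@example.net
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)

(form body omitted)
"""

# Constructed exit-node list for the example.
EXIT_NODES = {"212.21.66.6"}

X_PHP_SCRIPT_RE = re.compile(r"\bfor\s+(.+?)\s*$")
ADDR_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def originating_ip(msg: Message) -> Optional[str]:
    """Client IP recorded in X-PHP-Script, or None if absent or unparsable."""
    value = msg.get("X-PHP-Script")
    if not value:
        return None
    match = X_PHP_SCRIPT_RE.search(str(value))
    if not match:
        return None
    first = match.group(1).split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))  # validates and normalises
    except ValueError:
        return None


def address_domain(value: Optional[str]) -> Optional[str]:
    """Domain part of the first address in a From/Reply-To header value."""
    if not value:
        return None
    match = ADDR_DOMAIN_RE.search(str(value))
    return match.group(1).lower() if match else None


def triage(raw_message: str, exit_nodes: set) -> dict:
    """Return the extracted fields plus a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    ip = originating_ip(msg)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    findings = []
    if ip is None:
        findings.append("no client IP recorded in X-PHP-Script")
    elif ip in exit_nodes:
        findings.append(f"client IP {ip} is on the exit-node list")
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
        )
    return {
        "ip": ip,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE, EXIT_NODES)["findings"]:
        print("finding:", finding)
```

Run on the sample, the script reports both findings: the client IP is on the exit-node list and the Reply-To domain does not match the sender. Neither check proves abuse on its own, but together they are enough to route a notification to a spam folder or to an abuse report rather than to a person's inbox.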
The IP address 212.21.66.6 from the X-PHP-Script header is the only information that can be found about the source. If you do a background check on the IP address (see the offsite link titled "IP Address Background Check" above this article, below the location), you will find the following:
Details for 212.21.66.6
IP: 212.21.66.6
Decimal: 3558162950
Hostname: tor-exit-4.all.de
ASN: 44716
ISP: D-hosting die Rackspace & Connectivity GmbH
Organization: D-hosting die Rackspace & Connectivity GmbH
Services: Confirmed proxy server
Tor exit node
Recently reported forum spam source. (1118)
Type: Corporate
Assignment: Likely Static IP
User feedback about this IP address includes the following:
Multiple failed login attempts to our Wordpress site. - 2015-10-14
usual hacker stuff - 2015-12-16
suspicious activity every morning - 2016-03-11
Yes, they are hacking or sending very obscene emails to everybody. It's a very miserable. - 2016-03-24
SQL Injection hack attempts on 3/30/16 - 2016-03-30
Registered with italian obscene name on my site. - 2016-05-13
Magento hacker - 2017-01-26
Hacker - too many bad login attempts - 2017-04-05
SQL injection attempted - 2018-07-15
As one user said, they are "sending very obscene email to everybody. It's very miserable." Judging by that comment, it appears that someone must have clicked on the link and found something awful.
The WhoIs information for the domain in the link is as follows:
Whois Record for ************.com
Domain Profile
Registrant: DANESCO TRADING LTD
Registrant Org: DANESCO TRADING LTD.
Registrant Country: cy
Registrar: DANESCO TRADING LTD Danesco Trading Ltd.
IANA ID: 1418
URL: https://danesconames.com/, http://www.danesconames.com
Whois Server: whois.danesconames.com
Registrar Status: clientDeleteProhibited, clientTransferProhibited
Dates: 527 days old
Created on 2018-11-18
Expires on 2020-11-18
Updated on 2019-11-03
Name Servers: CHERYL.NS.CLOUDFLARE.COM (has 22,059,459 domains)
LEE.NS.CLOUDFLARE.COM (has 22,059,459 domains)
Tech Contact: DANESCO TRADING LTD
DANESCO TRADING LTD.
157, Archbishop Makarios Ave, office 1,
Limassol, 3026, cy
IP Address: 104.24.126.43 - 569 other sites hosted on this server
IP Location: United States Of America - Texas - Dallas - Cloudflare Inc.
ASN: United States Of America AS13335 (registered Jul 14, 2010)
Domain Status: Registered And Active Website
IP History: 5 changes on 5 unique IP addresses over 2 years
Registrar History: 1 registrar
Hosting History: 1 change on 2 unique name servers over 2 years
Website
Website Title: Watch Best Porn Videos online for free
Server Type: cloudflare
Response Code: 200
Terms: 906 (Unique: 367, Linked: 882)
Images: 4 (Alt tags missing: 4)
Links: 364 (Internal: 364, Outbound: 0)
---End of Record---
Since that domain is registered in the United States, I'm now thinking someone must be abusing that site to distribute child porn. I forwarded the email to the domain contact address but have not gotten a response.