Cyberbullying Report
Anti-Bullying and Internet Safety Services
Stop Letting Them Get Away with It!

Child Porn Link Spam Emails From Bots via WPForms

Child Porn Link Spam Emails From Bots via WPForms
Child Porn Link Spam Emails From Bots via WPForms
Report #: 5467 - 0 Comments
Date Reported: Tuesday, April 28, 2020
Status: Active and Ongoing
Severity: Low - Private Harassment
Primary Weapon: Email
Specific Location: Stromstrae 5
City/Local Area: Berlin
State/Territory: Germany
Region: Europe

Today I received an email claiming to contain a link to child porn. I did not click on the link because I do not want to see what it is. Whatever it is it is probably malicious. In my experience when someone declares himself to be a sex offender you take his word for it. Part of the message with the URL redacted reads as follows can be seen in the screenshot uploaded with this article. I am not including any of the copy from the email in the text of this page for obvious reasons. Beyond just keeping people from finding the URL I believe that the phrases are considered poison by search engines. A sign of malicious content that search engines don't want to send their users to, so just look at the screenshot and you will see what I am talking about.


As you can clearly see this individual is advertising child pornography. If this advertising is in fact true then this person is committing a very serious crime. It does not matter where they are because every country has laws against child molestation, exploitation, and pornography. Unfortunately for society this person or group is using a Tor node to distribute their malicious spam.


This message was received via a contact form on a website created using WPForms at https://tncopwatch.com/contact-us/ after a bot spammed the form. A common form of spamming is to program bots to find contact forms on websites, fill them out, and submit it.


The message header contained the following partially redacted information:


To: *********[at]tncopwatch.com

Subject: New Entry: Simple Contact Form

X-PHP-Script: tncopwatch.com/index.php for 212.21.66.6

X-PHP-Originating-Script: 1004:class-phpmailer.php

Date: Mon, 27 Apr 2020 19:30:11 +0000

From: The National Cop Watch Report *********[at]tncopwatch.com

Reply-To: normanht11akio6610.yuji46.gleella.buzz

Message-ID: df812ffa88b0543a170bd37820859f80tncopwatch.com

X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)


The IP address 212.21.66.6 from the X-PHP-Script header is the only information that can be found about the source. If you do a background check on the IP address (see the offsite link titled "IP Address Background Check" above this article below the location) you will find the following:


Details for 212.21.66.6

IP: 212.21.66.6

Decimal: 3558162950

Hostname: tor-exit-4.all.de

ASN: 44716

ISP: D-hosting die Rackspace & Connectivity GmbH

Organization: D-hosting die Rackspace & Connectivity GmbH

Services: Confirmed proxy server

Tor exit node

Recently reported forum spam source. (1118)

Type:Corporate

Assignment:Likely Static IP


User feedback about this IP address includes the following:


Multiple failed login attempts to our Wordpress site. - 2015-10-14

usual hacker stuff - 2015-12-16

suspicious activity every morning - 2016-03-11

Yes, they are hacking or sending very obscene emails to everybody. It's a very miserable. - 2016-03-24

SQL Injection hack attempts on 3/30/16 - 2016-03-30

Registered with italian obscene name on my site. - 2016-05-13

Magento hacker - 2017-01-26

Hacker - too many bad login attempts - 2017-04-05

SQL injection attempted - 2018-07-15


Like one user said they are "sending very obscene email to everybody. It's very miserable." Judging by that comment it appears that someone must have clicked on the link and found something awful.


The WhoIs information for the domain in the link is as follows:


Whois Record for ************.com

How does this work?

Domain Profile

Registrant: DANESCO TRADING LTD

Registrant: OrgDANESCO TRADING LTD.

Registrant: Countrycy

Registrar: DANESCO TRADING LTD Danesco Trading Ltd.

IANA ID: 1418

URL: https://danesconames.com/,http://www.danesconames.com

Whois Server: whois.danesconames.com


(p)

Registrar Status: clientDeleteProhibited, clientTransferProhibited

Dates: 527 days old

Created on 2018-11-18

Expires on 2020-11-18

Updated on 2019-11-03

Name Servers: CHERYL.NS.CLOUDFLARE.COM (has 22,059,459 domains)

LEE.NS.CLOUDFLARE.COM (has 22,059,459 domains)

Tech ContactDANESCO TRADING LTD

DANESCO TRADING LTD.

157, Archbishop Makarios Ave, office 1,

Limassol, 3026, cy


(p) (f)

IP Address: 104.24.126.43 - 569 other sites hosted on this server

IP Location: United States Of America - Texas - Dallas - Cloudflare Inc.

ASN: United States Of America AS13335 (registered Jul 14, 2010)

Domain Status: Registered And Active Website

IP History5 changes on 5 unique IP addresses over 2 years

Registrar History1 registrar

Hosting History1 change on 2 unique name servers over 2 years

Website

Website Title Watch Best Porn Videos online for free

Server Typecloudflare

Response Code200

Terms906 (Unique: 367, Linked: 882)

Images4 (Alt tags missing: 4)

Links364 (Internal: 364, Outbound: 0)



---End of Record--


Since that domain is registered in the United States I'm now thinking someone must be abusing that site to distribute child porn. I forwarded the email to the domain contact address but have not gotten a response.


There Are 0 Comments

Login to Comment
 
 

Insert Loader
Your Data is Uploading...