[clamav-users] clamav-users Digest, Vol 150, Issue 19
Paul Kosinski
clamav-users at iment.com
Fri Jun 2 02:53:47 UTC 2017
I, too, get very annoyed by companies that use more than one domain at
the first level: it seems that relatively few companies do it the "way
it was intended", via a subdomain. Even Google (who ought to know
better) has several extra first level domains, like gstatic.com,
1e100.net (ha, ha) etc., and 1e100.com is *not* Google (remember
whitehouse.com?).
The only reason I can see as being valid for having more than one
primary domain is where one organization absorbs another, and they both
were too well known to discontinue either domain. Perhaps domains are
dictated by marketing people, rather than security conscious network
experts?
(Even in the case of huge organizations like Google, I think having
a sufficient number of name-servers avoids any DNS overload issues.)
On Thu, 1 Jun 2017 09:01:17 -0700
Dennis Peterson <dennispe at inetnw.com> wrote:
> If I were to have gotten a suspicious message notice from
> epl.paypal-communication.com and gone through a whois, nslookup,
> whois (ip address), dig txt paypal-communication.com, dig mx
> paypal-communication.com, dig mx epl.paypal-communication.com routine
> I would have found a very suspicious pedigree and I would add the IP
> and domain name to my blacklist. And that is exactly what I did.
> Businesses that send email that is indistinguishable from
> spam/phishing/obfuscation/cloaking/tracking don't deserve space in my
> systems. And because I'll not remember long that I did all this
> forensic investigation and was dissatisfied with the results, I go
> with the least-effort option of blocking. It is your problem to fix.
> Be obvious or be blocked. There's too much at risk.
>
> And including a link to a one-pixel (spacer1.gif) image, obviously a
> tracking beacon, in already suspect messages always looks more
> suspicious yet.
>
> dp
>
> On 6/1/17 1:19 AM, Outreach at epsilon.com wrote:
> > Hi Reindl and Al,
> >
> > Thank you for your feedback.
> >
> > The domain https://epl.paypal-communication.com is used by Paypal
> > for link tracking purposes in their emails. Their sending domains
> > are for example: mail.paypal.com, mail.paypal.co.uk, mail.paypal.fr
> > etc.
> >
> > To clarify, I work for Epsilon which is a major Email Service
> > Provider (www.epsilon.com) and Paypal use our platform to deploy
> > their emails, hence me contacting you about this delivery issue.
> >
> > I will pass back your feedback to Paypal so they can make a
> > decision on whether or not they will want to make any changes to
> > their emails moving forward.
> >
> > Best regards,
> >
> >
> > Anne-Sophie Marsh, Sr Email Deliverability Manager EMEA
> > T +44 2086143219 M +44 7469352383 Epsilon, 67 Broad Street,
> > Teddington TW11 8QZ, UK epsilon.com
> >
> >
> >
> > -----Original Message-----
> > From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net]
> > On Behalf Of Reindl Harald Sent: 01 June 2017 07:24
> > To: clamav-users at lists.clamav.net
> > Subject: Re: [clamav-users] clamav-users Digest, Vol 150, Issue 19
> >
> >
> >
> > On 01.06.2017 at 03:04, Al Varnell wrote:
> >> I made an attempt to determine whether
> >> epl.paypal-communication.com was a legitimate domain owned by
> >> PayPal with very mixed results.
> >>
> >> No WhoIs service could identify it directly
> > and here I stop reading - let me guess: you entered
> > "epl.paypal-communication.com" including the subdomain and/or used
> > some obscure website doing whois requests
> >
> >
> > [harry at srv-rhsoft:~]$ whois paypal-communication.com
> >
> > Whois Server Version 2.0
> >
> > Domain names in the .com and .net domains can now be registered
> > with many different competing registrars. Go to
> > http://www.internic.net for detailed information.
> >
> > Domain Name: PAYPAL-COMMUNICATION.COM
> > Registrar: MARKMONITOR INC.
> > Sponsoring Registrar IANA ID: 292
> > Whois Server: whois.markmonitor.com
> > Referral URL: http://www.markmonitor.com
> > Name Server: NS1.P57.DYNECT.NET
> > Name Server: NS2.P57.DYNECT.NET
> > Name Server: PDNS100.ULTRADNS.COM
> > Name Server: PDNS100.ULTRADNS.NET
> > Status: clientDeleteProhibited
> > https://icann.org/epp#clientDeleteProhibited
> > Status: clientTransferProhibited
> > https://icann.org/epp#clientTransferProhibited
> > Status: clientUpdateProhibited
> > https://icann.org/epp#clientUpdateProhibited
> > Updated Date: 05-mar-2017
> > Creation Date: 06-apr-2011
> > Expiration Date: 06-apr-2018
> >
> > >>> Last update of whois database: Thu, 01 Jun 2017 06:20:04 GMT <<<
> >
> > For more information on Whois status codes, please visit
> > https://icann.org/epp
> >
> > NOTICE: The expiration date displayed in this record is the date
> > the registrar's sponsorship of the domain name registration in the
> > registry is currently set to expire. This date does not necessarily
> > reflect the expiration date of the domain name registrant's
> > agreement with the sponsoring registrar. Users may consult the
> > sponsoring registrar's Whois database to view the registrar's
> > reported date of expiration for this registration.
> >
> > Domain Name: paypal-communication.com
> > Registry Domain ID: 1649488607_DOMAIN_COM-VRSN
> > Registrar WHOIS Server: whois.markmonitor.com
> > Registrar URL: http://www.markmonitor.com
> > Updated Date: 2017-03-05T02:14:48-0800
> > Creation Date: 2011-04-06T05:23:32-0700
> > Registrar Registration Expiration Date: 2018-04-06T00:00:00-0700
> > Registrar: MarkMonitor, Inc.
> > Registrar IANA ID: 292
> > Registrar Abuse Contact Email: abusecomplaints at markmonitor.com
> > Registrar Abuse Contact Phone: +1.2083895740
> > Domain Status: clientUpdateProhibited
> > (https://www.icann.org/epp#clientUpdateProhibited)
> > Domain Status: clientTransferProhibited
> > (https://www.icann.org/epp#clientTransferProhibited)
> > Domain Status: clientDeleteProhibited
> > (https://www.icann.org/epp#clientDeleteProhibited)
> > Domain Status: serverUpdateProhibited
> > (https://www.icann.org/epp#serverUpdateProhibited)
> > Domain Status: serverTransferProhibited
> > (https://www.icann.org/epp#serverTransferProhibited)
> > Domain Status: serverDeleteProhibited
> > (https://www.icann.org/epp#serverDeleteProhibited)
> > Registry Registrant ID:
> > Registrant Name: Domain Administrator
> > Registrant Organization: PayPal Inc.
> > Registrant Street: 2211 North First Street,
> > Registrant City: San Jose
> > Registrant State/Province: CA
> > Registrant Postal Code: 95131
> > Registrant Country: US
> > Registrant Phone: +1.8882211161
> > Registrant Phone Ext:
> > Registrant Fax: +1.4025375774
> > Registrant Fax Ext:
> > Registrant Email: hostmaster at paypal.com
> > Registry Admin ID:
> > Admin Name: Domain Administrator
> > Admin Organization: PayPal Inc.
> > Admin Street: 2211 North First Street,
> > Admin City: San Jose
> > Admin State/Province: CA
> > Admin Postal Code: 95131
> > Admin Country: US
> > Admin Phone: +1.8882211161
> > Admin Phone Ext:
> > Admin Fax: +1.4025375774
> > Admin Fax Ext:
> > Admin Email: hostmaster at paypal.com
> > Registry Tech ID:
> > Tech Name: Domain Administrator
> > Tech Organization: PayPal Inc.
> > Tech Street: 2211 North First Street,
> > Tech City: San Jose
> > Tech State/Province: CA
> > Tech Postal Code: 95131
> > Tech Country: US
> > Tech Phone: +1.8882211161
> > Tech Phone Ext:
> > Tech Fax: +1.4025375774
> > Tech Fax Ext:
> > Tech Email: hostmaster at paypal.com
> > Name Server: ns2.p57.dynect.net
> > Name Server: pdns100.ultradns.com.
> > Name Server: ns1.p57.dynect.net
> > Name Server: pdns100.ultradns.net.
> > DNSSEC: signedDelegation
> > URL of the ICANN WHOIS Data Problem Reporting System:
> > http://wdprs.internic.net/
> > >>> Last update of WHOIS database: 2017-05-31T23:20:11-0700 <<<
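The lookup routine Dennis and Reindl describe, reduced to its offline part as an added example (this is not code from the list or from any of the posters): it strips the subdomain so WHOIS is asked about the registered name rather than "epl.paypal-communication.com", parses a WHOIS record into fields, and lists the points a defender would weigh before deciding whether to block. The first record is constructed from the registrar output quoted above; the second is a hypothetical lookalike under the reserved .test TLD. The function names, the two-label rule for the registrable domain, the 90-day age threshold and the "expected organization" check are assumptions of this example, not anything the thread specifies.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the registrar-level WHOIS record for
# paypal-communication.com as quoted in the thread, trimmed to the
# fields the triage below reads.
SAMPLE_WHOIS = """\
Domain Name: paypal-communication.com
Registry Domain ID: 1649488607_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2017-03-05T02:14:48-0800
Creation Date: 2011-04-06T05:23:32-0700
Registrar: MarkMonitor, Inc.
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Registrant Name: Domain Administrator
Registrant Organization: PayPal Inc.
Registrant Email: hostmaster at paypal.com
Name Server: ns2.p57.dynect.net
Name Server: pdns100.ultradns.com.
Name Server: ns1.p57.dynect.net
Name Server: pdns100.ultradns.net.
DNSSEC: signedDelegation
"""

# Constructed counter-example (hypothetical names under the reserved .test
# TLD): a fresh registration with the organization withheld and no DNSSEC.
SUSPECT_WHOIS = """\
Domain Name: example-lookalike.test
Creation Date: 2017-05-20T00:00:00+0000
Registrant Organization:
Name Server: ns1.example.test
DNSSEC: unsigned
"""

# The date of the thread is used as "now" so the results are reproducible.
ANALYSIS_DATE = datetime(2017, 6, 1, tzinfo=timezone.utc)
MIN_AGE_DAYS = 90  # assumed threshold, not taken from the thread


def registrable_domain(hostname: str) -> str:
    """Reduce a hostname to the name WHOIS actually knows about.

    Assumption: the registrable domain is the last two labels, which holds
    for .com/.net/.test but not for e.g. paypal.co.uk; a production tool
    should consult the Public Suffix List instead.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines into a dict; keys that repeat (Name Server,
    Domain Status) collect into a list. Lines without a key are skipped."""
    record: dict = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def as_list(value) -> list:
    """Normalise a parsed field to a list (absent -> [], single -> [x])."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def triage(hostname: str, whois_text: str, expected_org: str,
           now: datetime = ANALYSIS_DATE) -> dict:
    """Summarise the WHOIS record for the registrable domain of `hostname`
    and list the points that would make a defender suspicious."""
    domain = registrable_domain(hostname)
    rec = parse_whois(whois_text)
    findings = []

    if rec.get("Domain Name", "").lower().rstrip(".") != domain:
        findings.append("record is not for the queried domain")

    created = datetime.strptime(rec["Creation Date"], "%Y-%m-%dT%H:%M:%S%z")
    age_days = (now - created).days
    if age_days < MIN_AGE_DAYS:
        findings.append(f"domain registered only {age_days} days ago")

    org = rec.get("Registrant Organization", "")
    if not org:
        findings.append("registrant organization withheld")
    elif expected_org.lower() not in org.lower():
        findings.append(f"registrant is {org!r}, not {expected_org!r}")

    if rec.get("DNSSEC", "unsigned").lower() != "signeddelegation":
        findings.append("zone is not DNSSEC-signed")

    nameservers = sorted(ns.lower().rstrip(".")
                         for ns in as_list(rec.get("Name Server")))
    return {
        "queried": hostname,
        "domain": domain,
        "registrar": rec.get("Registrar", ""),
        "registrant_org": org,
        "age_days": age_days,
        "nameservers": nameservers,
        "findings": findings,
    }


if __name__ == "__main__":
    for host, text in (("epl.paypal-communication.com", SAMPLE_WHOIS),
                       ("track.example-lookalike.test", SUSPECT_WHOIS)):
        result = triage(host, text, expected_org="PayPal")
        print(host, "->", result["domain"], result["findings"] or "no findings")
```

Run against the quoted record, the PayPal domain produces no findings (registered in 2011 to PayPal Inc., DNSSEC-signed, MarkMonitor as registrar), while the constructed lookalike trips the age, organization and DNSSEC checks. The output is a summary to read before blocking, not a verdict: a clean WHOIS record is necessary but not sufficient, and the MX/TXT lookups Dennis lists still have to be done online.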