Franklin Veaux (tacit) wrote,
Franklin Veaux
tacit

  • Mood:

eAffiliate Marketing Spam: How It Works

A short while ago, I blogged about why I'm moving off Namecheap as my domain registrar. In the past six or seven months, I've received a tidal wave of spam advertising domains hosted on Namecheap, and their abuse team has proven to be remarkably incompetent at dealing with the problem.

The flood continues unabated. Diet pills, life insurance quotes, ultra-right-wing conspiracy sites, Home Depot windows...everything and anything you can imagine getting spam for, all of it advertising Namecheap-hosted sites.

I've been logging all the spam, and doing a bit of digging. The Namecheap domains are being registered at a fantastic clip, scores a day, each one used in spam runs for perhaps 24 to 48 hours before being rotated to a new one. And, interestingly, the domains are all registered in the clear rather than through a privacy service, so the registrant information is plainly visible.

These domains--scores and scores and scores of them--all have the same information:

whois healthybodynewletter.us
Domain Name: HEALTHYBODYNEWLETTER.US
Domain ID: D49677935-US
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Registrar URL (registration services): whois.enom.com
Domain Status: clientTransferProhibited
Variant: HEALTHYBODYNEWLETTER.US
Registrant ID: 377EE235E374635C
Registrant Name: Coloplatinum Hosting Coloplatinum Hosting
Registrant Organization: Coloplatinum Hosting
Registrant Address1: PO Box 96503
Registrant City: Washington
Registrant State/Province: DC
Registrant Postal Code: 20090
Registrant Country: United States

A quick Google search for "Coloplatinum Hosting" turns up this page on Spamhaus. Coloplatinum Hosting is one of many business names used by a well-known and extremely prolific spammer named Mike Boehm.

I kept digging, using programs like wget to visit the Spamvertised domains. The links in the spam emails lead to domains hosted by Namecheap Hosting, which redirect to click-trackers hosted by various affiliate marketing companies, which in turn redirect to the actual spam sites--and there are zillions of them. Mike Boehm is a busy guy, and he will spamvertise anything. Amazon and Walmart gift cards. Laissez Faire Books, a right-wing Libertarian book store. Fundamentalist end-of-days Web sites. Quack "medicine" sites offering to cure diabetes, make you slim, and protect you from heart attacks. Woodworking sites. There is, it seems, just about nothing he won't spam.

I spent some time mapping out his spam network. It looks something like this:



I've received tons of spam from him in the past, using domains hosted all over the place. These days, he has chosen Namecheap as his registrar and host of choice; all the spam I'm receiving from him is currently hosted by Namecheap.

He is using three affiliate advertising tracking companies: Flex Marketing Group, Clickbank, and Clickbooth.

I've reached out to all three companies with spam reports. Clickbank has generally been pretty good about shutting down his affiliate codes, but they're not good at being proactive; in two or three days, he spamvertises more domains with fresh new Clickbank affiliate IDs.

Flex Marketing Group has what is on paper a very tough anti-spam policy. In practice, it's totally bogus. They have responded to email spam complaints by blocking me on social media, but haven't done anything else.

Clickbooth appears to be a "listwasher"--a company that assists spammers by removing the email addresses of people who complain about spam. Legitimate companies don't support spammers. Listwashers support spammers, permit spam, and assist the spammers in removing email addresses of people who are likely to complain about spam:



EDIT: The day after this post went live, I received the following email from Clickbooth:

Dear Franklin,

Thank you for your email. Please be advised that adding email addresses to suppression lists is only one of the actions taken in response to spam complaints. In the case referenced in your recent complaint, additional action was taken and the affiliate account was terminated. If you have additional questions about Clickbooth compliance our full set of guidelines may be found here: http://support.clickbooth.com/support/solutions/folders/146482.


So it appears Clickbooth is indeed proactive about dealing with spammers. Score one for the good guys!


The affiliate marketing companies then redirect to the actual sites, and in the process generate money for the spammer.

The flow of money looks like this:



Namecheap appears to be getting a reputation for supporting spammers. I looked at their Wikipedia entry, and it has this line (and no, I didn't write it; I don't even have a Wikipedia account):



It's not hard to see why. Mike Boehm spends a lot of money on domain registrations, buying them by the dozens. Each one is used in one or two spam runs. Namecheap eventually shuts them down, sometimes, after weeks or months have gone by, but in the meantime he's registered way more. Based on the number of spam emails I'm receiving, typically 16-22 per day 5 days a week, and the type of registration (.us domains are currently his favorite), Namecheap is making at least $24,000 a year from him. That's a conservative estimate; I probably don't personally receive examples of every one of his spam runs.

So it's no surprise that Namecheap is slow to close his domains, and reluctant to do so. They consistently find all kinds of excuses not to disable all the spam domains he uses. Here are some emails I've received from Namecheap, typically a month or so after I file a spam report:



Well, yes, he isn't sending the spam emails themselves from the spamvertised domains; almost no spammers do that.



Apparently, Namecheap waits for anti-spam services to blacklist a domain before they'll suspend it...by which time the spammer has long since moved on to advertising the next domain.




This spam system depends on the cooperation of a number of different people and organizations, some of whom are actively or tacitly complicit, others of whom are likely completely ignorant.

Companies like Walmart, T-Mobile, Amazon, Home Depot, and others probably don't know they're supporting a spammer. They set up affiliate programs with affiliate network companies they believe to be reputable, and naively don't pay close attention to how those affiliate programs are run.

Companies like Flex Marketing are more actively complicit. They receive money for every click or every purchase from the affiliate marketers--you get a spam email advertising new windows from Home Depot or offering life insurance quotes from Fidelity Life, click the link, and those companies pay money to Flex Marketing or Clickbooth or Clickbank. Flex Marketing, Clickbooth or Clickbank then pay some of that money to Mike Boehm for the referral.

The affiliate marketing companies--Flex Marketing, Clickbooth and Clickbank--are aware of what's going on, but take action only after spam is reported (Clickbank) or not at all (Flex Marketing).

Of course, the less reputable sites--the ones selling fake heart attack medications, phony diabetes cures, videos about the coming Apocalypse, books on how the US government is planning to kill all the Christians, gambling sites, and so on--are absolutely aware they're being advertised by spam, and they don't care. (The fact that companies like Flex Marketing, Clickbooth and Clickbank accept them as customers is pretty telling.)

So Namecheap hosts spam sites, affiliate marketing companies monetize the clicks on spam emails, some of that money goes to the spammer, and some of that money is retained by the affiliate marketing companies. The money ultimately comes from legitimate businesses such as Home Depot and T-Mobile or fringe sites selling fake medications or online gambling, who get it from people who sign up for their services or buy their products.

I have reached out to the companies who support this particular spammer by email and social networking and invite their comments on this entry.
Tags: computer security
Subscribe
  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 8 comments