clickbank.net and bundleway.com

Hi,

Anyone have any info on either of these domains?

I have seen several recent web sites that had an iframe
that pointed to clickbank.net and "interesting" / hidden
links to bundleway.com.

Haven't found much of use in a quick search of Google,
except for a few claims of fraud against them. I suspect
that they are somehow related to affiliate programs?

TIA for anything you may be able to tell me!

Jon Kibler

Jon.Kibler@aset.com ("Jon R. Kibler") writes:

> Anyone have any info on either of these domains?
>
> I have seen several recent web sites that had an iframe
> that pointed to clickbank.net and "interesting" / hidden
> links to bundleway.com.
>
> Haven't found much of use in a quick search of Google,
> except for a few claims of fraud against them. I suspect
> that they are somehow related to affiliate programs?
>
> TIA for anything you may be able to tell me!

the nameservers who answered questions about bundleway.com in the last ~150
days were:

        216.129.109.1
        66.117.40.198
        205.234.154.1
        205.234.170.165
        63.219.151.3
        216.49.92.249

the A RR is stable, no flux at all. the nameservers are stable, also no flux.

1198886670 an bundleway.com IN A 1800,64.40.117.19 216.129.109.1
1197752951 ns bundleway.com IN NS 1800,ns0.dnsmadeeasy.com \
        1800,ns0.dnsmadeeasy.com.bundleway.com \
        1800,ns1.dnsmadeeasy.com \
        1800,ns1.dnsmadeeasy.com.bundleway.com \
        1800,ns2.dnsmadeeasy.com \
        1800,ns2.dnsmadeeasy.com.bundleway.com \
        1800,ns3.dnsmadeeasy.com \
        1800,ns3.dnsmadeeasy.com.bundleway.com \
        1800,ns4.dnsmadeeasy.com \
        1800,ns4.dnsmadeeasy.com.bundleway.com \
        216.129.109.1

note that there are no actual ".dnsmadeeasy.com.bundleway.com" nameservers,
so i suspect that somebody somewhere forgot a trailing "." or had the wrong
$ORIGIN or something. this is in the zone, or at least, it's in all answers
from the zone's servers, it's consistent enough that i expect it's in-zone
rather than some kind of dns load balancing error.

most traffic seen under clickbank.net is A RR responses, here are the top 10
out of ~4600 or so:

        roeib.4idiots.hop.clickbank.net
        mediafire.noadware.hop.clickbank.net
        mediafire.spywarebot.hop.clickbank.net
        mediafire.regsmart.hop.clickbank.net
        mediafire.adalert.hop.clickbank.net
        mediafire.regcure.hop.clickbank.net
        delusions.sharezone.hop.clickbank.net
        rvrsephone.phonesrch.hop.clickbank.net
        esearching.movies01.hop.clickbank.net
        vvllc2.phonesrch.hop.clickbank.net
  ...

it's pretty damning stuff. the nameservers who produce these are, in order
by frequency (downward):

        209.81.12.120
        209.81.12.121
        64.128.87.120
        64.128.87.121
        216.99.132.5
        216.99.132.104

(no overlap with the dnsmadeeasy.com nameservers shown earlier.) the A RR's
given by these *.hop.clickbank.net answers are always one of these three:

        900,209.81.12.132 900,209.81.12.133
        900,64.128.87.132 900,64.128.87.133
        900,209.81.12.134 900,209.81.12.135

that is, two A RRs in an RRset, TTL 900. the first two are overwhelmingly
more frequent than the third one. looks like some kind of load balancing.

there's a similar but less frequent pattern, *.pay.clickbank.net, whose A RRs
are always one of these two sets:

  900,209.81.12.134 900,209.81.12.135
  900,64.128.87.134 900,64.128.87.135

the MX RRs for clickbank.net are always

  900,10,a-mx.coloc8.net 900,20,b-mx.coloc8.net

except one recent sighting of the following:

  900,10,mx1.clickbank.net 900,10,mx2.clickbank.net

there are also A RRs for 3LDs hop, www, ssl, and zzz, plus a 2LD A RR.

i hope this helps. it's all courtesy of ISC SIE and our generous sensors,
of whom i would welcome more. if you run a recursive nameserver for some
population, and are willing to share your upstream server-to-server traffic
with ISC for use in security research and operations, plz send me e-mail.
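
Added example, not part of the original thread or of any ISC tooling: a small Python check for the "forgot a trailing dot / wrong $ORIGIN" pattern described in the message above, run over an abridged copy of the NS record it quotes. The field layout and the function names (`parse_records`, `misrelativized_ns`, `audit`) are assumptions made for this illustration.

```python
import re

# Abridged from the NS record quoted above. Field meanings are an assumption:
# epoch, section, owner, class, type, "ttl,rdata" items, responding server.
SAMPLE = r"""
1197752951 ns bundleway.com IN NS 1800,ns0.dnsmadeeasy.com \
        1800,ns0.dnsmadeeasy.com.bundleway.com \
        1800,ns1.dnsmadeeasy.com \
        1800,ns1.dnsmadeeasy.com.bundleway.com \
        216.129.109.1
1198886670 an bundleway.com IN A 1800,64.40.117.19 216.129.109.1
"""

def parse_records(text):
    """Yield one dict per logical record, joining backslash continuations."""
    joined = re.sub(r"\\\s*\n", " ", text)
    for line in joined.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        epoch, section, owner, _cls, rrtype, *items, server = fields
        yield {
            "epoch": int(epoch), "section": section,
            "owner": owner.rstrip(".").lower(), "type": rrtype,
            "rdata": [tuple(i.split(",", 1)) for i in items],  # (ttl, value)
            "server": server,
        }

def misrelativized_ns(record):
    """Return (in_zone_name, probable_intent, intent_also_present) tuples."""
    if record["type"] != "NS":
        return []
    suffix = "." + record["owner"]
    targets = {value.rstrip(".").lower() for _ttl, value in record["rdata"]}
    findings = []
    for target in sorted(targets):
        stem = target[: -len(suffix)] if target.endswith(suffix) else ""
        # A multi-label stem (ns0.dnsmadeeasy.com) is suspicious; a plain "ns0"
        # is an ordinary in-zone nameserver. A sibling match raises confidence.
        if "." in stem:
            findings.append((target, stem, stem in targets))
    return findings

def audit(text):
    return [f for rec in parse_records(text) for f in misrelativized_ns(rec)]

if __name__ == "__main__":
    for bad, intent, sibling in audit(SAMPLE):
        print(f"{bad}: probably meant {intent}. (also present: {sibling})")
```

Zones that really do delegate to multi-label in-zone names will also match the stem test, so the third tuple element is the one to triage on.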

This GoogleAd appeared while reading this thread:
$400k ClickBank Website - www.AffiliateSiteX.com - Get your very own ClickBank website And let me show you how to push it

Thanks, Google! (Link obviously redacted for security reasons.) Leads to www.affiliatesitex.com, which appears to be an alias for www.dollarmonitor.com…which Google is also carrying ads for.

Alex

Yes. clickbank.net are like a rash all over spammer domain lists.
I recommend blacklisting them permanently. While you're at it, deal
with these as well:

  clickbank.com
  keynetics.com
  paytrack.com

because they're the same spammer/spamgang.

bundleway.com is new on my radar; however I note with interest that
they share an A record with

  adwarexterminator.com
  antiviruspremium.com
  antivirusprotectionsite.com
  antivirusprotector.com
  spywarexp.com

and quite a few other similarly-named domains that are listed
in Snort's domain database as containing trojan/spyware threats.
Given the size of the database I'm referencing, and that no other
domains in it match, it's unlikely that this is a coincidence.

---Rsk

Clickbank is one of the larger affiliate networks around, sort of like Commission Junction except they also handle payment processing and have a lower threshold for the kinds of products they'll take (basically, pretty well almost any product can get onto clickbank).

Then all of those products have legions of affiliates trying to move them because Clickbank merchants typically sell "information" type products with large affiliate payouts.

The iframe to clickbank is most likely impression and conversion tracking. I can't speak for bundleway.

-mark
