linodeobjects.com: badware

[lartingyou]

Prerequisites

• This is NOT a YouTube, Facebook, Twitch or a shortener/hosting site report. These sites MUST be reported by clicking their respective links.
• I read and understand the policy about what is a valid filter issue.
• I verified that this issue is not a duplicate. (Search here to find out.)
• I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
• I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
• I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
• I am not using uBlock Origin along with other content blockers.
• I have verified that the web browser's built-in content blocker/tracking protection, network wide/DNS blocking, or my VPN is not causing the issue.
• I have verified that other extensions are not causing the issue.
• If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site issue.
• I did not answer truthfully to ALL the above checkboxes.

URL(s) where the issue occurs.

https://ref6iausl8o2yxri.eu-central-1.linodeobjects.com/

(actually any *.linodeobjects.com domain, as it's a kind of whack-a-mole redirection operation).

I don't want to provide the complete URL (which is proof of the redirect chaining) for privacy reasons. It contains a base64-encoded key that potentially identifies the email address. Even the beginning of the URL (domain name) could be compromising my identity.

Description

I'm asking for an addition to uBO for all sites on linodeobjects.com.

For months (years) I get a spam a day on average that has a URL on linodeobjects.com that is the start of a redirect chain. The link sends people through 5+ redirects to finally a site that is usually a scam survey promoting a free product. In the end, one must put a credit card to "receive" the object. I'm not 100% sure it's a Phish site (reporting it to Google's safe site has never had any effect that I can tell).

I'm not sure what name there is for this scam, but I've reported it HUNDREDS of times to [email protected] via spamcop with NO RESULTS. Perhaps if uBO blocks this exploited domain, the people who try to access "legitimate" sites on linodeobjects.com will complain and the abuse will finally take action? I suspect the scammers want to keep the volume of complaints low to pass under the thresholds for AI-processed complaints.

Other extensions used

none

Screenshot(s)

Note: the screenshot is of the destination site <-- click at your own risk! (which is always different, as the linodeobjects.com page redirects sometimes 7 times). The spams always contain linodeobjects.com domain URIs as the start, however.

Screenshot(s)

Configuration

Details

uBlock Origin: 1.59.0
Chromium: 129
filterset (summary):
 network: 154625
 cosmetic: 119044
 scriptlet: 29581
 html: 0
listset (total-discarded, last-updated):
 added:
  adguard-cookies: 31908-41, now
  fanboy-cookiemonster: 52132-3999, now
  ublock-cookies-adguard: 1757-28, now
  ublock-cookies-easylist: 1757-1757, now
 default:
  user-filters: 24-3, never
  easylist: 85351-475, now
  easyprivacy: 53074-650, now
  plowe-0: 3550-1, now
  ublock-badware: 11271-6, now
  ublock-filters: 40216-384, now
  ublock-privacy: 1190-22, now
  ublock-quick-fixes: 147-0, now
  ublock-unbreak: 2464-0, now
  urlhaus-1: 25925-0, now
filterset (user): [array of 24 redacted]
trustedset:
 added: [array of 42 redacted]
hostRuleset:
 added: [array of 2 redacted]
userSettings:
 advancedUserEnabled: true
hiddenSettings: [none]
supportStats:
 allReadyAfter: 386 ms (selfie)
 maxAssetCacheWait: 278 ms
 cacheBackend: indexedDB
popupPanel:
 blocked: 1
 network:
  trk-consulatu.com: 1

[stephenhawk8054]

That domain is object storage domain and also used for other purposes. Blocking it will block many other non-malicious links like https://us-east-1.linodeobjects.com/theplayfulwyvernplayers/PLAY.html as well.

[lartingyou]

What about the frequent intermediate redirection domains used in the chain? Here's a typical result from the "redirect path" extension in chrome once you click the linodeobjects.com link (I redacted the URLs to not include full links):

https://airwheel.website/
https://www.settleworldcode.com/
https://www.route2content.com/
https://incredibletechgizmoz.com/

[lartingyou]

Just now, I had another (similar) scam link that starts with

https://8zetuizt254zzu2z5.s3.amazonaws.com/

but also has intermediate links to settleworldcode.com and others.

I guess the scammers aren't just using linodeobjects.com.

[stephenhawk8054]

I need exact links to reproduce the issue, otherwise I can't do much with just these information.