The domain expansionus.com houses the final payload for gift card fraud spams that are making the rounds in SMS. We have verified that the content is as expected and that the payload remains up and available at the time of making these six SBL listings.
This is redirected to from fireplacecoffee.com (SBL495886 et al) at the present time. SBL495886 et al are also not eligible for removal because the redirection continues to work. Both domains have DNS services from CloudFlare and must be taken down completely.
$ host burots.expansionus.com
burots.expansionus.com has address 18.104.22.168
burots.expansionus.com has address 22.214.171.124
burots.expansionus.com has address 126.96.36.199
burots.expansionus.com has IPv6 address 2606:4700:3034::6818:76c2
burots.expansionus.com has IPv6 address 2606:4700:3033::6818:77c2
burots.expansionus.com has IPv6 address 2606:4700:3035::ac43:9793
$ host www.fireplacecoffee.com
www.fireplacecoffee.com has address 188.8.131.52
www.fireplacecoffee.com has address 184.108.40.206
www.fireplacecoffee.com has address 220.127.116.11
www.fireplacecoffee.com has IPv6 address 2606:4700:3033::ac43:9b2a
www.fireplacecoffee.com has IPv6 address 2606:4700:3036::681c:9ea
www.fireplacecoffee.com has IPv6 address 2606:4700:3031::681c:8ea
Cloudflare, kindly take the domains down. Looking at the front page is not going to produce any useful answers, the redirections are deeper down. The domains were registered for malicious purposes only and serve no useful purpose.