PART 2: I Published a Scam Expose.
Published 2026-05-02 07:46:18 via infosecwriteups.com

freerave


A forensic timeline of SSL certs, WHOIS manipulation, DNS chains, paid trust scores, and the email that proves a billion-dollar company changed their behavior because of one article.

Before we begin — a note on methodology.

When I published Part 1, I labeled this operation a scam based on the evidence available at the time. After 18 days of forensic follow-up, the picture is more nuanced. This article is not a retraction. It is an upgrade — more data, better conclusions, harder questions.

Everything here is reproducible. Every command is included. Every timestamp is documented. The security community can verify independently.

The 18-Day Forensic Timeline

Apr  5, 2026  → SSL certificate issued: infunease.youdaoads.com
Apr 11, 2026 → Mass cold outreach ([email protected])
→ curl -I infunease.youdaoads.com = 403 Forbidden
→ Scam Detector score: 28.8/100
→ Article published on dev.to
→ Google AI indexes and begins citing article
Apr 14, 2026 → WHOIS record updated (3 days post-publication)
Apr 28, 2026 → Takedown email received ([email protected])
→ Public comment on dev.to article (@YoudaoAds)
→ curl -I infunease.youdaoads.com = 200 OK (same day)
→ Scam Detector drops further: 15/100
→ Formal documentation request sent - no response
Apr 29, 2026 → ScamAdviser score: 100/100 "Very Likely Safe"
→ New outreach email ([email protected])
→ Professional NetEase 網易 branding
→ Every red flag from Part 1 - addressed

Let’s go through each entry.

Entry 1: The Original Email — Red Flags Documented

On April 11, this arrived:

From: [email protected]
Subject: Don't scroll past 【Youdao Ads】– a paid collab
that's actually your vibe 😉

💰 Budget's ready – just name your rate
⏳ Spots are filling up – other creators are already
looking at them
[Youdao Ads] [Discord] [WhatsApp group invite]

Authentication results:

dkim=pass   [email protected]
spf=pass [email protected]
dmarc=pass (p=NONE sp=NONE dis=NONE)
Received: from corp-front01-corp.i.nease.net [1.95.22.228]
X-Originating-IP: [115.236.116.73]
X-Mailer: Coremail Webmail Server XT6.0.5

Every authentication check passed. The email genuinely came from NetEase corporate servers. Note the DMARC policy, p=NONE: that is monitoring only, so a forgery that failed these checks would also have been delivered. The signal here is that the checks passed, not that the domain enforces anything.

This is the first lesson of this investigation: email authentication tells you origin, not intent.
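The check that makes those three passes meaningful is alignment: the domain that DKIM or SPF authenticated must belong to the same organization as the domain the recipient sees in From:. The block below is an added editorial example, not the author's tooling. Both messages are constructed: the first mirrors the April 11 headers printed above (the local part, sender name and relay timestamp are assumptions, since the page redacts them); the second is a hypothetical look-alike in which DKIM and SPF pass for a bulk-mail domain that does not align with From:.

```python
"""Parse Authentication-Results and test DMARC-style alignment (added example).

Editorial example, not the article's own tooling. Both messages are
constructed; local parts, the relay timestamp and the look-alike's
bulk-mail domain are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUTREACH = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=corp.netease.com;
 spf=pass smtp.mailfrom=outreach@corp.netease.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=corp.netease.com
Received: from corp-front01-corp.i.nease.net ([1.95.22.228])
 by mx.example.net with ESMTPS; Sat, 11 Apr 2026 09:12:00 +0000
X-Originating-IP: [115.236.116.73]
X-Mailer: Coremail Webmail Server XT6.0.5
From: outreach@corp.netease.com
Subject: a paid collab

(body)
"""

# Hypothetical look-alike: the checks pass, but for a different organization.
LOOKALIKE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=bulkmail.example.com;
 spf=pass smtp.mailfrom=bounce@bulkmail.example.com;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=corp.netease.com
From: outreach@corp.netease.com
Subject: a paid collab

(body)
"""


def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def org_domain(host):
    """Organizational domain as the last two labels. Real DMARC uses the Public
    Suffix List; this shortcut is fine for plain .com names like these."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def alignment_report(raw):
    """Return what the headers prove (origin) and what they cannot (intent)."""
    msg = message_from_string(raw)
    ar = " ".join((msg.get("Authentication-Results") or "").split())  # unfold
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    dkim = (_grab(r"\bdkim=(\w+)", ar), _grab(r"header\.d=([\w.-]+)", ar))
    spf = (_grab(r"\bspf=(\w+)", ar), _grab(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", ar))
    dmarc = (_grab(r"\bdmarc=(\w+)", ar), _grab(r"\bp=(\w+)", ar))

    # Alignment: a pass only counts if the authenticated domain is the same
    # organization as the domain the recipient actually sees in From:.
    dkim_aligned = (dkim[0] == "pass" and dkim[1] is not None
                    and org_domain(dkim[1]) == org_domain(from_domain))
    spf_aligned = (spf[0] == "pass" and spf[1] is not None
                   and org_domain(spf[1]) == org_domain(from_domain))

    return {
        "from_domain": from_domain,
        "dkim": dkim,
        "spf": spf,
        "dmarc": dmarc,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "relay": _grab(r"from\s+([\w.-]+)", msg.get("Received", "") or ""),
        "originating_ip": _grab(r"\[([\d.]+)\]", msg.get("X-Originating-IP", "") or ""),
        # p=NONE is monitoring only: a forgery that failed would still be delivered.
        "dmarc_enforced": dmarc[1] not in (None, "NONE"),
        "origin_verified": dkim_aligned or spf_aligned,
        "intent_known": False,  # nothing in these headers speaks to purpose
    }
```

Run alignment_report on a raw message saved from your mail client ("show original" in Gmail). A report with origin_verified true and dmarc_enforced false is exactly the April 11 situation: the sending organization is established, the policy is toothless, and intent is still an open question.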

The site linked in the email:

$ curl -I https://infunease.youdaoads.com
HTTP/1.1 403 Forbidden
x-deny-reason: host_not_allowed
server: envoy

A platform sending mass creator outreach while its own site returns Forbidden. The x-deny-reason: host_not_allowed response from an Envoy front end reads as a virtual-host allowlist miss: the name resolved and the TLS handshake completed, but the gateway had no route configured for that hostname yet.


April 11 outreach — emoji-heavy, urgency-driven, no company branding

Entry 2: SSL Certificate — Infrastructure Built Before the Campaign

$ echo | openssl s_client \
-servername infunease.youdaoads.com \
-connect infunease.youdaoads.com:443 2>/dev/null \
| openssl x509 -noout -dates

notBefore=Apr 5 00:00:00 2026 GMT
notAfter=Jul 4 23:59:59 2026 GMT

Certificate issued April 5, six days before the emails went out. The 90-day validity window is the ordinary lifetime for automated issuance and says nothing by itself about how long the deployment was meant to last; the date is the finding. Whether this was the first certificate ever logged for the hostname, or a routine renewal of an older one, is answerable from certificate transparency (crt.sh) without touching the host.

If it was the first, the infrastructure was being assembled in the week immediately preceding the mass outreach campaign.

Entry 3: WHOIS — The Record That Updated After Publication

$ whois youdaoads.com

Domain Name: YOUDAOADS.COM
Creation Date: 2021-05-25T11:15:53Z ← nearly 5 years old
Updated Date: 2026-04-14T05:35:38Z ← 3 days post-article
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrant: bei jing, CN
Name Servers: REM1.YODAO.COM / REM2.YODAO.COM / REM3.YODAO.COM
DNSSEC: unsigned

The domain is legitimate and nearly 5 years old. That’s important context.

But the record updated April 14, three days after the article. Updated Date moves whenever the registrar writes the record (renewal, status lock, contact or nameserver edit), so it establishes that something changed that day, not what.

$ whois infunease.youdaoads.com
No match for "INFUNEASE.YOUDAOADS.COM".

The subdomain returns no WHOIS data, which is expected: WHOIS covers registered domains, not hostnames beneath them, so "No match" here is not a signal either way.

Entry 4: DNS Chain — Following the Infrastructure

$ dig infunease.youdaoads.com +short

youdaoads.youdao.com.
ead.alb.ntes53.netease.com.
hk-g1-hz.alb.ntes53.netease.com.
156.225.180.151
156.225.180.152

Resolution chain:

infunease.youdaoads.com
↓ CNAME
youdaoads.youdao.com
↓ CNAME
ead.alb.ntes53.netease.com ← NetEase Load Balancer
↓ CNAME
hk-g1-hz.alb.ntes53.netease.com ← Hong Kong Cluster
↓ A Records
156.225.180.151 / 156.225.180.152

$ whois 156.225.180.151

inetnum: 156.225.180.0 - 156.225.180.255
netname: HongKong_NetEase_Interactive_Entertainment_Limited
descr: HongKong NetEase Interactive Entertainment Limited
country: HK

This is genuine NetEase infrastructure. Hong Kong datacenter. Enterprise load balancers. Not a rented VPS.
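The chain walk above, as an added example (editorial code, not the author's script): it follows CNAMEs hop by hop with loop and dangling-name detection, lists the organizations the chain crosses, and checks the terminal addresses against the inetnum range from the IP WHOIS. The record table is constructed from the dig output in this entry so the walk runs offline; in practice the lookup callable would wrap a real resolver, and the loop and dangling cases are hypothetical inputs added to show the failure modes.

```python
"""Walk a CNAME chain and check its terminal IPs against an IP-WHOIS range (added example).

Editorial example, not the article's own script. RECORDS is constructed from
the dig output in Entry 4; IP_WHOIS is the inetnum block quoted there.
"""
import ipaddress

RECORDS = {
    "infunease.youdaoads.com.": ("CNAME", ["youdaoads.youdao.com."]),
    "youdaoads.youdao.com.": ("CNAME", ["ead.alb.ntes53.netease.com."]),
    "ead.alb.ntes53.netease.com.": ("CNAME", ["hk-g1-hz.alb.ntes53.netease.com."]),
    "hk-g1-hz.alb.ntes53.netease.com.": ("A", ["156.225.180.151", "156.225.180.152"]),
}

IP_WHOIS = """\
inetnum: 156.225.180.0 - 156.225.180.255
netname: HongKong_NetEase_Interactive_Entertainment_Limited
country: HK
"""


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def table_lookup(name):
    """Offline stand-in for a resolver: returns (rtype, values) or None."""
    return RECORDS.get(_fqdn(name))


def follow_chain(name, lookup=table_lookup, max_hops=8):
    """Return (hops, addresses): every owner name visited, then the A records.
    Raises on a CNAME loop or a dangling name (a dangling CNAME pointing at a
    deprovisioned host is a subdomain-takeover risk, so it is worth surfacing)."""
    fqdn, hops, seen = _fqdn(name), [], set()
    while True:
        if fqdn in seen:
            raise ValueError(f"CNAME loop at {fqdn}")
        if len(hops) >= max_hops:
            raise ValueError("chain too long")
        seen.add(fqdn)
        hops.append(fqdn)
        rr = lookup(fqdn)
        if rr is None:
            raise LookupError(f"dangling name: {fqdn} has no records")
        rtype, values = rr
        if rtype == "A":
            return hops, values
        fqdn = _fqdn(values[0])


def org_hops(hops):
    """Organizational domains the chain passes through, deduplicated in order."""
    orgs = []
    for h in hops:
        org = ".".join(h.rstrip(".").split(".")[-2:])
        if org not in orgs:
            orgs.append(org)
    return orgs


def parse_inetnum(text):
    """Turn 'inetnum: A - B' into a list of CIDR networks."""
    for line in text.splitlines():
        if line.startswith("inetnum:"):
            lo, hi = (s.strip() for s in line.split(":", 1)[1].split("-"))
            return list(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    raise ValueError("no inetnum line")


def addresses_in_range(addresses, inetnum_text):
    """Map each address to whether it falls inside the IP-WHOIS range."""
    nets = parse_inetnum(inetnum_text)
    return {ip: any(ipaddress.ip_address(ip) in n for n in nets) for ip in addresses}
```

org_hops is the part worth reading: a chain that crosses youdaoads.com, youdao.com and netease.com and lands inside a NetEase inetnum is the technical content of "this is genuine NetEase infrastructure". A chain that ended at an address outside the range, or at a dangling name, would be the opposite finding.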


DNS chain resolves into NetEase Hong Kong infrastructure

Entry 5: April 28 — The Site Comes Alive

On the exact same day the takedown request arrived:

# April 11 — time of original article
$ curl -I https://infunease.youdaoads.com
HTTP/1.1 403 Forbidden
x-deny-reason: host_not_allowed
server: envoy

# April 28 - day of takedown request
$ curl -I https://infunease.youdaoads.com
HTTP/2 200
server: YDWS
x-powered-by: Next.js
content-length: 374476
x-nextjs-cache: HIT
cache-control: s-maxage=31536000, stale-while-revalidate

A full Next.js production deployment. Live. On the same day they asked me to take down the article: 403 on April 11, 200 on April 28. One caveat on the cutover date: x-nextjs-cache: HIT and a year-long s-maxage mean this response came out of a build cache, so the 200 could have been reachable somewhat earlier than the first capture; the two dated captures only bracket the change.
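The timeline only holds up if each capture is dated and tamper-evident. The block below is an added editorial example, not the author's tooling: it parses the two curl -I captures quoted in this entry, seals each with a SHA-256 over the raw text, diffs status and headers between them, and spells out what the signals mean. The capture times are assumptions (the article gives dates, not times).

```python
"""Diff two dated `curl -I` captures and seal each with a hash (added example).

Editorial example, not the author's script. The header blocks are the two
quoted in Entry 5; the capture timestamps are assumed.
"""
import hashlib

CAPTURES = [
    ("2026-04-11T00:00:00Z", """\
HTTP/1.1 403 Forbidden
x-deny-reason: host_not_allowed
server: envoy
"""),
    ("2026-04-28T00:00:00Z", """\
HTTP/2 200
server: YDWS
x-powered-by: Next.js
content-length: 374476
x-nextjs-cache: HIT
cache-control: s-maxage=31536000, stale-while-revalidate
"""),
]


def parse_headers(raw):
    """Split a `curl -I` dump into (status code, {lowercased-name: value})."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def evidence_record(captured_at, raw):
    """One timeline entry: when, what was seen, and a digest of the raw text so
    the capture can be shown unaltered later."""
    status, headers = parse_headers(raw)
    return {"captured_at": captured_at, "status": status, "headers": headers,
            "sha256": hashlib.sha256(raw.encode()).hexdigest()}


def diff_captures(before, after):
    """Status transition plus added, removed and changed headers."""
    b, a = before["headers"], after["headers"]
    return {
        "status": (before["status"], after["status"]),
        "added": {k: a[k] for k in a.keys() - b.keys()},
        "removed": {k: b[k] for k in b.keys() - a.keys()},
        "changed": {k: (b[k], a[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
    }


def interpret(record):
    """Plain-language reading of the signals a practitioner looks at."""
    h, notes = record["headers"], []
    if record["status"] == 403 and h.get("x-deny-reason") == "host_not_allowed":
        notes.append("front end has no route for this Host: name and cert exist, app not wired up")
    if "x-nextjs-cache" in h:
        notes.append("served from a Next.js build cache (x-nextjs-cache=%s)" % h["x-nextjs-cache"])
    if "s-maxage=" in h.get("cache-control", ""):
        notes.append("shared-cache TTL set: later fetches may be cached copies, "
                     "so re-check with a fresh request before calling the site live")
    return notes
```

Publish the digests alongside the timeline and anyone can confirm the header blocks in the article are the ones that were captured, which is what "reproducible" should mean for evidence that changes from one day to the next.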

Entry 6: The Takedown Request

From: [email protected]
Subject: Clarification regarding your recent article

The misunderstandings in your article are currently
influencing Google's AI summaries, which is causing
severe and unearned damage to our brand.
We kindly request that you consider removing the post.
Domain Status: We have confirmed our domain is not
blocked by major security infrastructures.
NetEase Emails: Youdao Ads is a business division
of NetEase Youdao. The emails came from NetEase
internal servers because they are genuine official
communications.

Note the sender domain: rd.netease.com — NetEase R&D division. Original outreach: corp.netease.com — corporate division.

Two different NetEase subdomains used for the same operation. Never explained.

Simultaneously, a dev.to account named “Youdao Ads” posted publicly on my article:

“We have thoroughly verified our domain and technical infrastructure. It is fully operational, passes mainstream security protocols, and is not being blocked by any standard security infrastructures.”

My public response requested five items of documentation. None were provided.


Note rd.netease.com — different subdomain from original corp.netease.com outreach


Public comment on the article — same day as the takedown email

Entry 7: The Trust Score Divergence

Scam Detector (independent, no business plans):

April 11: 28.8/100 — "Risky. Dubious. Perilous."
April 28: 15/100 — continued decline post-publication

ScamAdviser (offers paid business verification plans):

April 29: 100/100 — "Very Likely Safe"
Last Update: 3 weeks ago

Two platforms. Same domain. 15/100 vs 100/100.

ScamAdviser offers business subscription plans that let companies submit documentation and improve their trust rating; this is part of its disclosed business model. Its page also showed "Last Update: 3 weeks ago" on April 29, which, taken at face value, places that assessment around April 8, before Part 1 was published, so the 100/100 cannot be assumed to be a reaction to the article.

The Scam Detector score, from a platform that does not offer paid improvement plans, continued declining.


April 29 — ScamAdviser shows 100/100. ScamAdviser offers paid business plans.
Scam Detector (no paid plans) shows 15/100 — continued decline post-article

Entry 8: Network Analysis — Behavioral Tracking on Login Page

DevTools analysis of the login page:

Session 1 (DevTools filter: 16 of 24 requests):

POST → https://k.clarity.ms/collect
Status: 204 No Content
Remote Address: 172.175.38.6:443

Session 2 (after continued analysis, 47 of 63 requests, 62.5 kB transferred):

Server: YDWS

Microsoft Clarity, loaded with the page, captures on every visit:

  • Full mouse movement recording
  • Click and scroll behavior
  • Session duration and depth
  • Browser and device fingerprint
  • Rage clicks, dead clicks

Active before any signup or consent interaction.


A second endpoint revealed the origin:

GET https://overseacdn.ydstatic.com/overseacdn/
advertising_platform/static/intl/zh-CN.json
?v=2760e8bced

Server: YDWS
Content-Type: application/json
Akamai-Mon-lucid-Del: 1273563

ydstatic.com — Youdao Static CDN. zh-CN.json — Chinese Simplified localization. Akamai CDN headers — enterprise-grade infrastructure.

A default zh-CN localization bundle served from a Youdao CDN indicates the platform was built for the Chinese market first and localized outward.

Note: Clarity automatically masks password and email input fields. Credentials are not captured. Full behavioral profiling is active regardless.
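The "active before any consent interaction" finding is checkable from a saved HAR file rather than by eyeballing DevTools. The block below is an added editorial example, not the author's capture: it takes HAR-shaped entries, finds the first user action (the first non-GET request to the first party, since a HAR carries no consent event), and lists every third-party host contacted before that point with request counts and timing. The HAR is constructed to resemble this entry; apart from the two hosts named on the page (infunease.youdaoads.com and k.clarity.ms) every host, timing and the tag URL placeholder is an assumption.

```python
"""Third-party beacons that fire before any user action, from a HAR export (added example).

Editorial example, not the author's DevTools capture. The HAR entries are
constructed; all timings, the www.clarity.ms tag URL placeholder and the
login endpoint are assumptions.
"""
from datetime import datetime
from urllib.parse import urlsplit

FIRST_PARTY = "youdaoads.com"
KNOWN_COLLECTORS = {"k.clarity.ms": "Microsoft Clarity session recording"}


def _entry(t, method, url, status, initiator):
    # Same shape as a Chrome HAR entry: json.load(open("capture.har"))["log"]["entries"]
    return {"startedDateTime": t, "request": {"method": method, "url": url},
            "response": {"status": status}, "_initiator": {"type": initiator}}


HAR = {"log": {"entries": [  # constructed
    _entry("2026-04-28T10:00:00.000Z", "GET", "https://infunease.youdaoads.com/login", 200, "other"),
    _entry("2026-04-28T10:00:00.400Z", "GET", "https://www.clarity.ms/tag/PROJECTID", 200, "parser"),
    _entry("2026-04-28T10:00:00.900Z", "POST", "https://k.clarity.ms/collect", 204, "script"),
    _entry("2026-04-28T10:00:03.100Z", "POST", "https://k.clarity.ms/collect", 204, "script"),
    _entry("2026-04-28T10:00:12.000Z", "POST", "https://infunease.youdaoads.com/api/login", 401, "script"),
    _entry("2026-04-28T10:00:12.600Z", "POST", "https://k.clarity.ms/collect", 204, "script"),
]}}


def started(entry):
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))


def host_of(entry):
    return (urlsplit(entry["request"]["url"]).hostname or "").lower()


def is_first_party(host):
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def first_user_action(entries):
    """Earliest non-GET request to the first party (a form submit such as the
    login POST). A HAR carries no consent event, so this is the earliest moment
    the visitor could have agreed to anything. Returns None if there is none."""
    for e in sorted(entries, key=started):
        if is_first_party(host_of(e)) and e["request"]["method"] != "GET":
            return started(e)
    return None


def beacons_before_action(har):
    """Third-party hosts contacted before the first user action, with request
    counts and the offset in ms from page load of their first request."""
    entries = sorted(har["log"]["entries"], key=started)
    t0, cutoff = started(entries[0]), first_user_action(entries)
    report = {}
    for e in entries:
        h = host_of(e)
        if is_first_party(h) or (cutoff is not None and started(e) >= cutoff):
            continue
        item = report.setdefault(h, {"count": 0, "first_ms": None,
                                     "label": KNOWN_COLLECTORS.get(h, "unknown third party")})
        item["count"] += 1
        if item["first_ms"] is None:
            item["first_ms"] = round((started(e) - t0).total_seconds() * 1000)
    return report
```

Export the HAR from the Network panel, load it with json.load, and pass it to beacons_before_action; any collector with a count above zero was profiling the visitor before they did anything at all. The same script run against a cookie-banner site should show an empty report until the banner is accepted.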


DevTools — 47/63 collect requests with overseacdn endpoint visible

Entry 9: The Email That Changes Everything

April 29. One day after the takedown request.

From: [email protected]
Subject: Official Collaboration Invite for Creators |
Youdao Ads by NetEase Youdao
mailed-by: corp.netease.com
signed-by: corp.netease.com
⭐ Important according to Google

Body:

This email is from Youdao Ads — the official influencer 
marketing platform of NetEase Youdao, a subsidiary of
NetEase.

Why partner with Youdao Ads?
▸ Exclusive opportunities with top global brands
▸ Guaranteed paid campaigns, no upfront fees,
on-time secure payments
▸ Full dedicated support from onboarding to
payment settlement
[NetEase 網易 | youdao Ads]
Global leading influencer marketing platform
[email protected]


New email from tangxi03 — professional NetEase branding

The Before/After: A Direct Comparison

This is the finding that makes this investigation significant.

April 11 — Original Outreach:

Subject:  "Don't scroll past – a paid collab 
that's actually your vibe 😉"

Content:
❌ Emoji-heavy throughout
❌ "Budget's ready – just name your rate"
❌ "Spots are filling up" (artificial urgency)
❌ WhatsApp group invite links
❌ Discord community links
❌ Zero company branding
❌ Generic "your vibe" personalization
❌ No official email for support

April 29 — Post-Article Outreach:

Subject:  "Official Collaboration Invite for Creators | 
Youdao Ads by NetEase Youdao"

Content:
✅ Zero emojis
✅ "No upfront fees" ← Part 1 raised payment concerns
✅ "No pressure to sign up immediately" ← Part 1 raised urgency concern
✅ "Transparent pricing" ← Part 1 raised opacity concern
✅ Official NetEase 網易 logo from line 1
✅ Official support email: [email protected]
✅ Zero WhatsApp links
✅ Zero Discord spam
✅ Clear company identification

Every documented red flag from Part 1. Addressed in the next outreach email. The timing is not coincidental.

Analysis: What the Evidence Supports

Confirmed:

The infrastructure is genuine NetEase. DNS chain, IP WHOIS, email authentication, CDN — all resolve to NetEase Hong Kong. This is not spoofed.

The domain has nearly five years of history. Registered May 2021. Legitimate age, legitimate registrar.

The outreach behavior changed after public scrutiny. The before/after email comparison documents this directly.

Reputation management is the likely explanation for the score divergence. ScamAdviser showing 100/100 the day after the takedown request, while Scam Detector continues at 15/100, is consistent with active reputation management through a paid platform, with the caveat that ScamAdviser's own "Last Update: 3 weeks ago" stamp means its review may predate the article.

Not confirmed:

Why was the site returning 403 during the active email campaign? You do not send mass creator outreach from a platform that returns Forbidden to visitors.

Why did the WHOIS record update 3 days after publication? Something was written to the registration record that day, but the public record does not show what.

Why did the site go live on the same day as the takedown request? This correlation is documented. Causation is not established.

Why the sender switching? corp.netease.com → rd.netease.com → corp.netease.com: three sender addresses across two NetEase subdomains. No explanation provided.

Why does Scam Detector still show 15/100? No documentation addressing this was ever provided.

Most likely explanation:

A legitimate NetEase subsidiary operating with immature, spam-adjacent outreach practices — possibly a team that grew quickly and prioritized reach over compliance. Public scrutiny forced an internal correction.

This is not a vindication. This is a more accurate conclusion.

Security Lessons for the Community

1. Email authentication is necessary, not sufficient

DKIM: pass ✅
SPF: pass ✅
DMARC: pass ✅
Intent: unknown ❌

Authentication confirms origin. It does not confirm legitimacy of purpose.

2. Infrastructure legitimacy ≠ operational legitimacy

Enterprise CDN, real IPs, genuine corporate email — none of this guarantees the outreach practices are acceptable.

3. Trust score platforms are not equal

Some platforms offer paid business plans that allow score improvement. Others do not. Understanding the business model of the platform you’re citing matters in security research.

4. Timeline documentation is the methodology

# Every finding in this article is reproducible

$ dig infunease.youdaoads.com +short
$ echo | openssl s_client -servername infunease.youdaoads.com \
-connect infunease.youdaoads.com:443 2>/dev/null \
| openssl x509 -noout -dates
$ whois youdaoads.com
$ curl -I https://infunease.youdaoads.com

Public record data. Standard OSINT methodology. Anyone can verify.

5. Public research creates accountability

One technical article, properly documented and indexed, changed the outreach behavior of a subsidiary of a multi-billion dollar company within 18 days.

This is why transparent security research matters.

What Remains Open

I formally requested the following on April 28. No response received as of publication:

  1. Official business registration documents for Youdao Ads
  2. NetEase Youdao official statement authorizing the outreach campaign
  3. Verified creator partnership examples with creator consent
  4. Explanation of security vendor scores and remediation steps
  5. Clarification on subdomain switching across communications

This article updates publicly and prominently when documentation arrives.

Conclusion

This started as a scam analysis. It became something more useful: a documented case study in how public technical scrutiny can change corporate behavior, the limitations of email authentication as a trust signal, and the importance of understanding the business models behind reputation platforms.

The infrastructure is real. The company is real. The outreach tactics were unacceptable. The response to scrutiny was managed and calculated.

Draw your own conclusions.

If you have received emails from Youdao Ads — as a creator, agency, or brand — your experience is relevant to this investigation. Share it in the responses.

Technical Reference

All commands used in this investigation:

# DNS Resolution
$ dig infunease.youdaoads.com +short

# SSL Certificate Dates
$ echo | openssl s_client \
-servername infunease.youdaoads.com \
-connect infunease.youdaoads.com:443 2>/dev/null \
| openssl x509 -noout -dates

# WHOIS Domain
$ whois youdaoads.com
$ whois infunease.youdaoads.com

# IP WHOIS
$ whois 156.225.180.151

# HTTP Headers
$ curl -I https://infunease.youdaoads.com

Reporting channels:

Originally published on dev.to/freerave

All findings are based on public record data and standard OSINT methodology. Timestamps and commands are included verbatim for independent verification.


Article source: https://infosecwriteups.com/part-2-i-published-a-scam-expose-bc420e0bbc00?source=rss----7b722bfd1b8d---4