In the 18 days after I exposed Youdao Ads, they sent a takedown request, their trust score dropped from 28.8 to 15, their dead site came back to life, and they rewrote their entire outreach from scratch. A full forensic timeline with SSL certs, WHOIS data, DNS chains, and the email that proves everything.
📌 This is Part 2 of an ongoing investigation.
Part 1: EXPOSED: The Youdao Ads Influencer Marketing Scam — Technical Analysis & Red Flags
I want to be upfront about something before we start.
When I published Part 1, I called this operation a scam. After 18 days of forensic follow-up, the picture is more complex — and significantly more interesting.
This is not a retraction. This is an upgrade.
The 18-Day Timeline That Changes Everything
Apr 5, 2026 → SSL certificate issued for infunease.youdaoads.com
Apr 11, 2026 → Mass cold outreach emails sent (anjiaqi06@corp.netease.com)
→ infunease.youdaoads.com returns 403 Forbidden
→ Scam Detector score: 28.8/100
→ Article published
Apr 14, 2026 → WHOIS record updated (3 days post-article)
Apr 28, 2026 → Takedown email received (youdaoads@rd.netease.com)
→ Public comment posted on my article (@YoudaoAds on dev.to)
→ infunease.youdaoads.com returns 200 OK (same day)
→ Scam Detector score drops further: 15/100
→ No documentation provided despite formal request
Apr 29, 2026 → NEW email arrives (tangxi03@corp.netease.com)
→ Subject: "Official Collaboration Invite for Creators"
→ Professional NetEase 網易 branding
→ Zero emojis. Zero urgency. Zero WhatsApp spam.
→ Every single concern from my article — addressed.
That last entry. That's what this article is about.
Part 1 Recap: What I Found
On April 11, I received this email:
From: anjiaqi06@corp.netease.com
Subject: Don't scroll past 【Youdao Ads】– a paid collab
that's actually your vibe 😉
💰 Budget's ready – just name your rate
⏳ Spots are filling up – a few other creators in your
space are already looking at them
[Youdao Ads Link] [Discord] [WhatsApp]
Technical analysis showed:
$ curl -I https://infunease.youdaoads.com
HTTP/1.1 403 Forbidden
x-deny-reason: host_not_allowed
server: envoy
Third-party security score: 28.8/100 — "Risky. Dubious. Perilous."
The article went live. Google indexed it. Google AI started citing it.
Then came the reaction.
April 28: The Reaction
Exactly 17 days after publication, two messages arrived on the same day.
Message 1: The Takedown Email
From: youdaoads@rd.netease.com
Subject: Clarification regarding your recent article on Youdao Ads
The misunderstandings in your article are currently
influencing Google's AI summaries, which is causing
severe and unearned damage to our brand.
We kindly request that you consider removing the post.
Note the sender: rd.netease.com — NetEase's R&D subdomain.
The original email came from corp.netease.com — corporate division.
Two different NetEase subdomains. Never explained.
Message 2: The Public Comment
Simultaneously, a dev.to account named "Youdao Ads" commented directly on my article:
"We have thoroughly verified our domain and technical infrastructure. It is fully operational, passes mainstream security protocols, and is not being blocked by any standard security infrastructures. Any localized access issue may be due to temporary network configurations, not a systemic block."
April 28: The Infrastructure Comes Alive
On the exact same day as the takedown request:
# April 11 — time of original article
$ curl -I https://infunease.youdaoads.com
HTTP/1.1 403 Forbidden
x-deny-reason: host_not_allowed
server: envoy
# April 28 — day of takedown request
$ curl -I https://infunease.youdaoads.com
HTTP/2 200
server: YDWS
x-powered-by: Next.js
content-length: 374476
x-nextjs-cache: HIT
cache-control: s-maxage=31536000, stale-while-revalidate
etag: "rcngvqns1y801t"
A full Next.js production deployment. Live. Professional.
On the same day they asked me to remove my article.
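To make that before/after comparison repeatable, here is an added example (not part of the original investigation) that diffs two saved `curl -I` captures. The helper name `header_diff` is hypothetical, and the sample input is constructed from the two responses quoted above.

```shell
#!/bin/sh
# Added example (not from the original article).
# Constructed sample input: the two header sets quoted above.
BEFORE='HTTP/1.1 403 Forbidden
x-deny-reason: host_not_allowed
server: envoy'
AFTER='HTTP/2 200
server: YDWS
x-powered-by: Next.js
content-length: 374476
x-nextjs-cache: HIT
cache-control: s-maxage=31536000, stale-while-revalidate
etag: "rcngvqns1y801t"'

# header_diff OLD_CAPTURE NEW_CAPTURE (hypothetical helper name)
# Prints one sorted line per difference between two `curl -I` captures.
# Header names are lowercased first: HTTP/2 always sends them lowercase,
# HTTP/1.1 servers may not, and that alone is not a real change.
header_diff() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        BEGIN { side = "old" }
        { sub(/\r$/, "") }                  # curl output uses CRLF
        $0 == "---" { side = "new"; next }  # separator between captures
        $0 == ""    { next }
        /^HTTP\// { proto[side] = $1; status[side] = $2; next }
        {
            i = index($0, ":"); if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            if (side == "old") a[name] = val; else b[name] = val
            seen[name] = 1
        }
        END {
            if (status["old"] != status["new"])
                print "status: " status["old"] " -> " status["new"]
            if (proto["old"] != proto["new"])
                print "protocol: " proto["old"] " -> " proto["new"]
            for (n in seen) {
                if ((n in a) && (n in b)) {
                    if (a[n] != b[n]) print "changed " n ": " a[n] " -> " b[n]
                } else if (n in a) print "removed " n ": " a[n]
                else print "added " n ": " b[n]
            }
        }' | sort
}

header_diff "$BEFORE" "$AFTER"
```

The `server` value changing from `envoy` to `YDWS` and the disappearance of `x-deny-reason` are the lines worth recording with a date next to them.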
The SSL Certificate: Timing Is Evidence
$ echo | openssl s_client \
-servername infunease.youdaoads.com \
-connect infunease.youdaoads.com:443 2>/dev/null \
| openssl x509 -noout -dates
notBefore=Apr 5 00:00:00 2026 GMT
notAfter=Jul 4 23:59:59 2026 GMT
Certificate issued: April 5 — 6 days before the mass email campaign.
90-day certificate — short-term, automated issuance.
The infrastructure was being built in the week before the emails went out.
WHOIS: The Record That Updated After My Article
$ whois youdaoads.com
Domain Name: YOUDAOADS.COM
Creation Date: 2021-05-25T11:15:53Z ← 5 years old
Updated Date: 2026-04-14T05:35:38Z ← 3 days after my article
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrant: bei jing, CN
Name Servers: REM1.YODAO.COM
REM2.YODAO.COM
REM3.YODAO.COM
DNSSEC: unsigned
The domain is legitimate and 5 years old.
But the record was updated April 14 — 3 days after the article.
$ whois infunease.youdaoads.com
No match for "INFUNEASE.YOUDAOADS.COM".
The subdomain returns no WHOIS data at all.
DNS Chain: Following the Infrastructure
$ dig infunease.youdaoads.com +short
youdaoads.youdao.com.
ead.alb.ntes53.netease.com.
hk-g1-hz.alb.ntes53.netease.com.
156.225.180.151
156.225.180.152
Full resolution chain:
infunease.youdaoads.com
↓ CNAME
youdaoads.youdao.com
↓ CNAME
ead.alb.ntes53.netease.com ← NetEase Load Balancer
↓ CNAME
hk-g1-hz.alb.ntes53.netease.com ← Hong Kong Cluster
↓ A Records
156.225.180.151
156.225.180.152
$ whois 156.225.180.151
inetnum: 156.225.180.0 - 156.225.180.255
netname: HongKong_NetEase_Interactive_Entertainment_Limited
descr: HongKong NetEase Interactive Entertainment Limited
country: HK
This is 100% genuine NetEase infrastructure.
Hong Kong datacenter. Enterprise load balancers. The real thing.
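The same chain-following can be scripted so each hop is checked against the parent domains you expect to see. This is an added example, not part of the original investigation: the helper name `check_chain` is hypothetical, the allowlist (`youdao.com`, `netease.com`) is an assumption drawn from the chain above, and the sample input is constructed from the quoted `dig` output.

```shell
#!/bin/sh
# Added example (not from the original article).
# Constructed sample input: the `dig +short` answer quoted above.
DIG_OUTPUT='youdaoads.youdao.com.
ead.alb.ntes53.netease.com.
hk-g1-hz.alb.ntes53.netease.com.
156.225.180.151
156.225.180.152'

# check_chain QUERY_NAME DIG_SHORT_OUTPUT "PARENT1 PARENT2 ..."
# (hypothetical helper). In `dig +short` output CNAME targets end with a
# dot and addresses do not. Each hop is marked UNEXPECTED unless it equals
# or is a subdomain of an allowed parent; the leading-dot comparison keeps
# a lookalike such as notnetease.com from matching netease.com.
# Exit status is 1 when any hop falls outside the allowlist.
check_chain() {
    printf '%s\n' "$2" | awk -v start="$1" -v allow="$3" '
        function trusted(name,    i, s) {
            for (i = 1; i <= n; i++) {
                s = "." p[i]
                if (name == p[i]) return 1
                if (length(name) > length(s) &&
                    substr(name, length(name) - length(s) + 1) == s) return 1
            }
            return 0
        }
        BEGIN { n = split(tolower(allow), p, " "); prev = start }
        { sub(/\r$/, "") }
        $0 == "" { next }
        /\.$/ {                               # CNAME hop
            name = tolower($0); sub(/\.$/, "", name)
            ok = trusted(name); if (!ok) bad++
            printf "CNAME %s -> %s [%s]\n", prev, name, (ok ? "expected" : "UNEXPECTED")
            prev = name; next
        }
        { printf "ADDR %s -> %s\n", prev, $0; addrs++ }   # A/AAAA record
        END {
            printf "hops_outside_allowlist=%d addresses=%d\n", bad, addrs
            exit (bad > 0)
        }'
}

# Allowlist is an assumption of this example, taken from the chain above.
check_chain infunease.youdaoads.com "$DIG_OUTPUT" "youdao.com netease.com"
```

A hop marked UNEXPECTED is the signal to run `whois` on that name before trusting the rest of the chain.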
The Trust Scores: Watching the Algorithm React in Real-Time
This is perhaps the most fascinating part of the investigation. Watch how the independent automated trust score (Scam Detector) reacted to their infrastructure changes:
- April 11: Score 28.8 / 100. (The site is returning 403 Forbidden).
- April 28 (Morning): Score drops to 15 / 100. (Community starts flagging the emails).
- April 28 (Evening): I receive the takedown request. The site goes live (200 OK).
- April 29 (Today): Score jumps to 60.8 / 100. (Active. Medium-Risk).
Why the sudden jump? Because automated security scanners rely heavily on HTTP responses. When the site was a dead 403 Forbidden sending mass cold emails, it looked like a classic hit-and-run scam.
The moment they deployed their Next.js application (to prove they are legitimate after my article exposed them), the scanners re-evaluated them as an "Active" website and bumped their score.
The takeaway for the infosec community:
Trust scores don't measure operational ethics; they measure infrastructure configuration. They didn't become a "better" company overnight — they just finally turned their servers on because they were forced to.
⚠️ UPDATE — April 29, 2026: The Trust Score Discrepancy
ScamAdviser now shows the root domain (youdaoads.com) as "Very Likely Safe" with a score of 100/100.
However, context is everything in OSINT:
- The evaluation says: "Last Update: 3 weeks ago" (This is an old scan of the root domain, conducted well before the mass outreach campaign).
- The Business Model: Unlike fully independent scanners, ScamAdviser offers paid "Business Plans" that allow companies to actively manage their trust profiles and dispute negative signals.
Two platforms. Same domain.
Scam Detector (Strictly community & algorithm-driven): 15/100 — "Risky. Dubious. Perilous."
ScamAdviser (Commercial platform offering reputation management): 100/100 — "Very Likely Safe."
Moral of the story: A 100/100 automated score on a 5-year-old root domain doesn't legitimize the shady tactics of a 3-week-old subdomain.
Draw your own conclusions.
The Network Analysis: You're Being Watched
Opening DevTools on the login page:
Visit 1: 16 Requests
16 / 24 requests
POST → https://k.clarity.ms/collect
Status: 204 No Content
Host: k.clarity.ms
Origin: https://infunease.youdaoads.com
After a Few Minutes of Analysis: 47 Requests
47 / 63 requests
62.5 kB / 63.5 kB transferred
Server: YDWS
Every action generated a Clarity batch:
✓ Page load
✓ Mouse movement
✓ DevTools opened
✓ Network tab clicked
✓ Header inspection
✓ Page scroll
✓ Every click
The Second Endpoint — Origin Revealed
Request URL: https://overseacdn.ydstatic.com/overseacdn/advertising_platform/static/intl/zh-CN.json?v=2760e8bced
Remote Address: 23.48.214.94:443
Server: YDWS
Last-Modified: Fri, 24 Apr 2026 06:28:08 GMT
Content-Type: application/json
Akamai-Mon-lucid-Del: 1273563
overseacdn.ydstatic.com — Youdao Static CDN.
zh-CN.json — Chinese Simplified localization file.
This platform was built for the Chinese market and localized outward.
The Akamai headers confirm enterprise-grade CDN infrastructure — not a small operation.
What Their Clarity Dashboard Saw
While I was analyzing their headers, their session recording showed:
📍 Location: Egypt 🇪🇬
🖥️ Browser: Chromium 147
⏱️ Duration: 6+ minutes
🖱️ Behavior: DevTools open
Network tab active
63 requests triggered
Headers under inspection
They were watching me watch them.
Important: Clarity masks passwords and email inputs automatically.
What it captures from page load — before any signup — is full behavioral profiling.
April 29: The Email That Proves Everything
One day after the takedown request. One day after the site went live.
A third email arrived.
From: tangxi03@corp.netease.com
Subject: Official Collaboration Invite for Creators |
Youdao Ads by NetEase Youdao
Date: Apr 29, 2026, 6:01 AM
mailed-by: corp.netease.com
signed-by: corp.netease.com
⭐ Important according to Google
The body:
This email is from Youdao Ads — the official influencer
marketing platform of NetEase Youdao, a subsidiary of
the leading global technology and entertainment company
NetEase.
Why partner with Youdao Ads?
▸ Exclusive opportunities with top global brands
▸ Guaranteed paid campaigns with transparent pricing,
no upfront fees, and on-time secure payments
▸ Full dedicated support through every step of your
collaboration, from onboarding to payment settlement
Please note that this is an automated notification
email, and we are unable to respond to direct replies.
Best regards,
Youdao Ads
[NetEase 網易 | youdao Ads logo]
Global leading influencer marketing platform
The Before & After: My Article Changed Their Outreach
This is the most significant finding in this entire investigation.
April 11 Email (Before Article):
❌ Subject: "Don't scroll past – a paid collab that's
actually your vibe 😉"
❌ Emoji-heavy, casual, unprofessional
❌ "Budget's ready – just name your rate"
❌ "Spots are filling up" (artificial urgency)
❌ WhatsApp group links
❌ Discord community invites
❌ Zero company branding
❌ Generic "your vibe" personalization
❌ Contact: WhatsApp only
April 29 Email (After Article):
✅ Subject: "Official Collaboration Invite for Creators |
Youdao Ads by NetEase Youdao"
✅ Professional tone, zero emojis
✅ "No upfront fees" ← directly addresses concern I raised
✅ "No pressure to sign up immediately" ← addresses urgency concern
✅ "Transparent pricing" ← addresses opacity concern
✅ Official NetEase 網易 logo and branding
✅ "Official service mailbox: ydcommunity@service.netease.com"
✅ Zero WhatsApp group links
✅ Zero Discord spam
✅ Proper company identification from line 1
Every single red flag I documented in Part 1.
Addressed. One by one. In the next outreach email.
What This Means: The Definitive Analysis
After 18 days of forensic investigation, here is where the evidence leads:
What is confirmed:
The infrastructure is 100% genuine NetEase.
DNS chain, IP ownership, email authentication, CDN — all resolve to NetEase Hong Kong.
The domain is 5 years old.
youdaoads.com was registered May 2021. This is not a freshly created phishing domain.
LinkedIn confirms the entity.
Youdao Ads has a LinkedIn presence identifying as a NetEase Youdao subsidiary.
My article changed their behavior.
The before/after comparison of outreach emails is not coincidental. The timing, the specific changes, the direct addressing of documented concerns — this is a response to public scrutiny.
What remains unexplained:
Why was the site returning 403 during the email campaign?
You don't send mass creator outreach from a platform that returns Forbidden.
Why did the WHOIS record update 3 days after the article?
Domain records don't update themselves.
Why did the site go live on the same day as the takedown request?
Correlation is not causation. But this correlation is hard to ignore.
Why the subdomain switch?
corp.netease.com → rd.netease.com → back to corp.netease.com.
Three different senders. Never explained.
Why 15/100 on independent security vendors?
No documentation addressing this was ever provided despite formal request.
The most likely explanation:
This is a legitimate NetEase subsidiary operating with immature outreach practices — possibly a team that grew fast, prioritized reach over compliance, and got caught using spam-adjacent tactics that don't match the scale and legitimacy of their parent company.
My article forced an internal correction.
That's not a vindication. That's a more nuanced conclusion backed by evidence.
What I Requested — Still Open
On April 28, I formally requested via email and public comment:
- Official business registration documents for Youdao Ads
- NetEase Youdao's official PR statement authorizing the outreach campaign
- Verified creator partnership examples with creator consent
- Explanation of security vendor scores and remediation steps
- Clarification on the use of multiple NetEase subdomains
As of publication: no documentation received.
The April 29 email did not address these requests.
This article will be updated prominently if documentation is provided.
For the Security Community: What This Case Teaches
1. Email Authentication ≠ Legitimacy
DKIM, SPF, DMARC all passed on the original email. The infrastructure was real.
Authentication tells you where an email came from.
It tells you nothing about intent or operational standards.
2. Infrastructure Legitimacy ≠ Operational Legitimacy
Real servers. Real domain. Real CDN. Real company.
None of this guarantees the outreach practices meet acceptable standards.
3. Public Scrutiny Works
A single technical article, published and indexed, changed the outreach behavior of a subsidiary of a billion-dollar company.
This is why security research and transparency matter.
4. Timeline Documentation Is Everything
Every data point in this investigation is timestamped and reproducible:
# Reproduce the DNS chain
$ dig infunease.youdaoads.com +short
# Reproduce the SSL timing
$ echo | openssl s_client -servername infunease.youdaoads.com \
-connect infunease.youdaoads.com:443 2>/dev/null \
| openssl x509 -noout -dates
# Reproduce the WHOIS
$ whois youdaoads.com
Any developer can verify these findings independently.
Conclusion: The Investigation Is Open, Not Closed
I published Part 1 calling this a scam. The full picture is more complex.
What I can say with confidence after 18 days:
The operation is real. NetEase infrastructure, 5-year-old domain, LinkedIn presence.
The original tactics were unacceptable. Emoji spam, artificial urgency, WhatsApp groups — regardless of the company behind it.
My article caused a documented change. The before/after email comparison is the clearest evidence of this.
Unanswered questions remain. The 403 timing, the WHOIS update, the subdomain switching, the trust scores.
I will continue monitoring. If documentation arrives, this gets updated publicly and prominently.
If you've interacted with Youdao Ads — as a creator, brand, or agency — your experience is relevant. Share it in the comments.
Resources
Security Analysis:
Reporting:
- Anti-Phishing Working Group: reportphishing@apwg.org
- Google Safe Browsing: safebrowsing.google.com/safebrowsing/report_phish/
- NetEase Security: security@netease.com
Technical Verification:
All commands in this article are reproducible. Infrastructure data is public record.
WHOIS, DNS, SSL certificate dates — independently verifiable by anyone.
Part 1: EXPOSED: The Youdao Ads Influencer Marketing Scam
Have you received emails from Youdao Ads? Share your experience below.
All technical findings are based on public record data and standard OSINT methodology. Commands and outputs are included verbatim for independent verification.




