Slashdot Mirror


Spammers Moving To Disposable Domains

Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days' worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."

147 comments

  1. Good, it's costing them money by Anonymous Coward · · Score: 2, Interesting

    Assuming they're not "tasting" it's going to cost them about $10 a pop.

    1. Re:Good, it's costing them money by fifedrum · · Score: 5, Insightful

      except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

    2. Re:Good, it's costing them money by negRo_slim · · Score: 1

      $10 for a .com TLD maybe but there are plenty of substantially cheaper options.

      --
      On the Oregon Coast born and raised, On the beach is where I spent most of my days
    3. Re:Good, it's costing them money by Anonymous Coward · · Score: 0

      A .com only costs around $6 each using GoDaddy and coupon codes. Buying in bulk I'm sure they could even find a cheaper price.

    4. Re:Good, it's costing them money by Ambiguous+Puzuma · · Score: 4, Insightful

      except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

      Not sure why parent is modded funny; there is likely a lot of truth to it. Sony Online Entertainment discovered this:

      It isn't just issues of game balance and gold farming, Smedley says. "We're seeing a lot of stolen credit cards. Say you buy gold from a service in China -- you may not know it's in China, but you give them your credit card and buy gold only once. They use these credit card numbers to set up new accounts in these games. They buy an EverQuest account key, farm for a month, and then charge it back to the stolen credit card."

      And this isn't just damaging to the consumer. "What happens is that over time, as that rate of chargebacks rises, we start getting fined. We have been fined over a million dollars since June. That's not the chargebacks themselves -- just the chargeback fine. It's brutal; it's the dirty little secret of the industry."

      These temporary accounts, paid for with stolen credit cards, are additionally used to spam in-game (although spam filtering has improved the situation significantly).

      It would not surprise me in the least if this applied to temporary domain registration for spam/malware purposes as well.

    5. Re:Good, it's costing them money by Monkeedude1212 · · Score: 1

      Probably just a misclick. You'll notice Slashdot also gave him 40% Insightful, 30% Interesting and 30% Funny, yet somehow it shows up labelled as funny. Gotta love logic errors!

    6. Re:Good, it's costing them money by GrumpySteen · · Score: 1

      Slashdot would rather be funny than insightful

    7. Re:Good, it's costing them money by icebraining · · Score: 1

      If you're buying gold from a shady site with a real CC, you kind of deserve what's coming to you.

    8. Re:Good, it's costing them money by socz · · Score: 3, Interesting

      You hit the nail on the head! Domains in bulk are a lot cheaper. I'm getting a decent deal with about 8-10 domains, but I know it could be better if I had more! So they're probably buying them up in 100's at a time (I would!).

      But, what I suspect could be happening, is that they're actually working with a top level registrar who can get them at the cheapest price possible and probably gets a % back of what the spammer makes. Just a thought.

      --
      My abilities are only limited by my imagination
    9. Re:Good, it's costing them money by BriGal · · Score: 1

      They really aren't buying in bulk, though. I work for a registrar, and I go through accounts and domains randomly to suspend anything that looks fraudulent. Most of the domains are between 1-3 per customer account, and rarely more than 10.

  2. so a new rule for email filtering? by TravisHein · · Score: 4, Interesting

    in addition to a commonly accepted practice of doing a reverse domain name lookup on who is sending you email, whereby rejecting email from bogus domains, no domain, to now also have the mail server also do a whois lookup, and arbitrarily reject email from a domain that has been registered less than a few days ago?

    1. Re:so a new rule for email filtering? by 2obvious4u · · Score: 4, Insightful

      Almost, they could have registered it weeks, months or even years earlier. You would need to see if it had X days of activity. I don't know how you would do that.

    2. Re:so a new rule for email filtering? by Snowhare · · Score: 1

      The problem with this is pretty much all of the whois servers rate limit requests. Make more than a very small number of requests per day and they simply quit answering. What we need is basic whois info available like domain created dates via DNS queries.

    3. Re:so a new rule for email filtering? by fifedrum · · Score: 3, Interesting

      there are email reputation providers out there who can tell you things like that. It may even be free (it is for us anyway)

    4. Re:so a new rule for email filtering? by fifedrum · · Score: 5, Informative

      This is the way our reputation provider works: If the IP hasn't been seen delivering email before (no matter its age), it has a 0 reputation. The more email that is processed the higher the reputation and the reputation is, of course, modified down by complaints. The more complaints, the lower the reputation. Think feedback loop, or where your email goes when you click "mark as junk."

      If someone else wanted to get into the game, services like spamcop could be used (who knows, maybe can already be used?) to determine domain name reputation by keeping an independent database of domain names and keeping the ratio of good to bad email handy for rapid lookups, maybe in something like dnsrbld type lookup table. It's the same as IP reputation engines, just with text domain names.

      Maybe someone already does. I know our antispam provider keeps a level of spaminess for domain names, but those are for domains that already exist. You would have to determine by policy what to do with domains that don't have a reputation.

      That and implementing tighter SPF and DKIM will help eliminate this stuff.

    5. Re:so a new rule for email filtering? by XanC · · Score: 1

      Can you explain how SPF would be of any help at all here?

    6. Re:so a new rule for email filtering? by hedwards · · Score: 1

      To prevent free riding on a known good domain name from somewhere else.

    7. Re:so a new rule for email filtering? by Bert64 · · Score: 1

      Which isn't what they're doing, they are registering their own domains which means they can then create valid SPF and DKIM records for them.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re:so a new rule for email filtering? by mikael_j · · Score: 1

      The biggest problem with using reverse lookup is that it's a horrible method. Sure, ten or fifteen years ago it was a half-decent method for filtering but these days lots of companies have broken reverse DNS pointers, even big companies (one I've seen with many companies here in Sweden is that email from user@company.se from a server claiming to be mailhost.company.se is sent from xxx.xxx.xxx.xxx for which a reverse lookup gives mailhost.company.com or something like ext-12-sthlm.se.company.com).

      Personally I prefer relying on SpamAssassin to sort out the spam, it works quite well as long as you keep everything updated. Also, since July 1st I've noticed a sharp drop in the amount of spam hitting my personal mail server (down to about 25% of what it used to be).

      Then there's SPF which would also seriously help if more sysadmins would just get around to implementing it.

      --
      Greylisting is to SMTP as NAT is to IPv4
    9. Re:so a new rule for email filtering? by Snowhare · · Score: 1

      Greylisting is to SMTP as NAT is to IPv4

      An ugly hack that is required in practice to keep the net from collapsing?

    10. Re:so a new rule for email filtering? by mikael_j · · Score: 1

      Sure, they can create valid SPF records for their domains but if they're using their own machines (rented or owned) then that ISP is most likely shady and will end up getting on a few blacklists. If they're using botnets then overly broad SPF records could be filtered (since they can't control reverse DNS for the zombie machines they're using to send spam).

      --
      Greylisting is to SMTP as NAT is to IPv4
    11. Re:so a new rule for email filtering? by mikael_j · · Score: 1

      I was thinking more along the lines of just "An ugly hack.". But then I've never had to resort to greylisting to deal with spam (but NAT is unfortunately necessary until we can get more people to start adopting IPv6).

      --
      Greylisting is to SMTP as NAT is to IPv4
    12. Re:so a new rule for email filtering? by Codeyman · · Score: 1

      Most of the reputation providers update the data often (order of minutes), paid ones even more so than free ones. surbl, spamhaus, spamcop are some well known free reputation checks. Mailshell, Symantec etc have paid ones.

    13. Re:so a new rule for email filtering? by Anonymous Coward · · Score: 0
    14. Re:so a new rule for email filtering? by Lumpy · · Score: 1

      Better yet, all domains are rejected unless it has been up for 1 week. If the server receives a single email from that domain, let it through, if it gets 20 or more, bounce them all. All email servers treat all domains as suspect and let in 1 email from the domain an hour until it's proven to be good, then allows more. Instantly Blacklist any new domain heard that has more than 10 emails for the customer. Instant blacklist if any email from that domain during the probation triggers the spam filters.

      Come on guys it's not that hard to stop this crap.

      --
      Do not look at laser with remaining good eye.
    15. Re:so a new rule for email filtering? by Snowhare · · Score: 1

      On my servers, at one point, 99% of attempted spam mailings were being rejected via greylisting at the edge MXs (I'm talking order of 200K mail attempts per day - it vastly outnumbered legitimate emails). If you are big enough, it is a very important tool. It is less effective today than it was but it still is an important first layer spambot screen: Yesterday, it stopped around 3000 attempts to spam us and let through about 1000 mails. Stopping 75% of spam with *one* technique is nothing to be sneezed at.

    16. Re:so a new rule for email filtering? by Snowhare · · Score: 1

      Addendum: Checking my logs, the 3000 greylist stopped spam emails were what were left after *other* filters stopped an additional 156,000 spam attempts. Yes - it really has reached the point where *less than* 1% of email is legitimate.

    17. Re:so a new rule for email filtering? by mikael_j · · Score: 1

      I didn't say it wasn't effective, just that it's an ugly hack which, when improperly implemented, can be a serious annoyance (these days it's rare to see MTAs configured to cause hour-long delays but it wasn't long ago that this seemed to be more common than not when dealing with greylisting).

      --
      Greylisting is to SMTP as NAT is to IPv4
    18. Re:so a new rule for email filtering? by gmack · · Score: 1

      On my servers it generated a ton of complaints about time critical emails being delayed for hours.

      In the end I had to shut off greylisting to avoid losing all of my paying customers.

    19. Re:so a new rule for email filtering? by Skapare · · Score: 1

      Dealing with it is simple. Keep a database of domains with their date of first appearance and first successful acceptance. For each arriving email, look up the domain in the database. If its first appearance is less than 3 days ago, do a soft reject which will cause a normal mail server to re-queue it. If more than 3 days but less than 4 days, go ahead and accept it and record that it was accepted in the other date field. At any other time, if the record shows there was an email accepted between day 3 and 4, accept future email for this domain. Note that "accept" here only means that this test passes. Other tests can still flag it as spam. The 3 days gives a chance for other means to block this domain to become established, or the domain to be shut down, or for spam filters to learn from other sources how to detect this as spam, if it is. Domains you've dealt with before would be in this database as fully acceptable.

      --
      now we need to go OSS in diesel cars
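
The first-appearance / first-acceptance bookkeeping described in the comment above, as an added sketch that is not part of the thread or any poster's code. The table layout, the names, letting the null sender through, and restarting the clock for a domain that was never retried inside the day 3 to 4 window are assumptions; the comment leaves those cases open.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

HOLD = timedelta(days=3).total_seconds()        # soft-reject period from the comment
WINDOW_END = timedelta(days=4).total_seconds()  # acceptance must be recorded before day 4

ACCEPT = "ACCEPT"      # this one test passes; other spam tests still run
TEMPFAIL = "TEMPFAIL"  # answer with an SMTP 4xx so a normal MTA re-queues


def sender_domain(envelope_from):
    """Lowercased domain of an envelope sender, or None for the null sender."""
    addr = envelope_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].rstrip(".").lower() or None


class DomainAgeGate:
    """Per-domain record of first appearance and first successful acceptance."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS domains ("
            " domain TEXT PRIMARY KEY,"
            " first_seen REAL NOT NULL,"
            " first_accepted REAL)"
        )

    def seed_known(self, domain, now):
        """Pre-load a domain you already deal with as fully acceptable."""
        ts = now.timestamp()
        self.db.execute(
            "INSERT OR REPLACE INTO domains VALUES (?, ?, ?)",
            (domain.lower(), ts, ts),
        )
        self.db.commit()

    def check(self, envelope_from, now):
        domain = sender_domain(envelope_from)
        if domain is None:
            # Assumption: bounces (null sender) carry no domain to age.
            return ACCEPT
        ts = now.timestamp()
        row = self.db.execute(
            "SELECT first_seen, first_accepted FROM domains WHERE domain = ?",
            (domain,),
        ).fetchone()
        if row is None:
            # First appearance: start the clock and soft-reject.
            self.db.execute(
                "INSERT INTO domains VALUES (?, ?, NULL)", (domain, ts)
            )
            decision = TEMPFAIL
        elif row[1] is not None:
            # An acceptance was recorded earlier, so the domain is established.
            decision = ACCEPT
        elif ts - row[0] < HOLD:
            decision = TEMPFAIL
        elif ts - row[0] < WINDOW_END:
            # Retried between day 3 and day 4: accept and record it.
            self.db.execute(
                "UPDATE domains SET first_accepted = ? WHERE domain = ?",
                (ts, domain),
            )
            decision = ACCEPT
        else:
            # Assumption: nothing arrived in the window, so restart the clock.
            self.db.execute(
                "UPDATE domains SET first_seen = ? WHERE domain = ?",
                (ts, domain),
            )
            decision = TEMPFAIL
        self.db.commit()
        return decision


def demo():
    """Replay a constructed timeline for two made-up sender domains."""
    t0 = datetime(2010, 7, 1, 12, 0, tzinfo=timezone.utc)
    gate = DomainAgeGate()
    timeline = [  # constructed sample input: (envelope sender, days after t0)
        ("<news@new-shop.example>", 0),
        ("<news@new-shop.example>", 2),
        ("<news@new-shop.example>", 3.5),
        ("<news@new-shop.example>", 30),
        ("<x@burner.example>", 0),
        ("<x@burner.example>", 5),
    ]
    return [gate.check(s, t0 + timedelta(days=d)) for s, d in timeline]


if __name__ == "__main__":
    print(demo())
```

A TEMPFAIL here would be returned to the sending server as a temporary (4xx) SMTP reply, which is what makes a well-behaved MTA retry into the acceptance window.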
    20. Re:so a new rule for email filtering? by ResidentSourcerer · · Score: 1

      If you are a large mail provider you could simply flag messages for X hours after you saw a new source domain.

      Combine that with a filter that looks at the number of recipients.

      New domain + large recipients list - known mailing lists = hold.

      Create an index of the number of unique words you expect to see from 1000 email messages that come from individuals, and compare that to the number of unique words you get from this domain. If this index shows that messages are too similar, drop, block, and publish.

      If outfits like gmail, hotmail, and yahoo did this, then smaller ISPs could piggyback on the published lists.

      The net result would be that spammers could use a new domain for only a few hundred messages.

      Or that spammers would only send to small mail service providers.

      Small providers in practice could do the same thing by running the indexer on the messages, forwarding the index data to one of the big companies. This in effect pools the small providers data. It would make them a bit slower.

      And why would google and the like do this? If they can make spam more difficult, they reduce the number of servers they have to use for filtering.

      --
      Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.
    21. Re:so a new rule for email filtering? by Anonymous Coward · · Score: 0

      This is the way our reputation provider works: If the IP hasn't been seen delivering email before (no matter its age), it has a 0 reputation.

      Depends on the reputation provider. The one we use effectively assigns a reputation of NULL to IPs which haven't been seen sending mail. That is, it makes a distinction between a neutral reputation and no reputation at all. We actually assess a slight penalty on hosts with no reputation at all, since there's a good chance it's a spambot coming to life. The penalty is enough to slow down a spewing spambot, but usually doesn't bother new, legitimate mail servers which tend to slip in under the penalty.

  3. Flag email that comes from new domains by harmonise · · Score: 4, Insightful

    Score email higher that comes from newer domains. The older the domain, the lower the score. I'm thinking spamassassin scores here.

    --
    Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
    1. Re:Flag email that comes from new domains by Anonymous Coward · · Score: 0

      so i buy a few hundred domains today and sit on them for a couple months. Next week, I buy a few hundred more, and sit on them for a couple months plus one week. This is actually close to what they're doing now.

    2. Re:Flag email that comes from new domains by harmonise · · Score: 1

      Exactly. And emails from your domains will still have a higher score than domains that are over a year old. It will also stop "domain tasting" or whatever it is called where spammers get domains for less than 24 hours without paying for them.

      --
      Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
    3. Re:Flag email that comes from new domains by Tom · · Score: 1

      They'll just buy in bulk in advance, let it sit there for a year, then use it.

      You can not solve the spam problem technologically. You have to reduce the opportunities and incentives on all fronts. That means making it harder (= more expensive) to spam, making spam less profitable (various methods like bringing credit card companies into responsibility have been discussed) and making it more dangerous (actually enforcing the law, and making the law less easy to exploit).

      None of that on its own will solve the problem. All of it combined stands a chance.

      My personal favourite, though, is to shoot both the spammers and the fucktard idiot fools who buy from them. You can't jail them - we don't have enough jail space to start filling it with idiots. Too many idiots.

      --
      Assorted stuff I do sometimes: Lemuria.org
  4. Filtering out new domains? by HikingStick · · Score: 2, Interesting

    They obviously are making enough money to afford the registration fees. I wonder if there would be a way to greylist/blacklist new domains, though that simply might mean that spammers would sit on the domain for a period of weeks or months before using them. Still, would there be a way to flag young domains so that they end up with higher scores in various spam filters?

    --
    I use irony whenever I can, but my shirts are still wrinkled...
  5. Persistent little bastards... by sixteenbitsamurai · · Score: 5, Funny

    It's like an underground revolutionary movement, except selling male enhancement products.

    --
    Yeah, that just happened.
  6. been happening for years by fifedrum · · Score: 5, Funny

    As an SA at a hosted email provider I see this on a daily basis and could list several hundred domains just from the last few days' worth of reports. They hit the big registrars, attempt to automate as much as possible, create dozens of email accounts per domain, and turn on the spigot disposing of the domains immediately in the case of sending domains, and putting off the demise of the web domains as long as possible.

    Fortunately, the activity levels of the greedy spammers far outstrip the activity levels of the normal user, that said, we still see occasional drip spammers.

    Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)

    1. Re:been happening for years by phoenixwade · · Score: 1

      Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)

      I'm going for a Barrett and a tall hill or tree, this will be fun. Although I would still be partial to a rocket launcher with rockets that have painted on Smiley faces on the nose....

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    2. Re:been happening for years by Locke2005 · · Score: 1

      (Please gentle viewer, let me have the M1)

      Sorry, you're ALL getting the aluminum bats -- much more entertaining to watch!

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:been happening for years by ajlitt · · Score: 4, Funny

      Ah, the cluebat. An elegant weapon for a less civilized luser.

    4. Re:been happening for years by Dancindan84 · · Score: 1

      Naw, just give them lots of viagra and steroids. More poetic. /Read a similar joke somewhere about how to deal with spammers. //Not Mencia, don't kill me. I'd give credit if I could remember where from.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    5. Re:been happening for years by morgan_greywolf · · Score: 1

      Um, have you ever seen a pudgy, pasty-faced sysadmin with an aluminum bat? Think the beginning of "Bad News Bear....

      Oh, I see what you did here...

    6. Re:been happening for years by Anonymous Coward · · Score: 0

      Just treat it like a Zombie Invasion, give them lawnmowers.

    7. Re:been happening for years by oldspewey · · Score: 1

      I'll give you a big stockpile of cans of spam, plus your choice of either a big kickass slingshot, or a small trebuchet.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    8. Re:been happening for years by supercrisp · · Score: 1

      M1 is a bit old school. There are a LOT of spammers, and you'd need a higher rate of fire. I'd suggest a Saiga 12. Or if you really want the retro look, an AK-47 is still hard to beat.

    9. Re:been happening for years by Firethorn · · Score: 1

      I think he's going for quality of kills over quantity.

      Besides, I figure there are fewer than you might think. Remember, one spammer can send out millions of emails in less than a day, easy.

      --
      I don't read AC A human right
    10. Re:been happening for years by Anonymous Coward · · Score: 0

      There's no rules against multiple bullets per spammer, is there?

      Rate of fire is still king in such a scenario, especially when the pasty faced admins can't aim too well. Six bullets in the upper legs still beat one in the chest, for sheer entertainment value.

    11. Re:been happening for years by fifedrum · · Score: 1

      definitely going for style points. nothing gives you the chills quite like the "sproing!click!" of the M1 running out of ammo. The plan was to have a limited number of spammers on the island, maybe at a 1:1 ratio kind of like "Running Man" (not smit running man either)

    12. Re:been happening for years by Anonymous Coward · · Score: 0

      In other words, ICANN is enabling spam, which enables fraud, identity theft, kidnap, etc. Thus ICANN is a criminal organization that must be stopped!

    13. Re:been happening for years by Anonymous Coward · · Score: 0

      Meh, just nuke 'em from orbit.....only way to be sure.

  7. This is a new technique? by interval1066 · · Score: 3, Insightful

    I could have sworn they have been using this one for a few years now.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    1. Re:This is a new technique? by Anonymous Coward · · Score: 0

      It appears that the spammers are a few years ahead of the analysts at Kaspersky Labs.

  8. Validate domain ownership by Animats · · Score: 4, Interesting

    When you buy a domain, you should be mailed a letter with an activation code, sent to the registrant address. No valid mailing address, no domain activation.

    1. Re:Validate domain ownership by fifedrum · · Score: 3, Insightful

      to which they'll use mules

      really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion. The only thing that works is jail time.

    2. Re:Validate domain ownership by BitZtream · · Score: 2, Insightful

      Mules at a known valid address are far easier to trace than stolen credit cards.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Validate domain ownership by Anonymous Coward · · Score: 0

      really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion.

      So you're saying that we should give up?

      The only thing that works is jail time.

      That would require us to know who to jail first.

    4. Re:Validate domain ownership by guruevi · · Score: 1

      Oh really? As in: they can make a couple of million and all they face is an extremely small chance that they get maybe 6 months in prison? Besides how do you get caught when there are no laws against it, no police force in the world cares (your company is not big enough to afford those laws) and you could be anywhere in the world, maybe in a small banana-republic where you can treat the police as your personal mercenaries for a couple of $100.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:Validate domain ownership by NevarMore · · Score: 1

      So when you want to register a domain for unpopular political, social, or religious activities you can be outed?

    6. Re:Validate domain ownership by DragonWriter · · Score: 1

      really, there's no way around this that can't also be worked around by the spammers.

      There's a fairly simple way around it on the client end (and which could easily be implemented by webmail providers); allow the user to designate "safe" domains, any mail that isn't from a known contact or a domain identified by the specific recipient as "safe" is shunted to an "unsolicited" box (or tagged "unsolicited"), essentially serving as a lower-probability "possible spam" box to a traditional Spam mailbox/tag.

    7. Re:Validate domain ownership by mlts · · Score: 1

      The threat of jail isn't going to happen. A lot of spammers are in countries whose government doesn't give a rat's ass about computer crime, cannot afford to, or hates everyone else so much that they consider the spammers an income source for their nation.

      Even in countries with computer crime laws, the good spammers will not be directly connected to machines, just like a good drug dealer is never near his stash when making transactions. They will be hiring script kiddies to do grunt work for them, or they will be using cracked wireless networks (very few home wireless networks log anything at all, perhaps at most a MAC) and will be able to do their activities without any way of being caught.

      I'm sure once domain registrations become harder to get in mass quantities, we will be seeing spams from raw IP addresses, or we will see more compromised clients. Spammers have a lot of resources, so it wouldn't be far-fetched to see them trying to attack registrars, and since there are a ton out there, one will end up getting compromised and allow a lot of fake domains to appear with ease.

    8. Re:Validate domain ownership by fifedrum · · Score: 1

      they already use raw IPs, but the vast majority of MX servers reject email that doesn't resolve in reverse DNS, or doesn't have a resolvable HELO hostname, or the from address is phony.

      And they already use compromised clients, see it every day.

    9. Re:Validate domain ownership by fifedrum · · Score: 1

      that's whitelist-only and works great, actually. In our service, you put * in your blacklist, then *@dom in your whitelist (or of course, individual email addresses).

    10. Re:Validate domain ownership by fifedrum · · Score: 1

      you are, of course, exactly right. There's nothing to be done but label them, put them on a list, and wait for them to step foot in a foreign land that has these controls in place.

      Maybe we can declare a Fatwa against them, and any righteous sysadmin can achieve a greater score in mario brothers if they take the spammer out?

    11. Re:Validate domain ownership by mlts · · Score: 1

      Correct. However, if other avenues of spammers dropping their spew are blocked, they will start focusing on trying to compromise legit machines, as opposed to just spraying and praying from IP ranges. Spammers have a lot of money behind them, so I'm sure a larger spam organization may end up spending their time compromising ISP servers just to get their stuff out.

      At least if they do focus on compromising machines, a lot of zero days floating around will be found and squashed.

    12. Re:Validate domain ownership by fifedrum · · Score: 1

      ah, gotcha, good point, looks like even more interesting times ahead for admins of all stripes.

    13. Re:Validate domain ownership by DragonWriter · · Score: 1

      that's whitelist-only and works great, actually.

      Well, not quite. What I was really proposing is actually more like a three or four tiered system, with:

      1. Stuff that is whitelisted: treated as most likely not spam and presented to user.
      2. Stuff that is neither whitelisted nor identified as probable spam by traditional spam filtering: treated/flagged as possible spam and presented to user.
      3. Stuff that is caught as probable spam by traditional spam filtering, treated/flagged as probable spam and presented to user.
      4. Stuff that is caught as near-certain spam or clearly dangerous by existing filtering: blocked entirely and not delivered to user.

      (3 and 4 can be separate, or only one of those treatments can be applied to both categories.)

    14. Re:Validate domain ownership by Skapare · · Score: 1

      What if I gave up using email long ago? Why should making oneself vulnerable to spam be a requirement to participate in non-email internet stuff?

      --
      now we need to go OSS in diesel cars
    15. Re:Validate domain ownership by kvezach · · Score: 1

      really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion. The only thing that works is jail time.

      How about the idea of proof-of-work with price discrimination? Unknown domains start at a fairly high level, so it takes a long time to send mail. If the user or domain has sent a few good mails, it's "trusted" (but using a robust trust metric so that spammers can't just trust each other), and then sending mail is fast. If the user gets compromised, he drops on the trust network and suddenly it's expensive to send mail again.

      It's kinda a hack because you're explicitly wasting processing (or memory access) power to limit something that's otherwise unlimited, but it could work. That is, it could work once someone waves his wand and establishes that distributed trust network.

      Botnets would initially circumvent this, but the zombies would get their trust degraded and so would send spam very slowly, making them unsuitable. Thus the spammers would have to ever chase new hosts. The delay function can be structured so that "stop and go" (send some spam until at worst trust, then let the user get back to good trust, then send more spam) doesn't work.

    16. Re:Validate domain ownership by Anonymous Coward · · Score: 0

      to which they'll use mules

      really, there's no way around this that can't also be worked around by the spammers.

      Not if you snail-mail it to the billing address of the credit card.

  9. This is news??? by Eggplant62 · · Score: 3, Informative

    They've been doing this since 1999 from my personal memory aiding the antispam fight. What suddenly brings this back to the fore as if it were some stunning revelation? It's an old trick that Alan Ralsky used when he was scamming and spamming.

  10. Can't say I'm surprised by ITBurnout · · Score: 1

    A fine match for their disposable e-mails. I have to give kudos to Gmail; my personal account has not seen a single unwanted spam message since its inception. Not one. I used to check the Spam folder to see if anything legit got trashed, but now I just mainly ignore it unless I really want to see anonymous scumbags' assessments about my lack of adequate manhood.

    1. Re:Can't say I'm surprised by Zemplar · · Score: 2, Funny

      ... assessments about my lack of adequate manhood.

      So you're the one! I've got a bunch of email that must belong to you.

    2. Re:Can't say I'm surprised by negRo_slim · · Score: 1

      A fine match for their disposable e-mails. I have to give kudos to Gmail; my personal account has not seen a single unwanted spam message since its inception. Not one. I used to check the Spam folder to see if anything legit got trashed, but now I just mainly ignore it unless I really want to see anonymous scumbags' assessments about my lack of adequate manhood.

      Agreed. My spam folder has plenty of spam but what actually has made it to the inbox in all these years has been about 3 messages. And that's after being lambasted on a previous /. post in which I willingly gave out my email milsorgen@gmail.com. I think someone tried to sign me up for like 3 mailing lists, but other than that it was nothing but hubris.

      I think the problem has been over exaggerated and we are too eager to cater to users too dumb to avoid being suckered.

      --
      On the Oregon Cost born and raised, On the beach is where I spent most of my days
    3. Re:Can't say I'm surprised by ITBurnout · · Score: 1

      Oops, I mean *incorrectly supposed* lack of adequate manhood. False assumptions based on zero evidence and a drive for profit. Weak, limp, flaccid assumptions.

    4. Re:Can't say I'm surprised by hedwards · · Score: 1

      Rarely do I get any spam in my Gmail inbox, that being said, it's tight enough that I do have to add things to my address book fairly often to make sure that it's not listed as spam. But, the rate at which they mistakenly categorize something is impressively low.

  11. Making money from those buying their services by Anonymous Coward · · Score: 0

    The spammers are making money from those buying their services, people who don't know how to measure increased sales from spam so there's no need to click through and buy, people who don't CARE if it's illegal because they're being paid by their company to advertise, so they don't mind if there's 0% hit rate: they've been paid and you can't prove NOBODY bought because of this (as you can't with any marketing).

    They're making money from "legitimate" companies buying these spammer services.

    Kill these "legitimate" companies and you kill the spammers. And, unlike the spammers, it's hard to start another company big enough to pay for these services to make the spammers' work worthwhile.

    1. Re:Making money from those buying their services by hedwards · · Score: 1

      Indeed, require them to disclose who they've contracted to and make them prove that the lists are clean. Fundamentally for such a simple to solve problem, it's taken a huge amount of time to actually fix. Sure you're not going to get smaller temporary stores shut, but there's an unacceptable number of spams for major retailers and brands out there.

  12. Changing domains or changing servers? by NevarMore · · Score: 4, Insightful

    It's pretty trivial to have 10000 domain names pointing to 10 servers.

    It also seems trivial that when a domain name is flagged to also flag its server, then when a new domain name shows up that points to a flagged server rate it appropriately.

    It's a clever trick, but hardly an unfightable step in the spam-arms-race.
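One way to implement the check described in the comment above, as an added example that is not part of the original thread: verdicts on domains are carried over to the addresses they resolve to, and a domain never seen before is rated by the worst address it points at. The feed format, the `.example` domains, the documentation-range IPs and the rule of scoring an address by the fraction of its domains that were flagged (so a shared host is not condemned by one bad tenant) are assumptions.

```python
from collections import defaultdict

# Constructed sample feed: "<domain> <resolved IP> <verdict>".
SAMPLE_FEED = """\
cheap-pills-01.example 192.0.2.10 spam
cheap-pills-02.example 192.0.2.10 spam
win-prize-now.example 192.0.2.10 spam
replica-deal.example 192.0.2.10 spam
fast-loans-77.example 192.0.2.10 spam
meds-4-less.example 192.0.2.10 spam
knitting-club.example 198.51.100.5 ham
local-bakery.example 198.51.100.5 ham
school-pta.example 198.51.100.5 ham
chess-league.example 198.51.100.5 ham
hacked-blog.example 198.51.100.5 spam
this line is malformed and is skipped
"""


def parse_feed(text):
    """Yield (domain, ip, is_spam) from feed lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in ("spam", "ham"):
            yield parts[0].lower(), parts[1], parts[2] == "spam"


class ServerReputation:
    def __init__(self, min_domains=3):
        self.seen = defaultdict(set)      # ip -> every domain observed on it
        self.flagged = defaultdict(set)   # ip -> the subset flagged as spam
        self.min_domains = min_domains    # evidence needed before judging an IP

    def record(self, domain, ip, is_spam):
        self.seen[ip].add(domain)
        if is_spam:
            self.flagged[ip].add(domain)

    def ip_badness(self, ip):
        """Fraction of the domains seen on this address that were flagged."""
        total = len(self.seen.get(ip, ()))
        if total < self.min_domains:
            return 0.0                    # too little history to hold against it
        return len(self.flagged.get(ip, ())) / total

    def score(self, resolved_ips):
        """Rate a domain with no history by the worst server it resolves to."""
        return max((self.ip_badness(ip) for ip in resolved_ips), default=0.0)


def build_reputation(feed_text):
    rep = ServerReputation()
    for domain, ip, is_spam in parse_feed(feed_text):
        rep.record(domain, ip, is_spam)
    return rep


if __name__ == "__main__":
    rep = build_reputation(SAMPLE_FEED)
    # A domain registered an hour ago has no history of its own,
    # but the server behind it does.
    print("fresh domain on the spam server:", rep.score(["192.0.2.10"]))
    print("fresh domain on a shared host:  ", rep.score(["198.51.100.5"]))
    print("fresh domain on an unseen IP:   ", rep.score(["203.0.113.9"]))
```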

    1. Re:Changing domains or changing servers? by Anonymous Coward · · Score: 0

      You mean they don't need a separate mail server for each domain name? What kind of sorcery do these spammers wield?

    2. Re:Changing domains or changing servers? by amentajo · · Score: 1

      No, they don't. There's nothing remotely resembling sorcery involved.

      If you're being sarcastic... GP post is an appropriate response to this story, as the story seems to overlook the point that NevarMore is making: blocking spam by domain name is not the only way to do it.

      However, when you combine this with non-static IP addresses, it can be an effective way to avoid filtering by source... though I cannot think of a good reason not to dock major points for an e-mail sent by a mail server with a non-static IP to begin with.

    3. Re:Changing domains or changing servers? by mlts · · Score: 1

      Then a spammer will DoS a legit site by using the ISP they use for an attack. It may be useful, but can easily be used by blackhats to sully the name and reputation of a legit site, especially if the attacker does a joe job and sends E-mail from that site's normal outgoing server's SMTP server that is shared.

      And spammers will do this. I have helped small businesses who got threatened with their domain contacts being in the fake From: headers of a spammer, who threatened to send out spam in their name unless they paid a sum via e-gold. I would bet a spammer would love access to a machine that other legit domains send from, just to sully their name as part of an extortion racket.

    4. Re:Changing domains or changing servers? by EdIII · · Score: 1

      though I cannot think of a good reason not to dock major points for an e-mail sent by a mail server with a non-static IP to begin with.

      I cannot think of a good reason to even start talking with a non-static IP to begin with. Spamhaus has a PBL (Policy Block List) and if an IP address is on it I just terminate the connection.

      I know some people will say, "but now you prevent the common man from running a mail server!". Correct. It is unfortunate to create such a barrier to entry, but I feel that if you want to operate a mail server responsibly you will use a static IP. Spammers suck, and they have forced us to make it pretty difficult to deliver legitimate email. My own personal mail server is operating in a datacenter, but I pay $5 for a static IP address at home. I could be running a mail server there if I wanted to as well.

      To expand upon NevarMore's point, domain names are only a small piece. I use several RBL's to determine if I even want to start a conversation with another mail server. Afterwards, it is all about the weight, or as you said, "points".

      I believe what the article refers to is spammers' attempts to mitigate the points being assigned to their emails from the message level domain checks. That can remove some of the negative points against their spam, but does nothing against the IP address checks that can be performed as well on the mail server, and even on the IP address lookups for those domains.

      IMO, the spammers are just looking to get a little more spam through, and don't think this is a way to defeat anything. Just a higher success rate of getting their spam to the Inbox. Awful lot of work, effort, and money being spent to do it too. Which is why I am convinced it is not advertising dollars from the companies marketing the products, but attempts at hijacking machines motivating them instead. Using them to conduct more serious crime such as identity theft and stealing financial information is a lot more profitable than some two-bit Viagra company paying them to deliver the spam.

  13. ahhh, but what are the resolved addresses? by swschrad · · Score: 2, Insightful

    if, for instance, they keep coming from the block reserved by {scumpuppy.net}, for instance, you know who to blacklist by range.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  14. One maybe bad aspect of IPv6? by JSBiff · · Score: 4, Insightful

    This got me to thinking. In a world where IPv6 provides an astronomical number of subnet blocks, what's to keep spammers and malware distributors from jumping from IP block to IP block the way they jump from domain to domain?

    1. Re:One maybe bad aspect of IPv6? by shentino · · Score: 2, Interesting

      To make a TCP connection both ends have to have routable addresses.

      Sooner or later either they'll all have common subnets, or they'll cause a noticeable spike in routing traffic.

  15. Doh, just block by IP. by Anonymous Coward · · Score: 0

    Who in their right mind looks at DNS info?

  16. This reminds me of by Anon-Admin · · Score: 1

    This reminds me of the copyright protection on the Commodore 64 games and the game crackers.

    No matter what you can come up with, the spammers will find a way around. RBL's, disposable domains, IP banning => IP Spoofing, the list goes on. This may not be a winnable fight.

    I hate to say that because I have had my e-mail address for 10 years now and average 300 spam messages a day. Thanks to Spam assassin and a probability filter I can knock it down to only 3 or 4 a day getting through.

    Maybe it is time to stop fighting the spammers and start training the users!

    1. Re:This reminds me of by Firethorn · · Score: 1

      Maybe it is time to stop fighting the spammers and start training the users!

      Consider, scammers have been using the same tactics for centuries, often simply updated to keep up with modern communication techniques.

      'Male Enhancement'? Snake Oil, just no longer sold personally with the attendant risk of getting lynched.
      Nigerian scheme? Fake ransom demands.

      We've tried educating people; I think there are certain types of people more susceptible than others. Perhaps they need a financial guardian or something. Along with the compulsive gamblers and such. :(

      It's not a bad idea, I try avoiding scam training; it's at least partially effective. Still, I think that one one approach will fix this.

      Ergo:
      1. Train Users
      2. Some sort of domain/server blacklist
      3. Automatic spam filters
      4. domain/server authentication
      5. Lawsuits; jail time
      6. Hitmen, reopen gladiator games featuring spammers, etc...

      Should keep the spam problem under control.

      --
      I don't read AC A human right
    2. Re:This reminds me of by vlueboy · · Score: 1

      Some of my early-day mistakes were to sign up on innocent-sounding sites for joke e-mails, IQ tests, and free-greeting-card sites ... and my e-mail during warranty registration to legit companies that later sold my address to shady partners. I even signed up for email "news" at an anime site even though they promised all content was pending as they were "still awaiting delivery of our giant robots." I realized I'd been had, but they did put up a legit page 5 years later, and I'm sure they sold my email addy many times over in those five years, even if their promise for news was never fulfilled.

      A quick web search for my email address surprised me with a single site cloning my [defunct Geocities] page where I naively used it a decade ago. It's good to see from your post that I don't get as much SPAM as I deserve for my paranoia-free Windows 98 days :)

    3. Re:This reminds me of by istartedi · · Score: 1

      This may not be a winnable fight

      For as long as the Internet has been public, it's been an arms race. The real winners in any arms race are the arms dealers. Of course, since this is a "cyber" war, the "arms" are software, hardware, and bandwidth.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  17. I don't understand spam folders by XanC · · Score: 3, Interesting

    This is why spam folders should be Considered Harmful. Effectively, it's a delivery failure without a notice. You should either accept mail or reject it, not pretend to accept it and then stash it someplace where nobody reads it.

    Using a spam folder treats outright, obvious spam with more courtesy than the borderline stuff.

    1. Re:I don't understand spam folders by Anonymous Coward · · Score: 0

      Rejecting it is a feedback loop to the spammer to allow them to mutate the payload and retry in real time.

    2. Re:I don't understand spam folders by Firethorn · · Score: 1

      If I'm expecting an email from a new source, like I've signed up somewhere new, and the email doesn't show up, I'll check the spam filters.

      If the new request is outright rejected, how am I supposed to get my confirmation email?

      --
      I don't read AC A human right
    3. Re:I don't understand spam folders by mlts · · Score: 1

      Rejections just allow them to keep trying E-mail addresses and/or keep trying to figure out what will jump past. However, just having a SMTP server blindly slurp all incoming mail at one end and blow it out the other may cause false positives, and maybe causing big problems with mail troubleshooting.

      One needs to do both sanity checking during the E-mail transaction and post-receipt scanning. The SMTP server needs to outright reject obvious crap, greylist suspect stuff, and tarpit mass entries that are obviously not mailing lists. So, if an attacker is trying to guess E-mail addresses, there will be a delay of 20-30 seconds after the first 3-4 attempts. If a domain is blackholed, the connection should be immediately dropped without ever getting a chance to communicate with the SMTP server. If a domain keeps trying to connect after it gets dropped, the machine should drop a DENY acl in for 10-20 minutes to minimize CPU cycles wasted.

      Of course, once the E-mail makes it into an incoming spool, it should go at least through an antivirus pass. UNIX systems, this isn't an issue [1] other than to perhaps catch some obvious UNIX Trojans, but for Windows machines which will happily gobble down malformed code, this is a critical security step.

      [1]: I've seen plenty of Trojan horses for UNIX, but true viruses are really rare.
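The SMTP-time checks listed in the comment above, written out as a small decision engine; this is an added example, not part of the original thread and not any mail server's own code. Keying the blackhole list by connecting IP, the three-drop threshold before the temporary ACL, and the greylisting triplet with a 300-second minimum retry are assumptions; the tarpit and ACL durations are picked from the ranges the comment gives.

```python
from collections import defaultdict

DENY_SECONDS = 15 * 60     # inside the comment's 10-20 minute range
TARPIT_SECONDS = 25        # inside the comment's 20-30 second range
FREE_BAD_RCPTS = 3         # "the first 3-4 attempts" are answered without delay
REPEAT_DROPS = 3           # assumption: drops tolerated before the ACL goes in
GREYLIST_MIN_RETRY = 300   # assumption: minimum wait before a retry is accepted


class SmtpPolicy:
    def __init__(self, blackholed_ips):
        self.blackholed = set(blackholed_ips)
        self.deny_until = {}                 # ip -> expiry of the temporary ACL
        self.drops = defaultdict(int)        # ip -> drops since the last ACL
        self.bad_rcpts = defaultdict(int)    # ip -> unknown recipients tried
        self.greylist = {}                   # (ip, sender, rcpt) -> first seen

    def on_connect(self, ip, now):
        """Decide before any SMTP dialogue takes place."""
        if self.deny_until.get(ip, 0) > now:
            return "ACL_DENY"                # filtered without touching the MTA
        if ip in self.blackholed:
            self.drops[ip] += 1
            if self.drops[ip] >= REPEAT_DROPS:
                # The source keeps coming back: stop spending cycles on it.
                self.deny_until[ip] = now + DENY_SECONDS
                self.drops[ip] = 0
            return "DROP"
        return "ACCEPT"

    def on_rcpt(self, ip, rcpt_exists):
        """Return (reply_code, seconds_to_stall) for one RCPT TO command."""
        if rcpt_exists:
            return 250, 0
        self.bad_rcpts[ip] += 1
        # Address guessing: answer the first few at once, then tarpit.
        stall = TARPIT_SECONDS if self.bad_rcpts[ip] > FREE_BAD_RCPTS else 0
        return 550, stall

    def on_suspect_message(self, ip, sender, rcpt, now):
        """Greylist: temp-fail a new triplet, accept a properly delayed retry."""
        first_seen = self.greylist.setdefault((ip, sender, rcpt), now)
        return 250 if now - first_seen >= GREYLIST_MIN_RETRY else 451


if __name__ == "__main__":
    policy = SmtpPolicy(blackholed_ips={"203.0.113.7"})
    # Constructed session: a blackholed source reconnecting once per second.
    for t in range(5):
        print(t, policy.on_connect("203.0.113.7", now=t))
    # Constructed session: a client guessing recipient addresses.
    for guess in range(5):
        print(guess, policy.on_rcpt("198.51.100.9", rcpt_exists=False))
```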

    4. Re:I don't understand spam folders by maxume · · Score: 1

      People want fast, easy access to most of their real mail with the ability to easily check-up on the automated system some of the time.

      Not having a spam system at all defeats the fast and easy parts of accessing the real mail, and I'm not sure there is an easier way to check-up on the system than to examine the messages that it classifies as spam.

      You are correct that this occasionally moves a legitimate email into the spam folder, but apparently the typical person would rather put up with this than constantly deal with each and every spam message.

      --
      Nerd rage is the funniest rage.
    5. Re:I don't understand spam folders by XanC · · Score: 1

      I think you're confused.

      I'm not advocating going filterless. I'm saying that instead of putting "borderline" spam in a spam folder, simply reject it.

      The "check-up" on the automatic system that you advocate would then be done by the sender, who gets notified that the mail didn't get delivered. If a message ends up in a spam folder, then it effectively hasn't been delivered, but nobody knows about it.

    6. Re:I don't understand spam folders by XanC · · Score: 1

      Does any email from a new source get put into a spam folder? You might want to fix that problem first.

    7. Re:I don't understand spam folders by XanC · · Score: 1

      Post-receipt scanning is evil. Either accept the mail and deliver it, or reject it at SMTP time.

      I reject your assertion that the spambot will employ machine learning and figure a way through after a rejection.

      The correct solution is to employ massive delays on the SMTP transaction if an email is spam. This is a pseudo-tarpit. The mail is eventually rejected.

    8. Re:I don't understand spam folders by maxume · · Score: 1

      I misunderstood what you said. That isn't exactly the same as being confused.

      I would respond to your clarification by saying that most receivers would probably rather be able to check up on the filter than they would trust the sender to fix the problem (for instance, imagine the fun nightmares that begin when a personal relation that the receiver doesn't care to offend starts sending them spam).

      --
      Nerd rage is the funniest rage.
    9. Re:I don't understand spam folders by XanC · · Score: 1

      I misunderstood what you said. That isn't exactly the same as being confused.

      Perfectly fair. I didn't mean it pejoratively.

      imagine the fun nightmares that begin when a personal relation that the receiver doesn't care to offend starts sending them spam

      Seems like a filter that rejects those mails is the perfect solution! The recipient can't be blamed, it's that dang filter. :-)

    10. Re:I don't understand spam folders by Firethorn · · Score: 1

      Does any email from a new source get put into a spam folder?

      No, but it's iffy on new signups for small forums and such.

      --
      I don't read AC A human right
    11. Re:I don't understand spam folders by Anonymous Coward · · Score: 0

      > This is why spam folders should be Considered Harmful. Effectively, it's a delivery
      > failure without a notice. You should either accept mail or reject it, not pretend
      > to accept it and then stash it someplace where nobody reads it.

      The reason we do that, is that if we send a delivery failure it will tell spammers about how to bypass our spam filter.

      If for some spams we tell them that the account doesn't exist at the SMTP account, and they are accepted when they can bypass the spamfilter, it gives too much useful information to the spammer to improve his spam campaign.

      That's it.

    12. Re:I don't understand spam folders by XanC · · Score: 1

      pfft, BS, 98% of spam is fire and forget. Mail should be either rejected at SMTP time or delivered. Anything else is breaking your mail system, and asking for mail to mysteriously disappear.

    13. Re:I don't understand spam folders by Anonymous Coward · · Score: 0

      Unfortunately, signaling delivery failure due to spamminess allows the spammers to determine exactly how your spam filters work and what they can do to avoid detection. Accepting and then stashing spam is unfortunately necessary.

    14. Re:I don't understand spam folders by ArsenneLupin · · Score: 1

      If the new request is outright rejected, how am I supposed to get my confirmation email?

      The same thing would happen as in the situation where you wouldn't expect mail from that source: the sender would get the bounce, which would contain a reason why the mail was rejected (such and such keyword in mail, no text, ...), he then would change his mail to match, and try again.

      And if he was unable to comply, he would use a different channel (i.e. phone) to communicate with you.

    15. Re:I don't understand spam folders by Firethorn · · Score: 1

      The same thing would happen as in the situation where you wouldn't expect mail from that source: the sender would get the bounce, which would contain a reason why the mail was rejected (such and such keyword in mail, no text, ...), he then would change his mail to match, and try again.

      I'm not talking about an individual's mail; I'm talking about those new account confirmation emails many forums send out, that you have to acknowledge before you can post.

      Odds are a rejection mail is going into the bitbucket.

      The administrator, assuming he's paying attention and knows how, can't just 'change the email', because that's only a temporary fix - the spammers will just adapt to the NEW template.

      And if he was unable to comply, he would use a different channel (i.e. phone) to communicate with you.

      Like I want to give www.randomforum.com my phone number? Like they have an administrator that active?

      I'd rather just check the spam folder so I can retrieve the occasional false-positive.

      --
      I don't read AC A human right
    16. Re:I don't understand spam folders by ArsenneLupin · · Score: 1

      I'm not talking about an individual's mail; I'm talking about those new account confirmation emails many forums send out, that you have to acknowledge before you can post.

      Odds are a rejection mail is going into the bitbucket.

      On a properly configured automailer, any error messages are supposed to go to the administrator. How else would he be made aware that something is amiss?

      Like I want to give www.randomforum.com my phone number? Like they have an administrator that active?

      In case of an automailer, if there is trouble, probability is that the trouble is related to the software they are using. If the administrator manually mails you using his normal MTA, chances are good that this time it succeeds.

      And if the automailer is so badly set up that it can't set up a proper reply, are you really trusting that outfit that it handles all other aspects of the service well? (such as not communicating your e-mail to a spammer anyways...)

    17. Re:I don't understand spam folders by Firethorn · · Score: 1

      On a properly configured automailer, any error messages are supposed to go to the administrator. How else would he be made aware that something is amiss?

      And he still has to care enough to fix the problem of MY mail server rejecting his notices.

      And if the automailer is so badly set up that it can't set up a proper reply, are you really trusting that outfit that it handles all other aspects of the service well? (such as not communicating your e-mail to a spammer anyways...)

      'set up a proper reply'? What does that mean?

      My point would be that spammers have and will send out emails that are crafted to look like these confirmation emails. They're an attempt to get you to click on the link. As such, forums small enough to not end up on whitelists often get blocked.

      You start sending reject messages with resubmission requirements to allow email through and the spammers will automate that process faster than many lazy forum administrators will process the handful of rejects they may get a week.

      Not to mention that the whole reason for the confirmation emails is/was an attempt to cut down on spamming from their end, not increase their workload.

      --
      I don't read AC A human right
  18. Hey Timothy, Welcome to 1999 by BitZtream · · Score: 1, Informative

    Really ... spammers are moving to disposable domains ...

    All those fja3lgah12.com email addresses I've been seeing for the last 10 or so years have been bots on real domains then eh?

    Seriously Tim, if you think something is new and exciting then you are experiencing one of two things, either it's not really old and it's actually common knowledge to everyone BUT you and the website you're viewing ... or ... the website you're viewing is wrong.

    Think that EVERY TIME you go to post stories to the front page and we'll do a lot better. I'll make it simpler, just based on your history as an editor ... when you think a story is good to post, you're wrong.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  19. Domain Age by Bert64 · · Score: 0, Redundant

    Surely spam filters can just check for domains which are less than a few days old...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  20. EOL? by BrokenHalo · · Score: 3, Insightful

    Maybe this is a symptom of the beginning of the end for the professional spammer. If the whole thing ends up being more trouble than it's worth, maybe these asswipes will look for an alternative source of income.

    Probably premature, I know, but we can hope...

    1. Re:EOL? by localman57 · · Score: 1

      If the whole thing ends up being more trouble than it's worth

      Perhaps. But part of the problem is that a lot of these problems are originating from places where people's trouble (ie time and effort) isn't worth very much to begin with, because there aren't better paying options for employment. Think gold farming...

    2. Re:EOL? by mlts · · Score: 1

      Be careful, spammers may move into other territory. There was a sense of victory when ISPs were successful at blacklisting spammers, then they went to bouncing IP addresses to duck blackholes.

      I'd expect the next thing will be to find ways to compromise E-mail accounts en masse (hacking a server at a free E-mail provider and using accounts, or compromising a backbone SMTP server.) With the money spammers make, paying a blackhat with a 0-day would be small potatoes compared to the money rolling in.

      Another thing might be resources spent for another generation of botnets, improving the subtlety aspect and perhaps only sending a limited amount of mail at a time, through hijacked accounts.

    3. Re:EOL? by yuna49 · · Score: 1

      I'd expect the next thing will be to find ways to compromise E-mail accounts en masse (hacking a server at a free E-mail provider and using accounts, or compromising a backbone SMTP server.)

      Just this week I've seen two spams that appear to have come from real accounts at AOL and Hotmail. I know for a fact that the first was a real account since it belonged to someone subscribed to a limited-membership listserver I manage. The second was from an account I knew nothing about, but it was essentially identical in content to the first. Both came from the mail providers' own SMTP servers. They also both have a X- header identifying the originator of the message, and both came from an IP in 115.48/12 described as "China Unicom Henan province network."

    4. Re:EOL? by Anonymous Coward · · Score: 0

      This is becoming commonplace. Both spams like what you have received, as well as scams of "OMG, I am arrested, please send $500/$1000/$2000" are increasing by large numbers.

      Facebook is getting broken into, as well as other sites.

      My recommendation to end users: It sucks, but consider moving to OS X, Linux, BSD, or another OS. At least UNIX systems don't open the keys to the city if there is a Flash exploit. Since MS apparently gave the Windows source code to the blackhats in China and Russia (while whitehats and people whose livelihood and security depends on this source have no access), it is no wonder that that OS is being hit hard by zero day exploits. Follow Google's lead and change platforms.

    5. Re:EOL? by Lennie · · Score: 1

      When you look at the numbers, it's pretty close already. I think the last research suggests, the spammer sends 320 million messages, he/she gets 28 responses. The email providers already filter out 90% to 98% of all mail (not all of it is spam, some of it is spyware, virus or phishing of course).

      --
      New things are always on the horizon
    6. Re:EOL? by NormalVisual · · Score: 1

      Both came from the mail providers' own SMTP servers.

      And best of all, when you attempt to notify Hotmail of this kind of spam, they blow you off. They'll usually tell me "your headers were forged" when I can clearly see it's a genuine Hotmail server connecting to my SMTP box, and any general communication to the abuse address gets bounced because "in order to process your request, Hotmail Support needs a valid MSN/Hotmail hosted account".

      As far as I'm concerned, Microsoft is directly contributing to the spam problem with such policies.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    7. Re:EOL? by WuphonsReach · · Score: 1

      hacking a server at a free E-mail provider and using accounts

      Already happens - mostly with Hotmail, Yahoo, and GMail accounts.

      My Hotmail account hacked - all my contacts spammed !! How to avoid it happening to you.

      (just one of many such occurrences)

      --
      Wolde you bothe eate your cake, and have your cake?
  21. No! by night_flyer · · Score: 2, Funny

    Really? Are you serious? And this is news how?

    --


    Thanks to file sharing, I purchase more CDs
    Thanks to the RIAA, I buy them used...
  22. Catch Them! by b4upoo · · Score: 1

    Since the usual idea of spam is to get people to send money somewhere why not send a cop to that point and grab the account holders. Fines plus prison time should discourage them.

    1. Re: Catch Them! by Joce640k · · Score: 1

      The 'somewhere' is usually a place where cops can't (or don't) do that.

      --
      No sig today...
  23. Levels of accountability by aapold · · Score: 3, Insightful

    If a bar sells beer to an underage person, they get in trouble. Roll the layers back and put it on them to institute their own methods of verification or face consequences for not doing so. As it is, they practically have a vested business interest in continuing to sell them these domains.

    --
    "Waste not one watt!" - CZ
  24. surprise by xmousex · · Score: 1

    What is this??? Slashdot news from the late 90s??? Also the matrix is a good movie, i hope the sequels are just as good.

    1. Re:surprise by Anonymous Coward · · Score: 0

      Also the matrix is a good movie, i hope the sequels are just as good.

      But everybody knows they never made any sequels.

  25. It's not new. by Jay+L · · Score: 1

    I left the field in 2001 and they were already doing it then. It's just cheaper now (cheaper with real money, and cheaper to buy stolen credit cards).

  26. Basically sockpuppetry with domains by Anonymous Coward · · Score: 0

    Just like trolls and vandals create accounts that are going to be banned anyway so they don't care what they do with them.

    I create plenty of them on Wikipedia everyday to harass admins and stewards. Just click on create account and make an account with a stupid name and then immediately log out and create another one up to six a day until your IP range gets check user blocked. I got the whole of T-Mobile blocked from editing Wikipedia.

  27. Mod parent (and GP) up. by khasim · · Score: 2, Insightful

    IPv6 will cause a huge problem with existing blacklists.

    It won't cause any problems with whitelists (which should be checked PRIOR to the blacklists).

    But they're still going to have to go through routers. So we're going to have to work on hacks that identify the routers that the communication is traversing. Then you should be able to see the "gateways" to the spammy networks and adjust the scoring.

  28. A couple is less than 12 by tepples · · Score: 1

    so i buy a few hundred domains today and sit on them for a couple months.

    "A couple" is less than 12. I think the idea is to score e-mail from a domain spammier for the first year that the domain has existed, and score it less spammy if the domain's expiration is at least 2 years in the future (indicating a substantial prepayment).

  29. Not Even Remotely New by damn_registrars · · Score: 4, Insightful

    Anybody who has ever really looked at the spam they've received knows this has been going on for years. Spammers buying domains in bulk for quick switching is a very old game. Fortunately as this gets more attention we get a little bit closer to paying attention to something we can do something about (for a little while longer anyways):

    Registrars. We have often pointed to the spammers, the ISPs, and the spamvertised domains as groups who make money off of spam. We have for various reasons frequently overlooked the registrars who are taking in a profit on the deal as well. There have been registrars in bed with spammers for almost as long as we have had spammers.

    The big difference though is that we could do something about the registrars - if we really wanted to. The registrars are supposed to keep valid data on their customers, and are supposed to adhere to specific ICANN guidelines (at least for specific TLDs). If the registrars couldn't register anything in the TLDs they want, they would think twice about knowingly dealing with spammers.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  30. Anonymous Coward by Anonymous Coward · · Score: 0

    It's simple. Just add a new rule (which has to be coded) for SMTP to not accept incoming emails from any domain if that domain is less than a month old. Obviously this number of days/months, etc can be configurable.

  31. The 'tasting' comments confirm, this is not new. by rickb928 · · Score: 2, Interesting

    I've been seeing this for at least five years. First, tasting was the preferred method. Now it seems some serious spammers have an 'in' with a registrar, where by the time I get to looking up the whois, the domain is gone and no longer registered. Not even the previous whois is available.

    I can't imagine that allowing someone to register a domain for a few days or even less, and then deleting all trace of the registration, is permitted by ICANN, but they haven't been able to police registrars very well at all for a decade now. Between the obvious front-running, search scanning, and tasting scams, most registrars are just plain shady. A pox on them all. It's gotten to the point that when someone asks me to look up a domain to see if it's available, I tell them to make the decision, and I will try to register it for them. For a while now, EVERY domain I've checked on was available when I looked it up, and minutes later it was gone.

    I'm not the dullest turnip to fall off the truck last night. Front-running is a scam. Disposable domains are not new. This article is at least 5-6 years late.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  32. Email is the problem by wagonlips · · Score: 1

    Let's just stop using it.

  33. IPv6 doesn't suffer from this kind of spoofing by crovira · · Score: 1

    If your site IPv6 address is on the "naughty list" it doesn't matter what you spoofed the DNS to call the web site.

    It is also a lot faster to do a binary hash on a fixed bit length IP address rather than a variable length domain name.

    Most of the current problems from miscreants and other forms of low-lifes will disappear, as will most script kiddies and pirate sharers out there when they realize that there is no more anonymity on the internet.

    Most traffic will be point-to-point and one of the things it will be pointing is ... your machine.

    Hee Hee...

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
    1. Re:IPv6 doesn't suffer from this kind of spoofing by BitZtream · · Score: 1

      Uhm, IPv6 and IPv4 are not really any different from a practical perspective of DNS.

      You won't see IPs floating around anymore with ipv6 than you do now, people will still use domains.

      My mail servers are already blocking based on ipv4 addresses, as well as domain names.

      You really don't understand what ipv6 is.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  34. One Word by Anonymous Coward · · Score: 0

    Whitelist.

    <people around look at Anonymous Coward in a peculiar manner>
    <rope sounds can be heard>

    Huh, no, I did not mean that way. I'm not racist... I swe...

    <noose tightens, gagging can be heard, but only for a little while>

  35. If Only There Were Some Sort of Agency by Anonymous Coward · · Score: 0

    What the United States needs to protect itself from the criminals who steal hundreds of millions of dollars every year from businesses and individuals with their 419 scams, cons, ripoffs, mortgage scams, and theft of people's time and resources is some sort of Cyber Command agency run by the military. It probably wouldn't help if we had one though; they'd get distracted by all the fearmongering and go off chasing nonexistent threats like Al Quiaaaida Uber Elite Hackers that might take down the nation's power plants or cause all the traffic lights to go green at once or cause all the air traffic control screens to go black or any other ridiculously implausible scenarios that are dwarfed by all the actual criminal spam hurting us, badly, right now.

  36. How does this influence the available namespace? by isomer1 · · Score: 1

    A lot of the responses are focusing on (A) is this a new method and (B) how it can/can't be easily dealt with. But personally I'm more interested in how this affects the available namespace. Surely many on slashdot have their own domains/projects out there and are familiar with how difficult it is to find a catchy/marketable domain name that isn't taken. These spam tactics would seem to both further limit the available namespace in the short term and poison the well in the long term if those names stay on RBLs etc. long after the spammer lets the registration lapse. Anybody have thoughts/experience with this?

  37. Not that much of news by dindi · · Score: 1

    Maybe I worked sometimes around bad people, who chose bad advertising methods (I have never sent SPAM out, or worked SPAM machines), but this is just so old news, like saying:

    "Robbers are now using stolen cars",
    or
    "thieves are stealing credit card numbers"

    Either way, when it comes to spamming, the linked domain is mostly a throw-away one, and that is not even the problem. The problem is the IP that sends the mail. At least for the weak/poor, who cannot build/pay for a botnet mailer. You can however always find a provider with a set of foreign IPs (the last spam haven I heard of was Romania). Machine hosted in the US, port 80 for the legit site (after the spam "promo site") is a US IP, the spam goes out from Romanian IPs, and the throw-away address points there too. Complaint comes, domain is thrown, new IP, new domain, main site claims the spam was from an advertiser, and their account is gone.

    SOOO EASY ... and so impossible to do anything with.

    FYI I do not work on/with anything like this, near this or for this.

  38. Axe in the face would stop it by xiando · · Score: 1

    A global law against spamming with punishment of death by axe in the face for proved involvement with spam e-mail would probably frighten many spammers enough to make them stop. Just a thought.

    1. Re:Axe in the face would stop it by slriv · · Score: 1

      A global law against spamming with punishment of death by axe in the face for proved involvement with spam e-mail would probably frighten many spammers enough to make them stop. Just a thought.

      Agreed, however your mom would end up getting axed cuz she sent one of those damn emails with a ton of pictures and a billion forwarding headers and some lame thing about Jesus or how Obama is turning the country into a socialist state.

      --
      All the worlds a stage, and I'm the guy running the lights...
  39. spam-in-a-can-can-spam-law by Anonymous Coward · · Score: 0

    This is not new, in fact it's such outdated info it's not even relevant. Having enough money to buy white listing is how we get past the spam filters. spamhaus's current going rate to buy your way off their black list is $40,000.

  40. A simple answer to spamming by whitroth · · Score: 1

    In the US, doesn't the CAN-SPAM Act allow us to go after spammers? If so, who's the responsible party: the spammers... or the sites being advertised? *They* can't have disposable domains, and they're the ones who are paying the spammers.

                mark

  41. Who looks at the domain anyhow? by daringone · · Score: 1

    It's been 3 years or so since I've been in the business of killing spam, but I recall never EVER caring about the domain name that is so easily forged anyhow. I only ever cared about IP addresses. I even wrote some nifty stuff to analyze my SA logs that once an IP had sent me a configurable amount of spam over a configurable score, that I added the IP to my blocklist and wouldn't allow it to even connect to my server. If I saw enough junk from the same subnet, the whole subnet would eventually be blocked. There was also a timeout on these entries, but they became progressively longer each time they were re-added to the list.
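
The scheme described in the comment above, as an added example that is not the commenter's code: per-IP listing after a number of high-scoring messages, escalation to the whole subnet, and a timeout that grows on every re-listing. The threshold values, the /24 subnet size, the doubling schedule, the event tuple format and the documentation-range addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# All thresholds are assumed values; the comment only says they were configurable.
SCORE_MIN, HITS_PER_IP, IPS_PER_SUBNET, BASE_TTL = 8.0, 3, 2, 3600

class Blocklist:
    def __init__(self):
        self.hits = defaultdict(int)     # ip -> high-scoring mails since its last listing
        self.strikes = defaultdict(int)  # network -> number of times it has been listed
        self.expires = {}                # network -> unix time at which the block lapses
        self.bad_ips = defaultdict(set)  # /24 -> addresses listed inside it

    def _list(self, net, now):
        # Each re-listing doubles the timeout: 1h, 2h, 4h, ...
        self.strikes[net] += 1
        self.expires[net] = now + BASE_TTL * 2 ** (self.strikes[net] - 1)

    def blocked(self, ip, now):
        addr = ipaddress.ip_address(ip)
        return any(addr in net and until > now for net, until in self.expires.items())

    def observe(self, ts, ip, score):
        """Process one scored message; True means the sender is now refused."""
        if self.blocked(ip, ts):
            return True
        if score < SCORE_MIN:
            return False
        self.hits[ip] += 1
        if self.hits[ip] < HITS_PER_IP:
            return False
        self.hits[ip] = 0
        subnet = ipaddress.ip_network(ip + "/24", strict=False)
        self._list(ipaddress.ip_network(ip), ts)
        self.bad_ips[subnet].add(ip)
        if len(self.bad_ips[subnet]) >= IPS_PER_SUBNET:
            self._list(subnet, ts)
            self.bad_ips[subnet].clear()
        return True

# Constructed events: (unix time, sender ip, spam score)
EVENTS = [(0, "192.0.2.10", 9.1), (10, "192.0.2.10", 12.0), (20, "192.0.2.10", 8.4),
          (30, "192.0.2.10", 15.0), (4000, "192.0.2.10", 9.9), (4010, "192.0.2.10", 9.0),
          (4020, "192.0.2.10", 9.0), (5000, "192.0.2.77", 10.0), (5010, "192.0.2.77", 10.0),
          (5020, "192.0.2.77", 10.0), (6000, "192.0.2.200", 1.0), (6000, "198.51.100.5", 2.0)]

def replay(events):
    bl = Blocklist()
    return bl, [bl.observe(*event) for event in events]
```

In the replay, `192.0.2.10` is listed for one hour, returns after the block lapses and is re-listed for two; once `192.0.2.77` is also listed, the low-scoring `192.0.2.200` is refused because the whole /24 is blocked.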