Slashdot Mirror


Spammers Moving To Disposable Domains

Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days' worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."

30 of 147 comments

  1. Good, it's costing them money by Anonymous Coward · · Score: 2, Interesting

    Assuming they're not "tasting" it's going to cost them about $10 a pop.

    1. Re:Good, it's costing them money by fifedrum · · Score: 5, Insightful

      except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

    2. Re:Good, it's costing them money by Ambiguous+Puzuma · · Score: 4, Insightful

      except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

      Not sure why parent is modded funny; there is likely a lot of truth to it. Sony Online Entertainment discovered this:

      It isn't just issues of game balance and gold farming, Smedley says. "We're seeing a lot of stolen credit cards. Say you buy gold from a service in China -- you may not know it's in China, but you give them your credit card and buy gold only once. They use these credit card numbers to set up new accounts in these games. They buy an EverQuest account key, farm for a month, and then charge it back to the stolen credit card."

      And this isn't just damaging to the consumer. "What happens is that over time, as that rate of chargebacks rises, we start getting fined. We have been fined over a million dollars since June. That's not the chargebacks themselves -- just the chargeback fine. It's brutal; it's the dirty little secret of the industry."

      These temporary accounts, paid for with stolen credit cards, are additionally used to spam in-game (although spam filtering has improved the situation significantly).

      It would not surprise me in the least if this applied to temporary domain registration for spam/malware purposes as well.

    3. Re:Good, it's costing them money by socz · · Score: 3, Interesting

      You hit the nail on the head! Domains in bulk are a lot cheaper. I'm getting a decent deal with about 8-10 domains, but I know it could be better if I had more! So they're probably buying them up in 100's at a time (I would!).

      But, what I suspect could be happening, is that they're actually working with a top level registrar who can get them at the cheapest price possible and probably gets a % back of what the spammer makes. Just a thought.

      --
      My abilities are only limited by my imagination
  2. so a new rule for email filtering? by TravisHein · · Score: 4, Interesting

    in addition to the commonly accepted practice of doing a reverse domain name lookup on who is sending you email, whereby you reject email from bogus domains or no domain at all, to now also have the mail server do a whois lookup, and arbitrarily reject email from a domain that has been registered less than a few days ago?

    1. Re:so a new rule for email filtering? by 2obvious4u · · Score: 4, Insightful

      Almost; they could have registered it weeks, months or even years earlier. You would need to see if it had X days of activity. I don't know how you would do that.

    2. Re:so a new rule for email filtering? by fifedrum · · Score: 3, Interesting

      there are email reputation providers out there who can tell you things like that. It may even be free (it is for us anyway)

    3. Re:so a new rule for email filtering? by fifedrum · · Score: 5, Informative

      This is the way our reputation provider works: If the IP hasn't been seen delivering email before (no matter its age), it has a 0 reputation. The more email that is processed the higher the reputation, and the reputation is, of course, modified down by complaints. The more complaints, the lower the reputation. Think feedback loop, or where your email goes when you click "mark as junk."

      If someone else wanted to get into the game, services like spamcop could be used (who knows, maybe can already be used?) to determine domain name reputation by keeping an independent database of domain names and keeping the ratio of good to bad email handy for rapid lookups, maybe in something like dnsrbld type lookup table. It's the same as IP reputation engines, just with text domain names.

      Maybe someone already does. I know our antispam provider keeps a level of spaminess for domain names, but those are for domains that already exist. You would have to determine by policy what to do with domains that don't have a reputation.

      That and implementing tighter SPF and DKIM will help eliminate this stuff.

  3. Flag email that comes from new domains by harmonise · · Score: 4, Insightful

    Score email higher that comes from newer domains. The older the domain, the lower the score. I'm thinking spamassassin scores here.

    --
    Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
  4. Filtering out new domains? by HikingStick · · Score: 2, Interesting

    They obviously are making enough money to afford the registration fees. I wonder if there would be a way to greylist/blacklist new domains, though that simply might mean that spammers would sit on the domain for a period of weeks or months before using them. Still, would there be a way to flag young domains so that they end up with higher scores in various spam filters?

    --
    I use irony whenever I can, but my shirts are still wrinkled...
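The filter the thread keeps circling around (TravisHein's whois-age check, 2obvious4u's objection that a domain can be parked for years before it sends, fifedrum's description of a reputation that starts at zero for unseen senders and is pulled down by complaints, and the age-weighted scoring harmonise and HikingStick suggest) can be sketched in a few dozen lines. The block below is an added example, not code from the article or from any commenter; the WHOIS replies and sending history are constructed inline, the point thresholds are arbitrary assumptions, and a real deployment would replace the dictionaries with live whois/DNS queries and a reputation feed.

```python
"""Score inbound mail by sender-domain age and sending reputation.

Added example, not from the original page. WHOIS text and sending history
are constructed inline (assumption); a real filter would call whois and a
reputation feed instead of reading these dictionaries.
"""
import math
import re
from datetime import date

# Constructed WHOIS replies; registrars use several labels for the
# registration date, so the parser accepts the common ones.
SAMPLE_WHOIS = {
    "fresh-pills.test": (
        "Domain Name: FRESH-PILLS.TEST\n"
        "Registrar: Example Registrar, Inc.\n"
        "Creation Date: 2010-06-14T02:11:00Z\n"
    ),
    "longtime-corp.test": (
        "domain: longtime-corp.test\n"
        "Registered on: 2001-03-02\n"
    ),
    "aged-but-idle.test": (
        "Domain Name: aged-but-idle.test\n"
        "Creation Date: 2008-11-20T00:00:00Z\n"
    ),
}

# Constructed sending history: domain -> (messages seen, complaints received).
# aged-but-idle.test is 2obvious4u's case: registered long ago, never seen sending.
SAMPLE_HISTORY = {
    "longtime-corp.test": (250_000, 12),
    "aged-but-idle.test": (0, 0),
}

CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Registered on|Created)\s*:\s*(\d{4}-\d{2}-\d{2})",
    re.IGNORECASE | re.MULTILINE,
)


def parse_creation_date(whois_text):
    """Return the registration date found in WHOIS text, or None if absent."""
    m = CREATION_RE.search(whois_text)
    return date.fromisoformat(m.group(1)) if m else None


def domain_age_days(domain, today, whois=SAMPLE_WHOIS):
    """Age of the registration in days, or None when no usable record exists."""
    text = whois.get(domain)
    if text is None:
        return None
    created = parse_creation_date(text)
    return None if created is None else (today - created).days


def age_score(age_days):
    """Spam points for young registrations; thresholds are assumptions."""
    if age_days is None:
        return 2.0   # no WHOIS record at all: suspicious, but not fatal
    if age_days < 2:
        return 3.5   # registered yesterday or today: the disposable pattern
    if age_days < 14:
        return 2.5
    if age_days < 90:
        return 1.0
    if age_days < 365:
        return 0.3
    return 0.0


def reputation(domain, history=SAMPLE_HISTORY):
    """0..1 sending reputation as fifedrum describes it: unseen senders start
    at 0, delivered volume raises it, complaints pull it back down."""
    seen, complaints = history.get(domain, (0, 0))
    if seen == 0:
        return 0.0
    volume = min(1.0, math.log10(seen + 1) / 6)      # ~1M messages saturates
    complaint_rate = complaints / seen
    return max(0.0, volume * (1.0 - 100 * complaint_rate))  # 1% complaints zeroes it


def score_sender(domain, today, whois=SAMPLE_WHOIS, history=SAMPLE_HISTORY):
    """Combined score. An old-but-idle domain still pays through the
    reputation term, which is what age alone would miss."""
    rep = reputation(domain, history)
    return round(age_score(domain_age_days(domain, today, whois)) + 2.0 * (1.0 - rep), 2)


if __name__ == "__main__":
    today = date(2010, 6, 15)
    for d in ("fresh-pills.test", "longtime-corp.test", "aged-but-idle.test", "nowhere.test"):
        print(f"{d:22} age={domain_age_days(d, today)!s:>6} rep={reputation(d):.2f} "
              f"score={score_sender(d, today)}")
```

The two terms are deliberately separate: age alone lets a spammer sit on a domain for a month (HikingStick's worry), and reputation alone cannot say anything about a domain that has never sent. A freshly registered, never-seen domain collects both penalties, while an established sender with a tiny complaint rate scores close to zero.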
  5. Persistent little bastards... by sixteenbitsamurai · · Score: 5, Funny

    It's like an underground revolutionary movement, except selling male enhancement products.

    --
    Yeah, that just happened.
  6. been happening for years by fifedrum · · Score: 5, Funny

    As an SA at a hosted email provider I see this on a daily basis and could list several hundred domains just from the last few days' worth of reports. They hit the big registrars, attempt to automate as much as possible, create dozens of email accounts per domain, and turn on the spigot disposing of the domains immediately in the case of sending domains, and putting off the demise of the web domains as long as possible.

    Fortunately, the activity levels of the greedy spammers far outstrip the activity levels of the normal user; that said, we still see occasional drip spammers.

    Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)

    1. Re:been happening for years by ajlitt · · Score: 4, Funny

      Ah, the cluebat. An elegant weapon for a less civilized luser.

  7. This is a new technique? by interval1066 · · Score: 3, Insightful

    I could have sworn they have been using this one for a few years now.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  8. Validate domain ownership by Animats · · Score: 4, Interesting

    When you buy a domain, you should be mailed a letter with an activation code, sent to the registrant address. No valid mailing address, no domain activation.

    1. Re:Validate domain ownership by fifedrum · · Score: 3, Insightful

      to which they'll use mules

      really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion. The only thing that works is jail time.

    2. Re:Validate domain ownership by BitZtream · · Score: 2, Insightful

      Mules at a known valid address are far easier to trace than stolen credit cards.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  9. This is news??? by Eggplant62 · · Score: 3, Informative

    They've been doing this since 1999 from my personal memory aiding the antispam fight. What suddenly brings this back to the fore as if it were some stunning revelation? It's an old trick that Alan Ralsky used when he was scamming and spamming.

  10. Changing domains or changing servers? by NevarMore · · Score: 4, Insightful

    It's pretty trivial to have 10000 domain names pointing to 10 servers.

    It also seems trivial that when a domain name is flagged to also flag its server, then when a new domain name shows up that points to a flagged server rate it appropriately.

    It's a clever trick, but hardly an unfightable step in the spam-arms-race.

  11. ahhh, but what are the resolved addresses? by swschrad · · Score: 2, Insightful

    if, for instance, they keep coming from the block reserved by {scumpuppy.net}, you know who to blacklist by range.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
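NevarMore's point (flag the server when a domain is flagged, then rate any new domain that resolves to a flagged server) and swschrad's follow-up (blacklist the whole range once the hosts cluster in one block) are the same bookkeeping from two directions. The block below is an added example, not code from the article or from either commenter: the A records and the first flagged domain are constructed, the point values are assumptions, and a real filter would resolve names live and persist the flag sets instead of keeping them in memory.

```python
"""Propagate spam flags between throwaway domains and the hosts behind them.

Added example, not from the original page. DNS answers below are constructed
(assumption); a real filter would resolve live and store its flag sets.
"""
import ipaddress

# Constructed A/AAAA records: many disposable names, few actual hosts.
SAMPLE_DNS = {
    "cheap-meds-01.test": ["198.51.100.7"],
    "cheap-meds-02.test": ["198.51.100.7"],       # same host as -01
    "cheap-meds-03.test": ["198.51.100.9"],       # same /24, different host
    "news-letter.test": ["198.51.100.200"],       # innocent neighbour in that /24
    "bank-of-example.test": ["203.0.113.10"],
    "v6-pills.test": ["2001:db8:dead::1"],
}


class HostReputation:
    """Tracks flagged hosts and flagged prefixes and scores domains by them."""

    def __init__(self, resolve=SAMPLE_DNS.get):
        self.resolve = resolve            # domain -> list of IP strings, or None
        self.flagged_hosts = set()        # ipaddress objects
        self.flagged_nets = set()         # ipaddress networks (v4 or v6)

    def _addresses(self, domain):
        return [ipaddress.ip_address(a) for a in (self.resolve(domain) or [])]

    def flag_domain(self, domain):
        """A domain confirmed as spammy taints every host it resolves to."""
        self.flagged_hosts.update(self._addresses(domain))

    def flag_range(self, cidr):
        """Blacklist a whole prefix once the flagged hosts cluster in it."""
        self.flagged_nets.add(ipaddress.ip_network(cidr, strict=False))

    def classify(self, domain):
        """Return (points, reason) for a domain the filter has not seen before."""
        addrs = self._addresses(domain)
        if not addrs:
            return 1.0, "unresolvable"
        for a in addrs:
            if a in self.flagged_hosts:
                return 4.0, f"host {a} already flagged"
        for a in addrs:
            for net in self.flagged_nets:
                if a in net:
                    return 2.5, f"{a} in flagged range {net}"
        return 0.0, "clean"

    def siblings(self, domain, known=SAMPLE_DNS):
        """Other known domains sharing a host with this one (the 10000-to-10 map)."""
        mine = set(self._addresses(domain))
        return sorted(d for d in known if d != domain
                      and mine & set(ipaddress.ip_address(a) for a in known[d]))


if __name__ == "__main__":
    rep = HostReputation()
    rep.flag_domain("cheap-meds-01.test")            # one confirmed spam domain
    for d in ("cheap-meds-02.test", "cheap-meds-03.test", "bank-of-example.test"):
        print(d, rep.classify(d))
    rep.flag_range("198.51.100.0/24")                # hosts cluster: block the range
    rep.flag_range("2001:db8:dead::/48")             # same logic for a v6 prefix
    for d in ("cheap-meds-03.test", "news-letter.test", "v6-pills.test"):
        print(d, rep.classify(d))
    print("shares a host with cheap-meds-01:", rep.siblings("cheap-meds-01.test"))
```

Two caveats worth noticing in the sample data: range blocking catches news-letter.test, which merely sits in the same /24 as the spam hosts, so a prefix flag should carry fewer points than a host flag and be reviewed; and because ipaddress handles v6 prefixes the same way, the answer to the IPv6 worry later in the thread is to flag the allocated prefix rather than individual addresses.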
  12. One maybe bad aspect of IPv6? by JSBiff · · Score: 4, Insightful

    This got me to thinking. In a world where IPv6 provides an astronomical number of subnet blocks, what's to keep spammers and malware distributors from jumping from IP block to IP block the way they jump from domain to domain?

    1. Re:One maybe bad aspect of IPv6? by shentino · · Score: 2, Interesting

      To make a TCP connection both ends have to have routable addresses.

      Sooner or later either they'll all have common subnets, or they'll cause a noticeable spike in routing traffic.

  13. Re:Can't say I'm surprised by Zemplar · · Score: 2, Funny

    ... assessments about my lack of adequate manhood.

    So you're the one! I've got a bunch of email that must belong to you.

  14. I don't understand spam folders by XanC · · Score: 3, Interesting

    This is why spam folders should be Considered Harmful. Effectively, it's a delivery failure without a notice. You should either accept mail or reject it, not pretend to accept it and then stash it someplace where nobody reads it.

    Using a spam folder treats outright, obvious spam with more courtesy than the borderline stuff.

  15. EOL? by BrokenHalo · · Score: 3, Insightful

    Maybe this is a symptom of the beginning of the end for the professional spammer. If the whole thing ends up being more trouble than it's worth, maybe these asswipes will look for an alternative source of income.

    Probably premature, I know, but we can hope...

  16. No! by night_flyer · · Score: 2, Funny

    Really? Are you serious? And this is news how?

    --
    Thanks to file sharing, I purchase more CDs
    Thanks to the RIAA, I buy them used...
  17. Levels of accountability by aapold · · Score: 3, Insightful

    If a bar sells beer to an underage person, they get in trouble. Roll the layers back and put it on them to institute their own methods of verification or face consequences for not doing so. As it is, they practically have a vested business interest in continuing to sell them these domains.

    --
    "Waste not one watt!" - CZ
  18. Mod parent (and GP) up. by khasim · · Score: 2, Insightful

    IPv6 will cause a huge problem with existing blacklists.

    It won't cause any problems with whitelists (which should be checked PRIOR to the blacklists).

    But they're still going to have to go through routers. So we're going to have to work on hacks that identify the routers that the communication is traversing. Then you should be able to see the "gateways" to the spammy networks and adjust the scoring.

  19. Not Even Remotely New by damn_registrars · · Score: 4, Insightful

    Anybody who has ever really looked at the spam they've received knows this has been going on for years. Spammers buying domains in bulk for quick switching is a very old game. Fortunately as this gets more attention we get a little bit closer to paying attention to something we can do something about (for a little while longer anyways):

    Registrars. We have often pointed to the spammers, the ISPs, and the spamvertised domains as groups who make money off of spam. We have for various reasons frequently overlooked the registrars who are taking in a profit on the deal as well. There have been registrars in bed with spammers for almost as long as we have had spammers.

    The big difference though is that we could do something about the registrars - if we really wanted to. The registrars are supposed to keep valid data on their customers, and are supposed to adhere to specific ICANN guidelines (at least for specific TLDs). If the registrars couldn't register anything in the TLDs they want, they would think twice about knowingly dealing with spammers.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  20. The 'tasting' comments confirm, this is not new. by rickb928 · · Score: 2, Interesting

    I've been seeing this for at least five years. First, tasting was the preferred method. Now it seems some serious spammers have an 'in' with a registrar, where by the time I get to looking up the whois, the domain is gone and no longer registered. Not even the previous whois is available.

    I can't imagine that allowing someone to register a domain for a few days or even less, and then deleting all trace of the registration, is permitted by ICANN, but they haven't been able to police registrars very well at all for a decade now. Between the obvious front-running, search scanning, and tasting scams, most registrars are just plain shady. A pox on them all. It's gotten to the point that when someone asks me to look up a domain to see if it's available, I tell them to make the decision, and I will try to register it for them. For a while now, EVERY domain I've checked on was available when I looked it up, and minutes later it was gone.

    I'm not the dullest turnip to fall off the truck last night. Front-running is a scam. Disposable domains are not new. This article is at least 5-6 years late.

    --
    deleting the extra space after periods so i can stay relevant, yeah.