Spammers Moving To Disposable Domains
Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days' worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."
In addition to the commonly accepted practice of doing a reverse domain name lookup on who is sending you email, whereby email from bogus domains or no domain is rejected, have the mail server also do a whois lookup and arbitrarily reject email from a domain that has been registered less than a few days ago?
Score email that comes from newer domains higher. The older the domain, the lower the score. I'm thinking spamassassin scores here.
Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
It's like an underground revolutionary movement, except selling male enhancement products.
Yeah, that just happened.
As an SA at a hosted email provider I see this on a daily basis and could list several hundred domains just from the last few days' worth of reports. They hit the big registrars, attempt to automate as much as possible, create dozens of email accounts per domain, and turn on the spigot, disposing of the domains immediately in the case of sending domains, and putting off the demise of the web domains as long as possible.
Fortunately, the activity levels of the greedy spammers far outstrip the activity levels of the normal user. That said, we still see occasional drip spammers.
Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)
Except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.
When you buy a domain, you should be mailed a letter with an activation code, sent to the registrant address. No valid mailing address, no domain activation.
It's pretty trivial to have 10000 domain names pointing to 10 servers.
It also seems trivial, when a domain name is flagged, to also flag its server; then, when a new domain name shows up that points to a flagged server, rate it appropriately.
It's a clever trick, but hardly an unfightable step in the spam arms race.
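An added example, not from any commenter in this thread, of the two ideas above in one scorer: a whois-age score along the lines of the spamassassin suggestion, plus flagging the server behind a flagged domain so other domains pointing at the same server inherit the penalty. The whois text, DNS answers, thresholds and domain names are all constructed for illustration.

```python
import re
from datetime import datetime, timezone
# Constructed sample data (not real registrations): whois output, and the IP each sending domain's mail host resolves to.
WHOIS_SAMPLES = {
    "old-example.test": "Domain Name: OLD-EXAMPLE.TEST\nCreation Date: 2004-03-10T00:00:00Z\n",
    "fresh-example.test": "Domain Name: FRESH-EXAMPLE.TEST\nCreation Date: 2010-08-14T09:15:00Z\n",
}
DNS_SAMPLES = {
    "old-example.test": "192.0.2.10",
    "fresh-example.test": "192.0.2.55",
    "newcomer.test": "192.0.2.55",  # no whois record yet; shares fresh-example's server
}
CREATED_RE = re.compile(r"^Creation Date:\s*(\S+)", re.MULTILINE)

def parse_creation_date(whois_text):
    """Registration timestamp from whois output, or None if the field is absent."""
    m = CREATED_RE.search(whois_text)
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00")) if m else None

def age_score(age_days):
    """Younger domain -> higher (more spam-like) score; unknown age is mildly suspicious."""
    if age_days is None:
        return 2.0
    return 3.0 if age_days < 3 else 1.5 if age_days < 30 else 0.5 if age_days < 365 else 0.0

class SenderScorer:
    def __init__(self, whois, dns, flagged_ip_score=5.0):
        self.whois, self.dns, self.flagged_ip_score = whois, dns, flagged_ip_score
        self.flagged_ips = set()

    def flag_domain(self, domain):
        """Flag the server behind a domain so every domain pointing at it inherits the penalty."""
        if domain in self.dns:
            self.flagged_ips.add(self.dns[domain])

    def score(self, domain, now):
        record = self.whois.get(domain)
        created = parse_creation_date(record) if record else None
        age = (now - created).total_seconds() / 86400 if created else None
        total = age_score(age)
        if self.dns.get(domain) in self.flagged_ips:
            total += self.flagged_ip_score
        return total

def demo(now=datetime(2010, 8, 16, tzinfo=timezone.utc)):
    """Score the three senders, then flag fresh-example's server and rescore."""
    scorer = SenderScorer(WHOIS_SAMPLES, DNS_SAMPLES)
    before = {d: scorer.score(d, now) for d in DNS_SAMPLES}
    scorer.flag_domain("fresh-example.test")
    return before, {d: scorer.score(d, now) for d in DNS_SAMPLES}
```

A real deployment would rate-limit and cache the whois queries, since registrars throttle them and the point of the trick is that the domain may be gone before the cache expires.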
This got me to thinking. In a world where IPv6 provides an astronomical number of subnet blocks, what's to keep spammers and malware distributors from jumping from IP block to IP block the way they jump from domain to domain?
Not sure why parent is modded funny; there is likely a lot of truth to it. Sony Online Entertainment discovered this:
These temporary accounts, paid for with stolen credit cards, are additionally used to spam in-game (although spam filtering has improved the situation significantly).
It would not surprise me in the least if this applied to temporary domain registration for spam/malware purposes as well.
Anybody who has ever really looked at the spam they've received knows this has been going on for years. Spammers buying domains in bulk for quick switching is a very old game. Fortunately as this gets more attention we get a little bit closer to paying attention to something we can do something about (for a little while longer anyways):
Registrars. We have often pointed to the spammers, the ISPs, and the spamvertised domains as groups who make money off of spam. We have for various reasons frequently overlooked the registrars who are taking in a profit on the deal as well. There have been registrars in bed with spammers for almost as long as we have had spammers.
The big difference though is that we could do something about the registrars - if we really wanted to. The registrars are supposed to keep valid data on their customers, and are supposed to adhere to specific ICANN guidelines (at least for specific TLDs). If the registrars couldn't register anything in the TLDs they want, they would think twice about knowingly dealing with spammers.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.