Spammers Moving To Disposable Domains
Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days' worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."
Flag email that comes from new domains (Score:5, Insightful)
Score email higher when it comes from newer domains. The older the domain, the lower the score. I'm thinking SpamAssassin scores here.
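Here is what that rule looks like as a standalone scorer, as an added example rather than anything from the article or from SpamAssassin itself. The registration dates, the domain names and the score table are all constructed for the demonstration; a real deployment would feed the lookup from WHOIS/RDAP (or a cached copy of it) and tune the thresholds against its own mail. The one detail worth copying is the suffix walk: a subdomain of an old, established domain inherits the parent's registration date instead of being treated as brand new.

```python
import re
from datetime import date

# Constructed registration dates standing in for a WHOIS/RDAP lookup or a
# local cache of one (hypothetical domains, not real data).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "fresh-deals-today.example": date(2024, 5, 20),
    "just-registered.example": date(2024, 6, 2),
}

# (maximum age in days, score to add), checked in order. The values are
# hypothetical, chosen in the spirit of SpamAssassin's additive scoring.
AGE_SCORES = [
    (1, 3.5),
    (7, 2.5),
    (30, 1.5),
    (365, 0.5),
]
# A sender domain with no registration record at all is itself suspicious.
UNKNOWN_DOMAIN_SCORE = 1.0


def sender_domain(from_header):
    """Return the lowercased host part of a From: header value, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None


def registration_date(host):
    """Walk from the full host down to its parent labels (never the bare TLD)
    so a subdomain of an established domain inherits the parent's date."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in REGISTRATION_DATES:
            return REGISTRATION_DATES[candidate]
    return None


def domain_age_score(host, today):
    """Score by domain age: newer registration, higher score."""
    created = registration_date(host)
    if created is None:
        return UNKNOWN_DOMAIN_SCORE
    age_days = (today - created).days
    if age_days < 0:
        # Registration date in the future is bad data; treat it as unknown.
        return UNKNOWN_DOMAIN_SCORE
    for max_age, score in AGE_SCORES:
        if age_days <= max_age:
            return score
    return 0.0


def score_message(from_header, today):
    """Score a message from its From: header alone."""
    host = sender_domain(from_header)
    if host is None:
        return UNKNOWN_DOMAIN_SCORE
    return domain_age_score(host, today)


if __name__ == "__main__":
    today = date(2024, 6, 2)
    for hdr in [
        "Bob <bob@mail.example.com>",
        "Deals <offers@just-registered.example>",
        "Deals <offers@fresh-deals-today.example>",
        "Nobody <x@nowhere.example>",
    ]:
        print(f"{score_message(hdr, today):4.1f}  {hdr}")
```

The scorer only ever adds points; it never clears a message, which is what you want from a single heuristic that a spammer can sidestep by buying an aged domain.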
Re:Good, it's costing them money (Score:5, Insightful)
Except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.
Re:Validate domain ownership (Score:4, Insightful)
To which they'll use mules.
Really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter-action and evasion. The only thing that works is jail time.
Changing domains or changing servers? (Score:5, Insightful)
It's pretty trivial to have 10,000 domain names pointing to 10 servers.
It also seems trivial, when a domain name is flagged, to also flag its server; then, when a new domain name shows up that points to a flagged server, rate it appropriately.
It's a clever trick, but hardly an unfightable step in the spam arms race.
ahhh, but what are the resolved addresses? (Score:3, Insightful)
If, for instance, they keep coming from the block reserved by {scumpuppy.net}, you know who to blacklist by range.
One maybe bad aspect of IPv6? (Score:5, Insightful)
This got me to thinking. In a world where IPv6 provides an astronomical number of subnet blocks, what's to keep spammers and malware distributors from jumping from IP block to IP block the way they jump from domain to domain?
Re:Validate domain ownership (Score:3, Insightful)
Mules at a known valid address are far easier to trace than stolen credit cards.
EOL? (Score:3, Insightful)
Probably premature, I know, but we can hope...
Re:Good, it's costing them money (Score:5, Insightful)
Not sure why parent is modded funny; there is likely a lot of truth to it. Sony Online Entertainment discovered this [gamasutra.com]:
These temporary accounts, paid for with stolen credit cards, are additionally used to spam in-game (although spam filtering has improved the situation significantly).
It would not surprise me in the least if this applied to temporary domain registration for spam/malware purposes as well.
Mod parent (and GP) up. (Score:3, Insightful)
IPv6 will cause a huge problem with existing blacklists.
It won't cause any problems with whitelists (which should be checked PRIOR to the blacklists).
But they're still going to have to go through routers. So we're going to have to work on hacks that identify the routers that the communication is traversing. Then you should be able to see the "gateways" to the spammy networks and adjust the scoring.
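Putting the three threads together (flag the server behind a flagged domain, blacklist by address range, and check the whitelist before the blacklist, with IPv6 handled the same way as IPv4): the following is an added example and not code from the article or from any poster. The resolution table uses documentation address ranges and made-up domain names, standing in for passive-DNS data; the scores, the per-prefix aggregation threshold and the /24 and /64 prefix lengths are assumptions chosen for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed resolution data (RFC 5737 / RFC 3849 documentation ranges and
# hypothetical domains, not real infrastructure). In production this would be
# fed from passive DNS or the resolver logs of the mail gateway.
RESOLVED = {
    "good-shop.example":          ["192.0.2.10"],
    "trusted-but-abused.example": ["192.0.2.20"],
    "spam-1.example":             ["198.51.100.7"],
    "spam-2.example":             ["198.51.100.7"],
    "new-domain.example":         ["198.51.100.7"],
    "spam-3.example":             ["2001:db8:feed::1"],
    "spam-4.example":             ["2001:db8:feed::2"],
    "new-v6.example":             ["2001:db8:feed::99"],
}

# Hypothetical additive scores.
FLAGGED_HOST_SCORE = 5.0
BLACKLISTED_NET_SCORE = 4.0


class Reputation:
    def __init__(self, whitelist, blacklist=()):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = {ipaddress.ip_network(n) for n in blacklist}
        self.domain_ips = {}                  # domain -> set of addresses
        self.ip_domains = defaultdict(set)    # address -> set of domains
        self.flagged_hosts = set()            # addresses behind flagged domains

    def observe(self, domain, addrs):
        """Record which addresses a domain resolved to (v4 and v6 alike)."""
        ips = {ipaddress.ip_address(a) for a in addrs}
        self.domain_ips[domain] = ips
        for ip in ips:
            self.ip_domains[ip].add(domain)

    def flag_domain(self, domain):
        """Flagging a domain flags every server it was seen pointing at."""
        for ip in self.domain_ips.get(domain, ()):
            self.flagged_hosts.add(ip)

    def domains_sharing_host(self, domain):
        """Other domains that resolve to the same servers as this one."""
        shared = set()
        for ip in self.domain_ips.get(domain, ()):
            shared |= self.ip_domains[ip]
        shared.discard(domain)
        return shared

    def aggregate(self, min_hosts=2, v4_prefix=24, v6_prefix=64):
        """Blacklist any prefix holding at least min_hosts flagged servers.
        A /64 is the natural unit for IPv6: hopping within it is free."""
        counts = defaultdict(int)
        for ip in self.flagged_hosts:
            plen = v6_prefix if ip.version == 6 else v4_prefix
            counts[ipaddress.ip_network(f"{ip}/{plen}", strict=False)] += 1
        added = {net for net, n in counts.items() if n >= min_hosts}
        self.blacklist |= added
        return added

    def score_ip(self, ip):
        # Whitelist first: a trusted range is never scored as bad.
        if any(ip in net for net in self.whitelist):
            return 0.0
        score = 0.0
        if ip in self.flagged_hosts:
            score = max(score, FLAGGED_HOST_SCORE)
        if any(ip in net for net in self.blacklist):
            score = max(score, BLACKLISTED_NET_SCORE)
        return score

    def score_domain(self, domain):
        """Worst score over the addresses the domain resolves to."""
        return max((self.score_ip(ip) for ip in self.domain_ips.get(domain, ())),
                   default=0.0)


def build_reputation():
    rep = Reputation(whitelist=["192.0.2.0/24"])
    for domain, addrs in RESOLVED.items():
        rep.observe(domain, addrs)
    for domain in ["spam-1.example", "spam-3.example", "spam-4.example",
                   "trusted-but-abused.example"]:
        rep.flag_domain(domain)
    rep.aggregate()
    return rep


if __name__ == "__main__":
    rep = build_reputation()
    print("blacklisted prefixes:", sorted(map(str, rep.blacklist)))
    for d in RESOLVED:
        print(f"{rep.score_domain(d):4.1f}  {d}")
```

With this data, flagging spam-1 is enough to score the never-before-seen new-domain.example, because it lands on the same server, while the two flagged v6 hosts push their whole /64 onto the blacklist so that new-v6.example scores even though its exact address was never flagged. The /24 with a single flagged host stays off the blacklist, which is the trade-off: aggregate too eagerly and you start hitting shared hosting.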
Not Even Remotely New (Score:5, Insightful)
Registrars. We have often pointed to the spammers, the ISPs, and the spamvertised domains as groups who make money off of spam. We have for various reasons frequently overlooked the registrars who are taking in a profit on the deal as well. There have been registrars in bed with spammers for almost as long as we have had spammers.
The big difference though is that we could do something about the registrars - if we really wanted to. The registrars are supposed to keep valid data on their customers, and are supposed to adhere to specific ICANN guidelines (at least for specific TLDs). If the registrars couldn't register anything in the TLDs they want, they would think twice about knowingly dealing with spammers.