
Spammers Moving To Disposable Domains

Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days' worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."
  • by harmonise ( 1484057 ) on Wednesday July 14, 2010 @01:48PM (#32903786)

    Score email higher that comes from newer domains. The older the domain, the lower the score. I'm thinking SpamAssassin scores here.

  • by 2obvious4u ( 871996 ) on Wednesday July 14, 2010 @01:49PM (#32903822)
    Almost, they could have registered it weeks, months or even years earlier. You would need to see if it had X days of activity. I don't know how you would do that.
  • by interval1066 ( 668936 ) on Wednesday July 14, 2010 @01:52PM (#32903856) Journal
    I could have sworn they have been using this one for a few years now.
  • by fifedrum ( 611338 ) on Wednesday July 14, 2010 @01:52PM (#32903860) Journal

    except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

  • by fifedrum ( 611338 ) on Wednesday July 14, 2010 @01:57PM (#32903940) Journal

    to which they'll use mules

    really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion. The only thing that works is jail time.

  • by NevarMore ( 248971 ) on Wednesday July 14, 2010 @01:58PM (#32903968) Homepage Journal

    It's pretty trivial to have 10000 domain names pointing to 10 servers.

    It also seems trivial that when a domain name is flagged to also flag its server, then when a new domain name shows up that points to a flagged server rate it appropriately.

    It's a clever trick, but hardly an unfightable step in the spam-arms-race.

  • by swschrad ( 312009 ) on Wednesday July 14, 2010 @01:58PM (#32903970) Homepage Journal

    if, for instance, they keep coming from the block reserved by {scumpuppy.net}, for instance, you know who to blacklist by range.

  • by JSBiff ( 87824 ) on Wednesday July 14, 2010 @02:09PM (#32904090) Journal

    This got me to thinking. In a world where IPv6 provides an astronomical number of subnet blocks, what's to keep spammers and malware distributors from jumping from IP block to IP block the way they jump from domain to domain?

  • by BitZtream ( 692029 ) on Wednesday July 14, 2010 @02:26PM (#32904300)

    Mules at a known valid address are far easier to trace than stolen credit cards.

  • EOL? (Score:3, Insightful)

    by BrokenHalo ( 565198 ) on Wednesday July 14, 2010 @02:33PM (#32904380)
    Maybe this is a symptom of the beginning of the end for the professional spammer. If the whole thing ends up being more trouble than it's worth, maybe these asswipes will look for an alternative source of income.

    Probably premature, I know, but we can hope...
  • by aapold ( 753705 ) on Wednesday July 14, 2010 @02:52PM (#32904654) Homepage Journal
    If a bar sells beer to an underage person, they get in trouble. Roll the layers back and put it on them to institute their own methods of verification or face consequences for not doing so. As it is, they practically have a vested business interest in continuing to sell them these domains.
  • by Ambiguous Puzuma ( 1134017 ) on Wednesday July 14, 2010 @03:13PM (#32904962)

    except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

    Not sure why parent is modded funny; there is likely a lot of truth to it. Sony Online Entertainment discovered this [gamasutra.com]:

    It isn't just issues of game balance and gold farming, Smedley says. "We're seeing a lot of stolen credit cards. Say you buy gold from a service in China -- you may not know it's in China, but you give them your credit card and buy gold only once. They use these credit card numbers to set up new accounts in these games. They buy an EverQuest account key, farm for a month, and then charge it back to the stolen credit card."

    And this isn't just damaging to the consumer. "What happens is that over time, as that rate of chargebacks rises, we start getting fined. We have been fined over a million dollars since June. That's not the chargebacks themselves -- just the chargeback fine. It's brutal; it's the dirty little secret of the industry."

    These temporary accounts, paid for with stolen credit cards, are additionally used to spam in-game (although spam filtering has improved the situation significantly).

    It would not surprise me in the least if this applied to temporary domain registration for spam/malware purposes as well.

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday July 14, 2010 @03:33PM (#32905230)

    IPv6 will cause a huge problem with existing blacklists.

    It won't cause any problems with whitelists (which should be checked PRIOR to the blacklists).

    But they're still going to have to go through routers. So we're going to have to work on hacks that identify the routers that the communication is traversing. Then you should be able to see the "gateways" to the spammy networks and adjust the scoring.

  • by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Wednesday July 14, 2010 @04:20PM (#32905852) Homepage Journal
    Anybody who has ever really looked at the spam they've received knows this has been going on for years. Spammers buying domains in bulk for quick switching is a very old game. Fortunately as this gets more attention we get a little bit closer to paying attention to something we can do something about (for a little while longer anyways):

    Registrars. We have often pointed to the spammers, the ISPs, and the spamvertised domains as groups who make money off of spam. We have for various reasons frequently overlooked the registrars who are taking in a profit on the deal as well. There have been registrars in bed with spammers for almost as long as we have had spammers.

    The big difference though is that we could do something about the registrars - if we really wanted to. The registrars are supposed to keep valid data on their customers, and are supposed to adhere to specific ICANN guidelines (at least for specific TLDs). If the registrars couldn't register anything in the TLDs they want, they would think twice about knowingly dealing with spammers.
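
Added example (not written by any commenter in this thread): a sketch combining three ideas raised above, namely scoring by days of observed activity rather than registration date, propagating a flag from a domain to the server it resolves to, and weighting the surrounding address block. The domains, IPs, weights and the 7-day threshold are constructed assumptions; the point values are SpamAssassin-style but are not real SpamAssassin rules.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample data: (domain, first day seen in mail, resolved IP).
# Names use .example and IPs come from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    ("pills-a.example", date(2010, 7, 12), "192.0.2.10"),
    ("pills-b.example", date(2010, 7, 13), "192.0.2.10"),
    ("pills-c.example", date(2010, 7, 14), "192.0.2.77"),
    ("oldshop.example", date(2009, 1, 5), "198.51.100.4"),
    ("newblog.example", date(2010, 7, 14), "203.0.113.9"),
]
REPORTED_SPAM = {"pills-a.example"}  # domains already flagged elsewhere


def build_flags(observations, reported):
    """Propagate each flagged domain to its server IP and the enclosing /24."""
    bad_ips, bad_nets = set(), set()
    for domain, _, ip in observations:
        if domain in reported:
            bad_ips.add(ip)
            bad_nets.add(ip_network(f"{ip}/24", strict=False))
    return bad_ips, bad_nets


def score(first_seen, ip, today, bad_ips, bad_nets, min_days=7):
    """Return additive spam points (hypothetical weights)."""
    points = 0.0
    # Age is measured from first observed activity, so a domain registered
    # long ago but never used before still counts as new.
    if (today - first_seen).days < min_days:
        points += 1.5
    if ip in bad_ips:
        points += 3.0   # same server as a flagged domain
    elif any(ip_address(ip) in net for net in bad_nets):
        points += 1.0   # different host, same flagged block
    return points


def score_all(today=date(2010, 7, 14)):
    bad_ips, bad_nets = build_flags(OBSERVATIONS, REPORTED_SPAM)
    return {d: score(seen, ip, today, bad_ips, bad_nets)
            for d, seen, ip in OBSERVATIONS}


if __name__ == "__main__":
    for domain, pts in score_all().items():
        print(f"{pts:4.1f}  {domain}")
```

The new-but-unrelated domain picks up only the age points, which is why an age signal on its own is better treated as one weight among several than as a block rule.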
