Spammers Moving To Disposable Domains

Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."

Good, it's costing them money

[Anonymous Coward]

Assuming they're not "tasting" it's going to cost them about $10 a pop.

Re:Good, it's costing them money

[fifedrum]

except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

Re:Good, it's costing them money

[Ambiguous Puzuma]

except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

Not sure why parent is modded funny; there is likely a lot of truth to it. Sony Online Entertainment discovered this [gamasutra.com]:

It isn't just issues of game balance and gold farming, Smedley says. "We're seeing a lot of stolen credit cards. Say you buy gold from a service in China -- you may not know it's in China, but you give them your credit card and buy gold only once. They use these credit card numbers to set up new accounts in these games. They buy an EverQuest account key, farm for a month, and then charge it back to the stolen credit card."

And this isn't just damaging to the consumer. "What happens is that over time, as that rate of chargebacks rises, we start getting fined. We have been fined over a million dollars since June. That's not the chargebacks themselves -- just the chargeback fine. It's brutal; it's the dirty little secret of the industry."

These temporary accounts, paid for with stolen credit cards, are additionally used to spam in-game (although spam filtering has improved the situation significantly).

It would not surprise me in the least if this applied to temporary domain registration for spam/malware purposes as well.

Re:

[Monkeedude1212]

Probably just a miss-click. You'll notice Slashdot also gave him 40% Insightful, 30% Interesting and 30% Funny, yet somehow it shows up labelled as funny. Gotta love logic errors!

Re:

[icebraining]

If you're buying gold from a shady site with a real CC, you kind of deserve what coming to you.

Re:

[negRo_slim]

$10 for a .com TLD maybe but there are plenty of substantially cheaper options.

EOL?

[BrokenHalo]

Maybe this is a symptom of the beginning of the end for the professional spammer. If the whole thing ends up being more trouble than it's worth, maybe these asswipes will look for an alternative source of income.

Probably premature, I know, but we can hope...

Re:

[localman57]

If the whole thing ends up being more trouble than it's worth

Perhaps. But part of the problem is that a lot of these problems are originating from places where people's trouble (ie time and effort) isn't worth very much to begin with, because there aren't better paying options for employment. Think gold farming...

Re:

[mlts]

Be careful, spammers may move into other territory. There was a sense of victory when ISPs were successful at blacklisting spammers, then they went to bouncing IP addresses to duck blackholes.

I'd expect the next thing will be to find ways to compromise E-mail accounts en masse (hacking a server at a free E-mail provider and using accounts, or compromising a backbone SMTP server.) With the money spammers make, paying a blackhat with a 0-day would be small potatoes compared to the money rolling in.

Another t

Re:

[yuna49]

I'd expect the next thing will be to find ways to compromise E-mail accounts en masse (hacking a server at a free E-mail provider and using accounts, or compromising a backbone SMTP server.)

Just this week I've seen two spams that appear to have come from real accounts at AOL and Hotmail. I know for a fact that the first was a real account since it belonged to someone subscribed to a limited-membership listserver I manage. The second was from an account I knew nothing about, but it was essentially identica

Re:

[NormalVisual]

Both came from the mail providers' own SMTP servers.

And best of all, when you attempt to notify Hotmail of this kind of spam, they blow you off. They'll usually tell me "your headers were forged" when I can clearly see it's a genuine Hotmail server connecting to my SMTP box, and any general communication to the abuse address gets bounced because "in order to process your request, Hotmail Support needs a valid MSN/Hotmail hosted account".

As far as I'm concerned, Microsoft is directly contributing to

Re:

[WuphonsReach]

hacking a server at a free E-mail provider and using accounts

Already happens - mostly with Hotmail, Yahoo, and GMail accounts.

My Hotmail account hacked - all my contacts spammed !! How to avoid it happening to you. [gillmoorep...aphy.co.uk]

(just one of many such occurrences)

Re:

[Lennie]

When you look at the numbers, it's pretty close already. I think the last research suggests, the spammers sends 320 milion messages, he/she gets 28 responses. The email providers already filters out 90% to 98% of all mail (not all of it is spam, some of it is spyware, virus or phishing ofcourse).

Re:Good, it's costing them money

[socz]

You hit the nail on the head! Domains in bulk are a lot cheaper. I'm getting a decent deal with about 8-10 domains, but I know it could be better if I had more! So they're probably buying them up in 100's at a time (I would!).

But, what I suspect could be happening, is that they're actually working with a top level registrar who can get them at the cheapest price possible and probably gets a % back of what the spammer makes. Just a thought.

so a new rule for email filtering?

[TravisHein]

in addition to a commonly accepted practice of doing a reverse domain name lookup on who is sending you email, where by rejecting email from bogus domains, no domain, to now also have the mail server also do a whois lookup, and arbitrarily reject email from a domain that has been registered less than a few days ago?

Re:so a new rule for email filtering?

[2obvious4u]

Almost, they could have registered it weeks, months or even years earlier. You would need to see if it had X days of activity. I don't know how you would do that.

Re:so a new rule for email filtering?

[fifedrum]

there are email reputation providers out there who can tell you things like that. It may even be free (it is for us anyway)

Re:so a new rule for email filtering?

[fifedrum]

This is the way our reputation provider works: If the IP hasn't been seen delivering email before (no matter it's age), it has a 0 reputation. The more email that is processed the higher the reputation and the reputation is, of course, modified down by complaints. The more complaints,the lower the reputation. Think feedback loop, or where your email goes when you click "mark as junk."

If someone else wanted to get into the game, services like spamcop could be used (who knows, maybe can already be used?) to determine domain name reputation by keeping an independent database of domain names and keeping the ratio of good to bad email handy for rapid lookups, maybe in something like dnsrbld type lookup table. It's the same as IP reputation engines, just with text domain names.

Maybe someone alread does. I know our antispam provider keeps a level of spaminess for domain names, but those are for domains that already exist. You would have to determine by policy what to do with domains that don't have a reputation.

That and implementing tighter SPF and DKIM will help eliminate this stuff.

Re:

[XanC]

Can you explain how SPF would be of any help at all here?

Re:

[hedwards]

To prevent free riding on a known good domain name from somewhere else.

Re:

[Bert64]

Which isn't what they're doing, they are registering their own domains which means they can then create valid SPF and DKIM records for them.

Re:

[mikael_j]

Sure, they can create valid SPF records for their domains but if they're using their own machines (rented or owned) then that ISP is most likely shady and will end up getting on a few blacklists. If they're using botnets then overly broad SPF records could be filtered (since they can't control reverse DNS for the zombie machines they're using to send spam).

Re:

[Skapare]

Dealing with it is simple. Keep a database of domains with their date of first appearance and first successful acceptance. For each arriving email, look up the domain in the database. If its first appearance is less than 3 days ago, do a soft reject which will cause a normal mail server to re-queue it. If more than 3 days but less than 4 days, go ahead and accept it and record that it was accepted in the other date field. At any other time, if the record shows there was an email accepted between day 3

Re:

[Snowhare]

The problem with this is pretty much all of the whois servers rate limit requests. Make than a very small number of requests per day and they simply quit answering. What we need is basic whois info available like domain created dates via DNS queries.

Re:

[mikael_j]

The biggest problem with using reverse lookup is that it's a horrible method. Sure, ten or fifteen years ago it was a half-decent method for filtering but these days lots of companies have broken reverse DNS pointers, even big companies (one I've seen with many companies here in Sweden is that email from user@company.se from a server claiming to be mailhost.company.se is sent from xxx.xxx.xxx.xxx for which a reverse lookup gives mailhost.company.com or something like ext-12-sthlm.se.company.com).

Personally

Re:

[mikael_j]

I was thinking more along the lines of just "An ugly hack.". But then I've never had to resort to greylisting to deal with spam (but NAT is unfortunately necessary until we can get more people to start adopting IPv6).

Re:

[mikael_j]

I didn't say it wasn't effective, just that it's an ugly hack which, when improperly implemented, can be a serious annoyance (these days it's rare to see MTAs configured to cause hour-long delays but it wasn't long ago that this seemed to be more common than not when dealing with greylisting).

Re:

[gmack]

On my servers it generated a ton of complaints about time critical emails being delayed for hours.

In the end I had to shut off greylisting to avoid losing all of my paying customers.

Re:

[Lumpy]

Better yet, all domains are rejected unless it has been up for 1 week. If the server receives a single email from that domain, let it through, if it get's 20 ro more, bounce them all. All email servers treat all domains as suspect and let in 1 email from the domain an hour until it's proven to be good, then allows more. Instantly Blacklist any new domain heard that has more than 10 emails for the customer. Instant blacklist if any email from that domain during the probation triggers the spam filters.

C

Flag email that comes from new domains

[harmonise]

Score email higher that comes from newer domains. The older the domain, the lower the score. I'm thinking spamassassin scores here.

Re:

[Tom]

They'll just buy in bulk in advance, let it sit there for a year, then use it.

You can not solve the spam problem technologically. You have to reduce the opportunities and incentives on all fronts. That means making it harder (= more expensive) to spam, making spam less profitable (various methods like bringing credit card companies into responsibility have been discussed) and making it more dangerous (actually enforcing the law, and making the law less easy to exploit).

None of that on its own will solve the

A couple is less than 12

[tepples]

so i buy a few hundred domains today and sit on them for a couple months.

"A couple" is less than 12. I think the idea is to score e-mail from a domain spammier for the first year that the domain has existed, and score it less spammy if the domain's expiration is at least 2 years in the future (indicating a substantial prepayment).

Re:

[harmonise]

Exactly. And emails from your domains will still have a higher score than domains that are over a year old. It will also stop "domain tasting" or whatever it is called where spammers get domains for less than 24 hours without paying for them.

Filtering out new domains?

[HikingStick]

They obviously are making enough money to afford the registration fees. I wonder if there would be a way to greylist/blacklist new domains, though that simply might mean that spammers would sit on the domain for a period of weeks or months before using them. Still, would there be a way to flag young domains so that they end up with higher scores in various spam filters?

Re:

[hedwards]

Indeed, require them to disclose who they've contracted to and make them prove that the lists are clean. Fundamentally for such a simple to solve problem, it's taken a huge amount of time to actually fix. Sure you're not going to get smaller temporary stores shut, but there's an unacceptable number of spams for major retailers and brands out there.

Persistent little bastards...

[sixteenbitsamurai]

It's like an underground revolutionary movement, except selling male enhancement products.

been happening for years

[fifedrum]

As an SA at a hosted email provider I see this on a daily basis and could list several hundred domains just from the last few days' worth of reports. They hit the big registrars, attempt to automate as much as possible, create dozens of email accounts per domain, and turn on the spigot disposing of the domains immediately in the case of sending domains, and putting off the demise of the web domains as long as possible.

Fortunately, the activity levels of the greedy spammers far outstrips the activity levels of the normal user, that said, we still see occasional drip spammers.

Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)

Re:

[phoenixwade]

Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)

I'm going for a Barrett and a tall hill or tree, this will be fun. Although I would still be partial to a rocket launcher with rockets that have painted on Smiley faces on the nose....

Re:

[Locke2005]

(Please gentle viewer, let me have the M1) Sorry, you're ALL getting the aluminum bats -- much more entertaining to watch!

Re:been happening for years

[ajlitt]

Ah, the cluebat. An elegant weapon for a less civilized luser.

Re:

[Dancindan84]

Naw, just give them lots of viagra and steroids. More poetic. /Read a similar joke somewhere about how to deal with spammers. //Not Mencia, don't kill me. I'd give credit if I could remember where from.

Re:

[supercrisp]

M1 is a bit old school. There are a LOT of spammers, and you'd need a higher rate of fire. I'd suggest a Saiga 12. Or if you really want the retro look, an AK-47 is still hard to beat.

Re:

[Firethorn]

I think he's going for quality of kills over quantity.

Besides, I figure there are fewer than you might think. Remember, one spammer can send out millions of emails in less than a day, easy.

Re:

[fifedrum]

definitely going for style points. nothing gives you the chills quite like the "sproing!click!" of the M1 running out of ammo. The plan was to have a limited number of spammers on the island, maybe at a 1:1 ratio kind of like "Running Man" (not smit running man either)

This is a new technique?

[interval1066]

I could have sworn they have been using this one for a few years now.

It's not new.

[Jay L]

I left the field in 2001 and they were already doing it then. It's just cheaper now (cheaper with real money, and cheaper to buy stolen credit cards).

Validate domain ownership

[Animats]

When you buy a domain, you should be mailed a letter with an activation code, sent to the registrant address. No valid mailing address, no domain activation.

Re:Validate domain ownership

[fifedrum]

to which they'll use mules

really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion. The only thing that works is jail time.

Re:

[BitZtream]

Mules at a known valid address are far easier to trace than stolen credit cards.

Re:

[guruevi]

Oh really? As in: they can make a couple of million and all they face is an extremely small chance that they get maybe 6 months in prison? Besides how do you get caught when there are no laws against it, no police force in the world cares (your company is not big enough to afford those laws) and you could be anywhere in the world, maybe in a small banana-republic where you can treat the police as your personal mercenaries for a couple of $100.

Re:

[fifedrum]

you are, of course, exactly right. There's nothing to be done but label them, put them on a list, and wait for them to step foot in a foreign land that has these controls in place.

Maybe we can declare a Fatwa against them, and any righteous sysadmin can achieve a greater score in mario brothers if they take the spammer out?

Re:

[DragonWriter]

really, there's no way around this that can't also be worked around by the spammers.

There's a fairly simple way around it on the client end (and which could easily be implemented by webmail providers); allow the user to designate "safe" domains, any mail that isn't from a known contact or a domain identified by the specific recipient as "safe" is shunted to an "unsolicited" box (or tagged "unsolicited"), essentially serving as a lower-probability "possible spam" box to a traditional Spam mailbox/tag.

Re:

[fifedrum]

that's whitelist-only and works great, actually. In our service, you put * in your blacklist, then *@dom in your whitelist (or of course, individual email addresses).

Re:

[DragonWriter]

that's whitelist-only and works great, actually.

Well, not quite. What I was really proposing is actually more like a three or four tiered system, with:

1. Stuff that is whitelisted: treated as most likely not spam and presented to user.
2. Stuff that is neither whitelist nor identified as probable spam by traditional spam filtering: treated/flagged as possible spam and presented to user.
3. Stuff that is caught as probable spam by traditional spam filtering, treated/flagged as probable spam and presented to us

Re:

[mlts]

The threat of jail isn't going to happen. A lot of spammers are in countries whose government doesn't give a rat's ass about computer crime, cannot afford to, or hates everyone else so much that they consider the spammers an income source for their nation.

Even in countries with computer crime laws, the good spammers will not be directly connected to machines, just like a good drug dealer is never near his stash when making transactions. They will be hiring script kiddies to do grunt work for them, or they

Re:

[fifedrum]

they already use raw IPs, but the vast majority of MX servers reject email that doesn't resolve in reverse DNS, or doesn't have a resolvable HELO hostname, or the from address is phony.

And they already use compromised clients, see it every day.

Re:

[mlts]

Correct. However, if other avenues of spammers dropping their spew is blocked, they will start focusing on trying to compromise legit machines, as opposed to just spraying and praying from IP ranges. Spammers have a lot of money behind them, so I'm sure a larger spam organization may end up spending their time compromising ISP servers just to get their stuff out.

At least if they do focus on compromising machines, a lot of zero days floating around will be found and squashed.

Re:

[fifedrum]

ah, gotcha, good point, looks like even more interesting times ahead for admins of all stripes.

Re:

[kvezach]

really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion. The only thing that works is jail time.

How about the idea of proof-of-work with price discrimination [psu.edu]? Unknown domains start at a fairly high level, so it takes a long time to send mail. If the user or domain has sent a few good mails, it's "trusted" (but using a robust trust metric so that spammers can't just trust each other), and then sending mail is fast. If the

Re:

[NevarMore]

So when you want to register a domain for unpopular political, social, or religious activities you can be outed?

Re:

[Skapare]

What if I gave up using email long ago? Why should making oneself vulnerable to spam a requirement to participate in non-email internet stuff?

This is news???

[Eggplant62]

They've been doing this since 1999 from my personal memory aiding the antispam fight. What suddenly brings this back to the fore as if it were some stunning revelation? It's an old trick that Alan Ralsky used when he was scamming and spamming.

Can't say I'm surprised

[ITBurnout]

A fine match for their disposable e-mails. I have to give kudos to Gmail; my personal account has not seen a single unwanted spam message since its inception. Not one. I used to check the Spam folder to see if anything legit got trashed, but now I just mainly ignore it unless I really want to see anonymous scumbags' assessments about my lack of adequate manhood.

Re:

[Zemplar]

... assessments about my lack of adequate manhood.

So you're the one! I've got a bunch of email that must belong to you.

Re:

[negRo_slim]

A fine match for their disposable e-mails. I have to give kudos to Gmail; my personal account has not seen a single unwanted spam message since its inception. Not one. I used to check the Spam folder to see if anything legit got trashed, but now I just mainly ignore it unless I really want to see anonymous scumbags' assessments about my lack of adequate manhood.

Agreed. My spam folder has plenty of spam but what actually has made it to the inbox in all these years was been about 3 messages. And that's after being lambasted on a previous /. post in which I willingly gave out my email milsorgen@gmail.com. I think someone tried to sign me up for like 3 mailing lists, but other than that it was nothing but hubris.

I think the problem has been over exaggerated and we are too eager to cater to users too dumb to avoid being suckered.

I don't understand spam folders

[XanC]

This is why spam folders should be Considered Harmful. Effectively, it's a delivery failure without a notice. You should either accept mail or reject it, not pretend to accept it and then stash it someplace where nobody reads it.

Using a spam folder treats outright, obvious spam with more courtesy than the borderline stuff.

Re:

[Firethorn]

If I'm expecting an email from a new source, like I've signed up somewhere new, and the email doesn't show up, I'll check the spam filters.

If the new request is outright rejected, how am I supposed to get my confirmation email?

Re:

[XanC]

Does any email from a new source get put into a spam folder? You might want to fix that problem first.

Re:

[Firethorn]

Does any email from a new source get put into a spam folder?

No, but it's iffy on new signups for small forums and such.

Re:

[ArsenneLupin]

If the new request is outright rejected, how am I supposed to get my confirmation email?

The same thing would happen as in the situation where you wouldn't expect mail from that source: the sender would get the bounce, which would contain a reason why the mail was rejected (such and such keyword in mail, no text, ...), he then would change his mail to match, and try again.

And if he was unable to comply, he would use a different channel (i.e. phone) to communicate with you.

Re:

[Firethorn]

The same thing would happen as in the situation where you wouldn't expect mail from that source: the sender would get the bounce, which would contain a reason why the mail was rejected (such and such keyword in mail, no text, ...), he then would change his mail to match, and try again.

I'm not talking about an individual's mail; I'm talking about those new account confirmation emails many forums send out, that you have to acknowledge before you can post.

Odds are a rejection mail is going into the bitbucket.

The administrator, assuming he's paying attention and knows how, can't just 'change the email', because that's only a temporary fix - the spammers will just adapt to the NEW template.

And if he was unable to comply, he would use a different channel (i.e. phone) to communicate with you.

Like I want to give www.randomforum.com my phone number? Like they have an administrator that active?

I'

Re:

[ArsenneLupin]

I'm not talking about an individual's mail; I'm talking about those new account confirmation emails many forums send out, that you have to acknowledge before you can post.

Odds are a rejection mail is going into the bitbucket.

On a properly configured automailer, any error messages are supposed to go to the administrator. How else would he be made aware that something is amiss?

Like I want to give www.randomforum.com my phone number? Like they have an administrator that active?

In case of an automailer, if there is trouble, probability is that the trouble is related to the software they are using. If the administrator manually mails you using his normal MTA, chances are good that this time it succeeds.

And if the automailer is so badly set up that it can't set up a proper reply, are you really trusting that outfit that it handles

Re:

[Firethorn]

On a properly configured automailer, any error messages are supposed to go to the administrator. How else would he be made aware that something is amiss?

And he still has to care enough to fix the problem of MY mail server rejecting his notices.

And if the automailer is so badly set up that it can't set up a proper reply, are you really trusting that outfit that it handles all other aspects of the service well? (such as not communicating your e-mail to a spammer anyways...)

'set up a proper reply'? What does that mean?

My point would be that spammers have and will send out emails that are crafted to look like these confirmation emails. They're an attempt to get you to click on the link. As such, forums small enough to not end up on whitelists often get blocked.

You start sending reject messages with resubmission requirements to allow email through and the spammers will automate that pro

Re:

[mlts]

Rejections just allow them to keep trying E-mail addresses and/or keep trying to figure out what will jump past. However, just having a SMTP server blindly slurp all incoming mail at one end and blow it out the other may cause false positives, and maybe causing big problems with mail troubleshooting.

One needs to do both sanity checking during the E-mail transaction and post-receipt scanning. The SMTP server needs to outright rejects obvious crap, greylist suspect stuff, and tarpit mass entries that are ob

Re:

[XanC]

Post-receipt scanning is evil. Either accept the mail and deliver it, or reject it at SMTP time.

I reject your assertion that the spambot will employ machine learning and figure a way through after a rejection.

The correct solution is to employ massive delays on the SMTP transaction if an email is spam. This is a pseudo-tarpit. The mail is eventually rejected.

Re:

[XanC]

I think you're confused.

I'm not advocating going filterless. I'm saying that instead of putting "borderline" spam in a spam folder, simply reject it.

The "check-up" on the automatic system that you advocate would then be done by the sender, who gets notified that the mail didn't get delivered. If a message ends up in a spam folder, then it effectively hasn't been delivered, but nobody knows about it.

Re:

[XanC]

I misunderstood what you said. That isn't exactly the same as being confused.

Perfectly fair. I didn't mean it pejoratively.

imagine the fun nightmares that begin when a personal relation that the receiver doesn't care to offend starts sending them spam

Seems like a filter that rejects those mails is the perfect solution! The recipient can't be blamed, it's that dang filter. :-)

Re:

[XanC]

pfft, BS, 98% of spam is fire and forget. Mail should be either rejected at SMTP time or delivered. Anything else is breaking your mail system, and asking for mail to mysteriously disappear.

Re:

[hedwards]

Rarely do I get any spam in my Gmail inbox, that being said, it's tight enough that I do have to add things to my address book fairly often to make sure that it's not listed spam. But, the rate at which they mistakenly categorize something is impressively low.

Changing domains or changing servers?

[NevarMore]

Its pretty trivial to have 10000 domain names pointing to 10 servers.

It also seems trivial that when a domain name is flagged to also flag its server, then when a new domain name shows up that points to a flagged server rate it appropriately.

Its a clever trick, but hardly an unfightable step in the spam-arms-race.

Re:

[mlts]

Then a spammer will DoS a legit site by using the ISP they use for an attack. It may be useful, but can easily be used by blackhats to sully the name and reputation of a legit site, especially if the attacker does a joe job and sends E-mail from that site's normal outgoing server's SMTP server that is shared.

And spammers will do this. I have helped small businesses who got threatened with their domain contacts being the in the fake From: headers of a spammer, who threatened to send out spam in their name

Re:

[EdIII]

though I cannot think of a good reason not to dock major points for an e-mail sent by a mail server with a non-static IP to begin with.

I cannot think of a good reason to even start talking with a non-static IP to begin with. Spamhaus has a PBL [spamhaus.org] (Policy Block List) and if an IP address is on it I just terminate the connection.

I know some people will say, "but now you prevent the common man from running a mail server!". Correct. It is unfortunate to create such a barrier to entry, but I feel that if you wan

ahhh, but what are the resolved addresses?

[swschrad]

if, for instance, they keep coming from the block reserved by {scumpuppy.net}, for instance, you know who to blacklist by range.

One maybe bad aspect of IPv6?

[JSBiff]

This got me to thinking. In a world where IPv6 provides an astronomical number of subnet blocks, what's to keep spammers and malware distributors from jumping from IP block to IP block the way they jump from domain to domain?

Re:

[shentino]

To make a TCP connection both ends have to have routable addresses.

Sooner or later either they'll all have common subnets, or they'll cause a noticeable spike in routing traffic.

Mod parent (and GP) up.

[khasim]

IPv6 will cause a huge problem with existing blacklists.

It won't cause any problems with whitelists (which should be checked PRIOR to the blacklists).

But they're still going to have to go through routers. So we're going to have to work on hacks that identify the routers that the communication is traversing. Then you should be able to see the "gateways" to the spammy networks and adjust the scoring.

This reminds me of

[Anon-Admin]

This reminds me of the copyright protection on the Commodore 64 games and the game crackers.

No matter what you can come up with, the spammers will find a way around. RBL's, disposable domains, IP banning => IP Spoofing, the list goes on. This may not be a winnable fight.

I hate to say that because I have had my e-mail address for 10 years now and average 300 spam messages a day. Thanks to Spam assassin and a probability filter I can knock it down to only 3 or 4 a day getting through.

Maybe it is time to st

Re:

[Firethorn]

Maybe it is time to stop fighting the spammers and start training the users!

Consider, scammers have been using the same tactics for centuries, often simply updated to keep up with modern communication techniques.

'Male Enhancement'? Snake Oil, just no longer sold personally with the attendant risk of getting lynched.
Nigerian scheme? Fake ransom demands.

We've tried educating people; I think there are certain types of people more suseptable than others. Perhaps they need a financial guardian or something. Along with the compulsive gamblers and such. :(

It's not a bad idea, I try avo

Re:

[istartedi]

This may not be a winnable fight

For as long as the Internet has been public, it's been an arms race. The real winners in any arms race are the arms dealers. Of course, since this is a "cyber" war, the "arms" are software, hardware, and bandwidth.

Hey Timothy, Welcome to 1999

[BitZtream]

Really ... spammers are moving to disposable domains ...

All those fja3lgah12.com email addresses I've been seeing for the last 10 or so years have been bots on real domains then eh?

Seriously Tim, if you think something is new and exciting then you are experiencing one of two things, either its not really old and its actually common knowledge to everyone BUT you and the website your viewing ... or ... the website you're viewing is wrong.

Think that EVERY TIME you go to post stories to the front page and we'll

No!

[night_flyer]

Really? Are you serious? And this is news how?

Catch Them!

[b4upoo]

Since the usual idea of spam is to get people to send money somewhere why not send a cop to that point and grab the account holders. Fines plus prison time should discourage them.

Re:

[Joce640k]

The 'somewhere' is usually a place where cops can't (or don't) do that.

Levels of accountability

[aapold]

If a bar sells beer to an underage person, they get in trouble. Roll the layers back and put it on them to institute their own methods of verification or face consequences for not doing so. As it is, they practically have a vested business interest in continuing to sell them these domains.

Not Even Remotely New

[damn_registrars]

Anybody who has ever really looked at the spam they've received knows this has been going on for years. Spammers buying domains in bulk for quick switching is a very old game. Fortunately as this gets more attention we get a little bit closer to paying attention to something we can do something about (for a little while longer anyways):

Registrars. We have often pointed to the spammers, the ISPs, and the spamvertised domains as groups who make money off of spam. We have for various reasons frequently overlooked the registrars who are taking in a profit on the deal as well. There have been registrars in bed with spammers for almost as long as we have had spammers.

The big difference though is that we could do something about the registrars - if we really wanted to. The registrars are supposed to keep valid data on their customers, and are supposed to adhere to specific ICANN guidelines (at least for specific TLDs). If the registrars couldn't register anything in the TLDs they want, they would think twice about knowingly dealing with spammers.

The 'tasting' comments confirm, this is not new.

[rickb928]

I've been seeing this for at least five years. First, tasting was the preferred method. Now it seems some serious spammers have an 'in' with a registrar, where by the time I get to looking up the whois, the domain is gone and no longer registered. Not even the previous whois is available.

I can't imagine that allowing someone to register a domain for a few days or even less, and then deleting all trace of the registration, is permitted by ICANN, but they haven't been able to police registrars very well at all for a decade now. Between the obvious front-running, search scanning, and tasting scams, most registrars are just plain shady. A pox on them all. It's gotten to the point that when someone asks me to look up a domain to see if it's available, I tell them to make the decision, and I will try to register it for them. For a while now, EVERY domain I've checked on was available when I looked it up, and minutes later it was gone.

I'm not the dullest turnip to fall off the truck last night. Front-runnng is a scam. Disposable domains are not new. This article is at least 5-6 years late.

IPv6 doesn't suffer from this kind of spoofing

[crovira]

If your site IPv6 address is on the "naughty list" it doesn't matter what you spoofed the DNS to call the web site.

Its is also a lot faster to do a binary hash on a fixed bit length IP address rather than a variable length domain name.

Most of the current problems from miscreants and other forms of low-lifes will disappear, as will most script kiddies and pirate sharers out there when they realize that there is no more anonymity on the internet.

Most traffic will be point-to-point and one of the things it wil

Not that much of news

[dindi]

Maybe I worked sometimes around bad people, who chose bad advertising methods (I have never sent SPAM out, or worked SPAM machines), but this is just so old news, like saying:

"Robbers are now using stolen cars",
or
"thieves are stealing credit card numbers"

Either way, when it comes to spamming, the linked domain is mostly a throw-away one, and that is not even the problem. The problem is, the IP that sends the mail. At least for the weak/poor, who cannot build/pay for a botnet mailer. You can however always f

Axe in the face would stop it

[xiando]

A global law against spamming with punishment of death by axe in the face for proved involvement with spam e-mail would probably frighten many spammers enough to make them stop. Just a thought.

A simple answer to spamming

[whitroth]

In the US, doesn't can-spam act allow us to go after spammers? If so, who's the responsible party: the spammers... or the sites being advertised? *They* can't have disposable domains, and they're the ones who are paying the spammers.

            mark