HomeMalware Attacks
July 14, 2010, 1:03PM

Spammers Moving to Disposable Domains

Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns.

Spammers for years have been buying domains in bulk and using them for both redirections to other, often malicious, sites and for locations to set up quick e-commerce sites for sales of pills, pirated software, fake watches or whatever goods they're pushing that day. Anti-spam services and email filters typically use static lists of known malicious domains or ones known to be used by spammers.

That approach worked well early on in the fight against spam, but as the spammers have analyzed the defenses deployed against them, their tactics have become much more devious and effective of late. New research by security firm M86 Security Labs shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less.

Recommended Reads

Get News by Email!

That's a major change from the days when large-scale spam operations would buy a couple of dozen random domains, set them up in a bulletproof hosting environment and use them for months at a time. The ease with which these groups can buy domains and move from one to another within a few minutes represents a serious challenge for law enforcement and anti-spam groups. There have been some successes in the fight against spam in recent years, specifically the takedown of McColo. But there are thousands and thousands of smaller operators around the world, making spam a very distributed problem.

As Internet threats go, spam is not exactly sexy. (OK, some of it is.) It's old, it's boring and it's really seen as more of a nuisance than a threat. And that's part of the current problem that spam presents: It is, in fact, a threat and it's being overlooked in favor or more buzzworthy attacks with three-letter acronyms.But spam volume remains high, accounting for roughly 88 percent of all email in the first half of 2010, according to the M86 report.

 
Featured Resource:
 

Spam continues to be a major mechanism for spreading malware and is also a key piece of the botnet puzzle. Most of the major botnets are used to deliver spam, especially pharmaceutical spam, and some of those messages also contain malware. That malware often is a copy of a bot program that will then turn the infected machine into a spam engine, perpetuating the cycle.

Shorten URL: Click to copy short URL. Click to copy to clipboard or post to Twitter

Comments

Submitted by Anonymous (not verified) on Wed, 07/14/2010 - 2:19pm.

This is *not* news. Spammers have been doing this for at least a year, quite possibly longer.

This not-even-remotely-new "disposable domain" phenomenon is spammers' reaction to the effectiveness of URI blacklists.

It is a sad commentary on spam "research" when it's this far behind the curve.

 

Submitted by Almafuerte (not verified) on Wed, 07/14/2010 - 3:21pm.

Ban windows, and botnets will disappear forever. It really is that simple. Force m$ to take security seriously, or shut them down and force people to migrate away from windows. 

Of course, none of those things are going to happen, since several industries, including security software, spam, and microsoft itself, are based on the fact that computers are awfully insecure. 

Submitted by Anonymous (not verified) on Wed, 07/14/2010 - 3:55pm.
There are mac and linux botnets. Linux botnets are very uncommon and are generally comprised of only 10-20 machines instead of the hundreds of thousands of windows bots in a single botnet, but then again those 10-20 machines commonly are high-performance servers with 100mB/s or 1gB/s connections. Mac botnets are also far from uncommon. This article is NOT news. Anyone who has had an email account since the early 2000's will tell you that this "research" is almost 10 years old.
Submitted by Anonymous (not verified) on Wed, 07/14/2010 - 4:14pm.
Ban windows and the windows USERS will migrate to another platform. It won't be long before there are calls to ban that platform because all those people are still stupid. Banning Windows will not ban Windows USERS. And they will fall for schemes because they won't know how to run the new platform securely either. Or they will answer the phone and willingly execute whatever commands the person on the other end suggests. Please describe the platform that can stand against this kind of attack, because this I got to hear.
Submitted by Anonymous (not verified) on Wed, 07/14/2010 - 4:19pm.

Its simple. Just add a new rule (which has to be coded) for SMTP to not except incoming emails from any domain if that domain is less than a month old. Obviously this number days/months, etc can be configurable.

Submitted by Banstis (not verified) on Wed, 07/14/2010 - 7:20pm.

I work for M86 security and its great to see all the comments, and we completely agree with the comments around this not being major news, and its not this has been happening for quite a while, this is only one very small statistic from our latest security update report we have published, see our security labs site.  The far more interesting opportunity to combat spam is not from hosting take downs or even disabling C&C of spambots, its tackling the affiliate programs, in this same report we state that 67% of all spam we track is promoting the Canadian Pharmacy affiliate program and the top 2 spambots pretty much exclusively, if we can address that we might finally have a longer lasting impact on spam volumes?

Submitted by Richard Pitt (not verified) on Wed, 07/14/2010 - 8:00pm.

OK - as the admin of a small but active E-mail forwarding service I'm thinking about doing a "whois" on domains (cache the answers) and not allowing connections from any that are not at least X days old - how does that sound?

Personally I think 365 days is a reasonable number for X

Submitted by Michael (not verified) on Thu, 07/15/2010 - 12:10am.
Isn't CDN pharm spam over ;) Running an Anti-Spam company is interesting, when I see the reports come across the desks.. still amazed that it is easier for a spammer to get /20 than it is for a legitimate ISP.. but as far as disposable domains, they are still pretty obvious, and it is also obvious that the hosting companies are allowing it to happen. Still seeing about 75% from trojans and bots, (on personal PC's) but those are pretty easy to detect.. 5% is leakage from the big freemail providers, rigtht now it is looking like orange.fr leads the pack, followed by aol, google, yahoo, hotmail, but it is the big 15% in the middle that comes from the guys who get a /27 or better, and move from place to place, or on hosting companies that let them operate with impunity.. that get my goat.. running out of IPv4 space? No wonder.. and when you talk to the head of abuse at a large Tier 1 provider who says.. 'We only worry about spammers if it gets our legitimate customers blocked', you see where this is going. If we make network operators accountable for what leaves their networks, who cares what domains they use. We monitor the activity at hundreds of ISP's across North America, and it is amazing how the patterns are so similar everywhere. One day, we will see that big class action suit from ISP's for the costs of dealing with spammers, and list business, against the psuedo CAN-SPAM compliant email marketing companies, and the operators who allow it to occur. A simple SMTP traffic monitor at the edge.. or just look at the reverse DNS of the IP blocks.. it is easy to see who is doing it, but it has got to the point where operators know that noone even bothers to report it anymore. When you see: #178.32.5.133: mail.laptimeroom.info #178.32.5.134: mail.laptimesale.info #178.32.5.135: mail.coulddiscover.info #178.32.5.136: mail.discoverdish.info #178.32.5.137: mail.discoverelf.info Using an old example, used to be listed as jaknewmedia, I see that 178.32.5.137 is now 178-32-5-137.kimsuifi.com, which doesn't have a working webpage ;) ARIN should take a role in this.. Are you going to 'filter' email coming from them? You would be amazed at how many companies, 'pretent' to be hosting companies, and are just a shill for spammers and email marketers..
Submitted by Michael (not verified) on Thu, 07/15/2010 - 12:18am.
hehehe.. I bet that the spam filters will expire that domain before the 365 days, but next year the spammers will use it again.
Submitted by Per (not verified) on Thu, 07/15/2010 - 2:48am.
I've seen spam runs exclusively using old domains just about to expire. This will make domain maturity checks useless. I guess some spammers have joined forces with the domain registry sharks (Domain Registry of America etc.) that send solicitations that look like bills (luring people to pay and thus transfer their domains to the rogue service) and trade in lists of domains just about to expire.
Submitted by WareZwolF (not verified) on Thu, 07/15/2010 - 9:03am.

I completely agree with you.

Post new comment

The content of this field is kept private and will not be shown publicly.

Kaspersky Lab Channel and Alliance Partners

 

 

Copyright © 2010 threatpost.com | Terms of Service | Privacy