Researchers at M86 Security note an increase in Russian spam domains since China changed its domain registration requirements in 2009.
Spammers have increasingly been moving their operations to Russian domains
domain regulator introduced tighter rules in 2009, security researchers say.
The CNNIC (China Internet
some of its domain registration rules so that applicants are required to
submit a formal paper-based application to a registrar that includes, among
other things, a photocopy of the registrant's identification. At the time, some
security researchers predicted that the move would have the side effect of
making Chinese domains less attractive for cyber-criminals seeking anonymity.
And in fact, spammers have increasingly migrated to the Russian .ru TLD
(top-level domain) to register their domains, reported M86 Security. In
August, one-third of all unique domains M86 observed in spam were .ru domains,
with nearly all of those being registered through two registrars-Naunet and
Reg.ru. "This is the highest proportion of any TLD,"
with .com coming in second with "just under one-third of spammed domains,"
Gavin Neale, an M86 security researcher, posted Sept. 22 on the company's
Security Labs blog.
each domain for only a couple of hours and register new
ones all the time," Gavin Neale wrote. "In the last month from spam
alone we have seen over 4,000 .ru domains registered through Naunet. These are
hosting a variety of spam Websites, including Ultimate Replica, Dr Maxman,
online casinos, Via Grow and Eurosoft Software.
"We have also seen over 1,800 domains registered through Reg.ru in spam
over the last month, all of which lead to Canadian pharmacy Websites," he
continued. "Reg.ru actually has a feature to register up to 600 domains at
once, pretty useful for a spammer."
The rules for domain registration in Russia
are similar to other areas of the world, Bradley Anstis, vice president of
technology strategy at M86, told eWEEK. The Internet community could do itself
a favor and mandate what the rules should be, but the major issue is not the
rules, but enforcement.
has been trying to clean up its act, and good on them, they have made a change,
the change is for the spammers to go back to where they used to be, Russia,"
Anstis said. "They went to China
because of very lax rules, or the complete lack of rules; also a lot of
flexibility around automatically registering many domains at once, and doing it
programmatically. As China
tightened all this up and start actually enforcing these rules, this change has
been the result.
"This is perhaps an issue that the overall Internet community should
take up. We need a consistent set of rules, and accountability for the
enforcement of those rules," he continued. "Another example of a rule
or policy that is very lax in certain geographies is takedown requests to
hosting companies or even registrars and answers to any questions on the
activities of the same.
"Think back a couple of weeks ago [to] the welcome news that Pushdo
as a spamming botnet
had been wounded with C&C server takedowns ... but
they were not able to take down 100 percent of the C&C servers, why? Because
requests for action went unanswered to some hosting companies and registrars,
and so they remained back online and the result is that Pushdo is back growing