Russian Spam Domains Increase After China Tightens Domain Registration Rules

Spammers have increasingly been moving their operations to Russian domains since China's domain regulator introduced tighter rules in 2009, security researchers say.

The CNNIC (China Internet Network Information Center) changed some of its domain registration rules so that applicants are required to submit a formal paper-based application to a registrar that includes, among other things, a photocopy of the registrant's identification. At the time, some security researchers predicted that the move would have the side effect of making Chinese domains less attractive for cyber-criminals seeking anonymity.

And in fact, spammers have increasingly migrated to the Russian .ru TLD (top-level domain) to register their domains, reported M86 Security. In August, one-third of all unique domains M86 observed in spam were .ru domains, with nearly all of those being registered through two registrars—Naunet and Reg.ru. "This is the highest proportion of any TLD," with .com coming in second with "just under one-third of spammed domains," Gavin Neale, an M86 security researcher, posted Sept. 22 on the company's Security Labs blog.

"Spammers generally advertise each domain for only a couple of hours and register new ones all the time," Gavin Neale wrote. "In the last month from spam alone we have seen over 4,000 .ru domains registered through Naunet. These are hosting a variety of spam Websites, including Ultimate Replica, Dr Maxman, online casinos, Via Grow and Eurosoft Software.

"We have also seen over 1,800 domains registered through Reg.ru in spam over the last month, all of which lead to Canadian pharmacy Websites," he continued. "Reg.ru actually has a feature to register up to 600 domains at once, pretty useful for a spammer."

The rules for domain registration in Russia are similar to other areas of the world, Bradley Anstis, vice president of technology strategy at M86, told eWEEK. The Internet community could do itself a favor and mandate what the rules should be, but the major issue is not the rules, but enforcement.

"China has been trying to clean up its act, and good on them, they have made a change, the change is for the spammers to go back to where they used to be, Russia," Anstis said. "They went to China because of very lax rules, or the complete lack of rules; also a lot of flexibility around automatically registering many domains at once, and doing it programmatically. As China tightened all this up and start actually enforcing these rules, this change has been the result.

"This is perhaps an issue that the overall Internet community should take up. We need a consistent set of rules, and accountability for the enforcement of those rules," he continued. "Another example of a rule or policy that is very lax in certain geographies is takedown requests to hosting companies or even registrars and answers to any questions on the activities of the same. 

"Think back a couple of weeks ago [to] the welcome news that Pushdo as a spamming botnet had been wounded with C&C server takedowns … but they were not able to take down 100 percent of the C&C servers, why? Because requests for action went unanswered to some hosting companies and registrars, and so they remained back online and the result is that Pushdo is back growing again."