While I always loved that show, like any teen geek growing up (what teenage male would not want to build the perfect girlfriend?), today's post is about the abuse of .science domains. Like many of the new top-level domains, what makes them so attractive for spamming is that they are cheap enough to buy, use once, and throw away.
However, it also means hosting companies must be turning a blind eye to such obvious spammers, and when many different ranges all start spamming on the same day, it is hard not to suspect that they are all part of the same group.
And now that the holidays are over, they are back hard at work at this.
IP address      Flags    Reports  Hostname
78.129.138.64                 9  tested.jiygxba.science
78.129.138.65                11  proof.kxaolpo.science
78.129.138.66                10  tandem.tianmian.science
78.129.138.67                10  traces.bozhongzhi.science
78.129.138.68                 8  shawl.hongzhijian.science
78.129.138.69                11  brawny.hongzhi.science
78.129.138.70                 7  tangerine.xingjiangjiu.science
78.129.138.71                 7  spoon.bitmulti.science
78.129.138.72                75  material.basarabu.science
78.129.138.73                75  julian.plastico.science
78.129.138.74                76  distance.vwabu.science
78.129.138.75                 4  origin.abutian.science
78.129.138.76                 7  gratuity.zhiling.science
198.1.131.50    (M)          35  change.400aicom.science
198.1.131.51    (M)           3  header.as9521tk.science
198.1.131.52    (M)           2  jump.pybsmto.science
198.1.131.53    (M)           3  tears.vyat.science
198.1.131.54    (M)           2  lover.uwbuwhgj.science
198.15.171.66   (M)           2  minutes.hdjvg.science
198.15.171.67   (M)           2  friend.doxkt.science
198.15.171.68   (M)           2  confirm.777nacom.science
198.15.171.69   (M)           3  child.ctpdqjf.science
198.15.171.70   (M)           3  spring.iqnfekdo.science
198.15.171.71   (M)          27  hosting.ggsyi.science
198.15.171.72   (M)          28  swine.xqdfye.science
198.15.171.73   (M,RN)       24  scout.vkzonckt.science
198.15.171.74   (M)          28  police.yoywi.science
198.15.171.75   (M,RN)       27  prospect.700iicom.science
198.15.171.77   (M)          21  imagine.111kfccom.science
Now you would think this would raise alarm bells with the hosting provider, and such obvious throwaway domains should be something the registrar is also looking at. Let's take a quick look at who registered those domains.
Registrant Name: Boyles Sermons
Registrant Name: Amina Korhonen
The first block is owned by one ‘person’ and the second two by another ‘person’; interestingly, all of them were registered on the same day.
Yet they seem to be on IPs registered to different people. Unfortunately, ‘Rapid Switch’ does not appear to operate an rwhois server for their range. ServerYou, however, follows better practice in this regard.
Customer: TanQiong (C03386035)  198.1.131.32/27
Customer: LangBang (C04453655)  198.15.171.64/26
Still, the behavior is exactly the same, so something is fishy. Either several individuals are colluding, or some of the registration information is not correct. Just to give an idea of how harmful this can be in just a few hours:
IP address      Reports  Hostname
78.129.138.64        74  tested.jiygxba.science
78.129.138.65        72  proof.kxaolpo.science
78.129.138.66        74  tandem.tianmian.science
78.129.138.67        73  traces.bozhongzhi.science
78.129.138.68        74  shawl.hongzhijian.science
78.129.138.69        74  brawny.hongzhi.science
78.129.138.70        73  tangerine.xingjiangjiu.science
78.129.138.71        74  spoon.bitmulti.science
78.129.138.72       102  material.basarabu.science
78.129.138.73       100  julian.plastico.science
78.129.138.74       102  distance.vwabu.science
78.129.138.75        57  origin.abutian.science
78.129.138.76        60  gratuity.zhiling.science
The number in the second column is how many ISPs and telcos reported each host over the same few-hour window. That kind of volume should be detectable at the source as well; it would be interesting to know how these individuals get away with it without the registrar or the hosting companies appearing to notice.
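The pattern described above (a contiguous run of addresses in one netblock, each hosting a different throwaway hostname under the same new TLD, all reported by many independent sources within hours) is simple enough to score automatically. The following is an added example written for this post, not code from the original or from any of the providers named; it parses report lines in the same "IP [(flags)] reports hostname" shape as the tables above, groups them by netblock and flags blocks that match. The 78.129.138.x rows are copied from the second table, the 198.15.171.x rows from the first table (their report counts differ because the snapshots were taken at different times), and the 203.0.113.x rows are a constructed benign control. The /26 grouping and the thresholds are assumptions chosen for illustration.

```python
"""Added example: heuristic for spotting disposable-domain spam runs in abuse reports."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: rows copied from the post's tables plus a benign control block.
SAMPLE_REPORTS = """\
78.129.138.64 74 tested.jiygxba.science
78.129.138.65 72 proof.kxaolpo.science
78.129.138.66 74 tandem.tianmian.science
78.129.138.67 73 traces.bozhongzhi.science
78.129.138.68 74 shawl.hongzhijian.science
78.129.138.69 74 brawny.hongzhi.science
78.129.138.70 73 tangerine.xingjiangjiu.science
78.129.138.71 74 spoon.bitmulti.science
78.129.138.72 102 material.basarabu.science
78.129.138.73 100 julian.plastico.science
78.129.138.74 102 distance.vwabu.science
78.129.138.75 57 origin.abutian.science
78.129.138.76 60 gratuity.zhiling.science
198.15.171.66 (M) 2 minutes.hdjvg.science
198.15.171.67 (M) 2 friend.doxkt.science
198.15.171.68 (M) 2 confirm.777nacom.science
198.15.171.69 (M) 3 child.ctpdqjf.science
198.15.171.70 (M) 3 spring.iqnfekdo.science
198.15.171.71 (M) 27 hosting.ggsyi.science
198.15.171.72 (M) 28 swine.xqdfye.science
198.15.171.73 (M,RN) 24 scout.vkzonckt.science
198.15.171.74 (M) 28 police.yoywi.science
198.15.171.75 (M,RN) 27 prospect.700iicom.science
198.15.171.77 (M) 21 imagine.111kfccom.science
203.0.113.10 1 mail.example.com
203.0.113.11 1 www.example.com
"""

# IP, optional "(flags)", report count, hostname.  Flags are kept verbatim.
LINE_RE = re.compile(r"^(\S+)\s+(?:\(([^)]*)\)\s+)?(\d+)\s+(\S+)$")


def parse_reports(text):
    """Parse report lines into dicts; malformed lines and bad IPs are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip_s, flags, count, host = m.groups()
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            continue
        rows.append({"ip": ip, "flags": flags or "", "reports": int(count), "host": host.lower()})
    return rows


def registrable_domain(host):
    """Naive registrable domain: last two labels (adequate for single-label TLDs like .science)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize_blocks(rows, prefix=26):
    """Group rows by /prefix netblock (assumed size) and compute the features the heuristic uses."""
    blocks = defaultdict(list)
    for r in rows:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        blocks[str(net)].append(r)
    summary = {}
    for net, entries in blocks.items():
        entries.sort(key=lambda r: r["ip"])
        tld_counts = defaultdict(int)
        for r in entries:
            tld_counts[r["host"].rsplit(".", 1)[-1]] += 1
        top_tld, top_n = max(tld_counts.items(), key=lambda kv: kv[1])
        # Longest run of consecutive addresses where each hop lands on a different domain.
        longest = run = 1
        for a, b in zip(entries, entries[1:]):
            adjacent = int(b["ip"]) - int(a["ip"]) == 1
            if adjacent and registrable_domain(a["host"]) != registrable_domain(b["host"]):
                run += 1
                longest = max(longest, run)
            else:
                run = 1
        summary[net] = {
            "hosts": len(entries),
            "distinct_domains": len({registrable_domain(r["host"]) for r in entries}),
            "dominant_tld": top_tld,
            "tld_share": top_n / len(entries),
            "total_reports": sum(r["reports"] for r in entries),
            "longest_run": longest,
        }
    return summary


def flag_blocks(summary, min_run=5, min_tld_share=0.9, min_reports=20):
    """Netblocks that look like a disposable-domain spam run: a long run of consecutive
    IPs each with its own domain, nearly all under one TLD, and enough independent
    reports to rule out a single complaint.  Thresholds are illustrative assumptions."""
    return sorted(
        net for net, s in summary.items()
        if s["longest_run"] >= min_run
        and s["tld_share"] >= min_tld_share
        and s["total_reports"] >= min_reports
    )


if __name__ == "__main__":
    summary = summarize_blocks(parse_reports(SAMPLE_REPORTS))
    for net, s in sorted(summary.items()):
        print(net, s)
    print("flagged:", flag_blocks(summary))
```

Run against the sample, both .science blocks are flagged and the control block is not. In practice the report count would come from a feed such as the one the post's numbers are taken from, and the same-day registration date from whois would be a fourth feature worth adding once it is available per domain.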