Weird Science

While I always loved that show, like any teen geek growing up (what teenage male would not want to build the perfect girlfriend?), today's blog is about the abuse of .science domains. Like many of the new top-level domains, the reason they are so attractive to spammers is that they are cheap enough to buy, use once, and then throw away.

However, it also means hosting companies must be turning a blind eye to such obvious spammers, and when you see many different IP ranges all start spamming on the same day, it also makes you suspect that it might all be part of the same group.

And now that the holidays are over, they are back hard at work at this.

[Table not preserved in extraction: the list of offending IPs and .science domains, one row per entry, with a report count per row (9, 11, 10, 10, 8, 11, 7, 7, 75, 75, 76, 4, 7, 35, 3, 2, 3, 2, 2, 2, 2, 3, 3, 27, 28, 24, 28, 27, 21) and a flag of (M) or (M,RN) on some rows; the IP/domain column itself did not survive.]

Now you would think this would raise alarm bells with the hosting provider, and such obvious throwaway domains should be something the registrar is also looking at; however, let's quickly look at who registered those domains.

Registrant Name: Boyles Sermons
Registrant Name: Amina Korhonen

The first block is owned by one 'person' and the second two by another 'person'; interestingly enough, though, they were all registered on the same day.

Yet they seem to be on IPs registered to different people. Unfortunately, 'Rapid Switch' does not appear to operate an 'rwhois' server for their range. ServerYou, however, follows better practice in this regard:

Customer: TanQiong (C03386035)
Customer: LangBang (C04453655)

Still, the behaviour is exactly the same, so something is fishy. Either it is several individuals colluding, or some of the registration information is not correct. Just to give an idea how harmful this can be in just a few hours:

[Table not preserved in extraction: one row per source, with the reporter count in the second column (74, 72, 74, 73, 74, 74, 73, 74, 102, 100, 102, 57, 60); the first column, identifying the source, did not survive.]

The number in the second column is how many ISPs and telcos reported each source over the same few-hour time span. That kind of volume should be detectable at the source as well; it would be interesting to know how these individuals get away with this without the registrar or the hosting companies appearing to notice.
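The correlation described above (sender domains all registered on the same day by a handful of registrants, several unrelated IP ranges that start spamming together, and dozens of distinct reporters hitting one source within a few hours) is mechanical enough to script. The following is an added example, not code from the original post: it takes constructed WHOIS-style records and constructed abuse reports (reporter, timestamp, source IP, sender domain; the registrant names are placeholders and the IPs come from the RFC 5737 documentation ranges) and flags the throwaway-domain pattern the post is complaining about. The window and age thresholds are assumptions chosen for the sample, not figures from the post.

```python
"""Correlate spam abuse reports with domain registration data to spot
throwaway-domain campaigns: domains created on one day by one registrant,
several /24 networks starting on the same day with those domains, and
per-source report volume from distinct reporters in a short window.
All data below is constructed sample input for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed WHOIS-style records: domain -> (registrant name, creation date).
# Registrant names are placeholders, not real registrations.
WHOIS = {
    "example-one.science": ("Registrant A", "2015-01-05"),
    "example-two.science": ("Registrant A", "2015-01-05"),
    "example-three.science": ("Registrant B", "2015-01-05"),
    "example-four.science": ("Registrant B", "2015-01-05"),
    "oldshop.example": ("Registrant C", "2011-03-14"),
}

# Constructed abuse reports: (reporting ISP/telco, timestamp, source IP, sender domain).
REPORTS = [
    ("isp-a", "2015-01-06 08:00", "203.0.113.10", "example-one.science"),
    ("isp-b", "2015-01-06 08:05", "203.0.113.10", "example-one.science"),
    ("telco-c", "2015-01-06 08:40", "203.0.113.10", "example-two.science"),
    ("isp-a", "2015-01-06 08:10", "198.51.100.7", "example-three.science"),
    ("isp-d", "2015-01-06 09:00", "198.51.100.7", "example-four.science"),
    ("isp-b", "2015-01-06 09:30", "198.51.100.9", "example-four.science"),
    ("isp-a", "2015-01-06 10:00", "192.0.2.33", "oldshop.example"),
    ("isp-a", "2015-01-06 11:00", "203.0.113.10", "example-one.science"),  # repeat reporter
]


def parse_reports(rows):
    """Turn (reporter, 'YYYY-MM-DD HH:MM', ip, domain) tuples into dicts."""
    return [
        {"reporter": rep, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
         "ip": ip_address(ip), "domain": domain.lower()}
        for rep, ts, ip, domain in rows
    ]


def distinct_reporters(reports, window=timedelta(hours=4)):
    """Per source IP, the largest number of distinct reporters seen in any
    sliding window of `window` length. Repeat reports from one reporter count once."""
    by_ip = defaultdict(list)
    for r in reports:
        by_ip[r["ip"]].append(r)
    result = {}
    for ip, rs in by_ip.items():
        rs.sort(key=lambda r: r["time"])
        best = 0
        for i, start in enumerate(rs):
            names = {r["reporter"] for r in rs[i:] if r["time"] - start["time"] <= window}
            best = max(best, len(names))
        result[str(ip)] = best
    return result


def registrant_clusters(whois):
    """Group domains by (registrant, creation date): several domains registered
    on one day by one registrant is the disposable-domain pattern."""
    groups = defaultdict(list)
    for domain, (registrant, created) in whois.items():
        groups[(registrant, created)].append(domain)
    return {key: sorted(doms) for key, doms in groups.items()}


def same_day_campaigns(reports, whois, max_age=timedelta(days=3)):
    """Find sets of sender domains that share a creation date, were reported
    within `max_age` of it (i.e. used straight after registration), and were
    sent from more than one /24 (IPv4) or /64 (IPv6) network.
    Returns creation date -> summary; established domains are ignored."""
    acc = defaultdict(lambda: {"domains": set(), "networks": set(),
                               "registrants": set(), "first_seen": None})
    for r in reports:
        if r["domain"] not in whois:
            continue
        registrant, created = whois[r["domain"]]
        if r["time"] - datetime.strptime(created, "%Y-%m-%d") > max_age:
            continue
        prefix = 24 if r["ip"].version == 4 else 64
        c = acc[created]
        c["domains"].add(r["domain"])
        c["networks"].add(ip_network(f"{r['ip']}/{prefix}", strict=False))
        c["registrants"].add(registrant)
        if c["first_seen"] is None or r["time"] < c["first_seen"]:
            c["first_seen"] = r["time"]
    return {
        created: {"domains": sorted(c["domains"]),
                  "networks": sorted(str(n) for n in c["networks"]),
                  "registrants": sorted(c["registrants"]),
                  "first_seen": c["first_seen"].isoformat()}
        for created, c in acc.items() if len(c["networks"]) > 1
    }


if __name__ == "__main__":
    reports = parse_reports(REPORTS)
    print("distinct reporters per source IP (4h window):", distinct_reporters(reports))
    for (registrant, created), domains in registrant_clusters(WHOIS).items():
        print(f"{registrant} registered {len(domains)} domain(s) on {created}: {domains}")
    for created, c in same_day_campaigns(reports, WHOIS).items():
        print(f"campaign: domains created {created}, first reported {c['first_seen']}, "
              f"{len(c['networks'])} networks, registrants {c['registrants']}")
```

With the sample data, 203.0.113.10 shows three distinct reporters inside four hours (the fourth report is isp-a again and is not double counted), both registrants show two same-day .science registrations, and the only campaign flagged is the 2015-01-05 batch spanning 198.51.100.0/24 and 203.0.113.0/24; oldshop.example, registered years earlier, is left alone. A registrar or host could run the same grouping over its own registration and abuse feeds.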


