While I always loved that show, like any teen geek growing up, I mean what teen age male would not like to build a perfect g/f, however today’s blog is about the abuse of .science domains. Like many of the new top level domains, the reason they are so attractive for spamming is that they are so cheap to buy, use once, and then throw away.
However, it also means hosting companies must be turning a blind eye to such obvious spammers, and when you see many different ranges all start spamming on the same day, it also makes you suspicious that it might all be part of the same group.
And now that the holidays are over, they are back hard at work at this.
184.108.40.206 9 tested.jiygxba.science 220.127.116.11 11 proof.kxaolpo.science 18.104.22.168 10 tandem.tianmian.science 22.214.171.124 10 traces.bozhongzhi.science 126.96.36.199 8 shawl.hongzhijian.science 188.8.131.52 11 brawny.hongzhi.science 184.108.40.206 7 tangerine.xingjiangjiu.science 220.127.116.11 7 spoon.bitmulti.science 18.104.22.168 75 material.basarabu.science 22.214.171.124 75 julian.plastico.science 126.96.36.199 76 distance.vwabu.science 188.8.131.52 4 origin.abutian.science 184.108.40.206 7 gratuity.zhiling.science 220.127.116.11 (M) 35 change.400aicom.science 18.104.22.168 (M) 3 header.as9521tk.science 22.214.171.124 (M) 2 jump.pybsmto.science 126.96.36.199 (M) 3 tears.vyat.science 188.8.131.52 (M) 2 lover.uwbuwhgj.science 184.108.40.206 (M) 2 minutes.hdjvg.science 220.127.116.11 (M) 2 friend.doxkt.science 18.104.22.168 (M) 2 confirm.777nacom.science 22.214.171.124 (M) 3 child.ctpdqjf.science 126.96.36.199 (M) 3 spring.iqnfekdo.science 188.8.131.52 (M) 27 hosting.ggsyi.science 184.108.40.206 (M) 28 swine.xqdfye.science 220.127.116.11 (M,RN) 24 scout.vkzonckt.science 18.104.22.168 (M) 28 police.yoywi.science 22.214.171.124 (M,RN) 27 prospect.700iicom.science 126.96.36.199 (M) 21 imagine.111kfccom.science
Now you would think this would raise alarm bells with the hosting provider, and the obvious throwaway domains should be something that the registrar is also looking at, however lets quickly look at who registered those domains.
Registrant Name: Boyles Sermons Registrant Name: Amina Korhonen
The first block is owned by one ‘person’ and the second two by another ‘person’, however interestingly enough, all registered on the same day.
Yet, they seem to be on IP(s) registered to different people. Unfortunately, ‘Rapid Switch’ does not appear to operate an ‘rwhois’ server for their range.. However, ServerYou upholds better best practices in this regard.
Customer: TanQiong (C03386035) 188.8.131.52/27 Customer: LangBang (C04453655) 184.108.40.206/26
Still, the behavior is exactly the same, so something is fishy.. Either it is several individuals colluding, or some of the registration information may not be correct. Just to give an idea how harmful this can be in just a few hours….
220.127.116.11 74 tested.jiygxba.science 18.104.22.168 72 proof.kxaolpo.science 22.214.171.124 74 tandem.tianmian.science 126.96.36.199 73 traces.bozhongzhi.science 188.8.131.52 74 shawl.hongzhijian.science 184.108.40.206 74 brawny.hongzhi.science 220.127.116.11 73 tangerine.xingjiangjiu.science 18.104.22.168 74 spoon.bitmulti.science 22.214.171.124 102 material.basarabu.science 126.96.36.199 100 julian.plastico.science 188.8.131.52 102 distance.vwabu.science 184.108.40.206 57 origin.abutian.science 220.127.116.11 60 gratuity.zhiling.science
The number in the second column is how many ISP’s and Telco’s reported this over the same few hour time span. That kind of volume should be detectable at the source as well, it would be interesting to know how these individuals get away with this, without the registrar or the hosting companies appearing to notice.