Trends in Networks: Spam #1

This is the first of a recurring series in which I'll review patterns in spam activity. I'll start with something easily overlooked but still surprisingly prevalent in the spam landscape.

Freenom TLDs (Top Level Domains)

Freenom is a service that provides free domain registrations under a specific list of TLDs. Providing free domains to those who lack the resources is a noble purpose, but domains registered through Freenom are notorious when it comes to spam: spammers love to save a buck, and the result is that Freenom domains are heavily abused.

Freenom domains are those ending in .tk, .ml, .ga, .cf, or .gq. For the free registrations, the WHOIS record does not include the registrant information; even the registration date is absent. This limits the data available to researchers and makes it harder to distinguish good actors from bad.

Networks Abused by Freenom TLD Spammers

You would think that, with the readily available information on how heavily abused Freenom TLDs are, this shouldn't even be a problem. Providers should be able to detect and prevent these five TLDs from abusing their networks with ease. The end, problem solved…

Date	Counts
Aug3-2020	x2	x4	x2	x3	x10
Aug4-2020	x10	x1	x3	x2	x2	x3	x1	x2	x1	x1	x15	x3	x4	x2	x2	x2	x3	x7	x4	x9
Aug5-2020	x3	x7	x1	x5	x3	x1	x2	x4	x3	x2	x1	x6	x4	x10	x6	x1	x14	x2
Aug6-2020	x7	x3	x5	x8	x13	x6	x7	x2
Aug7-2020	x2	x1
Aug9-2020	x1
Aug10-2020	x9
Aug11-2020	x1	x9	x55	x5	x1
Aug12-2020	x1	x2	x4	x6	x5	x5	x27	x4	x2	x4	x4	x6	x2	x11	x9	x13	x1	x12

The above activity is from the past week and a half (Aug 3 to Aug 12, 2020), and all of it is from one network: Digital Ocean. Believe me, this activity didn't suddenly pop up this week; it has been going on for years. When activity like this (snowshoe spam: many low-volume sources spread across many IPs and domains) is that ubiquitous on your network, for years, you'd think you should do something about it. This is literally five TLDs; it isn't some complex evasion technique continually evolving to bypass filters. Either Digital Ocean does not have the capability to detect and prevent this activity from leaving its network, or it is turning a blind eye; it would be insulting to even entertain the idea that their engineers could not solve this problem.

So what can we, the people this activity affects, the victims of cyber crime, do to stop it? At the very least, if you're not doing so already, filter Freenom domains arriving from this network into your spam folder (or ask your email provider to). You can also use effective RBLs that quickly detect and list these IPs before they deliver into your inbox. Feel free to use the data provided; I'll try to regularly provide lists of spammy IPs.
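One way to put that advice into practice, as an added example that is not code from the original post: a small Python classifier that flags mail whose sender domain is one of the five Freenom TLDs and which was handed to your MX from a listed network, plus the DNSBL query name you would resolve against an RBL. The address blocks (203.0.113.0/24, 198.51.100.0/24), the RBL zone (dnsbl.example) and the sample messages are constructed placeholders, not Digital Ocean's real ranges or any real RBL; fill in the provider's published ranges and the RBL you actually subscribe to.

```python
"""Flag Freenom-TLD mail that arrives from a suspect hosting network.

Added example; not code from the original post. All networks, the RBL zone
and the sample messages below are constructed for illustration only.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# The five TLDs Freenom hands out for free, per the post.
FREENOM_TLDS = {"tk", "ml", "ga", "cf", "gq"}

# Hypothetical address blocks (RFC 5737 documentation ranges) standing in for
# the hosting network's real ranges. Populate from the provider's published
# ranges or ASN data; these two are placeholders, not Digital Ocean's.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Placeholder DNSBL zone; replace with the zone of the RBL you use.
RBL_ZONE = "dnsbl.example"

# Matches the bracketed IPv4 literal Postfix/Sendmail write into Received:.
# Assumption: IPv4 only; extend the pattern if your MX sees IPv6 clients.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_tld(address):
    """Return the lowercase TLD of an e-mail address ('' if none).

    Handles display names, angle brackets and a trailing root dot; the
    empty bounce sender '<>' yields ''.
    """
    _, addr = parseaddr(address)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return domain.rpartition(".")[2] if "." in domain else ""


def is_freenom(address):
    return sender_tld(address) in FREENOM_TLDS


def sender_address(msg):
    """Prefer the envelope sender (Return-Path) over the cosmetic From:."""
    return msg.get("Return-Path") or msg.get("From", "")


def connecting_ip(msg):
    """Return the client IP from the topmost Received: header, or None.

    Only the topmost header was written by your own MX and can be trusted;
    every Received: line below it is under the sender's control.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP_RE.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def in_suspect_network(ip):
    return ip is not None and any(ip in net for net in SUSPECT_NETWORKS)


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the DNSBL lookup name: reversed octets under the RBL zone.

    An A record answer (conventionally 127.0.0.x) means the IP is listed.
    This only constructs the name; the DNS lookup is left to the caller so
    the example runs offline.
    """
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def classify(raw_message):
    """'spam' if Freenom sender AND suspect network, 'suspect' if one holds,
    'ok' otherwise. Requiring both is the post's own recommendation."""
    msg = message_from_string(raw_message)
    freenom = is_freenom(sender_address(msg))
    suspect_net = in_suspect_network(connecting_ip(msg))
    if freenom and suspect_net:
        return "spam"
    if freenom or suspect_net:
        return "suspect"
    return "ok"


# Constructed sample messages (not real captures).
SAMPLE_SPAM = """Received: from mail.cheap-offers.tk (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id ABC123
\tfor <victim@example.net>; Wed, 12 Aug 2020 10:00:00 +0000
Return-Path: <promo@cheap-offers.tk>
From: "Promo" <promo@cheap-offers.tk>
To: victim@example.net
Subject: You won

Hello
"""

SAMPLE_OK = """Received: from smtp.example.com (smtp.example.com [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id DEF456
\tfor <victim@example.net>; Wed, 12 Aug 2020 10:05:00 +0000
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: victim@example.net
Subject: Lunch

See you at noon
"""

SAMPLE_FREENOM_ELSEWHERE = SAMPLE_SPAM.replace("203.0.113.45", "192.0.2.77")

if __name__ == "__main__":
    for name, sample in (("spam", SAMPLE_SPAM), ("ok", SAMPLE_OK),
                         ("elsewhere", SAMPLE_FREENOM_ELSEWHERE)):
        print(name, classify(sample))
    print(rbl_query_name("203.0.113.45"))
```

Two design points worth keeping if you adapt this: match only on the topmost Received header, since that is the one your own MX wrote, and keep the network check as a second condition rather than rejecting Freenom mail outright, so legitimate free-domain users on other networks land in "suspect" for review instead of being dropped.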
