This is the first of a recurring series in which I review patterns in spam activity. I'll start with something easily overlooked but still surprisingly prevalent in the spam landscape.
Freenom TLDs (Top Level Domains)
Freenom is a service that provides free domain registrations in a specific list of TLDs. Giving free domains to people who lack the resources to buy one is a noble purpose, but domains registered through Freenom are notorious when it comes to spam: spammers love to save a buck, and the result is that Freenom domains are heavily abused.
Free Freenom registrations live in five country-code TLDs: .tk (Tokelau), .ml (Mali), .ga (Gabon), .cf (Central African Republic) and .gq (Equatorial Guinea). For these free registrations the WHOIS record carries no registrant information, and not even the registration date is present. That leaves researchers with very little to work with: you cannot tell a freshly registered throwaway from a long-lived legitimate domain, which makes it harder to distinguish good actors from bad ones.
Networks Abused by Freenom TLD Spammers
You would think that, with how readily available the information on Freenom TLD abuse is, this shouldn't even be a problem. Providers should be able to detect and prevent abuse of these five TLDs on their networks without much effort. The end, problem solved…
Observed sending hosts, per day: source IP, times seen (xN), sending hostname.

Aug 3, 2020
  139.59.210.137    x2   teranova.tk
  139.59.210.186    x4   teranova.cf
  139.59.210.73     x2   srv0.testpmta.tk
  164.90.225.247    x3   worldoo.tk
  167.172.37.58     x10  nj0.niihjuon.ga

Aug 4, 2020
  104.131.65.191    x10  cx0.74.swmianllc.ga
  139.59.213.35     x1   cx0.76.swmianllc.ga
  161.35.159.198    x3   cx0.87.swmianllc.ga
  161.35.159.247    x2   cx0.80.swmianllc.ga
  161.35.22.12      x2   srv0.mail2s.ml
  161.35.23.127     x3   teranova.cf
  161.35.66.227     x1   srv0.mail2s.ga
  164.90.201.114    x2   pf0.swmianllc.gq
  164.90.213.239    x1   srv0.mail2s.cf
  164.90.233.137    x1   srv0.mail2s.tk
  165.227.15.184    x15  cx0.81.swmianllc.ga
  165.227.33.93     x3   cx0.79.swmianllc.ga
  167.71.235.206    x4   cx0.77.swmianllc.ga
  188.166.167.190   x2   teranova.tk
  188.166.241.127   x2   cx0.75.swmianllc.ga
  46.101.221.241    x2   srv0.mail2s.gq
  46.101.241.231    x3   worldoo.tk
  64.227.12.147     x7   pf0.swmianllc.cf
  64.227.32.11      x4   cx0.73.swmianllc.ga
  67.205.179.76     x9   cx0.82.swmianllc.ga

Aug 5, 2020
  104.131.77.250    x3   xa0.02.msllownpl.cf
  128.199.86.130    x7   xa0.04.msllownpl.cf
  138.68.57.68      x1   xa0.07.msllownpl.cf
  138.68.68.170     x5   xa0.12.msllownpl.cf
  138.68.72.40      x3   teranova.cf
  138.68.79.43      x1   postal.xmailing.tk
  157.245.100.117   x2   xa0.10.msllownpl.cf
  157.245.100.126   x4   xa0.14.msllownpl.cf
  157.245.233.1     x3   xa0.21.msllownpl.cf
  161.35.80.81      x2   xa0.06.msllownpl.cf
  164.90.147.202    x1   xa0.16.msllownpl.cf
  164.90.225.31     x6   worldoo.tk
  164.90.225.51     x4   teranova.tk
  167.99.225.252    x10  xa0.11.msllownpl.cf
  188.166.233.72    x6   xa0.swmianllc.ga
  188.166.237.115   x1   xa0.23.msllownpl.cf
  46.101.97.155     x14  xa0.24.msllownpl.cf
  68.183.91.178     x2   xa0.09.msllownpl.cf

Aug 6, 2020
  138.68.72.40      x7   teranova.cf
  139.59.1.202      x3   sx0.msllownpl.ml
  139.59.29.61      x5   sx0.polgindos.ml
  164.90.208.233    x8   vvx0.polgindos.ga
  164.90.225.31     x13  worldoo.tk
  164.90.225.51     x6   teranova.tk
  164.90.229.29     x7   server.xmailing.ml
  206.189.22.241    x2   sx0.swmianllc.cf

Aug 7, 2020
  138.68.79.97      x2   server.mailpmta.ga
  68.183.53.27      x1   dxm0.210.laminopo.gq

Aug 9, 2020
  139.59.82.18      x1   mintest.tk

Aug 10, 2020
  161.35.207.179    x9   server.ggettools.ml

Aug 11, 2020
  134.209.146.66    x1   vq0.718.miditruni.ga
  161.35.74.106     x9   vq0.719.miditruni.ga
  164.90.194.226    x55  vq0.polgindos.ga
  165.227.50.167    x5   vq0.polgindos.gq
  198.199.89.98     x1   vq0.asadorewno.cf

Aug 12, 2020
  104.131.56.120    x1   pxw0.309.laminopo.cf
  128.199.172.191   x2   pxw0.318.laminopo.cf
  134.209.152.73    x4   pxw0.302.laminopo.cf
  134.209.158.145   x6   pxw0.312.laminopo.cf
  138.68.90.22      x5   pxw0.323.laminopo.cf
  139.59.44.155     x5   pxw0.miditruni.ml
  142.93.153.12     x27  pxw0.317.laminopo.cf
  157.245.190.180   x4   pxw0.316.laminopo.cf
  159.65.149.167    x2   pxw0.305.laminopo.cf
  159.89.233.102    x4   pxw0.319.laminopo.cf
  161.35.93.70      x4   pxw0.321.laminopo.cf
  164.90.159.57     x6   pxw0.308.laminopo.cf
  164.90.198.142    x2   pxw0.304.laminopo.cf
  164.90.198.240    x11  pxw0.307.laminopo.cf
  164.90.239.215    x9   pxw0.320.laminopo.cf
  165.22.43.43      x13  pxw0.313.laminopo.cf
  167.99.144.136    x1   pxw0.314.laminopo.cf
  64.227.97.4       x12  pxw0.306.laminopo.cf
The activity above is from the past week, and all of it comes from one network: Digital Ocean. Believe me, this did not suddenly pop up this week; it has been going on for years. It is textbook snowshoe spam: the sending is spread across dozens of IPs and sequentially numbered hostnames (cx0.NN.swmianllc.ga, xa0.NN.msllownpl.cf, pxw0.NNN.laminopo.cf) so that no single source sends enough to trip a volume threshold. When activity like this is that ubiquitous on your network, for years, you would think you should do something about it. This is literally five TLDs; it is not some complex evasion technique that keeps evolving to bypass filters. Either Digital Ocean lacks the capability to detect and stop this traffic from leaving its network, or it is turning a blind eye to it; it would be insulting to even entertain the idea that its engineers could not solve this problem.
So what can we, the people on the receiving end of this activity, do to stop it? At the very least, if you are not doing so already, filter mail from Freenom domains originating on this network into your spam folder, or ask your email provider to do so. Blocking all five TLDs outright is a blunt instrument, since it also catches the legitimate free registrations Freenom exists to provide, but a Freenom TLD combined with this source network is a strong signal. You can also use effective RBLs (DNS-based blocklists) that detect and list these IPs quickly enough to keep their mail out of your inbox. Feel free to use the data above; I will try to publish lists of spammy IPs regularly.
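To make the classification described in the Freenom TLD section and the filtering suggested above concrete, here is a small added example (not code from the original post). It parses observation records in the same "date IP xN hostname" shape as the list above, flags hostnames under the five Freenom TLDs, aggregates the counts per registered domain and per source IP, and builds a local IP blocklist plus a quarantine decision for an inbound connection. The sample records are constructed from the Digital Ocean observations above plus one benign control line; the function names, the record format and the rule that the last two labels form the registered domain are assumptions of this example, not something the post specifies. It checks against the observed IPs rather than against Digital Ocean's published address ranges, which are not included here.

```python
import ipaddress
import re
from collections import Counter

# The five ccTLDs in which Freenom offers free registrations, as listed in the post.
FREENOM_TLDS = frozenset({"tk", "ml", "ga", "cf", "gq"})

# Constructed sample: records copied from the post's Digital Ocean observations,
# plus one benign control line (documentation IP and domain) that must not be flagged.
SAMPLE_LOG = """\
Aug3-2020 139.59.210.137 x2 teranova.tk
Aug3-2020 167.172.37.58 x10 nj0.niihjuon.ga
Aug4-2020 165.227.15.184 x15 cx0.81.swmianllc.ga
Aug4-2020 104.131.65.191 x10 cx0.74.swmianllc.ga
Aug11-2020 164.90.194.226 x55 vq0.polgindos.ga
Aug12-2020 142.93.153.12 x27 pxw0.317.laminopo.cf
Aug12-2020 139.59.44.155 x5 pxw0.miditruni.ml
Aug10-2020 203.0.113.7 x3 mail.example.com
"""

# One record per line: date, source IP, "xN" times seen, sending hostname (assumed format).
LINE_RE = re.compile(r"^(?P<date>\S+)\s+(?P<ip>\S+)\s+x(?P<count>\d+)\s+(?P<host>\S+)$")


def tld_of(hostname):
    """Return the lowercase top-level label of a hostname, ignoring a trailing dot."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def is_freenom(hostname):
    """True if the hostname sits under one of the five Freenom free TLDs."""
    return tld_of(hostname) in FREENOM_TLDS


def registered_domain(hostname):
    """Collapse e.g. cx0.81.swmianllc.ga to swmianllc.ga.

    Assumption: these five ccTLDs have no second-level public suffixes, so the
    last two labels are the registered domain. Use a public-suffix list for others.
    """
    parts = hostname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def parse_log(text):
    """Parse observation lines into dicts; reject malformed lines loudly."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        records.append({
            "date": m["date"],
            "ip": ipaddress.ip_address(m["ip"]),  # validates the address
            "count": int(m["count"]),
            "host": m["host"],
        })
    return records


def summarize(records):
    """Total Freenom-hosted sending per registered domain and per source IP."""
    per_domain, per_ip = Counter(), Counter()
    for r in records:
        if not is_freenom(r["host"]):
            continue
        per_domain[registered_domain(r["host"])] += r["count"]
        per_ip[str(r["ip"])] += r["count"]
    return per_domain, per_ip


def build_blocklist(records):
    """IPs seen sending under Freenom hostnames, usable as a local RBL-style list."""
    return {str(r["ip"]) for r in records if is_freenom(r["host"])}


def should_quarantine(client_ip, helo_or_rdns, blocklist):
    """Inbound SMTP decision: a Freenom sending host or a listed IP goes to spam."""
    return is_freenom(helo_or_rdns) or client_ip in blocklist


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_domain, by_ip = summarize(recs)
    for domain, n in by_domain.most_common():
        print(f"{n:4d}  {domain}")
    print("blocklist:", sorted(build_blocklist(recs), key=ipaddress.ip_address))
```

The per-domain view is what exposes the snowshoe pattern: many hostnames and IPs with single-digit counts each roll up to a handful of registered domains. The `should_quarantine` check takes whichever hostname your MTA exposes (HELO or reverse DNS); pairing it with a list of source IPs keeps a legitimate .tk sender that is not on an abused network out of the spam folder.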