This is the beginning of a recurring article where I’ll be reviewing patterns in spam activity. I’ll start with something easily overlooked but surprisingly still prevalent in the spam landscape.
Freenom TLDs (Top Level Domains)
Freenom is a service that provides free domain registrations from a specific list of TLDs. While providing free domains to those who lack the resources is a noble purpose, domains registered through Freenom are notorious when it comes to spam. Spammers love to save a buck, unfortunately resulting in Freenom domains being heavily abused.
Freenom domains are domains that end in .tk, .ml, .ga, .cf, or .gq. When it comes to the free registrations, the WHOIS record for that domain will not include the registrant information. Furthermore, even the registration date for the domain is not present. This limits the data that researchers have, making it harder to distinguish between good and bad actors.
Networks Abused by Freenom TLD Spammers
You would think that with the readily available information on how heavily abused Freenom TLDs are, it shouldn’t even be a problem right? Providers should be able to easily detect and prevent these 5 TLDs from abusing their networks. The end, problem solved…
Aug3-2020 22.214.171.124 x2 teranova.tk 126.96.36.199 x4 teranova.cf 188.8.131.52 x2 srv0.testpmta.tk 184.108.40.206 x3 worldoo.tk 220.127.116.11 x10 nj0.niihjuon.ga Aug4-2020 18.104.22.168 x10 cx0.74.swmianllc.ga 22.214.171.124 x1 cx0.76.swmianllc.ga 126.96.36.199 x3 cx0.87.swmianllc.ga 188.8.131.52 x2 cx0.80.swmianllc.ga 184.108.40.206 x2 srv0.mail2s.ml 220.127.116.11 x3 teranova.cf 18.104.22.168 x1 srv0.mail2s.ga 22.214.171.124 x2 pf0.swmianllc.gq 126.96.36.199 x1 srv0.mail2s.cf 188.8.131.52 x1 srv0.mail2s.tk 184.108.40.206 x15 cx0.81.swmianllc.ga 220.127.116.11 x3 cx0.79.swmianllc.ga 18.104.22.168 x4 cx0.77.swmianllc.ga 22.214.171.124 x2 teranova.tk 126.96.36.199 x2 cx0.75.swmianllc.ga 188.8.131.52 x2 srv0.mail2s.gq 184.108.40.206 x3 worldoo.tk 220.127.116.11 x7 pf0.swmianllc.cf 18.104.22.168 x4 cx0.73.swmianllc.ga 22.214.171.124 x9 cx0.82.swmianllc.ga Aug5-2020 126.96.36.199 x3 xa0.02.msllownpl.cf 188.8.131.52 x7 xa0.04.msllownpl.cf 184.108.40.206 x1 xa0.07.msllownpl.cf 220.127.116.11 x5 xa0.12.msllownpl.cf 18.104.22.168 x3 teranova.cf 22.214.171.124 x1 postal.xmailing.tk 126.96.36.199 x2 xa0.10.msllownpl.cf 188.8.131.52 x4 xa0.14.msllownpl.cf 184.108.40.206 x3 xa0.21.msllownpl.cf 220.127.116.11 x2 xa0.06.msllownpl.cf 18.104.22.168 x1 xa0.16.msllownpl.cf 22.214.171.124 x6 worldoo.tk 126.96.36.199 x4 teranova.tk 188.8.131.52 x10 xa0.11.msllownpl.cf 184.108.40.206 x6 xa0.swmianllc.ga 220.127.116.11 x1 xa0.23.msllownpl.cf 18.104.22.168 x14 xa0.24.msllownpl.cf 22.214.171.124 x2 xa0.09.msllownpl.cf Aug6-2020 126.96.36.199 x7 teranova.cf 188.8.131.52 x3 sx0.msllownpl.ml 184.108.40.206 x5 sx0.polgindos.ml 220.127.116.11 x8 vvx0.polgindos.ga 18.104.22.168 x13 worldoo.tk 22.214.171.124 x6 teranova.tk 126.96.36.199 x7 server.xmailing.ml 188.8.131.52 x2 sx0.swmianllc.cf Aug7-2020 184.108.40.206 x2 server.mailpmta.ga 220.127.116.11 x1 dxm0.210.laminopo.gq Aug9-2020 18.104.22.168 x1 mintest.tk Aug10-2020 22.214.171.124 x9 server.ggettools.ml Aug11-2020 126.96.36.199 x1 vq0.718.miditruni.ga 188.8.131.52 x9 vq0.719.miditruni.ga 184.108.40.206 x55 vq0.polgindos.ga 220.127.116.11 x5 vq0.polgindos.gq 18.104.22.168 x1 vq0.asadorewno.cf Aug12-2020 22.214.171.124 x1 pxw0.309.laminopo.cf 126.96.36.199 x2 pxw0.318.laminopo.cf 188.8.131.52 x4 pxw0.302.laminopo.cf 184.108.40.206 x6 pxw0.312.laminopo.cf 220.127.116.11 x5 pxw0.323.laminopo.cf 18.104.22.168 x5 pxw0.miditruni.ml 22.214.171.124 x27 pxw0.317.laminopo.cf 126.96.36.199 x4 pxw0.316.laminopo.cf 188.8.131.52 x2 pxw0.305.laminopo.cf 184.108.40.206 x4 pxw0.319.laminopo.cf 220.127.116.11 x4 pxw0.321.laminopo.cf 18.104.22.168 x6 pxw0.308.laminopo.cf 22.214.171.124 x2 pxw0.304.laminopo.cf 126.96.36.199 x11 pxw0.307.laminopo.cf 188.8.131.52 x9 pxw0.320.laminopo.cf 184.108.40.206 x13 pxw0.313.laminopo.cf 220.127.116.11 x1 pxw0.314.laminopo.cf 18.104.22.168 x12 pxw0.306.laminopo.cf
The above activity is from the past week, and is all from one network: Digital Ocean. Believe us, this activity didn’t suddenly pop up this week, it’s been years. Now, when activity like this (snowshoe spam) is that ubiquitous on your network (for years), you’d think you should do something about it. I mean, this is literally 5 TLDs, it isn’t some complex evasion technique continually evolving and bypassing filters. Either Digital Ocean does not have the capability to detect and prevent this activity from leaving their network, or they’re turning a blind eye to it; it would be insulting to even entertain the idea that their engineers could not solve this problem.
So what can we, the people that this activity affects, the victims of cyber crime, do to stop this from happening? At the very least, if you’re not doing so already, filter (or recommend to your email provider) Freenom domains from this network into your spam folder. You can also utilize effective RBLs that quickly detect and list these IPs from delivering email into your inbox. Feel free to utilize the data provided, I’ll try to regularly provide lists of spammy IPs.