Fries, Waffles and Spam
Tue, Mar 27, 2012 by James Hoddinott
Think of Belgium and what comes to mind? Fries, waffles, beer? Maybe even the Manneken Pis. What you might not think of is spammy domain names.
A couple of weeks ago, the Internet pharmacy verification site LegitScript released a report detailing how the domain registrar Internet.bs was helping to support the rogue online pharmacy trade by allowing suspect organisations to register thousands of domains which are then used in spam attacks. Spamhaus further added to this report, commenting:
A lot of registrars still need to step up their game in dealing with abuse issues. The clock is ticking, because if the domain industry does not start playing their part in the global fight against cybercrime and regulates itself, it will be regulated by others.
Since March 20th, we have been tracking a noticeable increase in the number of new .be domains (the country code for Belgium) being used as the call-to-action domain in a variety of snowshoe spam attacks. This isn’t anything new, of course. We see spammers rapidly rotate through all manner of domains (URL shorteners, other country code top level domains, hacked websites) with this type of attack, but what makes this interesting is that they are all registered via…Internet.bs.
This is a sample screenshot from one of the domains (each one points to the same template site, with the domain substituted at numerous places throughout). If we take a look at the numbers from the past 30 days:
This shows that there has been a 40% increase in .be domains seen in spam in the past week, compared to the previous 3 weeks. If you then look at the date of registration for those domains, this activity stands out even more:
That is over 10 times more registrations in the past week, compared to the previous 3 weeks. There are many players needed in the fight against spam and, like Spamhaus, we would also urge the domain industry to take a tougher and more decisive stand against the registration of such rogue domains, and the entities that allow it to happen.
For completeness, it should be noted that Internet.bs also issued a press release in response to the LegitScript report.