-----Original Message-----
From: Jeff Chan [mailto:jeffc@surbl.org]
Sent: Thursday, April 21, 2005 7:46 PM
To: SURBL Discuss; SpamAssassin Users
Subject: Research wanted: age of spam gang URI domains
Does anyone have research or references for the age profiles of domains appearing in the URIs of spam gang (i.e. Ralsky, Lindsay, Richter, etc.) spams? In other words, how old are the domains of sites being spamvertised *by spam gangs*? (By age I mean how long ago they were (most recently) created.)
Jeff C.
Off the top of my noggin, I've seen the major guys be about 1-3 days from registering.
However......
I also saw a pattern of a few spammers using ones registered 3 months prior. This is when I began to theorise that there was possibly a spam domain service. Someone simply registering domain names full time, then selling them out to other spammers. I started researching the idea, then got busy on other stuff.
When things settle I'll try to pick back up on the research. Sorry I don't have any hard data for you.
--Chris
Even if data re average age of the domains, wouldn't they just start registering them earlier so as to not match that pattern?
John Delisle, CISA Senior Network Analyst, Network and Security Team Information Systems & Technology Management Dept. Ceridian Canada Ltd 600 - 125 Garry St Winnipeg, MB R3C 3P2 204-975-5909
On Friday, April 22, 2005, 7:27:17 AM, John Delisle wrote:
Even if data re average age of the domains, wouldn't they just start registering them earlier so as to not match that pattern?
Yeah that's always a possibility. But there seems to be some evidence that a lot of spam domains don't get registered for more than a year and that many are used shortly after they're registered. For example Outblaze looks at registrations fresher than 90 days old in their SURBL listings.
And if some spammers used older domains then we'd use other ways to find those, or not exclude them based on age of registration. In that sense it's a cat and mouse game, but nonetheless, many spam domains use recent registrations.
Jeff C. -- "If it appears in hams, then don't list it."
on Fri, Apr 22, 2005 at 09:05:57AM -0400, Chris Santerre wrote:
Off the top of my noggin, I've seen the major guys be about 1-3 days from registering.
However......
I also saw a pattern of a few spammers using ones registered 3 months prior. This is when I began to theorise that there was possibly a spam domain service. Someone simply registering domain names full time, then selling them out to other spammers. I started researching the idea, then got busy on other stuff.
When things settle I'll try to pick back up on the research. Sorry I don't have any hard data for you.
See:
http://www.merit.edu/mail.archives/nanog/2005-01/msg00225.html
for one particular spamgang (dunno who); seems to be entirely dedicated to sending out spam in multipart with one redirector link (ends in .html, with embedded hash URL) and one remove link (ends in .htm, otherwise the same hash URL). I'm sure if you did some research you could find out more about current SURBLized domains that point to the name servers listed in the post. The joe job finally stopped around the same week as the post, so maybe they got sick of giving us all that free information.
I've got some several hundred bounces, if you want to pore over them.
On Friday, April 22, 2005, 9:27:56 AM, Steven Champeon wrote:
See:
http://www.merit.edu/mail.archives/nanog/2005-01/msg00225.html
for one particular spamgang (dunno who); seems to be entirely dedicated to sending out spam in multipart with one redirector link (ends in .html, with embedded hash URL) and one remove link (ends in .htm, otherwise the same hash URL). I'm sure if you did some research you could find out more about current SURBLized domains that point to the name servers listed in the post.
Good point.
Thanks for your data too. That particular spammer appears to have used their domains within three weeks of registering them.
Jeff C. -- "If it appears in hams, then don't list it."
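An added example, not code from anyone in this thread: one way to build the age profile asked about, by measuring each URI domain's age at its first sighting in spam and bucketing it on the figures mentioned above (1-3 days, three weeks, 90 days, a year). Function names, the two-label domain guess and the sample data are assumptions made for the illustration; creation dates would come from WHOIS lookups done separately.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Upper bounds in days, taken from the figures quoted in the thread.
BUCKETS = [(3, "0-3 days"), (21, "4-21 days"), (90, "22-90 days"), (365, "91-365 days")]
URI_RE = re.compile(r"https?://[^\s<>]+", re.I)
# WHOIS creation-date layouts differ between registries; a few common ones.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%d-%b-%Y", "%Y-%m-%d")

def parse_created(text):
    """Parse a WHOIS creation-date string into an aware UTC datetime."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised creation date: {text!r}")

def registered_domain(uri):
    """Last two host labels. Assumption: real use needs a public-suffix list."""
    host = (urlsplit(uri).hostname or "").rstrip(".").lower()
    return ".".join(host.split(".")[-2:])

def bucket(age_days):
    for limit, label in BUCKETS:
        if age_days <= limit:
            return label
    return "over 1 year"

def age_profile(messages, created):
    """messages: (received_datetime, body) pairs; created: domain -> WHOIS date string.
    Age is taken at first sighting, so later reuse of a domain does not skew it."""
    first_seen = {}
    for received, body in messages:
        for uri in URI_RE.findall(body):
            dom = registered_domain(uri)
            if dom and (dom not in first_seen or received < first_seen[dom]):
                first_seen[dom] = received
    profile, unknown = Counter(), []
    for dom, seen in first_seen.items():
        if dom not in created:
            unknown.append(dom)  # no WHOIS data: report it, do not guess an age
            continue
        profile[bucket(max((seen - parse_created(created[dom])).days, 0))] += 1
    return profile, sorted(unknown)

# Constructed sample data: invented domains, dates and message bodies.
SAMPLE_CREATED = {"pills-example.com": "2005-04-20", "refi-example.net": "02-Feb-2005",
                  "old-example.org": "2001-06-01T00:00:00Z"}
SEEN = datetime(2005, 4, 22, 12, 0, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [(SEEN, "http://www.pills-example.com/a.html http://www.pills-example.com/a.htm"),
                   (SEEN, "http://refi-example.net/x http://cdn.old-example.org/i.gif http://nowhois-example.biz/")]
```

Calling `age_profile(SAMPLE_MESSAGES, SAMPLE_CREATED)` returns the bucket counts plus the domains with no creation date, which are kept out of the profile.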