So milling around in some spam while on another research project, I started noticing something strange… how so many seemingly unrelated domains appeared in the Reply To address of the same spam campaign. I began digging into the domains for multiple campaigns and I am currently monitoring the behavior and working on mapping the associations of the bad guys. Granted, there’s nothing glorious about discovering spammers or shutting them down, but uncovering a large enterprise of what appears to be individuals working together kind of intrigues me.
Anyway, while working on this, I found someone that sticks out like a sore thumb. Why, because they are “loud” and have a huge footprint. This individual has registered over 4,000 domains in 11 days. I’m sure he/she has reasons, but none that I’m currently interested in hearing. Not surprisingly, the actor is also associated with over 100K other active domains. I’m not sure what you plan to do about it, but in the mean time, I’m blocking these.
For the record, at this present moment I have only tied this actor to spam (in my resources) and malicious sites as indicated by other research sources, but I have not personally tied them to specific malware. If I do, I will update this blog with those details provided it doesn’t compromise any other OPSEC.
As a general rule, I’d recommend blocking non standard gTLDs and allowing your users to request an exception.
Here’s a link to the blacklist thanks T-byrd for hosting it. https://www.dropbox.com/s/31c2p85naba08wa/blacklist.txt?dl=0
Check back to that link for future updates.
That’s all for now, if this was helpful to you please let me know.
**UPDATE** 2016-03-29 (0446-UTC)
Additional investigation shows the registrant is a Chinese reseller (http://www.wuyumi.com/). I’ve personally linked many of the domains to spam, and others are blacklisted by Domain Tools and other resources. The seller’s page reveals the price they sell domains at is (2.9-3.5 Yuan, take the avg) less than 50 cents (3.27 Yuan = 0.50 USD) and pricing is also per month in many cases.
So let’s math a little here (assuming all his domains are “rented” for the next 12 months at the average rate)
x 50 cents/mo
x 12 month
Now I’m not sure what their cost is, but let’s assume they bought a .download domain from ALPNAMES for the advertised $0.60 for 1 year. They just rented it for .50 x 12 = $6.00 – .60 = profit of $5.40
ROI = 5.40/.60 = 9
9 x 100% = 900% return on investment of 60 cents for one domain.
So we have a low cost of entry to do [bad] business (both the folks buying & renting the domain), links to multiple spam campaigns, some with phishing elements, and links to other confirmed spam campaigns. I don’t care what they are re/selling them for, at that price, nothing good is going to come of it IMHO. So the list has been made available WITHOUT WARRANTY you may do with it what you wish.