A crackdown by the Chinese government on anonymous domain name registrations has chased spammers from Chinese registrars (.cn) to those that handle the registration of Russian (.ru) Web site names, new spam figures suggest. Yet, those spammy domains may soon migrate to yet another country, as Russia is set to enforce a policy similar to China’s beginning April 1.
In mid-December 2009, the China Internet Network Information Center (CNNIC) announced that it was instituting steps to make it much harder to register a Web site anonymously in China, by barring individuals from registering domains ending in .cn. Under the new policy, those who want to register a new .cn domain name need to hand in written application forms, complete with a business license and an identity card.
Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet. Nevertheless, the policy clearly caught the attention of the world’s most profligate spammers, who spam experts say could always count on Chinese registrars as a cheap and reliable place to buy domains for Web sites that would later be advertised in junk e-mail.
According to data obtained from two anti-spam experts, new registrations for sites advertised in spam began migrating from .cn to .ru just a few weeks after the Chinese domain policy took effect.
In early January 2010, and indeed in the months leading up to the new year, the percentage of domains advertised in spam registered in the .cn space dwarfed the number of .ru spam-related domains, according to figures gathered by the University of Alabama at Birmingham. But by mid-January, the number of .cn spam domains began to fall off dramatically, while the number of .ru spam domains increased markedly, UAB found (see graphic above).
Gary Warner, director of research in computer forensics at UAB Birmingham, said a sizable share of spam-related new domain registrations continue to come through the .com space — which is served by hundreds of domain name registrars. But he said the biggest bulk registrations for spam domains routinely came out of .cn, particularly those associated with rogue online pharmacies.
“The .com never had the volumes of abuse you’d see at one time in .cn, where you’d typically have one guy registering hundreds or thousands of spam domains every day,” Warner said.
There is a decent chance that the spammers will move to another country-code registrar soon. Beginning April 1, Russia’s Coordination Center for domain registration will require individuals and businesses applying for a .ru address to provide a copy of a passport or legal registration papers.
Warner said he’s looking forward to seeing a similar exodus from Russia in the weeks ahead.
“I’m excited about the prospects of seeing the [number of] .ru spam domains going down just like we saw with China,” he said.
I wanted to gut check these figures, so I asked Andy Fried, a computer forensics expert who formerly tracked spam and phishing domains at the Internal Revenue Service, and is now a researcher at the Internet Systems Consortium, a Redwood City, Calif., company whose open-source domain name system (DNS) software powers millions of Internet servers around the globe. Fried checked ISC’s spam traps a few days ago to see if they were showing the same trend.
Fried found that over a 24-hour period, ISC’s spam traps had identified more than 10,000 unique domain names being advertised in spam. More than 1,870 of those domains were tied to recently registered rogue pharmacies, and of those, 491 were registered in the .com space, while 18 were from .cn and 1,366 were at .ru Web sites.
“Originally, the vast majority of the pharmacy spam site registrations were coming out of China, and now they’re almost all coming out of Russia,” Fried said. “It’s a good bet they’re going to be moving from Russia to some other top-level domain soon.”