
Spammers Move To “Disposable Domains”

Spammers, like all primitive forms of life, continue to evolve in ways calculated to enhance their viability or survival potential. The most recently observed wrinkle they've come up with is using short-lived or "disposable" domain names. These are domains that they use for only a few hours before switching to the next one.

The spammers will buy dozens (or in some cases, hundreds) of domain names, get them set up, and then use them in a "round-robin" fashion, discarding them as they go. This new technique was discovered by M86 Security Labs, which looked at 60 days' worth of data from its customers and found that almost 75% of the domains used by spammers were active for a day or less.

This is a significant change from previous behavior, when large-scale spam operations would buy a few dozen domains, put them in operation (usually with a "bulletproof" host) and then use them for weeks or months at a time. In this case, though, the speed with which spammers can buy a set of domains and then move their operation from one to another presents significant new challenges for law enforcement organizations. It also ups the ante for spam-filtering techniques, since the source domain has always been a key identifier for spam detection.

Now the source domain information will be relatively useless in terms of the overall picture: a domain name that would be "caught" at 8:00am and listed the next day is now going to be old news. The new paradigm is that a domain caught at 8:00am will be defunct by 6:00pm or so, making it pointless to screen against.
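The timing argument above can be checked against a mail log. The following is an added example, not from the original post or from M86: it measures how long each sender domain stays active and what share of spam a domain blocklist would catch for a given listing delay. The sightings are constructed sample data, and the model (a domain is listed a fixed delay after its first sighting) is an assumption.

```python
from datetime import datetime, timedelta

def _t(day, hhmm):
    # Helper for building constructed timestamps in January 2024.
    return datetime.strptime(f"2024-01-{day:02d} {hhmm}", "%Y-%m-%d %H:%M")

# Constructed sample data: (time the spam was seen, sender domain).
# Three disposable domains used round-robin, one long-lived domain.
SIGHTINGS = [
    (_t(1, "08:00"), "a.example"), (_t(1, "11:00"), "a.example"),
    (_t(1, "17:30"), "a.example"),
    (_t(1, "18:00"), "b.example"), (_t(1, "21:00"), "b.example"),
    (_t(2, "03:00"), "b.example"),
    (_t(2, "04:00"), "c.example"), (_t(2, "09:00"), "c.example"),
    (_t(1, "08:00"), "old.example"), (_t(3, "08:00"), "old.example"),
    (_t(10, "08:00"), "old.example"), (_t(20, "08:00"), "old.example"),
]

def domain_windows(sightings):
    """Map each domain to its (first_seen, last_seen) timestamps."""
    windows = {}
    for ts, dom in sightings:
        first, last = windows.get(dom, (ts, ts))
        windows[dom] = (min(first, ts), max(last, ts))
    return windows

def short_lived_fraction(sightings, max_life=timedelta(days=1)):
    """Fraction of domains whose observed active window is <= max_life."""
    windows = domain_windows(sightings)
    short = sum(1 for first, last in windows.values() if last - first <= max_life)
    return short / len(windows)

def blocklist_hit_rate(sightings, listing_delay):
    """Fraction of messages that arrive after their domain has been listed.

    Assumed model: a domain is listed listing_delay after its first sighting.
    """
    windows = domain_windows(sightings)
    hits = sum(1 for ts, dom in sightings
               if ts >= windows[dom][0] + listing_delay)
    return hits / len(sightings)

if __name__ == "__main__":
    print("domains active a day or less:", short_lived_fraction(SIGHTINGS))
    for hours in (24, 1):
        rate = blocklist_hit_rate(SIGHTINGS, timedelta(hours=hours))
        print(f"hit rate with {hours}h listing delay: {rate:.2f}")
```

With next-day listing, only the long-lived domain's later messages are blocked; every message from the disposable domains arrives before its domain is listed.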

So, expect more spam to show up in your inbox and expect that tracking and prosecuting spammers will become more difficult in the future. When a workable technique is found and used by one spam organization, the others will quickly adopt the same methods in order to keep up.
