CNNIC changes have effect on spam tactics

Filed Under: SophosLabs, Spam

As was announced on Dec 11th, CNNIC (China Internet Network Information Center) now requires a "formal paper based application material when making the online application to the registrar."

The motivation behind this seems more related to cracking down on porn sites, but since .cn domains have been the call-to-action in 35-50% of all spam sent for well over a year, we wondered what effect this policy change might have on the prevalence of this TLD in spam. The graph below illustrates the percentage of spam messages sent each day that contain a .cn domain (the vast majority are Canadian Pharmacy type spam), as well as the percentage of pharmacy spam messages that contain a link to a free webhosting service (blue). I decided to measure .cn abuse against free webhosting abuse because the same Canadian Pharmacy spam that contained links to .cn domains for the past few months now contains links to a number of free webhosting services instead. The CNNIC changes started to be applied on December 14th.
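The daily measurement described above can be reproduced over a labelled spam corpus. This is an added example, not SophosLabs' code: the free-hosting suffixes, the category labels, the day strings and the sample messages are constructed placeholders, since the post does not name the services or publish its data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical free-hosting suffixes; the post does not name the services.
FREE_HOST_SUFFIXES = ("freehost-a.example", "freehost-b.example")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def link_hosts(body):
    """Return the normalised hostnames of all http(s) links in a message body."""
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body)}
    return {h.rstrip(".").lower() for h in hosts if h}

def has_suffix(host, suffix):
    """Label-aware match, so 'notcn' or 'xfreehost-a.example' do not count."""
    return host == suffix or host.endswith("." + suffix)

def daily_shares(messages):
    """messages: iterable of (day, category, body). Returns {day: (pct of all
    spam with a .cn link, pct of pharmacy spam with a free-hosting link)}."""
    counts = defaultdict(lambda: [0, 0, 0, 0])  # total, cn, pharmacy, pharmacy_free
    for day, category, body in messages:
        hosts = link_hosts(body)
        c = counts[day]
        c[0] += 1
        c[1] += any(has_suffix(h, "cn") for h in hosts)
        if category == "pharmacy":
            c[2] += 1
            c[3] += any(has_suffix(h, s) for h in hosts for s in FREE_HOST_SUFFIXES)
    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 0.0
    return {day: (pct(c[1], c[0]), pct(c[3], c[2])) for day, c in sorted(counts.items())}

# Constructed sample corpus (not real spam data); days are month-day strings.
SAMPLE = [
    ("12-13", "pharmacy", "Cheap meds http://pills1.cn/ order now"),
    ("12-13", "pharmacy", "Save 80% http://rx-shop.cn/index.html"),
    ("12-13", "other", "Replica watches http://watches.example.com/"),
    ("12-13", "other", "Visit http://cnn-news.example.org/?tld=.cn"),
    ("12-15", "pharmacy", "Cheap meds http://abc123.freehost-a.example/"),
    ("12-15", "pharmacy", "Save 80% http://xyz.freehost-b.example/p"),
    ("12-15", "pharmacy", "Old stock http://pills2.cn/"),
    ("12-15", "other", "Replica watches http://watches.example.com/"),
]

if __name__ == "__main__":
    print(daily_shares(SAMPLE))
```

Matching on the parsed hostname rather than on the raw message text keeps strings such as `?tld=.cn` in a query from inflating the .cn count.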

Three specific free webhosting services currently seem to be the favorites of these Canadian Pharmacy spammers, and their growth is illustrated below.

These spammers have not completely moved away from .cn abuse: this morning we started seeing an influx of .cn domains not previously sighted in spam. However, all of these domains were registered well before the new CNNIC requirements were implemented (most were registered for 2 years, back in 2008). For example:

[Images: example .cn whois records]

It will be interesting to monitor whether these new CNNIC requirements continue to push these spammers elsewhere, or whether this is just a minor hiccup while they find ways around the new registration hoops.

About the author

Brett is a Technical Lead in the AntiSpam Operations team within SophosLabs. He has been working for Sophos since their acquisition of ActiveState in 2003.