CNNIC changes have effect on spam tactics


As was announced on Dec 11th, CNNIC (China Internet Network Information Center) now requires a “formal paper based application material when making the online application to the registrar.”

The motivation behind this seems more related to cracking down on porn sites, but since .cn domains have been the call-to-action in 35-50% of all spam being sent for well over a year, we were wondering what effect this policy change may have on the prevalence of this TLD in spam. The graph below illustrates the percentage of spam messages sent each day that contain a .cn domain (the vast majority are Canadian Pharmacy type spam), as well as the percentage of pharmacy spam messages sent that contain a link to a free webhosting service (blue). I decided to measure the .cn abuse against free webhosting abuse because the same Canadian Pharmacy spam that contained links to .cn domains for the past few months now contains links to a number of free webhosting services instead. The CNNIC changes started to be applied on December 14th.

Three specific free webhosting services seem to currently be the favorite of these specific Canadian Pharmacy spammers, and their growth is illustrated below.
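The measurement described above can be reproduced over any dated spam sample. The following is an added example, not code from the original post: the free-hosting domains are hypothetical placeholders (the post does not name the services), the sample messages are constructed, and both percentages use the day's whole sample as the denominator.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical placeholders: the post does not name the three services.
FREE_HOSTS = {"freehost-a.example", "freehost-b.example", "freehost-c.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def link_hosts(body):
    """Lower-cased hostnames of every http(s) link in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            # Drop sentence punctuation that the regex swallowed with the URL.
            host = urlsplit(url.rstrip(".,;:!?)")).hostname
        except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host.rstrip("."))
    return hosts

def daily_shares(messages):
    """messages: iterable of (day, body). Returns per-day percentages."""
    totals, cn_hits, free_hits = defaultdict(int), defaultdict(int), defaultdict(int)
    per_service = defaultdict(lambda: defaultdict(int))
    for day, body in messages:
        hosts = link_hosts(body)
        totals[day] += 1
        # Match on the TLD label only, so cn.example.com is not counted.
        if any(h.endswith(".cn") for h in hosts):
            cn_hits[day] += 1
        services = {s for h in hosts for s in FREE_HOSTS
                    if h == s or h.endswith("." + s)}
        if services:
            free_hits[day] += 1
        for s in services:  # one count per message per service
            per_service[day][s] += 1
    return {d: {"cn_pct": 100.0 * cn_hits[d] / n,
                "free_pct": 100.0 * free_hits[d] / n,
                "by_service": dict(per_service[d])}
            for d, n in totals.items()}

# Constructed sample messages (not real spam data).
SAMPLE = [
    ("Dec 13", "Cheap meds http://pills.example.cn/order"),
    ("Dec 13", "Visit HTTP://Shop.Example.CN."),
    ("Dec 13", "Newsletter http://news.example.com/"),
    ("Dec 13", "no links here"),
    ("Dec 15", "Cheap meds http://rx123.freehost-a.example/index.html"),
    ("Dec 15", "Cheap meds (http://rx9.freehost-b.example/)"),
    ("Dec 15", "Old style http://pills.example.cn/order"),
    ("Dec 15", "http://cn.example.com/ is not a .cn domain"),
]
```
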

These spammers have not completely moved away from .cn abuse: this morning we started seeing an influx of .cn domains not previously sighted in spam. However, all of these domains were actually registered well before the new CNNIC requirements were implemented (most were registered for 2 years, back in 2008). For example:

example .cn whois

It will be interesting to monitor if these new CNNIC requirements continue to push these spammers elsewhere, or if this is just a minor hiccup while they find ways around the new registration hoops.