Analysts see uptick in Russia-registered spam domains

Efforts by Russia to tighten up domain name registrations may not be working

Researchers are seeing an uptick in the number of spam-related domains from Russian registrars, a sign that cybercriminals are choosing those providers due to lax enforcement.

An analysis of spam messages over the last month showed that more than a third of domain names connected with spam are ".ru" ccTLDs (country code Top Level Domains), according to e-mail security vendor M86.

Spam messages advertising products typically include a link to a website. Those websites are hosted on domain names that are sold to cybercriminals. Security companies and researchers have developed ways to quickly detect those domains and block them, but those efforts have still not been successfully in deterring spammers.

Spammers usually register their domains with registrars that are tolerant of the activity or are slow to shut the domains down. It was popular for spammer to buy Chinese ccTLDs, since due to language barriers, time differences and indifference on the part of officials, some Chinese registrars would be slow to shut down the domains.

That has been slowly changing, however, since China implemented a scheme earlier this year that requires those who want to purchase domain names to appear in person at a registrar and provide their photograph. Also, applicants must give a description of their website in addition to other information.

Russia took similar steps in April when it began requiring registrants to provide a copy of their passport or business papers. But it doesn't seems to have made a lot of impact yet.

"Russia continues to be very hard to work with," said Bradley Anstis, vice president of technical strategy for M86. "Even though registrars have some of those rules, there has been no enforcement."

M86 found that in the last month 4,000 new spam-related domains were registered through Naunet, a Russian registrar, and 1,800 through The latter has a feature that allows a person to automatically register up to 600 domains at once. Spammers need lots of fresh domains to keep sites online as the domains are blocked.

"What commercial organization would need to register 600 domains at once?" Anstis said.

Spamhaus, a group of computer security experts based in London that publishes a database used by security vendors to block unsolicited bulk e-mail, has also seen little improvement in the ".ru" domain space with the new rules.

"We haven't seen any changes that would suggest the new .ru 'system' has made any difference," said Richard Cox, the organization's CIO. "Naunet (mainly) and are certainly the most egregious of the Russian registrars."

One Russian registrar, the Regional Network Information Center ANO, acknowledged there have been difficulties in implementing the new system. About 60 percent of the domain names in ".ru" have been verified so far, said Sergey Gorbunov, senior public relations manager for international projects.

It is common knowledge that some Russian companies provide cheap domain name registration services and ignore complaints about those who are breaking the law, the main reason why they remain popular with spammers and search-engine optimization companies. Others accept copies of the documents sent over the Internet, Gorbunov said. Some registrars do not ask for the information, while the honest ones will suspend the domain name if the data is not provided.

"Of course people who register domains for spam or other illegal purposes provide incorrect personal data and passport copies so it's quite difficult to track them when needed," Gorbunov said.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitymalwarefraudM86

More about etworkM86

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place