Researchers are seeing an uptick in the number of spam-related domains from Russian registrars, a sign that cybercriminals are choosing those providers due to lax enforcement.
An analysis of spam messages over the last month showed that more than a third of domain names connected with spam are “.ru” ccTLDs (country code Top Level Domains), according to e-mail security vendor M86.
Spam messages advertising products typically include a link to a website. Those websites are hosted on domain names that are sold to cybercriminals. Security companies and researchers have developed ways to quickly detect those domains and block them, but those efforts have still not been successfully in deterring spammers.
Spammers usually register their domains with registrars that are tolerant of the activity or are slow to shut the domains down. It was popular for spammer to buy Chinese ccTLDs, since due to language barriers, time differences and indifference on the part of officials, some Chinese registrars would be slow to shut down the domains.
That has been slowly changing, however, since China implemented a scheme earlier this year that requires those who want to purchase domain names to appear in person at a registrar and provide their photograph. Also, applicants must give a description of their website in addition to other information.
Russia took similar steps in April when it began requiring registrants to provide a copy of their passport or business papers. But it doesn’t seems to have made a lot of impact yet.
“Russia continues to be very hard to work with,” said Bradley Anstis, vice president of technical strategy for M86. “Even though registrars have some of those rules, there has been no enforcement.”
M86 found that in the last month 4,000 new spam-related domains were registered through Naunet, a Russian registrar, and 1,800 through Reg.ru. The latter has a feature that allows a person to automatically register up to 600 domains at once. Spammers need lots of fresh domains to keep sites online as the domains are blocked.
“What commercial organization would need to register 600 domains at once?” Anstis said.
Spamhaus, a group of computer security experts based in London that publishes a database used by security vendors to block unsolicited bulk e-mail, has also seen little improvement in the “.ru” domain space with the new rules.
“We haven’t seen any changes that would suggest the new .ru ‘system’ has made any difference,” said Richard Cox, the organization’s CIO. “Naunet (mainly) and Reg.ru are certainly the most egregious of the Russian registrars.”
One Russian registrar, the Regional Network Information Center ANO, acknowledged there have been difficulties in implementing the new system. About 60 percent of the domain names in “.ru” have been verified so far, said Sergey Gorbunov, senior public relations manager for international projects.
It is common knowledge that some Russian companies provide cheap domain name registration services and ignore complaints about those who are breaking the law, the main reason why they remain popular with spammers and search-engine optimization companies. Others accept copies of the documents sent over the Internet, Gorbunov said. Some registrars do not ask for the information, while the honest ones will suspend the domain name if the data is not provided.
“Of course people who register domains for spam or other illegal purposes provide incorrect personal data and passport copies so it’s quite difficult to track them when needed,” Gorbunov said.