ICU.TLD - I See You Spammer

ICANN’s decision to cash in and allow an unlimited number of new gTLDs has provided us with several new TLDs used predominantly for criminal purposes by malicious actors. My inbound mail servers have been flooded with spam from thousands of .icu domains for the better part of 2019.

.icu spam domains

An inbound mail server showing spam delivered from .icu domains.

A quick rundown

Upon closer inspection of last month’s spam campaign, a repeating pattern quickly emerged:

  • Domain names are seemingly assembled from random words.
  • Every domain I checked was registered with Namecheap.
  • Every domain I checked was anonymized behind Cloudflare.
  • Turkish based hosting services were used to deliver e-mail spam.
  • Domain names were suspended after a month, give or take.
Postfix recieving spam from .icu domains

Postfix receiving spam from .icu domains by courtesy of a Turkish provider.

I was initially somewhat curious as to why Namecheap was used for domain registrations, but the answer was all in the name. At the time, Namecheap gave out .icu domains for approximately $1 and ended up with somewhere in the ballpark of 236,000 .icu domains.

Why do companies indulge in this practice?

Everybody is making money. You might be surprised to learn that criminals are allowed to own and operate large sections of the Internet. Unfortunately, they are kept in good standing as long as their revenue also makes it upstream.

ShortDot SA, Namecheap and the Turkish web hosting providers will act on abuse complaints, but that’s as far as it goes. After all, it’s not their responsibility to govern the internet right? In the end, it’s a game of whack a mole that allows the criminals to effortlessly rinse and repeat.

How to block spam from .icu domains

I’ve seen enough of this garbage and have started to reject delivery from any .icu domain, to mail servers under my administration. I’ve never come across a non-spam e-mail from a .icu domain, and besides, who would ever want a .icu domain for anything else than malicious activity.

.icu is owned by ShortDot SA

I’ll See You No More – Block .icu domain spam forever.

With postfix, you may add or edit /etc/postfix/reject_domains to identify .icu domains using a simple regular expression:

# /etc/postfix/reject_domains
/\.icu$/ REJECT We don’t talk to .icu domains
Proceed to edit the main Postfix configuration and append the regexp lookup to the smtpd_sender_restrictions policy:
# /etc/postfix/main.cf
smtpd_sender_restrictions = pcre:/etc/postfix/reject_domains
Reload Postfix and count it as a victory for the good guys.

Roger Comply avatar
Roger Comply
Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed.