ICU.TLD - I See You Spammer
ICANN’s decision to cash in and allow an unlimited number of new gTLDs has provided us with several new TLDs used predominantly for criminal purposes by malicious actors. My inbound mail servers have been flooded with spam from thousands of .icu domains for the better part of 2019.
A quick rundown
Upon closer inspection of last month’s spam campaign, a repeating pattern quickly emerged:
- Domain names are seemingly assembled from random words.
- Every domain I checked was registered with Namecheap.
- Every domain I checked was anonymized behind Cloudflare.
- Turkish-based hosting services were used to deliver e-mail spam.
- Domain names were suspended after a month, give or take.
I was initially somewhat curious as to why Namecheap was used for domain registrations, but the answer was all in the name. At the time, Namecheap gave out .icu domains for approximately $1 and ended up with somewhere in the ballpark of 236,000 .icu domains.
Why do companies indulge in this practice?
Everybody is making money. You might be surprised to learn that criminals are allowed to own and operate large sections of the Internet. Unfortunately, they are kept in good standing as long as their revenue also makes it upstream.
ShortDot SA, Namecheap and the Turkish web hosting providers will act on abuse complaints, but that’s as far as it goes. After all, it’s not their responsibility to govern the internet, right? In the end, it’s a game of whack-a-mole that allows the criminals to effortlessly rinse and repeat.
How to block spam from .icu domains
I’ve seen enough of this garbage and have started to reject delivery from any .icu domain to the mail servers under my administration. I’ve never come across a non-spam e-mail from a .icu domain, and besides, who would ever want a .icu domain for anything other than malicious activity?
With Postfix, you may add or edit /etc/postfix/reject_domains to identify .icu domains using a simple regular expression:

    # /etc/postfix/reject_domains
    /\.icu$/ REJECT We don’t talk to .icu domains

Proceed to edit the main Postfix configuration and append the regexp lookup to the sender restrictions:

    # /etc/postfix/main.cf
    # A bare type:table entry here is shorthand for check_sender_access type:table
    smtpd_sender_restrictions = pcre:/etc/postfix/reject_domains

Reload Postfix and count it as a victory for the good guys.
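To see what that map does with a given sender before putting it in front of live mail, here is an added Python emulation (not part of the original post, and not Postfix’s own code) of the check_sender_access lookup order applied to the pcre table, run over a few constructed sender addresses. It assumes Postfix’s default case-insensitive pcre matching and the simplified key order noted in the comments.

```python
import re

# Constructed copy of the map from the post (not the author's actual file).
REJECT_DOMAINS_MAP = r"""
# /etc/postfix/reject_domains
/\.icu$/ REJECT We don't talk to .icu domains
"""

def parse_pcre_map(text):
    """Parse '/pattern/ ACTION [text]' lines into (regex, action, text) tuples.
    Postfix pcre: tables match case-insensitively by default, so IGNORECASE is
    applied; per-pattern flags after the closing slash are not emulated (assumption)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.+?)/\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError(f"unparseable map line: {line!r}")
        pattern, action, msg = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), msg or ""))
    return rules

def sender_lookup_keys(address):
    """Keys check_sender_access tries, in order: the full address, the domain
    and each parent domain, then localpart@ (simplified from access(5))."""
    localpart, _, domain = address.rpartition("@")
    keys = [address]
    labels = domain.split(".")
    for i in range(len(labels)):
        keys.append(".".join(labels[i:]))
    keys.append(localpart + "@")
    return keys

def check_sender(address, rules=None):
    """Return (action, text) for the first key that matches, or ('DUNNO', '')."""
    rules = parse_pcre_map(REJECT_DOMAINS_MAP) if rules is None else rules
    for key in sender_lookup_keys(address):
        for regex, action, msg in rules:
            if regex.search(key):
                return action, msg
    return "DUNNO", ""

if __name__ == "__main__":
    # Constructed senders: random-word .icu domains, a look-alike, and a legitimate one.
    for sender in ("newsletter@blue-tree-house.icu", "Carol@Shop.ICU",
                   "bob@icu.example.org", "alice@example.com"):
        print(f"{sender:32} -> {check_sender(sender)}")
```

Note that the trailing `$` anchor is what keeps a domain like icu.example.org from being caught; dropping it would reject far more than the post intends.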