The service providers behind the .best and .icu domain spam campaigns
This weekend I decided to extract the IP addresses belonging to hosts used in the ongoing .best and .icu spam campaigns. I’ve only got three weeks of logs to work with so the data set is small, but it still paints a somewhat interesting picture.
As it turns out, 83% of the offending IP addresses belong to an Autonomous System (AS) maintained by the Turkish network operator and hosting provider Fiber Server İnternet Teknolojileri.
Fiber Server along with a few other Turkish hosting providers on the same ASN (AS203377) are seemingly the main sources of the .best and .icu domain spam.
The rest of the spam originates predominantly from IP addresses owned by American companies Hostwinds (11%) and PowerUp Hosting (5%). Completing the American connection is Namecheap, being the registrar of choice.
.best domain spam stats
- 9119 spam delivery attempts from .best domains
- 263 unique IP's in rotation
- 741 unique .best domains deployed
.icu domain spam stats
- 6799 spam delivery attempts from .icu domains
- 362 unique IP's in rotation
- 572 unique .icu domains deployed
Considering the volume of spam coming from AS203377, it might be preferable to reject every IP originating from this ASN. RADb will provide us with a complete list of IP blocks if we ask politely:
whois -h whois.radb.net '!gas203377'
The data I've collected is made available on GitHub. It includes both IP addresses and domain names.