Earlier this week I discovered an interesting Outlook.com phishing mail that had been caught by the anti-spam measures we deploy for our e-mail customers. Well, to be fair, the phishing attack itself was not anything new or sophisticated, but the choice of hosting provider was rather interesting.
After noticing that the majority of the .ICU spam campaigns were drying up, I headed over to Namecheap to find out which gTLD was the next likely target for abuse. Well, what do you know, Namecheap was throwing out .XYZ domains for 1$ a pop.
This weekend I decided to extract the IP addresses belonging to hosts used in the ongoing .best and .icu spam campaigns. I’ve only got three weeks of logs to work with so the data set is small, but it still paints a somewhat interesting picture.
I’ve made the decision to go ahead and block another one of those pesky new gTLDs that are seemingly exclusively used by malicious actors. Email delivery from .best domains will no longer get past any spam filter under my control.
Over the last several months, I’ve seen a steady flow of spam emails containing only a single line of text encouraging recipients to visit a blogspot.com address. Should the recipient choose to follow the link, they would soon find themselves on a cryptocurrency scam site with amazing propositions.
ICANN’s decision to cash in and allow an unlimited number of new gTLDs has provided us with several new TLDs used predominantly for criminal purposes by malicious actors. My inbound mail servers have been flooded with spam from thousands of .icu domains for the better part of 2019.
Like everyone else with an email address, I’ve been receiving these bitcoin extortion messages for months. I’ve also observed with ever greater dissatisfaction as scammers raked in tens of bitcoins within a week. What especially annoys me is not so much that people are falling for this scam, but that email service providers are simply looking the other way.
Lately I’ve noticed a steady increase in the amount of referrer spam I’m getting, so I decided to see if there was a simple way to trap and ban these bots. The typical approach is usually to maintain a blacklist of domain names and deny them using mod_rewrite rules. The downside to this approach is the amount of time and effort that goes into maintaining your blacklist.
Referrers from a domain called anonymizeme.pro have been filling up my logs lately. I initially believed it was visitors using an anonymizing service, but alas, it’s yet another referrer scam.