.ICU TLD - I See You Spammer

ICANN’s decision to cash in and allow an unlimited number of new gTLDs has given us several new TLDs used predominantly by malicious actors. My inbound mail servers have been flooded with spam from thousands of .icu domains for the better part of 2019.

Email service providers should kill off the bitcoin extortion scam

Like everyone else with an email address, I’ve been receiving these bitcoin extortion messages for months. I’ve also observed with ever greater dissatisfaction as scammers raked in tens of bitcoins within a week. What especially annoys me is not so much that people are falling for this scam, but that email service providers are simply looking the other way.

Malicious bots sending siteru as the HTTP referer

I’ve received a few hundred requests originating from bots setting as their referrer. These attacks are scanning for compromised WordPress installations and PHP-based shells and backdoors. The attacking IPs belong to compromised hosts and websites at hosting providers around the world.

The art of blocking referrer spam

Lately I’ve noticed a steady increase in the amount of referrer spam I’m getting, so I decided to see if there was a simple way to trap and ban these bots. The typical approach is to maintain a blacklist of domain names and deny them using mod_rewrite rules. The downside to this approach is the time and effort that goes into maintaining your blacklist.
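The two log-based checks the posts above describe, the referrer-domain blacklist from this post and the PHP shell probes from the post on malicious bots, both start from the same place: parsing the web server access log. The following Python is an added example, not code from the original blog. It parses Apache combined-format log lines, flags requests whose Referer host is on a hand-maintained blacklist (including subdomains) and requests for PHP files under the WordPress uploads directory, and also emits the equivalent mod_rewrite blacklist so the two approaches can be compared. The log lines, IP addresses, domain names and the blacklist contents are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not from the original page).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "http://www.example-referrer-spam.test/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2019:10:01:03 +0000] "GET /about HTTP/1.1" 200 2048 "http://sub.example-referrer-spam.test/page" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2019:10:02:10 +0000] "GET /wp-content/uploads/2019/03/shell.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
198.51.100.23 - - [12/Mar/2019:10:02:11 +0000] "POST /wp-content/uploads/2018/x.php HTTP/1.1" 404 512 "-" "python-requests/2.21"
192.0.2.44 - - [12/Mar/2019:10:03:00 +0000] "GET /blog/post HTTP/1.1" 200 8192 "https://www.google.com/" "Mozilla/5.0"
192.0.2.45 - - [12/Mar/2019:10:03:05 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Hand-maintained blacklist of referrer-spam domains (hypothetical names). This is the
# maintenance burden the post describes: every new spam domain must be added by hand.
REFERRER_BLACKLIST = {"example-referrer-spam.test", "another-spammer.test"}

# A PHP file under the uploads directory is never a legitimate WordPress request;
# requests for one are a common probe for uploaded shells and backdoors.
SHELL_PATH_RE = re.compile(r"^/wp-content/uploads/.*\.php", re.IGNORECASE)

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Bare lowercase hostname of a Referer value, without 'www.' or port; '' for '-' or empty."""
    if not referer or referer == "-":
        return ""
    if "://" not in referer:
        referer = "http://" + referer
    host = (urlsplit(referer).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def host_is_blacklisted(host, blacklist=REFERRER_BLACKLIST):
    """True if host equals a blacklisted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in blacklist)


def parse_log(text):
    """Yield one dict per parseable combined-format line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def classify(entry):
    """Return a ban reason for one parsed request, or None if it looks legitimate."""
    if host_is_blacklisted(referer_host(entry["referer"])):
        return "referrer-spam"
    if SHELL_PATH_RE.match(entry["path"]):
        return "php-shell-probe"
    return None


def offenders(text):
    """Map each offending client IP to the set of reasons observed for it."""
    result = defaultdict(set)
    for entry in parse_log(text):
        reason = classify(entry)
        if reason:
            result[entry["ip"]].add(reason)
    return dict(result)


def rewrite_rules(blacklist=REFERRER_BLACKLIST):
    """Emit the equivalent Apache mod_rewrite blacklist (the 'typical approach' in the post)."""
    lines = ["RewriteEngine On"]
    domains = sorted(blacklist)
    for i, domain in enumerate(domains):
        pattern = domain.replace(".", r"\.")
        last = i == len(domains) - 1
        lines.append(f"RewriteCond %{{HTTP_REFERER}} ^https?://([^/]+\\.)?{pattern} [NC{'' if last else ',OR'}]")
    lines.append("RewriteRule .* - [F,L]")  # 403 anything that matched a blacklisted referrer
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, reasons in sorted(offenders(SAMPLE_LOG).items()):
        print(f"ban {ip}: {', '.join(sorted(reasons))}")
    print(rewrite_rules())
```

Two caveats worth keeping in mind. The Referer header is entirely under the client's control, so a blacklist only ever catches the names you already know about, which is exactly the maintenance problem the post raises; the shell-probe check, by contrast, keys on a request that no legitimate visitor makes and needs no per-attacker updating. Second, the IPs this produces are compromised hosts, not the attacker's own machines, so bans should expire rather than accumulate forever.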

The scam

Referrers from a domain called have been filling up my logs lately. I initially believed it was visitors using an anonymizing service, but alas, it’s yet another referrer scam.