Spammers are increasing the use of Russian domain registrars for their various spam campaigns with up to 600 domains registered at once.
M86 Security has detected a continuous stream of newly registered .ru domains in spam email, to the point where one third of all unique domains are .ru domains. Almost all of the .ru domains are registered through two registrars, Naunet and Reg.ru (also known as NAUNET-REG-RIPN and REGRU-REG-RIPN), with spammers generally advertising each domain for only a couple of hours and registering new ones all the time.
M86 said that in the last month, from spam alone, it has seen over 4,000 .ru domains registered through Naunet. These are hosting a variety of spam websites including ultimate replica, Dr Maxman, online casinos, via grow and Eurosoft software.
Although the spammed websites are generally non-malicious, in that they do not try to exploit vulnerabilities on the visitor's machine, M86 said that it has seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. Naunet was also recently used to register domains used as control servers for the Asprox botnet, although these were on a much smaller scale than the spam domains.
Several anti-spam groups have already pointed out these registrars as the source of Russian spam domains and that these registrars often ignore requests to suspend illegal domains.
Talking to SC Magazine, Bradley Anstis, VP technical strategy at M86 Security, said that in the past spammers used Russian registrars, and then the authorities started making noises about tidying things up, so domains were moved to China, which also began tidying things up with rules about the limits on domains that can be registered.
He said: “So over a period of time it has all gone back to Russia again, the regulators in Russia are saying 'we have these rules' but they are not enforcing them. We can see a domain registrar where you register 600 domains at once. Why would any commercial organisation want to register 600 domains at once?
“In the last two weeks we have seen about 6,000 domains registered by two registrars, and these two domain registrars seem to be the problem. It is back to the old days of trying to chase the registrars and trying to get the regulators to start enforcing their own policy.”