Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet

  • From: william(at)elan.net
  • Date: Mon Jan 10 22:34:38 2005


On Tue, 11 Jan 2005, Suresh Ramasubramanian wrote:

> and it is being abused - well, nanog found out about this a while
> back, but the popular press (read - eweek magazine) seems to have
> discovered it now, or at least think they've discovered it .. their
> idea of the situation is a bit skewed.
> ...
> http://www.eweek.com/article2/0,1759,1749328,00.asp
"One troublesome technique finding favor with spammers involves sending 
 mass mailings in the middle of the night from a domain that has not yet 
 been registered. After the mailings go out, the spammer registers the 
 domain early the next morning."

Well, spammers do sometimes register domains after mass mailing has 
already started. It's partially a result of spammer enterprises 
no longer being centralized, so the one company that actually hosts the 
websites that are being promoted is not necessarily the same company that 
is doing the mass mailing. Sometimes the order-taker spammer tells the 
mass-mailing spammer the new domain to use for the spam campaign before the 
domain is even registered - and while they expect to register it at the time 
the mailing gets started, their synchronization may not be precise, and in 
any case they actually prefer the first few people who receive such emails 
to not be able to get to the website (no whois and no dns - no chance to 
report it to hosting and quickly shut it down).

But as the article specifically mentions sending during the night and
registration the next morning, that does seem to indicate eweek found out
about "no whois" but with an already registered domain, i.e. see

> http://www.mail-archive.com/nanog@merit.edu/msg28312.html
> 
> > Read NANOG archives - Verisign now allows immediate (well, within about 10
> > minutes) updates of .com/.net zones (also same for .biz) while whois data is
> > still updated once or twice a day. That means if a spammer registers a new domain
> > he'll be able to use it immediately and it'll not yet show up in whois (and so
> > not be immediately identifiable to spam reporting tools) - and spammers are in
> > fact using this "feature" more and more!

-- 
William Leibzon
Elan Networks
william@elan.net
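
The gap described in this message (zone updated within minutes, whois once or twice a day) can be checked for on the receiving side. The following is an added example, not part of the original post: it classifies domains advertised in a message body by comparing zone delegation with whois. The label names, the two-day age threshold, the whois reply format and the .test domains are all assumptions constructed for illustration, and the lookups are passed in as dicts rather than done live.

```python
import re
from datetime import datetime, timedelta, timezone

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
NO_MATCH = re.compile(r"^\s*No match for\b", re.I | re.M)
CREATED = re.compile(r"^\s*Creation Date:\s*(\d{4}-\d{2}-\d{2})", re.I | re.M)

def registered_domains(body):
    """Hosts from URLs in a message body, cut to the last two labels
    (a simplification; a real filter would use the Public Suffix List)."""
    hosts = (h.lower().strip(".") for h in URL_HOST.findall(body))
    return sorted({".".join(h.split(".")[-2:]) for h in hosts if "." in h})

def classify(delegated, whois_text, now, min_age=timedelta(days=2)):
    """delegated: the TLD zone already serves NS records for the domain.
    whois_text: the whois reply, or None if nothing came back."""
    has_record = bool(whois_text) and not NO_MATCH.search(whois_text)
    if not has_record:
        # In the zone but absent from whois is the window from the post.
        return "whois-lag" if delegated else "unregistered"
    m = CREATED.search(whois_text)
    if m:
        created = datetime.strptime(m.group(1), "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if now - created < min_age:
            return "newly-registered"
    return "established" if delegated else "registered-no-dns"

def score_message(body, zone, whois, now):
    """zone and whois are dicts standing in for live NS and whois lookups."""
    return {d: classify(zone.get(d, False), whois.get(d), now)
            for d in registered_domains(body)}

# Constructed sample data (reserved .test names), not real observations.
NOW = datetime(2005, 1, 11, 6, 0, tzinfo=timezone.utc)
BODY = ("Order at http://www.lag-window.test/offer or http://not-yet.test/ "
        "see also http://old-shop.test/x and http://Day-Old.test")
ZONE = {"lag-window.test": True, "old-shop.test": True, "day-old.test": True}
WHOIS = {
    "lag-window.test": 'No match for "LAG-WINDOW.TEST".',
    "old-shop.test": "Domain Name: OLD-SHOP.TEST\nCreation Date: 2001-03-04\n",
    "day-old.test": "Domain Name: DAY-OLD.TEST\nCreation Date: 2005-01-10\n",
}

if __name__ == "__main__":
    for domain, verdict in score_message(BODY, ZONE, WHOIS, NOW).items():
        print(f"{domain:18} {verdict}")
```

A filter would treat "whois-lag", "unregistered" and "newly-registered" as scoring signals and re-check the domain after the next whois update rather than as a verdict on their own.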




