[eweek article] Window of "anonymity" when domain exists, whois not updated yet

william(at)elan.net william at elan.net
Tue Jan 11 03:35:33 UTC 2005



On Tue, 11 Jan 2005, Suresh Ramasubramanian wrote:

> and it is being abused - well, nanog found out about this a while
> back, but the popular press (read - eweek magazine) seems to have
> discovered it now, or at least think they've discovered it .. their
> idea of the situation is a bit skewed.
> ...
> http://www.eweek.com/article2/0,1759,1749328,00.asp
"One troublesome technique finding favor with spammers involves sending 
 mass mailings in the middle of the night from a domain that has not yet 
 been registered. After the mailings go out, the spammer registers the 
 domain early the next morning."

Well, spammers do sometimes register domains after mass mailing has 
already started. Its partial result of that spammer enterprises are 
no longer centralized and so one company that actually hosts websites 
that are being promoted is not necessarily same company that is doing 
mass mailing. Sometimes the order-taker spammer tells the mass-mailing 
spammer new domain to use for the spam compaign before domain is even 
registered - and while they expect to register it at the time mailing
gets started their synronization may not be precize and in any case
they actually prefer the first few people who receive such emails to not 
be able to get to the website (no whois and no dns - no chance to report 
it to hosting and quickly shut it down).

But as article specifically mentions sending during the night and
registration next morning that does seem to indicate eweek found out
about "no whois" but with already registered domain, i.e. see

> http://www.mail-archive.com/[email protected]/msg28312.html
> 
> > Read NANOG archives - Verisign now allows immediate (well, within about 10
> > minutes) updates of .com/.net zones (also same for .biz) while whois data is
> > still updated once or twice a day. That means if spammer registers new domain
> > he'll be able to use it immediatly and it'll not yet show up in whois (and so
> > not be immediatly identifiable to spam reporting tools) - and spammers are in
> > fact using this "feature" more and more!

-- 
William Leibzon
Elan Networks
william at elan.net




More information about the NANOG mailing list