More Spammer Domains
Looking For Patterns
Spammers don’t use established domains, not often anyway. There will be the occasional registration from gmail or yahoo that comes through but for the most part they seem to be more interested in getting their own new domains, spamming the heck out of everybody, and moving on. I noticed some trends after reviewing the log from my Checkbox Challenge MOD that I thought would be interesting to share.
Domain List
All of the following domains were used to attempt to register on my biggest phpBB board. Each of these domains was used in at least 30 failed registration attempts. I have extended the raw data by getting the “whois” data for creation dates and name servers. Let me let you look at it and soak it in before I draw any conclusions for you.
Domain | WHOIS Create Date | Name Servers
illusioncorpmail.com | 4/6/2007 | estboxes.com
goglemailoffice.com | 4/6/2007 | estboxes.com
junkmailsite.com | 4/21/2007 | estboxes.com
securefreemail.com | 4/21/2007 | estboxes.com
freemailid.com | 4/21/2007 | estboxes.com
bestmailguide.com | 4/21/2007 | estboxes.com
greatmailworld.com | 4/21/2007 | estboxes.com
homeinternetonline.com | 5/11/2007 | hqhost.net
wirelessinternetlab.com | 5/11/2007 | hqhost.net
socialsecurityinc.com | 5/11/2007 | hqhost.net
airsecurityonline.com | 5/11/2007 | hqhost.net
homeinternetsystems.com | 5/11/2007 | hqhost.net
greatroy.com | 5/25/2007 | thefreemail.com
mileupper.com | 5/25/2007 | thefreemail.com
canadianhomeschool.com | 5/25/2007 | thefreemail.com
playlistsite.com | 5/25/2007 | thefreemail.com
kenwoodfunky.com | 5/26/2007 | thefreemail.com
jayblogspot.com | 6/6/2007 | 779host.net
charitybeginsonline.com | 6/6/2007 | 779host.net
asiahomesite.com | 6/6/2007 | 779host.net
frontpagemanager.com | 6/6/2007 | 779host.net
bradsportspage.com | 6/6/2007 | 779host.net
theburtonblog.com | 6/6/2007 | 779host.net
scriptsmysql.com | 8/14/2007 | thefreemail.com
First, notice that even the oldest domains on this list are still very new. One of the additions I plan to add to the Checkbox Challenge is a domain creation date test; any domain less than “x” days old (where “x” is configurable via the admin control panel or ACP) will be rejected even if they pass the Checkbox Challenge.
Second, look at the name servers. The pattern is quite obvious. The name servers may be run by the spammers too. I suspect not, as it seems they use (abuse) one for a while and then move on.
Third, and not shown, every single one of these domains is protected by Privacyprotect.org. I use it myself. What it does is prevent any identifying information from being displayed. A whois record looks like this:
Domain Name: GREATMAILWORLD.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 65
All Postal Mails Rejected, visit Privacyprotect.org
Monster
null,2680 AB
NL
Tel. +45.36946676
Creation Date: 21-Apr-2007
Expiration Date: 21-Apr-2008
Domain servers in listed order:
managedns4.estboxes.com
managedns3.estboxes.com
managedns2.estboxes.com
managedns1.estboxes.com
So what does any of this mean?
Spammer registration bots look for patterns. Once they see a pattern, they can take action. I can look for patterns and take actions too. Adding a “whois” check to Checkbox Challenge is nearly completed, and I hope to be able to start reporting additional statistics based on those results within the next few weeks. Or months. You know, when it’s done.
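The two signals discussed above (domain age and shared name servers) can be read straight out of a WHOIS record in the layout shown. The following is an added example, not code from the Checkbox Challenge MOD; the function names, the 30-day default for "x", and the `flagged_ns` set are assumptions made for illustration.

```python
import re
from datetime import date, datetime

# WHOIS record from the post, cut down to the fields the check reads.
SAMPLE_WHOIS = """\
Domain Name: GREATMAILWORLD.COM
Registrant:
PrivacyProtect.org
Creation Date: 21-Apr-2007
Expiration Date: 21-Apr-2008
Domain servers in listed order:
managedns4.estboxes.com
managedns3.estboxes.com
"""

HOST = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

def parse_whois(text):
    """Return (domain, creation date, name-server domains) for a record in this layout."""
    domain = created = None
    servers, in_servers = set(), False
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition(":")
        if key == "Domain Name":
            domain = value.strip().lower()
        elif key == "Creation Date":
            created = datetime.strptime(value.strip(), "%d-%b-%Y").date()
        elif key == "Domain servers in listed order":
            in_servers = True
        elif in_servers and HOST.fullmatch(line):
            # Keep the last two labels (managedns4.estboxes.com -> estboxes.com);
            # good enough for .com/.net, wrong for suffixes such as .co.uk.
            servers.add(".".join(line.lower().split(".")[-2:]))
        elif line:
            in_servers = False  # any other non-blank line ends the server list
    return domain, created, servers

def registration_verdict(whois_text, signup_day, min_age_days=30, flagged_ns=frozenset()):
    """min_age_days is the post's "x"; flagged_ns is a hypothetical admin-kept set."""
    domain, created, servers = parse_whois(whois_text)
    if created is None:
        return "review: no creation date in WHOIS"
    age = (signup_day - created).days
    if age < min_age_days:
        return f"reject: {domain} is {age} days old"
    hits = sorted(servers & set(flagged_ns))
    if hits:
        return f"reject: name servers at {hits[0]}"
    return "accept"
```

Because the name servers in the table change every few weeks, a `flagged_ns` set goes stale quickly; the age test is the signal that holds across all four batches.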
Supporting Scripts
Want to ban all of the above? Here you go. This script works for phpBB2. You may need to make adjustments for other boards or versions.
insert into phpbb_banlist (ban_email) values ('*@airsecurityonline.com');
insert into phpbb_banlist (ban_email) values ('*@asiahomesite.com');
insert into phpbb_banlist (ban_email) values ('*@bestmailguide.com');
insert into phpbb_banlist (ban_email) values ('*@bradsportspage.com');
insert into phpbb_banlist (ban_email) values ('*@canadianhomeschool.com');
insert into phpbb_banlist (ban_email) values ('*@charitybeginsonline.com');
insert into phpbb_banlist (ban_email) values ('*@freemailid.com');
insert into phpbb_banlist (ban_email) values ('*@frontpagemanager.com');
insert into phpbb_banlist (ban_email) values ('*@goglemailoffice.com');
insert into phpbb_banlist (ban_email) values ('*@greatmailworld.com');
insert into phpbb_banlist (ban_email) values ('*@greatroy.com');
insert into phpbb_banlist (ban_email) values ('*@homeinternetonline.com');
insert into phpbb_banlist (ban_email) values ('*@homeinternetsystems.com');
insert into phpbb_banlist (ban_email) values ('*@illusioncorpmail.com');
insert into phpbb_banlist (ban_email) values ('*@jayblogspot.com');
insert into phpbb_banlist (ban_email) values ('*@junkmailsite.com');
insert into phpbb_banlist (ban_email) values ('*@kenwoodfunky.com');
insert into phpbb_banlist (ban_email) values ('*@mileupper.com');
insert into phpbb_banlist (ban_email) values ('*@playlistsite.com');
insert into phpbb_banlist (ban_email) values ('*@scriptsmysql.com');
insert into phpbb_banlist (ban_email) values ('*@securefreemail.com');
insert into phpbb_banlist (ban_email) values ('*@socialsecurityinc.com');
insert into phpbb_banlist (ban_email) values ('*@theburtonblog.com');
insert into phpbb_banlist (ban_email) values ('*@wirelessinternetlab.com');


I was surprised to see my website on your list, especially the date 6/6/2007, and the 779host.net. I just registered this site with goDaddy.com. They said it was “good to go”. How did it wind up on your list when I did a search for it? Can you help me? BobG.
Comment by Bob — December 3, 2008 @ 6:00 am
It was probably registered by a spammer years ago, and was dropped after getting shut down or blocked for spamming. You can find some sites on the Internet that show you the “whois” history of a domain; I looked this one up and the history does go back to before you owned it.
It’s probably not a bad idea to do some research on an available domain before you sign up for it, just to make sure you’re not getting into a situation like this.
Comment by Dave Rathbun — December 6, 2008 @ 11:12 am