Some Changes in Continuing .PW Spam

June 17, 2013 - By Chris Larsen

A month ago, we advised people to consider blocking the .PW top level domain (TLD). There is still a lot of spam happening there, but there have been some changes recently. In particular, there are more "normal" TLDs mixed in with the .PW ones.

However, even though the TLD may be normal -- like .com -- the domain name itself won't necessarily be...

In following one interesting .PW domain last week (polyco.pw), I found a whole nest of spammers inhabiting a dozen IP addresses in the 142.0.34.0/24 block. Of the top domains they'd used in the preceding days, this was the only .PW one. The highest traffic domains actually looked pretty reasonable: bestappsfree.org and bestitwork.org

A bit further down the list, the spammers got more creative with their domains. My favorites were purpledice.com and pinkmarriages.com.

All of these domains tend to lead to "unsubscribe" pages, that look like this:

screenshot of Unsubscribe page

 

Note that I had just gone to the plain domain URL here, not the unsubscribefinal.php page, and I certainly didn't put in an e-mail address or any other sort of ID code in the process. In other words, I'm extremely sceptical that this page does any sort of unsubscribing, since they display it by default -- there's no way they could have actually unsubscribed me. Oh, I'm sure I'll never see any more spam from pinkmarriages.com, but that would be true whether or not I actually tried to unsubscribe -- it's just that the spammers aren't going to use that domain ever again.

As a final note of interest, in poking around in our logs a bit more, I was able to find a URL to the image file that was used in the spam from pinkmarriages.com:

a look at the spam image (bed bug defense)

 

There's something richly ironic about one group of blood-sucking parasites (spammers) trying to sell you a defense against another group of blood-sucking parasites (bed bugs). Where's the professional courtesy?

 

--C.L.