Spam Trends: December 2023 - February 2024
Modern day spam is rarely benign: as a delivery system, spam is almost always a component of a subsequent cybercriminal activity. We measure spam activity by analysing spam reports from high-confidence blocklist sources that have low false-positive rates.
Little or no “benign” email is marked as spam by our threat intelligence sources. We treat all reported spam from our feeds as deliberate acts, or predicate acts to subsequent crimes including as phishing, counterfeiting, or scams.
We use the term “criminal act” intentionally, because most modern day spam is sent without informed consent, from compromised devices or from accounts where the emission of spam violates acceptable use. Using the Council of Europe’s Convention on Cybercrime as our model of law, we consider these criminal misuses of devices. The unauthorized software (malware) that emits spam emails uses system and nework resources at the expense of unauthorized software. Again using the Convention of Cybercrime as our model, we consider this a criminal act of data or system interference.
A decline in spam domains reported
We saw a 20% drop in domains reported for hosting spam content or spambots in the December - February 2024 reporting period. This follows a modest quarter over quarter decline from the June-August 2023 period to the September-November 2023 period. The declines appear to coincide with increased use of user accounts at subdomain service providers, where we saw a tenfold increase in reports identifying (unique) hostnames where spam content or spambots was found. Stay tuned: we’re still analyzing these reports.
8 of the ten registrars from our September-November 2023 reporting period appear in our ranking of domain registrars by number of spam domains under management for this period. Chengdu West and Alibaba Cloud Computing rejoined the top 10, replacing PDR and Hong Kong Juming Network Technology. Since June 2023, our top 10 hosting networks continues to include Google LLC, Clayer, Cloudflare, OVH SAS, Amazon, and BGP Consultancy. GIR-AS, Microsoft, and Dimension Network & Communication round out the top 10.
Trends in spam domain composition
Some spammers include brand, product, or service names in their spam domains. Paypal (1,930), Apple (1,545), and Microsoft (1,295) were among the brands with the most matches in domain names reported for spam activity. The USPS (1,560) and UPS (1,152) delivery services rounded out the top five. In this reporting period, we find that spammers use one or more English words that attract attention or convince a spam recipient that the domain is legitimate.
English words commonly found in spam domains
We count words that spammers use to attract the attention of a (mail) recipient: joy, happy, special, cheap, smart, gift, shop, great, deal…
What industry sectors or verticals do spammers target?
We grouped these English words into a set of categories to get another insight into where spammers focus attention. Examples of words we include in our categories include:
for Technology: digital, login, ssl, captcha;
for Financial-Crypto: income, wealth, loan, invest, credit; and
for Delivery Services: deliver, parcel, track*;
| TABLE 1: LARGEST TLDs | ||
|---|---|---|
| Ten Largest TLDs | Estimated number of domains in TLD | Spam domain score (spamdomains/DUM)*10,000 |
| com | 157,517,241 | 16.6 |
| de | 16,729,547 | 1.3 |
| net | 12,840,201 | 18.0 |
| org | 10,801,063 | 7.0 |
| uk | 10,173,905 | 5.1 |
| cn | 7,968,520 | 60.0 |
| nl | 6,013,056 | 1.6 |
| ru | 5,415,296 | 21.0 |
| br | 4,559,187 | 2.9 |
| fr | 4,113,924 | 2.9 |
Who’s the spammiest TLD?
The answer depends on what you are measuring. Our quarterly rankings of Top-level Domain operators lists TLDs both large and small. Table 1 shows the spam domain score of the 10 largest TLDs. These TLDs have large total counts of domains reported for spam but if we consider the number of spam domains per 10,000 domains under management, several ccTLDs {de, nl, br, fr, uk) have “low” scores. The nexus obligations or more stringent registration practices of these ccTLDs should serve as models for the gTLD policy development at ICANN.
Table 2 shows the spam domain score of the 2012 expansion of new TLDs with the most spam domains reported. Here, we see TLDs with smaller numbers of domains under management but startingly higher numbers of spam domains under management per 10,000 domains.
For example, the spam domain score of the best TLD is 335 times that of the de TLD and 26 times that of the com TLD. Spam domain scores often indicate that a TLD’s business, pricing, or registration practices make them attractive to criminals
| TABLE 2: NEW TLDs | ||
|---|---|---|
| Ten new TLDs with most spam reported | Estimated number of domains in TLD | Spam domains score (spamdomains/DUM)*10,000 |
| best | 65,551 | 436.0 |
| pics | 66,668 | 197.6 |
| media | 81,490 | 171.7 |
| top | 2,687,971 | 162.3 |
| sbs | 536,396 | 155.5 |
| club | 586,557 | 154.9 |
| bond | 261,229 | 141.6 |
| quest | 41,830 | 120.0 |
| live | 574,548 | 119.7 |
| asia | 309,877 | 119.1 |