Spam Trends: June 2023 - August 2023
Spammers are alive and thriving. We observed declines compared to the previous quarter in the number of spam reports that we collected from feeds, the number of unique domains, registrars, subdomain resellers, and the number of hosting networks that had gTLD domains under management reported for hosting spammed content or spambots. Here, we make observations from a careful analysis of the 1.3 million spam reports that we processed for this quarterly period.
Are spam domains trending down… or returning to steady state?
Spam in the post-Freenom era
In a recent phishing trends report, we observed that phishers lost a mainstream supply chain when Freenom stopped processing domain registrations in its five commercial ccTLDs. We see declines in spam domains reported for hosting spammed content or spambots in Freenom’s ccTLDs as well.
Where were spammed content and spambots hosted?
Hosting networks in the United States, Hong Kong, Singapore, France, and the Russian Federation had the most domains reported for hosting spammed content and spambots.
This number of spam domains | resolved to IP addresses geolocated in |
519,415 | US |
146,558 | HK |
49,115 | SG |
48,597 | FR |
28,738 | RU |
And as was the case for phishing, spammers migrated to other TLDs to register spam domains. Six of the 10 TLDs with the most reported spam domains and 18 of the TLDs with the highest reported spam domain scores were new TLDs.
Spammer Migration post-Freenom
TLD type | March 2023 - May 2023 | June 2023 - July 2023 |
Legacy TLDs | 48% | 50% |
new TLDs | 29% | 32% |
ccTLDs | 23% | 18% |
Registrar NameCheap had nearly 192,000 domains reported for phishing, outdistancing #2 GoDaddy by leaps and bounds. NameCheap's spam domain count was nearly 2½ times that of GoDaddy and its spam domain and malicious spam domain scores were both more than 12 times that of GoDaddy.
Who did spammers target or impersonate?
By maintaining historical records at the Cybercrime Information Center, we can look at measurements over time.
One reaction to seeing the number of unique domains reported for spam declining by nearly 250,000 from one quarter to another is to rejoice, proclaim, “DNS abuse is down!”, and go about the business of registering domains as usual.
When we see extraordinary changes, we investigate before we rejoice. First, we determined that one of our feeds enhanced its “catch rates”, which resulted in an increase in the number of domain names reported. So some of the increase is improved accuracy.
However, when we look at five quarters of reported spam domains rather than two, we see that the number of unique domains reported for the current June 2023 - August 2023 period declined to more or less the median. That figure merits continuing policy or regulatory attention.
Technology, finance and crypto, and healthcare were the business sectors or services most targeted by spammers, based on suspicious domain composition.
To create this tree map, we compared registered domain names that were reported for spam against lists of English keywords that we curated over time. The wordle shows a partial list of our frequently appearing keywords in spam campaigns that targeted or impersonated the top three business sectors in the tree map.
Internet users should exercise caution when they see domains or URLs that contain these keywords.
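The keyword comparison described above can be sketched as follows. This is an added example, not the Cybercrime Information Center's own code: the keyword lists, the sample domains, and the rule that short keywords must match a whole hyphen- or digit-delimited token are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed keyword lists (assumption): the report's curated lists are not on this page.
SECTOR_KEYWORDS = {
    "technology": {"cloud", "login", "support", "webmail"},
    "finance and crypto": {"bank", "wallet", "crypto", "loan"},
    "healthcare": {"pharma", "clinic", "health", "meds"},
}
# Keywords shorter than this must equal a whole token, which avoids
# accidental hits such as "loan" inside "sloane" (assumed rule).
MIN_SUBSTRING_LEN = 5


def classify(domain):
    """Return the sorted list of sectors whose keywords appear in a registered domain."""
    # Input is assumed to be a registered domain, so the first label is the name itself.
    label = domain.lower().rstrip(".").split(".")[0]
    tokens = set(re.split(r"[-0-9]+", label))
    sectors = set()
    for sector, keywords in SECTOR_KEYWORDS.items():
        for kw in keywords:
            if kw in tokens or (len(kw) >= MIN_SUBSTRING_LEN and kw in label):
                sectors.add(sector)
                break
    return sorted(sectors)


def sector_counts(domains):
    """Count domains per sector; a domain matching two sectors is counted in both."""
    counts = Counter()
    for domain in domains:
        counts.update(classify(domain))
    return counts


# Constructed sample of reported domains (not taken from any feed).
SAMPLE = [
    "secure-wallet-login.example",
    "mycryptoloans.example",
    "sloane-garden.example",
    "onlinepharmacy24.example",
    "cloud-support.example",
    "bank-verify.example",
]

if __name__ == "__main__":
    for sector, count in sector_counts(SAMPLE).most_common():
        print(f"{sector}: {count}")
```

The per-sector counts are the values a tree map would be sized by; domains that match no keyword list are left out of every sector.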