Spam Trends: March 2024 - May 2024

Modern day spam is rarely benign: as a delivery system, spam is almost always a component of a subsequent cybercriminal activity. We measure spam activity by analysing spam reports from high-confidence blocklist sources that have low false-positive rates.

Little or no “benign” email is marked as spam by our threat intelligence sources. We treat all reported spam from our feeds as deliberate acts, or predicate acts to subsequent crimes including phishing, counterfeiting, or scams.

We use the term “criminal act” intentionally. Most modern day spam is sent without informed consent, from compromised devices or from accounts where the emission of spam violates acceptable use. Using the Council of Europe’s Convention on Cybercrime as our model of law, we consider these criminal misuses of devices. The unauthorized software (malware) that emits spam emails uses system and network resources at the expense of unauthorized software. Again using the Convention on Cybercrime as our model, we consider this a criminal act of data or system interference.

A spam domain names shopping frenzy

Domains reported for hosting spammed content or spambots leaped to over 1.5M in the March-May 2024 reporting period, an increase of over 900,000 domains reported over the December - February 2024 reporting period. While we did see a decrease of subdomain provider accounts reported for hosting spam, spammers were more active in the .COM, .TOP, and .XYZ gTLDs, which accounted for more than 880,000 spam domains reported.

Some jockeying for position occurred, but the top 5 registrars from our December - February 2024 reporting period remain the same. In our ranking of domain registrars, GoDaddy.com replaces NameCheap.com as #1, followed by Gname.com, NameCheap.com, NameSilo.com, and DynaDot Inc.

Google LLC, Clayer, and Cloudflare again hold the top 3 spots in our top 10 hosting networks.

Trends in spam domain composition

Some spammers include brand, product, or service names in their spam domains. Paypal (2,990), Google (2,669), UPS (1,542), Apple (1,347), and DHL (1,038) were among the brands with the most matches in domain names reported for spam activity.

In this reporting period, we again found that spammers use one or more English words that attract attention or convince a spam recipient that the domain is legitimate.

What industry sectors or verticals do spammers target?

We grouped these English words into a set of categories to observe where spammers focus attention. Examples of words we include in our categories include:

  • for Technology: digital, login, ssl, captcha;

  • for Financial-Crypto: income, wealth, loan, invest, credit;

  • for Delivery Services: deliver, parcel, track*;
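
The word-to-category grouping described above, as an added example (not the report authors' code). It assumes words match whole hyphen- or digit-separated tokens in the labels left of the TLD, and reads the trailing * on track* as a prefix wildcard; the sample domains are constructed.

```python
import re
from collections import Counter

# Category word lists copied from the list above; a trailing * marks a prefix pattern
# (assumption: the page does not say how the asterisk is interpreted).
CATEGORIES = {
    "Technology": ["digital", "login", "ssl", "captcha"],
    "Financial-Crypto": ["income", "wealth", "loan", "invest", "credit"],
    "Delivery Services": ["deliver", "parcel", "track*"],
}

def tokens(domain):
    """Split the labels left of the TLD into lowercase alphabetic tokens."""
    labels = domain.lower().rstrip(".").split(".")[:-1]  # drop the TLD
    return [t for label in labels for t in re.split(r"[^a-z]+", label) if t]

def matches(pattern, token):
    """Exact token match, or prefix match when the pattern ends in *."""
    if pattern.endswith("*"):
        return token.startswith(pattern[:-1])
    return token == pattern

def categorize(domain):
    """Return the sorted list of categories whose words appear in the domain."""
    toks = tokens(domain)
    return sorted(
        cat for cat, words in CATEGORIES.items()
        if any(matches(w, t) for w in words for t in toks)
    )

def tally(domains):
    """Count domains per category; one domain can count toward several."""
    counts = Counter()
    for d in domains:
        counts.update(categorize(d))
    return counts

# Constructed sample domains (not taken from any feed).
SAMPLE = [
    "secure-login-check.example",
    "parcel-tracking77.example",
    "fast-loan.invest-now.example",
    "misslondon.example",  # "ssl" appears only inside another word: no match
    "track.example",
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d, categorize(d))
    print(dict(tally(SAMPLE)))
```

Token matching misses concatenated names such as "parceltracking" but avoids the false positives that plain substring matching produces on short words like "ssl".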

TABLE 1: LARGEST TLDs

Ten largest TLDs    Estimated number of domains in TLD    Spam domain score (spamdomains/DUM)*10,000
com                 156,025,695                           39.8
de                  16,828,207                            3.3
net                 12,739,761                            45.4
org                 10,887,204                            27.5
uk                  10,013,794                            7.0
cn                  8,192,048                             103.1
nl                  5,991,057                             2.0
ru                  5,525,370                             69.8
br                  4,680,960                             3.3
fr                  4,120,457                             3.7

Who’s the spammiest TLD?

The answer depends on what you are measuring. Our quarterly rankings of Top-level Domain operators list TLDs both large and small. Table 1 shows the spam domain score of the 10 largest TLDs. These TLDs have large total counts of domains reported for spam, but if we consider the number of spam domains per 10,000 domains under management, several ccTLDs (de, uk, nl, br, fr) have “low” scores.

Table 2 shows the spam domain score of the 2012 expansion of new TLDs with the most spam domains reported. Here, we see TLDs with smaller numbers of domains under management but startlingly higher numbers of spam domains under management per 10,000 domains.

For example, the spam domain score of the .TOP TLD is 295 times that of the .NL TLD and nearly 15 times that of the .COM TLD. Spam domain scores often indicate that a TLD’s business, pricing, or registration practices make it attractive to criminals. The nexus obligations or more stringent registration practices of ccTLDs with few or no spam domains reported should serve as models for the gTLD policy development at ICANN as they begin a process of expanding the gTLD name space.

TABLE 2: NEW TLDs

Ten new TLDs with most spam reported    Estimated number of domains in TLD    Spam domain score (spamdomains/DUM)*10,000
top                                     2,768,909                             590.2
wang                                    45,921                                572.3
vip                                     933,681                               405.5
cam                                     41,181                                396.1
ink                                     76,916                                392.8
bond                                    301,689                               371.7
club                                    593,196                               369.2
media                                   84,267                                305.8
life                                    413,647                               304.3
xyz                                     3,393,065                             287.2