Spammers Preying on Domain Registration Software Flaw
Norton vendor Symantec Corporation (NASDAQ: SYMC) has revealed a vulnerability in domain registration software used by domain parking services that allows spammers to redirect visitors to any URL they choose.
“We recently noticed a large domain parking service being abused by spammers on a massive scale. Each domain hosted on the service contains an open redirect script, allowing spammers to redirect to any URL of their choice,” Symantec senior software engineer Nick Johnston explained.
Spam has continued to flood inboxes despite the shutdown in March of the Rustock botnet, which was responsible for sending as many as 30 billion spam messages every day. Last week, Microsoft reported that it had found more than 400,000 email addresses on one hard drive it seized during the raid.
Microsoft, which led the take-down of Rustock, reported that it had found further evidence of the botnet's spam distribution, “including custom-written software relating to assembly of spam emails and text files containing thousands of email addresses and username/password combinations.”
Domain parking services allow the registration of internet domain names without using them for services such as email or hosting a website.
Domains registered with parking services are reserved for future use, either to prevent cybersquatting or to earn money from advertising on an automatically generated web page hosted on the domain.
The abuse, according to Symantec, does not directly target the domain parking services themselves, but takes advantage of a feature of the domain registration software.
It is also impossible for domain owners to notice that their domains have been added to anti-spam blocklists, because the redirect does not affect the parking page, which is typically used for nothing else. Additionally, the domain parking service may not have been aware of the abuse.
Symantec said it has already informed the domain parking service about the abuse.
The abuse, Symantec continued, “could be effective against some anti-spam products since many of the domains affected have been registered for years, and therefore seen as more likely to have a good reputation.”
For example, Symantec caught redirects to “get rich quick” sites used by spammers, which spoof a popular US broadcaster.
The security vendor said it has automatically blocked tens of thousands of these domains.
“This latest abuse shows the lengths spammers are prepared to go to in attempting to conceal their spam sites.”
Symantec advised operators to check the HTTP “Referer” [sic] header before redirecting, to prevent the abuse.
“Using cryptographic hashing can also be useful, as can restricting the set of sites which can be redirected to,” it said.
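As an added illustration, not code from Symantec or any parking service, the open-redirect pattern described above is shown beside a handler that applies the three mitigations just quoted: a Referer check, an allowlist of destinations, and a cryptographic tag on the link. The host names and signing key are constructed assumptions.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed sample values (assumptions, not from the report): the parking
# service's signing secret, the hosts it is willing to send visitors to, and
# the host that serves the parking pages themselves.
SIGNING_KEY = b"parking-service-secret"
ALLOWED_HOSTS = {"ads.example-parking.net", "www.example-registrar.com"}
PARKING_HOSTS = {"parked.example-parking.net"}


def sign_target(url: str) -> str:
    """Hex HMAC-SHA256 tag the service attaches when it builds a redirect link."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def vulnerable_redirect(target: str) -> Optional[str]:
    """The abused pattern: whatever URL arrives in the query string is used as-is."""
    return target


def safe_redirect(target: str, sig: str, referer: Optional[str]) -> Optional[str]:
    """Return the target only if every check passes; None means 'do not redirect'."""
    # 1. Referer: the click must come from one of the service's own parking pages.
    if not referer or urlparse(referer).hostname not in PARKING_HOSTS:
        return None
    # 2. Allowlist: parse the URL and compare the real hostname, so tricks such as
    #    "ads.example-parking.net.evil.example" or "?x=ads.example-parking.net" fail.
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
        return None
    # 3. Cryptographic tag: only links minted by the service carry a valid HMAC;
    #    compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(sign_target(target), sig):
        return None
    return target
```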