Saturday, June 20, 2009

Spam Crisis in China

At the UAB Spam Data Mine, we continue to see that MOST of the spam we receive has ties to China. As an experiment this morning I looked at 37,825 URLs received in spam on Thursday. These boiled down to 687 domain names, of which 207 ended in ".cn". I decided to expand the scope of my query, and looked at all the spam from May 1 until June 18, 2009.

48 Days of Spam
Total domainsHosted in China

For the year thus far, January 1 to present, we've successfully looked up the hosting IP address of 69,117 domains.

Top Level Domain
48,552 .cn - 70% of all domains used in spam have a Chinese Top Level Domain
14,547 .com
1,553 .net
948 .ru
575 .info
425 .es
278 .at
212 .ch
73 .in
73 .tk
67 .org
46 .pl
30 .biz
27 .cz
22 .eu
16 .de
14 .ws
11 .cc
11 .ar
10 .nu
10 .sk

Hosting Country
48,331 CN - 70% of all spam domains hosted in China
8,412 US
3,914 KR
1,555 RU
1,053 UA
884 CA
719 MY
594 BG
524 DE
460 HK
323 AR
228 BR
210 IL
199 BE
187 NL
185 PL
179 GB
178 RO
104 CZ

It is very normal that more than 1/3rd of the domain names we see each day in spam messages come from China. When one also considers the many ".com" and ".ru" domain names which are also hosted in China, the problem is much worse. More than half of all spam either uses domain names registered in China, is sent from computers in China, or uses computer in China to host their web pages. The numbers above look much higher than half, but these are numbers about spam DOMAINS, not the actual number of spam messages. Some non-CN domains send a disproportionately high number of messages.

Historical Context

Before taking my current position as Director of Research in Computer Forensics at the University of Alabama at Birmingham, I was a volunteer anti-phishing handler at the CastleCops PIRT squad. PIRT, which stood for Phishing Incident Reporting & Termination, had a group of dedicated individuals who donated their time to identifying counterfeit websites designed to steal the login information to real websites, mostly the Userid and Password for your Bank, Credit Union, or other financial institution, or the credentials for your eBay/Paypal account.

From time to time, we would find a Registrar who was facilitating cybercrime. A Registrar is a company that has the ability to assign their customer's the use of a domain name. When a criminal controls their own webservers, or distributes their webservices by hosting on a botnet, its often the case that the only way to stop a particular fraud domain is to terminate the name by having the Registrar "take away" its nameserver. If a domain has no name services, it can't be resolved to an IP address, which means no one can visit the fraudulent domain.

Usually the problem was that the Registrar did not understand how cybercriminals operated, or that they had insufficient fraud detection mechanisms, or they had policies which ended up protecting the criminal. On very rare occasion it was because they chose to host criminal activity.

Some examples we faced at CastleCops included:

YESNIC in Korea who was being used as the preferred Registrar by certain phishing criminals, but we were unable to get the sites terminated. Finally we made friends with a member of the Korean Information Security Agency who was able to take our cause straight to their door, and the behavior changed immediately.

NIC.AT in Austria was hosting criminal activity, and their lawyers told us the only way they would stop was for our team to mail a letter through the postal service to the individual in the WHOIS data. If the letter was returned to us as undeliverable, we could then forward that package to Austria, and they would terminate the domain name. The problem with that of course is that the criminals were using stolen credit cards, and the mail probably WOULD BE deliverable to whoever's credit card information had been used. Spamhaus helped us get them straightened out.

HKDNR in Hong Kong was actually the worst situation, and has turned out to be the most wonderful success story. On March 18, 2007 we finally decided that the only solution to our problem was to go fully public in a plea for help, and I issued an email called Crisis in Hong Kong, which was widely distributed.

Many friends, new and old, stepped forward to assist us in helping to influence change at HKDNR, including friends at HSBC Bank who had staff in Hong Kong who worked with the local police, Suresh Ramasubramian, now with IBM, who describes his own role in the situation in this article, and Howard Lau of the Professional Information Security Association in Hong Kong, who supported our cause with this letter to the CIO of Hong Kong.

As a result, HKDNR's Operations Manager and the Hong Kong Technology Police worked together with us to form a solution, and HKDNR went from one of the highest fraud rates on the Internet to one of the lowest. I was pleased to be able to meet with my friends from this situation in Singapore where the three of us told our story together. They now publish tips for avoiding fraud such as Stay Away from Online Scam and Do's and Don'ts of Online Banking, and were praised in June of 2008 for Reducing Online Fraud 92% in One Year!

What about China?

We are well past time for someone to declare a "Spam Crisis in China".

There are three components to the Spam Crisis:

1) Certain Registrars in China who refuse to cooperate with abuse complaints and who let domains "live forever", even when they are involved in criminal activity. We do not believe these companies are criminals. We believe that these companies have provided "reseller services" to criminals, and do not engage themselves proactively in stopping the criminal activities of their resellers. We look forward to helping in any way possible to identifying and stopping the criminals who are tarnishing the names of the companies listed below. I specifically name:

Sponsoring Registrar: 易名中国 ENAME Corporation,


2) Certain Network operators in China refuse to cooperate with abuse complaints and who let bad computers "live forever", even when they are clearly involved in criminal activity. We invite the companies who are allowing criminals to continuously use their networks to take action so that they can be an International Success Story similar to our friends at HKDNR. We do not believe that these network companies are criminals. We believe that criminals use their network, and these companies have not yet found a way to effectively receive our complaints and remove these criminals from their networks. There are many companies, but I specifically name:

ASN 4837 CHINA169-BACKBONE CNCGROUP China 169 Backbone

ASN 4134 CHINANET-BACKBONE No.31, Jin-rong Street

ASN 9929 CNCNET-CN China Netcom Corp.

3) Law Enforcement activity. It is unacceptable in the International Community to allow one's country to continue to serve as a haven for spammers of illegally counterfeited pills, illegally counterfeited software, and illegally counterfeited watches and handbags. It is also unacceptable to provide hosting services for numerous international criminals to place their servers on networks in your country. We invite Chinese Law Enforcement to become engaged in being part of the solution to this problem, and through dialogue with the International Community learn more about interacting with other countries about these issues.

Examples of Spam Registrars

XIN NET has the distinction of being named the #1 Worst Registry for Spam two years in a row by our friends at Knujon in their Registrars report.

We've mentioned fraud related to these domains repeatedly in this blog in articles such as:

XIN NET Fraud Domains

Oct 10, 2008 where Debt Relief spam was hosted on XIN NET domains using hacked MSN/ accounts to forward the messages.

Nov 12, 2008 where Many Canadian pharmacy domains hosted at McColo were registered at XIN NET (when XIN NET keeps showing up in lists with McColo and EST Domains, its a big hint. Those companies are gone, because they cooperated with criminals too often!)

Nov 21, 2008 where Phishing domains such as were registered with XIN NET
May 31, 2009 where an MSN Worm stealing passwords used XIN NET registered domains

April 13, 2009 where Hydrocodone drug sales sites were registered at XIN NET

ENAME and Malware

April 15, 2009 - SMS Spy version of Waledac.

In that article I mentioned that
The root problem with Waledac's long-lived domains is they are using a Chinese domain name registrar who won't cooperate with anyone on shutdowns. We have sent shutdown requests to their abuse contact, in both English and Chinese, and have received no cooperation whatsoever. If you have good contact information for "",

April 29, 2009 we posted that Waledac-spreading virus domains were all registered at ENAME.

March 16, 2009 - Waledac Dirty Bomb version - using ENAME domain names

February 25, 2090 - Waledac Couponizer version- using ENAME domain names

Examples of Spam Hosting

The China Spam Crisis goes far beyond just the registrar's who refuse to terminate domain names. I'm sorry that I can't put the whole list in my blog here, but here are two example files . . .

20,150 domain/IP pairs for spam received in the UAB Spam Data Mine in May 2009 where the domain is either a ".cn" domain, or is hosted in China.

11,900 domain/IP pairs for spam received in the UAB Spam Data Mine between June 1 and June 18, 2009 where the domain is either a ".cn" domain, or is hosted in China.

We invite others to review these lists, and to make comments or observations about them. If you create derivative products from this data, please provide a pointer back to the original, and share a link with me so that we can add a link here.

These reports contain a great deal of data, but I'd like to point out some of the abusive hosting practices which are occurring in China:

ASN 4837 CHINA169-BACKBONE CNCGROUP China 169 Backbone

From May 1, 2009 until June 18, 2009 this Network has hosted 8,678 unique domains for which I have samples in the UAB Spam Data Mine. Twenty-eight separate IP addresses have been used for the hosting:

ASN 4134 CHINANET-BACKBONE No.31, Jin-rong Street

From May 1, 2009 until June 18, 2009, this Network has hosted 4,146 unique domains for which I have spam examples in the UAB Spam Data Mine. Eighteen separate IP addresses have been used for the hosting:

ASN 9929 CNCNET-CN China Netcom Corp.

From May 1, 2009 until June 18, 2009, this Network has hosted 3,831 unique domains for which I have spam examples in the UAB Spam Data Mine. Three separate IP addresses have been used for the hosting:


Our friend Jeff Chan runs SURBL, a site which tracks "spam-vertised" websites, and allows spam black-listing based on checking new email to see if it is advertising a known spam-vertised website. He ran through our list of more than 10,000 domains above and only found 36 domains which were not confirmed to have been seen in spam according to SURBL!

Next Steps

What do we do about this situation? For now, we are only calling for increased awareness. If you have a Blog, mention this. If you have a group of technical friends, discuss it and offer solutions. Most importantly, if you have contacts in China, whether at an Internet Service Provider, a Hosting Company, or in Law Enforcement, please point out to them these statistics.

I truly believe that the Chinese government would not willingly tolerate this horrible situation. My only answer is that it must not have been properly brought to their attention so far. Think creatively about what you could do to help with that situation, given the resources at your disposal.


Gary Warner

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.