Feeds

Spammers exploit Internationalized Domain Names to punt penis pills

Cyrillic dysfunction

Beginner's guide to SSL certificates

Spammers have begun taking advantage of Internationalized Domain Names as a home for penis pill portals and other spamvertised sites.

Internationalized Domain Names (IDN) allow domain names to include Arabic, Chinese and Russian characters, among others, as well as Latin letters.

The inclusion of non-Latin characters with domain names has been possible for several years, but it's only last year that some top-level domains were given internationalised versions, for example .рф for Russia.

Spammers have begun latching onto the availability of these services to establish spamvertised sites. One German language spam message intercepted by Symantec MessageLabs uses a URL shortening service to redirect to an IDN domain.

The spam message - advertising erectile dysfunction pills and supposedly linking to a Swiss pharmacy site - is nothing out of the ordinary, except for its use of Cyrillic domain names.

By using, in this case, a Cyrillic domain name, spammers may make it easier to register more convincing domains. The tactic may decrease hosting costs for penis pill merchants, as Nick Johnston, a senior software engineer at Symantec, explains.

"MessageLabs Intelligence expects the use of IDN in spam to increase in coming months, especially as it may be easier to find unregistered IDN domains," Johnston writes.

"Some registrars are likely to encourage wider adoption of IDNs and are expected to offer some registries at low prices, as we've seen with the introduction of other new top-level domains in previous years."

A blog post by Symantec, containing screenshots of the spam message and an explanation of the redirection techniques used in the scam, can be found here.

The more widespread use of IDNs in spam poses challenges for both brand protection experts and spam filtering firms, who may need to tweak their technology.

"The main impact of IDN on spam filtering depends on exactly how spammers use IDN," Paul Wood of Symantec MessageLabs told El Reg. "If spammers always include URLs in Punycode form (with a TLD of .xn--p1ai instead of the actual Cyrillic characters .рф) then spam filtering is relatively straightforward. Anti-spam software generally simply needs to be aware that xn--p1ai is a valid top-level domain."

"However, if spammers include IDN URLs not in Punycode, then it's likely that more work could be required, particularly given the various different character encodings that could be used to represent these characters. To convert to IDN, the characters would have to be converted to Unicode and then applying algorithms before finally doing Punycode conversion.

On the other hand, using IDN URLs in this way might harm a spammer's conversion rate due to legacy mail software and so on." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.