Understanding the domain registration behavior of spammers

Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

Research output: Chapter in Book/Report/Conference proceedingConference contribution

75 Scopus citations


Spammers register a tremendous number of domains to evade blacklisting and takedown efforts. Current techniques to detect such domains rely on crawling spam URLs or monitoring lookup traffic. Such detection techniques are only effective after the spammers have already launched their campaigns, and thus these coun-termeasures may only come into play after the spammer has already reaped significant benefits from the dissemination of large volumes of spam. In this paper we examine the registration process of such domains, with a particular eye towards features that might indicate that a given domain likely has a malicious purpose at registration time, before it is ever used for an attack. Our assessment includes exploring the characteristics of registrars, domain life cycles, registration bursts, and naming patterns. By investigating zone changes from the.com TLD over a 5-month period, we discover that spammers employ bulk registration, that they often re-use domains previously registered by others, and that they tend to register and host their domains over a small set of registrars. Our findings suggest steps that registries or registrars could use to frustrate the efforts of miscreants to acquire domains in bulk, ultimately reducing their agility for mounting large-scale attacks.

Original languageEnglish (US)
Title of host publicationIMC 2013 - Proceedings of the 13th ACM Internet Measurement Conference
Number of pages13
StatePublished - 2013
Event13th ACM Internet Measurement Conference, IMC 2013 - Barcelona, Spain
Duration: Oct 23 2013Oct 25 2013

Publication series

NameProceedings of the ACM SIGCOMM Internet Measurement Conference, IMC


Other13th ACM Internet Measurement Conference, IMC 2013

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications


  • Blacklist
  • DNS
  • Domain registration
  • Spam


Dive into the research topics of 'Understanding the domain registration behavior of spammers'. Together they form a unique fingerprint.

Cite this