Spam Trends: September 2024 - November 2024
Spam activity declined following an 18-month high
We collected 1.1M fewer spam reports from our contributing feeds during the September-November 2024 period than the prior period.
Domains reported for hosting spammed content or spambots declined by 11% but there were still over 2.1M spam domains reported in this period.
Top-level Domains
Noteworthy decreases in spam domain counts. CLUB (65%), XYZ (45%), APP (41%), ORG (34%), RU (31%) and COM (29%).
Most dramatic increases. BID (+1,914%) and LOAN (+1,446%).
Worst locus of abuse. The TOP TLD remains the #2 ranked TLD with ~303,000 spam domains reported. For context, this figure is nearly 1/2 of the ~637,000 spam domains reported in COM, which has 155M domains under management compared to TOP’s 2.9M. When you also consider that the .TOP spam domain score is 1056.2 whereas the .COM score is 41.3, it’s clear that .TOP needs to up its abuse mitigation game.
We again observed a decrease in subdomain provider accounts reported for hosting spam: subdomain reseller accounts reported for hosting spammed content declined 32%.
Reminder: Why is spam a threat?
Spam is almost never benign, and in our experience, it is a deliberate threat, or a predicate act to subsequent crimes including phishing, scams, or sales of counterfeit goods.
Is it really a crime?
Modern-day spam is sent without informed consent, from compromised devices or from accounts where the emission of spam violates acceptable use. Using the Council of Europe’s Convention on Cybercrime as our model of law, we consider these criminal misuses of devices. The unauthorized software (malware) that emits spam emails uses system and network resources at the expense of unauthorized software. The Convention on Cybercrime considers these to be criminal acts of data or system interference.
Hosting Networks
For the September-November 2024 period, Cloudflare rose three spots to become the #1-ranked hosting network (ASN) by hosted spammed content or spambots. CTG Server Limited retained second place, Dimension Network & Communication Limited rose from fourth to third, and Amazon dropped from the one-spot to fifth.
We found a 678% increase in spam domains hosted at previously unranked SEDO GmbH. A close look revealed that two IP addresses - 91.195.240.12 and 91.195.240.123 - host all the domains reported for spam activity. 23,655 domains in the TOP TLD are hosted here. We visited a sample of approximately 600 of these domains. However, as of the January 10 posting of this article, many still resolve to the (online gambling) web sites advertised in spam messages. Others are redirected to a landing page that gives notice that “Access to the site is limited in your country”. Yet others resolve to pay-per-click landing pages or to secondary market (buy this domain) pages. Only some of these no longer resolve, which we believe is the appropriate treatment of domains used in association with spam specifically and cybercrimes generally. The diverse treatment or disposition of domain names creates uncertainty for reputation service providers, who may leave domains on blocklists while domains resolve. The reputation of the domain registrar and TLD registry are adversely affected while the domains remain on blocklists, and user confidence in the name and hosting services is undermined.
Domain Registrars
In our ranking of domain registrars, Dynadot replaced GoDaddy as the #1-ranked registrar by spam domains reported, with ~195,000 spam domains compared to ~182,000 reported from GoDaddy’s registrations. Again, for context, Dynadot’s 4.4M domain registrations are 1/16th of GoDaddy’s 65M.
Gname.com, NameSilo, and NameCheap round out the top 5 registrars ranked by spam domains reported. Porkbun (130%) experienced the most dramatic increase in spam domains reported, followed by Name.com (62%), Sav.com (43%) and Dynadot (39%).
Spammers seem to exploit some domain registrars more than others for certain Top-level Domains.
In this table, we show which registrar was most exploited by spammers to obtain domains for the ten top-ranked TLDs by spam domain count.
We generated this table from data that can be downloaded in CSV format from the Records page. In this case, we used the TLD Spam Table Data from our Records Repository. We encourage you to download and use these data to view all the TLD, domain registrar, and hosting network operators for which we receive and process spam reports.