The Symantec Global Intelligence network has detected a significant increase in hit-and-run spam attacks (sometimes referred to as ‘snowshoe’ spam attacks) from .club domains in the last 24 hours. Earlier this year the Internet Corporation for Assigned Names and Numbers (ICANN) released a number of generic top-level domains (gTLD), with .club among them. Spammers have taken to abusing gTLDs, and specifically, the .club gTLD to perform hit-and-run spam attacks. Hit-and-run spam attacks quickly cycle through domains and IP addresses with unknown reputation to avoid detection. In this case they are using domains with the .club gTLD because of their lack of reputation.
We have observed the following “From:” header lines in these attacks:
Figure. .club domain hit-and-run spam email example
Symantec is in contact with the administrators of the .club gTLD and we will work together to shut down any spam domains within the .club zone.
We will continue to monitor this type of hit-and-run spam attack and create additional filters to protect our customers.
Symantec advises users to be on their guard and to adhere to the following security best practices: