Channel: Symantec Connect - Blog Entries

How The (Spam) Grinches Stole .Christmas


I noticed some spam using a relatively uncommon "new TLD" (.christmas) in my honeypots this week, and, since it is almost Christmas, thought it was worth a look to see how it's being used or abused...

.Christmas has been around for a couple of years, but hasn't had many high-traffic domains, at least, until recently.

Checking the WebPulse logs for .christmas traffic revealed quite a lot of it, most of which appeared to be shady. How shady? Well, not as bad as most of the Shady TLDs we've profiled over the last couple of years, but still enough to warrant consideration for membership on Santa's naughty list...

Here is a look at how the Top 50 sites, by total traffic, stack up in our logs over the last few days:

| Category | Count & Percentage |
|---|---|
| Suspicious | 39 (78%) |
| Scam/Questionable | 1 (2%) |
| Business | 4 (8%) |
| Personal Site | 2 (4%) |
| Society/Daily Living | 2 (4%) |
| Placeholder | 2 (4%) |

Without the two Placeholder sites being included (they're not considered to be quite shady enough for counting in the rankings), .christmas would score an even 80% shady. Compared to other Shady TLDs, this wouldn't rank in the top 20.

Still, all of the high-traffic .christmas domains are shady, and so we might make our first calendar-based recommendation. Namely, if you don't have WebPulse to let you know if a particular .christmas domain is likely to be shady or not, maybe consider blocking all .christmas URLs from January thru October, as the legitimate ones are very seasonal, as you might expect.

Peeking at the Packages

So what are these shady .christmas sites up to? It appears to be primarily spam-related, with some high-traffic WebAd/Analytics sites -- many of the URLs I checked returned single-pixel "tracking PNGs" (small image files used to track users who visit sites), or else they relayed visitors to sites that we had already identified as Spam or Phishing. Unfortunately, tracking pixels don't make for compelling screenshots, so I'm leaving those out.

There are several different domain naming styles being used by the major shady networks:

(1) A random-words-glued-together group (using words related to Christmas), such as happysing.christmas, celebratewish.christmas, merryseparate.christmas, jollysleep.christmas, etc.

(2) A random-word-plus-a-color group, with domains like happenyellow.christmas, dependred.christmas, turnblack.christmas, etc. (My favorite was kronosaurusblack.christmas.)

(3) A random-words-plus-digit group: handbelieve0.christmas, reasoncould7.christmas, bodyconsist1.christmas, namedevelop9.christmas, etc.
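As an added example (not code from the original post or from WebPulse), the following Python triage helper labels a .christmas hostname with one of the three naming styles above and applies the January-through-October blocking recommendation made earlier. The word and color lists are constructed to cover only the domains quoted in the post, the function names are hypothetical, and sending style matches to "review" in November and December is an assumption.

```python
import re
from datetime import date

# Constructed vocabulary (assumption): just enough words to cover the sample
# domains quoted in the post. Real triage would load a full dictionary.
COLORS = {"yellow", "red", "black", "white", "green", "blue"}
WORDS = {"happy", "sing", "celebrate", "wish", "merry", "separate", "jolly",
         "sleep", "happen", "depend", "turn", "kronosaurus", "hand", "believe",
         "reason", "could", "body", "consist", "name", "develop"}
TLD = ".christmas"

def is_two_words(label):
    """True if label is exactly two vocabulary words glued together."""
    return any(label[:i] in WORDS and label[i:] in WORDS
               for i in range(1, len(label)))

def naming_style(host):
    """Return which of the post's three naming styles a hostname matches, or None."""
    host = host.lower().rstrip(".")
    if not host.endswith(TLD):
        return None
    label = host[:-len(TLD)].split(".")[-1]   # label registered under the TLD
    m = re.fullmatch(r"([a-z]+)\d", label)
    if m and is_two_words(m.group(1)):
        return "words+digit"                  # style (3)
    if any(label.endswith(c) and label[:-len(c)] in WORDS for c in COLORS):
        return "word+color"                   # style (2)
    if is_two_words(label):
        return "glued-words"                  # style (1)
    return None

def decide(host, today):
    """Seasonal policy: block all .christmas hosts January through October.
    In November and December, send style matches to review (an assumption)."""
    if not host.lower().rstrip(".").endswith(TLD):
        return "allow"
    if today.month <= 10:
        return "block"
    return "review" if naming_style(host) else "allow"

if __name__ == "__main__":
    # Constructed sample: domains quoted in the post plus two made-up benign names.
    for h in ["happysing.christmas", "kronosaurusblack.christmas",
              "handbelieve0.christmas", "santa-letters.christmas", "example.com"]:
        print(h, naming_style(h), decide(h, date(2016, 12, 20)),
              decide(h, date(2017, 3, 1)))
```

A name that matches none of the styles is not thereby clean; the style label is a triage hint to combine with reputation data, not a verdict.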

As shown in the table above, there were a handful of legitimate Christmas-themed businesses (generally "come meet (or e-mail) Santa" type), and a few other legitimate sites in the mix. But they were outnumbered by shady shopping sites (in particular, there is a network of cookie-cutter sites that weren't quite believable as places I'd want to spend money), and a couple of sites offering knock-off fashion goods for ultra-low prices.

In summary, it looks like the spammer/scammer Grinches are definitely out to ruin .christmas...

--C.L.

P.S. For easy reference, here are the links to the earlier posts in our "Shady TLD" series:

.country, .kim, .science, .gq, .work, .ninja, .xyz, .date, .faith, .zip, .racing, .cricket, .win, .space, .accountant, .top, .stream

