Colleague Steve Sheng and I presented a second in an ongoing series of studies into the abuse of privacy protection services by spammers at the APWG eCrime Researchers Summit in Dallas. For this study, we sought to use a larger sample collected over a longer time period. By automating our collection methodology, we obtained 58,000 domains from the Spamhaus DBL from August and September 2010. All the alleged spam domains we used were registered in generic Top Level Domains (com, net, info, org, ...). We collected the domain registration records using WHOIS, and extracted the registrar and proxy/privacy service provider from them using parsers developed by two CMU students, Nicolas Cristin and Ryan Su.
The studies show that a higher percentage of spammers use privacy protection services than registrants randomly selected from the general population, and that this percentage is consistent across our two study samples.
Studying a longer period gave us some additional insights. When we examined the dates on which domains were reported as spam by Spamhaus, we observed "reporting spikes" in the volume of spam domains registered in a given registry by a specific sponsoring registrar.
We're going to study these spikes more closely to understand what causes this behavior beyond the obvious reporting of a spam campaign. Why did the spammers use this registrar and this registry? Were they influenced by a promotion, a bulk discount, or the bundling of privacy protection with a new registration?
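One way to surface the reporting spikes described above, as an added example that is not the study's own code: it counts listings per day for each (registry, registrar) pair and flags days far above that pair's median. The record layout, the registrar names, the sample domains and both thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median


def registry_of(domain):
    """Use the gTLD label (com, net, info, org, ...) as the registry key."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def reporting_spikes(listings, factor=5.0, min_count=5):
    """listings: (domain, date_listed, registrar) tuples.

    Flags days on which one (registry, registrar) pair has at least min_count
    listings and at least factor times its median daily count over the window.
    Both thresholds are assumptions of this example, not the study's.
    """
    listings = list(listings)
    if not listings:
        return []
    days = [day for _, day, _ in listings]
    window = [min(days) + timedelta(n) for n in range((max(days) - min(days)).days + 1)]
    daily = defaultdict(Counter)
    for domain, day, registrar in listings:
        daily[(registry_of(domain), registrar)][day] += 1
    spikes = []
    for (registry, registrar), counts in daily.items():
        # Days without listings count as zero so quiet pairs keep a low baseline.
        baseline = median(counts[d] for d in window)
        threshold = max(min_count, factor * max(baseline, 1))
        spikes += [(registry, registrar, d, counts[d], baseline)
                   for d in window if counts[d] >= threshold]
    return sorted(spikes)


def constructed_listings():
    """Constructed sample: ten days, one burst for Registrar-A in .info."""
    rows = []
    for d in range(1, 11):
        day = date(2010, 8, d)
        burst = 20 if d == 6 else 2
        rows += [(f"constructed-a{d:02d}{i:02d}.info", day, "Registrar-A") for i in range(burst)]
        rows += [(f"constructed-b{d:02d}{i:02d}.com", day, "Registrar-B") for i in range(3)]
    return rows


if __name__ == "__main__":
    for spike in reporting_spikes(constructed_listings()):
        print(spike)
```

Joining each flagged day against the privacy/proxy provider parsed from WHOIS would show whether a spike coincides with one provider's registrations.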
I'm a big believer in the axiom "go where the data lead you". We'll continue to sample and study privacy protection services. Meanwhile, if you have an opinion regarding registration spikes, leave a comment.