.ICU TLD - I See You Spammer

ICANN’s decision to cash in and allow an unlimited number of new gTLDs has provided us with several new TLDs used predominantly for criminal purposes by malicious actors. My inbound mail servers have been flooded with spam from thousands of .icu domains for the better part of 2019.

.icu spam domains

An inbound mail server showing spam delivered from .icu domains.

A quick rundown

Upon closer inspection of last month’s spam campaign, a repeating pattern quickly emerged:

  • Domain names are seemingly assembled from random words.
  • Every domain I checked was registered with Namecheap.
  • Every domain I checked was anonymized behind Cloudflare.
  • Turkish based hosting services were used to deliver e-mail spam.
  • Domain names were suspended after a month, give or take.
Postfix recieving spam from .icu domains

Postfix receiving spam from .icu domains by courtesy of a Turkish provider.

I was initially somewhat curious as to why Namecheap was used for domain registrations, but the answer was all in the name. At the time, Namecheap gave out .icu domains for approximately $1 and ended up with somewhere in the ballpark of 236,000 .icu domains.

Why do companies indulge in this practice?

Everybody is making money. You might be surprised to learn that criminals are allowed to own and operate large sections of the Internet. Unfortunately, they are kept in good standing as long as their revenue also makes it upstream.

ShortDot SA, Namecheap and the Turkish web hosting providers will act on abuse complaints, but that’s as far as it goes. After all, it’s not their responsibility to govern the internet right? In the end, it’s a game of whack a mole that allows the criminals to effortlessly rinse and repeat.

How to block spam from .icu domains

I’ve seen enough of this garbage and have started to reject delivery from any .icu domain, to mail servers under my administration. I’ve never come across a non-spam e-mail from a .icu domain, and besides, who would ever want a .icu domain for anything else than malicious activity.

.icu is owned by ShortDot SA

I’ll See You No More – Block .icu domain spam forever.

Block spam from .icu domains with Postfix

With postfix, you may add or edit /etc/postfix/reject_domains to identify .icu domains using a simple regular expression:

# /etc/postfix/reject_domains
/\.icu$/ REJECT We don't talk to .icu domains

Proceed to edit the main Postfix configuration and append the regexp lookup to the smtpd_sender_restrictions policy:

# /etc/postfix/main.cf
smtpd_sender_restrictions = pcre:/etc/postfix/reject_domains

Reload Postfix and count it as a victory for the good guys.

Block spam from .icu domains with Sendmail

With Sendmail, you may use the access database to reject messages from .icu domains. Simply edit /etc/mail/access and add a reject statement at the end of the file:

# /etc/mail/access
icu  ERROR:"550 We don't talk to .icu domains"

Finally, we’ll use makemap to rebuild the access database with the following command:

makemap hash /etc/mail/access.db < /etc/mail/access

And that’s all she wrote for .icu domain spam.

Addendum