
Suddenly a lot of spam getting in from the .top domain today.

keithsauer507
Level 5

Ironport C100V, 9.7.2-047

Today a flood of spam made it past this ESA all with one commonality... The sender's domain was .top.

What is this new domain called .top? Did it just become available, hence the spam?

Anyone else seeing this?

I added a regex in our blocked senders dictionary which is tested against in an incoming content rule, so hopefully this stops it. But what have you guys seen out there?


Libin Varghese
Cisco Employee

Hi Keith,

Domains with .top are usually private domains available for purchase. These could very well be used by spammers; however, no such instance was brought to our notice.

Domains with .top are listed among the most abused top-level domains on Spamhaus as well.

https://www.spamhaus.org/statistics/tlds/

For all spam emails the process would remain the same: please submit the original email sample with headers intact to spam@access.ironport.com.

Using a custom filter to block the domain entirely would also help if you do not receive legitimate emails from such domains.

The Cisco spam submission and tracking portal went live last week; below is a FAQ for the same.

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200648-ESA-FAQ-How-to-work-with-Cisco-Email-Su.html

Thanks

Libin

Was going to post the Spamhaus link but Libin has beaten me to it :-)

As soon as one of those goes anywhere near 50% or appears on my own radar, I do diligence then block the whole TLD, hosts and senders. Currently on my own Junk TLD list:

  • .accountant
  • .click
  • .date
  • .diet
  • .download
  • .gdn
  • .science
  • .stream
  • .top
  • .work

Hmm, looks like .trade might become a problem too...

Now this might work for my own network and I can afford to take a fairly robust attitude to any genuine senders who sign up to a blatantly stupid idea, but, to repeat, do perform your own checks before slamming any of these domains. That also means having mechanisms in place to detect and respond to any necessary exceptions.
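
One way to dry-run a junk-TLD sender rule like the ones discussed in this thread before enforcing it, as an added example that is not from any poster or from Cisco. It uses the TLD list quoted above; the exception domain, the sample senders and all function names are constructed for illustration, and it runs outside the ESA rather than in ESA filter syntax.

```python
import re

# Junk TLD list quoted from the reply above.
JUNK_TLDS = ["accountant", "click", "date", "diet", "download",
             "gdn", "science", "stream", "top", "work"]

# Hypothetical exception: a sender domain verified as legitimate (constructed).
EXCEPTIONS = {"partner-portal.work"}

# Anchored pattern: the TLD must be the final label of the sender domain.
# An unanchored ".top" would also hit "laptop@..." or "shop.top.example.com".
JUNK_RE = re.compile(r"\.(?:%s)$" % "|".join(map(re.escape, JUNK_TLDS)),
                     re.IGNORECASE)


def sender_domain(address):
    """Return the lower-cased domain of an envelope sender, or None if malformed."""
    address = address.strip().strip("<>")
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()  # drop a trailing root dot


def verdict(address):
    """Classify a sender as 'block', 'exception', 'allow' or 'malformed'."""
    domain = sender_domain(address)
    if domain is None:
        return "malformed"
    if not JUNK_RE.search(domain):
        return "allow"
    # An exception covers the listed domain and its subdomains.
    if any(domain == e or domain.endswith("." + e) for e in EXCEPTIONS):
        return "exception"
    return "block"


def dry_run(senders):
    """Map each sender to its verdict so the rule can be reviewed before enforcing."""
    return {s: verdict(s) for s in senders}


# Constructed sample envelope senders, not taken from real mail.
SAMPLE = ["offers@cheap-deals.top", "<News@Promo.TOP>", "laptop@example.com",
          "bounce@shop.top.example.com", "billing@partner-portal.work",
          "x@mail.partner-portal.work", "info@win.click.", "not-an-address"]

if __name__ == "__main__":
    for sender, result in dry_run(SAMPLE).items():
        print(f"{result:10} {sender}")
```

Running the same check over a day of logged envelope senders shows how many messages the rule would have blocked and which senders need an exception before the block goes live.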

tsilveruits
Level 1

We have seen spam from .top as well.
