
You’ve almost certainly come across the terms Dark Matter, Dark Energy,
or even Dark Fibre. We have recently come across a comparable form of
spam: spam that is out there but that you cannot normally see. We call it
Dark Spam.

The other day, as you do, we decided to create wildcard MX records for
subdomains of a few of our DNS names. So, for instance, given the
domain example.com, any name below it, e.g. xyz.example.com,
becomes a valid domain for an email address, e.g.
johnsmithsvt@xyz.example.com. We then got our friendly qmail SMTP daemon to
accept mail for those subdomains by adding “.example.com” to its rcpthosts file.
The leading ‘.’ is the important item: it tells qmail-smtpd to accept any
domain ending in .example.com (the bare example.com still needs its own line).
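To make the leading-dot behaviour concrete, here is an added example (not qmail's own source and not code from the original post) that models the decision qmail-smtpd makes against rcpthosts for a RCPT TO address, alongside the wildcard zone fragment that makes every subdomain resolvable. The zone lines, the rcpthosts contents and the sample addresses are all constructed for illustration; the matching rule (exact domain, then every suffix that starts at a dot) is qmail's.

```python
"""Model of qmail-smtpd's rcpthosts decision for a wildcard-subdomain setup.

Added example, not qmail's source. The zone fragment, rcpthosts contents and
addresses below are constructed to match the setup described in the post.
"""

# Constructed zone fragment (BIND syntax). The '*' record gives any name under
# example.com an MX; the apex is not covered by '*' and needs its own record.
WILDCARD_ZONE = """\
example.com.       IN  MX  10 mail.example.com.
*.example.com.     IN  MX  10 mail.example.com.
mail.example.com.  IN  A   192.0.2.25
"""

# Constructed rcpthosts contents. A line with a leading dot matches any domain
# that ends in that string; the bare domain is NOT implied by it.
RCPTHOSTS_WILDCARD_ONLY = ".example.com\n"
RCPTHOSTS_FULL = "example.com\n.example.com\n"


def parse_rcpthosts(text):
    """One domain per line, compared case-insensitively; blank lines ignored."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def rcpthosts_allows(rcpt, hosts):
    """Mirror the check qmail-smtpd applies to RCPT TO:<rcpt>.

    1. An address with no '@' is always allowed (qmail's behaviour).
    2. The domain is accepted if it appears verbatim in rcpthosts.
    3. Otherwise every suffix that begins at a '.' is looked up, so a
       '.example.com' line accepts xyz.example.com and a.b.example.com,
       but not example.com itself and not example.com.evil.org.
    """
    at = rcpt.rfind("@")
    if at == -1:
        return True
    domain = rcpt[at + 1:].lower()
    if domain in hosts:
        return True
    return any(domain[i:] in hosts for i, ch in enumerate(domain) if ch == ".")


def accepted_domains(rcpts, hosts):
    """The sorted set of recipient domains the daemon would take mail for."""
    return sorted(
        r.rsplit("@", 1)[1].lower()
        for r in rcpts
        if "@" in r and rcpthosts_allows(r, hosts)
    )


if __name__ == "__main__":
    hosts = parse_rcpthosts(RCPTHOSTS_FULL)
    for r in ["johnsmithsvt@xyz.example.com", "info@example.com", "x@notexample.com"]:
        print(r, "accepted" if rcpthosts_allows(r, hosts) else "rejected")
```

Running the script with only the dot-prefixed line in rcpthosts shows the pitfall: mail to xyz.example.com is accepted while mail to example.com itself is refused, which is why both lines appear in RCPTHOSTS_FULL.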

The next thing we knew was that loads of spam started arriving.

What is this Dark Spam?

As well as running dictionary attacks on the left-hand (mailbox) part of
an address (sales@, billing@, info@, john@), spammers are doing the same
with the right-hand side, in the hope of finding a valid domain. The obvious
guess is “www”, but if you have ever had URLs published, and therefore
scrapable from the web, you will get spam to those hostnames too. This
includes names such as lists.example.com, cvs.example.com and so on. In fact,
you don’t even need an MX record: an A record and an SMTP service listening
on that host is enough, because a sending MTA falls back to the A record when
no MX exists.
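The two kinds of probing look different in an SMTP log: a mailbox dictionary attack fans out across local parts on one domain, while right-hand-side probing fans out across hostnames under your domain. The following is an added example (not code from the original post) that separates the two over a handful of recipient log lines. Stock qmail-smtpd does not log RCPT TO on its own, so the `ip=... rcpt=<...>` line format, the regex and the sample lines here are constructed; adapt LINE_RE to whatever your daemon or logging patch actually writes.

```python
"""Spot left-hand (mailbox) vs right-hand (hostname) dictionary probing in
SMTP recipient logs.

Added example, not code from the original post. The log format and the lines
themselves are constructed; change LINE_RE to match your daemon's output.
"""
import re
from collections import defaultdict

# Constructed sample: one line per RCPT TO seen, with the connecting IP.
# 203.0.113.5 walks hostnames under example.com (right-hand probing),
# 198.51.100.7 walks mailboxes at the apex (left-hand probing),
# 192.0.2.44 sends one ordinary message.
SAMPLE_LOG = """\
2009-03-02T10:00:01 ip=203.0.113.5 rcpt=<sales@www.example.com>
2009-03-02T10:00:02 ip=203.0.113.5 rcpt=<sales@lists.example.com>
2009-03-02T10:00:03 ip=203.0.113.5 rcpt=<sales@cvs.example.com>
2009-03-02T10:00:04 ip=203.0.113.5 rcpt=<sales@mail.example.com>
2009-03-02T10:00:05 ip=203.0.113.5 rcpt=<sales@ftp.example.com>
2009-03-02T10:00:06 ip=198.51.100.7 rcpt=<sales@example.com>
2009-03-02T10:00:07 ip=198.51.100.7 rcpt=<billing@example.com>
2009-03-02T10:00:08 ip=198.51.100.7 rcpt=<info@example.com>
2009-03-02T10:00:09 ip=198.51.100.7 rcpt=<john@example.com>
2009-03-02T10:00:10 ip=192.0.2.44 rcpt=<john@example.com>
2009-03-02T10:00:11 garbage line that the parser must skip
"""

# Constructed format; the named groups are what the rest of the code relies on.
LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+rcpt=<(?P<local>[^@>]+)@(?P<domain>[^>]+)>")


def parse_rcpts(text):
    """Yield (ip, local_part, domain) for every line the regex recognises;
    lines that do not match are skipped rather than raising."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["local"].lower(), m["domain"].lower()


def profile_senders(text, base_domain):
    """Per source IP, the distinct mailboxes and distinct hostnames addressed
    at base_domain or any name under it. Other domains are ignored."""
    base = base_domain.lower()
    suffix = "." + base
    stats = defaultdict(lambda: {"locals": set(), "hosts": set()})
    for ip, local, domain in parse_rcpts(text):
        if domain != base and not domain.endswith(suffix):
            continue
        stats[ip]["locals"].add(local)
        stats[ip]["hosts"].add(domain)
    return stats


def classify(stats, threshold=3):
    """Label each IP. Hostname fan-out is checked first because a right-hand
    probe usually reuses a single mailbox name (sales@) across hosts."""
    labels = {}
    for ip, s in stats.items():
        if len(s["hosts"]) >= threshold:
            labels[ip] = "rhs-dictionary"
        elif len(s["locals"]) >= threshold:
            labels[ip] = "lhs-dictionary"
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    for ip, label in classify(profile_senders(SAMPLE_LOG, "example.com")).items():
        print(ip, label)
```

The threshold is deliberately low for the constructed sample; on a real log you would tune it per time window and feed the resulting IPs to whatever blocking you already use for mailbox harvesting.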

We’ve labelled this phenomenon “Dark Spam”: spam that is out
there, just waiting to spring into visibility.

Another, more obvious, source of dark spam is dormant domain names.
We once re-established a long-expired domain name and found that,
even after a number of years of non-existence, it was getting more spam
than ever.

However, it is the idea of speculative domain-name guessing by the
spammers, so that spam is ready to arrive as soon as a DNS record
and an SMTP server are set up, that really defines the phenomenon of Dark Spam.
