Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.
Figure 1. .pw TLD spam message increase
Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada.
Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. The top 25 subject lines from .pw URL spam from May 1, 2013 were:
In addition to creating anti-spam filters as needed, Symantec has been in contact with Directi and working with the registry to report and take down the .pw domains associated with spam. Symantec believes that collaborating with the registry is a more progressive and holistic approach to solving this problem.