Domains with Arabic, Russian and other characters are now favored by spammers

A security vendor Symantec found that Internationalized Domain Names that include Arabic, Chinese and Russian characters, among others, are increasingly gaining popularity among spammers who use them as a home for penis pill websites.

The availability of such characters gave a new opportunity for spammers to establish spamvertized portals. Symantec intercepted one German language spam message that uses a URL shortening service to redirect to an IDN domain.

Paul Wood of Symantec notes: “The spam itself is fairly normal. It promotes erectile dysfunction drugs, and includes links to a popular URL shortening site… A recipient clicking on one of these links is first redirected to a site with a Cyrillic domain name. This shows a "landing page" for one second and then redirects to a site claiming to be a Swiss pharmacy”

He continues: “Although it is interesting that spammers are using IDN like this, users won't be aware of it unless they pay very close attention to their web browser's address bar while the landing page is being shown”

By using, in this case, a Cyrillic domain name, spammers may make it easier to register more convincing domains. The tactic may decrease hosting costs for penis pill merchants, as Nick Johnston, a senior software engineer at Symantec, explains.

"The main impact of IDN on spam filtering depends on exactly how spammers use IDN," Wood said. "If spammers always include URLs in Punycode form (with a TLD of .xn--p1ai instead of the actual Cyrillic characters .рф) then spam filtering is relatively straightforward. Anti-spam software generally simply needs to be aware that xn--p1ai is a valid top-level domain."

"However, if spammers include IDN URLs not in Punycode, then it's likely that more work could be required, particularly given the various different character encodings that could be used to represent these characters. To convert to IDN, the characters would have to be converted to Unicode and then applying algorithms before finally doing Punycode conversion.”