Blocking domain won't stop spam, Google warned

TrendMicro says blocking an entire second-level domain doesn't solve the problem and hurts genuine sites

Nicole Kobie
11 Jul 2011

Google's move to block malware by dumping "" domains is a "short-term band-aid solution", according to one security firm.

Last week, Google blocked the entire domain, saying its 11 million sites were predominantly malware and spam.

TrendMicro has warned that cyber criminals have already moved on from the second-level domain (SLD), leaving real businesses on that address out of luck.

As a means to protect users, we do not think this is a good solution

"Based on our research and monitoring of malicious domains and cybercrime activity, we know for a fact that all major cybercriminals have already moved from to other similarly abused SLDs like or," said Martin Roesler, director of threat research, in a post on the TrendLabs blog, adding criminals frequently hop from one domain to another.

"As a means to protect users, we do not think this is a good solution," he said.

Instead of blocking an entire block of domains, Google could make a "real and lasting impact" by working more closely with registrars.

"For instance, Google’s massive visibility into the totality of search queries done worldwide can allow it to acquire enough evidence to influence and to put pressure on registrars to pull out SLDs that host malicious activities," he said.

"This is much more effective instead of simply restricting user access to an entire block since we know cybercriminals will just choose to jump SLDs (they are already doing so)," he added. "This also unjustifiably penalises those who are actually using the said SLD for legitimate purposes."

The domain isn't a standard SLD, however. It is technically not an officially authorised SLD but a so-called freehost. A Korean firm owns the "co" part on the .cc domain - a top-level domain (TLD) for the Cocos Islands - and gives domain names away for free or very cheaply, making them ideal for spam and malware.

Top-level troubles

Roesler added that the problem is set to get worse, following the announcement by ICANN that TLDs will be opened up.

"The recent ICANN decision — to add a nearly unlimited number of new top-level domains — will make the problem even more complex in the very near future," he said.

"Add to this the fact that ICANN requires parties interested in becoming a TLD registrar to deposit a certain sum of money in order to get accredited," he added. "Knowing how the cybercriminal mind works, we are pretty sure this is practically an open invitation for cybercrime gangs to launder money while running a completely malicious TLD."

Read more about: