> Numerous (as in "at least hundreds, probably more") spam gangs are
> purchasing domains and "burning through" them in spam runs. In many
> cases, there's a pattern to them; in others, if there's a pattern,
> it's not clear to me what it might be.

From my point of view, "pattern" is which registrars are getting the buys,
for which registries, where the ns's are hosted, and for domains used in
the return value side, hosting details. The latter to reduce to RIR CIDRs.
There is more, but that is the first cut, localization of registrar(s) and
registries and CIDRs.

> This bunch prefers domains in .info -- no doubt motivated in part by things
> like the recent $1.95 sale on such domains.

OK. Now you've identified price as a significant control variable. There are
registrars that don't sell .info. I don't. There are registrars that don't
sell directly to registrants. I can think of half a dozen of us who only
sell to corporations and bona fide people who buy reasonable names.
Transcendental numbers in decimal character form are "reasonable". Your
two example sets are not "reasonable".

> The dirty little secret is that all this activity on the part of spammers
> is a gold mine for registrars.

This isn't going to make me think you can add or subtract.

> It's gotten so bad that -- to a darn good first approximation -- if you
> find a domain in the .biz or .info TLDs

I agree, and don't sell .biz, .info or .name, or .cc or .tv or .bz or any
of the obvious repurposed cctlds, with the exception of my friend Bill
Semich's .nu, which actually means something in Sweden for local reasons.
I do plan to sell .aero, .coop and .museum, however.
In case it is inobvious, there is a possibility that part of _your_
problem (and a big part of my problems) can be placed at the figurative
"door" of a 501(c)(3) located in California.

> The answer? (1) no obfuscated registrations (2) mass, fast, permanent
> confiscation of spammer domains (3) requirement for reasonably correct
> domain registration info ... and (4) publication of all WHOIS data in
> a simple, easily parseable form ...

Nothing in this laundry list that makes the cost of bad business for my
competitors rise, see add and subtract, above.
Try the following: 1,$s/registrars/isp/g and 1,$s/registry/rir/g, and
1,$s/domain/ipv4_addr/. If you're still keen on your approach, then it
might be a good one.
I've replied after removing your personal identifiers back to NANOG.
I appreciate the data, but I want the discourse to be multicast.