URL counts climbing rapidly

It is interesting to me to note that our URL scheme (we started using URLs in our own spam filter in 1999) is now one of the major ways spam is detected.  A few new trends have started popping up (stock spam), but for the most part it has been a very effective way to block spam.

Over the past four years we have used our Stop and Dig system to pause inbound email and crawl the site in question before deciding whether to send the email through.  This used to be very effective, but lately the effectiveness has dropped.  That spawned the question in my mind: why?

It is no secret that spammers adapt.  They are a great study in social Darwinism in their ability to adapt incredibly rapidly.  Over the past 6 months we have seen more and more zombie machines (machines infected by malware or viruses).  Recently some of the spammers have been setting up DNS records for these zombie machines.  That is amazing to me.  They know that any link to a bare IP address will probably be ignored, so they set up a bogus domain and have the www record point to an infected machine.  This tells me a couple of interesting things: #1, they have had control of the box for quite some time, and #2, they know the machine is on 24 hours a day.

We track the number of URLs we see in email by breaking them down into 15-minute intervals.  Over the past year that number has grown dramatically.  We used to see 100-150 per 15 minutes.  Over the past month we have seen an average of 550-650 new domains per 15 minutes.  Think about that.  That is 52,000+ new domains in a single day, and these are just the ones we see from our spam traps and customers!  The vast majority of them are kited domains (they have not been paid for and never will be).

Over 80% of these domains no longer exist within 72 hours.  Spammers know that traps will pick them up and they will be blocked.  So they simply let the reservation period on the domain expire and never bother to pay for it.  Why do registrars still allow this type of behavior?  Simple: money.  They are getting a flat monthly fee from these spammers to be "an affiliate" for registrations.  Yea, right.  They are paying for the ability to kite domains.  Some spammers pay as much as $125,000 per month for the ability to register and dump as many domains as they want.

There may be a time when an effective anti-spam technique is simply to ensure the linked domain has been registered for more than 6 months.  That will slow down the spammers, but it will hurt new legitimate users as well.  Something to think about.
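As an added example (not code from the original post or from the author's filter), here is a toy version of the domain-age check described above, together with the per-15-minute tallying of new domains from earlier in the post.  The domain names and registration dates are constructed stand-ins for a WHOIS or registry lookup, and the 180-day threshold is the post's "more than 6 months".

```python
"""Toy domain-age filter: URLs pointing at young or unknown domains are flagged,
and first-seen domains are tallied per 15-minute bucket, as in the post."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed stand-in for a WHOIS/registry lookup; these are not real domains.
REGISTRATION_DATES = {
    "example-shop.test": datetime(2006, 11, 2),   # long-lived, legitimate-looking
    "qwzpxl-deals.test": datetime(2007, 6, 29),   # registered yesterday
    "frmx-pharma.test": datetime(2007, 6, 30),    # registered today
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MIN_AGE = timedelta(days=180)  # the post's "more than 6 months" threshold

def extract_domains(body):
    """Return the set of host names linked from a mail body, lower-cased, 'www.' stripped."""
    domains = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            host = host.lower()
            domains.add(host[4:] if host.startswith("www.") else host)
    return domains

def domain_age(domain, now, lookup=REGISTRATION_DATES):
    """Registration age as a timedelta, or None when the registry has no record."""
    registered = lookup.get(domain)
    return now - registered if registered else None

def classify(body, now, lookup=REGISTRATION_DATES, min_age=MIN_AGE):
    """('spam', domain) for the first unknown or too-young domain, else ('pass', None).
    Note the trade-off the post raises: a brand-new legitimate site is flagged too."""
    for domain in sorted(extract_domains(body)):
        age = domain_age(domain, now, lookup)
        if age is None or age < min_age:
            return "spam", domain
    return "pass", None

def bucket_new_domains(observations):
    """Count never-before-seen domains per 15-minute bucket.
    observations: iterable of (datetime, domain) pairs, in any order."""
    seen, counts = set(), {}
    for ts, domain in sorted(observations):
        if domain in seen:
            continue
        seen.add(domain)
        bucket = ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```

A real deployment would replace the dictionary with a cached registry lookup and would need the allow-list the post implies, since otherwise every newly launched legitimate site is treated as kited.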

posted on Saturday, June 30, 2007 7:04 PM

Copyright © 2007 Emerald Technology, Inc.