Here's a top tip: Don't trust the new person – block web domains less than a month old. They are bound to be dodgy

IT admins could go a long way towards protecting their users from malware and other dodgy stuff on the internet if they ban access to any web domain less than a month old. This advice comes from Unit 42, the security branch of networking house Palo Alto Networks. To be exact, the recommendation is that any domain created in …

  1. Anonymous Coward

    How do you tell their age?

    You'd need to do it in an automated fashion, but it would make more sense to block them in the browser and make you click through to view them than for IT admins to do the blocking.

    Though I imagine if it became widespread people with dodgy domains would just register them sooner and let them sit before using them...

    1. jake Silver badge

      Re: How do you tell their age?

      "it would make more sense to block them in the browser and make you click through to view them than for IT admins to do the blocking."

      No. These are work machines, not your personal play toy. The company decides what is allowed, not you.

      1. Anonymous Coward

        Re: How do you tell their age?

        The company can control browser configuration, or they can add additional blocking if they deem it necessary. But it isn't like only corporations would be interested in blocking web sites that are highly likely to be scams.

      2. Cederic Silver badge

        Re: How do you tell their age?

        Why shouldn't the company decide that they trust their staff to determine, having been warned, whether a site is sensible to access or not?

        1. Charles 9 Silver badge

          Re: How do you tell their age?

          Because, more often than not, their trust has been betrayed. Worse, the betrayal tends to happen in positions not conducive to forceful termination (Meaning, what do you do when it's the people up top that demand the insecurity?).

      3. Anonymous Coward

        Re: How do you tell their age?

        If I need to access a certain site because of my job, it's my call on whether to do so, not some admin somewhere who has set global rules for everyone and hasn't a clue what my job entails.

        Fortunately, I'm employed at a place where I'm trusted, and not treated as a kid being babysat.

        The fact that you assume that all employees who don't want the hassle of draconian rules made by someone outside their department are automatically "just playing" speaks volumes about you!

        1. This post has been deleted by its author

          1. Charles 9 Silver badge

            Re: How do you tell their age?

            I thought the most dangerous ones are the hopelessly IT-illiterate who also happen to be over IT's head. They're the type who can say, "Who hired this clown?" and get his way.

      4. Anonymous Coward

        Re: How do you tell their age?

        > No. These are work machines, not your personal play toy. The company decides what is allowed, not you.

        Funny, isn't it? We hear this kind of talking down to non-IT people all the time, like they're naughty children who should sit in the sweat shop and keep working. However, walk over to the IT department, and everyone seems to have two monitors, one of which is almost invariably filled with the mid-purchase web flow of bike parts.

    2. jake Silver badge

      Re: How do you tell their age?

      "if it became widespread people with dodgy domains would just register them sooner and let them sit before using them..."

      Probably not. These people are in-and-out, the concept of having a bunch of inventory to keep track of is alien to them.

      1. Anonymous Coward

        Re: How do you tell their age?

        OK, but if there was a profit in there you can be damn sure that someone WILL do this.

        In that case I would look at the last registrar transfer date because they will not sell such a domain from their account as any sane registrar (aka anyone but GoDaddy or Network Solutions) would spot the trend eventually.

        1. Michael Wojcik Silver badge

          Re: How do you tell their age?

          Exactly. Attackers registering domains for phishing and typosquatting and the like put them into play immediately because there's no reason not to. If enough people follow Unit 42's advice, we'll just see another service category added to the hacker forums: trade in idle pre-registered domains.

          And, of course, jake's claim doesn't hold much water. Many of the major independent players in IT crime do have "inventory" and manage significant, long-lasting pools of resources. Anyone who pays attention to a decent IT security news source (RISKS, SANS Newsbites, Krebs, Schneier, Threatpost, ...) knows that. And the APT groups, which are mostly government-affiliated, most certainly do.

    3. storner
      FAIL

      Re: How do you tell their age?

      "block them in the browser and make you click through"

      Ordinary users click on anything. It's a no-brainer (literally).

  2. Headley_Grange Silver badge

    ICU Pro

    I've already blocked emails from the .ICU domain because 99% of spam I got for a few weeks was from them and contacting the registrar didn't help. This week I've started to get the same spam from .PRO sites, so it looks like that domain will be next.

    The sites are all made up of two words, oakfill, radicalsurgeon, ribbonrequest, etc., so I assume there's an automated registration system based on word lists. I don't see how they could do this without the connivance of the registrars.

    1. Anonymous Coward

      Re: ICU Pro

      "The sites are all made up of two words..."

      Yep, I've been seeing a lot of this as well.

      Here's a list of sites I found hidden in the /res/raw directory of a dodgy Android app:

      liarliberty, librarylicense, lifelift, lightlike, limblimit

    2. hakuli

      Re: ICU Pro

      "The sites are all made up of two words, oakfill, radicalsurgeon, ribbonrequest, etc., so I assume there's an automated registration system based on word lists. I don't see how they could do this without the connivance of the registrars."

      I, perhaps wrongly, assumed the sender domains were simply being spoofed. I've never bothered to verify they exist, though, just chucked them straight on the block list...

      1. Michael Wojcik Silver badge

        Re: ICU Pro

        I've never bothered to verify they exist, though, just chucked them straight on the block list...

        Indeed. I've been too lazy to do this systematically (and I don't have enough control over the corporate email system to fix it once and for all with a trivial regex), but whenever I see even a single message from any of the new gTLDs I just blacklist the whole TLD. The probability of legit business email coming from one of those is zero, to a first approximation.

        I haven't bothered blocking URLs yet, because that hasn't been a problem for me (other safe browsing habits, etc), and browser extensions handle a lot of that dreck anyway. But it'd be easy enough to do.

        1. Jamie Jones Silver badge

          Re: ICU Pro

          A lot of them do tend to exist. I had a bunch of about 30 hit my system.

          Although they came from various different virtual host providers, different domains (also made out of 2 random words) and the advertised products weren't linked, it was obviously a campaign from the same outfit.

          The domains existed, and had valid SPF records, they also had valid DKIM records, but their return mail servers weren't accepting return mail.

          For only a few quid for a domain, hosted on some pay-per-hour service, you can pass all the SPF/DKIM/greylisting systems out there.

  3. rcxb Silver badge

    It's just a question of letting somebody ELSE get in trouble first. Then THEY get scammed, THEY report the domain to the authorities and it gets taken down. If everybody blocked domains for the first month, we'd all be right back in the same position, equally vulnerable.

    You'll miss out on current events, as political campaigns, major sporting events or the like result in domains being spun up quickly and getting flooded with traffic.

    And saying it's suspicious because it's parked or doesn't have much content? That's entirely to be expected.

    1. jake Silver badge

      "You'll miss out on current events"

      Some would say that is a GOOD thing. Short attention span theater might work well for sit-coms, but in RealLife it's pretty much a waste of time.

    2. Just Enough

      "It's just a question of letting somebody ELSE get in trouble first."

      Well isn't that the case for most security measures? All you're doing is protecting yourself and encouraging the criminals to move on to the next guy, who may not be so secure.

      >we'd all be right back in the same position, equally vulnerable.

      Security is a constantly evolving situation. There is almost never a forever-fix. Every measure you employ simply encourages criminals to seek out a weakness elsewhere.

      1. rcxb Silver badge

        Well isn't that the case for most security measures? All you're doing is protecting yourself and encouraging the criminals to move on to the next guy, who may not be so secure.

        No. It's more a matter of increasing the cost of intrusions, so that the payoff isn't worth the added effort. If everybody hardened their systems, it wouldn't just raise the tide, it would reduce the risk for all, and seriously undercut organized crime.

    3. Michael Wojcik Silver badge

      You'll miss out on current events, as political campaigns, major sporting events or the like result in domains being spun up quickly and getting flooded with traffic.

      Do they? And do those new domains have anything of importance (leaving aside sporting events, which I regard as the very nadir of interest)? Because I've had web access since the first Mosaic release and I cannot recall ever having to go to a site in a brand-new domain for anything I needed or wanted to know.

      I suppose it's conceivable that once in a while a new domain will host something worthwhile in its first month of existence. It's even conceivable that I would 1) hear about that, and 2) be sufficiently curious that I'd actually want to visit the site in that interval. But it seems surpassingly unlikely.

      Certainly I would not "miss out on current events", which - last I checked - are still covered adequately by reputable media sources, if those events are of any interest whatsoever. And, often, even if they aren't (see "sporting events").

      1. wayne 8

        "<randompolitco>.org"

        Never, ever going to click on some "<randompolitco>.<tld>"

        Have we not learned from the 80 yr old web site designer's scams?

        Then there are the scams by the "legitimate" political parties.

        "Send us money, we will work for you!" With a value for "you" that is the name of a third party that remains nameless due to anti free speech laws.

  4. jake Silver badge

    One word:

    Duh!

    I've been doing this for years ... but I put 'em on hold for two months, not one. Result: Uncounted scams&etc bypassed and only a couple of complaints, all of which were people unable to access their own vanity domains from work.

    1. Anonymous Coward

      Re: One word:

      How many users? How many distinct user populations with their own sets of, e.g., web or mail requirements? Honest question. 5 - 10k range here, and countless user groups; this wouldn't fly for us. (There's also the small matter that IT is barely above "Chicken Soup Machine Nozzle Engineer, Class 2" in the corporate hierarchy.)

    2. Anonymous Coward

      Re: One word:

      I filter a million accesses a day - how are you doing this lol.

      Yes it'd make more work for me especially when we launch a new site ourselves but there's potential to save on a few problems each month for IT colleagues.

    3. Anonymous Coward

      Re: One word:

      Not new news. 15-odd years ago I wrote a program which scanned my emails for URLs, did a whois lookup on the domain, and if it was registered within the past month or so, deleted the email as spam.

      Back then, with email, the spammy domains were typically less than a week old, and commonly only a day or two when the email was sent.

      1. Anonymous Coward

        Re: One word:

        There's no standard format for whois information and a hell of a lot of domain suffixes out there. So what do you do with the ones you're not sure how to get the reg date? Do you ban everything else?
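One way to do the check described two posts up, written as an added example that is not code from the article, from Unit 42 or from anyone in the thread: it pulls the creation date out of WHOIS text in several registry label and date styles, or out of an RDAP response (the structured JSON successor to WHOIS, where the date is the "registration" event), and returns a verdict. Because, as the reply above says, there is no standard WHOIS format, the parser returns None when it finds nothing and the caller chooses whether unknown age fails open or closed. The domain names, timestamps and registry snippets below are constructed, and REFERENCE_NOW is a fixed instant so the demo is deterministic.

```python
"""Domain-age check from WHOIS text or RDAP JSON (added example)."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Fixed reference instant so the demo is deterministic; real code would
# pass datetime.now(timezone.utc) instead.
REFERENCE_NOW = datetime(2019, 9, 20, tzinfo=timezone.utc)

# Labels under which registries and registrars print the creation date.
# Longer alternatives come first so "Created On" is not consumed as "Created".
_LABEL_RE = re.compile(
    r"^[ \t]*(?:Creation Date|Created On|Created|Registered on|"
    r"Domain Registration Date|Registration Date)[ \t]*[:.][ \t]*"
    r"(?P<date>.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Date formats met in practice; the first is the ICANN gTLD standard.
_DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",
    "%Y-%m-%dT%H:%M:%S.%fZ",
    "%Y-%m-%dT%H:%M:%S%z",      # explicit offset, e.g. +02:00
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d",
    "%d-%b-%Y",                 # 05-Aug-2019, Nominet .uk style
    "%d.%m.%Y",                 # 05.08.2019, some ccTLD registries
    "%Y/%m/%d",
)


def parse_date(text: str) -> Optional[datetime]:
    """Return an aware UTC datetime, or None if no known format matches."""
    text = re.sub(r"\s*(?:UTC|GMT)$", "", text.strip(), flags=re.IGNORECASE)
    for fmt in _DATE_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    return None


def creation_date_from_whois(whois_text: str) -> Optional[datetime]:
    """First creation-date line whose value we can parse, else None."""
    for match in _LABEL_RE.finditer(whois_text):
        dt = parse_date(match.group("date"))
        if dt is not None:
            return dt
    return None


def creation_date_from_rdap(rdap_json: str) -> Optional[datetime]:
    """RDAP (RFC 9083): the creation date is the 'registration' event."""
    try:
        doc = json.loads(rdap_json)
    except ValueError:
        return None
    for event in doc.get("events", []):
        if event.get("eventAction") == "registration":
            return parse_date(str(event.get("eventDate", "")))
    return None


def verdict(created: Optional[datetime], now: datetime,
            min_age_days: int = 30, block_unknown: bool = True) -> str:
    """'block' if younger than min_age_days, or age unknown and block_unknown."""
    if created is None:
        return "block" if block_unknown else "allow"
    return "block" if (now - created).days < min_age_days else "allow"


# Constructed samples: ICANN-style gTLD output, Nominet-style .uk output,
# an RDAP document and a "no such domain" answer (no real lookups made).
SAMPLE_GTLD = """\
Domain Name: OAKFILL.ICU
Updated Date: 2019-09-02T10:11:12.0Z
Creation Date: 2019-09-01T09:00:00.0Z
Registry Expiry Date: 2020-09-01T09:00:00.0Z
"""
SAMPLE_UK = """\
    Domain name:
        example-lift.co.uk

    Registered on: 05-Aug-2019
    Expiry date:  05-Aug-2020
"""
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain", "ldhName": "radicalsurgeon.pro",
    "events": [{"eventAction": "registration", "eventDate": "2019-09-10T00:00:00Z"},
               {"eventAction": "expiration", "eventDate": "2020-09-10T00:00:00Z"}],
})
SAMPLE_NXDOMAIN = 'No match for domain "RIBBONREQUEST.PRO".\n'

if __name__ == "__main__":
    for name, created in (
        ("oakfill.icu", creation_date_from_whois(SAMPLE_GTLD)),
        ("example-lift.co.uk", creation_date_from_whois(SAMPLE_UK)),
        ("radicalsurgeon.pro", creation_date_from_rdap(SAMPLE_RDAP)),
        ("ribbonrequest.pro", creation_date_from_whois(SAMPLE_NXDOMAIN)),
    ):
        print(f"{name:20} created={created} -> {verdict(created, REFERENCE_NOW)}")
```

In production the text would come from a `whois` query or an RDAP GET against the registry's base URL, and the result should be cached per registrable domain: registries rate-limit heavily, and a filter that does a live lookup per URL in every mail will be throttled into uselessness. The fail-closed default for unknown ages is a policy choice; a ccTLD whose registry redacts or omits the creation date will be blocked under it, which is exactly the question the reply above raises.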

  5. steward
    Stop

    This should escalate the price...

    ...of parked domains > 2 mos. old.

    End of solution.

    1. januschr

      Re: This should escalate the price...

      Yup. Once implemented it will last exactly two months before the scammers have caught up. Scammers can just buy a small handful of domains every day so that they will always have a batch of "fresh" old domains ready.

      1. Joe Harrison

        Re: This should escalate the price...

        I have a master plan to defeat the two-monther scams - I will wait three months.

  6. RainCaster

    Where is the list server?

    I get my BLs from a number of places, but I don't know of one that follows this guideline.

    1. Richard 12 Silver badge

      Re: Where is the list server?

      It's blocked until the 23rd of September

  7. Orv

    I'd also suggest blocking any email with a link to a .info domain.

    1. Mike 16 Silver badge

      Dodgy .info?

      Blocking *.info would be a real inconvenience for me. ibm-1401.info is just my cup of tea. Blocking email from there might be annoying, although not nearly as annoying as preventing my reading of the website.

      Of course, I'm just a geezer, and don't have an employer, other than She Who Writes the To Do List.

      1. Orv

        Re: Dodgy .info?

        Huh. I think that is literally the first legit use of .info I've ever seen.

        I've always seen registrars offering deals where you could get .info domains for ridiculously low prices, so I'm not too surprised most of them are junk.

        That one is cool though.

  8. bpfh
    Paris Hilton

    .xyz is on my postfix header check rules

    Never seen a website with this tld in the wild but a lot of dodgy mails have it in their headers.

    Anyone know if you can do an nslookup and pull the registered-since field via Whois - and are we allowed to do this after GDPR?

    1. Anonymous Coward

      Re: .xyz is on my postfix header check rules

      "Anyone know if you can do an nslookup and pull the registered-since field via Whois - and are we allowed to do this after GDPR?"

      It probably wouldn't tell you much information if you did anyway.

      Most dodgy sites use services to hide the true source such as Perfect Privacy LLC.

      1. Anonymous Coward

        Re: .xyz is on my postfix header check rules

        That's no issue - the 'registered since' date will still be valid, private registration or not.

    2. DaveEdi

      Re: Where do you put those hard drives?

      cidr.xyz is actually really useful.

    3. katrinab Silver badge

      Re: .xyz is on my postfix header check rules

      abc.xyz is Google's parent company, but other than that, I agree.

      1. Michael Wojcik Silver badge

        Re: .xyz is on my postfix header check rules

        Shrug. I don't need to get email from Alphabet, even assuming they're foolish enough to use that domain for their MX. (Which, apparently, they are, judging from the single email address I found in a few minutes of skimming the parts of the site which are accessible with scripting disabled.)

    4. Anonymous Coward

      Re: .xyz is on my postfix header check rules

      An acquaintance registered a .xyz for a music blog and the trouble he has had has been unreal. Of course, him not being familiar with spam domains and his registrar not giving any inkling .xyz would be a problem, he is not best pleased.

      Soundcloud blocked him registering/changing his E-Mail and the tech he spoke to "helpfully" told him there had been spam from his domain and that he should use a different E-Mail provider. A great example of blanket-blocking with no capability for exceptions or real understanding of why it doesn't work.

  9. Richocet

    A few thoughts to consider

    Google gives established sites a higher search ranking, so it's difficult for a person to stumble across a new domain by searching.

    New sites are quite suspicious, and when people click in links in emails or are redirected to those sites, or get emails from that domain, that is a strong cause for suspicion.

    Having a parked domain is not in itself suspicious. I bought one for my sole trader contractor business and was too busy to add content for 6 months.

    Current events and new info is primarily going to come from news sites, social media etc. Updates to existing domains won't be affected, so there are minimal issues with blocking new domains. But examples will emerge if blocking based on time is implemented. One example could be a legitimate business registers a new domain for a marketing microsite (because why update an existing site with a strong Google ranking?). It is launched at the very last minute (probably by people working past midnight). If it was widely blocked for the remainder of the month since it was registered this would be a disaster for the company who commissioned it.

    Google's approach of weighting established sites more highly, as one factor amongst many is probably the best.

    And yes, scammers will adapt. The only permanent impact will be reduced agility to respond to events.

  10. Mr Anonymous

    Wow, what amazing research...

    You almost wouldn't realise this has been known about for years.

    Startpage search for the following RBLs, Day Old Bread, SEM have several age lists 5,10, 15 day etc, SURBL Fresh. If your firewall or mail server can use RBLs you can filter these or score them in Spamassassin.

    1. Tom Paine

      Re: Wow, what amazing research...

      Where's the SpamAssassin for HTTPS?

      1. e^iπ+1=0

        Where's the SpamAssassin for HTTPS?

        Couldn't you somehow automagically turn the spamassassin list into a hosts file pointing at 127.0.0.1 to feed into your DNS servers?
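The hosts-file idea above, and the whole-TLD bans with their exceptions (abc.xyz, cidr.xyz) discussed in the .xyz thread, can be expressed together as a small policy object that renders to resolver configuration. This is an added example and not code from the article or from anyone in the thread; the blocked names, TLDs and allowlist entries are constructed from domains mentioned in the thread, and it assumes dnsmasq as the resolver (the RBL zones mentioned above are a hosted alternative to maintaining the list yourself).

```python
"""Domain and TLD blocklist with an allowlist, rendered for /etc/hosts and
dnsmasq (added example)."""
import re
from typing import Iterable, List

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(name: str) -> str:
    """Lower-case, drop a trailing dot, convert IDNs to the A-label form
    the resolver actually sees, and reject anything that is not a hostname."""
    name = name.strip().lower().rstrip(".")
    try:
        name = name.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"invalid domain {name!r}") from exc
    if not name or not all(_LABEL_RE.match(label) for label in name.split(".")):
        raise ValueError(f"invalid domain {name!r}")
    return name


def _covers(parent: str, name: str) -> bool:
    """True if name is parent or lies under it (suffix match on a label boundary)."""
    return name == parent or name.endswith("." + parent)


class Policy:
    def __init__(self, blocked_domains: Iterable[str], blocked_tlds: Iterable[str],
                 allowlist: Iterable[str]) -> None:
        self.blocked_domains = {normalise(d) for d in blocked_domains}
        self.blocked_tlds = {normalise(t.lstrip(".")) for t in blocked_tlds}
        self.allowlist = {normalise(a) for a in allowlist}

    def is_blocked(self, name: str) -> bool:
        name = normalise(name)
        # Exceptions win, so abc.xyz and its subdomains survive a .xyz ban.
        if any(_covers(a, name) for a in self.allowlist):
            return False
        if name.rsplit(".", 1)[-1] in self.blocked_tlds:
            return True
        return any(_covers(b, name) for b in self.blocked_domains)

    def hosts_lines(self, sink: str = "0.0.0.0") -> List[str]:
        """/etc/hosts matches exact names only: no wildcards, so a TLD ban
        cannot be written here and www.oakfill.icu is not covered by an
        oakfill.icu entry. 0.0.0.0 fails fast; 127.0.0.1 would hand the
        request to whatever happens to listen on the local machine."""
        names = sorted(d for d in self.blocked_domains
                       if not any(_covers(a, d) for a in self.allowlist))
        return [f"{sink} {d}" for d in names]

    def dnsmasq_lines(self, sink: str = "0.0.0.0") -> List[str]:
        """address=/x/ip answers x and every subdomain, and works for a bare
        TLD; server=/x/# forwards x and its subdomains to the normal upstream.
        dnsmasq applies the most specific matching domain rule, which is how
        an allowlisted name punches through a TLD ban."""
        lines = [f"address=/{d}/{sink}"
                 for d in sorted(self.blocked_tlds | self.blocked_domains)]
        lines += [f"server=/{a}/#" for a in sorted(self.allowlist)]
        return lines


# Constructed policy from names that came up in the thread.
POLICY = Policy(
    blocked_domains=["oakfill.icu", "ribbonrequest.pro", "lifelift.pro", "LiarLiberty.info."],
    blocked_tlds=[".xyz", "icu"],
    allowlist=["abc.xyz", "cidr.xyz"],
)

if __name__ == "__main__":
    for name in ("abc.xyz", "notabc.xyz", "www.lifelift.pro", "ibm-1401.info"):
        print(f"{name:18} blocked={POLICY.is_blocked(name)}")
    print("\n".join(POLICY.hosts_lines()))
    print("\n".join(POLICY.dnsmasq_lines()))
```

The hosts-file output is deliberately the weaker of the two: it cannot express a TLD ban or an exception at all, which is why the thread's "feed it into your DNS server" step matters if the list contains anything broader than individual hostnames.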

  11. Anonymous Coward

    Hmmmm

    They maybe onto something.

    Blocking new domains for the first few months is a start. Once people get used to the idea, start blocking all of the crap TLDs too.

    If the people looking after the domain name space wont look after it, maybe some consumer pushback might help focus their attention?

    I realise this will inconvenience some people/organisations (advertising and marketing?) but I’m not seeing a lot of downside that a little patience can’t address.

    1. jake Silver badge

      Re: Hmmmm

      "Once people get used to the idea, start blocking all of the crap TLDs too."

      Start? Already done, by many people, in many places.

    2. Doctor Syntax Silver badge

      Re: Hmmmm

      "I realise this will inconvenience some people/organisations (advertising and marketing?) but I’m not seeing a lot of downside that a little patience can’t address."

      I can't see any downside at all to inconveniencing spammers advertising and marketing.

  12. Henry Wertz 1 Gold badge

    yes

    Yes. Dodgy sites plus domain parkers, and so on. Sounds like a fine idea to me. A new business or like a movie site from a ad or whatever will probably have a domain bought up more than 32 days ahead of time I assume.

  13. T. F. M. Reader Silver badge

    Out of methodological curiosity...

    What are the statistics for domains that are between 3M and 1Y old? Between 1Y and 3Y old? Are the counts statistically different? Are they practically different (not the same thing)?

    Inquiring minds want to know...

  14. Blackjack Silver badge

    Old websites are still a risk

    Any old website that has not been updated in years can easily be taken over and infected with malware.

    In fact infecting old websites that have been abandoned but are still online for some reason might even be easier and cheaper.

  15. Anonymous Coward

    Not just age, but content turnover ....

    although you are basically starting to ape Google's page ranking engine ...

  16. lglethal Silver badge
    Go

    OK for those of us not on the IT coalface, but would like to implement this at home, how do we do it? Any chance there's a setting in Firefox that makes this easy?

    1. Pascal Monett Silver badge

      I have a setting in my brain that makes it easy : don't click on dodgy links.

      I never click on a bit.ly link or any other shortened link. I distrust those by default. I always check where the link goes and if it doesn't go to somewhere logical or reasonable, I don't click.

      Of course, all that means that I'm not part of those people who just blindly click, then belatedly wonder how their computer got hacked.

      1. Aleph0

        How do you do it on a phone/tablet? AFAIK there's no way to see the target URL...

        1. e^iπ+1=0

          How do you do it on a phone/tablet?

          Try long push then "copy link" and paste into your fave text editor. May be browser / OS dependent.

        2. katrinab Silver badge

          On iPad, a long tap gives you a menu, with the URL at the top.

      2. Anonymous Coward

        Aren't you amazing Pascal, however this is a tech site focused towards the big boys who look after tens, hundreds and thousands of users and the OP was looking for a way to protect them, not just the IT literate.

    2. Headley_Grange Silver badge

      Little Snitch

      Little Snitch (Mac) allows incoming and outgoing connections to websites and domains to be blocked for individual, or all, applications. It's not free.

    3. Anonymous Coward

      for laptops/desktops google 'hosts file block list'

      for Android there are tools like 'NoRoot Firewall' that create a dummy VPN to trap and filter the traffic

      1. Charles 9 Silver badge

        Which is no good if you're already going through a VPN, as Android doesn't support VPN chaining.

  17. 0laf Silver badge
    Happy

    Easier to do than I thought

    Quick Google implies that most web filters will have this on almost be default or will at least have this as an option.

    TBH sounds like a no-brain option (like blocking most TLDs really and unblocking by exception). I just need to check we're doing it.

  18. lowjik

    All well and good but ...

    When you work at, say, a digital agency and your local IT security team insist on using Cisco Umbrella DNS - then every new domain you register in order to build and launch a shiny new website for a client is rendered un-render-able to everyone on site as it's seen as malicious. So you now have to whitelist every domain you register to avoid a cryptic, hard to debug (can't support https - natch) issue every FSCKing time

    I think to be fair Umbrella sees POSTs going off to a newly seen domain name and thinks "Aha - baddies" which i guess is reasonable until you factor in our use case

    1. Twanky

      Re: All well and good but ...

      So you add the whitelisting step to your new domain registration process... You *do* have a new domain registration process, right?

  19. Harry Stottle

    Blocking ALL new websites is over-reach

    by all means, provide prominent warning that the site is new, and as yet, not widely trusted and should be treated with caution. After that, it's caveat emptor...

    1. Charles 9 Silver badge

      Re: Blocking ALL new websites is over-reach

      Now when you have Joe Stupids under your administration...especially ones over your head.

  20. Anonymous Coward

    Nah, it's much easier

    Any IP address that is registered to OVH can safely be filtered out. From the occasional analysis of my 404 and failed logon logs, that would rid me of some 85% of breach attempts.

    Personally I wouldn't mind a filter that would strip out all hosting facilities - that's not where real end users' traffic would originate from anyway.

    1. bpfh

      Re: Nah, it's much easier

      Ah, be nice, I think my server is with OVH. I’m doing my best to clean up my part of the cesspool! Then again, the amount of emails I currently send is counted in dozens per month...

  21. Anonymous Coward

    Har har!

    Any more bad advice they would like to share? :-)

Biting the hand that feeds IT © 1998–2021