Here's a top tip: Don't trust the new person – block web domains less than a month old. They are bound to be dodgy IT admins could go a long way towards protecting their users from malware and other dodgy stuff on the internet if they ban access to any web domain less than a month old. This advice comes from Unit 42, the security branch of networking house Palo Alto Networks. To be exact, the recommendation is that any domain created in …
You'd need to do it in an automated fashion, but it would make more sense to block them in the browser and make you click through to view them than for IT admins to do the blocking.
Though I imagine if it became widespread people with dodgy domains would just register them sooner and let them sit before using them...
If I need to access a certain site because of my job, it's my call on whether to do so, not some admin somewhere who has set global rules for everyone and hasn't a clue what my job entails.
Fortunately, I'm employed at a place where I'm trusted, and not treated as a kid being babysat.
The fact that you assume that all employees who don't want the hassle of draconian rules made by someone outside their department are automatically "just playing" speaks volumes about you!
This post has been deleted by its author
> No. These are work machines, not your personal play toy. The company decides what is allowed, not you.
Funny isn't it, we hear this kind of talking down to non-IT people all the time, like they're naughty children who should sit in the sweat shop and keep working. However, walk over to the IT department, and everyone seems to have two monitors one of which is almost invariably filled with mid-purchase web flow of bike parts.
OK, but if there was a profit in there you can be damn sure that someone WILL do this.
In that case I would look at the last registrar transfer date because they will not sell such a domain from their account as any sane registrar (aka anyone but GoDaddy or Network Solutions) would spot the trend eventually.
Exactly. Attackers registering domains for phishing and typosquatting and the like put them into play immediately because there's no reason not to. If enough people follow Unit 42's advice, we'll just see another service category added to the hacker forums: trade in idle pre-registered domains.
And, of course, jake's claim doesn't hold much water. Many of the major independent players in IT crime do have "inventory" and manage significant, long-lasting pools of resources. Anyone who pays attention to a decent IT security news source (RISKS, SANS Newsbites, Krebs, Schneier, Threatpost, ...) knows that. And the APT groups, which are mostly government-affiliated, most certainly do.
I've already blocked emails from the .ICU domain because 99% of spam I got for a few weeks was from them and contacting the registrar didn't help. This week I've started to get the same spam from .PRO sites, so it looks like that domain will be next.
The sites are all made up of two words, oakfill, radicalsurgeon, ribbonrequest, etc., so I assume there's an automated registration system based on word lists. I don't see how they could do this without the connivance of the registrars.
"The sites are all made up of two words, oakfill, radicalsurgeon, ribbonrequest, etc., so I assume there's an automated registration system based on word lists. I don't see how they could do this without the connivance of the registrars."
I, perhaps wrongly, assumed the sender domains were simply being spoofed. I've never bothered to verify they exist, though, just chucked them straight on the block list...
I've never bothered to verify they exist, though, just chucked them straight on the block list...
Indeed. I've been too lazy to do this systematically (and I don't have enough control over the corporate email system to fix it once and for all with a trivial regex), but whenever I see even a single message from any of the new gTLDs I just blacklist the whole TLD. The probability of legit business email coming from one of those is zero, to a first approximation.
I haven't bothered blocking URLs yet, because that hasn't been a problem for me (other safe browsing habits, etc), and browser extensions handle a lot of that dreck anyway. But it'd be easy enough to do.
Alot of them do tend to exist.. I had a bunch of about 30 hit my system.
Although they came from various different virtual host providers, different domains (also made out of 2 random words) and the advertised producs weren't linked, it was obviously a campaign from the same outfit.
The domains existed, and had valid SPF records, they also had valid DKIM records, but their return mail servers weren't accepting return mail.
For only a few quid for a domain, hosted on some pay-per-hour service, you can pass all the spd/dkim/greylisting systems out there.
It's just a question of letting somebody ELSE get in trouble first. Then THEY rget scammed, THEY report the domain to the authorities and it gets taken down. If everybody blocked domains for the first month, we'd all be right back in the same position, equally vulnerable.
You'll miss out on current events, as during political campaigns, major sporting events or the like, result in domains being spun-up quickly and getting flooded with traffic.
And saying it's suspicious because it's parked or doesn't have much content? That's entirely to be expected.
"It's just a question of letting somebody ELSE get in trouble first."
Well isn't that the case for most security measures? All you're doing is protecting yourself and encouraging the criminals to move on to the next guy, who may not be so secure.
>we'd all be right back in the same position, equally vulnerable.
Security is a constantly evolving situation. There is almost never a forever-fix. Every measure you employ simply encourages criminals to seek out a weakness elsewhere.
Well isn't that the case for most security measures? All you're doing is protecting yourself and encouraging the criminals to move on to the next guy, who may not be so secure.
No. It's more a matter of increasing the cost of intrusions, so that the payoff isn't worth the added effort. If everybody hardened their systems, it wouldn't just raise the tide, it would reduce the risk for all, and seriously undercut organized crime.
You'll miss out on current events, as during political campaigns, major sporting events or the like, result in domains being spun-up quickly and getting flooded with traffic.
Do they? And do those new domains have anything of importance (leaving aside sporting events, which I regard as the very nadir of interest)? Because I've had web access since the first Mosaic release and I cannot recall ever having to go to a site in a brand-new domain for anything I needed or wanted to know.
I suppose it's conceivable that once in a while a new domain will host something worthwhile in its first month of existence. It's even conceivable that I would 1) hear about that, and 2) be sufficiently curious that I'd actually want to visit the site in that interval. But it seems surpassingly unlikely.
Certainly I would not "miss out on current events", which - last I checked - are still covered adequately by reputable media sources, if those events are of any interest whatsoever. And, often, even if they aren't (see "sporting events").
Never, ever going to click on some "<randompolitco>.<tld>"
Have we not learned from the 80 yr old web site designer's scams?
Then there are the scams by the "legitimate" political parties.
"Send us money, we will work for you!" With a value for "you" that is the name of a third party that remains nameless due to anti free speech laws.
How many users? How many distinct user populations with their own sets of, eg., web or mail requirements? Honest question. 5 - 10k range here, and countless user groups; this wouldn't fly for us. (There's also the small matter that IT is barely above "Chicken Soup Machine Nozzle Engineer, Class 2"in the corporate hierarchy.)
Not new news. 15-odd years ago I wrote a program which scanned my emails for URLs, did a whois lookup on the domain, and if it was registered within the past month or so, deleted the email as spam.
Back then, with email, the spammy domains were typically less than a week old, and commonly only a day or two when the email was sent.
Blocking *.info would be a real inconvenience for me. ibm-1401.info is just my cup of tea. Blocking email from there might be annoying, although not nearly as annoying as preventing my reading of the website.
Of course, I'm just a geezer, and don't have an employer, other than She Who Writes the To Do List.
"Anyone know if you can do an nslookup and pull the registered since field via Whois - and are we allowed to do this after gdpr?"
It probably wouldn't tell you much information if you did anyway.
Most dodgy sites use services to hide the true source such as Perfect Privacy LLC.
Shrug. I don't need to get email from Alphabet, even assuming they're foolish enough to use that domain for their MX. (Which, apparently, they are, judging from the single email address I found in a few minutes of skimming the parts of the site which are accessible with scripting disabled.)
An acquaintance registered a .xyz for a music blog and the trouble he has had has been unreal. Of course, him not being familiar with spam domains and his registrar not giving any inkling .xyz would be a problem, he is not best pleased.
Soundcloud blocked him registereing/changing his E-Mail and the tech he spoke to "helpfully" told him there had been spam from his domain and that he should use a different E-Mail provider. A great example of blanket-blocking with no capability for exceptions or real understanding of why it doesn't work.
Google gives established sites a higher search ranking, so it's difficult for a person to stumble across a new domain by searching.
New sites are quite suspicious, and when people click in links in emails or are redirected to those sites, or get emails from that domain, that is a strong cause for suspicion.
Having a parked domain is not in itself suspicious. I bought one for my sole trader contractor business and was too busy to add content for 6 months.
Current events and new info is primarily going to come from news sites, social media etc. Updates to existing domains won't be affected, so there are minimal issues with blocking new domains. But examples will emerge if blocking based on time is implemented. One example could be a legitimate business registers a new domain for a marketing microsite (because why update an existing site with a strong Google ranking?). It is launched at the very last minute (probably by people working past midnight). If it was widely blocked for the remainder of the month since it was registered this would be a disaster for the company who commissioned it.
Google's approach of weighting established sites more highly, as one factor amongst many is probably the best.
And yes, scammers will adapt. The only permanent impact will be reduced agility to respond to events.
You almost wouldn't realise this has been known about for years.
Startpage search for the following RBLs, Day Old Bread, SEM have several age lists 5,10, 15 day etc, SURBL Fresh. If your firewall or mail server can use RBLs you can filter these or score them in Spamassassin.
They maybe onto something.
Blocking new domains for the first few months is a start. Once people get used to the idea, start blocking all of the crap TLDs too.
If the people looking after the domain name space wont look after it, maybe some consumer pushback might help focus their attention?
I realise this will inconvenience some people/organisations (advertising and marketing?) but I’m not seeing a lot of downside that a little patience can’t address.
I have a setting in my brain that makes it easy : don't click on dodgy links.
I never click on a bit.ly link or any other shortened link. I distrust those by default. I always check where the link goes and if it doesn't go to somewhere logical or reasonable, I don't click.
Of course, all that means that I'm not part of those people who just blindly click, then belatedly wonder how their computer got hacked.
When you work at, say, a digital agency and your local IT security team insist on using Cisco Umbrella DNS - then every new domain you register in order to build and launch a shiny new website for a client is rendered un-render-able to everyone on site as it's seen as malicious. So you now have to whitelist every domain you register to avoid a cryptic, hard to debug (can't support https - natch) issue every FSCKing time
I think to be fair Umbrella sees POSTs going off to a newly seen domain name and thinks "Aha - baddies" which i guess is reasonable until you factor in our use case
Any IP address that is registered to OVH can safely be filtered out. From the occasional analysis of my 404 and failed logon logs, that would rid me of some 85% of breach attempts.
Personally I wouldn't mind a filter that would strip out all hosting facilities - that's not where real end users' traffic would originate from anyway.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
