Regis
Level 12

Looking to block recently-registered domains. Is there a property that queries whois? Trusted Source categories?

I'd like to be able to block recently registered domains as they can be popular with phishers.

Now, blocking Uncategorized would likely do it of course, but I'm not confident that the universe of uncategorized is so small that I can manageably live with that. I've seen a lot of legit things come through as Uncategorized.

Blocking `Uncategorized && ( geoip(list of hostile lawless countries) || url.host matches in list of {skeezy TLDs} )` is something we dabble in now for blocking Uncategorized, but boy, it'd be great to add a notion of "also block any domain registered in the past 30 days" too.

I'm curious if anyone is pulling this off, and if so, how? Does such a primitive exist today or on any roadmap? Or, to whom would someone pitch a trusted source categorization(s) of "registered in past XX days"?

Alternatively, anyone got a decent way to look for typosquatting or look for patterns in domain registration for proactive threat alerting? This of course would be outside the venue of the web gateway, but more a general intelligence gathering exercise.

Thanks in advance for any insight or shared experience.

3 Replies
ITWebSec
Level 8

Re: Looking to block recently-registered domains. Is there a property that queries whois? Trusted Source categories?

You do realize that most of the domains that are used for malware distribution are registered well in advance until they are needed?

It is common practice to pre-register domains many months in advance before a new campaign is launched.

I have found that most "New" domains within the last 30 days are actually legitimate newbie sites.

Regis
Level 12

Re: Looking to block recently-registered domains. Is there a property that queries whois? Trusted Source categories?

Thank you for your reply (though I struggle to read past "you do realize" as a sentence lead, thanks to an irritating coworker who uses it too often :-) ).

I agree that while many are registered in advance, most that hit my inbox via phishing campaigns with uncategorized URLs are often quite newly registered, and nearly always malicious. Born-on dates of domains are a useful classifier, ANDed with Uncategorized, that helps the shoulder shrugging of "uncategorized." Domains pre-registered in advance can also be easily seeded into a category with the right content, but my experience is that there are many attackers and domains that don't bother. Blocking uncategorized && newer than 30 days is a policy with which a lot of environments would block some badness they otherwise wouldn't. We're able to be more nimble than most though (I can see how this'd be a pain in bigger environments). https://isc.sans.edu/forums/diary/Do+you+block+new+domain+names/17564 has an interesting discussion of the topic from 2 years ago indicating some appliances have this capability.

At any rate, I see this is a duplicate of this topic from a few months back ( ), wherein the answer appears to be "no" currently for us MWG folk.

Might be one for the product enhancement database, but I imagine it'd be in Trusted Source, where the domain registration date is most useful to implement, rather than in MWG.

btlyric
Level 12

Re: Looking to block recently-registered domains. Is there a property that queries whois? Trusted Source categories?

If you have a way to gather the data related to recently registered domains, you could theoretically use a customer-subscribed list.

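The "Uncategorized && registered in the past 30 days" rule from the thread, evaluated offline over WHOIS text so the result can be published as a subscribed list, as an added example that is not code from any poster or from MWG. The WHOIS records, hostnames and category labels are constructed sample data, and the creation-date field spellings and date formats are assumptions about typical registrar output.

```python
"""Domain-age policy: block a host only when it is Uncategorized AND its
WHOIS creation date is newer than MAX_AGE_DAYS. Added example; WHOIS text
below is constructed, not output of a live lookup."""
import re
from datetime import datetime, timezone

MAX_AGE_DAYS = 30
# Assumed spellings of the creation field across registrars (case-insensitive).
_CREATED_RE = re.compile(r"^\s*(Creation Date|Registered on|created):\s*(.+)$", re.I | re.M)
# Assumed date layouts; the first that parses wins.
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the registration time as an aware UTC datetime, or None if absent/unparseable."""
    match = _CREATED_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(2).strip()
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_days(whois_text, now):
    """Whole days since registration, or None when the creation date is unknown."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def should_block(category, whois_text, now, max_age_days=MAX_AGE_DAYS):
    """Uncategorized AND younger than max_age_days. An unknown age never blocks,
    so missing or unparseable WHOIS fails open rather than blocking legit sites."""
    if category != "Uncategorized":
        return False
    age = domain_age_days(whois_text, now)
    return age is not None and age < max_age_days


def build_blocklist(hosts, now):
    """Hostnames (from (host, category, whois_text) tuples) to publish as a subscribed list."""
    return sorted(host for host, category, whois in hosts if should_block(category, whois, now))


NOW = datetime(2014, 6, 15, tzinfo=timezone.utc)  # constructed evaluation time
SAMPLE_HOSTS = [  # constructed sample records
    ("new-uncat.example", "Uncategorized", "Domain Name: NEW-UNCAT.EXAMPLE\nCreation Date: 2014-06-01T10:00:00Z\n"),
    ("old-uncat.example", "Uncategorized", "created: 2012-03-04\n"),
    ("new-news.example", "News", "Registered on: 10-Jun-2014\n"),
    ("no-whois.example", "Uncategorized", "No match for domain\n"),
]
```

Only `new-uncat.example` ends up on the list: the old Uncategorized domain, the categorized new one, and the domain with no WHOIS match all pass.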