3 Replies Latest reply on Jul 19, 2016 9:27 PM by btlyric

    Looking to block recently-registered domains. Is there a property that queries whois? Trusted Source categories?

    Regis

      I'd like to be able to block recently registered domains, as they can be popular with phishers.

      Now, blocking Uncategorized would likely do it, of course, but I'm not confident that the universe of Uncategorized is so small that I can manageably live with that. I've seen a lot of legit things come through as Uncategorized.

      Blocking Uncategorized && ( geoip(list of hostile lawless countries) || url.host matches in list of {skeezy TLDs} ) is how we dabble in blocking Uncategorized now, but boy, it'd be great to add a notion of "also block any domain registered in the past 30 days" too.

      I'm curious if anyone is pulling this off, and if so, how? Does such a primitive exist today or on any roadmap? Or, to whom would someone pitch a Trusted Source categorization(s) of "registered in past XX days"?

      Alternatively, anyone got a decent way to look for typosquatting or look for patterns in domain registration for proactive threat alerting? This of course would be outside the venue of web gateway, but more a general intelligence gathering exercise.

      Thanks in advance for any insight or shared experience.
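
The rule described in the post above ("Uncategorized" plus "registered in the past 30 days"), sketched as an added example that is not part of the original thread and is not a Web Gateway feature. It assumes registration data is fetched separately as an RDAP domain object (RFC 9083 `events` layout); `registration_date`, `decide`, `existing_match` and the sample records are hypothetical names and constructed data.

```python
from datetime import datetime, timedelta, timezone

# Constructed RDAP domain objects (RFC 9083 "events" layout); not real lookups.
SAMPLE_RDAP = {
    "new-login-portal.example": {"events": [
        {"eventAction": "registration", "eventDate": "2016-07-10T08:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2017-07-10T08:15:00Z"}]},
    "old-vendor.example": {"events": [
        {"eventAction": "registration", "eventDate": "2009-03-02T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2016-07-01T12:00:00Z"}]},
    "no-dates.example": {"events": []},  # registry returned no registration event
}

def registration_date(rdap):
    """Return the registration timestamp (UTC) from an RDAP object, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") != "registration":
            continue
        try:
            stamp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
        except (KeyError, ValueError):
            return None
        # Treat a timestamp without an offset as UTC so comparisons never fail.
        return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)
    return None

def decide(category, rdap, now, existing_match=False,
           max_age_days=30, block_unknown_age=False):
    """Apply: Uncategorized && (existing geoip/TLD match || registered < N days)."""
    if category != "Uncategorized":
        return ("allow", "categorized")
    if existing_match:  # result of the geoip / TLD-list conditions already in use
        return ("block", "existing geoip/TLD condition")
    created = registration_date(rdap)
    if created is None or created > now:  # missing or future-dated: age unknown
        return ("block" if block_unknown_age else "allow", "registration date unknown")
    age = now - created
    action = "block" if age < timedelta(days=max_age_days) else "allow"
    return (action, f"registered {age.days} days ago")

if __name__ == "__main__":
    now = datetime(2016, 7, 19, tzinfo=timezone.utc)  # fixed clock for the demo
    for host, rdap in SAMPLE_RDAP.items():
        print(host, decide("Uncategorized", rdap, now))
```

`block_unknown_age` is the fail-open versus fail-closed choice: many registries redact or omit dates, so blocking on unknown age widens coverage at the cost of more false positives among Uncategorized sites.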