report domains found in malware distribution

Alex Brooks askoorb+nanog at gmail.com
Sun Aug 25 17:40:35 UTC 2019


Hi,

On Sun, 25 Aug 2019 at 03:17, james jones <james.voip at gmail.com> wrote:
>
> just a quick question:
>
> are abuse emails still the best way to report domains that are being used in malware scripts? or is there a more central place to report such things?


This may be more from a sysadmin perspective than network operations.  However:

- Microsoft has a URL reputation service as well as Google; it's
called Windows Defender SmartScreen
(https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
This is used by default in Edge, IE, Exchange, Office365, Outlook.com
etc.
- Windows comes with Windows Defender as part of the licence.
- Windows Defender has an optional feature enablable by the sysadmin
called Network Protection. Network Protection causes *all* HTTP(S)
connections made by the system to be checked against the URL
reputation list, regardless of which process is making the connection
(https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard).
- Microsoft also shares malware information with other security
organisations, so reporting to Microsoft can often also mean that
security software from other vendors will start blocking the site
(https://docs.microsoft.com/en-gb/windows/security/threat-protection/intelligence/cybersecurity-industry-partners).

If you use Windows desktops/laptops in your business, enabling Network
Protection can be useful.  Likewise, because of the number of Windows
machines out there (and the ubiquity of Exchange / Office365)
reporting to Microsoft can also be useful, especially as other
security organisations can get details of the submission and start
blocking both the site and the malware.

You can report to Microsoft by going to
https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site (also
allows for bulk submissions) or
https://feedback.smartscreen.microsoft.com/feedback.aspx?url= and
putting the address you want to report after the =.

You can also submit whole phishing (or spam) emails to Microsoft by
using the addresses at
https://docs.microsoft.com/en-gb/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis.

*Phishing* sites are also collected by US-CERT at
https://www.us-cert.gov/report-phishing.  I have no idea what they
actually do with them though.

Alex
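
One way to roll out the Network Protection feature mentioned in the message above, as an added example that is not part of the original post: stage it in audit mode, review what it would have blocked, then switch to block mode. The seven-day review window is an assumption, and the commands need an elevated PowerShell session on the Windows endpoint.

```powershell
# Added example: stage Windows Defender Network Protection in audit mode
# before enforcing it, so legitimate traffic that would be blocked is seen first.

# Get-MpPreference reports the state as 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$stateNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$current = [int](Get-MpPreference).EnableNetworkProtection
Write-Output "Network Protection is currently: $($stateNames[$current])"

# Step 1: if the feature is off, turn on audit mode. Connections to
# low-reputation destinations are logged but not blocked.
if ($current -eq 0) {
    Set-MpPreference -EnableNetworkProtection AuditMode
    Write-Output 'Switched to AuditMode.'
}

# Step 2: review what fired. In the Defender operational log,
# event ID 1125 = Network Protection fired in audit mode,
# event ID 1126 = Network Protection fired in block mode.
$lookbackDays = 7   # assumption: length of the review window
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddDays(-$lookbackDays)
}
# Get-WinEvent raises an error when nothing matches, so suppress it
# and treat "no events" as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Output "Network Protection events in the last $lookbackDays days: $($events.Count)"
$events | Select-Object TimeCreated, Id, Message | Format-List

# Step 3: once the audit results look clean, enforce blocking.
# Left commented out so the script never enables block mode unreviewed.
# Set-MpPreference -EnableNetworkProtection Enabled
```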


