Constant Abuse Reports / Borderline Spamming from RiskIQ

Rich Kulawiec rsk at gsp.org
Fri Apr 17 13:51:25 UTC 2020


On Wed, Apr 15, 2020 at 11:33:58PM -0400, Ross Tajvar wrote:
> Can you give some examples of the things you mention above? I'm not doing
> much in terms of customer filtering and would be interested to hear what
> others consider best practice.

Sure.  These are just examples and are by no means exhaustive.  Also,
some will work better than others depending on who you are, what services
you offer, where you are, etc.  There's no substitute for human judgment
seasoned with experience.

1. Let's start with a timely one.  Whenever there's a national or global
crisis, scammers begin registering domains to exploit it.  For instance:

	Thousands of COVID-19 scam and malware sites are being created on a daily basis
	https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-are-being-created-on-a-daily-basis/

[I'll omit the long rant about why ICANN is responsible for this and
should be ashamed of what they've not only allowed, but encouraged.]

That story contains a link to a repository where somebody is tracking
these.  I pulled that list a month ago and there were 7500 entries.
Now there are over 25,000.  (Caveat for anybody doing the same: note
carefully the methodology.  There are legitimate domains/subdomains/hosts
in there, although they're rapidly being swamped by the bogus ones.  So don't
just blindly use the data: filter out the 1-2% of legitimate entries.)

So, if it's April 2020, and a customer comes to you and wants to set up
web service for a domain or fifty that have "covid", "corona", "virus",
etc., in their names: they're probably up to something.

2. There are longstanding versions of (1) as well.  Domains with strings
in them like "bulk", "seo", "credit", etc., or domains with variations
on the names of financial institutions, or domains which are typos of
well-known domains, etc., are all suspect.  *That doesn't mean they're
all bogus.*  It just means that a human being should give them closer
scrutiny before the process goes forward.

3. Look at the diversity of their domains.  This sort of is a rehash
of what I said in (2), but: if all their domains are about one or
two topics, yeah, it's probably someone with a business and a hobby
or something like that.  But if they have domains that suggest they're
running 17 different businesses, then look closer.

4. Look at where they've been, that is, where they were hosted
previously, by checking their DNS history.  If they've hopped through
four different hosts in the last seven months, something is going on.
(Note: a few months ago a bunch of cheap VPS services all simultaneously
ceased operations.  If they were on one of those, then they may have just
been caught up in the mess, so don't count that against them.)

5. Check Spamhaus.

6. Find out how many domains they have.  People doing legitimate things
may have 5 or 17 or something like that.  People who have 5,000 are up
to something.  (Note: I've been doing research in this area for many
years.  I know of zero instances where registrants with thousands of
domains were doing something legitimate.  There may still be a
counterexample out there, but I haven't seen it yet.)

7. MLM (multi-level marketing) is a red flag.  So is Bitcoin et al.

8. A business putatively located in Iowa but with contact email
addresses @163.com or @yandex.com is dubious.  Same for other
incongruous information: it might really be okay, or it might
be a hint that they're up to something.


Most of these are just indicators: they're not definitive.  And there
are counterexamples all over the place.  Plus, this list isn't exhaustive:
like I said they're just examples.  That's why I said at the beginning
that there's no substitute for human judgment seasoned with experience.
That takes time and probably more than a few bad experiences.  But it's
worth it, because it's easier to solve problems before you have them.

---rsk
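An added illustration (not the poster's code) of how items 1, 2, 4, 6 and 8 above can be turned into a triage check that flags a prospective customer for a human to look at; items 3, 5 and 7 still need a person or an external lookup. The keyword lists, the brand list for the typo check, the set of defunct VPS providers, and every threshold are assumed values chosen for the example.

```python
# Added illustration of the vetting heuristics in the post above; not the
# author's code. Thresholds, brand list and defunct-provider set are assumed.
from datetime import date, timedelta

CRISIS_TERMS = ("covid", "corona", "virus")      # item 1 (timely, April 2020)
SUSPECT_TERMS = ("bulk", "seo", "credit")        # item 2
WELL_KNOWN = ("paypal.com", "chase.com")         # assumed brand list for typo check
FOREIGN_MAIL = ("163.com", "yandex.com")         # item 8
DEFUNCT_HOSTS = {"defunct-vps-example"}          # assumed: providers that shut down
WINDOW = timedelta(days=7 * 30)                  # item 4: "last seven months"

def edit_distance(a, b):
    """Levenshtein distance, used to spot typos of well-known domains (item 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def vet_customer(domains, hosting_history, contact_emails, country, today):
    """Return the indicators tripped. A non-empty list means a human should
    look closer, not that the customer is bogus.
    hosting_history: chronological list of (start_date, provider)."""
    flags = []
    for d in domains:
        name = d.lower()
        if any(t in name for t in CRISIS_TERMS):
            flags.append(f"crisis keyword: {d}")
        if any(t in name for t in SUSPECT_TERMS):
            flags.append(f"suspect keyword: {d}")
        for brand in WELL_KNOWN:
            if name != brand and edit_distance(name, brand) <= 2:
                flags.append(f"typo of {brand}: {d}")
    if len(domains) >= 1000:                     # item 6: thousands of domains
        flags.append(f"{len(domains)} domains")
    # item 4: count host moves inside the window, excusing moves forced by a
    # provider that ceased operations
    moves = 0
    for (_, old), (start, new) in zip(hosting_history, hosting_history[1:]):
        if today - start <= WINDOW and old not in DEFUNCT_HOSTS:
            moves += 1
    if moves >= 3:                               # four hosts in seven months
        flags.append(f"{moves} host changes in the last seven months")
    for email in contact_emails:                 # item 8: incongruous contacts
        if country == "US" and email.rsplit("@", 1)[-1].lower() in FOREIGN_MAIL:
            flags.append(f"US business with contact {email}")
    return flags
```

The output is a list of reasons for closer scrutiny, in keeping with the post's point that these are indicators rather than verdicts.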
