> Is there a difference between a decade-old domain with contact information
> where a web server got hacked, and a 1-day old domain with garbage for
> contact information that was set up explicitly for Bad Stuff? How do you
> tell?Yup! One was registered a day ago and is now sending out loads of spaff.
It was a trick question. The next question is "how do you differentiate"?
I took two obvious cases and compared them. In such a case, it should be
reasonably obvious to the average person what the answer is.
The problem is that it is rarely so clear.
Take the example of what happened to seclists.org. Surely it looked like
a legitimate complaint, didn't it? You have a big company like MySpace
that has submitted a complaint claiming that a bunch of user passwords
have been posted on the seclists.org web site. Go to web site, sure
enough. Maybe look at registry info, see "insecure.com" mentioned, maybe
think it is some hacker web site. So shut it down.
The problem here is that any competent abuse department should have done
more research and laughed this into the circular file.
This is the costly bit that a domain registrar isn't going to be likely
to do.
First, analysis of the complaint itself.
Passwords - on seclists.org web site. Okay.
1) Realize that the web site is an archival copy of a mailing list. This
means that heavy distribution has already happened, and any ancillary
distribution happening by the web site is incidental.
2) Because heavy distribution has already happened, the passwords in
question are not in any way "protected" by removing them from the web
page (or removing the web page).
3) Notice that the data has already been posted on *other* web sites.
Conclusion #1 --> MySpace has a serious data breach on its hands.
Distribution is wide on visible community resources. This implies much
heavier distribution is likely on invisible blackhat resources.
Appropriate mitigation steps involve disabling and re-passwording all
accounts.
Conclusion #2 --> Continued listing of the passwords on the web site is
minimally harmful. Stand by for further processing.
Answer #1 to MySpace --> "Disable these accounts, your password list has
been widely distributed."
Further analysis: visit http://www.seclists.org. Notice the words
"security mailing list archive." Attempt to verify that it is what it
appears to be.
Conclusion #3 --> Given a security mailing list, one would expect that
there would be some discussion of current security problems. The inclusion
of an actual password list may have been in mildly poor taste, but it is
not due to deliberate intent of the website's operator. Since the password
list is already public and heavily distributed, it might be reasonable to
request the web site owner to remove the archive page pending a response
from MySpace that the passwords had been disabled.
Answer #1 to seclists.org -> "Disable this web page pending further
developments."
This is one reasonable resolution to the issue. I won't pretend it is the
only possible "whitehat" course of action, but there is no whitehat course
of action that ends with "seclists, we're suspending your domain."
If you do not have clear and obvious things to judge, analysis of a
situation becomes even more difficult. The above is not going to be
something that a first level support lackey is going to be able to work
out on his own... so that implies paying people who are skilled (and
who incidentally would probably have been on seclists mailing lists,
haha)
Right now, 1-day-old domains are a problem because nobody has a compelling
reason to let abuse domains age prior to using them. If it becomes common
policy for major providers to require domains to have existed for a certain
amount of time before they accept mail (as one example) containing that
domain name, then bad actors will simply register domains, allow them to
age, and then use them later.
I am not seeing easy solutions. I am seeing costly solutions that involve
a lot more involvement on the part of registrars. The obvious flags of
trouble (such as "1-day-old") are at best only useful in the short term,
because the bad actors can and will adapt.
Best people to know which domains are involved in sending out spaff? Hotmail?
Yahoo? AOL? Google? You know, those people who run millions and millions of
email accounts and can do rather scary statistical analysis on email..
You trust Hotmail? One of our businesses here has a mail server running
on a clean IP (an IP that had never before been used for mail in the
history of the Internet, and had been inactive for several years in any
case). It exclusively sends a very low volume of support replies and
the occasional billing problem. All mail is text - not HTML. There are
no images. There are no advertisements.
Hotmail is silently dropping every one of those messages sent to them. Not
junk folder. Dropping. Explain *that*.
While Hotmail *could* be bothered to do what you suggest, and I am sure
that it is an incredibly difficult task to handle a freemail system like
theirs, they're not doing it. Surely they've learned a lot of neat stuff
about dropping problematic e-mail, but they're also dropping legitimate
mail, so let's be real. Their priority isn't accurately determining what
domains are spamming. Their priority is running a heavily attacked
freemail provider without a trillion dollar budget. There is some
overlap, but only some.
We take in several megabits of traffic to our spam traps here, and I bet
we (and anyone like us, since there's a bunch of folks who do the same)
could generate some stats. I don't have time for any more projects though.
I wonder if any of the above would be interested in reporting spam-sending
hosts, URLs involved in spam/phish/scam/etc/ to a public group (or semi-public
group - open to join, but not publicly published) who could start working
on feeding these domains back to registrars?
If the registrars were interested in doing anything with the data, I
believe there are already some groups doing the collection of such data.
... JG
