Reputation based blocking
Reputation-based blocking should be created; you have the data to do it.
Use Investigate to look up hrldedington@rocketmail.com.
That email has 82 domains: 7 marked as malware, the remainder with no classification.
From a quick look at the domain names, they look to be DGA.
I personally go in and block all of the domains from jokers like this, but what a hassle, and there are so many that I don't know about to proactively block.
A simple algorithm could classify this as a reputation-block category, thereby proactively blocking future malware/botnet sites you know will go active down the road.
-
"That email has 82 domains"
How do you calculate this?
nslookup -type=mx rocketmail.com.
Server: home.prv
Address: 10.165.111.43
Non-authoritative answer:
rocketmail.com MX preference = 10, mail exchanger = mta6.am0.yahoodns.net
rocketmail.com MX preference = 10, mail exchanger = mta7.am0.yahoodns.net
rocketmail.com MX preference = 10, mail exchanger = mta5.am0.yahoodns.net
mta6.am0.yahoodns.net internet address = 66.196.118.35
mta6.am0.yahoodns.net internet address = 98.136.217.202
mta6.am0.yahoodns.net internet address = 98.138.112.34
mta6.am0.yahoodns.net internet address = 66.196.118.36
mta6.am0.yahoodns.net internet address = 98.138.112.35
mta6.am0.yahoodns.net internet address = 63.250.192.45
mta6.am0.yahoodns.net internet address = 98.138.112.37
mta6.am0.yahoodns.net internet address = 98.136.217.203
mta7.am0.yahoodns.net internet address = 98.136.217.203
mta7.am0.yahoodns.net internet address = 66.196.118.35
mta7.am0.yahoodns.net internet address = 63.250.192.46
mta7.am0.yahoodns.net internet address = 66.196.118.37
mta7.am0.yahoodns.net internet address = 98.138.112.37
mta7.am0.yahoodns.net internet address = 66.196.118.34
mta7.am0.yahoodns.net internet address = 98.138.112.35
mta7.am0.yahoodns.net internet address = 63.250.192.45
mta5.am0.yahoodns.net internet address = 98.136.217.202
mta5.am0.yahoodns.net internet address = 66.196.118.34
mta5.am0.yahoodns.net internet address = 98.136.217.203
mta5.am0.yahoodns.net internet address = 98.136.216.25
mta5.am0.yahoodns.net internet address = 66.196.118.37
mta5.am0.yahoodns.net internet address = 66.196.118.240
mta5.am0.yahoodns.net internet address = 98.138.112.32
mta5.am0.yahoodns.net internet address = 98.138.112.37
This seems to be Yahoo's mail service.
-
You missed the line where I said to use Investigate with OpenDNS; see the domains registered with that email address.
-
True, my thought context was enterprise OpenDNS, where you have Investigate; personal accounts do not. This is a huge miss for OpenDNS to not incorporate reputation-based blocking, much like email reputation-based blocking has done for spam. Why would I allow my company to visit a site registered to an email with a significant number of domains categorized as malware or botnet? I wouldn't if I could stop it.
-
When you register a domain, you set up admin and technical contact email addresses. Because OpenDNS has registration data it pulls from registrars, using Investigate you are able to look up an email address and see what domains are registered to that email. There are 82 domains where that email is used as the admin contact. You can get similar data from some free reverse domain lookup sites, but generally you need a paid account at whois.sc or enterprise OpenDNS to have access to that kind of intel.
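The "simple algorithm" proposed in the first post, worked through on the kind of admin-contact data the last post describes. This is an added illustration, not code from the thread or from OpenDNS; the records, thresholds and the privacy-proxy exclusion list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of registration data as the thread describes it:
# (domain, admin_contact_email, classification). All values are placeholders.
RECORDS = [
    ("qzkwpxv.example", "bulk-registrant@mail.example", "malware"),
    ("ytrbmnq.example", "bulk-registrant@mail.example", "malware"),
    ("hgfdsxa.example", "bulk-registrant@mail.example", None),
    ("pokjuhy.example", "bulk-registrant@mail.example", None),
    ("lmnbvcz.example", "bulk-registrant@mail.example", None),
    ("shop.example", "owner@smallbiz.example", None),
    ("blog.example", "owner@smallbiz.example", None),
    ("alpha.example", "proxy@privacy-registrar.example", "malware"),
    ("beta.example", "proxy@privacy-registrar.example", "malware"),
    ("gamma.example", "proxy@privacy-registrar.example", None),
]

# Assumed thresholds (not from the thread): a contact must own at least
# MIN_DOMAINS domains, of which at least MIN_FLAGGED are classified as
# malware/botnet, before its unclassified domains are blocked on reputation.
MIN_DOMAINS = 3
MIN_FLAGGED = 2
BAD_CLASSES = {"malware", "botnet"}
# WHOIS privacy proxies front thousands of unrelated registrants, so their
# contact addresses are excluded to avoid mass false positives (assumed list).
PROXY_CONTACTS = {"proxy@privacy-registrar.example"}


def contact_reputation(records):
    """Return {email: (total_domains, flagged_domains)} over the records."""
    stats = defaultdict(lambda: [0, 0])
    for _domain, email, cls in records:
        stats[email][0] += 1
        if cls in BAD_CLASSES:
            stats[email][1] += 1
    return {email: tuple(counts) for email, counts in stats.items()}


def reputation_blocklist(records):
    """Unclassified domains to block proactively because their admin
    contact already owns enough malware/botnet domains."""
    rep = contact_reputation(records)
    blocked = []
    for domain, email, cls in records:
        # Already-flagged domains are blocked by category; proxies are skipped.
        if cls in BAD_CLASSES or email in PROXY_CONTACTS:
            continue
        total, flagged = rep[email]
        if total >= MIN_DOMAINS and flagged >= MIN_FLAGGED:
            blocked.append(domain)
    return sorted(blocked)
```

Only the bulk registrant's three unclassified domains come back; the small-business contact has no flagged domains and the proxy contact is excluded despite meeting the thresholds.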