topic Re: Block recently registered domains in General Topics

Block recently registered domains

ASCIT — Sun, 04 Feb 2018 01:46:52 GMT

Is anyone successfully blocking domains that have been registered recently (last 30 days)? My testing has shown in the last three days, 380k domains have been registered. My PA-3020 capacity for External Dynamic Lists only supports a total capacity of 50k domains. Does anyone know of a better method to achieve this?

Re: Block recently registered domains

OtakarKlier — Mon, 05 Feb 2018 22:31:02 GMT

Hello @ASCIT,

We dont block based on the age of a domain, we only block on categories. Quite a bit of the time, but not always, the newer ones are lumped into the 'Unknow' category and we block that one.

I would say that not all newly registered domains are 'bad' and can have an impact on the user base.

Hope that helps.

Re: Block recently registered domains

reaper — Tue, 06 Feb 2018 10:49:29 GMT

Most of the new domains will fall under the 'unknown' category as @OtakarKlier mentions, until our crawlers pay a visit, or we get submissions/field reports/samples of what the domain is hosting and then it get categorized as one of the regular categories

so blocking 'unknown' will likely do the job satisfactory

Re: Block recently registered domains

ASCIT — Tue, 06 Feb 2018 22:21:24 GMT

We do block the unknown category. A known malicious domain which was registered 8 days prior to the phishing emails being sent through was categorised as computer-and-internet-info.

Re: Block recently registered domains

OtakarKlier — Wed, 07 Feb 2018 00:00:48 GMT

Hello,

I understand the frustration there. Does your company use a mail filtering tool or service? This is where it should have gotten caught I think since it was delivered via an email?

Just a few thoughts.

Re: Block recently registered domains

ASCIT — Wed, 07 Feb 2018 00:24:11 GMT

Thanks for your input. Blocking this traffic at the firewall would be far more effective.