On Wed, Apr 15, 2020 at 11:33:58PM -0400, Ross Tajvar wrote:
> Can you give some examples of the things you mention above? I'm not doing much in terms of customer filtering and would be interested to hear what others consider best practice.
Sure. These are just examples and are by no means exhaustive. Also, some will work better than others depending on who you are, what services you offer, where you are, etc. There's no substitute for human judgment seasoned with experience.

1. Let's start with a timely one. Whenever there's a national or global crisis, scammers begin registering domains to exploit it. For instance:

Thousands of COVID-19 scam and malware sites are being created on a daily basis
https://www.zdnet.com/article/thousands-of-covid-19-scam-and-malware-sites-a...

[I'll omit the long rant about why ICANN is responsible for this and should be ashamed of what they've not only allowed, but encouraged.]

That story contains a link to a repository where somebody is tracking these. I pulled that list a month ago and there were 7500 entries. Now there are over 25,000. (Caveat for anybody doing the same: note carefully the methodology. There are legitimate domains/subdomains/hosts in there, although they're rapidly being swamped by the bogus ones. So don't just blindly use the data: filter out the 1-2% of legitimate entries.)

So, if it's April 2020, and a customer comes to you and wants to set up web service for a domain or fifty that have "covid", "corona", "virus", etc., in their names: they're probably up to something.

2. There are longstanding versions of (1) as well. Domains with strings in them like "bulk", "seo", "credit", etc., or domains with variations on the names of financial institutions, or domains which are typos of well-known domains, etc., are all suspect. *That doesn't mean they're all bogus.* It just means that a human being should give them closer scrutiny before the process goes forward.

3. Look at the diversity of their domains. This is sort of a rehash of what I said in (2), but: if all their domains are about one or two topics, yeah, it's probably someone with a business and a hobby or something like that. But if they have domains that suggest they're running 17 different businesses, then look closer.

4. Look at where they've been, that is, where they were hosted previously, by checking their DNS history. If they've hopped through four different hosts in the last seven months, something is going on. (Note: a few months ago a bunch of cheap VPS services all simultaneously ceased operations. If they were on one of those, then they may have just been caught up in the mess, so don't count that against them.)

5. Check Spamhaus.

6. Find out how many domains they have. People doing legitimate things may have 5 or 17 or something like that. People who have 5,000 are up to something. (Note: I've been doing research in this area for many years. I know of zero instances where registrants with thousands of domains were doing something legitimate. There may still be a counterexample out there, but I haven't seen it yet.)

7. MLM (multi-level marketing) is a red flag. So is Bitcoin et al.

8. A business putatively located in Iowa but with contact email addresses @163.com or @yandex.com is dubious. Same for other incongruous information: it might really be okay, or it might be a hint that they're up to something.

Most of these are just indicators: they're not definitive. And there are counterexamples all over the place. Plus, this list isn't exhaustive: like I said, they're just examples. That's why I said at the beginning that there's no substitute for human judgment seasoned with experience. That takes time and probably more than a few bad experiences. But it's worth it, because it's easier to solve problems before you have them.

---rsk
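As an added example (not code from the post above or from any list member), here is one way to turn indicators 1, 2, 4, 5, 6 and 8 into review flags for a human to look at rather than automatic decisions, in Python. The record layout, keyword lists, the 1000-domain and four-host thresholds, the provider list and the sample customer are all assumptions constructed for this illustration.

```python
from datetime import date, timedelta

# Constructed sample record; the field names are an assumption, not a real API.
SAMPLE_CUSTOMER = {
    "stated_location": "US",
    "contact_emails": ["owner@163.com"],
    "domains": ["covid19-relief-fund.example", "cheap-seo-bulk.example",
                "my-bakery.example"],
    # (hosting provider, date first seen there), as a DNS-history lookup might give it
    "hosting_history": [("hostA", date(2019, 10, 1)), ("hostB", date(2019, 12, 1)),
                        ("hostC", date(2020, 2, 1)), ("hostD", date(2020, 3, 15))],
    "spamhaus_listed": False,
}

CRISIS_TERMS = ("covid", "corona", "virus")          # indicator 1
LONGSTANDING_TERMS = ("bulk", "seo", "credit")        # indicator 2
MANY_DOMAINS = 1000                                   # assumed threshold (indicator 6)
HOST_HOPS = 4                                         # indicator 4
# Assumed mapping: mail providers incongruous with a stated location (indicator 8)
INCONGRUOUS_MAIL = {"US": ("163.com", "yandex.com")}


def review_flags(customer, today=date(2020, 4, 16)):
    """Return human-readable reasons this account deserves closer scrutiny.

    An empty list means none of the encoded indicators fired; it does not mean
    the customer is legitimate, just that a person need not be paged for these.
    """
    flags = []
    domains = [d.lower() for d in customer["domains"]]
    for d in domains:
        if any(t in d for t in CRISIS_TERMS):
            flags.append(f"crisis keyword in domain: {d}")
        if any(t in d for t in LONGSTANDING_TERMS):
            flags.append(f"suspect keyword in domain: {d}")
    if len(domains) >= MANY_DOMAINS:
        flags.append(f"unusually many domains: {len(domains)}")
    # Seven months approximated as 210 days; count distinct providers first seen since then.
    cutoff = today - timedelta(days=210)
    hops = {host for host, seen in customer["hosting_history"] if seen >= cutoff}
    if len(hops) >= HOST_HOPS:
        flags.append(f"{len(hops)} hosting providers in the last seven months")
    if customer["spamhaus_listed"]:
        flags.append("listed by Spamhaus")
    incongruous = INCONGRUOUS_MAIL.get(customer["stated_location"], ())
    for addr in customer["contact_emails"]:
        if addr.rsplit("@", 1)[-1].lower() in incongruous:
            flags.append(f"contact address incongruous with stated location: {addr}")
    return flags
```

Each flag names the indicator that fired so the reviewer can weigh it against the counterexamples the post mentions, such as a customer caught in a VPS provider shutdown.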