Re: On-going Internet Emergency and Domain Names
-- Patrick Giagnocavo <patrick@zill.net> wrote:
On Apr 2, 2007, at 10:27 PM, Douglas Otis wrote:
The suggestion was to preview the addition of domains 24 hours in advance of being published. This can identify look-alike and cousin domain exploits, and establish a watch list when necessary. A preview provides valuable information for tracking bad actors and for setting up more effective defenses as well.
And just how many humans would this require?
Or are you going to write a 12-kilobyte regex in Perl to do the work for you?
Do you know how many trademarks and words that represent companies there are in existence?
What about local lingo that might be misleading--like if you weren't
familiar with college sports and thus "officialNittanyLions.com" (contrived example) didn't raise any red flags with you?
I could see perhaps a flag or a standard value to go into TXT (maybe
part of the existing SPF conventions) that indicate the age of the domain.
Then leave it up to the user as to what to do with that information (a
mail server not allowing emails from domains less than 15 days old for example).
Good questions, all -- but having said that, there are certainly ways to approach each of these.

And of course, there will obviously be things that fall through the cracks. And having said that, something is better than nothing.

The value in matching newly registered domains, the registrants themselves, the nameservers, MX records, and historical IP addresses as a matrix operation is incrementally positive as the effort itself becomes also incremental in the positive.

What I'm saying is this: Historical reputation systems, coupled with intelligence on known malware domains, observed fast-flux'ers, etc., gives some measure of control. You still have to do an enormous amount of weeding, but again, this is an endeavor that can be undertaken by private and commercial organizations, as long as the domain registration process is changed only slightly, to allow for a minor delay between the time that the registration(s) are made, and the time that they become "live".

As it stands now, everyone gets pretty much blind-sided by domains that crop up solely for the sake of malfeasance.

I'm not sure I articulated that very well, but there it is. :-)

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
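
An added example, not part of the original message: a first-pass screen of a 24-hour preview feed against a watch list, so that only flagged names reach a human reviewer. The watch list, the feed and the substitution table are constructed for illustration, and a name like the "officialNittanyLions.com" case is caught only if the term is already on the watch list.

```python
# Constructed watch list of protected names (assumption: lower-case, no TLD).
WATCHLIST = ["paypal", "nittanylions"]
# Common look-alike substitutions, folded away before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(label):
    """Lower-case, drop hyphens, fold look-alike characters."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(domain, watchlist=WATCHLIST):
    """Return (brand, reason) pairs for one previewed domain."""
    label = domain.lower().split(".")[0]   # assumes plain name.tld input
    folded = normalize(label)
    hits = []
    for brand in watchlist:
        target = normalize(brand)          # fold the brand the same way
        if label == brand:
            hits.append((brand, "same name"))
        elif folded == target:
            hits.append((brand, "homoglyph"))
        elif target in folded:
            hits.append((brand, "embedded"))
        elif edit_distance(folded, target) == 1:
            hits.append((brand, "one edit away"))
    return hits

# Constructed preview feed of pending registrations.
PREVIEW = ["paypa1.com", "officialNittanyLions.com", "paypol.net",
           "gardening-tips.org", "paypal.biz"]

def review_queue(feed=PREVIEW):
    """Map each flagged domain to its hits; unflagged domains are dropped."""
    return {d: screen(d) for d in feed if screen(d)}

if __name__ == "__main__":
    for domain, hits in review_queue().items():
        print(domain, hits)
```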