A discussion about abuse mitigation

LoriBeth Blair & Raymond Dijkxhoorn

Presented by: LoriBeth Blair & Raymond Dijkxhoorn

LoriBeth Blair 0:00
Good day. All right, so now we have our guest on stage with him. Well, I wanted to start by asking Raymond today: how does one end up in the position of starting a block list?

Raymond Dijkxhoorn 0:56
Yeah, so it was a long time ago. I remember that was in 2004, when basically we met up with one of the keynote speakers who was in the session yesterday, so Kevin McGrail, working on the SpamAssassin project. And there was basically a big part missing. We felt there was stuff going on with a fourplexes blacklist, the MAPS list at that time; Spamhaus was not doing such a good job at that time as they're doing now. And MAPS disappeared, as did many other blacklists. But there was basically no domain blacklist out there. So we basically decided, well, that's something really cool. We can track all the IPs and go after the domains that are going up there in the spam messages. But most of the time, it was some well filled domain, or Ducktor domain or whatever they were selling. And it always ended up at a website. And websites, typing with IP addresses is not so convenient. So, to use domains. And that's basically how we got to the idea of, like, let's collect, track, trace people who do that. And that's where we are now.

LoriBeth Blair 2:20
Yeah. So is it rude to ask how large is the block list? Like, how many hundreds of thousands or millions of domains do you have blocked?

Raymond Dijkxhoorn 2:29
It varies over time. Currently, it's a little over half a million domains that we list. But there's also stuff which, we call it, we put it in the fridge, because we know they will be reusing those domains, but they're not in the active set. So basically, the active set that we use is also things that we experience in the wild. So sometimes we take a set out of there, put it in the fridge, and then later on it's in the active set again. Because we started off as helping out ISPs with our spam filtering, for example, but the domain set is used pretty widely nowadays. So it's used, well, basically any big ESP is using the data set. But it's also used to take down domains. So if we list something, we talk with the registries and the registrars in automated form, and they try to take it down. So we're not having all those domains in there just because we want to have a really big list, but it needs to be accurate. So it needs to be, in our eyes, small, still familiar. And it's not like tiny, but it's the condensed version of what we have.

LoriBeth Blair 3:45
So what are some emerging trends, or threats, that you're seeing, that you're blocking using this list?

Raymond Dijkxhoorn 3:56
What we see, the trends basically, every two, three months they try to get around detection. The same as an ESP has with their signups, their customers. If they have a way in, they try to work around that. Right now we see a lot of things going on with all the new TLDs, where they basically register a whole bunch of names. Usually the next day we see a different pattern. But we see them trying to evade that. So where they usually registered a domain and started to use it right away, and we could determine something with domain age, for example, like, how old is this domain, was it registered yesterday or is it somewhat older? There's also a second-hand market for domain names right now, because it has some sending score, it has reputation. So there's also a value in just buying a bunch of old domains, which makes it harder for us to determine, like, well, it had a good reputation, but that company went bankrupt or something, somebody bought the domain and also with that bought the sending experience, so all the ratings that it had. So we see it moving that way a lot.

LoriBeth Blair 5:21
And just for, you know, some of our maybe less technical users, a TLD is a top-level domain. .com is an example of a TLD, .org is a TLD, so is .net. And what are some of the new TLDs that you're seeing that are like, okay, if I see this domain, like 99, or no, if I see those TLDs, 99% chance it's spam?

Raymond Dijkxhoorn 5:45
We keep a list of what we call the top 20 worst domains. If you ask it today, likely tomorrow is different. They shift. It might be that there is a promotion going on; they tend to buy cheap domains, because they need a lot of them. In the top 20, there's also the known players. Like, if you have .com, it's only logical that it appears in our abuse top 20, because of the number of domains in that zone file; it's by far the largest. So if you have a zone file with, let's say, 25 million domain names versus a new TLD which has a few thousand, then it's logical that you see the established players, .com, .org, .info, .net; they will always be in, like, the top 10. But that's due to the numbers, basically, the new TLDs. And that makes it a bit harder. Also, they have other obligations towards ICANN. So ICANN is basically the one doing the top-level domains, so the dot where you start. Now you have like .info or .net, those new domains, like .red, .blue, and we have like 12 180 others; those have different regulations, so they have to take care of abuse. Sometimes if you look in your inbox, you don't have the feeling that they do. But that's also the reason that it shifts. Because we focus on one TLD, they clean out, they do stuff on there and basically exclude them, and then they move to the next player, because they need to get the message out.

LoriBeth Blair 7:33
So would you say it's fair to say that your job is like playing a constant game of Whack-a-Mole? Yep.

Raymond Dijkxhoorn 7:40
Yep, that's what we do a lot of the time. But we also work with the registries and registrars, so basically the people who sell you the domain names. And we get some other intel from them. Because we can basically wait till John G, who registered five domains and we got them all in our list, then chances are that he has a sixth and the seventh and eighth and ninth and, well, the list continues. So we work with those registries and registrars and basically have a conversation with them, like, hey, we can wait till he uses the sixth one, or you can just tell us which he registered already, so we can be more proactive and preventive. Because there's always a gap between our systems recognizing it and the domain being registered or being bought on the second-hand market. So we always try to be more proactive, because that means your inbox will be a lot cleaner than it is now.

LoriBeth Blair 8:42
And that’s gotten a lot more challenging since GDPR, hasn’t it? Since people are able to obscure the registration information behind the privacy filters?

Raymond Dijkxhoorn 8:52
Yep, there's an awful lot of domains registered to someone with the name not disclosed. So it's

LoriBeth Blair 8:59
definitely. And do you think that's, like, a reputation indicator? Because I had heard previously, you know, that if you want to be a reputable organization, you need to have your information public, you know, for your domain name, for, you know, for your domain, you need to have an abuse contact, you need to have all of that to look legitimate.

Raymond Dijkxhoorn 9:17
Yes, some of that is, that's low-level tech, but that's on the IP side. So where you are sending from, they need to have, like, abuse contact information. For most of the domain names we learned to deal with it. I mean, we know that the registry information is gone, basically. But due to the contacts that we have with all the registrars and the registries, we kind of can work our way around that a little bit. But still, if you know who is running that organization behind it, it makes life a lot easier.

LoriBeth Blair 9:54
I want to touch on something you mentioned a moment ago. And can you explain, for the audience that might not be aware, what is ICANN? And

Raymond Dijkxhoorn 10:00
so ICANN is basically the organization that delegates all of the TLDs. So all of the domain names go via ICANN, either it's a country TLD like .fr, .nl, .uk, or one of the new TLDs, like .red or, well, see you or whatever they made up. So ICANN is basically the regulation for all that. The reason that a lot of the country TLDs and .com and a few others have different regulations is because when they started this, nobody would ever think of people abusing this whole system. So it was not designed with security in mind, not designed with abuse in mind. With the new TLDs, they know people will register domains with fake brand names, imitation names, and look-alike domains. So there's a lot more rulings around it, and there's much more control over it to get basically things sort of

LoriBeth Blair 11:09
Gotcha. So, and yeah, explain to us a little bit about some of the, maybe, you know, I think we're all familiar with the use of block lists as far as, like, blocking traffic going into inboxes. But can you explain a little bit about how an email platform provider might want to use a block list to essentially secure their infrastructure from spam or abuse?

Raymond Dijkxhoorn 11:36
Yeah, I mean, the common use case is ISPs. So when it comes to your inbox, they can filter with the domain names. But that's basically after the fact. So if an ESP wants to filter, like preventing their users from sending out mailings like that, that could be phishing, or when it's account takeovers, which happen on a regular basis, it can be all kinds of nasty things they send out, then basically you can also protect your onboarding process. Like, if a customer signs up with a domain which is listed in our data set, that's likely not the customer that you want to sign up with. And the same for when things go out of your system. If you scan the messages which leave your ESP platform, you basically can already check, like, those domains, what's the reputation of those domains, make some kind of process where, if they have domains in the email message, you basically have to put them in a form with scoring or something which you make up, where you basically say, hey, it already has a bad reputation. We don't need that reputation also on our outgoing IP set, because it will be damaging if we send this out. So you basically need to try to prevent it from going out at all. And that's what a lot are already doing. And there's also tips, like, if you have customers pointing to redirection services, like Twitter had one, t.co, we all know a couple of others, which are full of abuse. And there's also one funny trick that people who do account takeovers usually do with that: if you have a redirection domain in there, you can change it after the mail is being sent. So it looks perfectly fine when they sent it out. But when it landed in the inbox, they changed the destination. So if you have something which is under your control, which they cannot change just like that, that's also preventive on the sending part.

LoriBeth Blair 13:52
Very important, for sure. How are we on time? Cool. I feel like we've covered a lot of topics. I feel like I've learned a lot about, you know, the block listing process. So how do you get the data feed of, like, new domains that are being registered? Do you get some kind of data feed that's like, this domain was registered? Or, you know, how does the domain wind up on your naughty list?

Raymond Dijkxhoorn 14:24
There's not one recipe to cover all of that. But we have basically the majority of the zone files. What it's called, the zone file, is the list with all of the domains of a specific TLD. So .info publishes its zone file. We basically look daily when that comes in, or real time with some of the registries that we help out on. And that's basically how we find new domains. We also see them in our own systems. We run a tremendously big network where we basically try to capture information, and that does not need to be spam traps. We have all kinds of systems doing that. So there's also the agreements that we have with some hosting companies, like really big hosting companies, which basically say, well, this is the list of domains, can you please check if there's anything bad, because they also want to do a good job and basically prevent stuff from going out. There's also one thing which we don't hear a lot: most of the people who contact us on our website do so to get, like, delisting for a certain domain name. They only do that after the fact, like when it happens. But it's also really important to reach out to us, like, if you are a bank and you merge with another bank, that new bank name needs to be, for example, on our whitelist, so we don't list it by accident or, like, think it's a phishing domain. So there are multiple reasons also just to contact us if things change on your end, so we can adjust to that.

LoriBeth Blair 16:08
Gotcha. Awesome. Um, can you explain a little bit more about what technology, I think we're all pretty familiar with, you know, how spam traps work? Can you give any examples, without revealing the secret sauce, of course, of what other type of systems would be checking for this? Because I know there are, like, bots that crawl the web and try to submit, you know, data to open endpoints and see what's vulnerable. But what other kinds of technology can you reveal to us?

Raymond Dijkxhoorn 16:41
A lot of it is actually made in house. I mean, we've been doing this for close to seven years. There's not like, you kind of walk to a bookstore and just buy a book, like, how to build a spam trap, or how to, well, the previous session, how to build your ESP. So a lot of it is just done by pioneering own systems. So that could be agreements with large universities where we basically engage with them in research. We do a lot of botnet research, where we basically try to find out which domains that bot is going to be using for the next two, three weeks, digest the data, intercept, and publish it out. So sometimes it's DGA, domain generation algorithms. So the algorithm that is inside the bots we basically try to reverse engineer to find out what that bot is going to do. Because most of the bad stuff is not done manually. It's done by bots.

LoriBeth Blair 17:45
So you're saying there are bots out there that will, like, generate and register new domain names to do bad stuff from, like spam, and host malicious content and all that stuff, the current

Raymond Dijkxhoorn 17:57
bad bots that are out there, who are very active also in the SMS space, so mobile text spam, they currently have a monthly rotation; they register 60,000 domain names, basically, in their algorithm. And they just pick a few. So they're registered for, like, five days, but we already know that 6000 are going to be used likely that month. So a lot of it is predictable.

LoriBeth Blair 18:29
That's kind of interesting. And let's talk a little bit, since, you know, this is kind of, it's almost two sides of adversarial forces: like, you have the creators of the bots on one side, and then you have people like on your side that are trying to protect the internet. Yep. So I think the predictive technology that you talked about is a great example of how, you know, the good guys are trying to get ahead in the fight. But explain to us a little bit about, you know, the complications of how, you know, as soon as you come up with a new protection, they find, like, a way around it. Do you have any examples of, yeah, when this has happened?

Raymond Dijkxhoorn 19:08
It happens a lot. So sometimes we figure out the algorithm; they see that we pre-list domains. But there's also reasons that we work with all the registries and are also involved with takedowns. We don't want to have this fight, like, every day. So we also work with law enforcement, work with the registries to get more information about, like, who registered this whole set of domains. And then we basically go out to, whoever, governmental organizations, CERT organizations, to basically see just how can we solve this in a more controlled way, instead of just, like, playing racquetball every day?

LoriBeth Blair 19:52
Gotcha. Well, awesome. I don't think I have more questions for now. Is there anything else that you can think of that, you know, is super important for email, you know, marketers to know about protecting themselves and their traffic streams, you know, kind of against this? You know, as far as, don't use public figures, because again, that can get changed out, you know, the target link behind that can get changed out to something malicious. You know, make sure that you're registering domains from reputable organizations. Any other tips that you have for email marketers out there?

Raymond Dijkxhoorn 20:33
Yeah, I think, you know, like with ransomware attacks, for a long time people were ashamed, basically, to tell about it, because, well, it happened to us. But right now it's happening so often and with so many companies that everybody talks about it. That's a bit the same with abuse. Like, we virtually don't know, well, perhaps a few, but there's very little ESPs that have zero abuse, like nothing. I mean, it could be an account takeover. But if something happens, be honest about it, and reach out to us if something happens and it is on the list and you have questions about it. Just tell us what happened. And we likely already know what happened, because we see actual evidence, might be in our spam traps or one of the other detection systems that we have, but it helps really speed up things if you just say, well, we have this web server, it was compromised. You can say that every week, but if it's compromised, sure, that happens; we're not the bad guys. We are here to help, so reach out to us, guys, and we will get it resolved.

LoriBeth Blair 21:42
Now, awesome. You heard it here at Inbox Expo: if you, you know, get an account takeover, like somebody gets access to your ESP account, or, you know, if you have any malicious actors that get a hold of your network, contact Raymond and he'll help you out.