RE: [dssa] Interesting article -- probably out of scope for us, but FYI
- To: "Mike O'Connor" <mike@xxxxxxxxxx>, dssa@xxxxxxxxx
- Subject: RE: [dssa] Interesting article -- probably out of scope for us, but FYI
- From: Greg Aaron <gaaron@xxxxxxxxxxxx>
- Date: Tue, 13 Sep 2011 12:22:40 -0400
Hi, Mikey. I think typosquatting's out of scope, full stop. By allowing
that example in, we'd be allowing virtually any kind of security problem or
threat vector back into scope again, simply if it was directed against a
registry operator. That is too much; a rabbit hole we'd never emerge
A lot of things come down to following good IT and administrative
practices, like: having a fundamentally sound network architecture, not
losing one's passwords, and using the UDRP or legal mechanisms when you
need to. There are bodies who do IT best practices better than we do, and
ICANN's not in a position to explore all that kind of stuff.
From: Mike O'Connor [mailto:mike@xxxxxxxxxx]
Sent: Tuesday, September 13, 2011 8:31 AM
Subject: [dssa] Interesting article -- probably out of scope for us, but
i thought some of you (being that we're a gaggle of security type people)
might be interested in this article about typosquatting domain names as a
way to passively harvest sensitive email.
given that we're testing our "scope" rules this week, i thought i'd also
use this as a test case. i would think that the general use-case of this
would be out of scope (malicious use of a domain name). but it would be
in scope if it were used as an attack vector on a registry or registrar.
so does that mean that we should build a section of our report that
collects these attack-vectors for possible inclusion in a "best practices"
food for thought, low priority.
PS -- i have the corp.com domain, which started getting masses of this
kind of email as soon as i registered it in the mid-'90s. i didn't
realize it until i wildcarded the MX for the domain one day and
immediately crashed my server. for example, somebody would mis-address
mail to HRDept@xxxxxxxxxxxx rather than the correct HRDept@xxxxxxxxxxxx.
so there are other variants of this vulnerability and perhaps an
opportunity for somebody to do a great good deed by educating folks about
this. btw, i immediately dropped the MX record out of that domain. :-)
- - - - - - - - -
handle OConnorStP (ID for public places like Twitter, Facebook, Google,
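A sender-side counterpart to the PS above: scanning outbound mail-log lines for recipient domains that are one typo away from a domain the organisation owns, so a misaddressed message is caught before it reaches whoever holds the look-alike domain. This is an added example, not code from the list or from either author; the log format, the owned domain names and the one-edit threshold are assumptions.

```python
import re

# Constructed sample: the domains this organisation actually owns (assumed values).
PROTECTED_DOMAINS = {"example.com", "mail.example.com"}

# Constructed outbound mail-log lines in an assumed "timestamp sender -> recipient" shape.
SAMPLE_LOG = """\
2011-09-13T12:01:07 alice@example.com -> hrdept@example.com
2011-09-13T12:02:19 bob@example.com -> hrdept@exmaple.com
2011-09-13T12:03:44 carol@example.com -> payroll@examplecom
2011-09-13T12:04:02 dave@example.com -> partner@vendor.net
2011-09-13T12:05:51 erin@example.com -> hrdept@mail.exampl.com
"""

RECIPIENT_RE = re.compile(r"->\s*([^\s@]+)@([A-Za-z0-9.-]+)\s*$")

def damerau_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # A swapped pair of letters ("exmaple") counts as one edit, not two.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def nearest_protected(domain: str) -> tuple:
    """Closest owned domain to the recipient domain, with its edit distance."""
    domain = domain.lower().rstrip(".")
    return min(((p, damerau_distance(domain, p)) for p in PROTECTED_DOMAINS),
               key=lambda pair: pair[1])

def find_misaddressed(log_text: str, max_distance: int = 1) -> list:
    """(recipient, nearest owned domain, distance) for recipients a typo away from us."""
    hits = []
    for line in log_text.splitlines():
        m = RECIPIENT_RE.search(line)
        if not m: continue
        local, dom = m.group(1), m.group(2).lower()
        nearest, dist = nearest_protected(dom)
        if 0 < dist <= max_distance:  # distance 0 is a genuine internal recipient
            hits.append((f"{local}@{dom}", nearest, dist))
    return hits

if __name__ == "__main__":
    print(find_misaddressed(SAMPLE_LOG))
```

Run against the constructed log, it flags the three near-miss recipients and leaves the genuine internal and third-party addresses alone; the same check could sit in an MTA policy hook or a DLP rule.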