[gnso-ff-pdp-may08] Detecting new domains
- To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] Detecting new domains
- From: Marc Perkel <marc@xxxxxxxxxx>
- Date: Fri, 26 Sep 2008 08:03:08 -0700

I'm working on what might be a breakthrough in detecting newly
registered domains that are driving fast flux. I'm still accumulating
data but here is how it works.

As you know it's difficult if not impossible to get real time lists of
tasting domains. So what I'm doing is accumulating lists of existing
domains and storing them in a list of what I will call "familiar"
domains. The idea is that if the domain isn't on the list then it will
be "unfamiliar".

Of course although this will catch all brand new domains - it will catch
a lot of others as well. But that's not an issue because this is just
information - not blocking.

Then - botnet spam is easy to detect. So if I detect botnet spam that
contains links to unfamiliar domains then there's an extreme
likelihood these unfamiliar domains are pointing to fraud/fast flux. At
least that's what I'm exploring.
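
The approach described in the message above, as an added example that is not the author's code: links are reduced to registrable domains, compared against a "familiar" set, and escalated only when the carrying mail was already classified as botnet spam. The familiar list, the two-label suffix set (a stand-in for the Public Suffix List), the `is_botnet_spam` flag (assumed to come from an existing spam classifier) and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data; a real "familiar" list would hold millions of names.
FAMILIAR = {"example.com", "example.org", "example.co.uk"}
# Assumption: tiny stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host):
    """Reduce a hostname to its registrable domain (simplified)."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"[0-9.]+", host):  # IPv4 literal, not a domain name
        return None
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    if len(labels) < keep:
        return None
    return ".".join(labels[-keep:])


def linked_domains(body):
    """Return the set of registrable domains linked from a message body."""
    found = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, e.g. broken IPv6 brackets
            continue
        dom = registered_domain(host) if host else None
        if dom:
            found.add(dom)
    return found


def triage(body, is_botnet_spam, familiar=FAMILIAR):
    """List unfamiliar domains; mark them suspect only for botnet-sent mail."""
    unfamiliar = sorted(linked_domains(body) - familiar)
    suspect = unfamiliar if is_botnet_spam else []
    return {"unfamiliar": unfamiliar, "suspect": suspect}


# Constructed messages for illustration.
SPAM = "Cheap meds http://www.example.com/ and http://a1.newly-seen.test/buy?x=1"
HAM = "Notes are at https://wiki.internal-notes.test/page"
```

An unfamiliar domain in ordinary mail stays informational; only the combination with a botnet verdict produces a suspect entry, matching the "information, not blocking" intent of the message.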