[gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy
- To: gnso-ff-pdp-May08@xxxxxxxxx
- Subject: [gnso-ff-pdp-may08] Domain takedown through 100% automation - kicking the hornet's nest of controversy
- From: Marc Perkel <marc@xxxxxxxxxx>
- Date: Sun, 03 Aug 2008 08:29:16 -0700
OK - moving to controversial, I want to address automated domain
takedown. Let me give you an example of why this can work.
I am a spam filtering operation and a huge number of fraud attempts come
into our servers every hour. In this example I'll use PayPal. A message
comes into the system in this form:
From: paypaI@xxxxxxxxxxxxxxxxxxxxxxxx
To: honeypot@xxxxxxxxxxxxxxxxxxx
Subject: Please unlock your PayPal Password
Your Online PayPal Password was blocked on 19/07/2008
Log In into your account to resolve the problem.
Click here to Log In
The link goes to this address: http://paypaI.com/login.cgi
The message did not come from a PayPal server and does not have PayPal's
domain key signature. So there's no doubt that it's bogus and there are
no civil liberty or free speech issues involved. This is 100% about
criminals stealing money from technically ignorant users.
My software isolates the domain from the link and sees "paypaI.com"
(note the I instead of the L) and the domain appears in URI blacklist.
And suppose I read information from the DNS info I've proposed and I can
see the domain is 1 day old, the name servers have changed 40 times in
the first day (clearly fast flux), and the domain is registered through
godaddy.com. So - being part of a trusted closed reporting group my
software blocks the email and sends it to GoDaddy's automated abuse
system. At the same time GoDaddy has received similar messages from
several other trusted sources (not a secret society forming a shadow
government to dominate the world).
So as a result GoDaddy - through automation - takes down paypai.com in
less than 15 minutes after the fraud starts, disrupting the fraud, and
saving thousands of people from being ripped off by the Russian mafia.
With a network like this one could probably ID 90% of purely criminal
fast flux abuse with 100% accuracy and be so effective that fast flux no
longer works and criminals abandon the technique.
Tell me why this isn't a good idea.
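A detection-side sketch of the pipeline the post describes, added here as an example and not the poster's software: the DNS history feed, URI blacklist, registrar values and the thresholds (1 day old, 10+ name-server changes, 3 agreeing signals) are all constructed assumptions.

```python
"""Score a phishing link's domain from the signals listed in the post and
decide whether it is worth an automated abuse report to the registrar."""
from datetime import date
from urllib.parse import urlsplit

# Constructed stand-in for the proposed DNS history feed: first-seen date,
# number of name-server changes observed on day one, sponsoring registrar.
DNS_HISTORY = {
    "paypai.com": {"first_seen": date(2008, 8, 3), "ns_changes_day1": 40,
                   "registrar": "godaddy.com"},
    "paypal.com": {"first_seen": date(1999, 7, 15), "ns_changes_day1": 0,
                   "registrar": "markmonitor.com"},
}
URI_BLACKLIST = {"paypai.com"}        # constructed sample entry
PROTECTED_BRANDS = {"paypal.com"}     # brands whose lookalikes we watch for

# Characters commonly swapped for lookalikes (capital I for l, etc.);
# hostnames are case-folded before the mapping is applied.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})


def domain_of(url):
    """Isolate the host part of the link, lower-cased, without a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def looks_like(domain, brand):
    """True if the domain differs from a protected brand only by confusables."""
    return domain != brand and domain.translate(CONFUSABLES) == brand


def score_domain(url, today):
    """Return (domain, list of matched signals, registrar to report to or None)."""
    domain = domain_of(url)
    hits = []
    if any(looks_like(domain, b) for b in PROTECTED_BRANDS):
        hits.append("brand lookalike")
    if domain in URI_BLACKLIST:
        hits.append("uri blacklist")
    rec = DNS_HISTORY.get(domain)
    if rec:
        if (today - rec["first_seen"]).days <= 1:
            hits.append("registered within 1 day")
        if rec["ns_changes_day1"] >= 10:
            hits.append("fast flux (%d NS changes day 1)" % rec["ns_changes_day1"])
    # Report only when several independent signals agree, as the post proposes.
    report_to = rec["registrar"] if rec and len(hits) >= 3 else None
    return domain, hits, report_to
```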