Is there an abuse combat feed available at SURBL ? The hope was to get information that would trigger abuse investigations and possible domain take-downs of phishing/malware that is enjoying benefit from the domain name (e.g., using a domain name like bank-name-security.TLD)... parsing the full URI data seems the most logical option, but that there doesn't seem to exist a TLD-specific feed or an specific $ condition for TLD registries.
Ideas ?
Tks, Rubens
Hi Ruben - thanks for your note, and interest in surbl. We can very likely provide a feed which will help.
I'd like to get a bit more information, so we can best meet your objectives.
Are you free for a call sometime this week, or next?
Best regards Arnie
On Feb 14, 2017, at 5:26 PM, Rubens Kuhl rubensk@nic.br wrote:
Is there an abuse combat feed available at SURBL ? The hope was to get information that would trigger abuse investigations and possible domain take-downs of phishing/malware that is enjoying benefit from the domain name (e.g., using a domain name like bank-name-security.TLD)... parsing the full URI data seems the most logical option, but that there doesn't seem to exist a TLD-specific feed or an specific $ condition for TLD registries.
Ideas ?
Tks, Rubens
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
On Tuesday, February 14, 2017, 5:44:28 PM, Arnieb Arnieb wrote:
Hi Ruben - thanks for your note, and interest in surbl. We can very likely provide a feed which will help.
I'd like to get a bit more information, so we can best meet your objectives.
Are you free for a call sometime this week, or next?
Best regards Arnie
Looks like our emails crossed. I'm sure Arnie can help answer your questions about SURBL data. I hope my introduction was helpful too.
Cheers,
Jeff C.
On Feb 14, 2017, at 5:26 PM, Rubens Kuhl rubensk@nic.br wrote:
Is there an abuse combat feed available at SURBL ? The hope was to get information that would trigger abuse investigations and possible domain take-downs of phishing/malware that is enjoying benefit from the domain name (e.g., using a domain name like bank-name-security.TLD)... parsing the full URI data seems the most logical option, but that there doesn't seem to exist a TLD-specific feed or an specific $ condition for TLD registries.
Ideas ?
Tks, Rubens
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
On Tuesday, February 14, 2017, 5:26:19 PM, Rubens Kuhl wrote:
Is there an abuse combat feed available at SURBL ? The hope was to get information that would trigger abuse investigations and possible domain take-downs of phishing/malware that is enjoying benefit from the domain name (e.g., using a domain name like bank-name-security.TLD)... parsing the full URI data seems the most logical option, but that there doesn't seem to exist a TLD-specific feed or an specific $ condition for TLD registries.
Ideas ?
Tks, Rubens
Hi Rubens, Thanks very much for your questions. We would be very glad if our data could be used to help with investigations, and we feel we have some of the most accurate, careful and actionable data available.
SURBL has a main list of abuse, phishing, malware, and cracked hosts (domains and IPs). Most of the abuse hosts are used for spam. Cracked hosts tend to be used for spam, phishing, malware, botnets, DDOS, etc. SURBL also has full URI data available in different ways. Both types of data may be useful for you, but it may be simplest to start with the host data and then try URIs. There is also a logical process to check our host data first, then check our URI data for deeper information where available. (Not all blacklisted hosts have corresponding blacklisted URIs, and vice versa.)
We can make reports about specific TLDs, for example .br or even Brazilian brands, but the .br domains are also trivially searchable in our main host blacklist.
Let us ask Arnie or Allen of our reseller SecurityZones to please follow up with you about these questions. They can also explain some of our other datasets and services which may be useful.
SecurityZones web site is:
Hi Arnie and Allen, Please reply to Rubens and include SURBL so we can also follow up with any technical questions as needed.
Cheers,
Jeff C.
SURBL has a main list of abuse, phishing, malware, and cracked hosts (domains and IPs). Most of the abuse hosts are used for spam. Cracked hosts tend to be used for spam, phishing, malware, botnets, DDOS, etc. SURBL also has full URI data available in different ways. Both types of data may be useful for you, but it may be simplest to start with the host data and then try URIs. There is also a logical process to check our host data first, then check our URI data for deeper information where available. (Not all blacklisted hosts have corresponding blacklisted URIs, and vice versa.)
Ok, got it. I was thinking on parsing URIs only, now I know better. URIs are good when verifying the case is not a false positive.
We can make reports about specific TLDs, for example .br or even Brazilian brands, but the .br domains are also trivially searchable in our main host blacklist.
It's usually simpler parsing than asking for an specific subset. But if an specific subset is all that the source is willing to make available, than we can live with that... we have done it both ways with other data feeds. Having them complete though is showing one interesting feature: if a domain registrant asks for a CNAME or HTTP redirection to a different TLD, having the full dataset instead of per-TLD helps preventing those redirections from ever being provisioned.
Rubens
Hi Rubens - I think we can indeed provide you data sets, and look forward to discussing.
Are you free for a call this week - Thursday afternoon?
Thanks - looking forward to chatting with you
Regards Arnie
Sent from my iPhone
On Feb 14, 2017, at 6:22 PM, Rubens Kuhl rubensk@nic.br wrote:
SURBL has a main list of abuse, phishing, malware, and cracked hosts (domains and IPs). Most of the abuse hosts are used for spam. Cracked hosts tend to be used for spam, phishing, malware, botnets, DDOS, etc. SURBL also has full URI data available in different ways. Both types of data may be useful for you, but it may be simplest to start with the host data and then try URIs. There is also a logical process to check our host data first, then check our URI data for deeper information where available. (Not all blacklisted hosts have corresponding blacklisted URIs, and vice versa.)
Ok, got it. I was thinking on parsing URIs only, now I know better. URIs are good when verifying the case is not a false positive.
We can make reports about specific TLDs, for example .br or even Brazilian brands, but the .br domains are also trivially searchable in our main host blacklist.
It's usually simpler parsing than asking for an specific subset. But if an specific subset is all that the source is willing to make available, than we can live with that... we have done it both ways with other data feeds. Having them complete though is showing one interesting feature: if a domain registrant asks for a CNAME or HTTP redirection to a different TLD, having the full dataset instead of per-TLD helps preventing those redirections from ever being provisioned.
Rubens
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
Hi Rubens - just a friendly follow up... to see if you might have time for a call today?
Best Regards Arnie
Sent from my iPhone
On Feb 14, 2017, at 6:22 PM, Rubens Kuhl rubensk@nic.br wrote:
SURBL has a main list of abuse, phishing, malware, and cracked hosts (domains and IPs). Most of the abuse hosts are used for spam. Cracked hosts tend to be used for spam, phishing, malware, botnets, DDOS, etc. SURBL also has full URI data available in different ways. Both types of data may be useful for you, but it may be simplest to start with the host data and then try URIs. There is also a logical process to check our host data first, then check our URI data for deeper information where available. (Not all blacklisted hosts have corresponding blacklisted URIs, and vice versa.)
Ok, got it. I was thinking on parsing URIs only, now I know better. URIs are good when verifying the case is not a false positive.
We can make reports about specific TLDs, for example .br or even Brazilian brands, but the .br domains are also trivially searchable in our main host blacklist.
It's usually simpler parsing than asking for an specific subset. But if an specific subset is all that the source is willing to make available, than we can live with that... we have done it both ways with other data feeds. Having them complete though is showing one interesting feature: if a domain registrant asks for a CNAME or HTTP redirection to a different TLD, having the full dataset instead of per-TLD helps preventing those redirections from ever being provisioned.
Rubens
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss