Educause Security Discussion mailing list archives

Re: Blacklisting XYZ Domains


From: Glenn Forbes Fleming Larratt <gl89 () CORNELL EDU>
Date: Thu, 12 Nov 2020 06:35:31 -0500

TL;DR We blocked .xyz in 2019-02 and got our hands slapped; after building a method to "block all of .xyz *except*...", we've been able to use this as a protective measure for the last 18 months.

===========

The .xyz and .online TLDs - as loci of dirt-cheap domain registration suitable for attackers - were used to preregister about 14 domains in each for a phishing campaign against us in early 2019. Our initial block of the .xyz TLD, using a homegrown SafeDNS application, ran afoul of at least one researcher and had to be removed.

We invested some development time into our SafeDNS app to allow configuration of exceptions to blocks of TLDs and other wide swaths of namespace (co.com, for example). Having done so, we reinstituted the block on .xyz in March of 2019, and subsequently added blocks on each of .online, .site, .icu, and .top; our list of exceptions currently numbers 50 (55 including the nic.*blotz* domain for each TLD), and we can typically configure an exception and have it take effect in 60-90 minutes.

        -g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
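The "block all of a TLD except an exception list" policy described above, as an added example that is not Cornell's SafeDNS code: a small resolver policy that blocks whole TLDs (or wider swaths such as co.com), lets listed exceptions and each registry's nic.<tld> through, and emits the equivalent BIND RPZ records. The exception name used at the bottom is constructed.

```python
# Added example, not Cornell's SafeDNS code: a resolver policy that blocks whole
# TLDs (or wider swaths such as co.com) while letting an exception list through,
# and emits the equivalent BIND RPZ records. Exception names are constructed.
from dataclasses import dataclass, field


@dataclass
class TldBlockPolicy:
    blocked: set                                  # e.g. {"xyz", "online", "co.com"}
    exceptions: set = field(default_factory=set)  # names (and subtrees) allowed through

    def __post_init__(self):
        self.blocked = {self._norm(z) for z in self.blocked}
        # keep each registry's own nic.<tld> reachable, as the thread describes
        self.exceptions = {self._norm(n) for n in self.exceptions} | {
            "nic." + z for z in self.blocked if "." not in z}

    @staticmethod
    def _norm(name):
        return name.strip().rstrip(".").lower()   # tolerate trailing dot, mixed case

    @staticmethod
    def _under(name, zone):
        return name == zone or name.endswith("." + zone)

    def decide(self, qname):
        """Return 'allow' or 'block' for a query name; exceptions win over blocks."""
        name = self._norm(qname)
        if any(self._under(name, ex) for ex in self.exceptions):
            return "allow"
        if any(self._under(name, z) for z in self.blocked):
            return "block"
        return "allow"

    def rpz_records(self):
        """Equivalent RPZ zone lines: passthru for exceptions, NXDOMAIN for blocks.
        RPZ applies the longest matching name, so an exception's passthru beats
        the wildcard block on its TLD."""
        lines = []
        for ex in sorted(self.exceptions):
            lines += [f"{ex} CNAME rpz-passthru.", f"*.{ex} CNAME rpz-passthru."]
        for z in sorted(self.blocked):
            lines += [f"{z} CNAME .", f"*.{z} CNAME ."]
        return lines


if __name__ == "__main__":
    policy = TldBlockPolicy({"xyz", "online", "site", "icu", "top"},
                            {"research-lab.xyz"})   # constructed exception
    for q in ("login-verify.xyz.", "www.research-lab.xyz", "nic.xyz", "example.com"):
        print(q, policy.decide(q))
    print("\n".join(policy.rpz_records()))
```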

On Wed, 11 Nov 2020, SECURITY automatic digest system wrote:

------------------------------

Date:    Wed, 11 Nov 2020 20:55:23 +0000
From:    "Valentijn, Ashley" <axv749 () MIAMI EDU>
Subject: Blacklisting XYZ Domains

Hello all,

Hope everyone is doing well and staying safe!

Our office recently received a request to block the XYZ domain on the university network due to the increased rise in phishing attacks. Has this been done at other universities and colleges and if so, was there any backlash from faculty members, researchers, etc.?

Best regards,
Ashley Valentijn, M.S.
Security Engineer
Information Security Office
P: 305-284-4582 | E: axv749 () miami edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

------------------------------

Date:    Wed, 11 Nov 2020 21:16:42 +0000
From:    "Adam T. Ferrero" <adam () TEMPLE EDU>
Subject: Re: [External] [SECURITY] Blacklisting XYZ Domains


We use Palo Alto and allow it to DNS sinkhole malware, etc. as well as a custom list of targeted bad stuff. We only block the bad stuff so no one complains about that.

Adam
https://www.marketplace.org/2020/06/17/tech-companies-update-language-to-avoid-offensive-terms/



------------------------------

Date:    Wed, 11 Nov 2020 21:24:33 +0000
From:    "Bandy, John" <jbandy () SAMFORD EDU>
Subject: Re: [External] [SECURITY] Blacklisting XYZ Domains

I block domains daily based on phishing requests reported by employees. I have not had any issues. I have been doing this for several years. We use Cisco's IronPort so IronPort catches many of them before they get to the mailboxes. Of course, general user domains (such as yahoo, gmail, hotmail etc) are not able to be blocked. We only block the sending address. I will run a query before blocking the domain to make sure no legitimate email (from other addresses from that domain) will be affected.

John Bandy
Chief Information Security Officer
Technology Services

205-726-2692 | office
205-726-2692 | fax
JBandy () Samford Edu
Twitter: http://twitter.com/SamfordInfoSec
800 Lakeshore Drive
Birmingham, AL 35229





------------------------------

End of SECURITY Digest - 10 Nov 2020 to 11 Nov 2020 (#2020-218)
***************************************************************

