Educause Security Discussion mailing list archives

Re: Blacklisting XYZ Domains


From: Von Welch <von () VONWELCH COM>
Date: Thu, 12 Nov 2020 16:11:14 +0000

Good morning.

Someone else quietly introduced the following into this conversation and I just want to highlight it given the subject line.

    >  https://www.marketplace.org/2020/06/17/tech-companies-update-language-to-avoid-offensive-terms/

Best,

Von



On 11/12/20, 6:35 AM, "The EDUCAUSE Security Community Group Listserv on behalf of Glenn Forbes Fleming Larratt" 
<SECURITY () LISTSERV EDUCAUSE EDU on behalf of gl89 () CORNELL EDU> wrote:

    TL;DR We blocked .xyz in 2019-02 and got our hands slapped; after building 
    a method to "block all of .xyz *except*...", we've been able to use this 
    as a protective measure for the last 18 months.

    ===========

    The .xyz and .online TLDs - as loci of dirt-cheap domain registration 
    suitable for attackers - were used to preregister about 14 domains in each 
    for a phishing campaign against us in early 2019. Our initial block of the 
    .xyz TLD, using a homegrown SafeDNS application, ran afoul of at least one 
    researcher and had to be removed.

    We invested some development time into our SafeDNS app to allow 
    configuration of exceptions to blocks of TLDs and other wide swaths of 
    namespace (co.com, for example). Having done so, we reinstituted the block 
    on .xyz in March of 2019, and subsequently added blocks on each of 
    .online, .site, .icu, and .top; our list of exceptions currently numbers 
    50 (55 including the nic.*blotz* domain for each TLD), and we can 
    typically configure an exception and have it take effect in 60-90 
    minutes.

        -g
    --
    Glenn Forbes Fleming Larratt
    Cornell University IT Security Office

    On Wed, 11 Nov 2020, SECURITY automatic digest system wrote:

    > ------------------------------
    >
    > Date:    Wed, 11 Nov 2020 20:55:23 +0000
    > From:    "Valentijn, Ashley" <axv749 () MIAMI EDU>
    > Subject: Blacklisting XYZ Domains
    >
    > Hello all,
    >
    > Hope everyone is doing well and staying safe!
    >
    > Our office recently received a request to block the XYZ domain on the 
    > university network due to the increased rise in phishing attacks. Has 
    > this been done at other universities and colleges and if so, was there 
    > any backlash from faculty members, researchers, etc.? 
    >
    > Best regards,
    > Ashley Valentijn, M.S.
    > Security Engineer
    > Information Security Office
    > P: 305-284-4582 | E: axv749 () miami edu
    >
    > **********
    > Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to
    > the person who sent the message, copy and paste their email address and forward the email reply. Additional
    > participation and subscription information can be found at https://www.educause.edu/community
    >
    > ------------------------------
    >
    > Date:    Wed, 11 Nov 2020 21:16:42 +0000
    > From:    "Adam T. Ferrero" <adam () TEMPLE EDU>
    > Subject: Re: [External] [SECURITY] Blacklisting XYZ Domains
    >
    >
    >  We use Palo Alto and allow it to DNS sinkhole malware, etc. as well as 
    > a custom list of targeted bad stuff.  We only block the bad stuff so no 
    > one complains about that.
    >
    >  Adam
    >  https://www.marketplace.org/2020/06/17/tech-companies-update-language-to-avoid-offensive-terms/
    >
    >
    > ------------------------------
    >
    > Date:    Wed, 11 Nov 2020 21:24:33 +0000
    > From:    "Bandy, John" <jbandy () SAMFORD EDU>
    > Subject: Re: [External] [SECURITY] Blacklisting XYZ Domains
    >
    > I block domains daily based on phishing requests reported by employees. 
    > I have not had any issues.  I have been doing this for several years. 
    > We use Cisco's IronPort so IronPort catches many of them before they get 
    > to the mailboxes. 
    >
    > Of course, general user domains (such as yahoo, gmail, hotmail etc) are 
    > not able to be blocked.  We only block the sending address. 
    >
    > I will run a query before blocking the domain to make sure no legitimate 
    > email (from other addresses from that domain) will be affected. 
    >
    > John Bandy
    > Chief Information Security Officer
    > Technology Services
    >
    > 205-726-2692 | office
    > 205-726-2692 | fax
    > JBandy () Samford Edu
    > Twitter: http://twitter.com/SamfordInfoSec
    > 800 Lakeshore Drive
    > Birmingham, AL 35229
    >
    > ------------------------------
    >
    > End of SECURITY Digest - 10 Nov 2020 to 11 Nov 2020 (#2020-218)
    > ***************************************************************
    >

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
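
The "block all of .xyz *except*..." approach described in the quoted Cornell reply can be modelled as a most-specific-suffix policy. This is an added example, not code from any poster in the thread and not Cornell's SafeDNS application; the class and function names and the sample exception domains are hypothetical, and only the TLD names and co.com come from the thread.

```python
"""Most-specific-suffix policy for 'block a TLD except ...' DNS filtering."""


def normalize(name):
    """Lower-case, drop the root dot, and return the labels right-to-left."""
    labels = name.strip().lower().rstrip(".").split(".")
    return tuple(reversed([label for label in labels if label]))


class SuffixPolicy:
    """Hypothetical policy object: blocked suffixes plus allow exceptions."""

    def __init__(self, blocked, exceptions):
        # Each rule is keyed by its reversed labels so lookups are exact.
        self.rules = {normalize(s): "block" for s in blocked}
        # Exceptions load second, so an identical suffix resolves to allow.
        self.rules.update({normalize(s): "allow" for s in exceptions})

    def decide(self, qname):
        """Return (action, matched_suffix); the longest matching suffix wins."""
        labels = normalize(qname)
        # Walk from the full name down to the TLD, comparing whole labels,
        # so 'evilco.com' never matches a rule written for 'co.com'.
        for depth in range(len(labels), 0, -1):
            action = self.rules.get(labels[:depth])
            if action:
                return action, ".".join(reversed(labels[:depth]))
        return "allow", None  # no rule applies: default allow


# Constructed sample configuration (exception domains are made up).
BLOCKED = ["xyz", "online", "site", "icu", "top", "co.com"]
EXCEPTIONS = ["nic.xyz", "research-lab.xyz", "partner.co.com"]
POLICY = SuffixPolicy(BLOCKED, EXCEPTIONS)

if __name__ == "__main__":
    # Constructed query names covering block, exception, and boundary cases.
    for q in ["login-portal.xyz", "WWW.Research-Lab.XYZ.", "evilco.com",
              "shop.co.com", "partner.co.com", "example.org"]:
        print(q, POLICY.decide(q))
```

Returning the matched suffix alongside the action lets each block or exception hit be logged against the rule that caused it, which helps when reviewing whether an exception is still needed.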
