[dns-operations] Bluecoat report on newer TLDs heavily used for botnet C&C, phishing, and spamming.

Fred Morris m3047 at m3047.net
Mon Sep 7 19:24:09 UTC 2015

To operationalize this...

On Monday 07 September 2015 05:52, Stephane Bortzmeyer wrote:
> On Thu, Sep 03, 2015 at 03:49:28PM -0300,
>  Rubens Kuhl <rubensk at nic.br> wrote 
>  a message of 13 lines which said:
> > > 
> > 
> > Not that much useful, considering they made a gross mistake like not
> > differentiating .zip URIs from .zip domain names.
> I thought you were trolling but no, they are indeed stupid enough to
> do that:

For those of you who may have missed the recent whistling past the 
graveyard^H^H^H^H^H^H^H^H errmmm... Windows trusting file shares issues or 
have never seen 
I believe that they may be alluding to e.g. client-side software which is 
faced with the question:

"Ok, this is a reference. I'm supposed to fetch it. What kind of reference is 

and that they're seeing the FOD of attempts to find e.g. my-presentation.zip 
which were meant to refer to a file of the same name, present or otherwise. 
If this is the case, then other TLDs which collide with file extensions could 
see the same traffic.

"Shady" is a bit of a head scratcher, although if there are (malware) DGA 
algorithms which are already generating domains under a TLD which has almost 
none, then seeing those on your own network would also be useful counter 


Fred Morris
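
As an added illustration of the client-side dilemma described above (example code written for this page, not anything from the post, the list, or the Bluecoat report): a naive "does it look like dotted labels?" heuristic sends my-presentation.zip to the resolver, while a stricter policy checks the last label against the set of delegated TLDs, prefers a file that actually exists, and refuses to guess when the TLD doubles as a file extension. The TLD list and the extension-collision set are constructed subsets for the demo (an assumption; a real client would load the IANA root zone or the Public Suffix List), and the code generalises the post's .zip case to other TLDs that collide with common extensions, such as .mov, .sh and .py.

```python
import re

# Constructed subset of delegated TLDs for the demo (assumption: a real
# implementation would load the IANA root zone or the Public Suffix List).
KNOWN_TLDS = frozenset({
    "com", "net", "org", "io", "br",
    "zip", "mov", "sh", "pl", "py", "rs", "md", "so", "ps",
})

# TLDs that also occur as common file extensions (constructed subset).
EXTENSION_LIKE_TLDS = frozenset({
    "zip", "mov", "sh", "pl", "py", "rs", "md", "com", "so", "ps",
})

# One DNS label: 1-63 chars of letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample references a client might be handed.
SAMPLE_REFS = [
    "my-presentation.zip",          # the post's example: a file that looks like a host
    "README.md",
    "notes.txt",
    "example.org",
    "C:\\Users\\me\\backup.zip",
    "http://example.com/a.zip",
]


def _looks_like_hostname(ref):
    """True if every dot-separated part of ref is a syntactically valid label."""
    parts = ref.lower().split(".")
    return len(parts) >= 2 and all(LABEL_RE.match(p) for p in parts)


def naive_guess(ref, known_files=frozenset()):
    """The heuristic the post worries about: no scheme, no path separator,
    dotted labels, therefore 'it must be a hostname, resolve it'."""
    if "://" in ref:
        return "url"
    if "/" in ref or "\\" in ref:
        return "file"
    return "host" if _looks_like_hostname(ref) else "file"


def careful_guess(ref, known_files=frozenset()):
    """Stricter policy: resolve only when the last label is a delegated TLD,
    prefer a file that is known to exist, and refuse to guess when the TLD
    doubles as a file extension (caller should ask, or default to file)."""
    if "://" in ref:
        return "url"
    if ref in known_files or "/" in ref or "\\" in ref:
        return "file"
    if not _looks_like_hostname(ref):
        return "file"
    tld = ref.lower().rsplit(".", 1)[1]
    if tld not in KNOWN_TLDS:
        return "file"
    if tld in EXTENSION_LIKE_TLDS:
        return "ambiguous"
    return "host"


def names_resolved(refs, guesser, known_files=frozenset()):
    """Names a client using `guesser` would hand to the resolver, i.e. the
    DNS traffic the post suggests is showing up under TLDs like .zip."""
    return sorted(r.lower() for r in refs if guesser(r, known_files) == "host")


if __name__ == "__main__":
    for ref in SAMPLE_REFS:
        print(f"{ref!r:32} naive={naive_guess(ref):6} careful={careful_guess(ref)}")
    print("naive resolves:  ", names_resolved(SAMPLE_REFS, naive_guess))
    print("careful resolves:", names_resolved(SAMPLE_REFS, careful_guess))
```

Run it and the naive policy resolves four of the six references, including my-presentation.zip and notes.txt, whereas the careful policy resolves only example.org; passing the set of files that actually exist as known_files turns my-presentation.zip back into a plain file open with no lookup at all.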
