Re: [DNSOP] [EXTERNAL] Re: RDBD (Related Domains By DNS)

"Brotman, Alex" <Alex_Brotman@comcast.com> Wed, 04 March 2020 03:09 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: Ben Schwartz <bemasc@google.com>
CC: "dnsop@ietf.org" <dnsop@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 04 Mar 2020 03:09:17 +0000
Message-ID: <SN6PR11MB2638E17F7238590571642988F7E50@SN6PR11MB2638.namprd11.prod.outlook.com>
References: <SN6PR11MB263815A3157874070BE86908F7E40@SN6PR11MB2638.namprd11.prod.outlook.com> <CAHbrMsBa0rmhP9=qq_g9dBjiui84A7XqW1eC=18EENoOnKTuxg@mail.gmail.com>
In-Reply-To: <CAHbrMsBa0rmhP9=qq_g9dBjiui84A7XqW1eC=18EENoOnKTuxg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3i0mRY6CvkI1iLRybooA_Xmz1hU>

From the perspective of messaging anti-abuse, this can help when that department goes to an outside source.  If I see “example.com” and “example-hr.com”, is there an easy way today to ensure they’re actually related if they’re not registered through the same firm or hosted at the same NS systems?  If one can’t definitively determine that, you might decide that they are spam/phishing messages, and treat them more harshly when trying to determine if they are legit/spam.  For example, I’m pretty sure that “google.com” and “google-events.com” aren’t related based on the content of the latter’s website, but if I were to receive an email message from google-events.com, it might not be as easy to tell.  As for cousin domains, if you already know that the malicious domain exists, you can assert a negative relationship.  If “example.com” does not know “examp1e.com” exists, there would be neither a positive nor a negative relationship asserted, but the lack of a positive (when others are stated positively/negatively) could be used as some signal by the evaluator.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
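The evaluator-side logic sketched in the reply above (positive assertion, negative assertion, or no assertion, with the absence of a positive treated as a weak signal only when the domain publishes assertions at all), as an added example that is not code from this thread or from the RDBD draft. The `_rdbd` label, the `related=`/`unrelated=` TXT text format, the sample zone data and the score adjustments are constructed assumptions for illustration, not the draft's record format:

```python
"""Relying-party evaluation of domain relationship assertions.

Added example, not from the RDBD draft or any participant in the thread.
Record format, the _rdbd label and the score nudges are assumptions.
"""
from enum import Enum


class Relation(Enum):
    RELATED = "related"        # relating domain positively asserts the candidate
    DISAVOWED = "disavowed"    # relating domain negatively asserts the candidate
    UNKNOWN = "unknown"        # no assertion either way


# Constructed sample zone data standing in for DNS TXT lookups.
# Assumed format: "related=<domain>" or "unrelated=<domain>" at _rdbd.<domain>.
SAMPLE_ZONE = {
    "_rdbd.example.com": [
        "related=example-hr.com",
        "unrelated=examp1e.com",   # the known "cousin" domain from the reply
    ],
    "_rdbd.google.com": [],         # hypothetical: publishes no assertions
}


def _norm(name):
    """Lower-case and strip a trailing dot so comparisons are DNS-style."""
    return name.strip().lower().rstrip(".")


def parse_assertions(txt_records):
    """Split assumed-format TXT strings into (positives, negatives) sets."""
    positives, negatives = set(), set()
    for rec in txt_records:
        key, _, value = rec.partition("=")
        value = _norm(value)
        if not value:
            continue               # malformed record: ignore rather than trust
        if key.strip().lower() == "related":
            positives.add(value)
        elif key.strip().lower() == "unrelated":
            negatives.add(value)
    return positives, negatives


def lookup(zone, relating_domain):
    """Stand-in for a TXT query of the hypothetical _rdbd.<relating_domain>."""
    return zone.get("_rdbd." + _norm(relating_domain), [])


def classify(zone, relating_domain, candidate_domain):
    """Return (Relation, publishes_any): how relating_domain views candidate_domain."""
    positives, negatives = parse_assertions(lookup(zone, relating_domain))
    publishes_any = bool(positives or negatives)
    cand = _norm(candidate_domain)
    if cand in negatives:          # a negative assertion wins over a positive one
        return Relation.DISAVOWED, publishes_any
    if cand in positives:
        return Relation.RELATED, publishes_any
    return Relation.UNKNOWN, publishes_any


def score_adjustment(relation, publishes_any):
    """Constructed spam-score nudges; the magnitudes are illustrative only."""
    if relation is Relation.DISAVOWED:
        return 5.0
    if relation is Relation.RELATED:
        return -2.0
    # Unknown: only a mild penalty, and only when the relating domain actively
    # publishes assertions, so silence from a non-publisher carries no signal.
    return 1.0 if publishes_any else 0.0


def evaluate(zone, relating_domain, sender_domain):
    """Evaluate a message's sender domain against a brand domain it resembles."""
    relation, publishes_any = classify(zone, relating_domain, sender_domain)
    return relation, score_adjustment(relation, publishes_any)


if __name__ == "__main__":
    for brand, sender in [("example.com", "example-hr.com"),
                          ("example.com", "examp1e.com"),
                          ("example.com", "exampl3.com"),
                          ("google.com", "google-events.com")]:
        print(brand, sender, evaluate(SAMPLE_ZONE, brand, sender))
```

The four sample pairs exercise each branch: a published positive, a published negative, an unpublished lookalike of a domain that does publish (mild penalty), and an unpublished lookalike of a domain that publishes nothing (no signal). In a real deployment `lookup` would be replaced by a DNS TXT query, and the evaluator would still need its own way of deciding which brand domain a sender resembles; that part is outside what the reply describes.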

From: Ben Schwartz <bemasc@google.com>
Sent: Tuesday, March 3, 2020 5:38 PM
To: Brotman, Alex <Alex_Brotman@comcast.com>
Cc: dnsop@ietf.org; Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: [EXTERNAL] Re: [DNSOP] RDBD (Related Domains By DNS)

Thanks for the draft.  I haven't been following this, and I found it interesting.

I would appreciate more fully worked use cases to explain the motivation.  What is the use in correlating different domains?  How would one use this to prevent "cousin" attacks?

On Tue, Mar 3, 2020 at 2:12 PM Brotman, Alex <Alex_Brotman@comcast.com> wrote:
Hello,

A while ago, Stephen and I had sent out a few versions of this, and we had some discussions and revisions were made.  At the time, discussion waned; however, I wanted to pick this up again before the onset of IETF107.

https://datatracker.ietf.org/doc/draft-brotman-rdbd/

I've had some folks contact me privately, and I saw an inquiry on another list.  There does seem to be some interest, at least in the anti-abuse and research communities, of making this a functional proposition.

To recap, the rough idea is that implementers would be able to positively or negatively confirm relationships between domains.  In the world of anti-abuse and research, these links are not always obvious.  For example, in a large corporation, some teams may go outside acceptable practice and register a domain through another provider.  Or it may be that you have international branches that operate on a different TLD, but you may not have registered with all TLDs.  In the latter case, being able to both positively and negatively state a relationship could be useful for anti-spam/phishing.

Any questions or comments would be greatly appreciated.  Thank you.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
