For reporting, it might be nice to indicate if a filtered domain is known for being used by hidden background processes, rather than for www-browsing. This would include domains used by trojans to send captured private data, and domains used by dialers or botnets (zombie computers) to fetch new instructions.

In reporting, this indicator would tell the administrator that it was not a person who was trying to access the blocked domain (using some browser), but some hidden software running in the background -- which should make some alarm bells ring. And if e-mail reporting is ever implemented, then some administrators might especially want reports for these kinds of blocked access, while ignoring the blocked www-browsing.

Similarly, an indicator could be used for MX queries, to report spamming software running in the background (see also Block MX Lookups in this very Idea Bank).
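To make the reporting side of this idea concrete, here is an added example (not OpenDNS code, and not from the idea's author) that runs the proposed indicator over a few constructed DNS query log lines. The domain tag list, the log format, the client addresses and the list of legitimate mail servers are all made up for illustration. It uses the three tag values described later in this thread (no known background usage, known background/malware usage, and mixed usage), and additionally flags MX lookups from hosts that are not the site's mail servers. Note the limitation raised in the comments: the resolver only sees the queried name, so it cannot tell which process asked, and malware that calls home by IP address never appears in this report at all.

```python
"""Added example: classify blocked DNS queries by whether the destination
domain is known for hidden (non-interactive) use, and flag MX lookups from
ordinary client hosts.  Every tag, address and log line here is constructed."""
from collections import defaultdict

# Hypothetical tag list, keyed by domain.  A query matches if the queried
# name equals a key or is a subdomain of it.
#   "background":  known to be used by malware/bots/dialers phoning home
#   "mixed":       seen both in background processes and in normal browsing/mail
#   "interactive": ordinary web/mail domain, no known hidden usage
DOMAIN_TAGS = {
    "update-checker.example": "background",
    "cdn.example.net": "mixed",
    "shop.example.com": "interactive",
}

# Hosts that legitimately issue MX lookups (the site's real mail servers).
MAIL_SERVERS = {"10.0.0.25"}


def lookup_tag(qname):
    """Return the tag for qname or any parent domain of it, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        tag = DOMAIN_TAGS.get(".".join(labels[i:]))
        if tag is not None:
            return tag
    return None


def parse_line(line):
    """Parse a constructed log line: 'timestamp client qtype qname action'."""
    ts, client, qtype, qname, action = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname, "action": action.upper()}


def classify(event):
    """Return a report label for one DNS event, or None if nothing to flag."""
    tag = lookup_tag(event["qname"])
    if event["action"] == "BLOCKED":
        if tag == "background":
            return "background-process"      # nobody was browsing here
        if tag == "mixed":
            return "blocked-mixed"           # could be either
        return "blocked-browsing"            # no known hidden usage
    if event["qtype"] == "MX" and event["client"] not in MAIL_SERVERS:
        return "mx-from-client"              # workstation doing its own MX lookups
    return None


def report(lines):
    """Count flagged events per (client, label)."""
    counts = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        label = classify(event)
        if label:
            counts[(event["client"], label)] += 1
    return dict(counts)


def background_hosts(counts):
    """Clients whose traffic points at hidden software rather than a person."""
    noisy = {"background-process", "mx-from-client"}
    return sorted({client for (client, label) in counts if label in noisy})


# Constructed sample log (timestamp, client, qtype, qname, action).
SAMPLE_LOG = """\
2009-05-01T10:00:01 10.0.0.7 A update-checker.example BLOCKED
2009-05-01T10:00:02 10.0.0.7 A shop.example.com ALLOWED
2009-05-01T10:00:03 10.0.0.9 MX gmail.com ALLOWED
2009-05-01T10:00:04 10.0.0.25 MX gmail.com ALLOWED
2009-05-01T10:00:05 10.0.0.7 A www.cdn.example.net BLOCKED
2009-05-01T10:00:06 10.0.0.9 A shop.example.com BLOCKED
2009-05-01T10:00:07 10.0.0.7 A stats.update-checker.example BLOCKED
"""

if __name__ == "__main__":
    counts = report(SAMPLE_LOG.splitlines())
    for (client, label), n in sorted(counts.items()):
        print(f"{client:12} {label:20} {n}")
    print("hosts to look at:", background_hosts(counts))
```

The "blocked-browsing" bucket is what an administrator would skip in an e-mail digest, while "background-process" and "mx-from-client" are the rows that should ring alarm bells.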
6 Comments

written by Larry Gilbert 629 days ago, Rating: 0

Sort of like today's "Adware" category, only focusing on the back-end domains rather than the domains serving up the malware?

written by brechin 627 days ago, Rating: 1

There's no way for OpenDNS to know what software is making the DNS request. Besides, this is not something that can effectively be controlled, as the malware could just use IP addresses instead of domain names to get around any domain filtering.

written by itsallme 148 days ago, Rating: 0

written by avbentem 627 days ago, Rating: 2

I know that the DNS cannot detect what software issues the request, but the idea was to indicate this when submitting a domain to. So actually it would be some indicator saying "no known usage in hidden non-interactive background processes for this domain", "known to be used especially in malware background processes" and "known to be used in both background processes and interactive email and browsing". Something like that.

However: indeed using IP addresses (or accounts within some well-known approved domain, like www.honestprovider.tld/~hacker/post-keyboard-logger-results.php) would not be filtered, so I guess you're right: my idea should NOT be bothered about. Even worse: implementing it might give some sense of security which is not at all for real.

So: NOT WORTH THE EFFORT!

Too bad one always gives one's own idea a vote, and cannot revoke that ;-)

written by sparko 568 days ago, Rating: 1

Okay, I hear ya about worrying about giving a false sense of security, but the "idea" of this thread touches on an important point.

On the tagging submission/voting form(s), we really need a freeform text/textarea comment field which can be used when the reason for tagging isn't immediately IN YOUR FACE obvious. Without this:

I submit a "badware" site... but there's nothing obvious on the homepage of the domain, so how can others know/understand why it was submitted? They are resigned to vote "not sure", or "no" -- meaning they (and I) have just wasted time spinning our wheels.

written by joe262 142 days ago, Rating: 0

@avbentem:

Don't be so quick to diss your own idea. OpenDNS is already doing this with Conficker, blocking and tracking the phone-home requests it makes.

While no security measure is absolute, every little bit helps IMHO. As for the false sense of security, that argument could be applied to any security measure as well, since none is absolute.

I vote yes!
