How the Newly Observed Domain List (NOD) is being built:
This list is completely automated and is one of the few of our datasets whose base data comes from an external source.
The company in question is the excellent Farsight Security. They have a network of passive DNS sensors all over the world which feed into their massive Security Information Exchange (SIE) platform.
We run Farsight DNS sensors on the DNS servers used by the Abusix Mail Intelligence processors. This feeds their platform a lot of valuable data relating to email threats, and that data then loops back to us via their SIE once it has been processed.
They know about every domain in existence, and when their passive DNS sensors see a domain that they have not seen before, it is emitted on one of their SIE channels.
We retrieve this information in real-time and store each emitted domain for 25 hours, and that is our Newly Observed Domains list.
One of the benefits of using passive DNS replication for this data is that we see domains when they are first used, not when they are first registered. This is far more useful when dealing with spam.
What is this Newly Observed Domain List designed for?
New domains that we see hitting our spam traps are automatically listed in our Domain Blocklist that we covered in Part 5 of this series.
Other new domains aren't necessarily bad, but a brand new domain being used to send email, or appearing in a message body, should be treated as suspicious, and that is why we make this data available.
It's useful for adding extra metadata to your filtering platform, or for adding extra scores in scoring systems like SpamAssassin or rspamd.
It can also be combined with other indicators to cause a message to be treated as spam, e.g. new domain AND from an IP you haven't seen before.
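As an added illustration (not Abusix code, not the real feed client), the following Python sketch shows how a mail filter might consume a feed like this: it keeps emitted domains for the 25-hour window described above, matches sender and body hostnames against the list (including parent domains), and combines the result with a "never seen this IP before" check into a score, in the spirit of a SpamAssassin or rspamd rule. The score weights, the rule names and the feed entries are constructed assumptions for the example; the only value taken from the text is the 25-hour retention.

```python
import re
from urllib.parse import urlparse

# Retention window stated in the text: each emitted domain is kept for 25 hours.
NOD_TTL_SECONDS = 25 * 60 * 60

# Illustrative score weights (assumption; not values from the text or from Abusix).
WEIGHT_NOD_FROM = 2.0        # sender domain is newly observed
WEIGHT_NOD_BODY = 1.5        # a domain in the message body is newly observed
WEIGHT_NOD_UNSEEN_IP = 3.0   # new domain AND sending IP never seen before


def normalise(domain):
    """Lower-case and strip the trailing dot so feed and message domains compare equal."""
    return domain.strip().lower().rstrip(".")


class NewlyObservedDomains:
    """In-memory NOD store: domains arrive from a feed and drop out after the TTL."""

    def __init__(self, ttl=NOD_TTL_SECONDS):
        self.ttl = ttl
        self._first_seen = {}  # domain -> timestamp at which the feed emitted it

    def observe(self, domain, now):
        # Keep the earliest observation; re-emitting a domain must not extend its life.
        self._first_seen.setdefault(normalise(domain), now)

    def expire(self, now):
        cutoff = now - self.ttl
        for d in [d for d, t in self._first_seen.items() if t < cutoff]:
            del self._first_seen[d]

    def is_new(self, hostname, now):
        """True if the hostname, or any parent domain below the TLD, is on the list."""
        self.expire(now)
        labels = normalise(hostname).split(".")
        for i in range(len(labels) - 1):  # never match a bare TLD
            if ".".join(labels[i:]) in self._first_seen:
                return True
        return False


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def body_domains(body):
    """Hostnames of every http(s) URL found in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(normalise(host))
    return hosts


def score_message(nod, sender_domain, body, sender_ip, known_ips, now):
    """Return (score, reasons) for one message; rule names are illustrative."""
    score = 0.0
    reasons = []
    if nod.is_new(sender_domain, now):
        score += WEIGHT_NOD_FROM
        reasons.append("NOD_FROM")
    if any(nod.is_new(h, now) for h in body_domains(body)):
        score += WEIGHT_NOD_BODY
        reasons.append("NOD_BODY")
    # The combination rule from the text: new domain AND an IP we have not seen before.
    if reasons and sender_ip not in known_ips:
        score += WEIGHT_NOD_UNSEEN_IP
        reasons.append("NOD_AND_UNSEEN_IP")
    return score, reasons


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed feed timestamp
    nod = NewlyObservedDomains()
    nod.observe("fresh-deals.example", t0)   # constructed feed entry
    known_ips = {"192.0.2.10"}               # IPs this platform has seen before
    body = "Claim now: http://www.fresh-deals.example/offer"
    # One hour after the feed emitted the domain: both rules and the combination fire.
    print(score_message(nod, "fresh-deals.example", body, "203.0.113.5", known_ips, t0 + 3600))
    # Twenty-six hours later the domain has aged out of the 25-hour window: nothing fires.
    print(score_message(nod, "fresh-deals.example", body, "203.0.113.5", known_ips, t0 + 26 * 3600))
```

In a real deployment the `observe` calls would be driven by the feed client and the store would be shared (for example in Redis) rather than per-process, but the matching and expiry logic is the part worth getting right: a hostname in a message is usually a subdomain of the listed domain, and a domain that has been around for more than the window should stop contributing to the score.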
Hope that is useful.
Until next time – stay safe.