Democratizing Threat Intelligence: Leveraging Open-Source Domain Monitoring


Introduction:

Threat intelligence is no longer exclusive to enterprises with massive budgets. Open-source tools like Stephen Doyle’s daily-updated domain registrations dataset empower security teams to proactively identify risks. By monitoring newly registered domains (NRDs), organizations can detect phishing, malware distribution, and other threats early.

Learning Objectives:

  • Understand how NRD tracking mitigates email/web-based attacks.
  • Learn to integrate NRD data into security workflows (SIEM, proxies, email gateways).
  • Automate threat detection using free datasets and scripting.

1. Blocking NRDs in Email Gateways

Use Case: Drop emails from domains <30 days old.

Tools: Postfix (Linux) or Exchange Online (Windows).

Postfix Configuration:

```
# /etc/postfix/main.cf
# check_sender_access keys on the envelope sender's domain; check_client_access
# would key on the connecting client's hostname/IP, not on the sender domain.
smtpd_recipient_restrictions =
    check_sender_access regexp:/etc/postfix/nrd_denylist
```

Create a regexp access file (`/etc/postfix/nrd_denylist`) with one entry per domain in access(5) format, e.g. `/(^|[@.])newlyregistereddomain\.com$/ REJECT`, which matches the domain itself and any subdomain. Regexp tables need no `postmap`, but run `postfix reload` after replacing the file.

Exchange Online PowerShell:

```powershell
# Creates the content filter policy; it only takes effect once bound to
# recipients with New-HostedContentFilterRule -HostedContentFilterPolicy "BlockNRDs".
New-HostedContentFilterPolicy -Name "BlockNRDs" -BlockedSenderDomains (Get-Content "nrd_denylist.txt")
```

Steps:

  1. Download daily NRD data from Webamon’s repository.
  2. Parse and format domains into denylists.
  3. Update configurations daily via cron/PowerShell scripts.
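Step 2 above, and the Squid conversion in Section 2, can be done in one place. The following is an added example, not code from this post or from the Webamon dataset project: it normalizes a constructed sample feed, applies a hypothetical allowlist for vetted new SaaS domains (the operational trade-off noted in the analysis), and emits the Postfix regexp and Squid dstdomain formats used in Sections 1 and 2 (the Exchange Online list is simply one domain per line).

```python
import re
from typing import Iterable

# Constructed sample of one day's NRD feed: one domain per line, with the
# kinds of noise a raw feed can carry (case, whitespace, blanks, junk, dupes).
SAMPLE_FEED = """\
Login-Secure-Update.com
  paypa1-verify.net
INVALID DOMAIN
newsaas-startup.io

paypa1-verify.net
"""

# Hypothetical allowlist: legitimate new domains the team has vetted.
ALLOWLIST = {"newsaas-startup.io"}

# Conservative hostname check: letter/digit/hyphen labels and an alphabetic TLD.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_feed(text: str, allowlist: Iterable[str] = ()) -> list[str]:
    """Normalize a raw feed into a sorted, deduplicated list of domains.

    Lowercases, trims, drops blank/invalid lines and allowlisted domains, so a
    single malformed feed line cannot break every generated denylist.
    """
    skip = {d.strip().lower() for d in allowlist}
    seen = set()
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if d and _DOMAIN_RE.match(d) and d not in skip:
            seen.add(d)
    return sorted(seen)


def to_postfix_regexp(domains: list[str]) -> str:
    """Postfix regexp access map: reject the domain itself and any subdomain."""
    return "".join(
        f"/(^|[@.]){re.escape(d)}$/ REJECT newly registered domain\n" for d in domains
    )


def to_squid_dstdomain(domains: list[str]) -> str:
    """Squid dstdomain file: a leading dot matches the domain and its subdomains."""
    return "".join(f".{d}\n" for d in domains)
```

If the feed holds only the current day's registrations, concatenate the last 30 daily files before calling `parse_feed` to get the 30-day window from Section 1.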

2. Proxy Filtering for NRDs

Tools: Squid (Linux) or Windows Defender Application Guard.

Squid ACL Rule:

```
# /etc/squid/squid.conf
# One domain per line in the file; a leading dot also matches subdomains.
# Place the deny line before any http_access allow rules (first match wins).
acl NRDs dstdomain "/etc/squid/nrd_denylist"
http_access deny NRDs
```

Steps:

  1. Convert NRD data into Squid-compatible format (prefix each domain with a dot so subdomains match too), writing to the path the ACL reads:

```sh
sed 's/^/./' nrd_data.txt > /etc/squid/nrd_denylist
```

  2. Reload Squid: `systemctl reload squid`.

3. SIEM Integration (Splunk Example)

Query: Alert on NRD access attempts. The subsearch expands the lookup into an `OR` of `domain=` terms, so the proxy sourcetype must extract the destination host into a field named `domain`; subsearches return at most 10,000 results by default, so for larger lists use the `lookup` command instead.

```
index=proxy_logs [| inputlookup nrd_domains.csv | fields domain]
| stats count by src_ip, domain
```

Steps:

  1. Upload NRD data as a lookup table in Splunk.
  2. Schedule alerts for hits.

4. Automating NRD Data Fetching

Python Script:

```python
import requests

url = "https://codeberg.org/webamon/newly_registered_domains/raw/branch/main/domains.txt"
# Fail loudly on network errors or non-2xx responses instead of silently
# writing an empty file or an error page as the denylist.
response = requests.get(url, timeout=30)
response.raise_for_status()
with open("nrd_denylist.txt", "wb") as f:
    f.write(response.content)
```

Cron Job:

```
# Daily at 05:00
0 5 * * * /usr/bin/python3 /path/to/fetch_nrds.py
```

5. Cloud Hardening (AWS WAF Example)

AWS CLI Rule (`update-ip-set` replaces the set's whole address list, requires the set's id and current lock token, and expects CIDR notation; the id below is a placeholder):

```sh
LOCK_TOKEN=$(aws wafv2 get-ip-set --name "BlockNRDs" --scope REGIONAL \
  --id "<IP_SET_ID>" --query LockToken --output text)
aws wafv2 update-ip-set \
  --name "BlockNRDs" \
  --scope REGIONAL \
  --id "<IP_SET_ID>" \
  --lock-token "$LOCK_TOKEN" \
  --addresses $(curl -sf https://codeberg.org/webamon/newly_registered_domains/raw/branch/main/ips.txt | sed '/\//!s#$#/32#')
```

What Undercode Says:

  • Key Takeaway 1: NRD monitoring is a low-cost, high-impact layer for threat prevention.
  • Key Takeaway 2: Automation is critical—manual updates can’t keep pace with domain churn.

Analysis:

Stephen Doyle’s approach highlights the shift toward collaborative security. By open-sourcing NRD data, defenders gain parity with attackers who exploit domain freshness. Future tools may integrate AI to correlate NRDs with historical attack patterns, reducing false positives. However, teams must balance blocking NRDs with operational needs (e.g., legitimate new SaaS platforms).

Prediction:

Within 2 years, NRD-based blocking will become standard in SMB security stacks, driven by API integrations between open-source datasets and commercial platforms like Microsoft Defender and CrowdStrike.

IT/Security Reporter URL:

Reported By: Stephen Doyle – Hackers Feeds
