
The Suspicious Domains List at SANS

Posted on April 18th, 2012 in Domain News by dglosser

After some maintenance downtime, the Suspicious Domains lists at https://isc.sans.edu/tools/suspicious_domains.html have been re-launched. This project was developed by handler Jason Lam and is an effort to assemble weighted lists of suspicious domains based on tracking, malware and other sources.

List revalidation: 1700+ domains removed

Posted on April 3rd, 2012 in Domain News,Removed Domains by dglosser

We just reevaluated 1824 domains… 1720 were removed, 79 were STILL actively blacklisted by Google after many months and were added to our “immortal” list.

List of removed domains is: http://mirror2.malwaredomains.com/files/removed-domains-20120402.txt

List of “immortal” malware domains:  http://mirror2.malwaredomains.com/files/immortal_domains.txt

 

 

List Recertification: Over 1300 Domains Removed

Posted on February 25th, 2012 in Domain News,Removed Domains by dglosser

Over 1300 domains have been delisted. Please update your blocklists.

Reminders:

  • The main site does not contain any zone files. Please download files from one of our download mirrors.
  • Pull ONLY the file you need – there is no need to pull every zone file!  Abusers will be banned!
  • Anyone pulling files more than every 12 hours will be banned!
  • We also have a mirror dedicated to research and Open Source Projects – contact us for details.
  • Please use the “datestamp” and “timestamp” file to determine if the list has been updated and ONLY pull the files you need – abusers will be banned! Use the “wget -N”!
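
One way to follow these reminders from a cron job, as an added example rather than a script from the DNS-BH project: it enforces the 12-hour minimum, checks the “timestamp” file first, and pulls a single zone file only when that file has changed. The mirror URL, zone file name, state directory and the exact name of the timestamp file are placeholders and assumptions.

```shell
#!/bin/sh
# Polite blocklist updater (added example; all names below are assumptions).
MIRROR="${MIRROR:-http://mirror.example.invalid/files}"  # placeholder mirror URL
ZONE_FILE="${ZONE_FILE:-zonefile.placeholder}"           # the ONE file you need
STATE_DIR="${STATE_DIR:-./dnsbh-state}"                  # local cache and bookkeeping
MIN_INTERVAL=43200                                       # 12 hours, in seconds

# fetch NAME: download one file into STATE_DIR. "wget -N" turns on
# timestamping, so a file that has not changed on the server is not re-sent.
fetch() {
    ( cd "$STATE_DIR" && wget -N -q "$MIRROR/$1" )
}

# too_soon NOW: succeeds if the previous poll was under 12 hours before NOW.
too_soon() {
    [ -f "$STATE_DIR/last_poll" ] || return 1
    last=$(cat "$STATE_DIR/last_poll")
    [ $(( $1 - last )) -lt "$MIN_INTERVAL" ]
}

# update_blocklist NOW: prints skipped-interval, unchanged or updated.
update_blocklist() {
    now=$1
    mkdir -p "$STATE_DIR"
    if too_soon "$now"; then
        echo skipped-interval        # no request is sent to the mirror at all
        return 0
    fi
    fetch timestamp || return 1      # small marker file, fetched first
    echo "$now" > "$STATE_DIR/last_poll"
    if [ -f "$STATE_DIR/timestamp.seen" ] &&
       cmp -s "$STATE_DIR/timestamp" "$STATE_DIR/timestamp.seen"; then
        echo unchanged               # list not updated: skip the zone file
        return 0
    fi
    fetch "$ZONE_FILE" || return 1   # only the single file we use
    cp "$STATE_DIR/timestamp" "$STATE_DIR/timestamp.seen"
    echo updated
}

# From cron:  update_blocklist "$(date +%s)"
```

Reload the resolver only when the function prints `updated`; a failed download returns non-zero and leaves the previously cached zone file in place.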

Mirror is Back Online (also new mirror)

Posted on February 15th, 2012 in Domain News by dglosser

mirror2.malwaredomains.com is back up – direct access to the zone files is working but things like displaying directory indices are a work-in-progress.

We are also testing another mirror  –  compressed full zone files only  –  located at  http://www.malware-domains.com/ (note the dash)

Please give it a try and let us know…

 

 

mirror2.malwaredomains.com temporarily down

Posted on February 14th, 2012 in Domain News by dglosser

mirror2.malwaredomains.com is temporarily down; we will update you once it is back up. In the meantime, please use one of the other mirrors or contact us for details regarding the mirror handling only compressed files.

 

Guy Bruneau’s DNS Sinkhole Script – Fixes & Updates

Posted on January 21st, 2012 in Domain News by dglosser

Guy has updated his DNS Sinkhole Scripts. More info here.  Also check out his DNS Sinkhole ISO.

Immortal Malware Domains

Posted on January 4th, 2012 in Domain News,immortal,Removed Domains by dglosser

We recently revalidated about 800 long-lived, “immortal” malware domains.

These are domains which were identified as malicious anywhere between 90 and 360 days ago but, according to Google Safe Browsing, are still actively involved in badness.
Some of these domains have been on the DNS-BH List for YEARS.

Of these 800 domains,  55 were removed. That means that 745, or over 93%, are still actively associated with malware.

List of removed (non immortal?) domains:  removed-domains-20120104.txt

List of “the immortals”: immortal_domains.txt

A “psychohistory” of these long-lived malicious domains would be interesting and we’d be happy to help with any of those research efforts.

745 still “immortal”
55 removed

Domain download abuse

Posted on January 1st, 2012 in Domain News by dglosser

We just checked some server statistics… Started fresh for 2012…  How is it possible for 17.51 MB of files to be downloaded in 2012 and the day isn’t over yet???

Unfortunately, we are forced to continue to ban IP addresses which for whatever reason continue to abuse our download servers.

Hosting costs money. Please contribute whatever you can.

DNS Blackhole with iRules

Posted on December 31st, 2011 in Domain News by dglosser

Interesting article about integrating Blackhole DNS with F5 iRules.

Free Domain Name Registrars

Posted on December 28th, 2011 in Domain News by dglosser

The Internet Storm Center recommends blocking the following domains in this post:

  • .nl.ai
  • .c0m.li
  • .cd.am
  • .coom.in

We want to make you aware that we have the following lists:

The domains listed in each of these files are NOT included in the DNS-BH Blocklists.

It’s up to you if you wish to block, track, or allow access to these domains.