To block or takedown: How to treat malicious activity on the Internet?
Billions are lost annually to cybercrime. Malware, phishing, ransomware—threats loom large. Sven Krohlas, a Detection Engineer at Spamhaus Technology Ltd, delves into the critical need for companies to recognize the threats posed by malware and phishing attacks.
Malicious activities on the Internet cause billions of dollars in damages every year. Companies need to be aware of the risks posed by malware and phishing attacks, which can lead to ransomware incidents, resulting in data loss and business activity interruptions. The latest FBI Internet Crime Report estimates that business email compromise resulted in losses of $2.9 billion in 2023. To prevent such devastating losses, it is important to act quickly to take down or block malicious activity. The question is, what is the most effective method: blocking or takedown?
Let’s consider the different scenarios…
Attacks can be initiated in different ways, often starting with an email or short message that includes a link to a malicious website or attachment. For the attack to be successful, the email content, the sender email address, and the domains used in the email and linked websites often closely resemble the real ones, making it difficult for users to identify the impersonator.
Even when the attacker gets in through weak account credentials or security issues in software, the installed malware still usually has to communicate with command-and-control servers. Therefore, several components need to be defused, including mailboxes, web spaces, or whole domains, often including their authoritative name servers. The link you see in an email is only the beginning of a redirect chain that leads to the final malicious site.
For every hop on the chain, a decision must be made. Should it be reported to the hosting provider, the registrar, the domain registry, or is it an abused legitimate service like well-known short link providers that can be contacted directly?
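As an added example, not code from the article, the following Python tool walks such a redirect chain one hop at a time and records, for each hop, whom to contact: the abused legitimate service directly (short link providers and the like), or otherwise the hosting provider and, for a fake domain, the registrar. The chain data, hostnames and service list are constructed for illustration; `live_fetch_location` is the only part that touches the network and uses only the standard library.

```python
"""Walk a redirect chain hop by hop and note who to report each hop to.

Added example; not code from the article. The chain data and the service list
below are constructed for illustration.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed: legitimate services that are often abused as redirectors but run
# their own abuse desks. For these hops, contact the service directly instead of
# its hosting provider. Hypothetical names; maintain your own list in practice.
DIRECT_CONTACT_SERVICES = {"short.example", "links.redirector.test"}

MAX_HOPS = 10  # bound the walk so a redirect storm cannot run forever


def classify_hop(hostname, direct_services=DIRECT_CONTACT_SERVICES):
    """Decide whom a hop is reported to: the abused service itself, or the
    hosting provider plus (for a fake domain) the registrar."""
    return "service" if hostname in direct_services else "hosting-provider-and-registrar"


def walk_redirects(start_url, fetch_location, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time.

    fetch_location(url) returns the Location header of a 3xx response for url,
    or None when the response is final. It is injected so the walk can run
    offline against constructed data; live_fetch_location below is a real one.
    Returns a list of hop dicts with url, host, report_to and final/note flags.
    """
    hops, seen, url = [], set(), start_url
    while len(hops) < max_hops:
        if url in seen:
            hops[-1]["note"] = "loop back to " + url
            break
        seen.add(url)
        host = urlparse(url).hostname or ""
        hop = {"url": url, "host": host, "report_to": classify_hop(host)}
        hops.append(hop)
        location = fetch_location(url)
        if location is None:
            hop["final"] = True
            break
        url = urljoin(url, location)  # Location may be relative; resolve it
    return hops


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is observed individually."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead of following


def live_fetch_location(url, timeout=10):
    """Real fetcher: one HEAD request; return the Location of a 3xx, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
        return None
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


# Constructed chain: short link -> hosting-provider path -> relative redirect -> fake login.
CONSTRUCTED_CHAIN = {
    "https://short.example/abc": "https://cdn.example-hosting.test/r?x=1",
    "https://cdn.example-hosting.test/r?x=1": "/login",
    "https://cdn.example-hosting.test/login": "https://secure-login.example-bank.test/",
}


def constructed_fetch(url):
    """Offline stand-in for live_fetch_location, backed by CONSTRUCTED_CHAIN."""
    return CONSTRUCTED_CHAIN.get(url)


if __name__ == "__main__":
    for hop in walk_redirects("https://short.example/abc", constructed_fetch):
        print(hop)
```

The walk deliberately stops on loops and after a fixed number of hops, and it resolves relative `Location` headers against the current URL, both of which are common in real chains. Pass `live_fetch_location` instead of `constructed_fetch` to analyse a link you have received; each hop's `report_to` value then tells you which party's abuse desk needs a report.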
First reflex: Let's block!
Blocking may seem like an easy solution. The object (IP, domain/hostname) is blocked, therefore it can no longer be reached. Problem solved, right? Unfortunately, no. Blocks in your local/network firewalls, DNS resolvers, or routers may not even cover your home office setup: with a split tunnel configuration for your VPN, employees reach the Internet directly from their devices and bypass those controls. And even where such local block measures do protect your employees, they will not protect your customers.
To ensure your customers are protected, you need to use public blocklists that cover the attack scenario. Google Safe Browsing is a popular, easy option used by most browsers. Email filters that stop the incoming message flow of a campaign are a different matter: every mailbox provider has its own filtering setup, which may not be disclosed.
Many public filter lists, like ours, are available from different projects and companies to which you can submit your findings. Each competes to offer the most effective filtering solutions, and some are more popular than others. Even so, you will never get full protection for all mailboxes and webmail deferrers. Furthermore, some ISPs also block malicious activity on their network border routers. How they decide what to block is unknown to the public.
To summarize, while blocking can offer local infrastructure quick and reliable protection from threats, when it comes to public infrastructure, it only offers protection for a subset of customers. As a result, malicious content must also be taken down to protect end users.
Protection by takedown
Taking down content on the Internet is not as simple as it might first appear. The general process involves writing an email to the abuse contact of the hosting provider and, in case of a fake domain, to the registrar. However, finding these contact addresses can be complicated, as they are not always part of the Whois records. Sometimes, the only available way to contact them is through web forms, which can also be difficult to locate. Depending on the country involved, only certified organizations may be authorized to request takedowns.
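Whois records are increasingly replaced by RDAP, whose JSON output carries contacts as entities with roles. As an added example, not code from the article, the Python below pulls abuse e-mail addresses and phone numbers out of an RDAP domain response, descending into nested entities because the abuse contact usually hangs off the registrar entity. The RDAP document is constructed; the field layout (`entities`, `roles`, `vcardArray`) is the standard one from RFC 9083. `fetch_rdap_domain` is the only network call and uses the public rdap.org redirector.

```python
"""Extract abuse contacts from an RDAP domain response (RFC 9083 JSON).

Added example, not code from the article. CONSTRUCTED_RDAP below is made up for
illustration; real responses follow the same entities/roles/vcardArray layout.
"""
import json
import urllib.request


def _vcard_values(vcard_array, prop_name):
    """Return every value of one jCard property (e.g. 'email') in an RDAP vcardArray.
    Layout: ["vcard", [[name, params, type, value], ...]]."""
    if not vcard_array or len(vcard_array) < 2:
        return []
    return [entry[3] for entry in vcard_array[1]
            if len(entry) >= 4 and str(entry[0]).lower() == prop_name]


def abuse_contacts(rdap_obj):
    """Collect e-mail and tel values from every entity carrying the 'abuse' role,
    recursing into nested entities (registrar -> its abuse desk is the usual case).
    Returns {"email": [...], "tel": [...]}, de-duplicated with order preserved.
    An empty result means the record has no usable contact and a web form or the
    hosting provider's published abuse address is the fallback."""
    emails, tels = [], []
    for ent in rdap_obj.get("entities", []):
        if "abuse" in [str(r).lower() for r in ent.get("roles", [])]:
            emails += _vcard_values(ent.get("vcardArray"), "email")
            tels += _vcard_values(ent.get("vcardArray"), "tel")
        nested = abuse_contacts(ent)
        emails += nested["email"]
        tels += nested["tel"]
    return {"email": list(dict.fromkeys(emails)), "tel": list(dict.fromkeys(tels))}


def fetch_rdap_domain(domain, timeout=10):
    """Live lookup through the public rdap.org redirector, which forwards to the
    authoritative registry or registrar RDAP server. Not used by the offline example."""
    with urllib.request.urlopen("https://rdap.org/domain/" + domain, timeout=timeout) as resp:
        return json.load(resp)


# Constructed RDAP response for a hypothetical fake domain. The registrant is
# redacted, as is common, and the registrar entity nests its abuse contact.
CONSTRUCTED_RDAP = {
    "objectClassName": "domain",
    "ldhName": "secure-login.example-bank.test",
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrar"],
            "handle": "9999",
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Example Registrar Ltd"]]],
            "entities": [
                {
                    "objectClassName": "entity",
                    "roles": ["abuse"],
                    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                             ["fn", {}, "text", "Abuse Desk"],
                                             ["email", {}, "text", "abuse@registrar.example"],
                                             ["tel", {"type": ["voice"]}, "uri", "tel:+1-555-0100"]]],
                }
            ],
        },
        {   # duplicate top-level abuse entity, to show de-duplication
            "objectClassName": "entity",
            "roles": ["abuse", "technical"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", "abuse@registrar.example"]]],
        },
        {
            "objectClassName": "entity",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "REDACTED FOR PRIVACY"]]],
        },
    ],
}


if __name__ == "__main__":
    print(abuse_contacts(CONSTRUCTED_RDAP))
```

For a fake domain this gives you the registrar's abuse desk; the hosting provider behind the IP address is found the same way through an RDAP IP lookup, whose response uses the same entity and role structure.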
In cases where abused legitimate services like short URL providers are being used, it is more effective to contact them directly instead of the hosting provider. Moreover, some providers are bulletproof and never respond to takedown requests. Often you can find phishing, scam, malware, and fake news sites on such platforms. It is clear that many of those bulletproof organizations support criminal activity and/or hybrid warfare instead of the free speech they claim to support. Therefore, different takedown measures, such as contacting upstream providers, are needed to remove such content effectively.
What to include when you report abuse
When reporting abuse, it’s important to provide proof of the abuse. Screenshots, network logs, and sample emails are welcome as evidence. Metadata such as the country where the phishing website is visible, the device and user agent used, and the genuine site may also be required. There is, however, a technical hurdle, in that some legitimate hosting providers only accept abuse reports in the machine-readable XARF format, which could be problematic for occasional reporters.
A law degree? No, not me.
An important tip to remember when reporting abuse is not to mention your legal knowledge. Even if you have a law degree and can recite all the relevant regulations and paragraphs, don’t mention it in your initial report! This is because anti-abuse and support departments are often trained to forward such cases to the legal team, which can take a long time to reach a juridical result. Instead, provide a technical report that gets straight to the point, to speed up the process. Keep in mind that anti-abuse departments deal with hundreds, even thousands of reports every day. Treat them as partners rather than enemies.
Should I leave it to the professionals?
There are professional services that specialize in creating machine-readable takedown requests. These experts are well-versed in the various written and unwritten rules, as well as special cases. Of course, each time a report is forwarded, the takedown processing time increases, but these providers are skilled and reliable. As their reputation grows, they often gain access to special APIs that allow them to suspend domains, hosts, or short links within seconds. Their tickets are handled with higher trust and priority, and sometimes even automatically. This can decrease takedown time compared to your own reports. Furthermore, as trust is key on the Internet, in urgent cases, they may even be able to call direct contacts to speed up the process.
So, why bother blocking at all?
Blocking and takedowns complement each other and work most effectively when used together. Blocking is often faster than a takedown, but it depends on the parties involved. Some hosting providers or registrars may ignore abuse reports from “small” or occasional reporters. However, many of them scan reputation lists for their customers and will start the automated abuse process when they see a new listing. Such a practice can be disputed, as everyone, not only large professional companies, has the right to report abuse.
Blocking and takedown: powerful partners
When dealing with malicious activity on the Internet, the ultimate goal is to remove the issue quickly and reliably. To get results, both approaches are needed: reporting malicious activity for takedown and adding to blocklists.
Sven Krohlas is a detection engineer at Spamhaus Technology, responsible for detecting phishing attempts and assessing new contributors on the Spamhaus Threat Intel Community portal. With almost ten years of experience, Sven started his career in the email security team of a large mailbox provider. Afterward, he joined a German provider specializing in taking down malicious websites.
Interesting fact: Sven is a member of Retrogames e.V. and a self-confessed retro gaming addict who owns hundreds of retro games!
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.