
sub-domains reputation

Posted: Wed Aug 22, 2012 4:08 pm
by th3br41n
I have a doubt about reputation of sub-domains...

As I read on other posts, subdomains automatically inherit the reputation of the domain until each subdomain has sufficient ratings of its own to acquire a separate reputation from the domain. ([url=https://www.mywot.com/en/forum/26044-how-to-link-subdomain-to-a-domain-reputation?comment=157532#comment-157532]reference[/url]).

I'm wondering if this is true only for the third-level subdomain or for every level... If the answer is "for every level" then there is a bug somewhere since, for example, the subdomain:

www.postepay.it.online.ergergerger.aguabomba.cl

does not inherit the reputation of aguabomba.cl. This could be a problem if it is necessary to block all sub-domains; for example in the case where it is not possible to rate all subdomains (the example above is a phishing URL and a part of the sub-domain is always random www.postepay.it.online.*.aguabomba.cl.)

Thanks in advance

RE: sub-domains reputation

Posted: Wed Aug 22, 2012 7:00 pm
by Guest
I think the third / fourth subdomain levels do not inherit their main domain reputation somehow.
This is a flaw in my opinion or something that was not taken into consideration for some reason.

In fact EnKIULSxUF.racecanoes.com/.redirect/ redirects me to a load of random aguabomba.cl/online subdomains which appear to be unrated,
e.g.
postepay.it.online.cgkdhu.aguabomba.cl/online/
see scorecard:
https://www.mywot.com/en/scorecard/postepay.it.online.cgkdhu.aguabomba.cl

(do note: I didn't rate it on purpose)

as far as I remember c۞g noticed it once, I cannot recall where, though

RE: sub-domains reputation

Posted: Wed Aug 22, 2012 9:33 pm
by Sami
When a subdomain inherits the parent domain's reputation, the confidence level decreases to half on each hierarchy level. Depending on how reliable the parent domain's reputation is, at some point the confidence for the inherited reputation falls below the minimum threshold and the subdomain is shown as unrated. Here's an example, look at the confidence indicators:

http://www.mywot.com/scorecard/google.com
http://www.mywot.com/scorecard/1l.google.com
http://www.mywot.com/scorecard/2.1l.google.com
http://www.mywot.com/scorecard/3.2.1l.google.com
http://www.mywot.com/scorecard/4.3.2.1l.google.com
http://www.mywot.com/scorecard/5.4.3.2.1l.google.com
http://www.mywot.com/scorecard/6.5.4.3.2.1l.google.com

So, currently the 6th level subdomains of google.com have no reputation in any rating component. If one of the parents lower in the hierarchy later receives ratings and gets a reputation of its own, the higher level subdomains will inherit its reputation instead.
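The inheritance rule described in the post above, as an added sketch that is not part of the original thread or WOT's own code. The confidence scale, the `MIN_CONFIDENCE` cut-off and the ratings table are assumptions constructed so that the sixth level falls below the threshold, as in the google.com example.

```python
# Added illustration: the scale, threshold and ratings are constructed values.
MIN_CONFIDENCE = 2.0  # assumed cut-off below which a host is shown as unrated


def ancestors(host):
    """Yield the host, then each parent made by dropping the leftmost label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def effective_reputation(host, rated, min_confidence=MIN_CONFIDENCE):
    """Return (source, reputation, confidence), or None if shown as unrated.

    `rated` maps hostname -> (reputation, confidence) for hosts that have
    ratings of their own. The nearest rated ancestor is used, and its
    confidence is halved once per level between it and the queried host.
    """
    for depth, name in enumerate(ancestors(host)):
        if name in rated:
            reputation, confidence = rated[name]
            confidence /= 2 ** depth
            if confidence < min_confidence:
                return None  # inherited confidence too low to display
            return name, reputation, confidence
    return None  # no rated ancestor at all


def walk_levels(rated, base="1l.google.com", levels=6):
    """Evaluate base and progressively deeper subdomains, as in the post."""
    results, host = [], base
    for n in range(2, levels + 2):
        results.append((host, effective_reputation(host, rated)))
        host = f"{n}.{host}"
    return results


if __name__ == "__main__":
    rated = {"google.com": (94, 96.0)}  # constructed rating
    for host, result in walk_levels(rated):
        print(host, "->", result)
    # A lower parent later gets ratings of its own: deeper hosts inherit it.
    rated["2.1l.google.com"] = (20, 40.0)  # constructed rating
    print(effective_reputation("6.5.4.3.2.1l.google.com", rated))
```
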

RE: sub-domains reputation

Posted: Thu Aug 23, 2012 1:25 pm
by th3br41n
Thanks for the reply,
now the inheritance mechanism is perfectly clear...

Obviously this information is available even to phishing makers...

May I suggest to introduce a RegEx (or something less complex) rating tool available to high level users. This tool should allow to rate all possible subdomains and could be useful to protect WOT users from dangerous subdomains...

RE: sub-domains reputation

Posted: Thu Aug 23, 2012 3:48 pm
by NotBuyingIt
<quote user="th3br41n">
May I suggest to introduce a RegEx (or something less complex) rating tool available to high level users. This tool should allow to rate all possible subdomains and could be useful to protect WOT users from dangerous subdomains...
[/quote]

Good heavens! Taken literally, "all possible" sub-domains would be an astronomical number, almost none of which actually ever existed. I suspect that high-level users who are competent to use regular expressions as they investigate domains have already coded their own and simply paste the results, up to 100 entries at a time, into the current MRT.

Some phishing scams use massive spams where each email message has a different deceptive URL, pointing to the same site but with a different (superfluous) sub-domain. I strongly doubt that rating each of the tens of thousands of those sub-domains for a single scam would help WOT users. OpenDNS, which sponsors WOT trusted source PhishTank.com, has a much more efficient approach for blocking malicious and fraudulent sites via its (free) DNS service.


RE: sub-domains reputation

Posted: Thu Aug 23, 2012 5:13 pm
by th3br41n
<quote user="notbuyingit">
[...]an astronomical number[...]
[/quote]

For this reason I suggested a RegEx tool, simple and effective. (In my idea it is not a mass rating tool)

<quote user="notbuyingit">
[...]I strongly doubt that rating each of the tens of thousands of those sub-domains for a single scam would help WOT users[...]
[/quote]

With a RegEx tool there is no need to actually rate all possible subdomains. If a subdomain matches the regular expression then the WOT addon returns its rating accordingly.

RE: sub-domains reputation

Posted: Thu Aug 23, 2012 6:26 pm
by NotBuyingIt
<quote user="th3br41n">
If a subdomain matches the regular expression then the WOT addon returns its rating accordingly.
[/quote]

So, is this correct? You are proposing that a privileged user be able to submit something like a regular expression that gets attached to a base domain name along with the user's ratings. Whenever anybody accesses a subdomain that matches the expression, WOT dynamically recalculates the reputation for the subdomain to include the privileged user's ratings with an undiminished confidence level.


RE: sub-domains reputation

Posted: Fri Aug 24, 2012 10:32 am
by th3br41n
<quote user="notbuyingit">

So, is this correct? You are proposing that a privileged user be able to submit something like a regular expression that gets attached to a base domain name along with the user's ratings. Whenever anybody accesses a subdomain that matches the expression, WOT dynamically recalculates the reputation for the subdomain to include the privileged user's ratings with an undiminished confidence level.
[/quote]

Yes, perfectly explained... :)



RE: sub-domains reputation

Posted: Fri Aug 24, 2012 11:08 pm
by c۞g
@ Sami - [url=https://www.mywot.com/forum/26218-sub-domains-reputation?comment=158716#comment-158716]explanation[/url] added to the Wiki [url=https://www.mywot.com/wiki/Rating_subdomains]Rating subdomains[/url] article; verbatim.

Many spamvertised links use 4 / 5 / 6 level subdomains that, when the parent [example.com] is rated, the lower levels have no rating [buy.our.ed.pills.example.com], it's always been stressed to post _all_ levels backtracking to parent domain, especially in MRT "lists."
buy.our.ed.pills.example.com
our.ed.pills.example.com
ed.pills.example.com
pills.example.com
example.com


RE: sub-domains reputation

Posted: Sat Aug 25, 2012 4:42 pm
by NotBuyingIt
<quote user="c۞g"> it's always been stressed to post _all_ levels backtracking to parent domain, especially in MRT "lists."[/quote]

I hadn't read that, but it makes very good sense usually. One common exception is the scam emails that generate a different sub-domain for each instance of the spam messages. E.g.

Code:

paypal.com.AbCdEfG.14159.26535.89793.238462.643383.27950.28841.97169.39937.51058.20974.944592.example.com
paypal.com.hIjKlMn.82148.08651.32823.06647.09384.46095.50582.23172.53594.08128.48111.74502.example.com
paypal.com.OpQrStU.44288.10975.66593.34461.284756.482337.86783.16527.12019.09145.64856.69234.example.com

In such cases, any fully qualified URL that is detected will not help any WOT users because nobody will encounter the exact URL except the person who reported it as suspicious. On the other hand, a regular expression ([url=http://en.wikipedia.org/wiki/Regular_expression]wikipedia[/url]) might work; e.g.,

Code:

paypal\.com\..*\.example\.com

The best known problem with using regular expressions, of course, is that they may produce unexpected results unless they are written very carefully. The following is an example of a terrible mistake:

Code:

paypal*\.altervista\.org

I am not expressing either a favorable or unfavorable opinion about th3br41n's proposal.
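What the loosely written altervista.org pattern from the post above actually matches, next to a whole-hostname, label-aware matcher, as an added example that is not part of the original thread or any WOT tool. The `*` pattern syntax, the function names and the sample hostnames are assumptions constructed for illustration.

```python
import re

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"

# The pattern the post calls a mistake: "l*" means "zero or more l",
# and nothing anchors it to the start or end of the hostname.
LOOSE = re.compile(r"paypal*\.altervista\.org")


def compile_host_pattern(pattern):
    """Compile a pattern in which '*' stands for one or more whole labels.

    Every other label is literal (hypothetical syntax for this example).
    """
    parts = []
    for label in pattern.lower().split("."):
        if label == "*":
            parts.append(rf"{LABEL}(?:\.{LABEL})*")
        else:
            parts.append(re.escape(label))
    return re.compile(r"\.".join(parts))


def host_matches(compiled, host):
    """True only if the pattern covers the entire hostname."""
    return compiled.fullmatch(host.lower().rstrip(".")) is not None


def loose_hits(hosts):
    """Hosts the unanchored pattern flags when used with re.search."""
    return [h for h in hosts if LOOSE.search(h)]


# Constructed hostnames, not real observations.
ALTERVISTA_SAMPLES = [
    "paypa.altervista.org",               # flagged: no "l" required
    "notpaypal.altervista.org",           # flagged: no left anchor
    "paypal.altervista.org.example.net",  # flagged: no right anchor
    "paypal-login.altervista.org",        # missed: "-" is not "l" or "."
]

if __name__ == "__main__":
    print("loose pattern flags:", loose_hits(ALTERVISTA_SAMPLES))
    strict = compile_host_pattern("paypal.com.*.example.com")
    for host in ("paypal.com.AbCdEfG.14159.26535.example.com",
                 "paypal.com.example.com",
                 "paypal.com.x.example.com.evil.test"):
        print(host, "->", host_matches(strict, host))
```
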