For those playing along at home, just an observation that as of today:

breachforums[.]info

has spun up as new on DDoS-Guard, registered through Nicenic yesterday.

#infosec #threatintel

French police reportedly arrest suspected BreachForums administrators

Several suspects tied to the cybercrime site BreachForums have been arrested in France, according to a local news report, including alleged administrators known as ShinyHunters and Intelbroker.

Also, seeing dozens and dozens of garbage .top domains being spun up on pananames[.]com nameservers, registered through URL Solutions (same company as pananames), and then transferred into storm-pro[.]net. Started Monday 2025-06-24.

#threatintel

@neurovagrant is there anything legit or valid on a .top domain these days? It’s wild.
@jwgoerlich Not that I've seen. I block .top at the DNS level for my home network and have never encountered a need to allowlist something.
@neurovagrant @jwgoerlich I have never received a single ticket request to allow a .top domain.
@badsamurai @neurovagrant @jwgoerlich We block .top, .xyz, .zip, and .biz globally at our (rather large) org. No complaints.

@mttaggart @badsamurai @neurovagrant @jwgoerlich I CAN'T DO THIS AND IT ENRAGES ME

We have several clients in the biotech space that use .xyz

I'm not fucking kidding.

@NosirrahSec @mttaggart @badsamurai @jwgoerlich yeah, xyz did some great marketing to impressionable people that it could be their cheaper .com - I think maybe 5% aren't obviously malicious?
@neurovagrant @NosirrahSec @badsamurai @jwgoerlich I would still shoot for the global deny and let folks request exceptions. Painful, but the threat reduction is worth it imo
@mttaggart @neurovagrant @NosirrahSec @jwgoerlich you can front-load some of the exception work if you have decent proxy/web logs. HTTP referer was useful to see if it was blank or my own domains. Then we would fast-track any requests for the first few weeks.
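The deny-by-default TLD policy with requested exceptions, plus the referer-based triage of proxy logs described in the post above, as an added example that is not part of the thread. Everything in it is constructed: the blocked-TLD set mirrors the thread, while the allowlist entry, the own-domain `example-corp.com`, the log format and the log lines are placeholders.

```python
"""Deny-by-default on risky TLDs, with an exception allowlist, and a triage pass
over proxy logs that surfaces blocked-TLD hosts reached directly or from the
org's own pages (the ones most likely to need a fast-tracked exception)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# TLDs denied globally (from the thread); everything else resolves normally.
BLOCKED_TLDS = {"top", "xyz", "zip", "biz"}

# Exceptions granted after review (constructed sample).
ALLOWLIST = {"netboot.xyz"}

# Domains the organisation itself owns (hypothetical placeholder).
OWN_DOMAINS = {"example-corp.com"}


def tld_of(hostname: str) -> str:
    """Return the last label of a hostname, lower-cased, ignoring a trailing dot."""
    return hostname.lower().rstrip(".").rsplit(".", 1)[-1]


def is_allowed(hostname: str) -> bool:
    """Hosts outside the blocked TLDs pass; inside them only allowlisted
    domains (and their subdomains) pass."""
    host = hostname.lower().rstrip(".")
    if tld_of(host) not in BLOCKED_TLDS:
        return True
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)


# Constructed proxy log lines: "<timestamp> <client> <host> <referer>", "-" = blank referer.
SAMPLE_PROXY_LOG = """\
2025-06-24T09:01:02Z 10.0.0.5 cdn.assets-xyz.top https://example-corp.com/intranet
2025-06-24T09:01:05Z 10.0.0.5 tracker.junk.top -
2025-06-24T09:02:10Z 10.0.0.9 netboot.xyz -
2025-06-24T09:03:11Z 10.0.0.7 lab.biotech-partner.xyz https://example-corp.com/portal
2025-06-24T09:03:12Z 10.0.0.7 lab.biotech-partner.xyz https://example-corp.com/portal
2025-06-24T09:04:00Z 10.0.0.8 www.example.com https://www.example.com/
2025-06-24T09:05:00Z 10.0.0.5 ads.spam.biz https://ads.spam.biz/landing
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<referer>\S+)$")


def referer_is_own_or_blank(referer: str) -> bool:
    """True for a blank referer (direct navigation) or one on an own domain."""
    if referer == "-":
        return True
    host = (urlsplit(referer).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def triage_exception_candidates(log_text: str) -> dict:
    """Map blocked-TLD hosts to hit counts, keeping only hits whose referer was
    blank or on an own domain; third-party-referred hits (ads, trackers loaded
    by other sites) are left out of the candidate list."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        host = m["host"]
        if is_allowed(host):
            continue  # not blocked, so nothing to request
        if referer_is_own_or_blank(m["referer"]):
            counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, hits in sorted(triage_exception_candidates(SAMPLE_PROXY_LOG).items()):
        print(f"{host}\t{hits}")
```

The triage output is a review queue, not an automatic allow: a blank referer also covers trackers fetched by non-browser clients, so each candidate still needs a human decision before it joins the allowlist.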
@neurovagrant @NosirrahSec @mttaggart @badsamurai @jwgoerlich same. There’s no reason to allow these. Tens of thousands of seats and I’ve never seen one valid reason to allow them. Nor any request to.
@SecurityWriter @neurovagrant @NosirrahSec @badsamurai @jwgoerlich Sorta related: do y'all buy sus domains up yourselves? Like fire up DNSTwister and then get out the credit card? That's my next ask.

@mttaggart @neurovagrant @NosirrahSec @badsamurai @jwgoerlich like homoglyph domains orrr…?

Usually no, there’s too many possible whack-a-moles for us to make that viable

@SecurityWriter @mttaggart @neurovagrant @NosirrahSec @badsamurai @jwgoerlich i have one customer in the .xyz tld. outside of that i've never seen a 'legit' site using it

@Viss @SecurityWriter @mttaggart @NosirrahSec @badsamurai @jwgoerlich also fwiw i have bought a few sus domains ;)

if i can't take inspiration from my work for other creative endeavours, why stay there?

(i work for DomainTools, who do a lot of domain/DNS threat intel stuff)

@neurovagrant @SecurityWriter @mttaggart @NosirrahSec @badsamurai @jwgoerlich i have a gaggle of absolutely sus domain names i used to use for redteaming - for when i WANTED the blueteam to catch me, so they knew it was me :D
@Viss @SecurityWriter @mttaggart @neurovagrant @NosirrahSec @badsamurai @jwgoerlich I don't think I have ever seen a legit .xyz or .zip domain.
@catsalad @Viss @SecurityWriter @mttaggart @neurovagrant @NosirrahSec @badsamurai @jwgoerlich from my browser history, legitimate .xyz domains:
- pwnable.xyz
- netboot.xyz
- zksecurity.xyz
- hacktricks.xyz (old domain, apparently)
- sam.zeloof.xyz
- mcyoung.xyz
- radicle.xyz
- mathstodon.xyz
- chitter.xyz
- syzito.xyz

seems like a significant amount to me

@mei @NosirrahSec @SecurityWriter @badsamurai @catsalad @jwgoerlich @mttaggart @Viss I'd encourage every legit xyz site you know of to migrate off.

It's a bad neighborhood, and it brings users to a bad neighborhood.

@neurovagrant @mei @SecurityWriter @badsamurai @catsalad @jwgoerlich @mttaggart @Viss exactly.

The whole TLD is tainted. Any legitimate site in it, or service, is a rare exception compared to the bulk.

@NosirrahSec @neurovagrant @SecurityWriter @badsamurai @catsalad @jwgoerlich @mttaggart @Viss what makes it so? is it because it happens to be quite cheap? or is it that they aren't responding to abuse reports?

@mei @NosirrahSec @SecurityWriter @badsamurai @catsalad @jwgoerlich @mttaggart @neurovagrant

from what i can tell it's two things:
1) the domains are cheap, so they can be bought in bulk
2) most of the people buying bulk domains are malware threat actors or spammers

so those TLDs very quickly get a reputation for being "mostly bad"

ICANN study links low-cost, automated registrations to phishing abuse - Domain Name Wire | Domain Name News

Study shows reactive takedowns have little impact on deterring phishing. An ICANN-funded study has identified which registrar practices are most associated with phishing-related domain name abuse. Unsurprisingly, registration cost is one of the top factors associated with maliciously registered domain names. The research, known as INFERMAL (Inferential Analysis of Maliciously Registered Domains), was conducted by […]

@mei @NosirrahSec @SecurityWriter @catsalad @jwgoerlich @mttaggart @neurovagrant @Viss But in this context it's Enterprise where most of those may be blocked under a commonly blocked categorization (such as hacking) anyhow.

@mei @NosirrahSec @badsamurai @catsalad @jwgoerlich @mttaggart @neurovagrant @Viss that is, objectively and statistically, a very insignificant amount. And nobody is going to use them in 99.9999% of use cases.

Block them, and let the legitimate owners do the math. Not my problem.

lemmy.zip is a fairly popular lemmy (fediverse reddit) server.

Fedi, atproto, and personal sites are the only legit sites that use those domains.

I've never seen a legit .pro or .top though.

Oh, bluesky has some official emails at blueskyweb.xyz.
It's the scammiest sounding domain I have ever heard, but it's real.
@SecurityWriter @neurovagrant @NosirrahSec @badsamurai @jwgoerlich Yeah you're never gonna get everything. But like, the nearby ones on other TLDs maybe.

@mttaggart @SecurityWriter @NosirrahSec @badsamurai @jwgoerlich I think practice has moved more to monitoring for active lookalikes and smushing them as possible.

(but given my employer, that's very Company Guy of me)

@neurovagrant @SecurityWriter @NosirrahSec @badsamurai @jwgoerlich Yeah we do that as well of course. I just like the idea of getting out ahead of it when, say, you're spinning up a new legit domain.

@mttaggart @SecurityWriter @NosirrahSec @badsamurai @jwgoerlich i love prophylactic registration, but it gets expensive fast.

Typically if we're doing a thing we'll do a handful of preventative registrations on the top 6-10 TLDs.

@mttaggart @neurovagrant @SecurityWriter @NosirrahSec @jwgoerlich for a mere $227k you can apply for a TLD. Just don't pull a Patagonia.
@mttaggart @SecurityWriter @neurovagrant @NosirrahSec @jwgoerlich I do not. Too many TLDs and that buy-in is a long haul--near free as a puppy. But I have a custom script to generate domain variations for technology, sector, my subdomains, locations, common threats: sso-domain, auth-domain, brand-usa, brand-service-now, etc. Then I block all those, whether they exist or not. 🔨 ⌚
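A variation generator in the spirit of the post above, as an added example and not the poster's own script. It combines a brand name with technology, sector, subdomain, location and common-threat keywords across separators and TLDs, then emits the result as a DNS RPZ fragment (`name CNAME .` answers NXDOMAIN) so the names are blocked whether or not anyone has registered them. The brand `acmecorp`, every keyword list and the TLD list are constructed placeholders; the RPZ output assumes a resolver that loads RPZ zones.

```python
"""Generate brand/keyword domain variations for preventive blocking and
render them as an RPZ zone fragment."""
from itertools import product

BRAND = "acmecorp"  # hypothetical brand; substitute your registrable brand label

# Constructed keyword groups, following the categories named in the post.
KEYWORDS = {
    "technology": ["sso", "auth", "vpn", "okta", "o365"],
    "sector": ["bank", "secure"],
    "subdomains": ["mail", "portal", "hr"],
    "locations": ["usa", "uk", "emea"],
    "threats": ["service-now", "helpdesk", "login", "invoice"],
}

# Constructed TLD list: the brand's own plus the TLDs the thread calls out.
TLDS = ["com", "net", "org", "top", "xyz", "zip", "biz", "co", "io", "info"]


def generate_variations(brand=BRAND, keywords=KEYWORDS, tlds=TLDS, separators=("-", "")):
    """Return a sorted, de-duplicated list of <keyword><sep><brand>.<tld> and
    <brand><sep><keyword>.<tld> names for every keyword, separator and TLD."""
    words = {w for group in keywords.values() for w in group}
    names = set()
    for word, sep, tld in product(words, separators, tlds):
        names.add(f"{word}{sep}{brand}.{tld}")
        names.add(f"{brand}{sep}{word}.{tld}")
    return sorted(names)


def to_rpz(domains, own_domains=()):
    """Render RPZ records that NXDOMAIN each name and all its subdomains,
    skipping any name the organisation actually owns."""
    lines = []
    for d in domains:
        if d in own_domains:
            continue  # never block your own legitimate registration
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    variations = generate_variations()
    # Hypothetical: the org legitimately owns acmecorp-login.com, so leave it resolvable.
    print(to_rpz(variations, own_domains={"acmecorp-login.com"}), end="")
```

The generated list grows multiplicatively (keywords x separators x TLDs x 2 orderings), which is what makes blocking cheaper than registering: the same list fed to a registrar would be the expensive whack-a-mole the thread describes, while as RPZ data it costs nothing beyond zone size.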
@mttaggart @badsamurai @neurovagrant @jwgoerlich
Umm IT department, I can't access https://omemo.top! Halp!
Are we OMEMO yet?

Tracking the progress of OMEMO integration in XMPP clients.

@badsamurai you guys block it for the Enterprise network?

@neurovagrant @jwgoerlich

@pft @neurovagrant @jwgoerlich Yep! Not a single request or exception.

@badsamurai

That's interesting. I wonder why it's not in the top 10 malicious TLDs of Spamhaus:

https://www.spamhaus.org/reputation-statistics/cctlds/domains/

I'm going to give it a try to see if my employer also blocks it. I only know that they block the whole .app TLD...

@neurovagrant @jwgoerlich

@neurovagrant
I think I've seen like... two over my entire career and none of them were important.
@jwgoerlich