Enhancing filtering proactivity with reverse IP and reverse Whois queries

Claudiu Musat BitDefender
Alin Octavian Damian BitDefender

The presented work outlines a system that employs reverse IP and reverse Whois queries to proactively detect malicious domains in an industrial manner.

The main advantage and also main novelty of the technique is that it is able to block spam, fraud and malware even for the recipients of the first instances of an outbreak. Most threat detection techniques are only mildly proactive in a sense that their detection is based on previous malicious activity, which means some users will have been affected by the wrongdoing prior to the threat being identified.

The aim of the presented filtering technique is to identify a new campaign at the first hints of future malicious activity - the registration of the domain that will be used in said outbreak. The idea of using reverse IP queries is not new in itself, however its usage alongside reverse Whois queries in an automated process is. We prove that host IPs and emails used in the registration process are reused, and compute the ratio of threats that can be filtered in their incipient phase. Our results also show a significant interconnection of various malicious domain types, which underlines the benefits of an integrated protection system.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.