Blocklists don’t keep up with domain names as their use changes.
Michael Sumner, a partner at domain name sales data site NameBio, had a rough start to November. He woke up on November 2 to find a message from PayPal in his inbox with the subject “You can no longer use PayPal.”
In a follow-up communication, PayPal explained to him that some transactions were flagged because they mentioned domain names that have previously been used for malicious purposes. He wrote:
Imagine this… Example.tld is used for a file sharing site for years. That domain expires, one of you knuckleheads buys it, and then months later you try to auction it off. “I’ll buy a featured listing to promote the auction!” you say. Getting smarter, but not smart enough.
Now there is a PayPal transaction with the title “Example.tld featured listing for 7 days.” PayPal then implements a new system that flags transactions to/from file sharing sites. Only the list is out of date and Example.tld is still on it even though it expired months ago and hasn’t been used in that capacity since. Now PayPal thinks we’re involved with that file sharing site and taking payments on its behalf.
PayPal maintains blocklists of domains that set off alarm bells. To what extent it investigates the transactions before suspending an account is unclear. (PayPal did not respond to a request for comment for this story.) But it’s clear that PayPal uses domain blocklists to flag transactions and decides to suspend accounts before contacting the account owner for clarification. It also freezes funds in suspended accounts for 180 days.
It turns out this isn’t the first time that NameBio has faced a problem due to domains on blocklists. Its Mailchimp account was suspended earlier this year for a similar reason. Domain names it included in its daily emails were on blocklists at Mailchimp.
Like PayPal, Mailchimp operates with a “suspend first, ask questions later” policy. A Mailchimp spokesperson told Domain Name Wire:
Mailchimp uses a combination of third party and internally-maintained domain block lists. We use automated systems to check domains against the various lists, and we may automatically suspend an account or flag it for review when we find a match. If an account is flagged by our automated systems, and it’s from a legitimate research organization, news outlet, or another type of account with a valid reason to use or reference that domain name, our Compliance team will work with them to address the issue.
While I’ve never personally run into this issue writing about domains on Domain Name Wire, I take some precautions if I’m worried about how a domain might have been used in the past — or how it will be used in the future. I often add a space between the second level domain and .TLD.
Brian Krebs of Krebs on Security writes about lots of malicious websites. He uses the format secondleveldomain[.]topleveldomain.
The problem with domain blocklists is that a domain’s use and ownership change over time. A list that was accurate when an entry was added can quickly become stale and outdated. If service providers use blocklists to flag “bad” domains, they owe it to their customers to research how a domain is currently being used before suspending an account.
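The two points the article makes, that writers defang domains so mentions don’t trip filters and that a provider should treat an old blocklist hit as something to review rather than grounds for automatic suspension, can be put into working code. The example below is added here and is not code from the article, NameBio, PayPal or Mailchimp. It extracts plain and defanged domains (the `example[.]tld` and `example .tld` forms mentioned above) from free text such as a transaction title, then checks them against a constructed blocklist whose entries carry the date they were added. A hit is downgraded from `block` to `review` when the entry is older than a cut-off or when the domain’s current registration postdates the listing, which is the expired-and-resold case Michael Sumner describes. The blocklist, the registration-date table and the cut-off of 90 days are all made-up sample data; in practice the registration date would come from a WHOIS or RDAP lookup.

```python
import re
from datetime import date, timedelta
from typing import List, Tuple

# --- Constructed sample data (not from the article) ---
# Blocklist entry: domain -> (category, date the entry was added).
BLOCKLIST = {
    "example.tld": ("file-sharing", date(2021, 1, 15)),
    "phish-example.tld": ("phishing", date(2021, 10, 20)),
    "resold-example.tld": ("malware", date(2021, 10, 25)),
}

# Stand-in for a WHOIS/RDAP lookup of the *current* registration's creation date.
REGISTRATION_CREATED = {
    "example.tld": date(2021, 6, 1),           # dropped and re-registered after listing
    "phish-example.tld": date(2020, 3, 3),     # same registration as when it was listed
    "resold-example.tld": date(2021, 10, 30),  # re-registered five days after listing
}

# Entries older than this are treated as unverified rather than as proof of abuse.
MAX_ENTRY_AGE = timedelta(days=90)

# Constructed "today": the morning the PayPal notice in the article arrived.
SAMPLE_TODAY = date(2021, 11, 2)

# A label separator in plain or defanged form: "example[.]tld" (the Krebs style)
# or "example .tld" (a space before the dot). A dot followed by whitespace is not
# accepted, so an ordinary sentence boundary such as "days. Thanks" is not a domain.
SEP = r"(?:\s*\[\.\]\s*|\s?\.)"
DOMAIN_RE = re.compile(
    rf"\b[a-z0-9-]+(?:{SEP}[a-z0-9-]+)*{SEP}[a-z]{{2,}}\b", re.IGNORECASE
)


def refang(text: str) -> str:
    """Normalise a defanged domain back to its plain form, lower-cased."""
    return re.sub(SEP, ".", text).lower()


def extract_domains(text: str) -> List[str]:
    """Find plain or defanged domains in free text (a transaction title, a newsletter)."""
    return [refang(m.group(0)) for m in DOMAIN_RE.finditer(text)]


def check_domain(domain: str, today: date) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'clean', 'block' or 'review'."""
    entry = BLOCKLIST.get(domain)
    if entry is None:
        return "clean", "not on the blocklist"
    category, listed_on = entry
    age = today - listed_on
    if age > MAX_ENTRY_AGE:
        # Stale entry: nobody has confirmed the domain is still used this way.
        return "review", (f"{category} entry is {age.days} days old, "
                          f"exceeds {MAX_ENTRY_AGE.days}-day limit")
    created = REGISTRATION_CREATED.get(domain)
    if created is not None and created > listed_on:
        # Ownership changed since the listing: the current registrant may be unrelated.
        return "review", (f"domain re-registered on {created} "
                          f"after {category} listing on {listed_on}")
    return "block", f"current {category} listing from {listed_on}"


def screen_text(text: str, today: date) -> List[Tuple[str, str, str]]:
    """Screen every domain mentioned in `text`; a repeated domain is reported once."""
    results = []
    for domain in dict.fromkeys(extract_domains(text)):
        verdict, reason = check_domain(domain, today)
        results.append((domain, verdict, reason))
    return results


if __name__ == "__main__":
    for title in [
        "Example.tld featured listing for 7 days.",
        "Renewal for phish-example[.]tld and resold-example .tld",
        "Newsletter: Tuesday's top sales",
    ]:
        for domain, verdict, reason in screen_text(title, SAMPLE_TODAY):
            print(f"{verdict:6} {domain:22} {reason}")
```

Run as-is, the featured-listing title from the article’s scenario comes back as `review` rather than `block`, because the only evidence against `example.tld` is a listing that is months old and predates the current registration. Only the fresh `phish-example.tld` hit, whose registration is unchanged since it was listed, is blocked outright. The point of the design is that the automated step produces a queue for a human, not a suspension.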