Flag malware C2 domains and prevent testing

[gwire]

We should have a mechanism to prevent, or restrict, retesting of former malware command and control domains.

Currently, what I believe is currently happening is

• for whatever reason, someone submits a malware domain to blocked.org.uk to test its availability from UK networks
• that domain later comes into the control of another party, e.g. via Shadowserver, that uses it as a sinkhole to gather information about how many infections are still active
• the blocked probes retest the malware domains and are inadvertently assumed to be hosting malware
• the date/IP address combinations are provided to large ISPs and national CERTs (in the case of the UK, NCSC) who forward them on to network operators
• the ISP sends the customer for the network that the probe was on an email informing them of a malware infection

For the tests originating on the linux VMs, it's been easy to ignore warnings about Windows malware infections - but someone running a Pi-based probe on a mixed-use network may not be aware of this as a side-effect. (This risk should be made clear to volunteers using probes.)

[dantheta]

There is now a "restricted-malware" status for URLs in the control panel (/control/urls). Setting this status will remove the URL from the retesting cycle and will disallow the submission of live checks through the frontend.

[JimKillock]

I think we need to do some text changes to finish @gwire's request, so the risk is clear to users. I received a letter from Virgin for instance. People may worry that the probes have been compromised.

Also @gwire did you mean for us to do large scale imports to check?

[edjw]

Where would the text changes be? In the information we send to potential probe owners?