QFEED helps business IT departments to set up a list of risky sites. If employees can freely open any link, they're vulnerable to attempts at deception. They could open a spoofed website and enter their login credentials. Some sites can infect desktop machines just by being opened. "Malvertising" and cross-site scripting can infiltrate even sites with good reputations. Blocking all material from known hostile sites is the best protection against them.

Depending on the severity of their status and the company's policies, the company's filters can block them completely or issue a warning when employees try to access them. Preventing inadvertent access to those sites will decrease the chances of infection through the browser.

The IT department can use the information in spam filters, rejecting or flagging all mail which comes from a malicious or blacklisted IP address. This will reduce the amount of phishing mail and other spam that gets to people's inboxes. They'll save time, and there will be less risk of opening harmful attachments or visiting dangerous websites.

QFEED doesn't list sites on the basis of inappropriate content, only risk. IT departments can take whatever measures are appropriate for allowing or blocking kinds of content.

The feed data is useful for security analytics. A large number of packets from a known malicious domain could indicate an attack in progress. Early detection of those attempts lets administrators take any necessary countermeasures.

A firewall's functions include blocking known malicious domains and IP addresses. This information is constantly changing. Criminals can acquire previously legitimate domains. Other sites get cleaned up and become safe again. The best firewalls maintain a list of untrusted domains and regularly get updates for it.

Malicious packets and DDoS attacks often come from sites which are known to be dangerous. Disallowing packets from blacklisted or malicious sites reduces the number of attempts that get through.

Packet blocking should cover both incoming and outgoing traffic. Outgoing packets to a malicious domain can be the result of mistakes or malware. People may access a dangerous website through a browser. Content from a malicious site can infiltrate otherwise safe pages. In addition, malware tries to contact command and control servers, downloading additional software or sending stolen data.

An up-to-date list of sites to block, downloaded to each installed firewall at regular intervals, keeps it effective at stopping dangerous traffic.

A domain registrar should keep track of which customers are flagged as untrustworthy. Ignoring them will drive the registrar's reputation downhill before long. At the same time, it shouldn't assume the customer is doing nefarious things simply because it's on the list.

The first step is to notify the customer. It could be listed because of content which was already found and removed. The malicious content could be from one of the customer's users or from a drive-by file upload. In many cases, the customer will be able to identify and correct the problem.

Some customers really set up domains for malicious purposes, and catching them is important. If a customer doesn't respond, or if the problem persists, the registrar has to take additional steps. The domain's listing in QFEED is one indicator, but registrars need to do their own investigation.

Whenever it's possible, the registrar should work with the customer. The notification that it's listed in QFEED may be the first indication the customer has that anything is wrong. Some customers, though, just let their domains run and don't do any maintenance. In the case of persistent problems, suspending their domain may be the only thing that gets their attention.

ISPs and hosting providers are in a situation similar to domain registrars, but they have more ways to identify problems. By the same token, an ISP's reputation will suffer even more than a registrar's if it doesn't deal with dangerous content.
The basic situation is similar: if customer sites are flagged, the provider needs to make sure the customer fixes the situation or else cut off the offending site. In many cases it's possible to monitor the site and find out exactly what is happening. Some customers may be malicious, but a larger number are the victims of malware or hostile redirection. With some assistance, they should be able to clean up the problem.

The problem isn't always with the customer. If a number of customers are listed and have similar problems, the ISP or host should check whether its own software has vulnerabilities that need fixing.

QFEED helps ISPs to identify problem customers, but it shouldn't be taken as a definitive indication of a malicious site. The service provider should use its information as the starting point in mitigating problems.