Given that 99.99+% of the contact info is forged or from stolen identities, that seems highly inappropriate.
Again, the impropriety occurred on the part of the phisher. There's no reason a properly worded message wouldn't help things along.
Cracked phishing sites often stay cracked and are used for repeated phishing or other crimes such as malware infection. How would someone whose life savings had been stolen feel if the phishing site were delisted before it was actually secured and they were defrauded as a result? How do you balance these? Is it reasonable to try to make sure that the cracked sites have been secured? That seems like the responsible thing to do in these cases.
Let's take our case, because that's the only one I'm qualified to speak on.
1. Our domain was added to the blacklist. I don't know when or how or what the actual address of the phishing site was.
2. Since we were not notified of being added (again, my main point of contention), no action could be taken to remedy the situation if there was, in fact, something we could do to secure the site.
Again, and here is why my argument takes hold, since we didn't know there was a possible issue, even if that issue was with our host's shared server, you're actually not stopping anything from happening. The majority of the e-mail we send is not blocked or bounced, even though we're on the blacklist. Until today, no action was taken by either us or our web host (who are now "investigating"). At the cost of repeating myself ad nauseam, not being notified could actually mean a particular phishing site stays online for a far longer period of time and therefore remains accessible to anyone who doesn't subscribe to a given blacklist.
Our host even claimed that: "The domain is not directly hosting the phishing attack. Due to the fact that the server is running UserDir functionality, other user accounts can be accessed through the /~username path. My ISP has confirmed that the UserDir functionality will be removed from all servers within 48 hours."
And yet we were not removed from the list. We were asked for further proof that it would not happen again. Which I understand on one hand, but we are not the party that can provide said proof. Our only option would be to move our domain to another host.
I could not agree more that cracked servers should have to prove they are now secured. I do feel (somewhat) for all those people that may click on paypal.surbl.org/account_update and give in their confidential information. (Hopefully that example elicits a wry grin and is taken for the light-hearted phishing-related humour it was meant to be.)
However, and to take this back to the only case I'm qualified to talk about: from what I can gather from the lookup, because our domain is blacklisted and not an IP address (which is shared by a huge number of sites and would point to the possibly compromised server), we couldn't even move our domain to a new host that might be clean. From my understanding, we would then be in the position of trying to prove to SURBL that even the new server, one we don't own or have administrative access to and share with a huge number of other domains, has been secured when it may not have even been the compromised server in question!
I really am just trying to discuss these issues. Please do not, in any circumstances, take this for an attack of its own in any way. I understand that our case is but a tiny drop in a bucket of probably very effective saves. However, it is the false positives that hurt the most.
We are just growing frustrated that we have taken such an active effort to clear our name to no avail.
I continue to wish you all the best,
Petros Kolyvas