Dear All,
I was notified today via an error message from a mail server that a domain/URL in the e-mail was on a blacklist somewhere. I took the time to check and, sure enough, our own domain is on that list with the note PH.
The problem is that our domain is hosted on a shared web host from what I believe to be a fairly reputable web host here in Montreal (iWeb.com). We have no ability to control or monitor the servers at a level that would allow us to work on, modify, patch, or make any of the low-level changes that are requested in the "Removal Request."
More importantly, why isn't a domain notified upon being blacklisted (via the info@... or abuse@... mailboxes)? I can understand the need for immediately blacklisting troublesome domains; with that I have no qualms. However, it seems that, in the hope of weeding out false positives like our own, at least a note that the domain is being added to the blacklist would help in some kind of active response - instead of the reactive one where we start receiving cryptic messages from clients' servers indicating something is amiss.
That being said, thanks for all your hard work to keep this giant and messy infrastructure as clean as humanly possible.
Be well, Petros Kolyvas
Thanks for a good suggestion and for your kind words, but 99.99+% of the sites on SURBL lists likely have false contact information or are hosted on compromised computers, so it's often not feasible to contact them.
Probably the best approach is to follow the removal procedure at:
as you're doing.
On 7/2/09, Petros Kolyvas pk@shiftfocus.ca wrote:
-- ShiftFocus Media for Arts and Education
Phone: 514.667-9778 ext. 231 Fax: 866.850.5451
42 Milner Street Montreal, QC, H4X 2H5
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
Thanks for the reply.
I would, however, retort that if the contact info is faulty, and a message simply isn't delivered (hopefully you'll get a notification of an invalid address), this could count as a further strike against a domain.
However, if the contact information is good, and a message is properly received, it does help speed along the process. We keep both info@shiftfocus.ca and abuse@shiftfocus.ca so that we can be notified of any trouble. The hope was that we might know about the trouble and take action before something like this occurs.
For example, until today we didn't know we were somehow (and mistakenly) on a blacklist. How long were we on the blacklist? It would certainly explain some odd behaviour of sent messages over the last couple of months.
Having completed another "lookup," no additional information is offered. We can't face our accuser so to speak or see how, why or when we were added in any detail.
Back to my original point, it seems to me the overhead for the simple e-mail notification would be quite low and the net effect would be some increased feeling of goodwill from those who might suffer from false positives. The increased level of openness could only help further the cause.
I am not saying this to criticise the effort, far from it. I still applaud the gargantuan and nearly impossible effort of keeping the streets "clean." At the same time, as an outsider who is suffering a little from the cleaning, these are my thoughts. They remain opinion and should be considered such.
I do wish you all the best, Petros Kolyvas
What happens if a spammer decides to use, say, abuse@shiftfocus.ca as the contact on their thousands of domains?
The same issue would exist with any e-mail address though. It can happen with surbl.role@gmail.com. It doesn't seem like a logical reason.
Even if they did, we'd simply get 1000s of emails one day (or even every day) saying "[x domain] is blacklisted because of [y]." No sweat off our back unless [x domain] is my domain. I could even use any number of search functions to weed through them all fairly quickly; heck even a simple shell script to parse the messages as they come in would do.
But what I was implying below is that, for the blacklist's sake, the owner, administrator or technical contact be sent a message.
I am only making these suggestions because I feel that, through no fault of our own, we've been attacked but with no defence. So in this equation the phisher wins because he's already done his work and moved on to a new server while our business suffers (without us knowing how or why). It was iPowerWeb (of all places!) that sent a note this morning saying an address was blacklisted.
I will repeat that I am not trying to detract from such a badly needed effort. The feeling is just that it's a little heavy handed when you're on the other end.
Petros
On 7/2/09, Petros Kolyvas pk@shiftfocus.ca wrote:
But what I was implying below is that, for the blacklist's sake, the owner, administrator or technical contact be sent a message.
Given that 99.99+% of the contact info is forged or from stolen identities, that seems highly inappropriate.
I am only making these suggestions because I feel that, through no fault of our own, we've been attacked but with no defence. So in this equation the phisher wins because he's already done his work and moved on to a new server while our business suffers (without us knowing how or why.) It was iPowerWeb (of all places!) that sent a note this morning saying an address was blacklisted.
Cracked phishing sites often stay cracked and are used for repeated phishing or other crimes such as malware infection. How would someone whose life savings had been stolen feel if the phishing site were delisted before it was actually secured and they were defrauded as a result? How do you balance these? Is it reasonable to try to make sure that the cracked sites have been secured? That seems like the responsible thing to do in these cases.
Given that 99.99+% of the contact info is forged or from stolen identities, that seems highly inappropriate.
Again, the impropriety occurred on the part of the phisher. There's no reason a properly worded message wouldn't help things along.
Cracked phishing sites often stay cracked and are used for repeated phishing or other crimes such as malware infection. How would someone whose life savings had been stolen feel if the phishing site were delisted before it was actually secured and they were defrauded as a result? How do you balance these? Is it reasonable to try to make sure that the cracked sites have been secured? That seems like the responsible thing to do in these cases.
Let's take our case, because that's the only one I'm qualified to speak on.
1. Our domain was added to the blacklist. I don't know when or how or what the actual address of the phishing site was.
2. Since we were not notified of being added (again, my main point of contention), no action could be taken to remedy the situation if there was, in fact, something we could do to secure the site.
Again, and here is why my argument takes hold: since we didn't know there was a possible issue, even if that issue was with our host's shared server, you're actually not stopping anything from happening. The majority of the e-mail we send is not blocked or bounced, even though we're on the blacklist. Until today, no action was taken by either us or our web host (who are now "investigating"). At the cost of repeating myself ad nauseam, not being notified could actually mean a particular phishing site stays online for a far longer period of time and therefore remains accessible to anyone who doesn't subscribe to a given blacklist.
Our host even claimed that: "The domain is not directly hosting the phishing attack. Due to the fact that the server is running UserDir functionality, other user accounts can be accessed through the /~username path. My ISP has confirmed that the UserDir functionality will be removed from all servers within 48 hours."
And yet we were not removed from the list. We were asked for further proof that it would not happen again. Which I understand on one hand, but we are not the party that can provide said proof. Our only option would be to move our domain to another host.
I could not agree more that cracked servers should have to prove they are now secured. I do feel (somewhat) for all those people that may click on paypal.surbl.org/account_update and give in their confidential information. (Hopefully that example elicits a wry grin and is taken for the light-hearted phishing-related humour it was meant to be.)
However, and to take this back to the only case I'm qualified to talk about: from what I can gather from the lookup, because our domain is blacklisted and not an IP address (which is shared by a huge number of sites and would point to the possibly compromised server), we couldn't even move our domain to a new host that might be clean. From my understanding, we would then be in the position of trying to prove to SURBL that even the new server, one we don't own or have administrative access to and share with a huge number of other domains, has been secured when it may not have even been the compromised server in question!
I really am just trying to discuss these issues. Please do not, in any circumstances, take this for an attack of its own in any way. I understand that our case is but a tiny drop in a bucket of probably very effective saves. However, it is the false positives that hurt the most.
We are just growing frustrated that we have taken such an active effort to clear our name to no avail.
I continue to wish you all the best, Petros Kolyvas
On 7/2/09, Petros Kolyvas pk@shiftfocus.ca wrote:
- Since we were not notified of being added (again, my main point of contention), no action could be taken to remedy the situation if there was, in fact, something we could do to secure the site.
To be clear, the owner of the phished brand usually makes very thorough efforts to contact the site owner or web host to let them know about it and to ask them to correct the problem.
Our host even claimed that: "The domain is not directly hosting the phishing attack. Due to the fact that the server is running UserDir functionality, other user accounts can be accessed through the /~username path. My ISP has confirmed that the UserDir functionality will be removed from all servers within 48 hours."
Which doesn't answer any of these probably important questions:
1. How was the server cracked?
2. How was the server fixed?
3. Is the phishing site down or still up?
4. Is the server now secure?
It would probably help to have answers to these questions.
To be clear, the owner of the phished brand usually makes very thorough efforts to contact the site owner or web host to let them know about it and to ask them to correct the problem.
If you've been reading the discussion, you'll know that's not the case in this case - and further points that our site was never used for any phishing.
Our host even claimed that: "The domain is not directly hosting the phishing attack. Due to the fact that the server is running UserDir functionality, other user accounts can be accessed through the /~username path. My ISP has confirmed that the UserDir functionality will be removed from all servers within 48 hours."
And again, obviously not reading the discussion since the server was not ours and we did everything we could, including asking our web host to fix the problem and to contact the SURBL whitelisters - who did not answer them.
The most nagging issues from my previous message were completely ignored.
That's fine. No one likes to be told their system is broken. "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." The famous Ben Franklin quote used by the OpenBSD team fits in quite nicely here.
I hope everyone understands how something like this can affect a small business. With a crew of just two we can't afford to spend this much time on something we had no control over when we're trying our best to stay afloat in difficult times.
Clearly false positives are less of a concern than they should be.
Still wishing you all the best, Petros Kolyvas
On 7/3/09, Petros Kolyvas pk@shiftfocus.ca wrote:
If you've been reading the discussion, you'll know that's not the case in this case - and further points that our site was never used for any phishing.
That's not correct. The site reportedly appeared in phishing messages.
Our host even claimed that: "The domain is not directly hosting the phishing attack. Due to the fact that the server is running UserDir functionality, other user accounts can be accessed through the /~username path. My ISP has confirmed that the UserDir functionality will be removed from all servers within 48 hours."
Translation: your site was used for phishing, with a name like www.mydomain.com/~username
Your host is trying to tell you exactly that.
To be clear, had some due diligence been done it would be noted that it was the shared server which was compromised and not the domain itself. I would suggest that some research would show that many domains on that shared host are on this particular blacklist and that it had nothing to do with the domains themselves. Which furthers my point that the domain owners, in this particular case, are being unfairly punished when a more direct solution — i.e. contacting a shared host that has produced a large number of compromised domains — would have greater effect.
Translation: your site was used for phishing, with a name like www.mydomain.com/~username
Your host is trying to tell you exactly that.
Actually, that is what my host asked me to tell the SURBL whitelisters. Additionally, the host isn't saying our site was used for phishing but rather that the shared server allowed any site on it to appear to be the culprit when the domains themselves, in fact, were not.
Furthermore, they [our host] weren't trying to tell us anything. They were trying to tell SURBL something and it wasn't enough. So much so that despite being very proactive in this case, nothing at all has happened; with the exception of the creation of some interesting logical fallacies.
To be even clearer, this whole process is so obviously flawed we have spent the afternoon telling each of our clients that in order to continue working with us via e-mail they will need to stop using the SURBL lists. Thankfully this was not an issue and they were happy to comply.
When calm reasoning is not even considered, it's time to stop reasoning.
Despite all this, I continue to wish you all the very best.
Take care, Petros Kolyvas
On 7/3/09, Petros Kolyvas pk@shiftfocus.ca wrote:
To be clear, had some due diligence been done it would be noted that it was the shared server which was compromised and not the domain itself. I would suggest that some research would show that many domains on that shared host are on this particular blacklist and that it had nothing to do with the domains themselves. Which furthers my point that the domain owners, in this particular case, are being unfairly punished when a more direct solution — ie. contacting a shared host that has produced a large number of compromised domains — would have greater effect.
The domain would not have been listed unless the site appeared in phishing messages.
We are waiting for the answer to two simple, reasonable questions:
1. Is the phishing site down?
2. Has the server been secured?
On 2009-07-04, at 12:39 AM, SURBL Role surbl.role@gmail.com wrote:
The domain would not have been listed unless the site appeared in phishing messages.
Please re-read what I wrote above. Read it again. Then read it once more. There are people who can help if English comprehension is something that needs to be worked on.
Do it for the children.
We are waiting for the answer to two simple, reasonable questions:
- Is the phishing site down?
- Has the server been secured?
A broken record should be thrown away.
I still applaud the effort. I just cringe at the implementation.
Good night and good luck.
Petros Kolyvas
On 7/3/09, Petros Kolyvas pk@shiftfocus.ca wrote:
Please re-read what I wrote above. Read it again. Then read it once more. There are people who can help if English comprehension is something that needs to be worked on.
What you wrote is incorrect. Your site appeared in phishes.
Hi!
Please re-read what I wrote above. Read it again. Then read it once more. There are people who can help if English comprehension is something that needs to be worked on.
The only thing you need help with is someone who can explain to you what UserDir is and that it was abused on YOUR domain, not on others on that server; YOUR domain was advertised in the spams.
That you rent a cheap colo server and want a free ride with that, fine, but that's your choice. You also could have picked a more secure way to have a web presence. Not saying you should, but saying every hosting has its price. And this is what you get.
You can keep writing that we are wrong and more, but could it be you are wrong here, and not us? I have been silent all along but it's getting embarrassing now. Please stop writing more mails on the list here. Your delisting request is handled on the whitelist alias; that's where this discussion should take place. Not here.
We are not here to help you understand how hosting works; hire a security expert to do that. We do however have a pretty high understanding of what went wrong on your server. Telling us it isn't you is simply not enough, sorry. If your domain was used in phish, and with your domain, on your server, it's you! No matter how you like to turn the issue away onto your hoster. You picked this hoster, you pay this hoster, we don't, you do.
In the end you are responsible for your domain; you pick the hosting. You decided to put this on a shared server.
Talk to us on the whitelist alias, not here; talking here will not help you get delisted at all. We asked two simple questions. Is the site secure now? Your hoster told us he will disable UserDirs; is this done already? If not, write back to us on the whitelist alias, not here, I repeat, not here. The discussion list isn't for delisting requests and you have been given showtime enough here now.
Thanks,
Raymond Dijkxhoorn - SURBL STAFF.
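As an added illustration, not code from this thread or from SURBL, of the point made in the "Translation" reply and in Raymond's message: a URI blocklist keys on the registrable domain of each URL seen in a message, so a phish served from a UserDir path such as www.mydomain.com/~username lists the domain itself, regardless of which shared server or IP it sits on. The domain names below are constructed; the list bit values are an assumption taken from SURBL's published implementation guidelines (8 being the PH list named in the first message).

```python
"""Why a /~username phish lists the whole domain, and how to read the answer.

Added example for the SURBL discussion above; not SURBL's own code.
"""
import ipaddress
from urllib.parse import urlparse

# Bit values carried in multi.surbl.org answers (127.0.0.N).  Assumption:
# taken from SURBL's implementation guidelines; 8 is the PH (phishing) list.
SURBL_LIST_BITS = {8: "PH", 16: "MW", 64: "ABUSE", 128: "CR"}

# Constructed, deliberately incomplete set of two-label public suffixes, so
# that "shop.example.co.uk" keeps three labels instead of two.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the lookup key a URI blocklist derives from a hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def lookup_key(url: str) -> str:
    """Reduce a URL found in a message to the name that gets looked up.

    Subdomains and the entire path are discarded, which is why a phish at
    www.example.org/~user/... lists example.org itself, and why moving the
    domain to another host does not change the key.  Bare IPv4 hosts are
    keyed by their reversed octets instead, so the shared server's address
    and the domain are two independent entries.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    try:
        ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return registrable_domain(host)
    return ".".join(reversed(host.split(".")))


def query_name(url: str, zone: str = "multi.surbl.org") -> str:
    """DNS name a mail filter would resolve for this URL (not resolved here)."""
    return f"{lookup_key(url)}.{zone}"


def decode_answer(address: str) -> list[str]:
    """Map a 127.0.0.N answer to the names of the lists whose bits are set.

    An empty result means no list bit is set; in a live lookup an unlisted
    key yields NXDOMAIN rather than an address.
    """
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or octets[:3] != [127, 0, 0]:
        raise ValueError(f"unexpected blocklist answer {address!r}")
    return sorted(name for bit, name in SURBL_LIST_BITS.items()
                  if octets[3] & bit)


if __name__ == "__main__":
    # Constructed sample: the phish URL and the legitimate site share one key,
    # while the server's IP is a separate key.  The host's fix corresponds to
    # Apache's mod_userdir directive "UserDir disabled".
    phish = "http://www.example.org/~user/paypal/account_update"
    legit = "https://www.example.org/"
    print(query_name(phish))                        # example.org.multi.surbl.org
    print(query_name(legit))                        # example.org.multi.surbl.org
    print(query_name("http://192.0.2.10/~user/"))   # 10.2.0.192.multi.surbl.org
    print(decode_answer("127.0.0.8"))               # ['PH']
```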