[SURBL-Discuss] Notification of Blacklist Status

Petros Kolyvas pk at shiftfocus.ca
Fri Jul 3 08:39:29 CEST 2009

> Given that 99.99+% of the contact info is forged or from stolen
> identities, that seems highly inappropriate.

Again, the impropriety occurred on the part of the phisher. There's no  
reason a properly worded message wouldn't help things along.

> Cracked phishing sites often stay cracked and are used for repeated
> phishing or other crimes such as malware infection.  How would someone
> whose life savings had been stolen feel if the phishing site were
> delisted before it was actually secured and they were defrauded as a
> result?  How do you balance these?  Is it reasonable to try to make
> sure that the cracked sites have been secured?  That seems like the
> responsible thing to do in these cases.

Let's take our case, because that's the only one I'm qualified to  
speak on.

1. Our domain was added to the blacklist. I don't know when or how or  
what the actual address of the phishing site was.

2. Since we were not notified of being added (again my main point  
contention,) no action could be taken to remedy the situation if there  
was, in fact, something we could do to secure the site.

Again, and here is why my argument takes hold, since we didn't know  
there was a possible issue, even if that issue was with our host's  
shared server, you're actually not stopping anything from happening.  
The majority of the e-mail we send is not blocked or bounced, even  
though we're on the blacklist. Until today, no action was taken by  
either us, or our web host (who are now "investigating.") At the cost  
of repeating myself ad-nausem, not being notified could actually mean  
a particular phishing site stays online for a far longer period of  
time and therefore remains accessible to anyone who doesn't subscribe  
to a given blacklist.

Our host even claimed that: The domain is not directly hosting the  
phishing attack. Due to the fact that the server is running UserDir  
functionality, other user accounts can be accessed through the / 
~username path. My ISP has confirmed that the UserDir functionality  
will be removed from all server within 48 hours."

And yet we were not removed from the list. We were asked for further  
proof that it would not happen again. Which I understand on one hand,  
but we are not the party that can provide said proof. Our only option  
would be to move our domain to another host.

I could not agree more that cracked servers should have to proved they  
are now secured. I do feel (somewhat) for all those people that may  
click on paypal.surbl.org/account_update and give in their  
confidential information. (Hopefully that example elicits a wry grin  
and is taken for the light-hearted phishing-related humour it was  
meant to be.)

However, and to take this back to the only case I'm qualified to talk  
about: from what I can gather from the lookup, because our domain is  
blacklisted and not an IP address (which is shared by a huge number of  
sites and would point to the possibly compromised server) we couldn't  
even move our domain to a new host that might be clean. From my  
understanding, we would then be in the position of trying to prove to  
SURBL that even the new server, one we don't own or have  
administrative access too and share with a huge number of other  
domains, has been secured when it may not have even been the  
compromised server in question!

I really am just trying to discuss these issues. Please do not, in any  
circumstances take this for an attack of it's own in any way. I  
understand that our case is but a tiny drop in a bucket of probably  
very effective saves. However it is the false positives that hurt the  

We are just growing frustrated that we have taken such an active  
effort to clear our name to no avail.

I continue to wish you all the best,
Petros Kolyvas

More information about the Discuss mailing list