RPiList / specials

Protection against fake shops, advertising, tracking and other attacks from the internet

False positives: Various Japanese government services #706

Closed sellth closed 2 years ago

sellth commented 2 years ago

There are various *.go.jp domains on the Corona & Malware lists, which is the second level domain reserved for Japanese government organisations. I would assume none of these distribute malicious content and especially https://corona.go.jp is very important nowadays.

Domains in question:

Corona

auth-stg.covid19.mhlw.go.jp
bancovid.nih.go.jp
corona.go.jp
covid-registry.ncgm.go.jp
stg.covid19.mhlw.go.jp

Malware

directml.jfc.go.jp
jcb.jnto.go.jp
kitaosaka-cci.go.jp
www.enecho.meti.go.jp
www.jcb.jnto.go.jp

RPiList commented 2 years ago

Hi,

thank you for letting us know. It is fixed now and should roll out to all pi-hole users with the next update.

But...

while the Corona list is of our own making, the Malware list is not. We just crawl a few malware services on the internet which will still feature those URLs. A few of those malware services don't take their job lightly. When they say there is malware, there is malware. We have complaints about the malware list regularly. In almost every case, it turned out to be true. It's just that the framing as malware is different for everybody out there. Some see "malware" only if it is virus.exe on the server. But that's not true, of course. It only takes a stupid admin to create an XSS on the website and you are on the malware list.

Anyway... in this case I found numerous .go.jp domains on a number of "No-Tracking" sites. There are services on the internet that see extensive tracking as an act of aggression and put them on the malware list.

But since it is a government site, tracking is kind of a given, I guess.

Greetings

sellth commented 2 years ago

Thank you for the swift response. I'm not even based in Japan and only found this by chance while looking up how they're handling this pandemic.

While I appreciate your sarcasm, here's an alternative explanation for the blocks: There are ~2.3k variants of the go.xyz.tld subdomain on the Malware list to block Salesforce's Pardot cloud marketing tool. Maybe these go.jp domains are genuine false positives due to this similarity?

RPiList commented 2 years ago

No, that's not the case.

Usually, it works like this: There are spiders/crawlers out there looking for samples. Once a sample has been found, the complete URL is listed by the service.

Pi-hole (or we) cut the complete URL down to its domain. The domain is listed in our list and only the domain is blocked by pi-hole.

Domains that "sound" almost the same are not affected, since pi-hole is only checking the list/directory it has.

The point you suggested might be achieved using a different blocking tool, like so-called "reg-ex" expressions. There you can tell your pi-hole to block domains within a certain "range". For example, ".ru$" would block every Russian domain. But in that case, your pi-hole would tell you that there are no listings in your blocklists; your domain was blocked because of a reg-ex expression.

Since we can rule out pi-hole as a source of error... you could be right that the internet service listing these domains does a lot of collateral damage by listing everything that's even remotely similar to the domain in question. But such a bad service would not last very long.

In the case of go.jp on the malware list, it was - as already said - a case of tracking; it's easy to verify. It's not hard to find since tracking leaves traces in the HTML code. So you just have to search on Google for those traces. That's why the search engine duckduckgo.com has its own tracking service.

Greetings.
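As an added illustration of the matching behaviour described in the reply above (this is not code from the thread or from pi-hole), the list build cuts crawled URLs down to host names, an exact-match lookup then only hits those host names, and a regex entry such as the ".ru$" example matches by pattern instead. The URLs and regex entries below are constructed samples; pi-hole's internal lookup is assumed to behave like a plain set membership test.

```python
"""Exact-match blocklist lookup versus regex blocking (constructed example)."""
import re
from typing import Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed sample: full URLs as a malware crawler might publish them.
CRAWLED_URLS = [
    "https://corona.go.jp/en/some/page.html",
    "http://go.example-marketing.test/track?id=1",
    "https://www.jcb.jnto.go.jp/index.html",
]


def url_to_domain(url: str) -> str:
    """Cut a listed URL down to its host name, as the list build does."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host name in {url!r}")
    return host.lower().rstrip(".")


def build_blocklist(urls: Iterable[str]) -> Set[str]:
    """Only the host names end up on the list, never paths or queries."""
    return {url_to_domain(u) for u in urls}


def is_blocked_exact(domain: str, blocklist: Set[str]) -> bool:
    """List lookup: the queried name must equal an entry exactly.

    Lookalike or neighbouring names (go.jp, covid19.go.jp, go.other.test)
    are not affected by an entry for corona.go.jp.
    """
    return domain.lower().rstrip(".") in blocklist


def is_blocked_regex(domain: str, patterns: Iterable[str]) -> Optional[str]:
    """Regex blocking: return the first matching pattern, or None.

    Note the escaped dot in the sample pattern: an unescaped ".ru$" would
    also match names merely ending in "ru", so regex entries deserve care.
    """
    for pattern in patterns:
        if re.search(pattern, domain, re.IGNORECASE):
            return pattern
    return None


if __name__ == "__main__":
    blocked = build_blocklist(CRAWLED_URLS)
    print(sorted(blocked))
    print(is_blocked_exact("corona.go.jp", blocked), is_blocked_exact("go.jp", blocked))
    print(is_blocked_regex("example.ru", [r"\.ru$"]))
```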