Ultimate-Hosts-Blacklist / whitelist

The whitelist of the Ultimate Hosts Blacklist project, infrastructure and beyond.
MIT License

[FALSE-POSITIVE] paycount.com #145

Closed ghost closed 4 years ago

ghost commented 4 years ago

@spirillen commented on Jun 12, 2020, 4:23 PM UTC:

Describe the subjects (domains)

Dead phish parsing the PyFunceble testing to domain(0|1).lists

pyfunceble --dns 192.168.1.5 -t 0 -vsc --no-whois --filter 'paycount.com' -f hosts.ubuntu101.co.za.tmp

Status      Percentage   Numbers     
----------- ------------ ------------
ACTIVE      0%           1           
INACTIVE    99%          267         
INVALID     0%           0

See also https://www.mypdns.org/T883 for in-depth documentation.

This issue was moved by funilrys from mitchellkrogza/Ultimate.Hosts.Blacklist#587.

spirillen commented 4 years ago

https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist/issues/587#issuecomment-643374002

/move to Ultimate-Hosts-Blacklist/whitelist

Aaahhh wouldn't whitelist it :smiling_imp: but only keep paycount.com & www.paycount.com

dnmTX commented 4 years ago

So what exactly are you reporting here?

spirillen commented 4 years ago

So what exactly are you reporting here?

Good question :smile:, but as it was time for some food, I updated this issue a bit late in consensus to your question. But it was never a white-listing question from my side; it was intentionally an FP report of a lot of FPs (due to a wrong test string), which shouldn't have been in the list.

As I've found a bug in my test string, the results turn out differently, which is shown in this gist, and this might justify the complete long list in a hosts file based concept.

https://gist.github.com/spirillen/094e5a20a34e6168232003a5e70cc0dd

The right string should have been

pyfunceble --dns 192.168.1.105

not 

pyfunceble --dns 192.168.1.5

However, a dig +short @192.168.1.105 -f paycount.com.test proves that all of the third-level domains are directed to 825610.parkingcrew.net., which is a provider that holds domains hostage and off the free market.

Conclusion

If you like to block this kind of "business", then you should keep most of these records (hosts file based).

On the other hand, I would cut it down to paycount.com & www.paycount.com, as that actually is sufficient and would save a bunch of records (~266), and then add *.parkingcrew.net. (825610.parkingcrew.net.) instead.

Other notes

As this concept relies on others' lists, the above conclusion can be hard to accomplish without writing some code which would run at the end of each test cycle. However, that might actually be a good idea to shorten the list sizes.

Have a look at the gist, and see what you might come up with :smiley: Keep up the good work.

[Image: DNS backend servers used for querying]
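
The end-of-cycle clean-up suggested under "Other notes" could look like the sketch below. It is an added example, not code from this thread, the linked gist or the project; the two-label apex rule, the function names and every sample hostname other than paycount.com, www.paycount.com and 825610.parkingcrew.net. are assumptions. The wildcard it emits is meant for a DNS-level blocklist, since a hosts file cannot express wildcards.

```python
from collections import defaultdict

# Constructed "hostname -> CNAME target" pairs, as gathered with dig +short.
# Only paycount.com, www.paycount.com and 825610.parkingcrew.net. come from
# the thread; every other name is made up for the example.
SAMPLE = {
    "paycount.com": "825610.parkingcrew.net.",
    "www.paycount.com": "825610.parkingcrew.net.",
    "login.paycount.com": "825610.parkingcrew.net.",
    "secure.paycount.com": "825610.parkingcrew.net.",
    "old.example.org": "825610.parkingcrew.net.",
    "www.example.org": "web.example.org.",
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def apex_of(host):
    # Assumption: the registrable domain is the last two labels. A real run
    # needs the Public Suffix List (co.za, co.uk, ...).
    return ".".join(norm(host).split(".")[-2:])

def parking_zone(target, zones):
    """Return the parking zone containing target, or None."""
    t = norm(target)
    return next((z for z in zones if t == z or t.endswith("." + z)), None)

def collapse(records, zones):
    """Cut fully parked domains to apex + www: (hosts, wildcards, saved)."""
    zones = {norm(z) for z in zones}
    groups = defaultdict(dict)
    for host, target in records.items():
        groups[apex_of(host)][norm(host)] = parking_zone(target, zones)
    hosts, wildcards = set(), set()
    for apex, members in groups.items():
        hit = set(members.values())
        if None in hit:  # some name is not parked: keep the whole group
            hosts.update(members)
            continue
        kept = [h for h in members if h in (apex, "www." + apex)]
        hosts.update(kept or members)  # no apex/www listed: keep as-is
        wildcards.update("*." + z for z in hit)
    total = sum(len(m) for m in groups.values())
    return sorted(hosts), sorted(wildcards), total - len(hosts)

if __name__ == "__main__":
    print(collapse(SAMPLE, ["parkingcrew.net"]))
```

A domain is only collapsed when every listed name under it resolves into the parking zone, so a mixed domain such as the constructed example.org keeps all of its records.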