publicsuffix / list

The Public Suffix List
https://publicsuffix.org/
Mozilla Public License 2.0

Remove `awsmppl.com` to rollback #900 (expired domain, malicious) #2070

Closed groundcat closed 1 month ago

groundcat commented 1 month ago

Creating this PR to remove awsmppl.com (rollback #900) for the following reasons:

WHOIS

Per WHOIS, the Creation Date (2022-12-28T19:04:02Z) is later than the date of inclusion: sleevi merged commit 4e84d8b into publicsuffix:master on Dec 5, 2019.

Please read the original WHOIS records below:

   Domain Name: AWSMPPL.COM
   Registry Domain ID: 2747658378_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.web.com
   Registrar URL: http://www.networksolutions.com
   Updated Date: 2023-12-26T14:32:45Z
   Creation Date: 2022-12-28T19:04:02Z
   Registry Expiry Date: 2024-12-28T19:04:02Z
   Registrar: Slamdunk Domains LLC
   Registrar IANA ID: 2881
   Registrar Abuse Contact Email: abuse@web.com
   Registrar Abuse Contact Phone: +1.8003337680
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientHold https://icann.org/epp#clientHold
   Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS1.PARKLOGIC.COM
   Name Server: NS2.PARKLOGIC.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2024-07-25T02:41:54Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Sources: whois utility generated at 2024-07-24 22:42:17

VirusTotal Check

To check for possible security issues, we used VirusTotal and here are the obtained observations:

image

Sources:

Organization Website and Nature Check

Sources:

_psl TXT Record

Responses from multiple DNS servers for the _psl TXT record of the domain:

Response from 8.8.8.8: empty

Response from 1.1.1.1: empty

Response from 208.67.222.222: empty

Sources: dig command using DNS servers: Google (8.8.8.8), Cloudflare (1.1.1.1), OpenDNS (208.67.222.222)

Root-level Domain Usage Scan

As a potential indicator of domain usage, we scan the following records:

NS records (awsmppl.com) return empty (NXDOMAIN)

Additionally, we scan the following records for possible website usage at the root level:

A record (awsmppl.com) returns empty

A record (www.awsmppl.com) returns empty

MX records (awsmppl.com) return empty

Sources: dig command for A, NS, and MX records

Search Engine Checks

For possible website usage, we queried multiple different search engines:

image

image

image

Found few, but none accessible:

image

Sources:

Subdomain Discovery

For potential usage of subdomains that are not discovered by the search engines, we used the following tools and here are the obtained observations:

Found 72, but none with IP

image

Found none:

image

Conclusion: possibly no subdomain is in use.

Sources:

crt.sh Certificate Transparency Logs

For potential website usage of subdomains that are not discovered by the search engines, we checked the Certificate Transparency Logs and here are the obtained observations:

There are SSL certs valid for 1 year that have not expired.

image

Sources:

dnsguru commented 1 month ago

good catch, @groundcat - I think it is relatively safe to say that if creationDate > prior PR, it is a re-reg of expired requestor debris
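The re-registration check discussed in this thread (WHOIS creation date later than the PSL inclusion date), carried out over the WHOIS record quoted above, as an added example that is not part of the PR or the PSL project's own tooling. The `_psl` TXT check assumes the usual PSL convention that the record carries the pull-request URL; the sample WHOIS text and the `assess_psl_entry` helper are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample: an abridged copy of the WHOIS record quoted in the PR.
WHOIS_TEXT = """\
   Domain Name: AWSMPPL.COM
   Updated Date: 2023-12-26T14:32:45Z
   Creation Date: 2022-12-28T19:04:02Z
   Registry Expiry Date: 2024-12-28T19:04:02Z
   Domain Status: clientHold https://icann.org/epp#clientHold
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: NS1.PARKLOGIC.COM
"""

# Date the original entry was merged (PR #900, Dec 5, 2019 per the thread).
PSL_INCLUSION = datetime(2019, 12, 5, tzinfo=timezone.utc)


def parse_whois(text):
    """Parse 'Key: Value' WHOIS lines; repeated keys (Domain Status) become lists."""
    rec = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.strip().partition(":")
        rec.setdefault(key.strip(), []).append(val.strip())
    return rec


def assess_psl_entry(whois_text, inclusion_date, psl_txt_answers):
    """Return (should_remove, reasons) for an existing PSL entry.

    should_remove follows the rule from the thread: a creation date after the
    inclusion date means the domain lapsed and was re-registered by someone
    else. The other checks are supporting indicators only.
    """
    rec = parse_whois(whois_text)
    if "Creation Date" not in rec:
        return False, ["WHOIS has no Creation Date; verify manually"]
    created = datetime.strptime(rec["Creation Date"][0], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    reasons = []
    if created > inclusion_date:
        reasons.append(f"re-registered: created {created.date()} after inclusion {inclusion_date.date()}")
    statuses = {s.split()[0] for s in rec.get("Domain Status", [])}
    if "clientHold" in statuses:
        reasons.append("registrar clientHold: domain is not being served")
    if not any("github.com/publicsuffix/list/pull/" in a for a in psl_txt_answers):
        reasons.append("no _psl TXT record referencing the PSL pull request (assumed convention)")
    return created > inclusion_date, reasons
```

`assess_psl_entry(WHOIS_TEXT, PSL_INCLUSION, [])` flags the record on all three counts; a domain created before its inclusion date with a matching `_psl` TXT answer comes back clean.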