nanog mailing list archives

Re: Help with removing DNS sinkhole FP from Charter/Spectrum


From: Mel Beckman <mel () beckman org>
Date: Mon, 22 Apr 2024 14:35:50 +0000

I notice from MXToolbox.com that your domain’s IP address is on the UCEPROTECTL3 blacklist.

This is a notoriously evil blacklist that charges people for removal. This may be why Spectrum is blackholing your 
domain. Most respectable ISPs won’t use it. But Spectrum…

There is no delisting procedure without making a “donation” to the UCEPROTECT3 black sparrow account. They’re famous 
for blacklisting large swaths of IP addresses that catch up innocent parties that have never spammed a flea.

-mel

On Apr 22, 2024, at 4:51 AM, Validin Axon <axon () validin com> wrote:


Looking for some help/advice. Spectrum is sinkholing my company's domain, validin[.]com, to 127.0.0.54. The sinkhole 
responses come from their recursive DNS servers, 209.18.47.61 and 209.18.47.62, which are defaults for and in use by 
many of their customers and are only reachable from within the Spectrum network. I've had 4 people over the last week 
(think: customers, prospects, etc) who use Charter/Spectrum tell me that they have difficulty accessing my website as a 
result of this sinkhole behavior. This behavior is causing reputational harm to my company.

I've personally confirmed this behavior from the Spectrum network (I am also a customer) using dig to test their DNS 
servers:
```
$ dig +short @209.18.47.61 validin.com
127.0.0.54
$ dig +short @209.18.47.62 validin.com
127.0.0.54
```
Using Cloudflare/Google/etc works correctly:
```
$ dig +short @1.1.1.1 validin.com
137.184.54.107
157.245.112.183
$ dig +short @8.8.8.8 validin.com
157.245.112.183
137.184.54.107
```

I suspect my domain was blocklisted last year when a threat researcher included my domain name in a blog post about a 
threat they were investigating and cited my company as the source for their data. Someone scraped that post, and my 
company's domain was accidentally added to two AlienVault OTX pulses and at least one collection on VirusTotal. I 
removed the domain via false positive reporting from everything I could. However, it appears that being added to 
Spectrum's DNS sinkhole list is effectively permanent and there's no clear path for false positive remediation.

I've tried the official Spectrum support lines for months to no avail, and recently tried reaching out on Twitter, but 
have had no success there either. I'm clearly not able to find the right people through these routes, as none of the 
people I reach understand the difference between a DNS sinkhole and an IP block list and don't appear to be aware that 
DNS blocklisting is a separate behavior from their opt-in content filtering via Security Shield.

So, if someone could please help me find the team or individual responsible for Spectrum's DNS sinkhole behavior, I 
would be exceptionally grateful. :-)

As I mentioned, this is causing reputation harm, so switching my own DNS servers is not sufficient. People who need to 
reach me can't. So, I would appreciate any other help or advice you have,

Kenneth
