Re: Help with removing DNS shinkhole FP from Charter/Spectrum

[Validin Axon <axon () validin com>]

Hi Mel,

I appreciate the suggestion. During my earlier research, I'd noticed that
as well. However, the DNS block includes all validin.com subdomains, covering
those on completely different ASNs. It also does NOT affect other domains
that resolve to the exact same IP addresses (e.g., validin.net). So, I'm
inclined to think it's not that simple, unfortunately.

I'd considered switching domains, but that doesn't guarantee the problem
wouldn't just reappear again, and it'd impact the search engine ranking
we've built up. We rely 100% on inbound, so that'd be a big set back.

Warm regards,

Kenneth

On Mon, Apr 22, 2024 at 10:29 AM Mel Beckman <mel () beckman org> wrote:

> UCEPROTECTL3 137.184.54.107 was listed
>
> I notice from MXToolbox.com that your domain’s IP address is on the
> UCEPROTECTL3 blacklist.
>
> This is a notoriously evil blacklist that charges people for removal. This
> may be why Spectrum is blackholing your domain. Most respectable ISPs won’t
> use it. But Spectrum…
>
> There is no delisting procedure without making a “donation” to the UCEPROTECT3
> black sparrow account. They’re famous for blacklisting large swaths of IP
> addresses that catch up innocent parties that have never spammed a flea.
>
> -mel
>
>
> On Apr 22, 2024, at 7:24 AM, Mel Beckman <mel () beckman org> wrote:
>
>  I notice you’re on the UCEPROTECT3 blacklist:
>
> <logo_square_1900.png>
> Network Tools: DNS,IP,Email
> <https://mxtoolbox.com/SuperTool.aspx?action=mx%3aValidin.com&run=toolpage>
> mxtoolbox.com
> <https://mxtoolbox.com/SuperTool.aspx?action=mx%3aValidin.com&run=toolpage>
> <https://mxtoolbox.com/SuperTool.aspx?action=mx%3aValidin.com&run=toolpage>
>
> UCEPROTECTL3 137.184.54.107 was listed
>  This is a notoriously evil blacklist that charges people for removal.
> This may be why Spectrum is blackholing your domain. Most respectable ISPs
> won’t use it. But Spectrum…
>
> There is no delisting procedure without making a “donation” to the UCEPROTECT3
> black sparrow account. They’re famous for blacklisting large swaths of IP
> addresses that catch up innocent parties that have never spammed a flea.
>
> -mel
>
> On Apr 22, 2024, at 4:51 AM, Validin Axon <axon () validin com> wrote:
>
> 
> Looking for some help/advice. Spectrum is sinkholing my company's domain,
> validin[.]com, to 127.0.0.54. The sinkhole responses come from their
> recursive DNS servers, 209.18.47.61 and 209.18.47.62, which are defaults
> for and in use by many of their customers and are only reachable from
> within the Spectrum network. I've had 4 people over the last week (think:
> customers, prospects, etc) who use Charter/Spectrum tell me that they have
> difficulty accessing my website as a result of this sinkhole behavior. This
> behavior is causing reputational harm to my company.
>
> I've personally confirmed this behavior from the Spectrum network (I am
> also a customer) using dig to test their DNS servers:
> ```
> $ dig +short @209.18.47.61 validin.com
> 127.0.0.54
> $ dig +short @209.18.47.62 validin.com
> 127.0.0.54
> ```
>  Using Cloudflare/Google/etc works correctly:
> ```
> $ dig +short @1.1.1.1 validin.com
> 137.184.54.107
> 157.245.112.183
> $ dig +short @8.8.8.8 validin.com
> 157.245.112.183
> 137.184.54.107
> ```
>
> I suspect my domain was blocklisted last year when a threat researcher
> included my domain name in a blog post about a threat they were
> investigating and cited my company as the source for their data. Someone
> scraped that post, and my company's domain was accidentally added to
> two Alient Vault OTX pulses and at least one collection on Virus Total. I
> removed the domain via false positive reporting from everything I could.
> However, it appears that being added to Spectrum's DNS sinkhole list is
> effectively permanent and there's no clear path for false positive
> remediation.
>
> I've tried the official Spectrum support lines for months to no avail, and
> recently tried reaching out on Twitter, but have had no success there
> either. I'm clearly not able to find the right people through these routes,
> as none of the people I reach understand the difference between a DNS
> sinkhole and an IP block list and don't appear to be aware that DNS
> blocklisting is a separate behavior from their opt-in content filtering via
> Security Shield.
>
> So, if someone could please help me find the team or individual
> responsible for Spectrum's DNS sinkhole behavior, I would be exceptionally
> grateful. :-)
>
> As I mentioned, this is causing reputation harm, so switching my own DNS
> servers is not sufficient. People who need to reach me, can't. So, I would
> appreciate any other help or advice you have,
>
> Kenneth