False Positive | s3.us-east-005.backblazeb2.com #1067
Verification Required

@bbraji, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:
   - Record Name: _phishingdb
   - Record Value: antiphish-76598124061714af09432a7d2ec3c072eea4f17f
   Your Verification ID: antiphish-76598124061714af09432a7d2ec3c072eea4f17f
2. Wait for DNS propagation (this may take a few minutes to a few hours).
3. Reply to this issue once the TXT record has been set.

Important Notes
- Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
- If the record cannot be set or you need alternative methods of verification, please contact us at ***@***.*** - preferably from the domain's official email address.

How to Check the TXT Record?
You can verify that the TXT record is properly set using:
- Online tools like MXToolBox TXT Lookup <https://mxtoolbox.com/TXTLookup.aspx>.
- The command line: dig TXT _phishingdb.example.com

Thank you for your cooperation! We will address your issue as soon as possible after verification.
The Phishing.Database Project Team. |
Hi,
The record has been added and you can proceed with your verification process.
Kindly inform us if you have any questions and provide an estimated completion time.
Thanks,
Raji
|
Hmm I don't see the TXT record

ptcheck s3.us-east-005.backblazeb2.com antiphish-76598124061714af09432a7d2ec3c072eea4f17f
Failed to query DNS TXT record for _phishingdb.s3.us-east-005.backblazeb2.com

ptcheck backblazeb2.com antiphish-76598124061714af09432a7d2ec3c072eea4f17f
Failed to query DNS TXT record for _phishingdb.backblazeb2.com

ptcheck us-east-005.backblazeb2.com antiphish-76598124061714af09432a7d2ec3c072eea4f17f
Failed to query DNS TXT record for _phishingdb.us-east-005.backblazeb2.com

Thanks for using my tools.
Please consider a sponsorship at https://www.mypdns.org/donate |
Hi, domain verifications are usually put into place on the base/root domain, not the FQDN.
For instance:
% dig -t txt backblazeb2.com
; <<>> DiG 9.10.6 <<>> -t txt backblazeb2.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26593
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;backblazeb2.com. IN TXT
;; ANSWER SECTION:
backblazeb2.com. 300 IN TXT "postman-domain-verification=58e583c8b0566bdeb2991a4c37285ac2cf3382faebf20a0afd0d79119b3b66307325aa18bcec24519fb45dbb7bcf123ef53cb6a09f1029bf583fee76bd2efc5a"
backblazeb2.com. 300 IN TXT "v=spf1 redirect=backblazeb2.com.hosted.spf-report.com"
backblazeb2.com. 300 IN TXT "FAtENs5ngeYmE0ynyszm8o58Wg0RS1M"
backblazeb2.com. 300 IN TXT "_phishingdb=antiphish-76598124061714af09432a7d2ec3c072eea4f17f"
backblazeb2.com. 300 IN TXT "forward-email-site-verification=gzqwSdjK3I"
backblazeb2.com. 300 IN TXT "google-site-verification=jgiutAgp_DXTW9Ib4Oc303deFWkcw6rRxHvpQfIEtks"
;; Query time: 9 msec
;; SERVER: 2604:9dc0:31fc:6d00:6662:66ff:fe21:bb56#53(2604:9dc0:31fc:6d00:6662:66ff:fe21:bb56)
;; WHEN: Mon Feb 03 09:14:33 PST 2025
;; MSG SIZE rcvd: 534
Please let us know if it has to be on a FQDN, such as s3.us-east-005.backblazeb2.com vs backblazeb2.com? Those hostnames might change since that is a VIP that is load balanced.
Thanks,
Raji
|
As I showed you, I tested it here??? I just tested it again, and it's still not working. Please follow the guide provided here; it will make things much easier than arguing about how you think it should be done. Use ptcheck to verify your records. It's straightforward—both ptcheck and the other small programs available at https://github.com/foreign-affairs/phishing-database-tools are designed to test and validate specific records for the PhishingDatabase. |
Hi @spirillen, I'm the network engineer who added the initial record. I want to make sure I understand your request. You're asking for a TXT record specifically for one host within our production network, "s3.us-east-005.backblazeb2.com." We have about 50 S3 endpoints under that domain. While we can create individual TXT records, doing so for each server would be quite cumbersome. Is your goal domain ownership verification? If so, a single TXT record at the root domain, "backblazeb2.com," should suffice. Could you clarify why you need a record for just this one specific host, rather than at the root domain level? Thanks, Matt |
Hi @spirillen after re-reading the original request, I might have gotten some facts mixed up. Per the instructions at the top, the DIG command now returns the data you seek. % dig TXT _phishingdb.backblazeb2.com +short If there's something amiss here, please let me know. Thanks, Matt |
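As an added illustration (not part of this thread, nor ptcheck's own code), the check the verification steps above describe, run offline against constructed zone data modelled on the dig output earlier in the thread. It queries `_phishingdb.<name>` starting at the FQDN and walking up to the apex (the two-label apex cutoff and the `make_lookup` stand-in for a real resolver are assumptions), and it flags the near miss seen above, where the token was published as a `_phishingdb=...` value at the apex instead of as a TXT record named `_phishingdb.backblazeb2.com`.

```python
"""Offline model of the Phishing.Database TXT ownership check (added example).
Zone data below is constructed to mirror the thread: the token first appears as a
"_phishingdb=..." value at the apex, later as a record at the _phishingdb label."""
from typing import Callable, Dict, List, Optional, Tuple

LABEL = "_phishingdb"
TOKEN = "antiphish-76598124061714af09432a7d2ec3c072eea4f17f"  # token from the thread

# Constructed TXT data keyed by owner name (not live DNS answers).
ZONE_BEFORE_FIX: Dict[str, List[str]] = {
    "backblazeb2.com": ["v=spf1 redirect=backblazeb2.com.hosted.spf-report.com",
                        f"{LABEL}={TOKEN}"],
}
ZONE_AFTER_FIX: Dict[str, List[str]] = {
    "backblazeb2.com": ["v=spf1 redirect=backblazeb2.com.hosted.spf-report.com"],
    f"{LABEL}.backblazeb2.com": [TOKEN],
}

Lookup = Callable[[str], List[str]]

def make_lookup(zone: Dict[str, List[str]]) -> Lookup:
    """Build a TXT lookup over constructed zone data; a real checker would
    replace this with a resolver query (what `dig TXT <name>` does)."""
    def lookup(name: str) -> List[str]:
        return list(zone.get(name.rstrip(".").lower(), []))
    return lookup

def candidate_names(fqdn: str, min_labels: int = 2) -> List[str]:
    """The FQDN first, then each parent down to min_labels labels.
    Assumption: the apex has two labels; use a public-suffix list in practice."""
    labels = fqdn.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

def verify(fqdn: str, token: str, lookup: Lookup) -> Tuple[Optional[str], List[str]]:
    """Return (name whose _phishingdb record holds the token, hints).
    Hints explain a near miss: the token stored as a value at the name itself."""
    hints: List[str] = []
    for name in candidate_names(fqdn):
        if token in lookup(f"{LABEL}.{name}"):
            return name, hints
        if f"{LABEL}={token}" in lookup(name):
            hints.append(f"{name}: '{LABEL}={token}' is a TXT value at the apex; "
                         f"publish the bare token as a TXT record named {LABEL}.{name}")
    return None, hints

if __name__ == "__main__":
    for state, zone in (("before fix", ZONE_BEFORE_FIX), ("after fix", ZONE_AFTER_FIX)):
        print(state, verify("s3.us-east-005.backblazeb2.com", TOKEN, make_lookup(zone)))
```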
ptcheck backblazeb2.com antiphish-76598124061714af09432a7d2ec3c072eea4f17f
The test value matches the DNS TXT record.
Thanks for using my tools.
Let's move on,,, |
That's one huge list.
Details: 1301 records |
@bbraji and @mattablaze After testing these with PyFunceble, I can see some of these are marked as active. Can you please follow up on them? Active URLs by PyFunceble
For the majority I'm pleased to see these phishing URLs are taken and you have been taking proper action 👍🏻 spent 30m |
We've added the DNS TXT record and addressed all the phishing URLs you previously reported. To ensure we can promptly suspend any new malicious accounts, please continue to send us any phishing links you find. Our service level agreement (SLA) for removing phishing content is one hour.
While we've taken these steps, the Phishing flag remains active on VirusTotal as of today.
Is there anything else we need to do to complete the whitelisting process?
Please let us know if you have any further questions.
Thanks,
Raji
|
Well, since your first reply about 30 minutes ago, I haven't touched the issue for a couple of days; the next step is to find time to retest the records and then review the results. The DNS TXT is confirmed, so it all comes down to the test results whether I pass you a place on the whitelist. spent 8m |
If you have an API for reporting, I think @g0d33p3rsec and @ninjacatcher might be interested. They are both experienced in phishing and could potentially integrate your service into their code. If you prefer a more private platform, I can offer you space at https://kb.mypdns.org, where you can discuss issues as privately as you need. |
Super, all seems in order. Next question, the domain rule you request to have added is in regex
|
Hi @spirillen so the string you provided had one small error, seen in my regex tester (didn't escape the last /)
However, that search pattern is very specific to that server "s3.us-east-005". As I mentioned earlier in this thread, it would be better not to limit it to the server hostname, since we have approx. 50. How about this instead:
That way, any of these would match and be valid:
|
Sure, throwing it in the pot right away... Here, Phishing-Database/phishing@60eec6d Then let's hope the backend actually can figure it out 😁 Test it in a couple of hours or get back; I'll follow up on it tomorrow then, no promises about at which time as I have other arrangements tomorrow (CEST), so it could be late evening/night as now. |
Sure, please report any phishing reports to urlscan and we will take it from there. |
Hey @spirillen, is it possible just to add our entire *.backblazeb2.com domain here?
|
How many (sub-)domains do you have that are facing the public? I’m open to your suggestions for adding them all to the falsepositive_all.list and the Phishing Database. However, by doing this (whitelisting too broadly), you may actually make yourself a bigger target for bad actors, as you could be seen as exempt from being marked for phishing. (spent 8m) |
@spirillen you bring up a good point. Ok how about this:
|
Edited regex above to match your pattern for beginning and end of URLs. That should be complete. |
Kind of you, but I can make them in several ways; it mostly depends on the time of the day how cryptic I'm making them 😉 Shouldn't this just be
This should match all of https://regex101.com/r/CDlJrQ/1
This one is even funnier https://regex101.com/r/6emxCA/1
Matches all of
Which of these are you most up for yourself? Or did you have a fun time too?
Could make fun with these as well, but I'm too tired... Just a bit of fun
UPDATE: I made the last action before bed... Phishing-Database/phishing@61fdf0e You are free to make a PR or come with other suggestions for the regex; then we can change them tomorrow. Sleep tight 😵 |
Ha, I played with that first one for a bit and kept wondering why I wasn't seeing a match for the unnumbered one and just realized there's a space at the end...doh. That first one is great since it matches all:
And just leave the original one (the east-west one) as we may add more regions. :) and they should just fall in line. I too had fun - love/hate regex and I was using the same tool to figure this out. :) |
oh and I just saw your commit and see you used that first one. I think we're good for now. Thanks for your help and patience while we figured this out. |
Know the feeling, hate to write, love it when it just works.
You're welcome, and thanks for a nice dialog |
@spirillen While we've taken these steps, the Phishing flag remains active on https://www.virustotal.com/gui/domain/s3.us-east-005.backblazeb2.com |
STD answer
Find the sun in the shadows... Alright, here’s the scoop: I’ve been getting a growing number of reports about issues we thought we had sorted out last week. It’s starting to feel like the system that’s supposed to keep you off the public lists is playing hide-and-seek again! As far as I know, the only one with access to the servers running this circus is @funilrys. And here’s the kicker—he’s becoming harder to reach than a unicorn at a petting zoo! We used to chat once or twice a week, but now it’s more like every two or three months. With only four of us in the group and me lacking an emergency key, it looks like we might be waiting a century for this to get fixed! 😬 |
@funilrys more bugs 🐛 |
What are the subjects of the false-positive (domains, URLs, or IPs)?
https://s3.us-east-005.backblazeb2.com
Why do you believe this is a false-positive?
Hello,
Our company offers computer backup and object storage/web hosting. We have found reports that the following domain[s] have been categorized as high risk and/or malicious by your service.
s3.us-east-005.backblazeb2.com
We are aware that bad actors are abusing our services. However, we are actively working on stopping their abuse and do take down reported accounts within an hour. The vast majority of accounts have legitimate use cases with legitimate websites that are affected when one or more of our domains are blocked.
Because this also affects our customers, we are reaching out to you to find out what actions we need to complete in order for the categorization to be removed or upgraded.
Thank you.
How did you discover this false-positive(s)?
VirusTotal
Where did you find this false-positive if not listed above?
I discovered this false-positive by...
Have you requested a review from other sources?
I have requested a review from...
Do you have a screenshot?
Screenshot
Additional Information or Context
I have also noticed that...