
64.202.189.170 - GoDaddy Forwarder - http://pwfwd-v01.prod.mesa1.secureserver.net/


Jesse Fenwick


Sadly, there are also over 200 malicious domains resolving to this domain.

Sadly, GoDaddy uses this server to handle ALL forwarding for ALL their domains.

Should I take your reply to mean that you intend to continue to BLOCK ALL GODADDY SITES that use forwarding within GODADDY?

I would think that blocking one of the largest registrars in the world would cause many to have to stop using your software.

I called GoDaddy support back when you posted your reply and their answer was to stop using MalwareBytes.

Is there a war of which I am unaware?


There's no war, no. We (myself and other researchers) have tried numerous times to get GoDaddy to respond to abuse reports and/or take action against malicious domains resolving to their IP range, and thus far all attempts have failed. Calling their support line only results in their telling me to e-mail their abuse dept.

/edit

Just to be clear btw, the IP is not a forwarder, sites I've seen resolving to this IP use a frameset to load the target URL, not a redirect.


The final resolution of the malicious domains is not to THEIR forwarding IP address, though.

Their IP address/domain forwards the request to the final IP.

Can you not block the ultimate IP of the malicious domain instead of the GoDaddy forwarder? Why block 500,000 sites at a forwarding point instead of the ultimate destination IP of the few bad apples?

This is a serious issue for several banks and lending brokers with branches in 9 states. I do not want to spend Sunday looking for a replacement and then Monday morning uninstalling MalwareBytes and installing something else to protect from malicious ULTIMATE IPs. That will tie up my entire call center (which also uses MalwareBytes) (Paid).


There's no war, no. We (myself and other researchers) have tried numerous times to get GoDaddy to respond to abuse reports and/or take action against malicious domains resolving to their IP range, and thus far all attempts have failed. Calling their support line only results in their telling me to e-mail their abuse dept.

/edit

Just to be clear btw, the IP is not a forwarder, sites I've seen resolving to this IP use a frameset to load the target URL, not a redirect.

While there is the choice to maintain YOUR domain name, the address of the ULTIMATE content should be blocked, not the forwarder for hundreds of thousands of domains.

Just like when you block a FRAMESET ad on 411.com from a particular IP, you could block the FRAMESET IP content instead of everything. We get the 411.com site, just not the ad from an IP with a problem.

BTW, my domains are FORWARDED, not frameset.

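The two posts above disagree about whether the blocked IP is a "forwarder" (an HTTP redirect) or a frameset wrapper. The distinction matters for a defender deciding what to block: a redirect hands the browser to the ultimate host, while a frameset keeps the shared forwarding host in the address bar and loads the real content in a frame. The following is an added example, not code from the thread or from Malwarebytes; it classifies a captured HTTP response as redirect, frameset or direct content and extracts the ultimate host, using constructed sample responses (the hostnames are placeholders).

```python
# Added example (not from the thread): classify how a domain reaches its content.
# Given the raw HTTP response a forwarding host returned, report whether it was a
# real redirect (3xx + Location) or a frameset/iframe wrapper, and which ultimate
# host the client is actually sent to. A defender can then block that ultimate
# host rather than the shared forwarding IP. Sample responses below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FrameSrcParser(HTMLParser):
    """Collect src attributes of <frame> and <iframe> tags."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def classify_response(raw):
    """Return (kind, ultimate_host) for a raw HTTP/1.x response string.
    kind is 'redirect', 'frameset', or 'direct' (content served in place)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400 and "location" in headers:
        return "redirect", urlparse(headers["location"]).hostname
    parser = _FrameSrcParser()
    parser.feed(body)
    if parser.sources:
        # First frame/iframe is where the wrapper sends the browser for content.
        return "frameset", urlparse(parser.sources[0]).hostname
    return "direct", None


# Constructed samples (placeholder hostnames, not real captures)
REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\nLocation: http://master.example.com/\r\n"
            "Content-Length: 0\r\n\r\n")
FRAMESET = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<html><frameset rows='100%'><frame src='http://content.example.net/loan/'>"
            "</frameset></html>")
DIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>"

if __name__ == "__main__":
    for name, raw in (("redirect", REDIRECT), ("frameset", FRAMESET), ("direct", DIRECT)):
        print(name, classify_response(raw))
```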

I do understand the frustration, and can assure you, the decision to block this IP was not taken lightly. However, whilst the IP itself may not be the actual "host" of the target content (in most cases, we do also block the target as well), it is a middle man, and as such, is subject to the same standards we hold every other hosting company to. If they want to allow the malicious behaviour to go through their network, then we'll simply block it.

I'm a little curious, however, as to why any professional company would be using forwarders or frameset loads to begin with, rather than simply pointing the hostname's A record directly to the location it's hosted at?


Now I have lots of MalwareBytes to uninstall and developer forums to post in with warnings. Seems to be the only solution.

Why would you need to uninstall Malwarebytes' when you can simply roll out a reg fix through a script (assuming you're a sysadmin) as documented in this post to avoid the problem by disabling the IP Protection component?


I do understand the frustration, and can assure you, the decision to block this IP was not taken lightly. However, whilst the IP itself may not be the actual "host" of the target content (in most cases, we do also block the target as well), it is a middle man, and as such, is subject to the same standards we hold every other hosting company to. If they want to allow the malicious behaviour to go through their network, then we'll simply block it.

I'm a little curious, however, as to why any professional company would be using forwarders or frameset loads to begin with, rather than simply pointing the hostname's A record directly to the location it's hosted at?

The master domain name has an A record. All other domain names, by product, loan company and bank, use forwarding or frameset. I then only have to change one A record to make a change to site. Private sites for bank/loan company employees use forwarding and they see the ultimate master domain name. Public sites for customers of those companies use frameset so only bank/loan company specific domain name is seen.

Modifying 219 (currently) domain names would be a pain anytime I change servers or move something.

And again, you block specific content on 411.com and still allow the site. The site comes up minus the offending ad.


Using your 'hold hosting company to the same standard' logic, you should also block most search engines, social sites, and many others that host display ADS.

It is often the AD content that is the offending party. Yet, for some, you block only the ultimate IP and allow the site.

Sorry to take your time. Replacement found.

Much posting to do.

Goodbye MalwareBytes.


Using your 'hold hosting company to the same standard' logic, you should also block most search engines, social sites, and many others that host display ADS.

It is often the AD content that is the offending party. Yet, for some, you block only the ultimate IP and allow the site.

The difference is, when a malicious ad gets reported to the search engines, they generally remove it; these sites have been reported to the hosting companies many times and they don't respond.


Using your 'hold hosting company to the same standard' logic, you should also block most search engines, social sites, and many others that host display ADS.

It is often the AD content that is the offending party. Yet, for some, you block only the ultimate IP and allow the site.

I just want to add my 2 cents. I attempted to visit http://www.aroid.org/horticulture/zonemap/index.html. This site has to be as innocuous as a newborn baby, yet MBAM blocked it, identifying 68.180.151.74. WHOIS identified 68.180.151.74 as Yahoo. I note also that the page does not load.

How do I get around this? I don't want to infect my computer, but by the same token MBAM is blocking sites that I need to visit. If MBAM produces the balloon, is it expressly disallowing the site to load? What is the worst that can happen if I suspend MBAM and load a URL that I am certain is safe but MBAM identifies as a malicious server?

I hope you address this.


I just want to add my 2 cents. I attempted to visit http://www.aroid.org/horticulture/zonemap/index.html. This site has to be as innocuous as a newborn baby, yet MBAM blocked it, identifying 68.180.151.74. WHOIS identified 68.180.151.74 as Yahoo. I note also that the page does not load.

How do I get around this? I don't want to infect my computer, but by the same token MBAM is blocking sites that I need to visit. If MBAM produces the balloon, is it expressly disallowing the site to load? What is the worst that can happen if I suspend MBAM and load a URL that I am certain is safe but MBAM identifies as a malicious server?

I hope you address this.

If you suspend the IP Blocking component of MBAM, you will then be able to load malicious sites... as well as the site you need.

Or even sites like Facebook and 411.com that offer banner and display ads that are sometimes placed by users with malicious intent will then load WITH the malicious ad content!

However, for Facebook, 411, et al, MBAM has chosen only to block the ultimate IP of the malicious ads, NOT the entire SITE. This is the primary value for me and many others of the IP blocking feature and the reason we have REQUIRED it of users of our systems that we support.
