Great Western Coffee Shop

Sideshoots - associated subjects => News, Help and Assistance => Topic started by: Marlburian on November 20, 2020, 16:54:28



Title: "Suspicious top level domain"
Post by: Marlburian on November 20, 2020, 16:54:28
This morning I had an update to my free Malwarebytes antivirus and when I tried to access the Coffee Shop I got a message "Website blocked due to a suspicious top level domain" with the advice not to proceed. No wimp I, and I pushed on regardless and here I am.


Title: Re: "Suspicious top level domain"
Post by: eXPassenger on November 20, 2020, 16:57:41
This morning I had an update to my free Malwarebytes antivirus and when I tried to access the Coffee Shop I got a message "Website blocked due to a suspicious top level domain" with the advice not to proceed. No wimp I, and I pushed on regardless and here I am.

Is this because it is a standard HTTP connection and not an encrypted HTTPS connection?  User software is becoming increasingly suspicious of non HTTPS connections.


Title: Re: "Suspicious top level domain"
Post by: grahame on November 20, 2020, 17:16:56
This morning I had an update to my free Malwarebytes antivirus and when I tried to access the Coffee Shop I got a message "Website blocked due to a suspicious top level domain" with the advice not to proceed. No wimp I, and I pushed on regardless and here I am.

Is this because it is a standard HTTP connection and not an encrypted HTTPS connection?  User software is becoming increasingly suspicious of non HTTPS connections.

1. The term TOP LEVEL domain indicates the bit at the end of the URL ...  we have various top levels here or hosted on the server, including .info, .chat, .am, .uk, .net and .xyz ; recently I released .fyi, and there are probably still the odd .com and .org.   We have lost / are losing .eu, and I think the .biz I had has gone.   Marlburian - did the message tell you which top level domain it was worried about, as without that data I'm guessing ... rather like standing in Paddington, mobile network down, indicator boards not working and someone telling you that one of the IETs is the service you want for Hereford ...

2. Yes, we should move to https ... we have precious little data floating about that needs to be secured from "break ins" to the stream between the server and your browsers, but upcoming conventions suggest we add the security level. Now that we are on the new server seems a good time ... of course, confirmed certificates cost money and have to be renewed.


Title: Re: "Suspicious top level domain"
Post by: Marlburian on November 20, 2020, 18:07:40
No, all I got was "What is a suspicious top level domain (TLD)? Possible suspicious activity encompasses a variety of behaviors that are commonly attributed to technical support scams, cryptojacking, browser hijacking, and other types of harmful, risky, and potentially unwanted objects."

No problem for me, but it might deter a potential member?


Title: Re: "Suspicious top level domain"
Post by: grahame on November 20, 2020, 18:58:42
No, all I got was "What is a suspicious top level domain (TLD)? Possible suspicious activity encompasses a variety of behaviors that are commonly attributed to technical support scams, cryptojacking, browser hijacking, and other types of harmful, risky, and potentially unwanted objects."

No problem for me, but it might deter a potential member?

Yes, and that is why I am having a seriously heavy look at it and pressing you for all the evidence you have.

Looking at top level domain lists at https://www.spamhaus.org/statistics/tlds/

Their "top" ten
1. rest = 51.8% bad (score 3.75)
then .casa .tk .gq .ml .work .fit .gdn .London down to
10. cf = 31.6% bad (score 2.65)

So on .rest about a half of the sites are considered

For the domains we use ...
net = 7.4% bad (score 0.77)
info = 4.2% bad (score 0.36)
com = 3.7% bad (score 0.46)
xyz = 2.9% bad (score 0.25)
eu = 2.4% bad (score 0.16)
chat = 1.9% bad (score 0.06)
org = 1.4% bad (score 0.12)
uk = 0.6% bad (score 0.05)
am = 0.4% bad (score 0.00)

So 19 out of 20 sites at .info, and 49 out of 50 at .chat that have been looked at have come out clean.

A few of my own monitoring scripts on our server send me the occasional low level alert / warning - not because I really need them, but to re-assure me that the script is there and working.   I wonder if some antivirus and checking packages similarly rattle a little more than they should or need to just to remind their purchaser that they are there and running.


Title: Re: "Suspicious top level domain"
Post by: Red Squirrel on November 23, 2020, 13:48:51

2. Yes, we should move to https ... we have precious little data floating about that needs to be secured from "break ins" to the stream between the server and your browsers, but upcoming conventions suggest we add the security level. Now that we are on the new server seems a good time ... of course, confirmed certificates cost money and have to be renewed.


We use AutoSSL for DV certification, though this may be tied in with our cPanel/WHM subscription. I think you should be able to get free DV certification from someone like this: https://letsencrypt.org/docs/faq/


Title: Re: "Suspicious top level domain"
Post by: grahame on November 23, 2020, 15:35:41

2. Yes, we should move to https ... we have precious little data floating about that needs to be secured from "break ins" to the stream between the server and your browsers, but upcoming conventions suggest we add the security level. Now that we are on the new server seems a good time ... of course, confirmed certificates cost money and have to be renewed.


We use AutoSSL for DV certification, though this may be tied in with our cPanel/WHM subscription. I think you should be able to get free DV certification from someone like this: https://letsencrypt.org/docs/faq/

Thanks ... I will probably add a look at that and its implementation when I rattle the server to add automated blacklisting of naughty remote computers.  Early work underway at http://vcrp.uk/running.php which I'm using to help learn the patterns I need to block, and the patterns that I must not block because they're real users.


Title: Re: "Suspicious top level domain"
Post by: Red Squirrel on November 24, 2020, 10:51:30
You may find the attached image mildly amusing...


Title: Re: "Suspicious top level domain"
Post by: Marlburian on November 24, 2020, 12:15:46
I can access the home page without problem but when I click on links to individual threads is when Malwarebytes blocks. Slightly irritating that it refuses to accept my tick-in-the-box to indicate "Do not block this site again for scam" - and that "allowing a website" in settings is only available now to "Premium" users. (In 20 years, I've never felt the need to pay for extra security.)


Title: Re: "Suspicious top level domain"
Post by: grahame on November 24, 2020, 12:21:22
I can access the home page without problem but when I click on links to individual threads is when Malwarebytes blocks. Slightly irritating that it refuses to accept my tick-in-the-box to indicate "Do not block this site again for scam" - and that "allowing a website" in settings is only available now to "Premium" users. (In 20 years, I've never felt the need to pay for extra security.)

I wonder if it is something within the pages?

If you log out and visit / browse as a guest, does it still give the same message?


Title: Re: "Suspicious top level domain"
Post by: Marlburian on November 24, 2020, 17:52:18
Interesting. Just logged out, accessed the Coffee Shop as "Guest", and had no problems when clicking on the links to threads.


Title: Re: "Suspicious top level domain"
Post by: grahame on November 25, 2020, 09:37:13
Interesting. Just logged out, accessed the Coffee Shop as "Guest", and had no problems when clicking on the links to threads.

Interesting indeed ... and that's at the same top level domain.  Which gives an element of lie to the original message.

When users are logged in and moving from one page to another, the forum uses a tracking "session" which lets the software know where you are coming from as you move around.  That's in addition to the cookie which remembers your login from one visit to the next.    In "real life" terms, this is rather like remembering who you are (cookie) and knowing what's in your shopping basket (session).

There is a concern that in some circumstances that people can do nasty things with shopping baskets - add things into them to get you to pay for things. A good example might be for a 14 year old to sneak a bottle of whiskey into your basket to get you to pay for it.   As our members post in public "after the checkout", there is no need for our under age drinker to steal the whiskey back - it's put on the bar by the "accidental" purchaser for anyone to read / drink with that purchaser's name re-assuring you that it really is whiskey and not something nasty.

I speculate that your "Malwarebytes" software uses a scoring system. A score for top level domain, a score for a session, perhaps a score for cookies and so on ... and if the score total passes a certain value, it flags a dangerous site.  And it is probable that it reports only one of the factors that influenced its decision and not all that have gone into the overall ranking.    Thus ... ".info" came out fine as a single uncooked, unseasoned visit, but got pushed over the software's concern threshold by the extra session / cookie stuff.

OK - I am aware of cookies and sessions and how they can be abused.  Our cookies provide a validation "this is my cart" at each stage and so the risk of cross site scripting (another long explanation) is minimised - however, that's something done on our server and the cautions / elements we have in place are not visible to your malware software, so your malware software is saying "you may have a problem" and I am saying "we are aware of the risk, and the code avoids it".

Having written all of that, there are clever people out there with too much time on their hands who will look for holes, and I'm not going to say "we are bomb proof" - there might be a weakness.  But it's not really been a problem over the years, and should a rogue post be made (for example) it would soon be spotted, cleaned up and analysed. Our server does NOT store your phone number, credit card details, NI number, home address, date of birth, inside leg measurement, etc ... so we have minimal personal details that could be stolen even if someone were to find a security hole in the main structure.

Which is all very well ... except it does not tell us how to reassure bits of software that tell you to "be careful with this site".   I hope at least my writeup re-assures members we have taken a look at these issues, that experience thus far has not shown any problems, and we don't have your secrets to disclose anyway!
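As an added illustration of the cookie-versus-session distinction and the per-stage "this is my cart" validation described in the post above (example code written for this page, not the Coffee Shop forum's own software): a small Python model in which a long-lived signed cookie remembers who you are across visits, a server-side session holds the basket for one visit, and every state-changing request must carry a token derived from that session. The class and function names, the server secret and the user names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed server-side secret for this example; a real deployment keeps its own.
SERVER_SECRET = b"example-only-server-secret"


def _sign(data: str) -> str:
    """HMAC-SHA256 tag over data, keyed with the server secret."""
    return hmac.new(SERVER_SECRET, data.encode(), hashlib.sha256).hexdigest()


@dataclass
class Session:
    """The 'shopping basket': per-visit state that lives only on the server."""
    session_id: str
    user: str
    basket: list = field(default_factory=list)


class Forum:
    """Toy model: login cookie (who you are) vs. session (what you are doing this visit)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Issue the long-lived login cookie: the user name plus a signature over it."""
        return f"{user}.{_sign(user)}"

    def start_session(self, login_cookie: str):
        """On a new visit, verify the cookie and open a fresh server-side session.
        Returns the session id, or None if the cookie was forged or tampered with."""
        user, sep, tag = login_cookie.rpartition(".")
        if not sep or not hmac.compare_digest(_sign(user), tag):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid, user)
        return sid

    def form_token(self, sid: str) -> str:
        """The 'this is my cart' value embedded in each form the server renders."""
        return _sign("form:" + sid)

    def add_to_basket(self, sid: str, item: str, token: str):
        """A state-changing request. The browser attaches the cookie/session by itself,
        so only the token, which a third-party page cannot read, shows that the request
        came from a form this server rendered for this session."""
        session = self.sessions.get(sid)
        if session is None:
            return False, "no such session"
        if not hmac.compare_digest(self.form_token(sid), token):
            return False, "validation token mismatch"
        session.basket.append(item)
        return True, "added"


def demo() -> dict:
    """Walk through a legitimate purchase, a forged one and a tampered cookie; returns the outcomes."""
    forum = Forum()
    cookie = forum.login("marlburian")
    sid = forum.start_session(cookie)
    # Legitimate: the page the server rendered carried the right token.
    ok, _ = forum.add_to_basket(sid, "tea", forum.form_token(sid))
    # Forged: another page made the browser re-use the session but could not supply the token.
    forged, reason = forum.add_to_basket(sid, "whisky", "guess")
    # Tampered cookie: the claimed user no longer matches the signature.
    bad_sid = forum.start_session("admin." + _sign("marlburian"))
    return {
        "legit": ok,
        "forged": forged,
        "forged_reason": reason,
        "basket": list(forum.sessions[sid].basket),
        "tampered_cookie_rejected": bad_sid is None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the legitimate item landing in the basket, the forged request refused with "validation token mismatch", and the edited cookie refused outright. The point for a defender is the division of labour: the cookie only proves identity, the session only holds state, and the form token is what proves that a request which changes state originated from this site; the comparisons use `hmac.compare_digest` so timing does not leak which bytes matched.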



Title: Re: "Suspicious top level domain"
Post by: Marlburian on November 25, 2020, 12:00:08
All good this morning! Dunno if Grahame worked some magic or Malwarebytes gave up warning me.

Thanks for your explanations.


Title: Re: "Suspicious top level domain"
Post by: grahame on November 25, 2020, 13:16:22
All good this morning! Dunno if Grahame worked some magic or Malwarebytes gave up warning me.

Thanks for your explanations.


No magic worked.  It could be that your software also gets reports back from your system and understands that we're a safe site based on your experience, or it is that metrics have changed based on wider experience - perhaps a server at a "nearby" IP address had been blacklisted, but the recent problems had faded so it's no longer a worry. Not unusual for reports to be transient.


Title: Re: "Suspicious top level domain"
Post by: Marlburian on November 25, 2020, 14:43:57
Damn. I spoke too soon. The warnings have resumed!


Title: Re: "Suspicious top level domain"
Post by: Clan Line on December 18, 2020, 16:55:02
For the last couple of days I too have been getting warnings from (free) Malwarebytes. I am not getting any warnings from my full (paid for) version of Bitdefender.

I have FVD Speed Dial working with Chrome. The URL which was in the speed dial ends with "/coffeeshop/": I have edited this URL and removed the "coffeeshop" bits - just left with "firstgreatwestern.info" - that works fine with Chrome. However - if I put that shortened URL into MS Edge Malwarebytes again comes up with the warning !!!

I am reasonably happy that this is a glitch inside Malwarebytes - producing "a false positive".  I'll just leave the shortened URL in the Speed Dial.


Title: Re: "Suspicious top level domain"
Post by: Marlburian on December 19, 2020, 11:03:19
Forlornly I removed Malwarebytes and then downloaded it again but with no difference, except that I got a month's free trial of the Premium version.  It's a minor irritation that ticking the "Do not block this site again for scam" box does not work.


Title: Re: "Suspicious top level domain"
Post by: Marlburian on December 30, 2020, 15:36:41
I've just discovered that, curiously, if I left-click on a post or thread title I don't have a problem being taken straight to it, but it's when I right-click to "open link in new tab" that Malwarebytes gets unhappy.


Title: Re: "Suspicious top level domain"
Post by: Clan Line on December 30, 2020, 17:57:46
I've just discovered that, curiously, if I left-click on a post or thread title I don't have a problem being taken straight to it, but it's when I right-click to "open link in new tab" that Malwarebytes gets unhappy.

[Image: https://i.ibb.co/pK1W02k/stan-laurel-thicker-than-water.jpg]



This page is printed from the "Coffee Shop" forum at http://gwr.passenger.chat which is provided by a customer of Great Western Railway. Views expressed are those of the individual posters concerned. Visit www.gwr.com for the official Great Western Railway website. Please contact the administrators of this site if you feel that content provided contravenes our posting rules ( see http://railcustomer.info/1761 ). The forum is hosted by Well House Consultants - http://www.wellho.net