Great Western Passengers' Forum [home] and [about]
Author Topic: "Suspicious top level domain"  (Read 430 times)
Marlburian
« on: November 20, 2020, 04:54:28 pm »

This morning I had an update to my free Malwarebytes antivirus and when I tried to access the Coffee Shop I got a message "Website blocked due to a suspicious top level domain" with the advice not to proceed. No wimp I, and I pushed on regardless and here I am.
eXPassenger
« Reply #1 on: November 20, 2020, 04:57:41 pm »

> This morning I had an update to my free Malwarebytes antivirus and when I tried to access the Coffee Shop I got a message "Website blocked due to a suspicious top level domain" with the advice not to proceed. No wimp I, and I pushed on regardless and here I am.

Is this because it is a standard HTTP connection and not an encrypted HTTPS connection?  User software is becoming increasingly suspicious of non HTTPS connections.
grahame
« Reply #2 on: November 20, 2020, 05:16:56 pm »

> This morning I had an update to my free Malwarebytes antivirus and when I tried to access the Coffee Shop I got a message "Website blocked due to a suspicious top level domain" with the advice not to proceed. No wimp I, and I pushed on regardless and here I am.

> Is this because it is a standard HTTP connection and not an encrypted HTTPS connection? User software is becoming increasingly suspicious of non HTTPS connections.

1. The term TOP LEVEL domain indicates the bit at the end of the URL ... we have various top levels here or hosted on the server, including .info, .chat, .am, .uk, .net and .xyz ; recently I released .fyi, and there are probably still the odd .com and .org. We have lost / are losing .eu, and I think the .biz I had has gone. Marlburian - did the message tell you which top level domain it was worried about as without that data I'm guessing ... rather like standing in Paddington, mobile network down, indicator boards not working and someone telling you that one of the IETs is the service you want for Hereford ...

2. Yes, we should move to https ... we have precious little data floating about that needs to be secured from "break ins" to the stream between the server and your browsers, but upcoming convention suggests we add the security level. Now that we are on the new server seems a good time ... of course, confirmed certificates cost money and have to be renewed.
Coffee Shop Admin, Vice Chair of Melksham Rail User Group, and on the board of TravelWatch SouthWest.
Marlburian
« Reply #3 on: November 20, 2020, 06:07:40 pm »

No, all I got was "What is a suspicious top level domain (TLD)? Possible suspicious activity encompasses a variety of behaviors that are commonly attributed to technical support scams, cryptojacking, browser hijacking, and other types of harmful, risky, and potentially unwanted objects."

No problem for me, but it might deter a potential member?
grahame
« Reply #4 on: November 20, 2020, 06:58:42 pm »

> No, all I got was "What is a suspicious top level domain (TLD)? Possible suspicious activity encompasses a variety of behaviors that are commonly attributed to technical support scams, cryptojacking, browser hijacking, and other types of harmful, risky, and potentially unwanted objects."
>
> No problem for me, but it might deter a potential member?

Yes, and that is why I am having a seriously heavy look at it and pressing you for all the evidence you have.

Looking at top level domain lists at https://www.spamhaus.org/statistics/tlds/

Their "top" ten
1. rest = 51.8% bad (score 3.75)
then .casa .tk .gq .ml .work .fit .gdn .London down to
10. cf = 31.6% bad (score 2.65)

So on .rest about half of the sites are considered

For the domains we use ...
net = 7.4% bad (score 0.77)
info = 4.2% bad (score 0.36)
com = 3.7% bad (score 0.46)
xyz = 2.9% bad (score 0.25)
eu = 2.4% bad (score 0.16)
chat = 1.9% bad (score 0.06)
org = 1.4% bad (score 0.12)
uk = 0.6% bad (score 0.05)
am = 0.4% bad (score 0.00)

So 19 out of 20 sites at .info, and 49 out of 50 at .chat that have been looked at have come out clean.

A few of my own monitoring scripts on our server send me the occasional low level alert / warning - not because I really need them, but to re-assure me that the script is there and working.   I wonder if some antivirus and checking packages similarly rattle a little more than they should or need to just to remind their purchaser that they are there and running.
« Last Edit: November 20, 2020, 07:33:31 pm by grahame »

Red Squirrel
« Reply #5 on: November 23, 2020, 01:48:51 pm »


> 2. Yes, we should move to https ... we have precious little data floating about that needs to be secured from "break ins" to the stream between the server and your browsers, but upcoming convention suggests we add the security level. Now that we are on the new server seems a good time ... of course, confirmed certificates cost money and have to be renewed.

We use AutoSSL for DV certification, though this may be tied in with our cPanel/WHM subscription. I think you should be able to get free DV certification from someone like this: https://letsencrypt.org/docs/faq/
grahame
« Reply #6 on: November 23, 2020, 03:35:41 pm »


> 2. Yes, we should move to https ... we have precious little data floating about that needs to be secured from "break ins" to the stream between the server and your browsers, but upcoming convention suggests we add the security level. Now that we are on the new server seems a good time ... of course, confirmed certificates cost money and have to be renewed.

> We use AutoSSL for DV certification, though this may be tied in with our cPanel/WHM subscription. I think you should be able to get free DV certification from someone like this: https://letsencrypt.org/docs/faq/

Thanks ... I will probably add a look at that and its implementation when I rattle the server to add automated blacklisting of naughty remote computers. Early work underway at http://vcrp.uk/running.php which I'm using to help learn the patterns I need to block, and patterns that I must not block because they're real users.
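The automated blacklisting grahame mentions, learning which request patterns to block and which belong to real users, can be sketched as a scoring pass over the server's access log. The following is an added example in Python; it is not the forum's code and has nothing to do with what runs at vcrp.uk. The log lines are constructed, and every IP address, path, user agent and threshold in it is an assumption. What it is meant to show is the defensive side of such a detector: a minimum request count before any client is scored at all, an allowlist for the admin's own monitoring host, and a weak signal (a non-browser user agent) that can never reach the block threshold on its own.

```python
"""Score clients from web server access logs to find candidates for an
automated block list, with guards so that real readers are never caught.

Added illustration, not the forum's code.  Log lines are constructed and
every IP, path, user agent and threshold below is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumed to be what the server writes).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Policy values: all assumptions for this example.
WINDOW = timedelta(seconds=60)
RATE_LIMIT = 30        # more requests than this inside one window scores
MIN_REQUESTS = 10      # below this a client is never scored at all
NOT_FOUND_RATIO = 0.5  # this share of 404 responses (or more) scores
BLOCK_THRESHOLD = 2
ALLOWLIST = {"203.0.113.9"}        # constructed: the admin's own monitoring host
GOOD_AGENTS = ("forum-monitor/",)  # constructed: the admin's own check script


def _line(ip, t, path, status, ua):
    """Format one constructed combined-format log line."""
    ts = t.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def build_sample_log():
    """Constructed log: a human reader, a thread scraper, a path prober, the monitor."""
    t0 = datetime(2020, 11, 23, 15, 0, 0)
    lines = []
    for i in range(6):    # human: six thread pages at a reading pace
        lines.append(_line("198.51.100.20", t0 + timedelta(seconds=40 * i),
                           f"/index.php?topic={100 + i}.0", 200, "Mozilla/5.0"))
    for i in range(80):   # scraper: eighty distinct threads in four seconds
        lines.append(_line("192.0.2.77", t0 + timedelta(milliseconds=50 * i),
                           f"/index.php?topic={i}.0", 200, "python-requests/2.25"))
    for i in range(12):   # prober: pages that do not exist, at a modest rate
        lines.append(_line("192.0.2.88", t0 + timedelta(seconds=5 * i),
                           f"/old/page{i}.php", 404, "Mozilla/5.0"))
    for i in range(40):   # monitor: frequent, but it is the admin's own script
        lines.append(_line("203.0.113.9", t0 + timedelta(seconds=i),
                           "/running.php", 200, "forum-monitor/1.0"))
    return lines


def parse(lines):
    """Group parsed events by client IP; malformed lines are skipped, not fatal."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_ip[m["ip"]].append((ts, m["path"], int(m["status"]), m["ua"]))
    return by_ip


def max_in_window(times, window=WINDOW):
    """Largest number of events inside any single window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_client(events):
    """Return (score, reasons).  The weak signal alone never reaches the threshold."""
    if len(events) < MIN_REQUESTS:
        return 0, ["too few requests to judge"]
    if all(ua.startswith(GOOD_AGENTS) for _, _, _, ua in events):
        return 0, ["known-good agent"]
    score, reasons = 0, []
    burst = max_in_window([ts for ts, _, _, _ in events])
    if burst > RATE_LIMIT:
        score += 2
        reasons.append(f"{burst} requests inside {WINDOW.seconds}s")
    not_found = sum(1 for _, _, status, _ in events if status == 404) / len(events)
    if not_found >= NOT_FOUND_RATIO:
        score += 2
        reasons.append(f"{not_found:.0%} of requests were 404s")
    if not any("Mozilla" in ua for _, _, _, ua in events):
        score += 1   # weak: feed readers and scripts are often legitimate
        reasons.append("non-browser user agent")
    return score, reasons


def analyse(lines):
    """Per-IP report; allowlisted hosts are reported but never marked for blocking."""
    report = {}
    for ip, events in parse(lines).items():
        score, reasons = score_client(events)
        report[ip] = {"requests": len(events), "score": score, "reasons": reasons,
                      "block": score >= BLOCK_THRESHOLD and ip not in ALLOWLIST}
    return report


def block_candidates(lines):
    """IPs that crossed the threshold and are not allowlisted, sorted for stable output."""
    return sorted(ip for ip, r in analyse(lines).items() if r["block"])
```

Running `block_candidates(build_sample_log())` names the scraper and the prober but neither the six-page human reader (too few requests to be scored) nor the monitor (allowlisted and a known-good agent). A real deployment would feed the candidates to a firewall or fail2ban-style tool and review the reasons before any block becomes permanent; the point of the example is that the false-positive guards are part of the detector, not an afterthought.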
Red Squirrel
« Reply #7 on: November 24, 2020, 10:51:30 am »

You may find the attached image mildly amusing...
Marlburian
« Reply #8 on: November 24, 2020, 12:15:46 pm »

I can access the home page without problem but when I click on links to individual threads is when Malwarebytes blocks. Slightly irritating that it refuses to accept my tick-in-the-box to indicate "Do not block this site again for scam" - and that "allowing a website" in settings is only available now to "Premium" users. (In 20 years, I've never felt the need to pay for extra security.)
grahame
« Reply #9 on: November 24, 2020, 12:21:22 pm »

> I can access the home page without problem but when I click on links to individual threads is when Malwarebytes blocks. Slightly irritating that it refuses to accept my tick-in-the-box to indicate "Do not block this site again for scam" - and that "allowing a website" in settings is only available now to "Premium" users. (In 20 years, I've never felt the need to pay for extra security.)

I wonder if it is something within the pages?

If you log out and visit / browse as a guest, does it still give the same message?
Marlburian
« Reply #10 on: November 24, 2020, 05:52:18 pm »

Interesting. Just logged out, accessed the Coffee Shop as "Guest", and had no problems when clicking on the lines to threads.
grahame
« Reply #11 on: November 25, 2020, 09:37:13 am »

> Interesting. Just logged out, accessed the Coffee Shop as "Guest", and had no problems when clicking on the lines to threads.

Interesting indeed ... and that's at the same top level domain.  Which gives an element of lie to the original message.

When users are logged in and moving from one page to another, the forum uses a tracking "session" which lets the software know where you are coming from as you move around. That's in addition to the cookie which remembers your login from one visit to the next. In "real life" terms, this is rather like remembering who you are (cookie) and knowing what's in your shopping basket (session).

There is a concern that in some circumstances people can do nasty things with shopping baskets - add things into them to get you to pay for things. A good example might be for a 14 year old to sneak a bottle of whiskey into your basket to get you to pay for it. As our members post in public "after the checkout", there is no need for our under age drinker to steal the whiskey back - it's put on the bar by the "accidental" purchaser for anyone to read / drink with that purchaser's name re-assuring you that it really is whiskey and not something nasty.

I speculate that your "Malwarebytes" software uses a scoring system. A score for top level domain, a score for a session, perhaps a score for cookies and so on ... and if the score total passes a certain value, it flags a dangerous site. And it is probable that it reports only one of the factors that influenced its decision and not all that have gone to the overall ranking. Thus ... ".info" came out fine as a single uncooked, unseasoned visit, but got pushed over the software's concern threshold by the extra session / cookie stuff.

OK - I am aware of cookies and sessions and how they can be abused.  Our cookies provide a validation "this is my cart" at each stage and so the risk of cross site scripting (another long explanation) is minimised - however, that's something done on our server and the cautions / elements we have in place are not visible to your malware software  so your malware software is saying "you may have a problem" and I am saying "we are aware of the risk, and the code avoids it".

Having written all of that, there are clever people out there with too much time on their hands who will look for holes, and I'm not going to say "we are bomb proof" - there might be a weakness. But it's not really been a problem over the years, and should a rogue post be made (for example) it would soon be spotted, cleaned up and analysed. Our server does NOT store your phone number, credit card details, NI number, home address, date of birth, inside leg measurement, etc ... so we have minimal personal details that could be stolen even if someone were to find a security hole in the main structure.

Which is all very well ... except it does not tell us how to reassure bits of software that tell you to "be careful with this site".   I hope at least my writeup re-assures members we have taken a look at these issues, that experience thus far has not shown any problems, and we don't have your secrets to disclose anyway!

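What grahame describes as a validation at each stage that "this is my cart" is the standard defence against a third party's page making a logged-in browser submit a form on its owner's behalf (cross-site request forgery): a secret tied to the session stamps each form the server renders, and the server checks the stamp against the session the cookie names before acting on the submission. The following is an added illustration of that check in Python; it is not the forum's SMF/PHP code and says nothing about how the forum's own checks are written, and the class, method names and sample post text are assumptions. It also shows why a client-side product that only sees the page cannot tell whether such a check exists: the per-session secret never leaves the server.

```python
"""A per-session secret stamps every form the server renders; a submission is
accepted only when the stamp matches the session that the cookie identifies.

Added illustration, not the forum's code (the forum runs SMF on PHP).  The
class, its method names and the sample post text are assumptions.
"""
import hashlib
import hmac
import secrets


class Forum:
    def __init__(self):
        self._sessions = {}   # cookie value -> {"user": ..., "secret": ...}
        self.posts = []       # (user, body) pairs that passed the check

    def login(self, username):
        """Issue the login cookie; the per-session secret stays on the server."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "secret": secrets.token_bytes(32)}
        return sid

    def form_token(self, sid, action):
        """Stamp a form: the token is bound to this session and this action."""
        sess = self._sessions.get(sid)
        if sess is None:
            raise PermissionError("no such session")
        return hmac.new(sess["secret"], action.encode(), hashlib.sha256).hexdigest()

    def submit_post(self, cookie_sid, token, body):
        """Accept a post only if the stamp was issued to the session the cookie names."""
        sess = self._sessions.get(cookie_sid)
        if sess is None:
            return "rejected: not logged in"
        expected = self.form_token(cookie_sid, "post")
        # Constant-time comparison; a missing or borrowed stamp fails the same way.
        if not (isinstance(token, str) and hmac.compare_digest(token, expected)):
            return "rejected: form did not come from this session"
        self.posts.append((sess["user"], body))
        return "accepted"

    def logout(self, sid):
        """Ending the session invalidates every stamp issued under it."""
        self._sessions.pop(sid, None)


def demo():
    """Walk through the legitimate flow and three forged ones; returns the outcomes."""
    forum = Forum()
    sid = forum.login("reader")
    # 1. The browser loads the posting form (receives a stamp) and submits with it.
    ok = forum.submit_post(sid, forum.form_token(sid, "post"), "Great trip to Bath today.")
    # 2. A page elsewhere can make the browser send the cookie but cannot read the
    #    stamp, so the "whiskey in the basket" submission arrives without one.
    forged = forum.submit_post(sid, "", "item slipped into the basket")
    # 3. A stamp issued for a different action does not transfer to posting.
    wrong_action = forum.submit_post(sid, forum.form_token(sid, "logout"), "still forged")
    # 4. After logout the cookie names no session, so a once-valid stamp is dead too.
    stale = forum.form_token(sid, "post")
    forum.logout(sid)
    after_logout = forum.submit_post(sid, stale, "too late")
    return {"ok": ok, "forged": forged, "wrong_action": wrong_action,
            "after_logout": after_logout, "posts": list(forum.posts)}
```

Calling `demo()` accepts exactly one post, the legitimate one. The design choice worth noting is that the stamp is derived from a server-side secret rather than stored in the cookie: anything that rides along automatically with the browser (the cookie) is exactly what a forged request also carries, so the value the server checks must be one that only a page served to this session could have been given.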
Marlburian
« Reply #12 on: November 25, 2020, 12:00:08 pm »

All good this morning! Dunno if Grahame worked some magic or Malwarebytes gave up warning me.

Thanks for your explanations.
grahame
« Reply #13 on: November 25, 2020, 01:16:22 pm »

> All good this morning! Dunno if Grahame worked some magic or Malwarebytes gave up warning me.
>
> Thanks for your explanations.

No magic worked. It could be that your software also gets reports back from your system and understands that we're a safe site based on your experience, or it is that metrics have changed based on wider experience - perhaps a server at a "nearby" IP address had been blacklisted, but the recent problems had faded so it's no longer a worry. Not unusual for reports to be transient.
Marlburian
« Reply #14 on: November 25, 2020, 02:43:57 pm »

Damn. I spoke too soon. The warnings have resumed!
Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC
This forum is provided by a customer of Great Western Railway (formerly First Great Western), and the views expressed are those of the individual posters concerned. Visit www.gwr.com for the official Great Western Railway website. Please contact the administrators of this site if you feel that the content provided by one of our posters contravenes our posting rules (email link). Forum hosted by Well House Consultants
