Malc0de blacklist data removed from malicious blacklist due to false positives & lack of support.

Recently I became aware of a false entry in the malc0de IP blacklist, which has been included in our IP blacklists for a while now; increasingly we have been seeing a high number of false entries from this blacklist. For example, today when attempting to download the latest OpenOffice binary installer from Sourceforge, we were blocked. The IP of the download server had been erroneously entered into malc0de's blacklist database.

As a blacklist publisher ourselves, we understand and acknowledge that false entries occur. However, when we attempted to contact malc0de to inform them of the false entries so that they could remove them, the first issue was that there is no email contact or any other contact method mentioned on their website. So we found them on Twitter and tweeted at them, informing them of the false entry. We got no response, and no changes were made to remove the entries. False entries will occur in this business, but indifference on the part of the publisher is simply unacceptable.

Here are two of the IPs found blocked today, 72.5.72.15 and 72.21.81.253, and the results of a quick search: a small list of the known websites affected.

Of course, one could easily conclude that the single IP affecting Sourceforge alone would have had a negative impact on countless thousands of legitimate Sourceforge downloads. These are significant false entries.

    https://svwh.dl.sourceforge.net/project/openofficeorg.mirror/4.1.3/binaries/en-US/Apache_OpenOffice_4.1.3_Win_x86_install_en-US.exe

    svwh.dl.sourceforge.net, 72.5.72.15
    adserver.viagogo.com, 72.21.81.253
    www.naturalnews.com, 72.21.81.253
    upgrade.bitdefender.com, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:2-01-2829-0010.cdx.cedexis.net, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:cdn.addictinggames.com, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:gpla1.wpc.v2cdn.net, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:gs1.wpc.v2cdn.net, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:shockrave.macromedia.com, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:static1.spilcdn.com, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:static2.spilcdn.com, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:static3.spilcdn.com, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:static.cdn.warpcache.net, 72.21.81.253
    /etc/squid3/scripts/removals/re-gaming/dg-gaming.data:wpc.147bd.gammacdn.net, 72.21.81.253
    /etc/squid3/scripts/removals/re-linuxos/linuxos.data:mirror.sjc02.svwh.net, 72.5.72.15

We would not have concluded that we had to remove them from our list of feeds if they had simply responded within a reasonable amount of time; since they did not, they are clearly not a reliable provider of data at this time.

In any event, I hope this has cleared things up. If we do receive communications from malc0de indicating that progress has been made, we will reconsider adding them back to the feed at that time, but until then we have removed them to ensure reliable communications and service for our members and non-members.

We believe we can conclude with a high degree of confidence that there are very likely other false entries with just as significant a negative impact, so for that reason we have removed the feed.

If you see an awkward-looking entry for
/ip firewall address-list remove [find list="sbl malc0de"]
it is simply a courtesy line we've placed in the blacklist for the next 24 hours to ensure the bad data is purged from your systems without interruption. After 24 hours have passed, we will remove the line.
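Whether or not a feed is trusted, an allowlist check before anything reaches the firewall would have caught exactly the two entries above. The script below is an added example, not the publisher's own tooling: it parses a feed, drops allowlisted IPs, diffs the result against what is already deployed, and renders the RouterOS `address-list` commands for the change. The feed text, the deployed set and the allowlist are constructed samples built from the IPs named in this post.

```python
import ipaddress

LIST_NAME = "sbl malc0de"  # address-list name used in the post

# Constructed sample: what is currently in the router's address-list
DEPLOYED = {"72.5.72.15", "72.21.81.253", "203.0.113.10"}
# Constructed sample: newly downloaded feed (one IP per line, '#' comments)
NEW_FEED = "# malc0de ip blacklist\n72.5.72.15\n72.21.81.253\n198.51.100.7\nnot-an-ip\n"
# Known-good IPs: here the two false positives named in the post
ALLOWLIST = {"72.5.72.15", "72.21.81.253"}


def parse_feed(text):
    """Return the set of syntactically valid IP addresses in a feed."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # skip junk lines instead of pushing them to the router
    return ips


def plan_update(deployed, feed_ips, allowlist):
    """Return (to_add, to_remove, suppressed) relative to the deployed list.
    Allowlisted IPs are never added and are removed if already deployed."""
    wanted = feed_ips - allowlist
    to_add = sorted(wanted - deployed)
    to_remove = sorted(deployed - wanted)
    suppressed = sorted(feed_ips & allowlist)
    return to_add, to_remove, suppressed


def routeros_commands(to_add, to_remove, list_name=LIST_NAME):
    """Render RouterOS CLI lines for the planned change (adds first)."""
    cmds = [f'/ip firewall address-list add list="{list_name}" address={ip}'
            for ip in to_add]
    cmds += [f'/ip firewall address-list remove [find list="{list_name}" address={ip}]'
             for ip in to_remove]
    return cmds


if __name__ == "__main__":
    add, rem, sup = plan_update(DEPLOYED, parse_feed(NEW_FEED), ALLOWLIST)
    print("\n".join(routeros_commands(add, rem)))
    print("# suppressed by allowlist:", ", ".join(sup))
```

Run against the sample data it emits one add for 198.51.100.7 and removals for the two allowlisted addresses plus the stale 203.0.113.10, while reporting the two suppressed entries so the feed owner can be notified.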

Apologies in advance.
