"It's a trap! Reported phishing or malware site" : who?

Internet access discussion, including Fusion, IP Broadband, and Gigabit Fiber!
71 posts Page 6 of 8
by digitalbitstream » Wed Oct 22, 2014 3:15 pm
Dane;
The new message is an improvement, but a very modest one. Imagine your bank sent this message:
"This is an important message from Your Bank".

It would have no credibility: many, many people would assume it's fake. Similarly with the mousetrap message. It really needs to identify the ISP involved, and include contact information. Else it just looks and feels like something scummy.
[Attachment: Its_a_trap_malware.png - New message sonic.net]
[Attachment: Its_a_trap_malware_old.png - Old version of trap message]
by jrodman » Mon Dec 01, 2014 8:00 pm
dane wrote:
bear wrote: I have been a Sonic.net customer for twenty years. But this is a complete betrayal of trust. This is not filtering, this is censorship. You guys never asked my permission or got my consent to do this. You never even admitted to me that you were doing it until I ****ing tracked the attack down MYSELF, and called you on it! And now with your crippled "opt-out" offer you're making DNSSEC unavailable to me unless I allow random internet trolls and scammers to censor the sites I'm allowed to read by reporting them as malware sites?

What the hell, dudes? Who are you and what have you done to the honorable people I used to deal with?
Hi there Bear, I am sorry we've left you feeling this way.

We work hard every day to deliver a reliable service and to protect our customers from a broad array of threats. We block millions of emails every day in our SpamAssassin service. We reject thousands of telemarketing spam calls to Fusion customers. And the firewalls deployed in every Sonic customer router and at our edge block tens of millions of direct attacks on our customer IPs every day. Finally, we DNS block phishing destinations and virus distribution sources, which present a threat to our customers, their privacy, their banking and other login credentials.

This DNS blocking is similar and complementary to the blocking done today by most browsers, including both Chrome and Internet Explorer.

But based upon the feedback here, we have now made changes to the "It's a trap!" page to make clearer WHO is doing the blocking. This is somewhat challenging because the Sonic infrastructure is utilized by about seventy ISPs, each of whom must support their customers, but we have now updated the page to make clear that the blocking is done for and by the ISP, and that the end-user can contact the ISP for opt-out information.

Additionally, based upon the input that the opt-out servers are inferior because they do not include DNSSEC, we will be enabling DNSSEC on that array early next week. Note that this may result in some challenges when a remote site makes a configuration error, which is why those servers didn't include DNSSEC, but we'll have to work around those issues as they occur concurrently on both platforms.

Finally, I'd like to acknowledge that the commercial blacklist service that we use for DNS filtering is not perfect. Like our anti-spam efforts, sometimes a target is wrongly listed and blocked. It happens to email (which ends up in Graymail), and to websites (which end up at the "It's a trap" page). In both cases members can act to engage manual intervention and whitelisting. But, we will be looking at statistics for reported bad listings over the past few months to more closely analyse the scope of that issue and the quality of the blacklist, and we'll have more data to report on that next week.

I hope these changes and my response assist in your understanding of the position we are in: It is an arms race between spammers and those who seek to abuse and compromise our customers, and we work hard to deliver the best protection that we can to all of our customers.
Sorry, this response, while a step in the right direction, is not acknowledging what you are actually doing.

Your blocking service is clearly not actually blocking purely on DNS traffic, but on other traffic as well, as I already discussed in my post above. Therefore, you are feeding traffic with which you have a privileged relationship to a third party service without consent. Given that I spent many hours analyzing the behavior, I'm not going to believe "we weren't doing that". You really need to step up, admit your errors, and promise to never do something like this again.
by dane » Tue Dec 02, 2014 7:55 pm
@jrodman,

No, this is DNS resolution only. You can opt out by using the "no phishing protection" DNS servers which we provide if you prefer not to have this level of protection. The how-to is here: https://wiki.sonic.net/wiki/DNS_Opt-Out

You are also welcome to use any DNS servers you like with our service - we provide the connection, but how you resolve domain names to IPs is up to you! For example, some folks choose to use Google DNS, or OpenDNS. There are tons of free options to choose from.
Dane Jasper
Sonic
by cdkeen » Wed Dec 03, 2014 8:45 am
dane wrote: You can opt out by using the "no phishing protection" DNS servers which we provide...
Now with DNSSEC!
cdkeen - Sonic.net System Operations
by bear » Wed Dec 03, 2014 10:29 am
Thank you. That makes your opt-out offer a lot more meaningful.

At this point I think I'm reasonably satisfied. Three tests.

First, the in-channel notification says who's diverting it, so customers know how (or at least where) to fix it if it's being used in an attack. So people in the future won't waste six hours (and lose a lot of money) tracking down the MITM like I did.

Second, there is now a viable opt-out with full services, which can be located once a customer knows what the hell they need to look for. It's not as good as a click-through that can be used immediately, but at least it exists.

Third: Prior notice and permission are still sort of absent... but with in-channel notification that says WHERE it's happening, and a meaningful opt-out that someone can find when they search there, that can be lived with. I would very much like to have known about this potential for being blocked from access long before a site I needed to use IMMEDIATELY came under attack by a false phishing report.
by mball » Sat Dec 06, 2014 12:09 am
I will add my objection after a late night debugging what turned out to be this problem. Breaking the internet in a way a politician would dream up. Like the UK trying to protect the world from porn.

"The Internet" != "The Web"

As a previous post illustrated with ssh, hijacking DNS breaks everything.

Even if a connection is to port 80, that does not mean the expected response is HTML.

Even if a connection is to port 80, that does not mean that what made it is a web browser.

As a previous post illustrated with "Your Bank", the "It's a Trap!!!" page reads exactly like the thing it's warning about. It needs to specify who, what, why, and how.

shell.sonic.net uses the filtered nameservers. Seems like there were some environment variables that could influence the resolver, but nothing I've found so far allows overriding what's in /etc/resolv.conf.
by digitalbitstream » Tue Dec 09, 2014 11:32 pm
dane wrote: No, this is DNS resolution only. You can opt out by using the "no phishing protection" DNS servers which we provide if you prefer not to have this level of protection. The how-to is here: https://wiki.sonic.net/wiki/DNS_Opt-Out
Meh. A true opt-out would be a nice shiny button in the customer portal.
by seanl » Thu Dec 25, 2014 10:04 pm
End of the year and your blocking message STILL gives no indication of who is doing the blocking ("contact your ISP,"), nor a link to any other pages about it. And right now you're blocking washingtonpost.com, with no way to bypass it other than to go manually enter new DNS into my router.
by John Nagle » Fri Dec 26, 2014 12:39 am
Yes, today you are blocking "washingtonpost.com". It looks like your phishing-detection service has been hacked.
by fmc » Fri Dec 26, 2014 1:19 am
Or, rather than "hacked", it could be that the Post sold webby ad space to something that tastes like malware. It's hard to tell, since the mousetrap page doesn't show the tastes-like-malware bits in text/defanged/safe form or provide a link to another page that does. Yeah, I think this may be a hard problem. It used to be considered solvable for spam delivered by e-mail.