Blacklisted with subdomains that I can't find in my CF DNS or elsewhere

My website partnercapital.org is being blacklisted by various services:

The AlienVault listing above shows associated subdomain URLs that look phishy, but my host Flywheel and registrar GoDaddy do not show any subdomains on the accounts or servers associated to partnercapital.org.

Is there a way to see if these subdomains are coming through via CloudFlare? Would setting up the DNSSEC help alleviate this, or the DS record too? This previous closed thread seemed similar to what I’m dealing with but I don’t have a cPanel for my website.

This is new territory for me with blacklistings, so any help is much, much appreciated!
Laurel

1 Like

That looks bogus. First, there are 77 Clean responses. And when I look at Alienvault, they say it’s flagged by Akamai and Google. Akamai isn’t listed on your Virustotal link, but Google is…and marked Clean.

Such as?

1 Like

@sdayman thanks for the super speedy reply.

I have AlienVault on my list to contact today, bc I can’t figure out how to update the domain listing with them (given the exact thing you see, where Google Safe Browsing is coming up green and clear). The trouble is further down the page on AlienVault’s listing, under Associated Urls:

My host/Flywheel noted these as well as one additional one from their sources that point them/us to why we were blacklisted:

This is what Flywheel told me:

I checked these subdomains to see if there are any DNS records exist and none came up. Flywheel isn’t hosting the domains. Therefore, even if the server is infected, there’s no way attackers would be able to create these subdomains and cause trouble. I’d suggest checking with the domain registrar (domain hosting) of the domain partnercapital.org` if they were able to identify any malicious activity creating the subdomains between July 10th and July 20th.

I’ve since checked with GoDaddy/registrar, and they didn’t show any subdomains or malicious activity on their end. So, now I’m here, playing the role of Sherlock.

1 Like

Those hostnames don’t even resolve. AlienVault even admits as such for one of them with a NXDOMAIN higher on the page. And the two entries they list show connection errors. How on earth are they declaring malware on a hostname that doesn’t exist and they can’t connect to?

When I see 77 Clean results and 2 highly questionable warnings, I don’t consider it the least bit actionable.

Even Spamhaus, of all places, mark it as Clean. If you do a search around here, they flag collateral damage at the drop of a hat.

1 Like

Alas, that is the ultimate question that I and my vendors haven’t been able to resolve. We’ve worked through over a dozen other companies to request listing updates to the false positive on this, but given that AlienVault is a biggie with AT&T, I’m trying my darnest to get everything clean. (And I couldn’t agree more, 2 super questionable amongst 77 seems like a win!)

I am new here and new to CloudFlare…when you’re saying collateral damage, what are ou referring to?
Thanks again for the swift help!

1 Like

Specifically, if someone spams and includes a link to a website that shares your site’s IP address, your entire domain is on some people’s email blacklist because of this. And it has absolutely zilch to do with your email.

1 Like

It’s not just email blacklists though: these are website blacklists. It seems their Microsoft 365 emails were getting blocked just at the mention of “partnercapital[.]org” in their signatures or email body copy. Their IT is working through that ish thankfully as it’s not my problem beyond the URL relation.

Thanks for exploring and clearing this out for me!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.