False Positive | files.umso.co #1241

Open
fourlexifive opened this issue Mar 12, 2025 · 3 comments

@fourlexifive

What are the subjects of the false-positive (domains, URLs, or IPs)?

Why do you believe this is a false-positive?

tl;dr: files.umso.co is a shared CDN domain of the website builder umso.com onto which malicious actors previously uploaded HTML files.

  • We have a CDN URL, “files.umso.co”, which is used to host files by customers of our service.
  • We used to allow HTML uploads on that domain, which caused some malicious files to be uploaded.
  • This has led to the domain being flagged, which harms hundreds of our customers who are simply using it to host image files.
  • We’ve taken the following steps to prevent future misuse:
    • We no longer allow HTML file uploads to that domain.
    • We have reviewed all HTML files and removed problematic content.
    • We will soon stop supporting HTML files altogether on that domain once we’ve helped legitimate users migrate their content.

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

Customer reports

Have you requested a review from other sources?

No response

Do you have a screenshot?

Screenshot

Additional Information or Context

I have also noticed that...

@phishing-database-bot
Member

Verification Required

@fourlexifive, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

  1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:

    • Record Name: _phishingdb
    • Record Value: antiphish-4011cd49a58e932f9efa38e731c59a3c5b7d7731

    Your Verification ID: antiphish-4011cd49a58e932f9efa38e731c59a3c5b7d7731

  2. Wait for DNS propagation (this may take a few minutes to a few hours).

  3. Reply to this issue once the TXT record has been set.

Important Notes

  • Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
  • If the record cannot be set or you need alternative methods of verification, please contact us at [email protected] - preferably from the domain's official email address.

How to Check the TXT Record?

You can verify that the TXT record is properly set using:

Thank you for your cooperation! We will address your issue as soon as possible after verification.

The Phishing.Database Project Team.
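The ownership check the bot describes above, written out as an added example (this is not the project's own ptcheck tool and not code from anyone in this thread): look up the TXT record at `_phishingdb.<domain>` and compare it byte-for-byte with the verification ID. The record name and the ID are taken from the bot's comment; the `antiphish-` plus 40-hex-character shape of the ID is an assumption inferred from the one ID shown, and `dig` from the BIND utilities is assumed to be on PATH for live lookups. Parsing and matching are kept separate from the network call, so the tricky part (dig prints TXT values as quoted strings and splits values over 255 bytes into several strings) can be exercised on captured output without DNS access.

```python
"""Verify a Phishing.Database ownership TXT record.

Added example, not the project's ptcheck tool. Assumes `dig` is available
for live lookups; parsing and matching run offline on captured output.
"""
import re
import subprocess
from typing import List, Optional

RECORD_NAME = "_phishingdb"
# Shape inferred from the one ID in this thread ("antiphish-" + 40 hex chars);
# an assumption, not a documented format.
TOKEN_RE = re.compile(r"^antiphish-[0-9a-f]{40}$")


def parse_dig_txt(output: str) -> List[str]:
    """Turn `dig +short TXT` output into one Python string per TXT record.

    dig prints each record as one or more double-quoted character strings
    separated by spaces. A value longer than 255 bytes is split into several
    strings, so the pieces on a line are concatenated back together, and
    escaped quotes inside a string are unescaped.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if pieces:
            records.append("".join(p.replace('\\"', '"') for p in pieces))
        else:
            records.append(line)  # unquoted output from non-BIND tools
    return records


def is_verification_id(token: str) -> bool:
    """Sanity-check the expected value before comparing against DNS."""
    return bool(TOKEN_RE.fullmatch(token))


def txt_record_matches(records: List[str], expected: str) -> bool:
    """True if any TXT record equals the expected verification ID exactly."""
    if not is_verification_id(expected):
        raise ValueError(f"not a verification ID: {expected!r}")
    return any(r.strip() == expected for r in records)


def lookup_txt(domain: str, resolver: Optional[str] = None) -> List[str]:
    """Live lookup of _phishingdb.<domain> via dig (network required)."""
    name = f"{RECORD_NAME}.{domain.rstrip('.')}."
    cmd = ["dig", "+short", "TXT", name]
    if resolver:  # e.g. query the zone's authoritative server directly
        cmd.insert(1, f"@{resolver}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)


def verify_domain(domain: str, expected: str, resolver: Optional[str] = None) -> bool:
    """Full check: resolve the record and compare it with the expected ID."""
    return txt_record_matches(lookup_txt(domain, resolver), expected)


# Constructed sample of `dig +short TXT _phishingdb.example.com` output, not a
# real capture: the ID from this thread next to an unrelated record, plus a
# split-string variant of the same ID on the third line.
SAMPLE_DIG_OUTPUT = (
    '"antiphish-4011cd49a58e932f9efa38e731c59a3c5b7d7731"\n'
    '"v=spf1 -all"\n'
    '"antiphish-4011cd49a58e932f9e" "fa38e731c59a3c5b7d7731"\n'
)
THREAD_ID = "antiphish-4011cd49a58e932f9efa38e731c59a3c5b7d7731"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python verify_txt.py <domain> <verification-id>
        ok = verify_domain(sys.argv[1], sys.argv[2])
        print("The test value matches the DNS TXT record." if ok
              else "No matching TXT record found.")
        sys.exit(0 if ok else 1)
    # Offline demonstration on the constructed sample.
    print(txt_record_matches(parse_dig_txt(SAMPLE_DIG_OUTPUT), THREAD_ID))
```

Because the domain is a parameter, the same script can be pointed at the apex (`umso.co`) and at the subdomain named in the report (`files.umso.co`); the record must be placed at `_phishingdb.` under whichever name is being verified. Passing the zone's authoritative nameserver as `resolver` sidesteps stale caches while waiting for propagation.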

@fourlexifive
Author

done!

@spirillen
Contributor

DNS Check

ptcheck umso.co antiphish-4011cd49a58e932f9efa38e731c59a3c5b7d7731
The test value matches the DNS TXT record.

Thanks for using my tools.
Please consider a sponsorship at https://www.mypdns.org/donate

Known phishing records

What can you tell me about these records, known to us from the PD project?

Subject                                                                                              Status      Source     Expiration Date   HTTP Code  Checker       Tested At          
---------------------------------------------------------------------------------------------------- ----------- ---------- ----------------- ---------- ------------- -------------------
https://metaverificationcenter.umso.co                                                               INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  18. Mar 2025 01:10:57
https://files.umso.co/lib_HvoHRDYMulemPnfM/fu4y48q7sz16nbrv.html                                     INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  18. Mar 2025 01:10:57
http://lib.umso.co/lib_wSQecNftrNahlZkx/otjjqicgbq0y2zg2.html                                        INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  18. Mar 2025 01:10:57
https://4f3blz84z38n.umso.co                                                                         INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  18. Mar 2025 01:10:57
https://kqups1ie5i2v.umso.co                                                                         INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  18. Mar 2025 01:10:57
https://29blywm8icf716hq.umso.co                                                                     INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  18. Mar 2025 01:10:57
https://x72hvomevzz6.umso.co                                                                         INACTIVE    STDLOOKUP  Unknown           404        AVAILABILITY  18. Mar 2025 01:10:57

Execution Time: 00:00:00:1.427461

Status      Percentage   Amount      
----------- ------------ ------------
ACTIVE      0%           0           
INACTIVE    100%         7           
INVALID     0%           0 

Verdict

I do prefer 410...

Not touching this

DNS Servers

ns-1432.awsdns-51.org.
ns-15.awsdns-01.com.
ns-1794.awsdns-32.co.uk.
ns-900.awsdns-48.net.
NetRange:       75.2.0.0 - 75.2.191.255
CIDR:           75.2.0.0/17, 75.2.128.0/18
NetName:        AMAZO-4

Thank you for reaching out. I want to clarify that I am not the owner of this project nor user of it. I assist with the whitelisting of domains to the best of my ability, but I do this as an unpaid volunteer in my free time. Your understanding and patience are greatly appreciated.
Additionally, I would like to share that I occasionally struggle with a mild degree of PTSD, which means I tend to forget even small details, like whether I had breakfast this morning. So please bear with me if I'm losing the thread sometimes. Your understanding and patience in this matter are greatly appreciated.

If you feel inclined to buy me a cup of coffee, it would certainly help speed up the process, but please know that it will not influence my decisions or verdicts in any way.

Additionally, I want to be very clear: I do not access any Cloudflare, CloudFront, or Google networks. This is a matter of principle for me, as I believe in upholding human rights, the right to online privacy, and network security. These services often intercept traffic to collect personally identifiable information (PII), which I believe compromises our autonomy and makes us all puppets to the big tech puppeteers.

Thank you for your understanding!

Best regards.

@spirillen spirillen removed their assignment Mar 18, 2025