Everything, Everything

GoDaddy And MySpace Suck
Saturday 27th January, 2007 23:54 Comments: 1
I'm not a fan* of MySpace (unencrypted logins, XSS problems, lack of proper control over adverts, paedophiles and minors doing lots of dodgy stuff), and I've heard bad press about GoDaddy in the past, but it's never really directly affected me. I don't have a MySpace account, and even if I did I doubt I'd fall for any of the many phishing attacks. But it seems a lot of people did, as it was discussed on a few mailing lists (complete with links to the files) as well as covered by a few websites (one in particular, I'm sure, used to link to the files, but later on that day removed the links without saying the post had been edited). It seems MySpace weren't happy, and with GoDaddy willing to roll over at the first sign of trouble (as usual), this led Fyodor (a really nice guy) to send out an email:

Hi everyone,

Many of you reported that our SecLists.Org security mailing list archive was down most of yesterday (Wed), and all you really need to know is that we're back up and running! But I'm going into rant mode anyway in case you care for the details.

I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later I received an email saying that SecLists.org has "been suspended for violation of the GoDaddy.com Abuse Policy". And also "if the domain name(s) listed above are private, your Domains By Proxy(R) account has also been suspended." WTF??! Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh?

I called GoDaddy several times, and all three support people I spoke with (Craig, Ricky, then Wael) said that the abuse department doesn't take calls. They said I had to email abuse@godaddy.com (which I had already done 3 times) and that I could then expect a response "within 1 or two business days". Given that tens of thousands of people use SecLists.Org every day, I didn't take that well. When they realized I was going to just keep calling until they did something, they finally persuaded the abuse department to explain why they cut me off: Myspace.Com asked them to.

Apparently Myspace is still reeling from all the news reports more than a week ago about a list of 56,000 myspace usernames+passwords making the rounds. It was all over the news, and reminded people of a completely different list of 34,000 MySpace passwords which was floating around last year. MySpace users fall for a LOT of phishing scams. They are basically the new AOL. Anyway, everyone has this latest password list now, and it was even posted (several times) to the thousands of members of the fulldisclosure mailing list more than a week ago. So it was archived by all the sites which archive full-disclosure, including SecLists.Org.

Instead of simply writing me (or abuse@seclists.org) asking to have the password list removed, MySpace decided to contact (only) GoDaddy and try to have the whole site of 250,000 pages removed because they don't like one of them. And GoDaddy cowardly and lazily decided to simply shut down the site rather than actually investigating or giving me a chance to contest or comply with the complaint. Needless to say, I'm in the market for a new registrar. One who doesn't immediately bend over for any large corporation who asks. One who considers it their job just to refer people to the SecLists.Org nameserver at 205.217.153.50, not to police the content of the services hosted at the domains. The GoDaddy ToS forbids hosting what they call "morally objectionable activities".

It is way too late for MySpace to put the cat back in the bag anyway. The bad guys already have the file, and anyone else who wants it need only Google for "myspace1.txt.bz2" or "duckqueen1". Is MySpace going to try and shut down Google next?

For some reason, this is only one of a spate of bogus Seclists removal requests. I do remove material that is clearly illegal or inappropriate for SecLists.org (like the bonehead who keeps posting furry porn to fulldisclosure). But one company sent a legal threat demanding[1] that I remove a 7-year old Bugtraq posting which was a complaint about previous bogus legal threats they had sent. Another guy[2] last week sent a complaint to my ISP saying that an image was child porn and declaring that he would notify the FBI. When asked why he thought the picture was of a child, he tried a different tack: sending a DMCA complaint declaring under penalty of perjury that he is the copyright holder of the photo! Michael Crook told me on the phone that he sent the DMCA request, but when I forwarded the info to the EFF (who is already suing this guy for sending other bogus DMCA complaints), he changed his mind and wrote that "after further review, I can find no record" of mailing the complaint.

Most of the censorship attempts are for the full-disclosure list. It would be easiest just to cease archiving that list, but I do think it serves an important purpose in keeping the industry honest. And many good postings do make it through if you can filter out all the junk. So I'm keeping it, no matter how "morally objectionable" GoDaddy and MySpace may think it to be!


I've snipped the end, as it's mostly a plug for Nmap. Sorry that it's such a long email, but it's well written and puts everything into context. I shall continue to steer clear of GoDaddy and MySpace. I'd advise others to do the same.

* Okay, so when bands host music that I can preview, it can be quite useful
Robert - Wednesday 31st January, 2007 14:53
Fyodor has given a more detailed account, as there were discrepancies as to how much notice he'd been given:

They left me a voicemail at "9:39:31 AM PST" according to the time stamp from my voicemail provider. In the voicemail, they say my domain is "scheduled for suspension". Then at "9:40:23" (according to my time-synced mail server) they emailed me a "Domain Suspension Notice" saying that my "domain names have been suspended". So they only gave me 52 seconds to respond to their voicemail! Plus, their voicemail didn't include a phone number to reach them at! I have posted both the email and voicemail recording at http://NoDaddy.Com.
© Robert Nicholls 2002-2024