Krisk_C19 list unreliable

BBcan177

@p_bear
Thanks, Its hard to keep vetting all these feeds for FPs. It would become a full time job :) I have seen multiple complaints about that feed tho, has anyone tried to reach out to them to report these issues, and see if they rectify them. Its typically a good sign when they have a way to report FPs, and act on them in a reasonable time frame. Otherwise, its best to not utilize them at all.

Gertjan

@p_bear said in Krisk_C19 list unreliable:

Yes, but it's the creator who decide which lists are included in the feeds tab. If today, you or me decide to create our own list based on our personal browsing problems, and we contact the creator to ask him to add our list, it would still be his decision to add it or not.

That 'list' is just a suggestion. It should be there, actually.
If it wasn't, this forum would be filled up with "what to do ?"

We all have the liberty to whatever we want.

And as usual, what works today is abandoned tomorrow.

Btw : the list you $$ for tend to be more stable.

Lists from 'others' have to be checked.
It does happen from time to time that IP's like '8.8.8.8' sneak in on a list. You can imagine what happens as there are 'admins' out there who are really convinced ** that every DNS request has to be forwarded to Google (= 8.8.8.8). The result is that with 'an update' of a feed your entire network break, aka name resolution falls in the water.

** I'm not promoting some conspiracy here. Just that I never saw that message from that important guy that explained why I should do so.

pfBlockerNG-devel isn'ta pfSense package you can install and walk away from. See it like a troublesome kid. You can love it, and you have to stay on it.
Because, if not .... just just created yourself a shoot in the foot situation.

p_bear

Is it me or there is something completely f*ed with this Krisk_C19 list ?

My pfsense cannot download it anymore.

The address of the list is: https://kriskintel.com/feeds/ktip_covid_domains.txt

But when I check my DNSBL logs, I see:

kriskintel.com,127.0.0.1,Python,TLD_A,DNSBL_Malicious,kriskintel.com,Krisk_C19,+

So I understand wrong or this list blacklisted itself ?!

p_bear

I've disabled this list, I can now reach their own website ...
They still blacklist github.com by the way.

I've tried to contact them but when I click any of them, nothing happen. It looks like something is broken on their page:

the link is, for the 4 guys: https://kriskintel.com/#home;

Gertjan

@p_bear said in Krisk_C19 list unreliable:

The address of the list is: https://kriskintel.com/feeds/ktip_covid_domains.txt

Didn't find any "kriskintel.com" on that list.
=> Click on the link, hit Ctrl-F, type kriskintel.com and hit enter.
<< not found >>

@p_bear said in Krisk_C19 list unreliable:

kriskintel.com,127.0.0.1,Python,TLD_A,DNSBL_Malicious,kriskintel.com,Krisk_C19,+

Hummm. Strange format. My dnsbl.log file look diffferent.

@p_bear said in Krisk_C19 list unreliable:

They still blacklist github.com by the way.

Doesn't that trigger that feeling inside yourself that says : "danger, danger, stay away from this one " ?????
The list is free. Nothing has been said about 'quality' ;)

p_bear

@gertjan said in Krisk_C19 list unreliable:

Didn't find any "kriskintel.com" on that list.
=> Click on the link, hit Ctrl-F, type kriskintel.com and hit enter.
<< not found >>

Yes I’ve seen it’s not on the list anymore. They probably corrected it. I couldn’t get the update until I’ve disabled the list. The serpent that bites its own tail...

Cabledude

It just happened again, krisk web site unreachable. disable, update, voila there it is again.
There may be useful domains in this list, but to me it's too much hassle to keep correcting it.

One option we might revert to is copy a last-known good list to host on your own server and use that snapshot. It won't be updated but it may be better than disabling it altogether.

p_bear

I repeat myself but this list should be removed from the proposed list of pfblockerNG. It is definitely not reliable at all and even harmful for newcomers.
At this point, it looks like pfblockerNG advices a list written on the back of an enveloppe.

Gertjan

@p_bear

There is a to-do list here.

jdeloach

@p_bear said in Krisk_C19 list unreliable:

I repeat myself but this list should be removed from the proposed list of pfblockerNG. It is definitely not reliable at all and even harmful for newcomers.
At this point, it looks like pfblockerNG advices a list written on the back of an enveloppe.

Have you contacted the author of that list and told them what you have found wrong, if not, they probably don't know what issue your having with it? Contacting the owner/maintainer of each list is the only way to get errors/problems resolved with the lists. The maintainer's contact info of each list can usually be found in the header of each list. Neither Netgate nor the maintainer of this package maintain these lists.

Really if this list is blocking something that you want access to, just don't use this list. These lists are provided as a convenience for you so new folks don't have to search the internet for lists to use.

I hope you do realize that most of these lists are maintained by folks like you and me as a hobby. They do it for FREE and as the old saying goes, you get what you pay for.

No one says you have to use these lists. If the list doesn't work for you then the easy solution is to just not use it. I use some of these lists but don't use the one that you are complaining about, in fact most the lists I use are not the ones included with the pfBlockerNG package.

Cabledude

I agree with both of you, though I must express my deepest appreciation for the author of pfBlockerNG and his good work and continued support. It is up to us as users to give (friendly) feedback to him about possible improvements.

@jdeloach I would be very very interested to hear which lists you use and about your findings with them. In fact, i would expect a sticky would be in place for this discussion.

Kind regards,
Pete

p_bear

@gertjan
Thks

@jdeloach

if this list is blocking something that you want access to, just don't use this list

You misunderstood the troubles we report here. Yes of course if it’s a list that is dedicated to block public dns and you want to reach them, we can advice you not to use this list
But here we re talking about a “not normal” blocking. Like when they block GitHub or, worse, their own website which is stopping us to follow your advice … to report to them.

When it reaches a so low level of conscientiousness you can’t justify that saying it’s done by folks for free. It’s insulting for all the others who do the same, for free, but seriously.

But as @BBcan177 said, he has to include a list in his plugging but he can’t keep vetting every list every time. It would be a full time job. That’s why we report. Since you say you use others lists, if you know good lists don’t hesitate to suggest some. Maybe he can swap in the list included in the package. He cannot be aware of every existing lists.