I notice from MXToolbox.com that your domain’s IP address is on the UCEPROTECTL3 blacklist. 

This is a notoriously evil blacklist that charges people for removal. This may be why Spectrum is blackholing your domain. Most respectable ISPs won’t use it. But Spectrum… 

There is no delisting procedure without making a “donation” to the UCEPROTECTL3 black sparrow account. They’re famous for blacklisting large swaths of IP addresses that catch up innocent parties that have never spammed a flea.

-mel

On Apr 22, 2024, at 4:51 AM, Validin Axon <axon@validin.com> wrote:


Looking for some help/advice. Spectrum is sinkholing my company's domain, validin[.]com, to 127.0.0.54. The sinkhole responses come from their recursive DNS servers, 209.18.47.61 and 209.18.47.62, which are defaults for and in use by many of their customers and are only reachable from within the Spectrum network. I've had 4 people over the last week (think: customers, prospects, etc) who use Charter/Spectrum tell me that they have difficulty accessing my website as a result of this sinkhole behavior. This behavior is causing reputational harm to my company.

I've personally confirmed this behavior from the Spectrum network (I am also a customer) using dig to test their DNS servers:
```
$ dig +short @209.18.47.61 validin.com
127.0.0.54
$ dig +short @209.18.47.62 validin.com
127.0.0.54
```
Using Cloudflare/Google/etc works correctly:
```
$ dig +short @1.1.1.1 validin.com
137.184.54.107
157.245.112.183
$ dig +short @8.8.8.8 validin.com
157.245.112.183
137.184.54.107
```

I suspect my domain was blocklisted last year when a threat researcher included my domain name in a blog post about a threat they were investigating and cited my company as the source for their data. Someone scraped that post, and my company's domain was accidentally added to two AlienVault OTX pulses and at least one collection on VirusTotal. I removed the domain via false positive reporting from everything I could. However, it appears that being added to Spectrum's DNS sinkhole list is effectively permanent and there's no clear path for false positive remediation.

I've tried the official Spectrum support lines for months to no avail, and recently tried reaching out on Twitter, but have had no success there either. I'm clearly not able to find the right people through these routes, as none of the people I reach understand the difference between a DNS sinkhole and an IP block list and don't appear to be aware that DNS blocklisting is a separate behavior from their opt-in content filtering via Security Shield.

So, if someone could please help me find the team or individual responsible for Spectrum's DNS sinkhole behavior, I would be exceptionally grateful. :-)

As I mentioned, this is causing reputation harm, so switching my own DNS servers is not sufficient. People who need to reach me can't. So, I would appreciate any other help or advice you have.

Kenneth
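
The resolver comparison described in the message above can be automated. The following is an added example, not part of the original thread: it parses a `dig +short` transcript (the embedded one is copied from the message) and flags resolvers that return only non-routable answers disagreeing with the reference resolvers. The function names, the choice of 1.1.1.1 and 8.8.8.8 as references, and the "non-global answer" rule are assumptions made for the example.

```python
import ipaddress
import re

# Transcript in the same shape as the dig output quoted in the message above.
TRANSCRIPT = """\
$ dig +short @209.18.47.61 validin.com
127.0.0.54
$ dig +short @209.18.47.62 validin.com
127.0.0.54
$ dig +short @1.1.1.1 validin.com
137.184.54.107
157.245.112.183
$ dig +short @8.8.8.8 validin.com
157.245.112.183
137.184.54.107
"""

CMD = re.compile(r"^\$\s*dig\s+\+short\s+@(\S+)\s+(\S+)\s*$")

def parse_transcript(text):
    """Return {(resolver, name): set of answer IPs} from `dig +short` output."""
    results, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CMD.match(line)
        if m:
            key = (m.group(1), m.group(2))
            results[key] = set()
        elif line and key:
            try:
                results[key].add(ipaddress.ip_address(line))
            except ValueError:
                pass  # +short can also print CNAME targets; skip non-IP lines
    return results

def find_sinkholed(results, reference_resolvers):
    """Flag resolvers whose answers are non-routable and disagree with the references."""
    findings = []
    for name in sorted({n for _, n in results}):
        expected = set()
        for r in reference_resolvers:
            expected |= results.get((r, name), set())
        for (resolver, n), answers in sorted(results.items()):
            if n != name or resolver in reference_resolvers:
                continue
            bogus = {a for a in answers if not a.is_global}  # loopback, RFC 1918, etc.
            if bogus and not (answers & expected):
                findings.append((resolver, name, sorted(map(str, bogus))))
    return findings
```

A finding from this check only shows that a resolver's answer differs from the references and is not publicly routable; it does not identify which blocklist caused the override.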