151.139.128.11 c2u7f8y9.stackpathcdn.com
chrisnewcomb opened this issue · 3 comments
151.139.128.11 c2u7f8y9.stackpathcdn.com and stackpath.com
I believe I got all of the feeds but I could have missed one. This is apparently causing false positives for our customers. Can you remove the above from the feeds?
feeds/domainC2swithURLwithIP-30day.csv
Line 134 and 135
feeds/domainC2swithURLwithIP.csv
Line 73, 368
feeds/domainC2swithURLwithIP-filter-abused.csv
Line 65
feeds/domainC2swithURLwithIP-30day-filter-abused.csv
Line 125 and 126
feeds/domainC2swithURL.csv
Line 71 and 341
feeds/domainC2swithURL-filter-abused.csv
Line 63
feeds/domainC2s-30day-filter-abused.csv
Line 116 and 117
feeds/domainC2s-30day.csv
Line 110
Thank you for the feedback; there was indeed an issue that was addressed recently with 2 of those values.
The IP and stackpath[.]com have been removed from the IP and filter-abused feeds, which ideally are the ones you should be using.
In regards to c2u7f8y9[.]stackpathcdn[.]com, that is actually a C2 Host Header being used as part of a domain fronting setup through the CDN, for which you can find the details in the C2_configs data. It seems the CDN may have recently blocked that, and eventually that will clear itself out, but for now I don't think it would be wise to remove that entry.
Hope that helps clarify your issue! I will leave the issue open for now.
Thank you!
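The distinction drawn in the reply above (a shared CDN edge IP and apex domain should not alert on their own, while the tenant-specific host header fronted through that CDN still should) is easy to get wrong when a feed is loaded wholesale into a blocklist. The following is an added example, not code from the feed project or from anyone in this thread: it assumes a simplified feed layout (`indicator,kind,note`) and a constructed proxy-log fragment, neither of which is the real schema, and shows how a consumer can match on the C2 host header, flag the SNI/Host mismatch that characterises domain fronting, and suppress hits that are only the shared CDN infrastructure.

```python
# Added example: matching a C2 host header fronted through a CDN without
# alerting on the CDN's shared edge IP or apex domain. Feed layout, allowlist
# and log lines below are all constructed for this example, not the real feed.
import csv
import io
from dataclasses import dataclass

# Assumed feed layout (hypothetical; the real feed columns differ).
SAMPLE_FEED = """indicator,kind,note
151.139.128.11,ip,shared CDN edge used by many tenants
stackpath.com,domain,CDN apex domain
c2u7f8y9.stackpathcdn.com,host_header,C2 host header fronted through the CDN
147.182.205.32,ip,C2 origin behind the CDN configuration
"""

# Assumed allowlist of shared CDN infrastructure that must not alert by itself.
SHARED_INFRA = {"151.139.128.11", "stackpath.com"}

# Constructed proxy log: one benign tenant, one fronted beacon, one direct
# request to the C2 host header, and one direct hit on the C2 origin IP.
SAMPLE_LOG = """ts,src,dst_ip,sni,host,path
1,10.0.0.5,151.139.128.11,www.tenant-example.com,www.tenant-example.com,/assets/app.js
2,10.0.0.7,151.139.128.11,cdn.front-example.com,c2u7f8y9.stackpathcdn.com,/api/beacon
3,10.0.0.9,151.139.128.11,c2u7f8y9.stackpathcdn.com,c2u7f8y9.stackpathcdn.com,/api/beacon
4,10.0.0.3,147.182.205.32,,147.182.205.32,/gate.php
"""


@dataclass
class Verdict:
    ts: str
    alert: bool
    reason: str


def load_feed(text: str) -> dict[str, str]:
    """Map each indicator to its kind: 'ip', 'domain' or 'host_header'."""
    return {row["indicator"]: row["kind"] for row in csv.DictReader(io.StringIO(text))}


def assess(record: dict[str, str], feed: dict[str, str], shared: set[str]) -> Verdict:
    """Classify one proxy-log record against the feed.

    Order matters: the tenant-specific host header is checked before the
    shared-infrastructure allowlist, so fronting through an allowlisted CDN
    edge still alerts.
    """
    host, sni, dst = record["host"], record["sni"], record["dst_ip"]
    host_apex = ".".join(host.split(".")[-2:])

    if feed.get(host) == "host_header":
        # SNI naming one host while the HTTP Host header names the C2 entry
        # is the domain fronting pattern described in the thread.
        if sni and sni != host:
            return Verdict(record["ts"], True, f"C2 host header {host} fronted behind SNI {sni}")
        return Verdict(record["ts"], True, f"C2 host header {host} requested directly")

    if feed.get(dst) == "ip" and dst not in shared:
        return Verdict(record["ts"], True, f"connection to C2 origin {dst}")

    if dst in shared or host_apex in shared:
        # Shared CDN edge or apex alone: this is the false positive the
        # issue reporter hit, so it is recorded but does not alert.
        return Verdict(record["ts"], False, f"shared CDN infrastructure {dst} / {host_apex}, no alert on its own")

    return Verdict(record["ts"], False, "no indicator matched")


def run(log_text: str, feed_text: str, shared: set[str] = SHARED_INFRA) -> list[Verdict]:
    """Evaluate every record in a CSV proxy log against a CSV feed."""
    feed = load_feed(feed_text)
    return [assess(r, feed, shared) for r in csv.DictReader(io.StringIO(log_text))]


if __name__ == "__main__":
    for v in run(SAMPLE_LOG, SAMPLE_FEED):
        print(f"ts={v.ts} alert={v.alert} {v.reason}")
```

With the constructed input, record 1 is left alone (shared edge IP only), record 2 alerts as a fronted request (SNI and Host disagree), record 3 alerts as a direct request to the C2 host header, and record 4 alerts on the origin IP. Keying the suppression on the allowlist rather than deleting the entries from the feed is what keeps the host-header indicator usable after the shared IP is removed.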
As the manager of the Trust and Safety department for StackPath, we applied our AUP to the host shortly after the tweet went live that let us know of the issue. I appreciate the quick reply to this issue.
Thanks.
Excellent! My pleasure!
The C2 IP ( 147[.]182[.]205[.]32 ) behind that configuration still seems to be live; it's the IP in the 30-day JSON file, but clearly it will fail. So the configuration may linger for a bit longer; if it causes issues I can look at possible options.