[rudra]

Today i came to know a phishing site from an article on a renowned security blog that was talking about how sophisticated phishing site makers have become lately. it was a url that looked almost like the original site url except it had a curious mark over the i. Not a dot but a comma there. 

We have a bank: SBI. I thought what if someone made a phishing site with that letter in place of i. We usually look for https padlock and the url. But i guess even i could easily miss that..i say "even i" cause i am hyper paranoid. If i get fooled i am sure many regular folks will get it wrong if not most.

So i decided to do a little survey kind of thing and post the url here openly asking people whether they can see the difference from the original url. 

As a result i got a 30 percent warning... as a member and wellwisher of this community, i would like to point out that it was a bad use of the forum rules here. 

I didn't hide that it was a phishing site. Also i was not trying to get people into trouble.

Winning a vps is not the most important thing here...it is my reputation. How i appear in the eyes of my friends and peers around here is what at stake here.

I appealed our founder and the staff responsible ..hope they see my point and respond. Here is the text.

Please pardon the mistakes in english. Thanks.

Dear rudra

You have received a warning from the staff of Post4VPS Forum | Free VPS Provider.
--
You've received warning level 30% for a month because of sharing phising site which is against forum rule #14
--

You can't participate in any giveaway until your warning level expire.

I am appealing to you guys against the punishment. (If it is not a punishment then a warning is ok i guess. Even though it still feels bad. I have never been warned on any sites so far. )
I posted cause people are not aware of punycode and internationalized domains. They make phishing site urls look so similar to the original. So it was the start of an effort to increase awareness... it is not like i didnt mention that one of them was a phishing site and copy of the other...
Also is it not better to work against and talk about phishing than to do hush hush. 

( edit..The punishment feels like ) Like carpet bombing or like getting killed by swatting.

Here in india, most of us are taught to not talk about sex and sexual organs. I dont think that has helped much when it comes to sexual crimes and women safety. 

Not saying bad words, being gentle and polite wont help you when you are in trouble from one who does. I think it is better to know what to expect and prepare for it. Also many phishing sites are increasingly using https and showing green padlock in the process. So we need to raise awareness.
The rule is here so people do not promote bad things. But writing to raise awareness and promoting are not the same thing...
I would very much appreciate if you guys reconsider the warning.
Thanks.
Rudra..

[deanhills]

@rudra  You know how much I like you and I'll stand behind you in every issue you take up, but in this case I disagree.  Perhaps you could have made the presentation of the URL as a non-URL presentation so it wouldn't be a link.  Like you inadvertently and without bad intent became guilty of phishing.  

You can't imagine how challenging it has become for Forum owners and shared web hosts to not get blacklisted for phishing that has nothing to do with them.  These days there are so many automatic bots that go the rounds for triggering phishing complaints, that before you know it your IP is blacklisted and you have to go through lots of trouble to get it unlisted. You should really click around Spamhaus just to get an idea. I speak from experience at Gigarocket.  Compared to when it was Stonerocket in 2005 when it first started to now, the owner and our technical admin have become vigorously protective of our IP to the extent of creating all kinds of screens and filters and scripts to ensure there are no phishing incidents or if they are detected to immediately contain them.  They are also super strict with no second chance when the phishing incident has been discovered.  Person gets an instant ban without any warning.  

Now of course if you were Rudra and you were a member at Gigarocket with the same high regard that I hold you at post4vps, I'd have just removed the link from your post and given you the above detailed explanation in a PM - I'd have gone a million miles so you wouldn't be publicly embarrassed, as I'd have regarded you as a valuable asset of the Forum - which you indeed are.  Not sure whether I'd have been able to protect you if the "test phishing" URL would have been discovered on a Website of yours that is in a Gigarocket hosting account - as the hosting account would have received an immediate suspension as a result of a screen filter.  However, if your hosting account would have been suspended, I'd have pleaded your case to get it unsuspended and I think the owner would have been sympathetic - but urging you to use caution in future.  I'd hope that if this happened to you here at post4vps.com that @Dynamo will show you the same courtesy.

[arsalahmed786]

Well that's not a good idea to quote PM here in thread, It was my fault or maybe i say i was to earlier because when i visit your thread there wasn't edited message that you edit later when page almost opened on my side. I've read your thread and issue warning level because it was promoting Phishing stuff, i agree you wasn't meant that you had to spread awareness but later when i receive PM from you which is also written after next after my PM quote that same thing you PM'ed me. I visit your thread again and i found edited message

Edit...i got them from phishtank at https://www.phishtank.com . They are the very same guys behind opendns. Thanks

then i decide to restore your thread and remove URLs you shared on it, i know it was an example but message you attach image as example then adding phishing sites and i have already revoke your warning level.

If you still think it was my fault then you can report me to seniors of Post4VPS. I gave my perspective that edited message wasn't appear when your thread loaded on my side.

[rudra]

no need to apologize man ! you are doing a much harder job which benefits all of us here. I think I should apologize if what i wrote in pm somehow came as accusatory. i guessed what you did was done in a hurry and so i was trying to draw your attention and let you know what i did and why.

Also i was trying to mentally prepare myself to accept it if nothing came out of the appeal. but it seems life may not be fair, but good men are still out there doing the best they can.

thanks a lot for clearing things here. I so love my reputation with my friends and acquaintances. I was feeling like a felon all naked and standing in the open field while everyone else was looking down upon me...yuk...may be a bit too vivid.

please have a good day.

thanks again

edit. first i added a double bracket around the dots in those urls. but then i saw it would not be a good test. so i edited and removed the brackets to make it look like url. @deanhills, i totally agree with you on this. but the argument in my mind was, so many blogs focused on security out there use these urls openly on their pages. so why not us. may be that was silly.

edit. @arsal
no man. i never wanted to accuse you. it was never in my mind. it was not like an eye for an eye crusade. i totally understood why you did it and i think if you hold your position even now, i dont see how i can find fault in your decision if the rule is interpreted verbatim.
i tried to appeal on grounds that i was a good guy with no bad intentions in posting that thread and certainly no priors. thanks for listening to the appeal and a big thanks for walking the extra mile and more than what is expected of you in your position.

Have a good day !

[Manal]

Looks like you guys are not aware of phonetic domains. You won't believe how professional social engineers can easily troll you. They can clone "apple.com" into "apple.com". See, does it make any changes? No, not here. Neither in URL box(unless you look very closely and investigate hard to know if its real). A hacker can register a domain name with phonetic technique where he can register apple.com(not real one, but with same text by some deep techniques on which I am going to write article soon). As @deanhills said the comma thing, yup, it can be more worse then a comma.

Didn't understood it yet? Let me show you real examples.
xn--pple-43d.com
is
apple.com
If pasted in Firefox(since Google Chrome has fixed it).

For better explanation, I'll write the whole article on my website.

---

My bad, Google Chrome is yet to fix the "Did you mean". However, the URL is the same as pasted.

[rudra]

it is being called internationalized domain or something similar. they have extended the usable characters to the whole available bunch worldwide. so i with a dot on the line has a brother with a comma like thingy on a stick that almost looks like a twin.

very easy to overlook when you are in a hurry. you click a link, the padlock in your field of view gives you assurance and you move on to check the page and think ... yes , the familiar page i am so used to use when ordering this or logging in. you proceed to enter the detailed and next thing you know, BOOM. no..nothing bursts. just you account gets hijacked or credit card maxed out.


in firefox there is a way to disable the rendering and easily catch the offender with its original representation. go to about:config and search punycode and toggle.

i didnt find any way to do it in chrome. i need to search if there are any extensions in chrome that does that.

[Manal]

Yup, @rudra. That's right. But you stole some page views from my upcoming article ;__;.

*coughs*

[TrK]

@rudra you are right the domains that support punycodes are internationalized domains and characters in used the so called variations are known as Diacritics however if you have enabled punycode detection in your browser(i know i have on my firefox) its quite easy to differentiate with them. If you want to enable punycode detection just headover to about:config accept the risk and then search for IDN_show_punycode then set it true and you are good to go. I am a firefox user so i only know how to do it in firefox and forefox based browsers please don't ask me to do it in chrome i honestly don't know about it working on chrome.

[deanhills]

You did good @arsalahmed786. No worries. Bottom line, it's alerted us to the potential of how easy phishing has become without even phishing. Scary in fact.

Thanks to @TrK for the tip about Firefox. However, I was unable to find IDN_show_punycode. Closest I got was network.IDN_show_punycode. I guess this is the one I should make true then?

When I search the about.config on punycode it also comes up with:
network.standard-url.punycode-host which is set to default "true".

Just want to make sure I did the right thing. I only changed the network.IDN_show_punycode to "true" - so both the above to do with punycode is true.

---

Follow up:  I changed it back after I read the Mozilla Firefox KB article about it:
http://kb.mozillazine.org/Network.IDN_show_punycode

Looks as though Mozilla Firefox has taken care of the problem in its "false" (default) toggle:

Even if this preference is false, only top-level domain that are whitelisted will be displayed in Unicode.

This makes me feel a little better.

Must say this warning in this thread really "spooked" me. Particularly when my Bank seems to be a target and even warning me in its literature. So I guess I should only use Mozilla Firefox when I do my banking?

[TrK]

@deanhills i can't say about chrome since i stopped using chrome after its 29th version update since it was hogging my resources i switched to firefox and i am still using it you did the right thing it was in fact network.IDN_show_punycode but i guess i didn't thought of network part much, after enabling that if you can easily identified the shared links too.