False Positive | hopp.bio #754

Open
shaulgo opened this issue Feb 13, 2025 · 5 comments

@shaulgo

shaulgo commented Feb 13, 2025

What are the subjects of the false-positive (domains, URLs, or IPs)?

  • hopp.bio

https://phish.co.za/latest/phishing-links-ACTIVE.txt - (I can see that these are all already blocked. They were likely phishing accounts)

Why do you believe this is a false-positive?

hopp.bio is a link-in-bio service by wix.com. We are committed to maintaining a safe platform by actively detecting and blocking all malicious content.

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

N/A

Have you requested a review from other sources?

This is the only entity that I'm aware of that is flagging us.

Phishing-Database/Phishing.Database#786

Do you have a screenshot?

N/A

Additional Information or Context

hopp.bio has a large community of legitimate users, and it’s disheartening to see them blocked by their ISPs due to this.

@spirillen
Contributor

Hmm, in Phishing-Database/Phishing.Database#786 I can see you are referring to hopp.to, which by the way you turned into an intranet site, and which is listed several times in PD. If you would like me to help you with that domain as well, you should open a new issue regarding this domain only.

hopp.bio

For hopp.bio I find these 52 records, which all give me the undesirable HTTP codes 200 & 302, which clearly indicates the URLs are active.

Due to the number of URLs, you will have to do the long haul of testing these before I spend more time on this issue; please return a detailed list of your beliefs about the records. You shall also ensure the domain is public, so we can test and verify your feedback on these URLs; this includes, but is not limited to, the safe and secure network of Tor.

@spirillen spirillen added the False Positive This domain have been block by mistake label Feb 14, 2025
@spirillen spirillen moved this from 🆕 New to 👀 In review in Phishing Database Backlog Feb 14, 2025
@spirillen spirillen moved this from 👀 In review to 🚫 Blocked / Waiting in Phishing Database Backlog Feb 14, 2025
@spirillen
Contributor

@funilrys where is the DNS TXT message from the @phishing-database-bot in this project, from where all whitelist issues should be handled?

@shaulgo
Author

shaulgo commented Feb 17, 2025

@spirillen thanks for the response. We changed it so a blocked page will return a 403. Is there anything else that I should do?

@spirillen
Contributor

> We changed it so a blocked page will return a 403. Is there anything else that I should do?

Hi @shaulgo,

Thank you for your response and for making the adjustments to your systems. I appreciate it! However, I would like to suggest a change regarding the response codes.

From my perspective, using a 403 status code can be quite challenging for establishing default trust, as it essentially communicates, "I don't like how you asked," or indicates that access is completely denied. This can create confusion for test results.

I would kindly encourage you to consider using a 410 status code for links that are no longer available, or alternatively, a 404 status code. Personally, I find 404 less preferable, as it merely states that the request cannot be fulfilled at the moment.

As a list maintainer, I have a strong preference for the 410 status code. While I respect your choice based on the project's approach, I kindly request that you consider this change for better alignment on a global scale.

Thank you!
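
The status-code point in the comment above, as an added example that is not part of the original thread or of either project's code: a minimal WSGI app that answers with a configurable status for taken-down pages, probed in-process to compare the 403 the reporter deployed with the 410 the maintainer asks for. The slugs and the names `make_app`, `probe` and `recheck` are hypothetical, and the `recheck` labels are this example's reading of the thread.

```python
from http import HTTPStatus
from wsgiref.util import setup_testing_defaults

# Constructed sample data: these slugs are hypothetical, not URLs from the issue.
LIVE_PAGES = {"alice": b"<h1>Alice's links</h1>"}
TAKEN_DOWN = {"fake-login-demo"}  # pages the platform removed for abuse


def make_app(takedown_status=410):
    """Build a WSGI app; takedown_status is what removed pages answer with."""
    def app(environ, start_response):
        slug = environ.get("PATH_INFO", "/").strip("/")
        if slug in TAKEN_DOWN:
            code, body = takedown_status, b"This page was removed.\n"
        elif slug in LIVE_PAGES:
            code, body = 200, LIVE_PAGES[slug]
        else:
            code, body = 404, b"No such page.\n"
        start_response(f"{code} {HTTPStatus(code).phrase}",
                       [("Content-Type", "text/html; charset=utf-8"),
                        ("Content-Length", str(len(body)))])
        return [body]
    return app


def probe(app, path):
    """Call the app in-process (no sockets) and return the numeric status."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    def start_response(status, headers):
        seen["code"] = int(status.split()[0])
    b"".join(app(environ, start_response))
    return seen["code"]


def recheck(code):
    """This example's reading of the thread, not Phishing.Database tooling."""
    if code in (200, 302):
        return "active"        # the codes the maintainer treats as a live URL
    if code in (404, 410):
        return "gone"          # 410 is the maintainer's stated preference
    return "ambiguous"         # e.g. 403: refused, but is the page still there?


if __name__ == "__main__":
    for label, status in (("before", 403), ("after", 410)):
        app = make_app(takedown_status=status)
        for path in ("/alice", "/fake-login-demo", "/no-such-page"):
            code = probe(app, path)
            print(label, path, code, recheck(code))
```

To serve the same app over a real socket for manual testing, pass `make_app()` to `wsgiref.simple_server.make_server`.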

@spirillen
Contributor

Related to #754, Phishing-Database/Phishing.Database#464

Previously whitelisted in Phishing-Database/Phishing.Database#786
