This is my first post here. The same post can be found on Medium as well. I wanted to tell this story because I thought it would be worth sharing. It is about how I “lost” my domain because of poor code and not enough maintenance on the app.
It all started around 4 years ago. I bought a domain ending in .xyz from Namecheap.com. Let's call it secretdomain.xyz, as I am not sure I want to say what domain it really is. I might update the story later if it feels relevant to tell the real domain name.
I bought the .xyz domain because it was on sale for the first year: only one dollar. It was a pretty new domain ending at that time. I set the A records to point at my virtual server, a VPS running at www.hetzner.com. No issues here. Then I uploaded my own hobby project, which was a copy, or my own version, of TinyURL. I just called my hobby project ShortUrl. Simple as that. The project consisted only of an index.php file, a single database table and an Apache redirect file. Three pieces in total. It was a very simple project and I was happy because it actually worked.
I thought no one would ever upload their URLs to my app, or even find the site, as my domain was so absurd. I was wrong. So wrong. Of course the internet is polluted by robots and all kinds of scammers. My URL shortener app lived its own life for probably three years. I didn't check the database once during that time. I just let the app stay online and even used it a few times.
However, things changed after three years. One day I woke up to a message from my monitoring systems that my websites were down. I thought the problem must be with the VPS provider, so I opened the console. I noticed there was a new message saying something like: “Your VPS is not following our rules and is therefore shut down”. Hetzner had shut down my server because it was violating the rules. I then followed up on the problem and found out that somebody had put malicious URLs in my app. I opened the database tool and found that multiple porn and other scam sites had been uploaded to my URL shortener hobby app. I was completely unaware that robots had found my site. Fine. I just selected all records and deleted them. It's my hobby project and I don't care if any real links are in use. So I just destroyed everything. After deleting the records I updated my app for the first time in three years and added Google robot verification. Now it is not possible to insert URLs without proving you are a human. I thought this security measure would be enough. I was wrong again.
I posted an explanation to Hetzner of what I had done with my server, and within an hour they responded that my server was back online. All good! I was happy with the service, and actually happy that they had noticed I had bad links in the app. This is how things should work. I let the app live again for around one year, until the shit hit the fan.
A couple of weeks ago, in early 2020, my monitoring systems again informed me that my website was unreachable. I then proceeded with the normal checks of what was going on. My other domains that point to the same server worked, however. I found out that only my .xyz domain was down. I then thought this must be an issue with Namecheap, as my browser's error message was the following:
“This site can’t be reached. server IP address could not be found. DNS_PROBE_FINISHED_NXDOMAIN”. It's pretty self-explanatory: the domain can't be found. I sent a message to Namecheap support, and after a few minutes they told me that the issue was not on their end. It was the .xyz registry that had shut down my domain. I was very surprised. But no worries, as the Aussies say, I thought.
I then went to the registry's website and checked the status of my domain. It was the exact same reason as one year ago: somebody had put a malicious link in my app again. I thought it was not a big deal. I would just delete all the database records and proceed with more security measures. And I did that.
I cleaned the whole database on my server again and added new security questions in addition to the Google verification. This should now keep all robots out of my app; it would need a human to enter the URLs. And as I was aware of the problem, I thought it would be better to either remove the app completely or start keeping an eye on the URLs inserted into the app, or maybe even delete them after a certain time. But it was too late.
I sent an explanation to the registry explaining the situation and what security measures I had taken. I thought this would be fine, as it was last time, but no. I was so wrong again. This is what they replied to my unsuspension request:
This domain has been flagged for violating our anti-abuse policies. Evidence and instructions for delisting this domain can be found below:
https://www.virustotal.com/
You must contact the blacklist(s) flagged on the list(s) provided to have the domain reviewed/reassessed.
Once you have removed this domain from the blacklist(s), please reply to this support ticket at www.gen.xyz/abuse with evidence of the delisting and we may unsuspend the domain.
So it wasn’t enough to take additional security measures and clean the database. I now had to contact at least ten different virus scanner companies to get my domain off their lists. This was a problem I just couldn't handle anymore as a single developer. But I tried. Here is what I did.
I started to Google like a madman how to report a false positive to these companies. I put in many, many hours finding emails and forms to fill in about the problem. I sent all the possible evidence and filled in all the forms I could find to report a false positive. I probably even sent a couple of emails and messages to salespeople to get my issue solved. It was super hard to find proper forms or information on how to send a false-positive report to certain companies. Some even required me to create a new user in their system in order to send a ticket. That took even more time to register and send a ticket.
I even did that. I created a new account and sent this message to explain my situation.
Hi.
My domain secretdomain.xyz and secretdomain.xyz/bkeo were blacklisted because I have a hobby project, “urlshortener”, similar to TinyURL, and somebody put malicious links in my shortener, which then redirected to a malicious site through my domain.
I have now deleted all malicious records from the server database and added an extra security layer to prevent malicious URLs from being inserted into the system.
I have taken action to secure my site by using Google robot verification and a custom security question to prevent harmful links.
Could you please mark my domain as safe again so that VirusTotal shows the domain as green?
In the meantime my site is down and the domain can't be used.
Report can be found here: “link to virustotal”
I actually managed to get the blacklist record removed by a few of the companies, but after one week I got very frustrated. Here is what Quick Heal replied to me.
Greetings from Quick Heal!
Requesting you to provide your contact number and convenient time for further communication regarding reported issue.
Awaiting your valuable reply.
In case of any difficulty, kindly contact us. Regards, Quick Heal Support Team.
Is there something to further communicate about this? I think not. It should be pretty clear that there is nothing I can do from my side. I got similar responses from a few other companies saying that they still found malicious evidence on my site. HOW? I cleared the database and my domain is down. It is not accessible by anyone. How can you still find the records? Are you retarded or what? Should I blame them? Probably not. It was my poor code and site in the end, but still. You understand how I feel.
After two weeks of sending multiple emails and filling in forms, I just decided to give up. I am a single developer and it was just a hobby project. I don't have the strength anymore to try to get it unsuspended. I have lost all hope. I liked my domain. It was very nice, but now I feel it is easier to just let it go and buy a new one.
What I learned
There was not a single message from the registry that they were going to suspend my domain. If they had sent me a warning message I could have taken action to prevent this from happening. On the other hand, I was very unaware of these virus scanners as well. Imagine this happening to your production server with a real customer base. What would you do? If there was a team behind the product they could probably get the domain back, but it would still take weeks to contact all the companies and remove the blacklists. The site would be down for weeks or even months. As a single developer I feel it's too much of a struggle to get it back. It's just easier to buy a new domain. And all of this because of a hobby project with poor code.
So basically I just lost my domain because somebody else decided so. Of course it was also because of the poor code, but in the end, how could I have known it would be this hard to get the domain back? It was only a hobby project. The actions needed to get my domain back are too much for me to handle. I have now cancelled my domain and will be buying a new one soon. At least I will get a discount on a new domain, as .xyz domain prices jump from one dollar to over ten dollars after the first year.
Also, I think there should be a centralized way to submit your website as a false positive. It is a huge amount of work to send requests to dozens of companies.
Thank you for reading.
Top comments (2)
Thank you for sharing your experience.
I am currently going through a similar situation with a .xyz domain and the explanations are not clear.
The website involved is a WordPress website that is only used to publish blog posts and landing pages. There is no app or unusual code. So I would not have imagined or expected this kind of issue.
Were you eventually able to get your domain name back, maybe after a long while?
Sorry for the late reply. After hard work and many days I finally managed to get my domain back. I had to remove the website completely and take it down for a while. Then I started messaging all the virus scanner sites asking them to re-scan my website. After hundreds of emails I got my site cleared and .xyz finally released my domain. Some of the sites allow you to re-scan by yourself by entering the domain. For some sites it was an easy process, and for some it took weeks and a lot of emails explaining the situation.