False Positive | cdpn.io #1208

Closed
smed79 opened this issue Mar 3, 2025 · 13 comments
@smed79

smed79 commented Mar 3, 2025

What are the subjects of the false-positive

  • cdpn.io

Why do you believe this is a false-positive?

cdpn.io embeds code from codepen.io

How did you discover this false-positive(s)?

Other (Please fill out the next box)

Domain is blocked by Ultimate Hosts Blacklist DNS

Where did you find this false-positive if not listed above?

I discovered this false-positive at

  • https://rtlstyling.com/posts/rtl-styling/
  • https://codepen.io/tinymce/pen/QWNpjbg
@phishing-database-bot
Member

Verification Required

@smed79, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:

  1. Set a DNS TXT record for the domain(s) listed in this issue with the following details:

    • Record Name: _phishingdb
    • Record Value: antiphish-37c7f74f6c41e5733d3dea4d73b41669f480c3e5

    Your Verification ID: antiphish-37c7f74f6c41e5733d3dea4d73b41669f480c3e5

  2. Wait for DNS propagation (this may take a few minutes to a few hours).

  3. Reply to this issue once the TXT record has been set.

Important Notes

  • Verification does not guarantee whitelisting. The Phishing.Database team will review your report after verifying ownership, but the decision to whitelist depends on further investigation and analysis.
  • If the record cannot be set or you need alternative methods of verification, please contact us at [email protected] - preferably from the domain's official email address.

How to Check the TXT Record?

You can verify that the TXT record is properly set using:

Thank you for your cooperation! We will address your issue as soon as possible after verification.

The Phishing.Database Project Team.
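
An added example, not part of the bot's message or the Phishing.Database tooling: a POSIX shell check that a `dig +short TXT` answer for the `_phishingdb` record carries the verification ID exactly. The function names and the sample answer are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the Phishing.Database bot's code). Function names are
# hypothetical; the sample answer below is constructed.

# txt_answer_has_id ANSWER ID
# ANSWER is the output of `dig +short TXT <name>`: one TXT record per line,
# each made of one or more double-quoted character-strings.
# Exit status: 0 = ID present, 1 = absent (or not propagated yet), 2 = usage.
txt_answer_has_id() (
    answer=$1 id=$2
    [ -n "$id" ] || exit 2
    while IFS= read -r record; do
        # Join a record split into several strings ("abc" "def" -> abcdef)
        # and drop the outer quotes.
        value=$(printf '%s\n' "$record" |
            sed -e 's/" "//g' -e 's/^"//' -e 's/"$//')
        # Exact match only: a record that merely contains the ID is rejected.
        if [ "$value" = "$id" ]; then exit 0; fi
    done <<EOF
$answer
EOF
    exit 1
)

# check_phishingdb_txt DOMAIN ID: live lookup of the record the bot asks for.
check_phishingdb_txt() {
    txt_answer_has_id "$(dig +short TXT "_phishingdb.$1")" "$2"
}

# Constructed answer: an unrelated SPF record plus the ID split in two strings.
SAMPLE_ANSWER='"v=spf1 -all"
"antiphish-EXAMPLE" "0000"'

txt_answer_has_id "$SAMPLE_ANSWER" "antiphish-EXAMPLE0000" &&
    echo "verification ID found"
```

Querying each authoritative name server directly (`dig @<ns> ...`) separates a record that was never set from one that has simply not propagated to the resolver in use.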

@spirillen
Contributor

spirillen commented Mar 3, 2025

Search results

Lookup provided by My Privacy DNS

Hosts-Sources

External Hosts-Sources can be found here

Ultimate.Hosts.Blacklist1.csv:cdpn.io

Sorted result

EasyList

easylist/easylist_allowlist.txt:@@||cdpn.io^$generichide

Matrix blacklist project

Matrix blacklist project, Filtered

Response Policy Zone - RPZ

Did not find any matching RPZ records

Known Issues

DNS lookup

albert.ns.cloudflare.com.
kristin.ns.cloudflare.com.

HTTP header

HTTP response, click to expand
HTTP/2 301 
date: Mon, 03 Mar 2025 15:22:48 GMT
content-type: text/html
location: https://codepen.io/
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
cache-control: no-cache
x-request-id: c883273c-2c02-457b-b65f-769fa0cc709a
x-runtime: 0.001508
cf-cache-status: DYNAMIC
strict-transport-security: max-age=31536000; includeSubDomains; preload
set-cookie: __cfruid=9cc735e83b29c7c9db88ff3a64767248ee883c65-1741015368; path=/; domain=.cdpn.io; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 91aa21a5cc0cfe94-AMS

HTTP/2 403 
date: Mon, 03 Mar 2025 15:22:49 GMT
content-type: text/html; charset=UTF-8
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="91aa21a96b621c7c"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: PZ28PYR/D+m5T5uMWAeyXD9JBMJzKW+oba4+PLYOJuaS8cn/Az55Ql2/YC/OI4fQO8asoWyWLwt8x3quKYoenNAtiwfdc24iW1wCF9Ua5SFd0qU1BEVI/z6zI70PzDYKFhUyQj5KfnAEL4+ZdynLfw==$C+PPfmoCmTg0Pe1pkFv7CQ==
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
set-cookie: __cf_bm=UpQSGRnlU9rV9tmN1s6TP4H1jDIY2vrnrasL89TH3uk-1741015369-1.0.1.1-Z3PUdwk5sEthe2cKtxRgZuAABa.L.QgLUhsttrWzTwwL53ev32ESXbERdevIG9qyz1wzRSWaph1zF2FXqJq5rOuG94oWGF99cQLm9KlTEoQ; path=/; expires=Mon, 03-Mar-25 15:52:49 GMT; domain=.codepen.io; HttpOnly; Secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: cloudflare
cf-ray: 91aa21a96b621c7c-AMS
alt-svc: h3=":443"; ma=86400

@spirillen
Contributor

@smed79 thanks for your contribution and continued work in making the internet a safer place to be.

In this case, I can't find the domain in the PD project at time of testing, and as you can see in the search result above, UHB is the only stakeholder of the domain in question, and that whitelist is yours to manage 😜

:~$ pyfunceble $(sd cdpn.io)
:~$ 

@smed79
Author

smed79 commented Mar 3, 2025

cdpn.io is found in mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt

I have already whitelisted the domain in Ultimate-Hosts-Blacklist/whitelist@17782c8

@spirillen
Contributor

spirillen commented Mar 3, 2025

cdpn.io is found in mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt

Hmm, that one should not be used due to the new structures, then only lists hosted via phish.co.za should be considered active.

My search library just updated ~2 hours ago, and I still only find this record on UHB

Ultimate.Hosts.Blacklist1.csv:cdpn.io

But searching the list manually.. hrmm

So https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-domains-ACTIVE.txt are not in https://phish.co.za/latest/ALL-phishing-domains.lst

And new knowledge... the PD is still hosted on GH as usual...

https://phish.co.za/latest/ = https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/

@spirillen
Contributor

And it is also on the phishing-links-ACTIVE.txt list, but not on ALL-phishing-links.lst??? Seems like a BUG to me

@spirillen
Contributor

spirillen commented Mar 3, 2025

Opened this bug to the issue Phishing-Database/dev-center#21
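
An added example, not code from this thread or the Phishing.Database project: a shell check for the inconsistency reported above, listing entries present in an ACTIVE domain list but missing from the ALL list. It assumes ACTIVE is meant to be a subset of ALL; the function names and the sample lists are constructed.

```shell
#!/bin/sh
# Added example. Assumption: every entry of phishing-domains-ACTIVE.txt is
# expected to appear in ALL-phishing-domains.lst. Names are hypothetical.

# normalize_list FILE: one lowercase domain per line, sorted and unique,
# with CRs, comments, surrounding whitespace and blank lines removed.
normalize_list() {
    tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e '/^$/d' |
        LC_ALL=C sort -u
}

# missing_from_all ACTIVE_FILE ALL_FILE: print entries found only in ACTIVE.
missing_from_all() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    normalize_list "$1" > "$tmp/active"
    normalize_list "$2" > "$tmp/all"
    # comm needs both inputs sorted in the same collation order.
    LC_ALL=C comm -23 "$tmp/active" "$tmp/all"
)

# Constructed sample lists mirroring the thread: cdpn.io is in ACTIVE only.
# The ALL list uses CRLF and mixed case to show why normalization matters.
demo_missing() (
    d=$(mktemp -d) || exit 2
    trap 'rm -rf "$d"' EXIT
    printf 'cdpn.io\nexample-phish.test\n' > "$d/phishing-domains-ACTIVE.txt"
    printf 'Example-Phish.test\r\nother.test\n' > "$d/ALL-phishing-domains.lst"
    missing_from_all "$d/phishing-domains-ACTIVE.txt" \
        "$d/ALL-phishing-domains.lst"
)

demo_missing
```

The lowercasing step suits domain lists only; for the links lists, URL paths are case-sensitive and should be compared as they are.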

@spirillen
Contributor

DNS lookup

albert.ns.cloudflare.com.
kristin.ns.cloudflare.com.

HTTP header

HTTP response, click to expand
HTTP/2 301 
date: Mon, 03 Mar 2025 23:22:19 GMT
content-type: text/html
location: https://codepen.io/
x-frame-options: SAMEORIGIN
x-xss-protection: 0
x-content-type-options: nosniff
x-download-options: noopen
x-permitted-cross-domain-policies: none
referrer-policy: strict-origin-when-cross-origin
cache-control: no-cache
x-request-id: c9f73dbb-5e38-42be-9abf-ef25e2f9e62a
x-runtime: 0.001159
cf-cache-status: DYNAMIC
strict-transport-security: max-age=31536000; includeSubDomains; preload
set-cookie: __cfruid=3972c91c45c46e2081de855c6937bbca918b9461-1741044139; path=/; domain=.cdpn.io; HttpOnly; Secure; SameSite=None
server: cloudflare
cf-ray: 91ace00c6f8f9912-ARN

HTTP/2 103 
link: <https://cpwebassets.codepen.io/assets/global/global-0aafd1a51fca612512fd0a53633bbb6b309bc333556e228c2d825840dc2907f0.css>; as=style; nopush; rel=preload, <https://cpwebassets.codepen.io/assets/page/page-5b7ce149f53f8ac582c4c77b6021bb7d2a6c76dd6534e38eb5103a815483401e.css>; as=style; nopush; rel=preload, <https://cpwebassets.codepen.io/assets/packs/css/everypage-a4fd3487.css>; as=style; nopush; rel=preload, <https://cpwebassets.codepen.io/assets/common/browser_support-2c1a3d31dbc6b5746fb7dacdbc81dd613906db219f13147c66864a6c3448246c.js>; as=script; nopush; rel=preload, <https://cpwebassets.codepen.io/assets/packs/js/vendor-6885699fa9cd41b45132.chunk.js>; as=script; nopush; rel=preload, <https://cpwebassets.codepen.io/assets/packs/js/3-31ec70b7e16c94036f8e.chunk.js>; as=script; nopush; rel=preload, <https://cpwebassets.codepen.io/assets/packs/js/everypage-15d781ae685be328ff21.js>; as=script; nopush; rel=preload, <https://cpwebassets.codepen.io/assets/packs/js/referrer-tracking-fc194a7add89b04aded3.js>; as=script; nopush; rel=preload

HTTP/2 403 
date: Mon, 03 Mar 2025 23:22:19 GMT
content-type: text/html; charset=UTF-8
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cf-mitigated: challenge
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
server-timing: chlray;desc="91ace00f6e065f14"
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-chl-out: 089A3yVzaVjyNzD1fH8lL2mRvEhvob02Vn49NkIIehcROwoyHX+pkKj/NljuyJKw7KEauAy1wljOTuBEcKcztFsRsxfuU0agL5Ts/AVBS6bL8+ptFON3r6Q2ZKK0+btsAXNsh/XitzPkCxiyfia5IQ==$umgf6w4XEQ7wWmLLesMwgg==
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
set-cookie: __cf_bm=nuEhDP9VjqzxGPEqa4eiQOofkA7kCpSdipyb1T0RjtQ-1741044139-1.0.1.1-Kjm8Br3ugPEA6dHJt9xYhXaCNbUp3zYs_MTIkrASb5Gki.BKmiVhqz7N59uocBRuuPgexzBnbh98K4HF7I.BDCVhoqc0F.WXiDsoDISW5Jg; path=/; expires=Mon, 03-Mar-25 23:52:19 GMT; domain=.codepen.io; HttpOnly; Secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
server: cloudflare
cf-ray: 91ace00f6e065f14-ARN
alt-svc: h3=":443"; ma=86400

@smed79
Author

smed79 commented Mar 4, 2025

@funilrys Input sources for Ultimate Hosts Blacklist Hosts are outdated and need to be rethought as they become unreachable, dead or not maintained.

e.g.

inaccessible
BadIPs.com_Level_3
BadIPs.com_Level_4
BadIPs.com_Level_5
malc0de.com

obsolete
justdomains_mirror1.malwaredomains.com
MalwareDomainList.com

self deleted
ZeroDot1_CoinBlockerLists
ZeroDot1_CoinBlockerLists_browser
see info.txt

@spirillen
Contributor

see info.txt

@smed79 does that mean you have stopped maintaining all your list projects?

@smed79
Author

smed79 commented Mar 10, 2025

I still help for maintaining "NoCoin adblock list" and other projects.

CoinBlockerLists, It's not my list and was not maintained by me but by ZeroDot1.

See WaLLy3K/wally3k.github.io#215 (comment)

@spirillen
Contributor

I still help for maintaining "NoCoin adblock list" and other projects.

CoinBlockerLists, It's not my list and was not maintained by me but by ZeroDot1.

See WaLLy3K/wally3k.github.io#215 (comment)

You're right, it was just that you posted the link to that post 😉

@phishing-database-bot phishing-database-bot added the false positive Should not be listed label Apr 10, 2025
@phishing-database-bot
Member

Closing.

Domain(s) or IP(s) not found in the Phishing.Database project: cdpn.io, rtlstyling.com, codepen.io.

-- We appreciate your help in refining this. Please let us know if anything seems incorrect.
