Our nemesis revealed!


Our hosting company has received a complaint that freethoughtblogs.com has been engaging in fraudulent activities by scamming individuals out of their money and personal information. They provide no specifics.

Also, the name of the complainant is Deathlord Al-Zawahiri. I tremble in fear.

I do not see how Bluehost could possibly take this bullshit seriously, but now I get to try and resolve the potential problem. If we suddenly go offline, blame Deathlord Al-Zawahiri.

Comments

  1. says

    Well, this is fun. I’m trying to respond to this complaint before we get shut down, and am apparently chatting with someone from India very very slowly. While they sent the complaint to me at my address, they are now trying to confirm it’s me by pinging Ed Brayton’s email account.
    I hope it works, it’d be nice to say hi to Ed again, even if he is going to be pissed about being resurrected by a South Asian call center.

  2. lanir says

    Looks like a DNS issue at the moment.

    If you know how, you can check the “whois” for the domain. I did just to see if it expired and got bought by scammy people. But it also has DNS servers listed for the domain. Those are cloudflare systems that give the right IP address. But even cloudflare’s 1.1.1.1 public DNS server doesn’t relay these IP addresses. So yeah, someone doesn’t like you and DNS is just how they’re yanking your chain.

    You can reach the site like I did by linking the hostname to the correct IP in a hosts file but I’d be surprised if very many people did that. It’s a bit convoluted.

  3. Allison says

    You can reach the site like I did by linking the hostname to the correct IP in a hosts file but I’d be surprised if very many people did that. It’s a bit convoluted.

    Yeah, that’s how I got here. Using the IP address as a URL doesn’t work, though — cloudflare doesn’t like it.

  4. Owlmirror says

    According to the freethoughtblogs whois record, the name servers are:

    Name Server: DINA.NS.CLOUDFLARE.COM
    Name Server: MATT.NS.CLOUDFLARE.COM

    And those name servers resolve just fine:

    $ nslookup DINA.NS.CLOUDFLARE.COM

    Non-authoritative answer:
    Name: DINA.NS.CLOUDFLARE.COM
    Address: 173.245.58.107
    Name: DINA.NS.CLOUDFLARE.COM
    Address: 172.64.32.107
    Name: DINA.NS.CLOUDFLARE.COM
    Address: 108.162.192.107
    Name: DINA.NS.CLOUDFLARE.COM
    Address: 2803:f800:50::6ca2:c06b
    Name: DINA.NS.CLOUDFLARE.COM
    Address: 2606:4700:50::adf5:3a6b
    Name: DINA.NS.CLOUDFLARE.COM
    Address: 2a06:98c1:50::ac40:206b

    $ nslookup MATT.NS.CLOUDFLARE.COM

    Non-authoritative answer:
    Name: MATT.NS.CLOUDFLARE.COM
    Address: 172.64.33.131
    Name: MATT.NS.CLOUDFLARE.COM
    Address: 173.245.59.131
    Name: MATT.NS.CLOUDFLARE.COM
    Address: 108.162.193.131
    Name: MATT.NS.CLOUDFLARE.COM
    Address: 2a06:98c1:50::ac40:2183
    Name: MATT.NS.CLOUDFLARE.COM
    Address: 2606:4700:58::adf5:3b83
    Name: MATT.NS.CLOUDFLARE.COM
    Address: 2803:f800:50::6ca2:c183

    And DINA (172.64.32.107, among other addresses) knows how to resolve freethoughtblogs.com:

    $ nslookup freethoughtblogs.com 172.64.32.107
    Server: 172.64.32.107
    Address: 172.64.32.107#53

    Name: freethoughtblogs.com
    Address: 104.21.234.50
    Name: freethoughtblogs.com
    Address: 104.21.234.51

    I put the above address for DINA in my router DNS settings, and that’s how I got here.

    … Are you sure the problem is with Bluehost, and not with Cloudflare? Maybe the false claim to Bluehost was itself a red herring, or only one prong of the attack.

  5. Owlmirror says

    Holy shit.
    I just went back and checked the WHOIS record.

    I’m not pasting the whole thing, but:

    Domain Name: FREETHOUGHTBLOGS.COM
    Registry Domain ID:
    Registrar WHOIS Server: whois.fastdomain.com
    Registrar URL: http://www.fastdomain.com
    Updated Date: 2024-02-25T16:18:31Z
    Creation Date: 2011-02-17T16:31:40Z
    Registrar Registration Expiration Date: 2026-02-17T16:31:40Z
    Registrar: FastDomain Inc.
    Registrar IANA ID: 1154
    Reseller:
    Domain Status: clientHold https://icann.org/epp#clientHold
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

    … You might want to check that “clientHold” link

    clientHold
    client hold

    This status code tells your domain’s registry to not activate your domain in the DNS and as a consequence, it will not resolve. It is an uncommon status that is usually enacted during legal disputes, non-payment, or when your domain is subject to deletion.

    Often, this status indicates an issue with your domain that needs resolution. If so, you should contact your registrar to resolve the issue. If your domain does not have any issues, but you need it to resolve, you must first contact your registrar and request that they remove this status code.

    Legal disputes?
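    The two observations above fit together: clientHold means the registry does not publish the domain's NS delegation in the .com zone, so dina/matt answer a direct query (comment 4) while any recursive resolver comes up empty. The following is an added example, not code from the thread or from any of the companies named in it: it parses a registrar WHOIS record, flags the EPP statuses that by themselves stop resolution, and checks the expiry date. The status descriptions follow ICANN's EPP status page; the sample record is assembled from the lines quoted in comments 4 and 5, not from a live lookup.

```python
"""Added example: read a registrar WHOIS record and say whether an EPP status,
rather than the name servers, is what stops the domain from resolving."""
import re
from datetime import datetime, timezone

# EPP status codes under which the registry leaves the domain out of the TLD
# zone (no NS delegation published), so recursive resolvers such as 1.1.1.1
# get nothing even though the domain's own name servers still answer.
NON_RESOLVING_STATUSES = {
    "clientHold": "registrar told the registry to keep the domain out of the zone",
    "serverHold": "the registry itself is holding the domain out of the zone",
    "inactive": "no name servers are associated with the domain",
    "redemptionPeriod": "domain was deleted and removed from the zone",
    "pendingDelete": "domain is being purged and is not in the zone",
}

_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")
_DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_whois(text):
    """Collect 'Key: value' lines (repeated keys accumulate, e.g. Domain Status)."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2))
    # "clientHold https://icann.org/epp#clientHold" -> "clientHold"
    statuses = [v.split()[0] for v in fields.get("Domain Status", []) if v]
    name_servers = [v.lower().rstrip(".") for v in fields.get("Name Server", []) if v]
    return {"fields": fields, "statuses": statuses, "name_servers": name_servers}


def resolution_blockers(statuses):
    """The subset of statuses that by themselves make the domain not resolve."""
    return {s: NON_RESOLVING_STATUSES[s] for s in statuses if s in NON_RESOLVING_STATUSES}


def is_expired(info, now):
    """True if the registrar expiration date is before `now` (an ISO 'Z' string)."""
    expiry = info["fields"].get("Registrar Registration Expiration Date", [""])[0]
    if not expiry:
        return False
    exp = datetime.strptime(expiry, _DATE_FMT).replace(tzinfo=timezone.utc)
    return datetime.strptime(now, _DATE_FMT).replace(tzinfo=timezone.utc) > exp


def diagnose(text, now):
    """Where to look first when a domain stops resolving."""
    info = parse_whois(text)
    blockers = resolution_blockers(info["statuses"])
    registrar = (info["fields"].get("Registrar") or ["unknown registrar"])[0]
    if blockers:
        verdict = (f"registry-level hold ({', '.join(blockers)}): the listed name servers "
                   f"still answer direct queries, but no delegation is published, so "
                   f"recursive resolvers fail; ask {registrar} to clear the status")
    elif is_expired(info, now):
        verdict = f"registration expired; renew through {registrar}"
    elif not info["name_servers"]:
        verdict = "no name servers listed; nothing to delegate to"
    else:
        verdict = "no registry-level hold; check the name servers and the zone itself"
    return {"blockers": blockers, "registrar": registrar,
            "name_servers": info["name_servers"], "verdict": verdict}


# Sample input assembled from the record quoted in the comments above
# (status lines from comment 5, name servers from comment 4); not a live lookup.
SAMPLE_WHOIS = """\
Domain Name: FREETHOUGHTBLOGS.COM
Registrar WHOIS Server: whois.fastdomain.com
Registrar URL: http://www.fastdomain.com
Updated Date: 2024-02-25T16:18:31Z
Creation Date: 2011-02-17T16:31:40Z
Registrar Registration Expiration Date: 2026-02-17T16:31:40Z
Registrar: FastDomain Inc.
Registrar IANA ID: 1154
Reseller:
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: DINA.NS.CLOUDFLARE.COM
Name Server: MATT.NS.CLOUDFLARE.COM
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_WHOIS, "2024-03-01T00:00:00Z")["verdict"])
```

    To confirm the same thing from the DNS side, ask a .com server directly without recursion (for example `dig +norecurse @a.gtld-servers.net freethoughtblogs.com NS`): under clientHold it returns no delegation, while the same query sent to dina.ns.cloudflare.com still returns the A records.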

  6. Owlmirror says

    The whois record has PZ’s contact details for both Registrant and Admin. The Registrant name does say
    -PLEASE SELECT-,
    but the other details match.

    Ed Brayton left Freethoughtblogs for Patheos many years ago (2015, I think), and I would have thought that the freethoughtblogs domain handover to PZ was done at that time.

  7. xohjoh2n says

    @7:

    You can reach the site like I did by linking the hostname to the correct IP in a hosts file but I’d be surprised if very many people did that. It’s a bit convoluted.

    Well, the hardest bit (after it was indicated that this is only a DNS issue) was finding the right IP to put in there. I figured that finding what anyone else using cloudflare gets would be a good start, but then you have to find someone else that uses cloudflare, and while cloudflare errors are relatively frequent I don’t remember exactly where I’ve seen them before… I tried googling “blogs that use cloudflare” not really expecting to get very far, but the #2 hit on that was “The Cloudflare Blog” (doh!) and they dogfood.

  8. Hj Hornbeck says

    Dang, that last link is quite handy. Thanks for sharing! In case anyone hasn’t figured out the /etc/hosts entries by now, they’re:

    104.21.234.50 freethoughtblogs.com
    104.21.234.51 freethoughtblogs.com

    Not much to report from this side of the fence. Bluehost is not budging, and PZ continues to work the case. Grabbing another domain and pointing it to the hardware is only a partial solution, as parts of the site could break, but that’s still an option.

  9. xohjoh2n says

    “not budging” in the sense of upholding the complaint, or in the sense of quibbling about who has authority to even make the argument?

  10. xohjoh2n says

    Also, it can work for Windows users too: the file is C:\Windows\System32\drivers\etc\hosts (assuming you’re installing on C: and under a directory called Windows, both of which are negotiable but you would probably know that if you chose differently…)

  11. lanir says

    It looks like PZ is set up as the admin contact for the domain as far as I can tell. I don’t see anything about Ed Brayton in the whois data. I’ve never had to do this myself but it looks like PZ could just reach out to the registrar at http://www.fastdomain.com and get them to fix it. They can reach out using the admin contact info in the whois record.

    Of course if bluehost are being jerks they could always stop the site at the webserver. But regaining control of the domain to use elsewhere would not be an issue. Just have to make sure to either manually remove bluehost as the tech contact on the domain or ask fastdomain to do it ASAP.

    In short if problems persist it looks like the domain could be salvaged even if working with the hosting provider proves to be a dead end.

  12. xohjoh2n says

    @19:

    Bluehost appear to be the registrar who have placed the block on the domain – hosting is elsewhere and I doubt they have any influence over that at all. Bluehost and FastDomain are both subsidiaries of EIG, but for certain functions (like I suspect domain registration) they are going to be effectively the same thing.

    Unfortunately that means bluehost are absolutely the ones you need to play ball on this and if they don’t, taking it to ICANN might be the only avenue.

    More unfortunately, the complaint letter shows both a lack of English and a lack of thinking which makes achieving anything at the very least within their customer support function unlikely.

  13. Owlmirror says

    Only problem with that is if you actually go to the fastdomain website, you will see, in the corner: “Powered by Bluehost.”

    Still, it might be worth trying to contact them anyway. Maybe the problem really is with a different department, and a different technical support line will be able to connect to someone who can actually fix things.

    https://www.fastdomain.com/contact_us

    Technical Support
    Help Center: Click here
    Telephone: 888-210-3278
    Outside the U.S.: +1801-765-9400
    Telephone support is available
    24 hours a day 7 days a Week

  14. Owlmirror says

    Sudden horrible paranoid thought:
    It couldn’t be possible that “Deathlord Al-Zawahiri” is in fact an employee of Bluehost, and he is deliberately keeping the issue open and the domain in “Client Hold” state, could it?

  15. Owlmirror says

    Has anyone pointed out to PZ, and the Pharyngula bloggers, that they can get back in to the server here using the hosts file or adding the cloudflare name server to their own router DNS config? I thought he knew, but it occurs to me that perhaps he doesn’t.

  16. Hj Hornbeck says

    It couldn’t be possible that “Deathlord Al-Zawahiri” is in fact an employee of Bluehost, and he is deliberately keeping the issue open and the domain in “Client Hold” state, could it?

    I doubt it, the dates in the WHOIS records point to some automated process causing the issue. Still, stranger things have happened.

    Has anyone pointed out to PZ, and the Pharyngula bloggers, that they can get back in to the server here using the hosts file or adding the cloudflare name server to their own router DNS config?

    Yep, I did it four days ago, and he picked up what I was putting down.

  17. raven says

    A miracle has occurred.

    Pharyngula has been resurrected from the dead.
    And, this time there are a lot of witnesses and documentation.

    I have no idea how PZ Myers did it but congratulations.

  18. Hj Hornbeck says

    Bad news, it seems the domain is out of our control for some time. In the meantime, I’ve set up a temporary workaround: proxy.freethought.online takes advantage of nginx’s ability to act like a proxy, and essentially does a Mallory-in-the-middle attack on FtB’s webserver. All links are re-written on-the-fly, and I’m even able to log into my account and post comments.

    I’ll pitch PZ on something less duct-tape and bailing wire, reconfiguring FtB’s servers to work with another domain name, but this’ll do temporarily.
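    What a proxy like the one described above has to do on every hop, as an added example (my own code, not Hj Hornbeck's nginx configuration and not anything from the project): the request to the origin must carry the real site's Host header and ask for an uncompressed body, and the response needs its redirects, cookie scope and absolute links rewritten, with Content-Length recomputed afterwards. In nginx these are the jobs of proxy_set_header, proxy_redirect, proxy_cookie_domain and sub_filter. The hostnames are the two from the thread; the origin response is constructed, and the proxy is assumed to terminate TLS, so rewritten links get the https scheme.

```python
"""Added example: what a link-rewriting reverse proxy has to do to each request
and response so a browser talking to PROXY ends up reading UPSTREAM."""
import re

UPSTREAM = "freethoughtblogs.com"        # the real site (from the thread)
PROXY = "proxy.freethought.online"       # the temporary front door (from the thread)


def _host_re(host):
    # https://host, http://host or //host, followed by a path, quote, whitespace,
    # closing bracket or end of string; subdomains of host are deliberately not matched.
    return re.compile(r"(?:https?:)?//" + re.escape(host) + r"(?=[/\"'\s<>)]|$)", re.I)


def upstream_request(headers, proxy_host=PROXY, upstream_host=UPSTREAM):
    """Headers for the proxied request.  Host must name the real site, since the
    origin (or its CDN) selects the virtual host from it; Accept-Encoding is set
    to identity so the body comes back uncompressed and can be rewritten."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("host", "accept-encoding")}
    out["Host"] = upstream_host
    out["Accept-Encoding"] = "identity"
    out["X-Forwarded-Host"] = proxy_host     # lets the origin log the real front door
    return out


def rewrite_body(text, upstream_host=UPSTREAM, proxy_host=PROXY):
    """Point every absolute link at the proxy; relative links need no change."""
    return _host_re(upstream_host).sub("https://" + proxy_host, text)


def rewrite_response(status, headers, body, upstream_host=UPSTREAM, proxy_host=PROXY):
    """Rewrite redirects, cookie scope and textual bodies; recompute Content-Length."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("content-encoding", "identity").lower() != "identity":
        raise ValueError("compressed body: cannot rewrite, request identity upstream")
    out = {}
    for k, v in headers.items():
        kl = k.lower()
        if kl == "location":                           # redirects
            v = rewrite_body(v, upstream_host, proxy_host)
        elif kl == "set-cookie":                       # cookie Domain attribute
            v = re.sub(r"(?i)(;\s*domain=)\.?" + re.escape(upstream_host),
                       lambda m: m.group(1) + proxy_host, v)
        elif kl == "content-length":
            continue                                   # recomputed after rewriting
        out[k] = v
    ctype = lower.get("content-type", "")
    if ctype.startswith(("text/", "application/json", "application/javascript")):
        body = rewrite_body(body, upstream_host, proxy_host)
    out["Content-Length"] = str(len(body.encode("utf-8")))
    return status, out, body


# Constructed origin response (not captured from the real site).
SAMPLE_RESPONSE = (
    "200 OK",
    {"Content-Type": "text/html; charset=utf-8",
     "Content-Length": "0",
     "Set-Cookie": "session=abc; Domain=.freethoughtblogs.com; Path=/; Secure"},
    '<a href="https://freethoughtblogs.com/pharyngula/">Pharyngula</a>\n'
    '<img src="//freethoughtblogs.com/img/logo.png">\n'
    '<a href="/pharyngula/feed/">relative links stay as they are</a>\n',
)

if __name__ == "__main__":
    _, hdrs, html = rewrite_response(*SAMPLE_RESPONSE)
    print(hdrs)
    print(html)
```

    The compressed-body check is the part people trip over: a rewriter can only edit what it can read, so the proxy must not forward the browser's Accept-Encoding to the origin. Links to other hostnames (subdomains included) are left alone on purpose; add a rule per host if the site spans several.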

  19. raven says

    Has anyone pointed out to PZ, and the Pharyngula bloggers, that they can get back in to the server here using the hosts file or adding the cloudflare name server to their own router DNS config?

    Yep, I did it four days ago, and he picked up what I was putting down.

    I’m sure this is a good idea.

    Well, almost sure.
    Is there any way to translate this to English for people like myself who aren’t internet experts.

    What are hosts files, where do I find the “cloudflare name server”, and where do I find my router DNS config?

  20. raven says

    Ayman Mohammed Rabie al-Zawahiri (19 June 1951 – 31 July 2022) was an Egyptian-born militant and physician who served as the second general emir of al-Qaeda from June 2011 until his death in July 2022.

    Ayman al-Zawahiri – Wikipedia: https://en.wikipedia.org/wiki/Ayman_al-Zawahiri

    As most have picked up, the troll Deathlord Al-Zawahiri is claiming to be an al-Qaeda Islamic terrorist.
    He is named after al-Zawahiri, the previous leader of al-Qaeda, killed by US forces in 2022.

    If you can’t trust an Islamic terrorist, who can you trust?

  21. StevoR says

    @ ^ raven : Trust to do what?

    Our nemesis defeated..

    At least for now..

    Here’s hoping he stays defeated. Anything we can do to help it stay that way?

  22. drivenb4u says

    So what was that all about? Anyone care to give a TLDR?

    I know it’s not PZ’s fault but it’s kind of annoying when FtB goes down for days at a time.

  23. Silentbob says

    I take it issues are ongoing but Hornbeck’s done some magic as a temporary fix. (Thanks Hornbeck.) See # 26.

  24. Silentbob says

    Maybe he’ll do a post on his own blog to explain what’s going on. (Reprobate Spreadsheet)

  25. Matthew Currie says

    A little clarification would be appreciated. I tried just entering the numerical address in the browser, and got a message from Cloudflare that it could not be accepted. If I enter the number and domain name in the browser, it sends me to an information site, but not to freethoughtblogs itself. I added the number and the domain name to the Hosts file, but since now everything is working again I’m not sure whether this would work by itself or whether something else would be required.

    It’s been a long time since I played with hosts. Long ago I had DNS server issues, and added a few sites to the file for when the servers got messed up, and had a few dead-ends for off-site advertisers that hung up the browser, but haven’t needed to do it recently.

  26. xohjoh2n says

    @33:

    I added the number and the domain name to the Hosts file, but since now everything is working again I’m not sure whether this would work by itself or whether something else would be required.

    Nope, that is enough to bypass the failing DNS.

  27. Owlmirror says

    A little clarification would be appreciated. I tried just entering the numerical address in the browser, and got a message from Cloudflare that it could not be accepted.

    I think that the reason that the numerical address doesn’t work is because a browser sends a “Host” string as part of the request. Websites are virtualized, and I suspect that the numerical address might serve more than one virtualized website running on their internal network. Without the correct Host string, the server can’t know which server you actually want.

    Another possibility is that a DDOS might be based on just the IP address. So a cheap DDOS safeguard is to reject bare IP address requests. It’s obviously not perfect, since the DDOSers can add the Host header as well, but it’s something.
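    The first explanation above is the usual one, and it can be shown in code. The following is an added example (mine, not the thread's and not Cloudflare's logic, whose real rules are not on this page): a minimal virtual-host dispatcher that selects the site from the Host header the browser sends. With the hosts-file trick the browser still sends `Host: freethoughtblogs.com`, so the right tenant is chosen; with a bare IP in the address bar it sends the address itself, which names no tenant on a shared edge. The tenant table is constructed for the example.

```python
"""Added example: a minimal virtual-host dispatcher, to show why a bare IP in the
address bar gets refused while the same server answers for the hostname."""
import ipaddress
from urllib.parse import urlsplit


def browser_host_header(url):
    """The Host value a browser sends for a URL: the authority part, unchanged."""
    return urlsplit(url).netloc


def normalize_host(value):
    """Lower-case, drop port and trailing dot; return (host, is_ip_literal).
    Raises ValueError for a malformed bracketed IPv6 literal."""
    host = value.strip().lower()
    if host.startswith("["):                       # e.g. [2606:4700::1]:443
        end = host.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        literal = host[1:end]
        ipaddress.IPv6Address(literal)             # ValueError if not an address
        return literal, True
    host = host.split(":", 1)[0].rstrip(".")
    try:
        ipaddress.IPv4Address(host)
        return host, True
    except ValueError:
        return host, False


def parse_request_head(raw):
    """Split the head of a request into (method, target, version, headers);
    header names are lower-cased and repeated headers are kept as a list."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ")      # ValueError if malformed
    headers = {}
    for line in header_lines:
        name, _, val = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(val.strip())
    return method, target, version, headers


def route(raw, vhosts):
    """Pick the site for a raw request.  Returns (status, site or reason)."""
    try:
        _, _, version, headers = parse_request_head(raw)
    except ValueError:
        return 400, "malformed request line"
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        # HTTP/1.1 requires exactly one Host header; a request without one
        # gives us nothing to select on, so it is refused as well.
        return 400, f"expected one Host header, got {len(hosts)} ({version})"
    try:
        host, is_ip = normalize_host(hosts[0])
    except ValueError:
        return 400, "invalid Host header"
    if is_ip:
        # Many tenants share this address; the address alone names none of them.
        return 400, "IP literal in Host: no site can be selected by address alone"
    site = vhosts.get(host)
    if site is None:
        return 421, "Misdirected Request: this server does not serve that host"
    return 200, site


# Constructed tenant table (an assumption for the example, not a real one).
VHOSTS = {"freethoughtblogs.com": "ftb", "other.example": "other tenant"}

if __name__ == "__main__":
    for url in ("https://104.21.234.50/", "https://freethoughtblogs.com/"):
        req = f"GET / HTTP/1.1\r\nHost: {browser_host_header(url)}\r\n\r\n".encode()
        print(url, "->", route(req, VHOSTS))
```

    Refusing IP literals outright is a policy choice; the same dispatcher could fall back to a default site instead, which is what a single-tenant server typically does.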

  28. Owlmirror says

    @Hj Hornbeck: It looks like the ClientHold status is no longer on the domain, so why are any workarounds needed?

  29. Matthew Currie says

    Thanks for the clarification. With luck the host file will not be needed anyway, but it’s good to know.

  30. Owlmirror says

    What are hosts files, where do I find the “cloudflare name server”, and where do I find my router DNS config?

    1) Hosts files are simple text files that contain the numerical addresses that the internet routing system uses, and a text string that corresponds to the server that you want.
      1a) On Unix(-like) systems, this file is located at /etc/hosts

      1b) On Windows(-like) systems, this file is located at
    C:\Windows\System32\drivers\etc\hosts
    It even has a brief header explaining what the file is and how entries should look.

    As noted, adding these entries will allow connections to freethoughtblogs to be made:

    104.21.234.50 freethoughtblogs.com
    104.21.234.51 freethoughtblogs.com

      1c) Doing this on an Android or iOS tablet or phone is possible but very painful, involving rooting/jailbreaking the device.

    3) “router DNS config”
      3a) Note that the details I give below can vary! Don’t assume that everything I write applies to your network. You should have manuals or other materials that describe how your internal network is configured.
      3b) Generally speaking, if you want multiple computers/tablets/phones to all connect to the server without needing to edit the hosts file, it’s better to modify the DNS settings of the router that all of them are using. You can’t do this for a network that you don’t own, obviously, but at home, you should have a router that connects your computer and other devices to the internet. There is usually a way to configure it from a computer that is connected to it. Most use a web server. The internal network is usually set up to use the address of 192.168.1.* (where the “*” represents a number that is assigned to various computers on the network), and the router itself is usually 192.168.1.1. You would connect to the router by putting the following in your browser address bar: http://192.168.1.1/
    It will probably prompt you for a username and password. These can vary based on the router model and manufacturer. The manual that came with your router may have the default password; other routers have the passwords on stickers that are on the routers themselves. Note that there may be a different administrative username and password as well.

    Once you are connected in to your router, there should be a way to configure networking. By and large, the system will be set up to accept the default configuration provided by your ISP, and changes will not need to be made. But if you do want to connect to a server that is up, but not being resolved properly, you can change the DNS settings of your network. What you would have needed to do in this case is add the server that knows the freethoughtblogs domain as your DNS, putting in those numbers in the DNS section.

    Which brings me to:
    2) where do I find the “cloudflare name server”

    I ran the “whois freethoughtblogs.com” command (you can also do a web search, which should bring up similar information). It’s a long block of technical text, but the important parts here are these entries:

    Name Server: DINA.NS.CLOUDFLARE.COM
    Name Server: MATT.NS.CLOUDFLARE.COM

    Those are the Cloudflare DNS servers that know how to resolve freethoughtblogs.com. Those servers did not go down or have problems — they just weren’t talking to the rest of the DNS system about freethoughtblogs.com. If you look up at comment #10, you can see that I ran the nslookup command on both of those servers. Any of the IP addresses returned should work (use the addresses with periods rather than with colons) — you would just put that address as the DNS server in your router, and it should work to resolve the non-resolving domain.

    I think. As usual, I don’t know everything, and it’s possible that some configuration change may mess something else up.

  31. says

    I run my own local BIND instance, which is not entirely truthful about certain domains I don’t want bothering me; so I can just add a zone file for FTB.

  32. lanir says

    Thanks to those who noticed my technically correct answer was not very high on practical usefulness what with two things with different names being subsidiaries of the same corp. My inner cynical monopolist slash capitalist pig was asleep at the wheel (if I have one).

    As far as editing hosts files… My advice differs depending on how technically adept you are in this particular area.

    If you could follow along pretty easily with a description simply saying to grab the whois info, use the cloudflare DNS providers in it to get the IP for freethoughtblogs.com and put it in your hosts file then do whatever you like. If you screw something up you’ll figure it out sooner or later. :)
    For everyone else, I would put a number symbol (the # to be specific) at the front of the line. Doesn’t matter what OS you’re on, it works the same.

    Where before they looked like this:

    104.21.234.50 freethoughtblogs.com

    Now they should look like this:

    #104.21.234.50 freethoughtblogs.com

    If you added two lines for freethoughtblogs.com do the same for both lines.

    WHAT THIS MEANS:

    The # symbol tells your system to ignore the rest of that line. So in this case, all of it. You’re using DNS when navigating to freethoughtblogs.com again. However you still have that information there and if it goes down again you can do an internet search to find your hosts file again, edit it to remove the # in the line(s) with freethoughtblogs.com, save it (don’t forget this part!), and you’ll no longer require DNS to find the site. As long as it’s up and remains at the same place (a near certainty unless they move hosting providers).

    Congratulations, you’re now using one of the same tricks system or network administrators use when they mess up and break DNS. :)
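    The hosts-file procedure in the two comments above (adding the two lines, commenting them out with # once DNS works again, removing the # if it breaks again) can be done on the file's text without hand-editing. This is an added example of my own, not code from the thread: it validates addresses before they go in, comments entries out and back in while leaving every other line untouched, and reports what the system would actually use. The sample file is constructed; only the two freethoughtblogs.com lines come from the comments.

```python
"""Added example: manage hosts-file overrides (add, comment out, re-enable, look up)
on the file's text, leaving every other line exactly as it was."""
import ipaddress
import re

HOSTS_PATH = {"posix": "/etc/hosts", "nt": r"C:\Windows\System32\drivers\etc\hosts"}

# optional leading '#', an address, one or more names, optional trailing comment
_ENTRY_RE = re.compile(
    r"^(?P<off>#\s*)?(?P<addr>\S+)\s+(?P<names>[^#]*?)\s*(?P<comment>#.*)?$")


def _parse(line):
    """(disabled, address, [names]) for an entry line; None for comments and blanks."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["addr"])
    except ValueError:
        return None                        # ordinary comment text, not an entry
    return m["off"] is not None, m["addr"], [n.lower() for n in m["names"].split()]


def entries_for(text, hostname):
    """Every entry naming hostname: (line_index, disabled, address)."""
    hostname = hostname.lower()
    found = []
    for i, line in enumerate(text.splitlines()):
        p = _parse(line)
        if p and hostname in p[2]:
            found.append((i, p[0], p[1]))
    return found


def lookup(text, hostname):
    """Addresses the system would use: enabled entries only, in file order."""
    return [addr for _, disabled, addr in entries_for(text, hostname) if not disabled]


def set_enabled(text, hostname, enabled):
    """Prefix '#' to (or strip it from) every entry for hostname, keeping spacing."""
    wanted = {i for i, _, _ in entries_for(text, hostname)}
    out = []
    for i, line in enumerate(text.splitlines()):
        if i in wanted:
            stripped = line.lstrip()
            disabled = stripped.startswith("#")
            if enabled and disabled:
                line = stripped.lstrip("#").lstrip()
            elif not enabled and not disabled:
                line = "#" + stripped
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def invalid_addresses(addresses):
    """The strings that are not IPv4/IPv6 addresses (catches typos before saving)."""
    bad = []
    for a in addresses:
        try:
            ipaddress.ip_address(a)
        except ValueError:
            bad.append(a)
    return bad


def add_override(text, hostname, addresses):
    """Append 'address hostname' lines, skipping addresses already present."""
    bad = invalid_addresses(addresses)
    if bad:
        raise ValueError(f"not addresses: {bad}")
    present = {addr for _, _, addr in entries_for(text, hostname)}
    new = [f"{a} {hostname}" for a in addresses if a not in present]
    if not new:
        return text
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return text + sep + "\n".join(new) + "\n"


# Constructed sample file; only the two freethoughtblogs.com lines are the
# ones given in the comments above.
SAMPLE_HOSTS = """\
# Host Database (constructed sample, not a real machine's file)
127.0.0.1 localhost
::1 localhost ip6-localhost
104.21.234.50 freethoughtblogs.com
104.21.234.51 freethoughtblogs.com # second Cloudflare edge address
"""

if __name__ == "__main__":
    print(set_enabled(SAMPLE_HOSTS, "freethoughtblogs.com", False))
```

    Writing the result back needs administrator rights on every platform (the paths are in HOSTS_PATH), and the override only helps while the site really is still at those addresses, which is the caveat lanir gives above.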

  33. Hj Hornbeck says

    Silentbob:

    Maybe he’ll do a post on his own blog to explain what’s going on.

    I should, actually. It’s often very helpful to do a post-mortem after any event like this, and it would give non-technical readers an idea of what’s happening behind the scenes.

    Owlmirror:

    It looks like the ClientHold status is no longer on the domain, so why are any workarounds needed?

    It’s not! As luck would have it, I only figured out the secret sauce to make that workaround work an hour or two before Bluehost gave in, and the last messages I got from PZ were pessimistic about the domain being released. The only cost of the workarounds was an hour or two of time as I poked away at an nginx configuration file, though, so I don’t have much incentive to tear them down.

    Thanks for commenting on the technical details, as well.

  34. rietpluim says

    If it’s really Al-Zawahiri then he truly is a deathlord.
     
    But seriously, I doubt that a Muslim would choose “Deathlord Al-Zawahiri” as their nickname. I suspect it’s some Christian conservative extremist with an unhealthy obsession for Islam.