False Positive | https://eu.jotform.com #1091
Verification Required
@gorkemfilizoz, thank you for submitting a false positive report! To help us verify your ownership of the affected domain(s), please complete the following steps:
Important Notes
How to Check the TXT Record?
You can verify that the TXT record is properly set using:
Thank you for your cooperation! We will address your issue as soon as possible after verification.
The Phishing.Database Project Team.
So you admit the rest of these records are phishing??
Hi,
ptcheck
Thanks for using my tools. You forgot to set up the TXT record to verify your association with this domain.
Hi,
ptcheck jotform.com antiphish-7e9aeb8ebbc041e8cb59fe8530d93717e684927b
Thanks for using my tools.
Not good enough....
Hi,
Hi,
Thank you for your response. However, I would like to clarify that I have been receiving multiple HTTP status codes of 200. In accordance with the specifications outlined in RFC 7231, I would expect to see status codes in the following order of preference: 410 (Gone), 404 (Not Found), and ideally not 403 (Forbidden), as this indicates that the URI is still active. Your attention to this matter would be greatly appreciated.

```
# Generated by PyFunceble (v4.3.0a15.dev) / https://pyfunceble.github.io
# Date of generation: 2025-02-07T12:31:44.618689+00:00
Subject Status Source Expiration Date Registrar HTTP Code Checker Tested At
---------------------------------------------------------------------------------------------------- ----------- ---------- ----------------- ------------------------------ ---------- ------------- -------------------
http://form.jotform.com/210947733721053 ACTIVE HTTP CODE Unknown Unknown 200 AVAILABILITY 07. Feb 2025 12:31:43
https://app.jotform.com/250042702567148 ACTIVE HTTP CODE Unknown 200 AVAILABILITY 07. Feb 2025 12:31:46
http://form.jotform.com/paiement0leboncoin/leboncoin/* ACTIVE HTTP CODE Unknown 302 AVAILABILITY 07. Feb 2025 12:31:47
http://jotform.com/Willingcalvin/government-pandemic-stimulus-bonus- ACTIVE HTTP CODE Unknown 301 AVAILABILITY 07. Feb 2025 12:31:47
https://app.jotform.com/250152435283552 ACTIVE HTTP CODE Unknown 200 AVAILABILITY 07. Feb 2025 12:31:47
https://app.jotform.com/250197208695566 ACTIVE HTTP CODE Unknown 200 AVAILABILITY 07. Feb 2025 12:31:48
https://form.jotform.com/210947733721053 ACTIVE HTTP CODE Unknown 200 AVAILABILITY 07. Feb 2025 12:31:48
https://eu.jotform.com/app/250234036167349 ACTIVE HTTP CODE Unknown 200 AVAILABILITY 07. Feb 2025 12:31:48
https://form.jotform.com/22309 ACTIVE HTTP CODE Unknown 200 AVAILABILITY 07. Feb 2025 12:31:55
https://www.jotform.com/app/243137631990156 ACTIVE HTTP CODE Unknown 200 AVAILABILITY 07. Feb 2025 12:32:00
```
Hi @spirillen, I am Cigdem and I work for Jotform. Can we kindly stay in the "phishing" context and not dive into RFC specifications? If a URI returns 200, it does not mean that the "unwanted" content is still available and in this case the content was the problem, not the status code. Since we care about our platform we are constantly monitoring it and hence why we wanted to create an issue here to see what more we can do. I believe we have done our part here so let's not complicate things with bureaucracy. We appreciate your help to improve our platform reputation and I thank you in advance. We would also much appreciate if you can contact us at abuse[@]jotform[.]com in the future.
Yes, we can stay on topic, but it's important to note that the RFC serves as the standard for the internet and is integral to our testing process (https://github.com/Phishing-Database/Phishing.Database?tab=readme-ov-file#automated-testing). We adhere to the guidelines outlined in RFC 7231.
Actually, you're mistaken; a 200 status code indicates that the page is indeed active. If you're not familiar with the basics of HTTP status codes, please feel free to ask. It's not advisable to instruct someone who has been working with the HTTP protocol for over 25 years on how it should function. If you have a different perspective, you might consider submitting your comments to the RFC.
Unfortunately, I can't provide better support than this unless you manage to get the RFC revised. HTTP status codes have been established for decades and are fundamental to how the HTTP protocol processes and interprets requests.
Not gonna happen, this is an open source project, we keep things in the open, mostly to later be phasing false accusations.
I'm sorry, but can we please move on from this? Hey @cigdemtosun, I've been reflecting on our conversation from yesterday, and I think I may have misunderstood your message. It seems there might have been some miscommunication regarding my response about the list of HTTP 200 codes. To clarify, I intended to return the registered URIs in the PD project with that list, and I was hoping you could provide some insights on whether those links should be there or not. Could you please take a moment to double-check the lists? As we've learned, it's always good to verify things, and I would appreciate your feedback on this. Thank you!
Hi @spirillen, Thank you for your reply! I have checked the latest list you have shared with us and I can say that apart from "https://form.jotform.com/22309" all URIs are valid. For the remaining, the potential scam content in the URIs are removed as the owners of the resources have been suspended. And now they look like this: [image] Or like this: [image] Since the content that put the URIs in your list has been removed, I am hoping you can remove the URIs from PD. Kind regards.
This issue will whitelist `.jotform.com`
Closes Phishing-Database/Phishing.Database#1091
Signed-off-by: spirillen <[email protected]>
Dear @cigdemtosun Thanks for your reply. I wanted to take a moment to discuss the HTTP status codes used on your website, particularly in relation to the RFC standards. As we have some time to address this matter, I would like to understand the reasoning behind the decision not to adhere to the RFC guidelines regarding HTTP responses. Specifically, the links you provided should ideally return a 410 status code, as this aligns with the intended use of HTTP codes. Implementing this change would not only enhance the accuracy of your responses but also streamline the process of identifying and removing false positives, both manually and through automated testing. While I have cleared your records for now, I believe that updating your HTTP code responses in accordance with the RFC would greatly benefit your website. This adjustment would not only improve functionality but also enhance user experience. Thank you for considering this suggestion. I look forward to your thoughts on the matter. Best regards, PS: I am transferring this discussion regarding the server response code to the merge request. Phishing-Database/phishing#751
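The status-code disagreement in the comments above, as an added example (not code from Jotform, PyFunceble or the Phishing.Database project): a status-only availability check cannot tell a takedown notice served with 200 from a live form, while 410 makes the removal machine-readable. The form host, the form ids and the `verdict` rule are assumptions, the rule following the preference order stated in the thread.

```python
from wsgiref.util import setup_testing_defaults

# Constructed sample data: these form ids are made up for the example.
SUSPENDED = {"1000000000001"}
LIVE = {"1000000000002"}


def make_app(suspended_status):
    """Hypothetical form host; suspended_status is sent for disabled forms."""
    def app(environ, start_response):
        form_id = environ["PATH_INFO"].strip("/")
        if form_id in SUSPENDED:
            status, body = suspended_status, b"This form has been disabled."
        elif form_id in LIVE:
            status, body = "200 OK", b"<form>sample form</form>"
        else:
            status, body = "404 Not Found", b"No such form."
        start_response(status, [("Content-Type", "text/html"),
                                ("Content-Length", str(len(body)))])
        return [body]
    return app


soft_200 = make_app("200 OK")    # takedown notice served with 200
hard_410 = make_app("410 Gone")  # takedown signalled in the status line


def probe(application, path):
    """Call the WSGI app in-process (no network); return the status code."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["code"] = int(status.split()[0])

    b"".join(application(environ, start_response))
    return seen["code"]


def verdict(code):
    """Status-only verdict, following the preference stated in the thread."""
    return "INACTIVE" if code in (410, 404) else "ACTIVE"


if __name__ == "__main__":
    for name, application in (("soft_200", soft_200), ("hard_410", hard_410)):
        code = probe(application, "/1000000000001")
        print(name, code, verdict(code))
```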
You are definitely right about the status codes but unfortunately my department is not a stakeholder of this issue. However, I know that there are some internal discussions regarding the status codes so I believe we will see some improvements in the future. Thank you for your efforts on this issue.
Please feel free to direct them here if it can assist in your development efforts to align with the RFC and reduce false positives in the future. I will keep this issue open until there is no further hope for resolution. Otherwise, you may face challenges with blacklists due to incorrect HTTP codes. Let me know if/when the "battle is lost"
You did not remove these: This one is an active redirector: The rest is now marked as offline on Phishtank.
@emidaniel Please read the thread, I do know it has grown, but in the comments above ⏫ you will find a reference to Phishing-Database/phishing#749 and some letters, you know those funny things jumping around the screen making words... actually tries to spell to some words letting you all know, that the whitelisting process is broken... 🤷🏻
What are the subjects of the false-positive (domains, URLs, or IPs)?
https://eu.jotform.com
Why do you believe this is a false-positive?
I believe this is a false-positive because Jotform is a product that allows users to easily create forms and collect data. We have both automated and manual processes to prevent and mitigate abuse on our service. Also, abuse reports sent to [email protected] e-mail address or the abuse reports sent via our Report Abuse form (https://www.jotform.com/report-abuse/) are actively monitored by our security and reviewers team.
Our customers are experiencing access issues due to this URL being blocked by your service.
How did you discover this false-positive(s)?
VirusTotal
Where did you find this false-positive if not listed above?
I discovered this false-positive by VirusTotal
Have you requested a review from other sources?
No.
Do you have a screenshot?
Additional Information or Context
At Jotform, we take the privacy and security of our users very seriously. We have taken all necessary measures to ensure that our platform adheres to the highest security standards and that our users' data is protected at all times.
We kindly request that you remove the block on Jotform URLs and allow our users to continue using our platform without any interruptions. If you require any further information or assistance from our team, please do not hesitate to reach out to me directly.