ADBLK-13: Block Grapeshot.co.uk



Issue Information

Issue Type: Improvement
 
Priority: Major
Status: Open

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: Adblock Lists (ADBLK)
Resolution: Unresolved

Created: 2019-06-21 12:40:40


Description
Seen being referenced by eadt.co.uk

Grapeshot is an analytics/tracking/"customer engagement" system. They have a page at www.grapeshot.co.uk but the bare domain generates a warning from uBlock Origin.

Their synopsis for themselves is:
"Grapeshot uses Advanced Keyword Technology to segment inventory and improve targeting, making advertising welcome."


Worth noting, they've been bought by Oracle at some point too, so are likely to become extremely consumer hostile if they are not already.

They use a subdomain per customer, so various upstream lists contain various subdomains, but some are always going to be missed.

Given the only non-tracking usage of the domain seems to be their WWW selling their wares, it seems like we should just block the zone entirely.



Activity


The way they handle the underlying routing varies by sub-domain as well.

The one seen being referenced from eadt.co.uk - mediaforce.grapeshot.co.uk - is CNAME'd out:
ben@thor:~$ host mediaforce.grapeshot.co.uk
mediaforce.grapeshot.co.uk is an alias for atom.pool.gscontxt.net.
atom.pool.gscontxt.net has address 148.64.56.32
atom.pool.gscontxt.net has address 148.64.56.33


Whereas an existing entry on upstream blocklists appears to just return an A record:
ben@thor:~$ dig @8.8.8.8 reed-cw.grapeshot.co.uk

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 reed-cw.grapeshot.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;reed-cw.grapeshot.co.uk.	IN	A

;; ANSWER SECTION:
reed-cw.grapeshot.co.uk. 29	IN	A	148.64.56.56

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 21 12:36:36 BST 2019
;; MSG SIZE  rcvd: 68


Looking at the target of that CNAME, the domain gscontxt.net appears to be owned by Grapeshot too and has a similar history of being subdomain happy - https://www.threatcrowd.org/domain.php?domain=kargo.gscontxt.net

The IPs that CNAME resolves to are in a Grapeshot-owned AS, so it's not like they're CNAMEing out to a hosting service.

gscontxt.net doesn't appear to be on any of the existing blocklists, but it looks like they are sometimes referred to directly. This article - https://palant.de/2014/06/27/third-party-javascript-more-critical-than-ever/ - would suggest Reuters reference them directly, and it looks like Auntie does too - https://urlscan.io/domain/bbc.gscontxt.net

I'm going to block their zone as being related. They have no documents on either the bare or www domains. It looks like they've made it into other people's lists too (just apparently not any of the ones I consume) - https://github.com/drduh/config/blob/master/domains/ads#L239


Repo: adblocklists
Commit: ef7d1e890a1014ee45bb3ef197968b83f952ea9a
Author: B Tasker <github@<Domain Hidden>>

Date: Fri Jun 21 12:55:44 2019 +0100
Commit Message: ADBLK-13 Block Grapeshot related domains

Grapeshot is an analytics/tracking/"customer engagement" system

They appear to use a subdomain per customer, so block the entire zone - does mean their www goes inaccessible, but it's fairly minor as collateral damage goes



Modified (-)(+)
-------
config/manualzones.txt
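
An added example (not code from the adblocklists repo) showing why zone-level entries catch per-customer subdomains and CNAME targets that per-host upstream entries miss. It assumes a one-zone-per-line list format and a blocker that also checks CNAME targets; the function names and the tracker.customer.example host are hypothetical.

```python
def parse_zones(text):
    """Parse a zone list: one zone per line, '#' comments ignored (assumed format)."""
    zones = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            zones.add(line)
    return zones


def zone_for(name, zones):
    """Return the listed zone containing name, matching only on label boundaries."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def blocked_by(name, zones, cnames):
    """Check name, then each CNAME target in turn; return (matched_name, zone) or None."""
    seen = set()
    current = name.lower().rstrip(".")
    while current and current not in seen:  # 'seen' guards against CNAME loops
        seen.add(current)
        zone = zone_for(current, zones)
        if zone:
            return current, zone
        current = cnames.get(current)
    return None


# Constructed inputs. The two zones and the mediaforce CNAME are taken from the
# issue text; the second CNAME entry is a hypothetical first-party alias.
ZONES = parse_zones("grapeshot.co.uk\ngscontxt.net  # CNAME target zone\n")
UPSTREAM = {"reed-cw.grapeshot.co.uk"}  # per-subdomain entry, as on upstream lists
CNAMES = {
    "mediaforce.grapeshot.co.uk": "atom.pool.gscontxt.net",
    "tracker.customer.example": "atom.pool.gscontxt.net",
}

if __name__ == "__main__":
    for host in ("mediaforce.grapeshot.co.uk", "tracker.customer.example"):
        print(host, "upstream:", blocked_by(host, UPSTREAM, CNAMES),
              "zones:", blocked_by(host, ZONES, CNAMES))
```
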



