##########################################################################################
ADBLK-13: Block Grapeshot.co.uk
##########################################################################################

Issue Type: Improvement
-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Closed

Resolution: Done (2019-09-09 16:19:51)

Project: Adblock Lists (ADBLK)
Reported By: btasker
Assigned To: btasker

Time Estimate: 0 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

Seen being referenced by eadt.co.uk

Grapeshot is an analytics/tracking/"customer engagement" system. They have a page at www.grapeshot.co.uk but the bare domain generates a warning from uBlock Origin.

Their synopsis for themselves is

-- BEGIN QUOTE --
Grapeshot uses Advanced Keyword Technology to segment inventory and improve targeting, making advertising welcome.
-- END QUOTE --

Worth noting, they've been bought by Oracle at some point too, so are likely to become extremely consumer hostile if they are not already.

They use a subdomain per customer, so various upstream lists contain various subdomains, but some are always going to be missed.

Given the only non-tracking usage of the domain seems to be their WWW selling their wares, seems like we should just block the zone entirely

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2019-06-21 12:47:27 btasker
-----------------------------------------------------------------------------------------

The way they handle the underlying routing varies by sub-domain as well.

The one seen being referenced from eadt.co.uk - mediaforce.grapeshot.co.uk is CNAME'd out

-- BEGIN SNIPPET --
ben@thor:~$ host mediaforce.grapeshot.co.uk
mediaforce.grapeshot.co.uk is an alias for atom.pool.gscontxt.net.
atom.pool.gscontxt.net has address 148.64.56.32
atom.pool.gscontxt.net has address 148.64.56.33
-- END SNIPPET --

Whereas an existing entry on upstream blocklists appears to just return an A record

-- BEGIN SNIPPET --
ben@thor:~$ dig @8.8.8.8 reed-cw.grapeshot.co.uk

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 reed-cw.grapeshot.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;reed-cw.grapeshot.co.uk. IN A

;; ANSWER SECTION:
reed-cw.grapeshot.co.uk. 29 IN A 148.64.56.56

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 21 12:36:36 BST 2019
;; MSG SIZE rcvd: 68
-- END SNIPPET --

Looking at the target of that CNAME, the domain gscontxt.net appears to be owned by Grapeshot too and has a similar history of being subdomain happy - https://www.threatcrowd.org/domain.php?domain=kargo.gscontxt.net

The IPs that CNAME resolves to are in a Grapeshot owned AS, so it's not like they're CNAMEing out to a hosting service.

-----------------------------------------------------------------------------------------
2019-06-21 12:55:12 btasker
-----------------------------------------------------------------------------------------

gscontxt.net doesn't appear to be on any of the existing blocklists, but it looks like they are sometimes referred to directly.

This article - https://palant.de/2014/06/27/third-party-javascript-more-critical-than-ever/ - would suggest Reuters reference them directly, and it looks like Auntie does too - https://urlscan.io/domain/bbc.gscontxt.net

I'm going to block their zone as being related.
They have no documents on either the bare or www domains.

It looks like they've made it into other people's lists too (just apparently not any of the ones I consume) - https://github.com/drduh/config/blob/master/domains/ads#L239

-----------------------------------------------------------------------------------------
2019-06-21 12:56:46 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: adblocklists
Commit: ef7d1e890a1014ee45bb3ef197968b83f952ea9a
Author: B Tasker