item 21700913

jschuur | 6 years ago

Interesting. I noticed that the blog post mentions the Nymaim malware family. I read about Susam's case when it hit Twitter the other day and might have even followed a link to his URL. Then a few days later got an email from my ISP Virgin Media claiming they'd detected Nymaim on my home network.

I run macOS only and as far as I can tell Nymaim is Windows only. Still, I ran a malware scan on my MacBooks and nothing popped up, so I'm pretty sure nothing infected my devices.

Still, I wonder if I ended up hitting the sinkhole, Virgin was somehow notified and this triggered their email? Or maybe it's just a complete coincidence.

Edit: Sure looks like Virgin works with Shadowserver: https://www.ukfast.co.uk/it-security-news/virgin-media-to-in...

hsivonen | 6 years ago

I have been at the receiving end of German authorities reporting an uninfected server of mine to the hosting company as Avalanche-infected based on Shadowserver information. It was unpleasant, particularly because it happened a day before a family holiday, so my spouse was annoyed when instead of participating in preparations, I was researching what had happened and explaining my innocence.

Although my server wasn't infected, it had connected to a Shadowserver sinkhole.

While it's good that there are folks who work to sinkhole botnets, the next step of accusing others of being infected based on what the sinkhole sees needs more care. I'm disappointed that, evidently, my expression of these concerns to the German authorities three years ago hasn't led to a substantial change at the Shadowserver end.

As can be seen from your case (and mine), you can get blamed even if the software at your end of the connection wasn't the botnet software. Considering how a basic premise of the Web is that it's safe to dereference a URL and everyone runs software that does so (Web browsers!), it's a bad idea that Shadowserver doesn't require a narrower indicator of compromise.

There'd be less chance of folks weaponising this system against bystanders by framing them as botnet-infected if the Shadowserver Foundation sinkhole required the other end of the connection to exhibit more specific hallmarks of the botnet software.

rkangel | 6 years ago

That is the purpose of sinkholes. That's why you don't just change the DNS record to 127.0.0.1 (or similar) - you want to log the traffic that you're seeing so that you know who is infected and can help them.

I'm unaware of this particular international cooperation arrangement but it's great to see.
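The two comments above describe the same mechanism from opposite sides: a sinkhole logs who connects so that infected hosts can be helped, but a bare connection is also what a browser or link-preview fetcher produces when someone simply dereferences the URL. The following is an added illustration, not code from the thread or from Shadowserver, of the "narrower indicator of compromise" hsivonen asks for: a small triage script over a constructed sinkhole log that reports an IP only when it shows repeated hits carrying bot-specific hallmarks. The log lines, the `BotAgent/` user agent, the `/gate.php` path and the `MIN_CHECKINS` threshold are all placeholders invented for the example and are not the real indicators of Nymaim or Avalanche.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample sinkhole web-server log (not real Shadowserver data).
# Each line: client_ip method path user_agent
SAMPLE_LOG = """\
203.0.113.10 GET / Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/537.36
203.0.113.10 GET /favicon.ico Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/537.36
198.51.100.7 POST /gate.php BotAgent/1.0
198.51.100.7 POST /gate.php BotAgent/1.0
192.0.2.44 GET /robots.txt curl/7.68.0
"""

# Hypothetical hallmarks of the botnet client's check-in. These are placeholders
# chosen for the example, not the real indicators of Nymaim or Avalanche.
BOT_METHOD = "POST"
BOT_PATH = re.compile(r"^/gate\.php$")
BOT_UA = re.compile(r"^BotAgent/")
MIN_CHECKINS = 2  # require repeated check-ins, never a single hit


@dataclass
class Hit:
    ip: str
    method: str
    path: str
    user_agent: str


def parse_log(text: str) -> List[Hit]:
    """Parse the space-separated log format above into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, path, ua = line.split(maxsplit=3)
        hits.append(Hit(ip, method, path, ua))
    return hits


def is_bot_checkin(hit: Hit) -> bool:
    """A hit counts as a botnet hallmark only if method, path and UA all match."""
    return (hit.method == BOT_METHOD
            and BOT_PATH.match(hit.path) is not None
            and BOT_UA.match(hit.user_agent) is not None)


def triage(hits: List[Hit]) -> Dict[str, str]:
    """Classify each client IP seen at the sinkhole.

    'likely-infected'  : at least MIN_CHECKINS hits showing the bot hallmarks
    'bare-dereference' : the IP only fetched URLs the way a browser, crawler or
                         link-preview fetcher would; not evidence of infection
    """
    checkins = defaultdict(int)
    seen = set()
    for hit in hits:
        seen.add(hit.ip)
        if is_bot_checkin(hit):
            checkins[hit.ip] += 1
    return {ip: ("likely-infected" if checkins[ip] >= MIN_CHECKINS
                 else "bare-dereference")
            for ip in sorted(seen)}


def build_reports(verdicts: Dict[str, str]) -> List[Dict[str, str]]:
    """Emit an abuse report only for IPs that met the narrower indicator."""
    return [{"ip": ip, "reason": "repeated bot check-ins at sinkhole"}
            for ip, verdict in verdicts.items() if verdict == "likely-infected"]


if __name__ == "__main__":
    verdicts = triage(parse_log(SAMPLE_LOG))
    for ip, verdict in verdicts.items():
        print(f"{ip:15} {verdict}")
    print("reports:", build_reports(verdicts))
```

With this input only 198.51.100.7 is reported; the macOS browser that fetched `/` and `/favicon.ico` and the `curl` client that read `/robots.txt` are logged but classified as bare dereferences, which is exactly the distinction a sinkhole operator needs before an IP is passed on to an ISP or hosting company.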

jschuur | 6 years ago

Yup. Looks like the system is working pretty well. Plus I'm pretty happy that I've got an explanation for the email I got!

mlindner | 6 years ago

I would say it should be concerning to you that your ISP is actually watching what DNS addresses you resolve. I'd either suggest using secure DNS or using your own DNS server or some DNS server not owned by your ISP.