ultraculture.org — false positive in Threat Intelligence Feeds #10474

@magickme

Prerequisites

  • I use the current version of the lists.
  • Disabling these lists resolves the issue.
  • I do not utilize a dedicated block page (e.g. NextDNS or ControlD block page) or a block mode that returns a custom IP for blocked domains. In my environment, blocked domains return a zero/null IP, or result in status NXDOMAIN, REFUSED, NODATA for DNS resolutions.

What is the operating system of the device?

Linux

Which blocklist(s) caused the issue?

Threat Intelligence Feeds

Where does the issue occur - on which website or in which app?

The website ultraculture.org and its booking subdomain schedule.ultraculture.org. The block is zone-wide (ultraculture.org including subdomains), so customers who follow a booking link get a dead page if their resolver uses TIF.

Which domain(s) need to be unblocked?

ultraculture.org

Why should the domain(s) be unblocked?

I own this domain. ultraculture.org is a magick and spirituality blog that has been online since 2013 (WordPress behind Cloudflare), and schedule.ultraculture.org is the page my customers use to book appointments.

I looked for a reason it might have been listed and found nothing:

  • Google Safe Browsing: no unsafe content found
  • urlscan.io: 12 public scans from 2020 to 2026, all normal site content, no defacement or phishing
  • Not on oisd (it was, but oisd has since removed it), Phishing Army, or your Multi lists. Only TIF full carries it (domains/tif.txt line 1478780 in version 2026.0611.1850.29; TIF medium and mini do not have it).

To reproduce: resolve ultraculture.org through any resolver that uses TIF full (verified on Pi-hole v6) and it returns a null/NXDOMAIN answer. Allowlisting the domain locally restores the site.

If the listing came from a specific upstream source or report, I would appreciate a pointer to it so I can fix whatever triggered it.

Confirmation

  • I have verified that the domain(s) are blocked by these blocklists and that the issue is not caused by any other additional blocklists in use. The behavior is also not caused by a browser content blocker or similar browser add-ons, nor by browser settings such as an enhanced/strict tracking protection.
  • I have verified that the unblocking of the domain(s) has not been declined in any existing issue.
  • I have provided sufficient details to verify the need for unblocking the domain(s), including the steps to reproduce the issue.
  • I did not answer truthfully to any of the above checkboxes.

Terms

  • I confirm that the request does not contain any sexually explicit material or private/sensitive information.
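Added example, not part of the original report and not the blocklist project's own code: a way to find which entry in a local copy of a blocklist covers a hostname, reporting the entry and its line number as the report does for `domains/tif.txt`. It goes beyond the report by also accepting adblock-style and hosts-style lines, and it assumes every entry covers its subdomains (the zone-wide behaviour described above); the function names and the sample list are constructed for illustration.

```python
"""Locate the blocklist entry that covers a hostname (illustrative example)."""

# Constructed sample, not real list contents.
SAMPLE_LIST = """\
# constructed sample list
example-one.test
||ultraculture.org^
0.0.0.0 example-two.test
""".splitlines()


def parse_entry(line):
    """Return the domain named by one list line, or None for comments/blanks."""
    line = line.split("#", 1)[0].strip().lower()
    if not line or line.startswith("!"):
        return None
    if line.startswith("||"):                      # adblock style: ||domain^
        return line[2:].split("^", 1)[0].rstrip(".") or None
    parts = line.split()
    if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
        return parts[1].rstrip(".")                # hosts style: 0.0.0.0 domain
    if len(parts) == 1:
        return parts[0].rstrip(".")                # one plain domain per line
    return None


def load_blocklist(lines):
    """Map each listed domain to the 1-based line number of its first entry."""
    index = {}
    for number, raw in enumerate(lines, start=1):
        domain = parse_entry(raw)
        if domain:
            index.setdefault(domain, number)
    return index


def find_blocking_entry(hostname, index):
    """Check the hostname, then each parent zone; return (entry, line) or None.

    Assumption: an entry blocks its whole zone. An exact-match resolver
    would only be affected when the hostname itself is listed.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):               # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate, index[candidate]
    return None


if __name__ == "__main__":
    idx = load_blocklist(SAMPLE_LIST)
    print(find_blocking_entry("schedule.ultraculture.org", idx))
```

Running the same lookup against each list in use shows which one carries the entry, which is the information a false-positive report needs.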
