My IP is blocked at kleinanzeigen.de - allegedly!

weka · October 5, 2023, 12:55pm

Hello!

I am using KDE Neon, and for a few days now I’ve been trying to solve a strange problem that’s starting to drive me crazy:

Every time I try to log into my account at “kleinanzeigen.de” (part of ebay), I am told that my IP has been blocked due to several unsecure login attempts.

And this where it gets fishy:

This message only(!) appears when I use my PC to connect to that site!

If I use my tablet or a note book, it does not appear and I can log in without any problem.

All these devices are using the same internal home network, and thus they all appear as the same IP to the outside world. I am using IP4 only, there’s no IP6 involved. The only difference between these devices: my PC is using a cable, the other devices are using wifi.

Here’s what I tried so far:

First, I thought my Firefox profile was corrupted, but: new profile, same problem!
Tried another browser: same problem.
Created a new system user: same problem.
Tried my notebook, tablet, smartphone: they all work fine.
Booted my PC from USB, using a different Linux system: WORKS FINE!!

To quote The Doctor: “WHAT???”

Unfortunately, I don’t own a sonic screwdriver to fix my system…

What is wrong with my system?

One more strange thing occurs: when I use my notebook, every now and then I get an e-mail from ebay, asking if it is really me who is trying to log in. I can then open this e-mail on my PC, acknowledge that question, and log into ebay ON MY PC. But as soon as I log off and try to log in again right away, it’s back to square one.

I have no more ideas what to try, so I’d appreciate any help!

skyfishgoo · October 5, 2023, 2:36pm

stop clicking on those random emails, you could be getting phished

log into ebay using one of your other devices and change the password.

delete all the cookies on linux browser and clear the cache

otherwise it might be some networking router issue, maybe try a wifi connection from linux to see of that makes a difference.

weka · October 5, 2023, 5:54pm

I don’t click an “random emails” or pages.

I set FF to delete all cookies and cache when closing.

I set FF to use cache in a RAM disk, that will definitely be empty at next boot.

Other browsers, like konqueror, are also effected, like I said before.

If it was a router or a network issue, I should be facing the same problem when I boot another system from USB. See above.

The same system on a USB stick, that works when booting natively, is also effected when I boot it inside a VM on my normal system. Meaning: I start Neon, start VirtualBox, boot the USB system, and no browser can log into my account.

If someone did hack my account at kleinanzeigen, they haven’t changed or done anything to it yet: everything is still as I left it.

Most important: this problem was not present a couple of days before. And I have reasons to believe it started after I ran the last system upgrade.

So, from my point of view, this question rises: could there be some faulty system component, that is involved in network traffic and / or network encryption, that causes this effect?

skyfishgoo · October 5, 2023, 6:11pm

do you have timeshift install or can you restore your system to the state it was in a couple of days ago?

weka · October 5, 2023, 6:33pm

I do a daily backup of /etc and of $HOME, but not of the whole system. If everything else will fail, I am able to set up a new system without loosing my data. But I would very much prefer solving this mystery.

It really is a mystery: right now I am logged into my account on my notebook, while at the same time I get the described error when I try to log in at my pc.

weka · October 6, 2023, 8:03am

The strangest thing about this issue is the fact that the blocking message appears after I hit “login”: I can put in my credentials, solve the captcha, hit “login”, and then there’s this message:

IP range temporarily blocked.
There have recently been several unsafe attempts to use our platform in the IP range xxxx.xxxx.xxxx.xxxx.

This may also have been attempted by other people. Therefore, this IP range was temporarily excluded from the use of classified ads to prevent fraud. Please just try again later.

(This is a translation of the original German text.)

The “ip range” given in that message includes exactly one ip: my ip.

There are no “other people” using my pc, I am the only person living in my flat.

And this message appears no matter which browser I use: FF, konquerer, even “links2”, you name it.

And this message also appears when I try to log in as a newly created system using with a clean and fresh home directory.

From my point of view, all these facts would suggest that there is some system wide and user independent cache that every browser uses, or that there is something wrong with the kernel’s network stack or something like that. I am no kernel expert, so please excuse my inaccuracy there.

redstrate · October 6, 2023, 12:03pm

I’m not sure if this is the best place to ask the question, yes this is on KDE Neon but this has nothing to do with KDE software

Anyway, let me clear some things up and propose my idea:

None of this exists.

I highly doubt it’s something faulty there.

Here’s what I think what’s going on, you mention this:

This is not the issue but I wanted to clarify that this doesn’t really mean much. Unless your cable runs directly into your router that is. In my apartment, it’s all built before I lived here of course so I have no control over their networking Our Wi-Fi and cabled networks are almost two separate entities, they’re completely isolated from each other.

In point, I wouldn’t trust that they both have the same external IP address, and you don’t mention checking for this.

Here’s what I think what’s going on: Your computer is running on a VPN of some sort (maybe even without your knowledge, but I think that’s unlikely).

If I’m understanding that correctly, you’re saying the login works if you boot from a live system on a USB stick, but not when you try booting that same live system inside of a VM? That sounds like a VPN, since it should also tunnel your VM traffic.

A VPN would also explain the block from eBay, since the IP ranges are typically blocked because of VPN abuse. It would also help explain why you’re getting “suspicious login” emails because you’re technically logging in from another IP address

Franken14679 · October 6, 2023, 5:34pm

I’m noticing something similar when logging in to LinkedIn – with this machine –

Operating System: openSUSE Leap 15.5
KDE Plasma Version: 5.27.4
KDE Frameworks Version: 5.103.0
Qt Version: 5.15.8
Kernel Version: 5.14.21-150500.55.28-default (64-bit)
Graphics Platform: X11
Processors: 8 × AMD Ryzen 5 3400G with Radeon Vega Graphics
Memory: 29.3 GiB of RAM
Graphics Processor: AMD Radeon Vega 11 Graphics
Manufacturer: ASUS

Via a FRITZ!Box DSL router connected to the the German ISP 1&1 (United Internet) – who assign a new IPV6 address to the router once every 24 hours and, IPV4 is via a DS-Lite Tunnel.

I suspect that, my IPv4 address is shared with other 1&1 customers and, that, therefore, it changes as the IPv4 load changes – across their customer base …

For the last few days, every time I log in to LinkedIn, they inform me that, my login is “suspicious” and then they send a unique transaction number to the “online.de” e-Mail address associated with my LinkedIn account – the same e-Mail account that I use for this Forum and another Forum and, my Bug Reporting activities.

Basically, the same procedure as that used by online-banking activities – a “TAN” number …

Whether or not, the LinkedIn mother concern – Microsoft – is worried that, ISPs who change their customer’s IP addresses on a regular basis (for security reasons – unwanted, unnoticed, IP data streams will be broken when an IP address suddenly changes) are “suspicious” or, that they’re worried because I’m using Linux (a favourite hacker OS ) – also suspicious – no idea …

In the mean time, I’ll play their game and only access LinkedIn when logged into a KDE session where my e-Mail system is running …

By the way, I’m a customer of an Insurance company who send a TAN to my pocket telephone via SMS whenever I log in to my account there …

By the way, both Google and Microsoft get jumpy whenever I login to my pocket telephone’s account or my Microsoft license account, from this Linux box …

weka · October 6, 2023, 8:01pm

I do think it does, for two reasons:

It started after the last update.
I can boot my pc using a live USB memory, and everything works fine.

The pc is assigned the same internal IP from the router, regardless which system is booted, because I bound a static lease to the MAC. I can switch between the live USB and the installed Neon as often as I like, and the results will always be the same: the USB system is not being blocked, the installed Neon system is being blocked.

If there was a faulty setting on the router, that makes my wifi devices work and make the cabled pc being blocked, this faulty setting could neither influence nor determine between two different systems being booted on the same machine.

Logically, when system A on a certain machine is not working, while system B on the same machine does work perfectly, there’s not much space for the faulty part.

No, it isn’t. I never set up any VPN, and never clicked “yes” to let the system install one for me.

Yes: the live USB, that works when booted on the physical machine, faces the same problem when booted inside a VM on Neon.

Again: I never set up any VPN. So where should a VPN suddenly appear from out of the blue?

That sounds reasonable, but it’s not possible in my case, for three reasons:

I am on IP4 exclusively, and my router uses the same WAN IP4 permanently.
Like said above, a live USB works perfectly.
I can log in to my account using my notebook or a tablet, they don’t get blocked. And all my devices appear as the same IP to the outside world, according to pages like “showmyip”. The server at “kleinanzeigen.de” should not be able to determine, which device I am using to log in, and should not make any difference in which device to block and which not to block.

And this difference is driving me nuts. I did not change anything to my entire internal network for at least half a year. The only changes that happened were updates to the Linux system.

I took the time today to search through every directory called “cache” on my hard disk and wiped it, using the live USB system. I ran “etherape” to look for any connection to “kleinanzeigen.de” prior to before I actually call the URL. But all this was for nothing.

Supplement:

The error message from the platform I want to log into says:

IP range temporarily blocked.
There have recently been several unsafe attempts to use our platform in the IP range...

The first sentence is untrue, because I can log into from other devices. See above.

The second sentence raises the question: what is an “unsafe” attempt, when is an attempt “unsafe”?

I am using the same credentials each time, on every device. So, if ebay tells me that my log in attempts are “unsafe” when I am using my pc, and they are “safe” when I use any other device, something must be happening after I typed in my credentials. To me, this looks very much like a faulty network traffic of some kind. Maybe some wrong encryption algorithm is used, that ebay does not recognize?

mlincett · October 7, 2023, 3:30pm

Coincidentally, I started experiencing this on a Fedora 38 installation a couple of days ago.
Occurs both on Firefox and Chrome, both IPv6 and IPv4.

My laptop connected to the same network does not have issues. Laptop is running GNOME and possibly a bit behind in updates (I’d say the second factor should be the most relevant here).

I am running out of ideas.

weka · October 7, 2023, 4:01pm

Please, please, tell me more about it: which web sites are effected on your machine?

mlincett · October 7, 2023, 4:29pm

The same website you reported in the original post, and I am confident I get the exact same error message (in German) as you.

My hypotheses are:

some underlying issue resulting in a high number of connection retries from the browser (thinking of redirect loops, but those result in “visible” browser activity);
an actual blocking system aimed at individual clients and based on some sophisticated fingerprinting.

I guess I am going to sit on it for a few days.

Franken14679 · October 7, 2023, 4:52pm

Or, the issues mentioned above are, an attempt by various companies to force multi-factor authentication (two-factor authentication) for some of the methods used to access their services …

weka · October 7, 2023, 4:54pm

No offence meant, but you can not imagine how relieved I feel to hear this! Now I know I am not loosing my mind!

That could be the case if just one browser was effected. But here at my site, every browser is effected. Have you also tried other browsers? Have you tried booting a different system, e.g. a live USB Linux? I bet that will work!

This sounds more likely. But if that is the case, we will never be able to use that site again, because there is just no customer care at that site you can turn to.

That will be in vain: I have been waiting for the issue to disappear now for weeks!

mlincett · October 7, 2023, 9:52pm

Tried two browsers. Tried also different DNS servers. I suppose they may have some fuzzy logic / machine learning classifier in place so that changing the browser is not enough?

I also guess a password change won’t fix it (?)

@Franken14679 what you are experiencing seems normal / common: major platforms are indeed implementing some form of MFA one way or another. OP’s problem is different.

nclarius · October 7, 2023, 11:31pm

Fwiw Kleinanzeigen is no longer part of ebay. So if you’re getting E-Mails from someone claiming to be “ebay” about Kleinanzeigen that’s strange.

nclarius · October 7, 2023, 11:35pm

Have you read IP eingeschränkt? In particular, try resetting your password.

kenning · October 8, 2023, 12:29am

Your Firefox Browser is deleting Cookies.

And no, Kleinanzeigen is not a part of Ebay anymore, and the platform sucks so much. It blocks VPNs, maybe you have a VPN configured just on your KDE Neon?

My way is to use Vanadium on my phone, but could be firefox too. I use a seperate browser, as on mobile there are no profiles, and save the cookies. Log in, and works normally. Interestingly I think it blocked my IP via VPN on Firefox, but not on Vanadium or something.

They sucks, try to block hardened Browsers

weka · October 8, 2023, 8:13am

So, there are other users who suffer the same problem. Don’t get me wrong, but I am pleased by that fact. It proves that I am not too dump to solve this problem.

Maybe we really should be discussing this issue on a more global scale, on a different forum or web page, that is read by more people than this one. It’s highly likely many users of different OS will be affected, too. But I don’t know such a forum or web page, so I am open to suggestions.

Did you also try to boot a different OS? Did you try different devices connected to your home network?

Are you using a stationary desktop pc or are you using a portable computer, a notebook or similar? If you use a portable computer: do you have access to a different network, like at work, and could you try it there?

If you can: please do so and tell me the result. I bet it will work.

I know. But on the one hand “ebay” slipped my fingers, so to say, on the other hand, I am pretty sure, ebay is still the main owner of that brand.

Been there, done that!

If this was the case: what could we do against it?

If booting a different OS or using a different device that is connected to the same home network does break this evil magic spell, there should also be some measures that can be taken to modify the original system to make it unrecognizable to the target size.

Are there any effective add-ons for FF that can fool the target site by pretending to be a different OS?

One more question to all users who are effected by this error: which ISP are you using?

I am hooked to Vodafone. Anyone else?

mlincett · October 8, 2023, 8:54am

I agree this is pretty much off-topic for this platform. I am happy to discuss further in private.