Description
To check
- VirusTotal
  - For https://opendrr.github.io: https://www.virustotal.com/gui/url/419e325c8aac45e2422075e15c3561c00ea43e4683ae6c955afefec5a1ef4f81?nocache=1
  - For http://opendrr.github.io: https://www.virustotal.com/gui/url/5df3642a4c13b0da3a8e84b4f133a4885a2690cb2d89681fe75827c4f74f8463?nocache=1
- Microsoft Defender SmartScreen
  - Check from Microsoft Edge or Internet Explorer 11
Progress
TODO (as of 2023-03-08):
No more blockers! Hurray!
Resolved
- Google Safe Browsing ("Deceptive site", fixed in Google Safe Browsing falsely determines opendrr.github.io as "Deceptive site" (detected phishing) #119)
- CIRA Canadian Shield DNS (reported on 2021-04-14; fixed in June or July? Found out it was fixed in August 2021)
- Webroot BrightCloud ("Malicious", fixed on 2021-04-15)
- Microsoft Defender SmartScreen (reported by @jvanulde on 2021-10-18, and fixed by Microsoft a week later?)
- CRDF ("Malicious", fixed 2022-11-28)
- BitDefender ("Phishing", fixed as of 2022-11-29)
  - reported via https://www.bitdefender.com/site/Main/automaticSampleUploader/ → https://www.bitdefender.com/consumer/support/answer/29358/ on 2022-11-28
- Emsisoft ("Phishing", fixed as of 2022-11-29)
  - emailed [email protected] on 2022-11-28
- Fortinet ("Phishing", fixed as of 2022-11-28; access from within VPN restored on 2022-11-29 morning)
  - reported on 2022-11-28; supposedly fixed in 5 minutes; actually working in about 3 hours; see comment for details.
- G-Data ("Phishing", fixed as of 2022-11-29)
  - reported at https://www.gdatasoftware.com/faq/consumer/submit-a-suspicious-file-app-or-url on 2022-11-28
- Netcraft ("Malicious", fixed as of 2022-11-29)
  - check at https://sitereport.netcraft.com/?url=https%3A%2F%2Fopendrr.github.io
  - reported mistake to https://report.netcraft.com/report/mistake on 2022-11-28
- Sophos ("Phishing", fixed as of 2022-11-29)
- Viettel Threat Intelligence ("Phishing", fixed as of 2022-11-29)
  - emailed [email protected] on 2022-11-28
- Avira ("Phishing", fixed as of 2022-11-30)
  - reported at https://www.avira.com/en/analysis/submit-url on 2022-11-28
- VIPRE (as listed by VirusTotal)
  - Reported to VIPRE via online form on 2023-02-03, see comment below
- Microsoft Defender SmartScreen (relapse in 2022, but no longer blocking in February 2023?)
- McAfee/Trellix: Request submitted on 2023-03-03 at https://sitelookup.mcafee.com/, see comment below. Resolved on 2023-03-07 and confirmed again on 2023-03-08.
Original message
At today's meeting (April 14), I failed to open Joost's latest super-fast Elasticsearch based dynamic map web page on https://opendrr.github.io/, and then I discovered I couldn't open any pages under that domain.
It was due to the CIRA Canadian Shield "Protected" DNS servers that I was using (149.112.121.20 and 149.112.122.20); see https://www.cira.ca/cybersecurity-services/canadian-shield
Normally, opendrr.github.io points to GitHub IP addresses:

```
opendrr.github.io. 3464 IN A 185.199.108.153
opendrr.github.io. 3464 IN A 185.199.110.153
opendrr.github.io. 3464 IN A 185.199.111.153
opendrr.github.io. 3464 IN A 185.199.109.153
```

But 149.112.121.20 and 149.112.122.20 ("Protected") and 149.112.121.30 and 149.112.122.30 ("Family") point opendrr.github.io to:

```
$ dig @149.112.121.20 opendrr.github.io
...
;; ANSWER SECTION:
opendrr.github.io. 0 IN A 75.2.78.236
opendrr.github.io. 0 IN A 99.83.179.4
```

Both 75.2.78.236 and 99.83.179.4 return a 302 redirect to https://www.cira.ca/CanadianShield/Active/MalwareBlock
Switching to the less protective "Private" DNS, i.e. 149.112.121.10 and 149.112.122.10, or switching to Google's Public DNS, for example, unblocked opendrr.github.io for me personally.
But yeah, the main point is how to take our website off their blacklist, and hopefully find out how we got on their blacklist in the first place.
According to https://www.cira.ca/cybersecurity-services/canadian-shield/faq-public:
How do you prevent false positives (i.e. accidentally blocking a legitimate domain)?
CIRA Canadian Shield leverages a threat feed that is global and used by ISPs around the world and is designed to have a very low false positive rate. The threat feed is used for the CIRA DNS Firewall that currently protects 1.8 million Canadian users and the rate of false positives to legitimate queries is something very close to zero. Please use our support form if you believe we are blocking a domain in error.
How do I report a false positive or a previously infected domain that has been cleaned up?
Based on our experience running a commercial version of the service, CIRA Canadian Shield has a very low false positive rate having only lodged a handful of requests on over 1.8 million users. Most times, domains that are reported to us as a false positive are found to be hosting malicious content without the knowledge of the domain owner. If you believe that your domain is being blocked incorrectly by CIRA Canadian Shield then please visit our support page to lodge the request for review.
If your site has been hijacked or misused by hackers and as a result has been placed on block lists (including ours) then you are in a very difficult situation. Once the problem has been rectified on your end you can request a review using our support page. This can involve multiple global vendors and so we cannot provide a time-frame for when the review will be complete.
I will be filing a support request here:
P.S. Related to #119.
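The resolver comparison described above, as an added example (not the issue author's code, nor part of the OpenDRR project): a small Python script that parses the answer section of `dig` output and flags a resolver whose A records for opendrr.github.io differ from the published GitHub Pages set. The sample `dig` outputs are constructed from the answers quoted in this issue; the all-zero TTL check is an extra heuristic added here.

```python
import re
from typing import Dict, List, Set, Tuple

# The "normal" GitHub Pages A records quoted in the issue.
GITHUB_PAGES_A: Set[str] = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
}

# Constructed sample: what the Canadian Shield "Protected" resolver returned.
SINKHOLED_DIG_OUTPUT = """\
;; QUESTION SECTION:
;opendrr.github.io.\t\tIN\tA

;; ANSWER SECTION:
opendrr.github.io.\t0\tIN\tA\t75.2.78.236
opendrr.github.io.\t0\tIN\tA\t99.83.179.4
"""

# Constructed sample: the expected answer from an unfiltered resolver.
NORMAL_DIG_OUTPUT = """\
;; ANSWER SECTION:
opendrr.github.io.\t3464\tIN\tA\t185.199.108.153
opendrr.github.io.\t3464\tIN\tA\t185.199.110.153
opendrr.github.io.\t3464\tIN\tA\t185.199.111.153
opendrr.github.io.\t3464\tIN\tA\t185.199.109.153
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_answer_section(dig_output: str) -> List[Tuple[str, int, str, str]]:
    """Return (owner, ttl, rtype, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break  # end of the answer section
            m = RR_LINE.match(line.strip())
            if m:
                owner, ttl, rtype, rdata = m.groups()
                records.append((owner, int(ttl), rtype, rdata))
    return records

def classify(dig_output: str, expected_a: Set[str] = GITHUB_PAGES_A) -> Dict[str, object]:
    """Compare a resolver's A answers against the expected set; a TTL of 0 on
    every record is a hint that the resolver synthesised the response."""
    a_records = [r for r in parse_answer_section(dig_output) if r[2] == "A"]
    answers = {r[3] for r in a_records}
    unexpected = sorted(answers - expected_a)
    if not answers:
        verdict = "empty"
    else:
        verdict = "rewritten" if unexpected else "expected"
    zero_ttl = bool(a_records) and all(r[1] == 0 for r in a_records)
    return {"verdict": verdict, "unexpected": unexpected, "zero_ttl": zero_ttl}
```

Run `classify()` on the output of `dig @<resolver> opendrr.github.io` for each resolver you want to compare; a "rewritten" verdict with unexpected addresses is the sinkhole case described in this issue.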