Adult dating content website falsely labeled “URL:Scam” with blocked access

[hp01]

Hello


I am facing an unfortunate false positive issue with my URL


This is a simple php informational & content website. We educate users on various adult products and services and provide affiliation links if they are interested to learn more.


We are not a “Scam” URL. Kindly note the following


 -   Our website’s Privacy Policy which clarifies we do not collect or store user information of any kind.
 -   Our website is free to access. There is no cost to the user as described in our Terms of Use.
 -   We do not offer any downloadable software of any kind, or any malicious links or programs that may harm a user’s device.


Additional supporting information for false positive detection:


“CLEAN” as reported by all vendors on VirusTotal and Sucuri -

https://www.virustotal.com/gui/url/748fad24b2ae583763c786238317c6b0a43e1bbbe32f5ec34a596ce5ff7fe00f

https://unmask.sucuri.net/security-report/?page=send2dates.com/lorsus/ibi-nb24.php


We have already reported the false positive to Avast team. They have indeed confirmed it is a false positive and have claimed to remove it from their database, twice. But, the changes seem to have not taken effect yet for some reason. The last update from Avast team was around 5 business days ago. Our URL is still being blocked.


We take malware prevention and website security very seriously. I am hoping somebody from Avast team finds this post and is able to help us resolve in the soonest.


Thank you and Kind Regards,

[polonus]

Wait for a final verdict from the Avast team.

This is probably the reason the website was being blocked: https://www.malwarebytes.com/blog/detections/165-227-177-96

Abuse found on IP: https://www.abuseipdb.com/check/165.227.177.96

polonus

[DavidR]

Not sure why VT does the scan on the redirect to PHP when Avast alerts on the main domain name for http and https

-  Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.

[hp01]

Thank you for the replies.

Not sure why VT does the scan on the redirect to PHP when Avast alerts on the main domain name for http and https

-  Reporting a Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php.
You should get a response in a day or two.

DavidR - we did in fact report the false positive, and Avast team had already agreed to the file status as an FP. They cleared the FP from their database, atleast as per them (I had mentioned this in the original post as well).

However, after their first clearance, there was no change in fact reflecting yet, neither in WebShield nor in their Online Security browser extension.

I had requested them to recheck, at which point they mentioned they had fully cleared the URL and files a second time. Still no changes reflected.

I had requested them to recheck a third time, due to the still existing FP. No response as of yet (5 business days).

Is there anyone from Avast's team we could contact directly here to resolve this for good? This issue has been in support limbo for close to 3 weeks and we are eager to help restore full access to our website.

Thank you,

[DavidR]

I would contact them again using the report form, I would give a link back to this topic URL.

As I mentioned.

Not sure why VT does the scan on the redirect to PHP when Avast alerts on the main domain name for http and https

I just wonder if this might have an impact as 3rd party connections would be alerted on main domain.

As the related IP give by Polonus gave is flagged by VT.
https://www.virustotal.com/gui/url/8bf370c2b41119b7b97b9bdb8b6b2fd41e080effccb2e4d235bcb5e08666b640/detection

[polonus]

And there is also this: https://www.malwarebytes.com/blog/detections/165-227-177-96
blocked as associated with a trojan.

polonus

[hp01]

I would contact them again using the report form, I would give a link back to this topic URL.

I will do this now, thank you.

And there is also this: https://www.malwarebytes.com/blog/detections/165-227-177-96
blocked as associated with a trojan.

polonus

We have a new mirror site at 167.71.182.100 which was not found in any abuse databases, yet the mirror is also still being blocked by Avast.

[hp01]

Update: The false positive for the URL in my original post was cleared today by the Avast Malware Analysis Team.

Within 4 hours of the cleared false positive, Avast Webshield & browser extension are now once again blocking access to our site due to the same FP detection. Note, this is after 3 weeks of back and forth related to the repeated clearings of our sites from Avast’s database not having any effect. This is the third such occasion where they have been unable to fix the false positive.


I will keep this thread updated until our issue is thoroughly and fully resolved.

[Pondus]

As @Polonus hinted, it may be your IP adress that is the problem

https://www.virustotal.com/gui/url/673d20296231a97bd612dc8bedbcfa27708935c1cf713a31407e6b4fffbb04f5?nocache=1

[polonus]

Also consider: https://radar.cloudflare.com/scan/cf49092e-651e-409d-9769-90b52160bebb/security
Risk found.

polonus