Possible false positive? Ip block

[Evolvingdoor]

Hello,

I sent this request to MB's support contact and they said I need to post this in the forum, so here I am.

Since I started using MB in real time (as opposed to occasional scans), I've been getting warning messages that a "malicious" IP has been blocked from an outgoing call from my browser (it happened for all different browsers I tried it with, so it's not browser-specific). Here is a sample line of a log for this with the actual IP (although it tries many different port numbers):

2012/05/09 18:54:50 -0400 MYCOMPUTER Owner IP-BLOCK 109.163.230.92 (Type: outgoing, Port: 55152, Process: firefox.exe)

This was only happening when I accessed my own website, and after a lot of time and effort I finally found out where this was coming from. It was from a widget that I created at buttonshut.com, and the code was pulling in an image from their website.

I did some research into these guys and they seem to be a conglomerate of "hut" sites on a variety of topics. The domain is held by GoDaddy, the company that owns it seems to be in the UK, and it seems their servers are located in Moscow.

I haven't found anything online about problems with this IP address when I've searched about it, so I'm wondering why MB has it on their list of malicious websites? I found one site that listed several domains hosted at that IP address, and it included at least one X-rated site. Could this be why MB considers that IP to be "malicious?"

I would like to know the basis for this IP's designation as malicious. It just seems a bit strange that if it's so malicious, I wasn't able to find any reports about this from other webmasters complaining about problems with them. Has anyone else heard of problems with this IP? I'm wondering if it might be a false positive, or possibly some over-caution on MB's part, or if there really is a concrete threat that has been traced back to this IP address?

Thanks very much for your help.

[MysteryFCM]

Nothing to do with any other sites listing anything on the range - it's blocked due to a plethora of malicious content across Voxility/Limehost IP space, and their deciding they don't want to deal with it, and deciding they don't want to boot blackhat hosts reselling their space to criminals.

[Evolvingdoor]

Hi MysteryFCM, thanks for your reply. So it's not necessarily the "hut" websites, as such; they're being painted with the same brush as other ne'er-do-wells who inhabit the same server?

[MysteryFCM]

Not quite, no. It's not a case of being painted with the same brush - it's a case of the ASN refusing to deal with abuse, and the risks of not blocking, being far out weighed by the benefits of a blanket block, plain and simple.

[Evolvingdoor]

Thanks Steven.