Is this a false positive? ip block

[whatmeworry?]

Today, MBAM (v. 1.75.0.1300, database 2013.04.30.05) started sending me warnings that it was blocking a malicious IP. Apparently most of the attempts to reach this IP were via Firefox. I eventually realized that the warnings came only when I was trying to connect to my Lycos email account, an account I've had for many years with no problems. I ran a malware scan: it came up clean. I checked the IP number in a whois, but that just told me about some company here in the USA that has a a large number of IP numbers that it probably distributes. The IP number MBAM was blocking is 204.145.83.230. How am I supposed to determine what site is using this IP number? Is it possible that MBAM is blocking this because it belongs to a link on the Lycos login page and, if so, can I tell MBAM to ignore it, since I'd never click on any of those links and don't even pay attention to them? I'm not sure how useful it is for MBAM to tell me it's blocking an IP address if there's no way for me to know whose IP address it is, or even if Firefox is really trying to reach this IP number (i.e., could MBAM be blocking it simply because there's a link on Lycos' page to some company that uses this IP?). The fact that the attempts are via several different ports does concern me, though I'm quite sure that I'm not infected. Here are the entries from the protection log:

2013/04/30 15:32:49 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 51155, Process: firefox.exe)

2013/04/30 15:32:49 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 51157, Process: firefox.exe)

2013/04/30 15:34:09 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 137)

2013/04/30 15:34:09 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 137)

2013/04/30 15:37:30 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 51284, Process: firefox.exe)

2013/04/30 15:37:30 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 51285, Process: firefox.exe)

2013/04/30 15:37:30 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 51287, Process: firefox.exe)

2013/04/30 15:58:51 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 51444, Process: firefox.exe)

2013/04/30 15:58:51 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 51445, Process: firefox.exe)

Since it doesn't look as if anyone has looked at this message, I'll add to it rather than start a new one. What I want to add is that I've found it's not just when I go to my Lycos email account that I get these warnings. A short while ago, I went to http://members.tripo..._g/espanol.html , which is a dictionary of Alternative Spanish (i.e., slang, etc.), and it too triggered these warnings. For example:

2013/04/30 17:27:29 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 52338, Process: firefox.exe)

2013/04/30 17:27:29 -0400 JSK-XPS [username] IP-BLOCK 204.145.83.230 (Type: outgoing, Port: 52339, Process: firefox.exe)

Both a quick scan and a full scan by MBAM reveal no problems, nor do I see anything peculiar in the way my computer is functioning. And the warnings only appear when I go to these two sites.

Thanks in advance for your help.

[MysteryFCM]

Sorry for the delay. This isn't an F/P. The IP is blocked due to its being a known malvertising server.

[whatmeworry?]

Thanks very much, Steven, for your reply. I'm still trying to understand better what's going on. Since the MBAM warning/blocking occurs each time I go to two different web sites (neither of which have the bad IP address), am I right in assuming that what triggers the warning is the presence of some link on both of these sites? If so, is there a way to determine which link it is?

Also, though the warning/blocking occurs when I go to these sites using Firefox, it does not occur when I use Opera to go to these sites. Doesn't MBAM work with Opera? Please understand that this isn't a criticism; I'm merely trying to understand.

[Dagger]

I have been getting these blocks as well. I had a malwarebytes tech look over my logs, and use combofix to check and clear my stuff, and everything came back good. I've gotten these IP blocks before he had me do these things, and I'm getting them after.

Help me understand how this works. I am not going onto that website. So what is triggering it? And why did nothing show up in my logs or when combofix ran?

[Dagger]

Also, on proboards, they are saying it's a false positive. One of the admins downloaded malwarebytes and got the same thing.

[MysteryFCM]

The browser used is irrelevant. The reason it occurs in Firefox and not Opera, is the same reason it occurs with some users and not others (geo targeting).

It's not the sites themselves that are serving these, but the ad networks being used that they're coming via.

[whatmeworry?]

Thanks, Steven. I'm not sure I understand your explanation about why the warnings appear when I use Firefox but not when I use Opera. How does geo targeting explain this? Both browsers are being used in the same location, and in both cases my IP address will be the same.

[MysteryFCM]

The IP etc will be the same, yes, but the browsers identifiers aren't (certain malware only targets certain browsers, and some even then, only when certain things are enabled (e.g. Flash, Java etc))

[whatmeworry?]

The IP etc will be the same, yes, but the browsers identifiers aren't (certain malware only targets certain browsers, and some even then, only when certain things are enabled (e.g. Flash, Java etc))

Oh, OK, that's good to know. Thanks very much for explaining, and for all your good work for MBAM.