False positive: yellowscribe.xyz


Go to solution Solved by thisisu,

My website yellowscribe.xyz requires the user to upload a file, and this is getting blocked:

{"@timestamp": "2023-07-06T17:17:16.599Z", "session": "1688656901676", "message": "BTW: POST issued, checking suspicious activity...", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.599Z", "session": "1688656901676", "message": "BTW: POST issued, checking suspicious activity...", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.599Z", "session": "1688656901676", "message": "BTW: http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer 40k_Grey Knights_Army.regiztry is not in the white listed entries", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.599Z", "session": "1688656901676", "message": "BTW: http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer 40k_Grey Knights_Army.regiztry is not in the white listed entries", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.599Z", "session": "1688656901676", "message": "BTW: suspicious request made to high risk TLD, possible phishing!", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.599Z", "session": "1688656901676", "message": "BTW: suspicious request made to high risk TLD, possible phishing!", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.600Z", "session": "1688656901676", "message": "OS: (PAGE_BLOCK) phishing attempt found on http://yellowscribe.xyz/ for http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer 40k_Grey Knights_Army.regiztry", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.600Z", "session": "1688656901676", "message": "OS: (PAGE_BLOCK) phishing attempt found on http://yellowscribe.xyz/ for http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer 40k_Grey Knights_Army.regiztry", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.601Z", "session": "1688656901676", "message": "SCA: Redirecting http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer 40k_Grey Knights_Army.regiztry to block page for scam detection", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.601Z", "session": "1688656901676", "message": "SCA: Redirecting http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer 40k_Grey Knights_Army.regiztry to block page for scam detection", "level": "INFO"}
{"@timestamp": "2023-07-06T17:17:16.602Z", "session": "1688656901676", "message": "SCA: About to flag url 'http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer%2040k_Grey%20Knights_Army.regiztry' on tab with url http://yellowscribe.xyz/", "level": "DEBUG"}
{"@timestamp": "2023-07-06T17:17:16.602Z", "session": "1688656901676", "message": "SCA: About to flag url 'http://yellowscribe.xyz/getFormattedArmy?filename=Warhammer%2040k_Grey%20Knights_Army.regiztry' on tab with url http://yellowscribe.xyz/", "level": "DEBUG"}

I'm a little surprised to hear that .xyz is a "high risk TLD", but my website is certainly not phishing; please whitelist it.

Particularly annoyingly, there is no indication to the user that Malwarebytes is blocking this upload unless they happen to spot the "1" on the extension icon - because it's a script on the page generating the POST and waiting for the response, it just never gets the response it expects and appears to have hung. It took us a fair while to figure out that Malwarebytes was the reason the site was working fine for most people but completely nonfunctional for others!

Link to post
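The post above describes a page script whose POST is intercepted by the extension, so the page appears to hang. The following is an added example, not part of the original post and not the site's own code: a client-side upload wrapper that always settles, so a blocked request becomes a visible message. The function names, the timeout value and the JSON response type are assumptions.

```javascript
// Added example. Function names, the timeout and the JSON response type are
// assumptions; only the /getFormattedArmy path comes from the post.
const UPLOAD_TIMEOUT_MS = 15000;

// Always settles with { ok, reason } so the page can report a failure instead
// of waiting forever on a request a content blocker cancelled or redirected.
async function uploadWithDiagnosis(url, body, opts = {}) {
  const fetchImpl = opts.fetchImpl || fetch; // injectable for offline testing
  const timeoutMs = opts.timeoutMs ?? UPLOAD_TIMEOUT_MS;
  const expectType = opts.expectType ?? "application/json";
  const controller = new AbortController();
  let timer;
  const timedOut = new Promise((resolve) => {
    timer = setTimeout(() => {
      controller.abort(); // stop the request if the runtime honours the signal
      resolve({ ok: false, reason: "timeout" });
    }, timeoutMs);
  });
  const attempt = (async () => {
    try {
      const res = await fetchImpl(url, { method: "POST", body, signal: controller.signal });
      const type = res.headers.get("content-type") || "";
      // A block page arrives as HTML rather than the payload the script expects.
      if (!res.ok || !type.includes(expectType)) {
        return { ok: false, reason: "unexpected-response", status: res.status };
      }
      return { ok: true, data: await res.json() };
    } catch {
      // fetch rejects when the request never reaches the server.
      return { ok: false, reason: controller.signal.aborted ? "timeout" : "network-error" };
    }
  })();
  try {
    return await Promise.race([attempt, timedOut]);
  } finally {
    clearTimeout(timer);
  }
}

// Text to show the user; empty string on success.
function userMessage(result) {
  if (result.ok) return "";
  return `Upload did not complete (${result.reason}). A browser security ` +
    "extension may be blocking this site; check its toolbar icon for a block count.";
}
```

Call `uploadWithDiagnosis("/getFormattedArmy?filename=...", file)` from the page and render `userMessage(result)` whenever `result.ok` is false.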
