GLESgunn

FALSE POSITIVE: 67.212.94.146


The IP Address 67.212.94.146 was repeatedly blocked by Malwarebytes.

Further it was blocked without any warning or bubble to tell me that it was being blocked. All I knew was my browser repeatedly failed to load it. I spent over a month trying to resolve the problem without a clue that it originated with Malwarebytes.

I have since put the IP address on the ignore list for the IP Protection feature. But you should know that it should not have been blocked in the first place.


Greetings :)

What was the actual URL of the site in question that you were trying to load (ie www.websitename.com)? I ask so that the developers can investigate the issue further and determine whether or not the IP needs to be removed from Malwarebytes' IP Block List.

Thanks :)


The URL is wchq.org (Wisconsin Collaborative for Healthcare Quality). I have checked the site and didn't find any issue. Could you please let us know the reason this IP is blocked and how we can prevent this site from being blocked?

Best regards


The IP is blocked because the IP range (67.212.94.) from Netelligent Hosting Services Inc. is host to malicious sites. If they clean up the malware sites they are hosting, the block will be removed.


Hello,

I'm Maykel Rodriguez, co-founder and CEO of Speedyrails.com. We manage the C Class 67.212.94.0/24 which we acquired from Netelligent Hosting Services Inc.:

http://www.dnsstuff.com/tools/whois/?ip=67.212.94.0

Netelligent Hosting Services Inc. NETEL-ARIN-BLK02 (NET-67-212-64-0-1)

67.212.64.0 - 67.212.95.255

Speedyrails SPEEDYRAILS-CA-1 (NET-67-212-94-0-1)

67.212.94.0 - 67.212.94.255

We have zero tolerance for Malicious Sites, Malicious Attacks, including but not limited to introducing malicious programs (such as viruses, worms and other programs intended to inflict harm) in Speedyrails


I can assure you, it's not "without proof" as far as Netelligent ranges are concerned (myself and several others have blogged/reported many times concerning them). For example;

http://hphosts.blogspot.com/2010/01/yet-an...g-campaign.html

http://hphosts.blogspot.com/2009/10/crimew...etelligent.html

http://www.google.com/safebrowsing/diagnostic?site=AS:10929

http://hphosts.blogspot.com/2009/10/capthc...chastopcom.html

http://blog.fireeye.com/research/2009/10/g...-not-gumby.html

http://malwareint.blogspot.com/2009/06/rec...careware-x.html

http://hphosts.blogspot.com/2009/05/liveco...artuz-isnt.html

http://malware-web-threats.blogspot.com/20...tivirus-p4.html

etc etc etc

And finally;

http://hostexploit.com/index.php?option=co...&Itemid=106

As far as this specific range goes, the following is the only one I can find on your network, and is carrying an exploit and was reported to your abuse dept in December (I've had no response thus far, including so much as an auto-response).

http://www.corners.in/applications/adverts/1generic/fox/ad301.htm

If this is cleaned up/removed, I can modify the filter to unblock your /24.


Hello MysteryFCM,

We have not received any email from Malwarebytes in the past. We store a copy of every email received in a gmail account and there is absolutely no email from Malwarebytes.

It's easy to note that there was no proof, no good faith and no investigation in the comment from SpySentinel, since the network 67.212.94.0/24 is not operated by Netelligent as stated by SpySentinel, it's operated by Speedyrails as you can see in the ARIN registry:

http://www.dnsstuff.com/tools/whois/?ip=...=whois.arin.net

Please note that accusing a company of being "host to malicious sites" is pretty serious if there is no way to prove it. Showing one link to a page with content published by a member of one of our customers is pretty ridiculous, as you said, this link "is the only one I can find on your network" and you are considering that we are "host to malicious sites" based on this single page (from thousands or millions hosted by us).

Could you please confirm if you emailed Netelligent or corners.in instead of Speedyrails about this issue last December? Can you send me a copy of the email? My address is maykelrr at "the speedyrails domain".

I'll contact our customer immediately to investigate this issue and make sure this page is removed after confirming it's actually a malicious page.

Thanks,

Maykel


I believe you've misunderstood what I wrote - it's not SpeedyRails that I am accusing of anything - it's Netelligent (your company just sadly happens to be one of their customers, and hence, why your range was included to begin with).

As far as corners.in, an e-mail was fired off to the address listed in the domain's WhoIs records (namrata @ invivosoft.com) in December, to alert them to the malicious content on their site. To date I've not had a response. I also e-mailed the ISP listed in the domain's IP WhoIs (support @ speedyrails.com and abuse @ netelligent.ca) at the same time (I'll dig out the e-mail and forward you a copy).

In the meantime, I'll get the filter modified to unblock your range.


I understand you didn't accuse Speedyrails, but the post was done before even checking the ARIN information and therefore it wasn't clear for our customers whether Speedyrails was involved in this issue or not.

It happens all the time that an ISP or larger collocation/hosting company reassigns a group of IPs to another entity; this is done by filing an ARIN-REASSIGN-DETAILED-4.2 template. In this case, we should not be responsible for issues that are not in our network or group of IP addresses.

We will post an update in this thread within 72 hours regarding this issue. We have already contacted our customer (corners.in) and will work with them to investigate the page in their site that you sent and get this solved.

I'd appreciate it if you DM a copy of the original email sent last December; we have not found any copy of this email in either support@ or abuse@ or maykelrr@ or sales@, which are all redirected to a backup account in gmail.

Thanks for unblocking our range.

Best regards,

Maykel
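
An added illustration, not part of the thread or any participant's post: the reassignment point discussed above can be checked mechanically by parsing the two ARIN summary records quoted earlier in the thread and selecting the most specific registration that covers an address. Treating the longest prefix as the party to notify is this example's assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# WHOIS summary lines as quoted earlier in this thread (org, handle, net id, range).
WHOIS_TEXT = """\
Netelligent Hosting Services Inc. NETEL-ARIN-BLK02 (NET-67-212-64-0-1)
67.212.64.0 - 67.212.95.255
Speedyrails SPEEDYRAILS-CA-1 (NET-67-212-94-0-1)
67.212.94.0 - 67.212.94.255
"""

HEADER = re.compile(r"^(?P<org>.+?)\s+(?P<handle>\S+)\s+\((?P<net>NET-[\d-]+)\)$")
RANGE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")


def parse_records(text):
    """Return a list of (org, handle, [networks]) from header/range line pairs."""
    records, pending = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        h, r = HEADER.match(line), RANGE.match(line)
        if h:
            pending = (h["org"], h["handle"])
        elif r and pending:
            first, last = (ipaddress.ip_address(x) for x in r.groups())
            # A start-end range may need several CIDR blocks; here each needs one.
            nets = list(ipaddress.summarize_address_range(first, last))
            records.append((*pending, nets))
            pending = None
    return records


def most_specific_holder(ip, records):
    """Find every registration covering ip and return the longest-prefix one.

    Assumption of this example: the most specific registration names the
    operator to notify; broader registrations are reported as parents.
    """
    addr = ipaddress.ip_address(ip)
    covering = [(net.prefixlen, org, handle, net)
                for org, handle, nets in records
                for net in nets if addr in net]
    if not covering:
        return None
    _, org, handle, net = max(covering, key=lambda c: c[0])
    return {"org": org, "handle": handle, "network": str(net),
            "parents": [o for _, o, _, n in covering if n != net]}
```
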

It's easy to note that there was no proof, no good faith and no investigation in the comment from SpySentinel, since the network 67.212.94.0/24 is not operated by Netelligent as stated by SpySentinel, it's operated by Speedyrails as you can see in the ARIN registry:

I don't believe I ever said that Speedyrails was to blame. Like MysteryFCM and I both stated, it's Netelligent. It's like you said, there is no proof, no good faith and no investigation in a comment like the one you posted.

Regardless, like MysteryFCM said, your range was unblocked which is good.


SpySentinel, it makes no sense to continue arguing about this issue. I think you guys should take the feedback positively since your accusations can do more bad than good. A user posted a message about an issue with an IP address operated by Speedyrails and you didn't investigate before posting a serious accusation, this only caused confusion and definitely didn't help.

I would love to put this issue to rest. You guys already have my email address (maykelrr at "the speedyrails domain") and you are always welcome to email me (and abuse@, support@ too) about any detected issue involving our IP ranges. Rest assured we will always respond promptly and will be glad to collaborate; we pride ourselves on offering first class support and trustworthy hosting to our customers.

Have a great weekend!

Maykel

SpySentinel, it makes no sense to continue arguing about this issue.

I absolutely agree with you.

I think you guys should take the feedback positively since your accusations can do more bad than good.

I think you guys should be a little more patient with this process and let MBAM do their job.

Since you have run this topic to an end, this topic has been closed.

You have a wonderful week

This topic is now closed to further replies.
