173.244.198.143


DougCuk

Running v1.46 with database version 4207

Attempts to update the spyware blocking program SpywareBlaster (javacoolsoftware.com) trigger an IP block on 173.244.198.143

This appears to be one of the servers hosting the update files for this security software.

This IP has been blacklisted from at least database version 4201.


Just installed SB and it's updating fine from here? Can you give me the hostname of the update server it's using please?

I can't unblock this one for two primary reasons, one being the sites on the range, and the second being it's SoftLayer, an ISP known for allowing criminals on their network.


I need to know the server hostname involved as I can't reproduce it on either my primary machine, or my test machine.

/edit

Only update server I can get SB to use (I've no choice in the matter) is update1.*, there doesn't seem to be an option to change it that I can find.


Sadly, yep. Others have done testing and they've noticed it's blocking one minute, and not the next, which suggests SB is using a CDN that's using geo-tracking and load balancing. Still not been able to reproduce it myself though.


Seems this is dependent on geographic location and load balancing server allocation.

However I have not had any successful update from London UK

I am seeing two server names for this IP

An IP trace shows the name as - 173.244.198.143.static.midphase.com

The SpywareBlaster program (Manual Update - Free version) shows - updates1.spywareblaster.net


Just had a successful update!!

So something must have swapped me to a different server.

The address updates1.spywareblaster.net has a totally different IP - so is obviously not the real server being used.

However a port monitor utility shows SpywareBlaster accessing the following address:

206-55-108-109.global11325.loc45.simplecdn.net

Not exactly sure what that means but it does include the term CDN - which was mentioned.


To paraphrase the response on the Wilders Forum from "Javacool", a SpywareBlaster tech:

Full posting click here

SpywareBlaster uses a CDN (content distribution network) to serve the update content from the closest of many servers distributed worldwide, to ensure the fastest possible updates. The specific IP address .... will indeed vary depending upon your geographic location, ISP, and other factors. [The blocked] .. IP address is a CDN "edge"/cache server, which caches + serves content for multiple users of our CDN provider. There's a seamless mapping from ... our update server domain name, to ... the CDN edge server that's closest to you.

Thank you for reporting this issue to MBAM. It looks like they (MBAM) mistakenly caught a CDN edge/cache server in their IP blocks. It should be simple enough for them to fix.

Best regards, -Javacool

At present I am no longer being sent to the blocked update server - not sure if it got removed from the pool - or if it's just the luck of the draw.

Both sides are obviously aware of the issue but it looks like Javacool are expecting MBAM to fix this one.

I will report back if the blocked server re-appears.


I tried reinstalling and upon updating again received the block from Mbam. Uninstalled SpywareBlaster again and will not use it until like MysteryFCM said

"(not until SoftLayer and Midphase get their acts into gear)"

Update:

Reinstalled SpywareBlaster. It did update but Mbam blocked

Windows Firewall log

Download from Cnet

2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541684468 3518662903 29862 - - - RECEIVE

2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541685848 3518662903 29862 - - - RECEIVE

2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541687228 3518662903 29862 - - - RECEIVE

2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541688608 3518662904 29862 - - - RECEIVE

Update went to a Black Hole

2010-06-19 08:46:14 ALLOW UDP 127.0.0.1 239.255.255.250 57869 1900 0 - - - - - - - RECEIVE

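An added example, not part of any poster's message: a parser for the Windows Firewall log entries quoted in the post above. It groups dropped inbound TCP segments by remote endpoint so the exact address being dropped can be reported to the blocklist maintainer. The field order is the standard pfirewall.log layout; the function names are illustrative.

```python
from collections import defaultdict

# Field order of a Windows Firewall log (pfirewall.log) entry.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The five entries quoted in the post above, copied verbatim.
SAMPLE = """\
2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541684468 3518662903 29862 - - - RECEIVE
2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541685848 3518662903 29862 - - - RECEIVE
2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541687228 3518662903 29862 - - - RECEIVE
2010-06-19 08:46:07 DROP TCP 216.239.122.40 192.168.1.65 80 51327 1420 A 3541688608 3518662904 29862 - - - RECEIVE
2010-06-19 08:46:14 ALLOW UDP 127.0.0.1 239.255.255.250 57869 1900 0 - - - - - - - RECEIVE
"""

def parse(text):
    """Yield one dict per well-formed entry; skip blanks, '#' headers, short lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def dropped_inbound(text):
    """Summarise dropped inbound TCP segments per (remote IP, remote port, local port)."""
    flows = defaultdict(list)
    for e in parse(text):
        if (e["action"], e["protocol"], e["path"]) == ("DROP", "TCP", "RECEIVE"):
            key = (e["src_ip"], int(e["src_port"]), int(e["dst_port"]))
            # tcpsyn is the segment's TCP sequence number.
            flows[key].append((int(e["tcpsyn"]), int(e["size"])))
    summary = {}
    for key, segs in flows.items():
        segs.sort()  # sequence wrap-around is ignored in this sketch
        gaps = [b[0] - a[0] for a, b in zip(segs, segs[1:])]
        summary[key] = {
            "segments": len(segs),
            "bytes": sum(size for _, size in segs),
            # Equal steps between sequence numbers mean consecutive data
            # segments of one stream were dropped, not unrelated packets.
            "contiguous": len(set(gaps)) == 1 if gaps else False,
            "seq_step": gaps[0] if gaps else None,
        }
    return summary

if __name__ == "__main__":
    for (ip, rport, lport), s in dropped_inbound(SAMPLE).items():
        print(f"{ip}:{rport} -> local port {lport}: {s}")
```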

I am also being blocked again today.

We know that this IP address is in a block owned by a hosting company with a suspect reputation - midphase.com.

However this specific IP address appears to be a fixed IP for a legitimate CDN (Content Distribution Network) server.

The server name for this IP comes back as - 173.244.198.143.static.midphase.com

Browsing to the IP - http://173.244.198.143/ gives a 404 server response with the following name: SimpleCDN Upload Bucket

MBAM at present seem unlikely to remove this IP from its standard blacklist - however the program does allow you to add individual blocked IP addresses to the Ignore List - so at present I have selected that option to get around this problem. The risk posed by unblocking this single IP appears to be minimal - as it is a known CDN server used by a trusted security application.

The problem appears to be caused by a change within the network used by Javacool to supply updates - with the inclusion of a server hosted by a suspect company (midphase.com) - this is obviously not ideal for a security app designed to block suspect websites. A complaint to the CDN service would seem sensible, to get this server removed from the pool. I have posted this suggestion on the Spyware Blaster forum.


however the program does allow you to add individual blocked IP addresses to the Ignore List - so at present I have selected that option to get around this problem.

Sorry for my ignorance. Can someone tell me how to add blocked IP addresses to the Ignore List?

Thanks so much.


  • Staff
Sorry for my ignorance. Can someone tell me how to add blocked IP addresses to the Ignore List?

Thanks so much.

To access a site that is currently blocked that you wish to view, you may add it to the IP Protection ignore list (v1.42 required) as described below:

Navigate to the page, right-click the Malwarebytes system tray icon (near clock) and select an IP or all IPs listed and they will now be added to the ignore option and listed in the 'Ignore' tab. You may need to refresh the page to access the site.


  • Staff
Perfect! That's what I needed. Thank you.

Btw, where does one find that info, for future reference?

Please see the link below which contains our FAQs on this feature for more information:

http://www.malwarebytes.org/forums/index.p...t=0#entry107310
