The website iwcp.co.uk has been blocked by your Umbrella service- why?

Comments

24 comments

  • rotblitz

    This is not related to Umbrella, but OpenDNS generally blocks this site as a malware site:

    nslookup www.iwcp.co.uk. mypc
    Server:  UnKnown
    Address:  192.168.2.11

    Nicht autorisierte Antwort:
    Name:    www.iwcp.co.uk
    Address:  67.215.66.149

    nslookup  67.215.66.149
    Server:  UnKnown
    Address:  192.168.2.11

    Name:    hit-malware.opendns.com
    Address:  67.215.66.149

    You better open a support ticket, or use the dedicated channels for Umbrella customers.

  • rotblitz

    Btw, as always in such cases, a first measure would be to add iwcp.co.uk to your "never block" list, and flush both your local resolver cache and your browser cache. Then it becomes accessible for you.

  • maintenance

    nslookup www.icwp.co.uk.
    Server:  resolver2.opendns.com
    Address:  208.67.220.220

    Non-authoritative answer:
    Name:    www.icwp.co.uk
    Address:  67.215.65.132

    I get servfail. Hm.

  • rotblitz

    "has been blocked by your Umbrella service"

    Oops no, thanks, but this great service is not my service. And it is blocked because of your settings, because you opted to get malware sites blocked. You really get what you opted for. And "It's a genuine perfectly normal local news website" is in no way a justification if a site has been compromised and infected.

  • maintenance

    And that would be my fault! <facepalm>

  • rotblitz

    @maintenance, I used DNSCrypt for this, maybe it's different then. See attached.

    malware.jpg

  • danwav

    Not sure I really follow the comments above.  I'm not an OpenDNS user generally, and am not an Umbrella customer. But being in charge of the server for IWCP.co.uk and having had reports on the IWCP twitter and FB accounts saying people can't get on the website I've had to use OpenDNS to check.

    When not using OpenDNS for my DNS my nslookup returns a perfectly normal result and resolves to 91.151.208.79 - which is the IP of the server.  But when doing the same task when on OpenDNS I get the same result as maintenance above.

    Adding iwcp.co.uk to my own "don't block" list is not a solution - I need anyone in the public to be able to view this site regardless of their DNS provider - this just seems completely mad - how does a site like this get blocked?

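A scripted form of the check this thread walks through by hand (rotblitz's two nslookups and danwav's comparison against the real server address), added here and not part of the original thread: ask an unfiltered resolver and the filtering resolver for the A record, and when they differ, reverse-look-up the filtering resolver's answer to see whether it is a block-page host. The resolver is injected so the sample replays the addresses quoted above offline; the hit-*.opendns.com naming is taken from the PTR shown above and assumed to hold for other block categories.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# A resolver maps (name, record type) to answer strings. For live queries wrap
# e.g. dnspython's Resolver; the fake one below replays addresses from this thread.
Resolver = Callable[[str, str], list[str]]

# Constructed sample built from the nslookup output quoted in the thread: plain
# DNS returns the real server, OpenDNS returns its block-page address, and that
# address reverse-resolves to hit-malware.opendns.com.
SAMPLE_ANSWERS = {
    ("www.iwcp.co.uk", "A", "plain"): ["91.151.208.79"],
    ("www.iwcp.co.uk", "A", "opendns"): ["67.215.66.149"],
    ("67.215.66.149", "PTR", "opendns"): ["hit-malware.opendns.com"],
}

def fake_resolver(source: str) -> Resolver:
    return lambda name, qtype: SAMPLE_ANSWERS.get((name, qtype, source), [])

@dataclass
class Verdict:
    domain: str
    plain: list[str]       # answers from an unfiltered resolver
    filtered: list[str]    # answers from the filtering resolver
    block_host: Optional[str] = None   # set when the filtered answer is a block page

    @property
    def category(self) -> Optional[str]:
        # hit-malware.opendns.com -> "malware": the block reason, not the site's state
        return self.block_host.split(".")[0][len("hit-"):] if self.block_host else None

def block_page_host(ptr_names: list[str]) -> Optional[str]:
    """Return the PTR name if it looks like an OpenDNS block page (hit-*.opendns.com)."""
    for n in ptr_names:
        n = n.rstrip(".").lower()
        if n.endswith(".opendns.com") and n.startswith("hit-"):
            return n
    return None

def diagnose(domain: str, plain: Resolver, filtered: Resolver) -> Verdict:
    """Compare A answers; if the filtering resolver differs, reverse-look-up its answer
    there. Identical answers mean any outage is the site's own, not a filter."""
    verdict = Verdict(domain, plain(domain, "A"), filtered(domain, "A"))
    if set(verdict.filtered) != set(verdict.plain):
        for ip in verdict.filtered:
            host = block_page_host(filtered(ip, "PTR"))
            if host:
                verdict.block_host = host
                break
    return verdict
```

For a live check, pass a resolver wrapper (for example around dnspython's dns.resolver.Resolver with nameservers set to the service under test) in place of fake_resolver; the system stub resolver cannot be pointed at a specific server per query.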
  • danwav

    And no it hasn't been compromised - I've used every scanner I can think of on the server and nothing has shown up!

  • maintenance

    rotblitz: I borked the domain name, which is why I failed to receive the same response.

    danwav: you should open a support ticket: contact OpenDNS. Fora are generally not good for one business to contact another regarding operations.

    How such a thing happens: Generally, it is reported somewhere that OpenDNS draws data from regarding malware sites. For instance, your domain might somehow be one that was generated by e.g., Conficker, which is reported ahead of time by the Conficker Working Group to the industry. "False positives" can occur this way. (A real, in-use domain name randomly generated by malware command and control functions.)

  • maintenance

    edit to add for convenience:

    http://www.opendns.com/about/contact/

    https://dashboard.opendns.com/support/

    https://support.opendns.com/requests/new

    Three avenues. I would try them in that order.

  • danwav

    Hi maintenance - thanks for that - I did email the security-block address that's shown in the browser when you try to visit the site and have heard nothing back - will add a support ticket via this website too.

    Does OpenDNS / Umbrella realise what damage it can do to a business with this kind of report? It seriously must damage the users' trust of the site and therefore the information contained within.  I'm shocked there isn't an obvious part of this website for domain/website owners to raise queries over spurious blocks!

  • danwav

    Thanks again for links - will do them all as suggested.

  • maintenance

    "I did email the security-block address that's shown in the browser when you try to visit the site"

    I believe your email went to the administrator of that Umbrella account. Not likely helpful there, so indeed, follow one or more of the links.

    Re: Damage.  This happens with many other systems beside OpenDNS, because they get information from a variety of blocking lists. I'm not sure where OpenDNS gets all their information, but the standard malware blocking covers Conficker domains and sites identified as hosting IE zero-day exploit malware. Note also that the information may be technically correct, yet still unfair to a legitimate site hosting no actual malware. It happens. Spurious (or otherwise) blocking is generally handled through the ticketing system, but they could have a more accessible and clearly demarcated contact page for site/sysadmins.

    Hopefully, they will soon have your request checked and addressed. Best wishes.

  • maintenance

    Ah, I have seen that the Umbrella Labs claims to have discovered this (or the sentence is needlessly broad). So yes, Umbrella should be treated as directly accountable, and the email address there should be a (the) valid reporting method. (I wasn't getting a block page to come up at all using a browser.)

    But I see the site is unblocked now. Isle of Wight News. Very good! 

  • danwav

    Yay! Thanks for your thoughts - it is still quite frustrating for me - have been building and hosting websites for over 11 years now and as far as I'm aware none have ever been blocked by this kind service. Hope this isn't a sign of things to come.

  • rotblitz

    "have ever been blocked by this kind service"

    How can you know? What if I had iwcp.co.uk or even co.uk blocked?  You cannot know!

    You seem to miss the major point: OpenDNS is an optional DNS service you can use or even not. More than 95% of the internet community don't use OpenDNS. And those who are using it use it purposely, e.g. to get protected from malware and other malicious sites. And this setting is to be seen more individually than generally. Every user can opt in or opt out from everything, as they want.

    Same I could have blocked you with a hosts file entry:    0.0.0.0 iwcp.co.uk www.iwcp.co.uk
    It's gone then for me, and you won't have any control over it...

    And OpenDNS users would know how to access it immediately, as I have described above. As I said, as they want.

  • danwav

    rotblitz - you seem to miss the major point of people asking questions - that they'd like answers not narky ranting responses.

    If someone chooses to use OpenDNS they're probably doing so as they've been told it's faster and they can set some filters to block certain types of sites. Fine.  What isn't good is if an automatic blocking service makes that user then distrust a website that has absolutely nothing wrong with it.  And also what isn't good is that the owners of the website aren't informed or given any kind of simple method to prove nothing is wrong and get unblocked.  This creates distrust from a user's point of view of a service/product/brand whatever it is, that the brand shouldn't have to deal with.  Those users then go onto social media and start going on about not being able to access a certain site, which then spreads the distrust further.

    I'm not saying your precious OpenDNS service isn't useful, I'm just saying it should be a whole lot more careful about how it operates, and be a whole lot more transparent for website/business owners.

  • rotblitz

    "your precious OpenDNS service"

    It's not my service. I'm just a user, so I know what I'm speaking about. And no, I'm not going "onto social media and start going on about not being able to access a certain site", definitely not. That would be the wrong approach, generally anyway, because it's not OpenDNS blocking it, but my individual settings I'm in charge of. I simply added that site to my "never block" list at my OpenDNS dashboard, or I temporarily used another DNS service. That's it.

  • danwav

    With respect - you're "just" a user - so you probably don't know what you're talking about beyond how you choose to use it.  People did go onto social media and raise the issue - that is the point - that is why it potentially causes more harm than it could save.  Just because you feel you know the ins and outs of this service and are happy to run your own block list / safe list etc... I doubt that counts for most users.  In fact those who were on social media talking about this block clearly didn't have much technical nous. I expect someone suggested they use OpenDNS - either set it up for them or they followed a simple tutorial - and ever since then they've thought nothing about it and wouldn't think to query seeing a message like this, and would assume that the IWCP had a malware issue, can't be trusted, and will revert to using a different news source instead.  Customer lost - harm done.

  • rotblitz

    "People did go onto social media and raise the issue"

    LOL. First blocking something themselves and then complaining somewhere else about what they did...

    "In fact those who were on social media talking about this block clearly didn't have much technical nous."

    Who would be simple-minded enough to believe those hoaxes such users tend to populate? The internet is full of hoaxes, probably far more than 50% of its content...

    Whatever, it's pretty clear that I cannot help you with your concerns. You had to directly contact OpenDNS staff to get an official answer and maybe to get something changed.

    And, as you may know, "false positives" with every appliance of any filtering or blocking services and software are rather usual. There's nothing fault-free in this area. And as you have seen, OpenDNS solved your issue within less than 18 hours, far quicker than most other appliances would be able to react.

  • danwav

    I got no official response - it just started working again - I'm still awaiting any kind of answer.

    And why do you keep saying the users blocked it themselves - the users did nothing other than use the OpenDNS servers.  I switched my DNS to OpenDNS opened up a browser typed in www.iwcp.co.uk and was presented with the malware block (as in maintenance's attachment earlier).  They then started posting on social media "ha ha look, the iwcp have a problem", "looks like the IWCP might be infecting everyone" etc... causing the harm.  They didn't post a hoax as you put it.

    I'm aware false positives occur - but it should be an area that OpenDNS openly admit and they should provide simple clear guidelines for addressing the issue.  It took over 24hrs and at no point in that time was I confident I'd placed a message in the right place.  I'm just asking for more clarity.

  • rotblitz

    "And why do you keep saying the users blocked it themselves - the users did nothing other than use the OpenDNS servers."

    Already this decision to use OpenDNS is to get something blocked, as you said yourself: "If someone chooses to use OpenDNS they're probably doing so as they've been told it's faster, and they can set some filters to block certain types of sites. Fine."
    And yes, they really get what they expected to get. And they should make themselves aware to opt out from certain blocking if needed.
    And they don't have to go somewhere else to complain of what they did and experienced through it. That is plain stupid, the wrong approach as I already said.

    "you're "just" a user"

    This was meant to say that I'm not staff or otherwise affiliated with OpenDNS. It did not mean that I'm the simple average normal OpenDNS user.

    "so you probably don't know what you're talking about beyond how you choose to use it."

    Be assured, I know what I'm talking about. My horizon is wider than you ever would imagine it is.

    It is clear that your interest as domain owner is to not get your domain blocked and to keep its reputation up. No need to emphasize this, everybody would.

    Same as OpenDNS are trying to protect their users from malicious activity and content as they want. And if they get reported from one or more sources they collaborate with that a domain is malicious, then they block it automatically until it is proved that it is (no longer) malicious. This is the most efficient way to do it in this case. If they struggled around with domain owners or what then there would be no protection and prevention, just discussion. It could be also (and was) your domain this time, or could be one of my domains, or any other. So what? I don't care.

    Ever heard about a conflict of interests? Some of them are not solvable, or only in view of one side. You simply have to accept it as fact of life.

    Given that less than 5% of the internet community uses OpenDNS, and only people actively searching for the reputation of your site may have become aware that it has been blocked temporarily, there's no measurable harm. Especially your main audience and clients are most likely not congruent with the audience and clients of OpenDNS, making any impact even more unlikely. Stay with the facts.

    I reimburse you the theoretical 10 cent loss you made if you donate me the 200 dollar profit you made by the advertising effect of this incident. Yes, this was in fact an advertisement effect, driving more visitors to your site, believe me. Think about only the readers of this thread which may have visited your site, including me and maintenance. Check your stats, and stop complaining. Else I must assume you want to drive even more visitors to your site with this...

    Nuff said, I drop out of this fruitless discussion.

  • jedisct1

    Every day, the Conficker worm builds a list of 50,000 pseudorandom domains that it will use as a C&C server.

    Most of these are nonexistent. Other ones might be benign or malicious.

    The list changes every day. The algorithm is simple and widely documented, so OpenDNS automatically blocks these domain names for the period Conficker will contact them. They are automatically removed afterwards.

  • danwav

    Hi jedisct1 - so I really don't understand all this Conficker stuff - it's a virus yes? It can get on unprotected computers? It produces a list of domain names randomly - to do what with?  So is it just bad luck that a genuine domain got on its list?  Probably because it's a 4 letter domain?

    I just don't understand the purpose of the conficker list and why OpenDNS blocks it in its entirety without carrying out any checks themselves?

    Thanks for trying to explain though.
