My company's legitimate websites have been blocked by SmartScreen

  • Question

  • Hi guys,

    I have quite a serious problem going on at the moment. My company's legitimate websites have been blocked by Internet Explorer's "SmartScreen" and our end users are complaining.

    The two sites in question are:

    • http://www.endeavour.edu.au
    • http://learn.endeavour.edu.au

    I find it hard to believe that our websites can simply be blocked by this SmartScreen filter, without providing us with any evidence, or even contacting us to verify the legitimacy of our website.

    We are an educational institution and are obviously in no way affiliated with any malware or phishing and in no way have our websites been spreading malware or phishing attacks.

    How can Microsoft simply add our site to a "blacklist" of sorts, without properly and correctly reviewing our site to confirm what has been reported? I find this to be extremely unprofessional, and it could even be classed as defamation.

    The fact that we can only "Report that this site does not contain threats" and not even contact anyone at Microsoft to confirm any details is astounding.

    Does anyone know how to quickly get these false positives reversed?

    Thanks,

    Nino

    Wednesday, April 22, 2015 1:53 AM

Answers

  • Hi Rob,

    Yes it is all fixed now, but Microsoft's reply is far from acceptable. I think it started happening just yesterday.

    Below was their response.

    Hello Mr Iaccarino,

    While we understand your desire to ensure that your site is not incorrectly tagged in the future, per policy Microsoft does not discuss specific details around our protection technologies or services. So, we are not able to provide any further information outside of what has been sent in our previous messages.

    False warnings, while rare, do occasionally occur. This is why a key design goal of the Microsoft SmartScreen® Filter escalation process is to help ensure that we adjust any false warnings in an extremely quick and efficient manner.

    Given the scale of the Microsoft SmartScreen® Filter service, we’ve found that site owners are most satisfied when we point them to the following sources of information:

    The Microsoft SmartScreen® Filter uses a combination of our built-in-filter, an on-line service and a built in mechanism to report suspected Phishing sites as well as false warnings. A block experience is typically based on the various data providers and end-user feedback to the on-line service. More details about the data providers we work with can be found here:

    http://www.microsoft.com/security/resources/providers.aspx

    You can find more information about the filter as well as best practices at:

    SmartScreen® Filter Frequently Asked Questions

    In addition to the FAQ best practices, we have further content providing information on how to prevent false warnings and blocks in a preemptive way, as well as practices to help ensure that your site isn’t compromised by a would be Phisher. Pointers to these links are below:

    Information about how to recognize phishing scams:

    http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

    Phishing Filter White Paper: http://www.microsoft.com/downloads/details.aspx?FamilyId=B4022C66-99BC-4A30-9ECC-8BDEFCF0501D&displaylang=en

    SmartScreen Filter and Resulting Internet Communication:

    http://technet.microsoft.com/en-us/library/jj618329.aspx

    Thank you,

    Microsoft SmartScreen® Filter Support

    Thursday, April 23, 2015 12:25 AM

All replies

  • Looks to be an issue with .edu.au domains, maybe?

    • http://www.myfuture.edu.au/
    • http://www.unimelb.edu.au/
    • http://www.latrobe.edu.au/
    • https://www.uow.edu.au/index.html
    • http://bond.edu.au/
    • http://www.usc.edu.au/
    • http://www.vit.vic.edu.au/

    All showing as unsafe to me.

    Wednesday, April 22, 2015 3:04 AM
  • Hi,

    from what I can see

    https://learn.endeavour.edu.au/login/index.php is leaking user details to third-parties via the social networking buttons (which are not using the https protocol)

    f12>Console tab, refresh the page...to display the error messages for the page.

    DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
    File: index.php
    SCRIPT16389: Unspecified error.
    File: index.php, Line: 1, Column: 1
    HTML1300: Navigation occurred.
    File: index.php
    HTML1508: Unmatched end tag.
    File: index.php, Line: 78, Column: 1
    SEC7111: HTTPS security is compromised by http://learn.endeavour.edu.au/_files/images/HE.png
    File: index.php
    SEC7111: HTTPS security is compromised by http://learn.endeavour.edu.au/theme/image.php?theme=essential2&component=theme&rev=1429666221&image=bg%2Fbody
    File: index.php
    SEC7111: HTTPS security is compromised by http://cld-vid02.endeavour.edu.au/p/104/sp/10400/embedIframeJs/uiconf_id/6709411/partner_id/104
    File: index.php
    SEC7111: HTTPS security is compromised by http://learn.endeavour.edu.au/local/kaltura/js/frameapi.js
    File: index.php

    It looks like you are using a WordPress theme that may be malware.... what is HE.png?

    http://vet.endeavour.edu.au/login/index.php on the other hand does not invoke the SmartScreenFilter.

    f12>Console tab.....

    DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337
    File: index.php
    SCRIPT16389: Unspecified error.
    File: index.php, Line: 1, Column: 1
    HTML1300: Navigation occurred.
    File: index.php
    HTML1508: Unmatched end tag.
    File: index.php, Line: 78, Column: 1
    Kaltura HTML5 Version: 1.7.0.8

    My guess is......

    1. Get your site verification code from Google https://support.google.com/webmasters/answer/35179?hl=en

    and add the appropriate meta tag to your landing page. (actually you should clear up your dns records first, so that you have the one IP address with several aliases.)

    2. Remove your 'social' buttons and other third-party content from your sign-in pages. You should not use unsecured content from third parties on login pages. (google analytics.... do you really need to know how many visitors bounced on your login pages?)

    3. contact your hosting provider.... the who-is records look out of date/incorrect... I would expect the same IP address for your sub-domains, but they have been mapped to different IP addresses.

    I would expect the ONE IP address for endeavor.com.au with records for the several aliases that you are using on the sub-domains.

    Address lookup

    canonical name endeavour.edu.au.
    aliases www.endeavour.edu.au, + learn.endeavour.edu.au, vet.endeavour.edu.au etc.
    addresses 117.20.11.60

    (your sites are using different IP addresses for each sub-domain).

    see
    http://centralops.net/co/DomainDossier.aspx?addr_lkup=1&dom_whois=1&net_whois=1&dom_dns=1&traceroute=1&svc_scan=1&addr=www.endeavour.edu.au

    and

    http://centralops.net/co/DomainDossier.aspx?addr_lkup=1&dom_whois=1&net_whois=1&dom_dns=1&traceroute=1&svc_scan=1&addr=learn.endeavour.edu.au

    BUT!

    these are peer to peer support forums... we do not work for nor represent MS.

    Your best option is to submit a request via the Phishing Filter link or to contact MS Australia (support.microsoft.com) who MAY be able to give you more concrete reasons why the site(s) are being reported as unsafe.
    Regards.


    Rob^_^

    Wednesday, April 22, 2015 3:23 AM
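
The SEC7111 messages in the reply above report plain-HTTP subresources on an HTTPS login page. The following is an added example, not code from any poster or from Microsoft: a small scanner that lists such mixed content from a page's HTML, with scripts and frames ahead of images. The sample markup is constructed, modelled on the URLs in that console output, and `/theme/logo.png` and `/embed.js` are hypothetical paths.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a subresource. "active"
# content can rewrite the page (and read a login form); "passive" cannot.
FETCHING = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",   # counted only for rel=stylesheet, see below
    ("img", "src"): "passive",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in FETCHING.items():
            if t != tag or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue  # rel=canonical and similar are not fetched
            url = urljoin(self.page_url, attrs[attr])  # resolves relative and //host forms
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return insecure subresources of an HTTPS page, active ones first."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return sorted(scanner.findings)  # "active" sorts before "passive"

# Constructed sample markup (not the real page source).
SAMPLE = """
<link rel="canonical" href="http://learn.endeavour.edu.au/login/index.php">
<img src="http://learn.endeavour.edu.au/_files/images/HE.png">
<img src="/theme/logo.png">
<script src="http://learn.endeavour.edu.au/local/kaltura/js/frameapi.js"></script>
<script src="//cld-vid02.endeavour.edu.au/embed.js"></script>
<a href="http://vet.endeavour.edu.au/login/index.php">VET login</a>
"""
if __name__ == "__main__":
    for kind, tag, url in scan("https://learn.endeavour.edu.au/login/index.php", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so only the two hard-coded `http://` subresources are reported; plain links and `rel=canonical` are navigations or hints, not fetches.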
  • We are getting all sorts of false positives today, this is one our company uses: www.confirm.citec.com.au

    The fix is...use Google Chrome or alternative!

    Wednesday, April 22, 2015 4:29 AM
  • Hi Rob,

    Thanks for taking the time to look at that for us. We're fixing up the mixed content on the HTTPS page.

    We don't use WordPress, this is a straight Moodle site and that image is now HTTPS.

    Our Web Servers (Website) are different to our Moodle instances so the different IPs are fine.

    Thanks again for looking at our sites, really appreciate it !

    Wednesday, April 22, 2015 5:42 AM
  • Hi Nino,

    when did this start happening? yesterday? or the day before?

    It appears to be fixed now. http://www.endeavour.edu.au

    there were a few au domains that were showing the same symptoms (showing the Smart Screen prompt)... I can only guess that it had something to do with the extreme weather in Sydney (MS has data centers in Sydney and Melbourne... I presume they may have had to re-route their traffic to Melbourne. I would guess that your hosting provider is using their web farms.)

    Regards.


    Rob^_^

    Wednesday, April 22, 2015 11:55 PM
  • Hi,

    you can't blame the support ppl.... in the first instance, they will use scripted replies... I doubt that individually they would have the expertise to provide on the spot advice or troubleshooting skills to debug a Smart Screen issue... I would have asked them also if they had any disruptions to their Sydney data center because of the extreme weather... how that would affect their Smartscreen algorithms I can only guess... I presume if Sydney was down (or the node with your sites on it) they would be routed to the Melbourne center ... maybe they need to tweak their holistic to cope with such instances. You could ask your hosting provider also if they are using MS's data centers or if they themselves had any outages during the past few days.

    I had a response from Redmond that did not include an explanation (as in all security related issues, working knowledge is kept close to their chests)...

    That the events coincided with the coming and going of the extreme weather suggests it may have been the ultimate cause.


    Rob^_^

    Thursday, April 23, 2015 3:28 AM
  • I have just had this happen to my business website (law firm) today. Of course my first instinct is to sue for defamation. Did you manage to get them to stop bad-mouthing your site? How did you get it "all fixed"?
    Saturday, November 18, 2017 12:39 AM