
I have a personal website hosted using my provider's DNS name (i.e. myname.provider.com) on my personal hardware at home. The web server (both HTTP and HTTPS) is Apache on Debian Wheezy (which is rather dated), but I update it regularly. It has an OwnCloud instance, a simple PHP form to send an SMS to my phone and my wife's, and a photo gallery with some art stuff my wife made. The site has an up-to-date Letsencrypt certificate. There's also an open SSH port for remote maintenance.

Recently, this website got classified as 'phishing' by the Blue Coat Web Filter list, so neither my wife nor I can access it at work. Using the tool from this post shows no further problems.

I'm thinking about sending them a review request, but before I do, I would like to understand what could have gotten me blacklisted in the first place, to see if I can fix the problem beforehand. Is this because of OwnCloud? Web gallery? Letsencrypt certificate? Provider's DNS? Dated Apache? Open SSH port? Or do they just blacklist all URLs starting with 'D' because it's February?

What are the most common red flags which are used to blacklist websites?

Dmitry Grigoryev
    Speculation, but probably because a user reported it as phishing. I suggest you send the review request, and see what happens – paj28 Feb 06 '19 at 14:20
  • @paj28 FYI, I tried contacting them via the review form (which states they reply within 1 business day). After one week with no answer and no changes to the site's classification, I just changed the site's name via my provider's form (they applied the changes in under 1 hour), got a new Letsencrypt certificate and moved on. – Dmitry Grigoryev Feb 13 '19 at 07:50

1 Answer


This is not an answer but rather an experience I have been through when our company blocked websites like yours. What normally happened was that the legit site was vulnerable to a vulnerability called Cross-Site Scripting.

Basically, what it does is use your site for phishing attacks such as stealing passwords and usernames, etc. This is just a possibility because there is not any information on this case, and I believe that your site was pointed out to be this way and someone has fallen into the attack.

If this happened, what would we do?

  1. Trigger a command called whois and report to the email provided.
  2. Wait for a time and investigate if it is really still there.
  3. If not, tell the site's provider (e.g. HostGator) and the provider initiated the takedown.

What should you do if this happened?

  1. Crawl your website and see if there is any awkward page that you did not make; someone could have had access to the site's password and put up a page for phishing. It is a very good technique because your site is a good domain.
  2. Use a security scanner like OpenVAS and search for security vulnerabilities such as those mentioned above.
  3. If any of this happened, switch the site's password and patch all vulnerabilities, including if you use open source.

Then again, a suggestion.

  • Thanks. I don't think I have any dynamic pages that are publicly accessible (except for Owncloud login page), but I'll double-check that. – Dmitry Grigoryev Feb 06 '19 at 14:49
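The first step in the answer above, looking for pages on the server that you did not create, is easier with a baseline to compare against. As an added example (not from the question or the answer), here is a small Python inventory check that records a SHA-256 manifest of a webroot and reports files added, removed or modified since that baseline; the webroot contents, file names and the planted page are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample webroot: hypothetical file names, not the asker's real site.
BASELINE_FILES = {
    "index.html": "<html><body>Gallery</body></html>",
    "sms/send.php": "<?php /* send SMS */ ?>",
    "gallery/art1.jpg": "jpegdata",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large gallery images do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Map each file's path (relative to webroot, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(webroot)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(webroot.rglob("*")) if p.is_file()
    }


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Populate a temp webroot, take a baseline, then simulate a change you did not make."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in BASELINE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_manifest(root)
        # Constructed change: one unknown page appears and one known page is altered.
        (root / "unknown-page.php").write_text("<form>not yours</form>")
        (root / "index.html").write_text("<html><body>Gallery<script></script></body></html>")
        return diff_manifest(baseline, build_manifest(root))
```

Store the baseline manifest off the server (a copy on the server can be edited along with the pages), and rebuild it after each deliberate update so only unexpected changes are reported.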