
How to report a false positive in the Web Reputation Score

t.bronger
Level 1

I raised this issue already in the "Firewall" subtopic but apparently I was off-topic there ... so I dare to try again here:

An Ironport using the Web Reputation Score of websites is currently listing www.juliabase.org with a score of below -7.0.  This is a false positive due to the high traffic the website currently generates because -- well, it is simply popular at the moment (first public announcement was yesterday). There certainly is no malware on it.

How can we get rid of this bad reputation listing?

Accepted Solution

Senderbase.org has it at Zero, that's where you can request changes.

Right now my WSA returns -4.9...  So it's probably just a matter of time before it comes up.  Ephemeral sites are typically bad, so it doesn't surprise me that they want you to stick around for a bit before they call you clean.

4 Replies


Thank you, I filed a request there.

However, I disagree that this strategy of reputation scoring is unsurprising.  We feel punished for the popularity of our project.  Only two ingredients were sufficient for our -7.0 scoring: popularity and dynamic IP.  And "popularity" meant a couple of hits per minute ... I fear the day when we are mentioned on "the register", "heise.de" or slashdot ...  ;-)

Senderbase bases their score on several factors. You hit 2 of them, which, when taken together, can be an indication of malicious activity. High traffic with a "new" hostname or IP can represent a fast-flux DNS C&C. It's never good to have dynamic IP addresses for servers, as often global DNS caches cannot keep up with changing IPs, resulting in disconnects for your clients.

Bookmark it, we can blow it up later.

The URL is indeed a false positive, and at the moment the reputation score of the site has lifted to 5.4 and the risk of malware probability is quite low.

If the scoring has changed to a bad score, I would recommend opening a case with the Cisco Web Security Team for them to analyse the URL in depth.
