Beginner

How to report a false positive in the Web Reputation Score

I raised this issue already in the "Firewall" subtopic but apparently I was off-topic there ... so I dare to try again here:

An IronPort using the Web Reputation Score of websites is currently listing www.juliabase.org with a score below -7.0.  This is a false positive due to the high traffic the website currently generates because -- well, it is simply popular at the moment (first public announcement was yesterday). There certainly is no malware on it.

How can we get rid of this bad reputation listing?

Accepted Solutions
Engager

Senderbase.org has it at Zero, that's where you can request changes.

 

Right now my WSA returns -4.9...  So it's probably just a matter of time before it comes up.  Ephemeral sites are typically bad, so it doesn't surprise me that they want you to stick around for a bit before they call you clean.

 

Beginner

Thank you, I filed a request there.

However, I disagree that this strategy of reputation scoring is unsurprising.  We feel punished for the popularity of our project.  Only two ingredients were sufficient for our -7.0 scoring: popularity and dynamic IP.  And "popularity" meant a couple of hits per minute ... I fear the day when we are mentioned on "the register", "heise.de" or slashdot ...  ;-)

Beginner

Senderbase bases their score on several factors. You hit 2 of them, which, when taken together, can be an indication of malicious activity. High traffic with a "new" hostname or IP can represent a fast-flux DNS C&C. It's never good to have dynamic IP addresses for servers, as often global DNS caches cannot keep up with changing IPs, resulting in disconnects for your clients.

Bookmark it, we can blow it up later.
Cisco Employee

The URL is indeed a false positive, and at the moment the reputation score of the site has lifted to 5.4 and the risk of malware probability is quite low.

If the scoring has changed to a bad score, I would recommend opening a case with the Cisco Web Security Team for them to analyse the URL in depth.