Cloudflare mistakenly flagged my website as phishing, now shows a warning and misinforms my users

I’m posting this here to hopefully get a quicker resolution to my issue.

On April 22 I got an email that Cloudflare received a phishing report about my website.

Cloudflare received a phishing report regarding:

xxxxxxxxxxxx.com

Below is the report we received:

Reporter: Anonymous
Reported URLs:

http://xxxxxxxxxxxx.com/xxxxx.exe

Logs or Evidence of Abuse: Hello,

You are currently hosting a site which is associated with an ongoing malware attack. The malware is either spread via an email with a malicious attachment, which when run, appears to communicate with the following links; or it is spread directly using the following malicious links:

hxxp://xxxxxxxxxxxx[.]com/xxxxx.exe [12.34.56.78]

More information about the detected issue is provided at https://incident.netcraft.com/xxxxx/xxxxx

Would it be possible to have this URL taken down as soon as possible?

Many thanks,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: xxxxx

We have provided the name of your hosting provider to the reporter. We have forwarded this complaint to your hosting provider. We have restricted access to the phishing-related content until it has been removed.

Regards,

Cloudflare Abuse

For some reason Cloudflare automatically regarded it as credible information without checking, even though my software is signed and has been published for more than a decade, and now greets all my users with a full-screen phishing website warning like this:

I contacted Cloudflare and Netcraft. Netcraft admitted their mistake:

Hi,

We have reviewed this detection and have classified the report as a false
positive and informed Cloudflare of this incorrect classification.

We have also taken steps to improve our detection and prevent this happening
in future.

Kind Regards,
Netcraft.

Even though both Netcraft and I contacted Cloudflare (I did multiple times), and even though almost a month has passed, the error is still shown on my website, and my software is not accessible. Not only that, it leads visitors and users to believe that I spread malware or that my website was hacked and that they might be compromised, none of which is true.

Please remove the false block page or help me contact those who can help me.

Did you receive a ticket number?

What is the domain in question? I do not see any phishing flags on the sites associated with the account you are using here.

If you are contacting our Trust & Safety team, when you submit an abuse report at cloudflare.com/abuse you will receive a confirmation email with a confirmation code in the Subject. While the Trust and Safety team reviewed the details of your report, that may be the only reply you receive. We do not have visibility into these reports.

Did you receive a ticket number?

I replied to the email that was sent to me from [email protected].
The email title is “[ec435ee64cec1a9c]: Cloudflare received a phishing report regarding your site”, so perhaps ec435ee64cec1a9c is the ticket number.

What is the domain in question?

The URL that was flagged is:
hxxps://rammichael.com/downloads/7tt_setup.exe

when you submit an abuse report at cloudflare.com/abuse

I saw this link, but I didn’t find a “false positive” abuse type. My understanding is that it’s for reporting abuse, not abuse false positives. When I selected “Phishing & Malware”, it didn’t include any option for a false positive report, and I didn’t want to make things worse. Should I use this form?

I sent another email last week and got another id, 67ea7add95c1f19e, but no human reply. Please help.

I already posted this here before, but my website has been falsely blocked for more than a month already, and I got no help here or via support tickets. I don’t know what else to do, so I’ll keep posting here until I get help.

When I tried going to your site, it loaded and redirected with a 301 to the one in the screen capture below:

I didn’t get any warning messages. It looks like both domains are proxied through Cloudflare. If it’s being flagged, I should’ve gotten a warning before the redirection? Or were you only getting that warning interstitial with the one individual URL?

I don’t get any warning when visiting that website either

The following URL is blocked, not the whole website:
hxxps://rammichael.com/downloads/7tt_setup.exe
Thanks.

I can confirm this URL is blocked for me also.

What I suspect happened is that something reported the EXE as being malicious, as the installed program does perform some suspicious actions, which make sense in the context of the software, but which an automated analysis engine may have found malicious and automatically reported the URL to the hosting provider. I have seen this happen before with actual malware that does some similar things and they automatically get reported to the hosting provider.

As to why it has not yet been unblocked, I am not entirely sure.

Hope this helps!

Mistakes happen, but I’m very disappointed with the way Cloudflare handled it. First, the way the URL was blocked without any checking on their part and without prior notice. Second, the fact that it has stayed blocked for more than a month, even though the company that reported it admitted that it was a mistake, and even though I contacted Cloudflare multiple times, via tickets and here on the forum. Luckily, this website doesn’t pay my bills and food, but now I’m much more hesitant to use or recommend Cloudflare for anything important. That’s a pity, because in general the product is great.

It sounds to me like you have already been contacting the appropriate team at Cloudflare to assist. I do not see Support tickets under the account you are using here @michael.cloud, but that is normal and to be expected for questions when they are escalated to the Trust & Safety team. That team has its own confirmation number for tracking.

Yes, that is the confirmation number in the Subject. While the Trust and Safety team will review the details of your report, that may be the only reply you receive.

It won’t. We’d like to help, but only the Trust & Safety team can assist with this, not Support nor the Community.
