Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Message 11 of 15

Re: My site has been blacklisted please fix!

Wow- Thanks for the insight!  Not sure exactly what the charts are but interesting.  I appreciate you trying to get to the bottom of this! I hope you get it figured out! Thank you so much.


Reliable Contributor
Reliable Contributor
Message 12 of 15

Re: My site has been blacklisted please fix!

I think I've got it, but if not then I'll have to call it a night.

Before I go into the site detail, I think you should check the old site, which appears to have (or probably had) a connection with a name server (ns1.ipage.com) with IP address, whose ISP is The Endurance International Group; this name server has a number of really strange entries associated with it, all of them apparently ridiculing someone by the name of "Robert M Stanley" who has a connection with something called "Unicus". It looks as if someone has hacked a server, or poisoned a DNS server, to create these entries. I absolutely don't want to go into this any further than I have to, so a couple of those entries will serve as an example -

- unicus.iamtoodumbtosetupdns.

- robert-m-stanley-unicus-foundation-scammer-spammer-fraudster.are-we-having-fun-yet-robert-backstabbing-liar-stanley.unicus.iamtoodumbtosetupdns.

According to the most reliable tracers both of your sites now come under Incapsula, so perhaps this no longer affects your site. If you don't have any connection with that ISP, all of this is irrelevant to the enquiry - just another of those false leads. However, it's a salutary reminder that information about websites in different places on the internet may show discrepancies because some organisations are not very good at updating their records. When TrustedSource receives input from third-parties about a website those third-parties could be accessing stale data.

So now to the chase. Here are the most probable causes of the Red rating.

1. TrustedSource has flagged the site as Malicious, and that rating has been passed on to SiteAdvisor. "Malicious" means it's a problem on the site itself. The Red rating seems to have been in effect for the past month or so, and thus has nothing to do with the WordPress security plugin which you say was only recently installed. The rating details are the same for justkeepblogging and www.justkeepblogging, but the rating page for the first site includes details of a mail server. The email reputation shows no warning spikes, so you're not being flagged for sending spam; this is a Web reputation problem. Note especially that the First Seen/Last Seen dates for both of them are 2009, so you've not been assessed since then; and the DNS server information is out of date. Re-submitting your site to SiteAdvisor for re-checking is therefore essential to re-establish the site's credentials. A lot can change in four years. (And I know SiteAdvisor is supposed to come back and re-check automatically from time to time, but it doesn't. There are just too many sites.)



2. Sucuri, one of the first tools I use to check a site for problems, was unable to scan your site properly. That is only to be expected with the WordPress plugin, but it may also be that Incapsula is blocking automated scanning tools from functioning correctly. And, guess what, some at least of the TrustedSource web reputation feedback comes from automated site scanners which crawl all over the web looking for problems (creepy, isn't it?). So maybe, just perhaps, there was a flag raised because your site suddenly became unscannable. Not grounds enough for a Red rating, but it may have put your site on a Watch list.

3. Sucuri, however, did detect at least one iframe on the site. And Quttera, another site scanner, detected three. (Oh, and Quttera thinks your "www." site is in Israel - more confusion). Now, iframes are inherently suspicious (another black mark for the site) because they are very often used to deliver malware dynamically. They provide a window into some other site which cannot be scanned by anti-virus software until whatever code is in the iframe does its job, and then it's often too late. Quttera says the 3 iframes it found are all Hidden, and all link to "my.incapsula.com". One of those iframes (the third one) is flagged by Quttera as Suspicious. So Incapsula is now in the frame as the chief suspect ...

Quttera justkeepblogging report.JPG

Quttera justkeepblogging file report.JPG

4. I submitted the "jstest.html" file to jsunpack to see if there was anything there worth noting. The report that came back included a listing of the page, which says, basically,

"Hello, I am a java script test analytics page".

- so no joy there.

5. However, the results from jsunpack for your site as a whole were most interesting.

Somewhere on your site there are two blocks of javascript code which have been obfuscated - heavily disguised. That is going to ring alarm bells when an anti-virus scanner or page scanner encounters them. One is in CharCode (...38,100,61,34,43,101,110,99,111,100 ...), the other is in Hexadecimal (... D3D22723A222B286E65 ...). When I passed them through translators, the CharCode turned into "function getSessionCookies()" / "function setIncapCookie()";  the hex code turned into something that included the fragment in the screenshot below - I'm not taking the risk of putting it into this web page, just in case.

obfuscated javascript 1.JPG

It's creating a new ActiveXObject on the fly? I'm not sure that's really approved. And they both have a reference to an image, also created dynamically :


Whatever it's doing, it's all part of the Incapsula service, but it's all hidden and disguised. And that could look suspicious - although jsunpack classed it all as Benign.

6. I confirmed the presence of the obfuscated javascript by examining the Javascript eval sections of the reports from Urlquery. These reports also included the HTTP Transactions, and these indicated another possible cause for the rating. They show three GET requests to 'forms.aweber.com' - two of which return an image, the third a javascript file. I thought this worth following up, so I checked the domain and its reputation. The site provides "Email marketing and autoresponder software" which looks innocent enough, but the reviews are extremely mixed. Those who don't like the company are extremely hostile. SiteAdvisor says it's Green, but some of the reviewers say the site spams and/or hosts malware. Google Safe Browsing finds no fault with the site, nor does SiteAdvisor, but the javascript file indicates that aweber.com is dropping tracking cookies onto my system, and (if I read the HTML correctly) placing hidden elements onto the web page for tracking purposes. None of which is going to bother TrustedSource, but site reviewers tend to notice that sort of thing.





So, a provisional and tentative conclusion. The Red rating is probably being triggered by obfuscated javascript which may be embedded in the web page by Incapsula, even though I've checked the Home page's source code in Chrome and I can't see it anywhere. (Which is why this is tentative). TrustedSource pays no attention to user reviews anywhere, so the AWeber connection can be ruled out. The suspicious iframes looked promising, but are not definitely harmful. That leaves Incapsula, and whatever it does to protect your site, as the chief suspect.

That was quite a journey of exploration. I'm sorry I can't be more definite about the reason for your site's rating, and I realise that I may have missed something crucial which is the real reason for the rating; but that's about as much as I can do. You'll have to wait now for the results of any re-rating request that you've made.

If you want to open a ticket with TrustedSource about this, here's how to go about it.

If you want to address an issue with a web site in Site Advisor, that is based on McAfee's Trusted Source Web Reputation, please go to  http://www.trustedsource.org/en/feedback/url and use the web form to contact the Trusted Source team.

If you want to track your requests or be notified via email, you can register for a free TrustedSource.org account.

Former Member
Message 13 of 15

Re: My site has been blacklisted please fix!

This all reads like a bad spy novel...First off I just got this domain name on 9-4-13 only a month ago from Godaddy...

Is all the information tied to the domain name or the server which is ipage hence the ns1.ipage.com

I went ahead and submitted a request with trusted source.  When you buy a domain isn't it supposed to be clear of everything? Anyone else I could go to about this?  Maybe Godaddy?



Reliable Contributor
Reliable Contributor
Message 14 of 15

Re: My site has been blacklisted please fix!

nole99 wrote:

This all reads like a bad spy novel...

Hey, I've just been promoted to the ranks of bad-spy-novel writer, now I can rub shoulders with the likes of Dan Brown

I had to go back into the past history of justkeepblogging.com to check whether TrustedSource was holding onto some old rating data, which took a while. Answer : no, I don't see anything.

What I see is that on May 17 2009 the domain name expired. That ties in with the last-seen date on TrustedSource. There are no historical records on Clean-MX for that domain name, so it is unlikely that the site was rated Unsafe during its previous incarnation.

In the week before September 17 2013 the domain name was transferred from WildWestDomains (a GoDaddy re-seller) to iPowerWeb. That company is related to StartLogic, and does not appear to be part of GoDaddy : it's a web hosting company and is a subsidiary of Endurance International Group.

On September 17 the domain name was transferred into iPage.com, so the name servers are ns1.ipage.com and ns2.ipage.com; compare those to the name server details that TrustedSource still holds for the site and you'll see the possibility for false reporting if they're still checking the old name servers.

When you buy a domain name that's had a previous existence a conscientious re-seller ought to carry out some checks at least to make sure that any blacklisting of the domain as a result of its previous activities has been lifted, or at the very least that the new owner is told about it. I don't think GoDaddy (and others, probably) do that, so some new owners inherit the past bad reputation of the site they've bought. You at least don't seem to have that problem.

As far as I can see the rating is caused by obfuscated javascript inserted into your site pages by Incapsula, for reasons of their own. Heavily disguised inserted page scripts are highly suspicious, as they often indicate a malware attack. If the decoded script is innocuous (and I think it may be) then I wonder why Incapsula encoded it in the first place.

The people from either TrustedSource or SiteAdvisor will need to look at this and decide whether it's okay. If it is, you should get a Green rating pretty soon.

In the meantime you might want to weigh up whether you need the protection Incapsula offers, if it's going to cause this sort of problem. I can't offer any advice because I've never come across them before. But they're in Wikipedia, and reviews are mostly favourable.

Sources -





http://whois.domaintools.com/justkeepblogging.com  (WhoIs record and Server Stats)


Message was edited by: Hayton on 06/10/13 20:38:32 IST
Message 15 of 15

Re: My site has been blacklisted please fix!

Just a quick note, Incapsula is a security proxy and their main offices are in Israel. To protect against bots etc. they test all access to protected wesite to see if they accept cookies and understand javascript. Bots usually do not accept cookies, so this is one way they flag the bots.

If Incapsula is unsure about a visitor's status, they will throw out a javascript captcha challenge for the visitor to enter. Bots fail these too and so bots are kept out of the protected site.

It is possible to whitelist "good" bots and security scanners can be whitelisted and I seem to rememer Securi, McAfee etc. are all listed in Incapsula.

If these challenges have been coming up on a protected website, the blocked access attempts, including all details will be listed in the Incapsula dashboard.

How Many Badges Can You Collect?
Ready for a little competition? Members like you are earning badges and unlocking perks for their helpful answers. Are you? Click here to find out.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community