  1. #1
    Untanglit
    Join Date
    Sep 2018
    Posts
    25

    Amazon FireTVs suddenly generating Phishing/Fraud emails

    Hi All,

    Starting today (Fri 10/5/18), just after midnight eastern time, I started getting intermittent email alerts from Untangle for my three Amazon FireTVs. Nothing has changed on my network or Untangle config. Here's a sample with sensitive info (internal IPs) as "xxx". Most of the FireTVs have had multiple attempts since then to various AWS IPs. Is this legit traffic? An issue with a web filter update/definition?

    The following event occurred on the Untangle Server @ 2018-10-05 00:10:15.737

    Phishing/Fraud website visit blocked:
    Web Filter blocked http://52.216.82.208/kindle-wifi/wifistub.html (Phishing/Fraud)

    Causal Event: WebFilterEvent
    {
    "timeStamp": "2018-10-05 00:10:15.737",
    "reason": "BLOCK_CATEGORY",
    "flagged": true,
    "blocked": true,
    "appName": "web_filter",
    "requestLine": "GET http://52.216.82.208/kindle-wifi/wifistub.html",
    "category": "Phishing/Fraud",
    "sessionEvent": {
    "entitled": true,
    "hostname": "xxx",
    "CServerPort": 80,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": xxxx,
    "localAddr": "/xxx",
    "SServerAddr": "/52.216.82.208",
    "remoteAddr": "/52.216.82.208",
    "serverIntf": 2,
    "CClientAddr": "/xxx",
    "serverCountry": "US",
    "sessionId": 100803299464256,
    "SClientAddr": "/xxx",
    "clientCountry": "XL",
    "CClientPort": 36396,
    "policyRuleId": 0,
    "timeStamp": "2018-10-05 00:10:15.699",
    "serverLongitude": xxx,
    "clientIntf": 100,
    "policyId": 1,
    "SClientPort": 38304,
    "bypassed": false,
    "SServerPort": 80,
    "CServerAddr": "/52.216.82.208",
    "tagsString": ""
    }
    }

    This is an automated message sent because the event matched the configured Event Rules.

  2. #2
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    656


    Zvelo (the categorization service Untangle uses) currently categorizes 52.216.82.208 itself as malicious. Whether that's a mis-categorization or not, I can't say.

  3. #3
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,697


    It's an Amazon IP, probably a false positive.

    That specific URL is not malicious for sure. It's just a basic HTML page that tests if they can reach Amazon.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untanglit
    Join Date
    Sep 2018
    Posts
    25


    Thanks, guys! I had a feeling it was legit but its sudden appearance was concerning.

  5. #5
    Newbie
    Join Date
    Oct 2018
    Posts
    2

    Can't this alarm be filtered out?

    How do we stop this? I've already white listed six different IP addresses that Amazon uses for this, but every time the IP changes, I have to go have Zvelo white list another one, and this happens regularly. Is there no way to filter out alarms for "*/kindle-wifi/wifistub.html"?

  6. #6
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,560


    Change the settings on the alert to limit the generation of the alert.

  7. #7
    Master Untangler
    Join Date
    Jun 2015
    Posts
    148


    Originally posted by jcoffin:
    "Change the settings on the alert to limit the generation of the alert."

    Running into the same issue. How do you do this under Web Filter? Don't want to turn off these web filter categories completely.

  8. #8
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    656


    Config -> Events. Edit the appropriate rule.

    [Attached screenshot: Screenshot-2018-12-17 Graf Home Network - gateway.png]

  9. #9
    Master Untangler
    Join Date
    Jun 2015
    Posts
    148


    Originally posted by Sam Graf:
    "Config -> Events. Edit the appropriate rule."

    But how exactly would you modify Config > Events page to block all Fraud/Phishing with the exception of the alert detailed by the OP?

    I thought that would have to somehow be done under Apps > Web Filter.



  10. #10
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    656


    I understood jcoffin to be talking about reducing the frequency of the alert emails. The OP didn't appear to do anything. And I didn't understand why cshabazian didn't find that adding */kindle-wifi/wifistub.html to Web Filter's Pass Sites list works. I don't have any direct experience and there doesn't seem to me to be a single conversation in this thread.
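
The filtering idea discussed in this thread (matching on the `/kindle-wifi/wifistub.html` path instead of chasing each new destination IP), sketched as an added example that is not from any poster and is not Untangle code. It runs over the `requestLine` and `sessionEvent.SServerAddr` fields shown in the alert above; the trusted CIDR and the sample events are constructed assumptions, and the extra destination check is there because a path-only match would also pass the same path served from an unrelated host.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Path pattern from the thread; matching on it survives destination IP changes.
PASS_PATTERN = "*/kindle-wifi/wifistub.html"
# Assumption: one sample CIDR standing in for a provider's published ranges.
# Load the real list from the provider rather than hard-coding it.
TRUSTED_NETS = [ipaddress.ip_network("52.216.0.0/15")]


def is_known_connectivity_check(event):
    """True if a WebFilterEvent looks like the FireTV reachability probe."""
    parts = event.get("requestLine", "").split(" ", 1)
    if len(parts) != 2 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    if url.scheme != "http" or url.query or url.fragment:
        return False
    # Glob is applied to host + path, the same shape as the pass-list entry.
    if not fnmatch.fnmatchcase(url.netloc + url.path, PASS_PATTERN):
        return False
    server = event.get("sessionEvent", {}).get("SServerAddr", "").lstrip("/")
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(events):
    """Split events into (suppressed, still_alerting)."""
    suppressed, alerting = [], []
    for ev in events:
        (suppressed if is_known_connectivity_check(ev) else alerting).append(ev)
    return suppressed, alerting


def make_event(request_line, server):  # builds constructed sample events
    return {"category": "Phishing/Fraud", "requestLine": request_line,
            "sessionEvent": {"SServerAddr": "/" + server, "SServerPort": 80}}


SAMPLE_EVENTS = [
    make_event("GET http://52.216.82.208/kindle-wifi/wifistub.html", "52.216.82.208"),
    make_event("GET http://52.217.10.20/kindle-wifi/wifistub.html", "52.217.10.20"),
    make_event("GET http://203.0.113.9/kindle-wifi/wifistub.html", "203.0.113.9"),
    make_event("GET http://52.216.82.208/login/verify.html", "52.216.82.208"),
]
```

`triage(SAMPLE_EVENTS)` suppresses the first two events (same path, different in-range IPs) and leaves the other two alerting: the same path on an out-of-range host, and a different path on the original IP.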
