  1. #1
    Newbie
    Join Date
    Sep 2018
    Posts
    10

    Amazon FireTVs suddenly generating Phishing/Fraud emails

    Hi All,

    Starting today (Fri 10/5/18), just after midnight eastern time, I started getting intermittent email alerts from Untangle for my three Amazon FireTVs. Nothing has changed on my network or Untangle config. Here's a sample with sensitive info (internal IPs) as "xxx". Most of the FireTVs have had multiple attempts since then to various AWS IPs. Is this legit traffic? An issue with a web filter update/definition?

    The following event occurred on the Untangle Server @ 2018-10-05 00:10:15.737

    Phishing/Fraud website visit blocked:
    Web Filter blocked http://52.216.82.208/kindle-wifi/wifistub.html (Phishing/Fraud)

    Causal Event: WebFilterEvent
    {
    "timeStamp": "2018-10-05 00:10:15.737",
    "reason": "BLOCK_CATEGORY",
    "flagged": true,
    "blocked": true,
    "appName": "web_filter",
    "requestLine": "GET http://52.216.82.208/kindle-wifi/wifistub.html",
    "category": "Phishing/Fraud",
    "sessionEvent": {
    "entitled": true,
    "hostname": "xxx",
    "CServerPort": 80,
    "protocol": 6,
    "protocolName": "TCP",
    "serverLatitude": xxxx,
    "localAddr": "/xxx",
    "SServerAddr": "/52.216.82.208",
    "remoteAddr": "/52.216.82.208",
    "serverIntf": 2,
    "CClientAddr": "/xxx",
    "serverCountry": "US",
    "sessionId": 100803299464256,
    "SClientAddr": "/xxx",
    "clientCountry": "XL",
    "CClientPort": 36396,
    "policyRuleId": 0,
    "timeStamp": "2018-10-05 00:10:15.699",
    "serverLongitude": xxx,
    "clientIntf": 100,
    "policyId": 1,
    "SClientPort": 38304,
    "bypassed": false,
    "SServerPort": 80,
    "CServerAddr": "/52.216.82.208",
    "tagsString": ""
    }
    }

    This is an automated message sent because the event matched the configured Event Rules.

  2. #2
    Master Untangler
    Join Date
    Feb 2016
    Location
    Michigan
    Posts
    611


    Zvelo (the categorization service Untangle uses) currently categorizes 52.216.82.208 itself as malicious. Whether that's a mis-categorization or not, I can't say.

  3. #3
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,595


    It's an Amazon IP, probably false positive.

    That specific URL is not malicious for sure. It's just a basic HTML page that tests if they can reach Amazon.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Newbie
    Join Date
    Sep 2018
    Posts
    10


    Thanks, guys! I had a feeling it was legit but its sudden appearance was concerning.

  5. #5
    Newbie
    Join Date
    Oct 2018
    Posts
    1

    Can't this alarm be filtered out?

    How do we stop this? I've already white listed six different IP addresses that Amazon uses for this, but every time the IP changes, I have to go have Zvelo white list another one, and this happens regularly. Is there no way to filter out alarms for "*/kindle-wifi/wifistub.html"?

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,348


    Change the settings on the alert to limit the generation of the alert.
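An added example, not part of the thread and not Untangle's own code: a triage filter over exported WebFilterEvent records in the shape shown in post #1, which suppresses only the exact connectivity-probe path when the server address also falls inside a prefix list the operator trusts, so the same path on any other address still alerts. The names `classify`, `make_event` and `TRUSTED_PREFIXES` are hypothetical, and the single prefix is an assumed sample to be checked against Amazon's published ranges.

```python
import ipaddress
from urllib.parse import urlsplit

PROBE_PATH = "/kindle-wifi/wifistub.html"   # path from the alert in the thread
# Assumption: operator-maintained list of Amazon prefixes (for example refreshed
# from AWS's published ip-ranges.json). This single entry is a sample that
# covers the address in the thread; verify it before relying on it.
TRUSTED_PREFIXES = [ipaddress.ip_network("52.216.0.0/15")]

def classify(event: dict) -> str:
    """Return 'suppress' only for the known connectivity probe, else 'alert'."""
    method, _, url = event.get("requestLine", "").partition(" ")
    try:
        parts = urlsplit(url)
        addr = str(event["sessionEvent"]["SServerAddr"]).lstrip("/")
        server = ipaddress.ip_address(addr)
    except (KeyError, TypeError, ValueError):
        return "alert"                       # malformed event: never hide it
    is_probe = (
        event.get("category") == "Phishing/Fraud"
        and method == "GET"
        and parts.scheme == "http"
        and parts.path == PROBE_PATH         # exact match, no wildcard prefix
        and not parts.query
    )
    in_trusted = any(server in net for net in TRUSTED_PREFIXES)
    return "suppress" if is_probe and in_trusted else "alert"

def make_event(url: str, server: str, category: str = "Phishing/Fraud") -> dict:
    """Build a constructed event carrying only the fields classify() reads."""
    return {"requestLine": "GET " + url, "category": category,
            "sessionEvent": {"SServerAddr": "/" + server}}

# Constructed samples: the thread's event, the same path on an address outside
# the trusted prefixes (documentation range), and another path on the same IP.
SAMPLES = [
    make_event("http://52.216.82.208/kindle-wifi/wifistub.html", "52.216.82.208"),
    make_event("http://203.0.113.10/kindle-wifi/wifistub.html", "203.0.113.10"),
    make_event("http://52.216.82.208/login.html", "52.216.82.208"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(classify(ev), ev["requestLine"])
```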
