  1. #1
    Newbie
    Join Date
    May 2019
    Posts
    2

    Netflix address repeatedly triggering "Phishing and Other Frauds" block alert

    I'm perplexed. An old Sony Android TV recently started triggering alerts every minute. I have tried blocking its MAC address in the firewall settings, disabling the Alert, allowing the domain and IP in the Filter... yet I still get sent these emails constantly. I searched for the domain nflxvideo.net; it's legitimate and only appears in the Filter List query under Streaming Video, not Phishing. What else can I try here? (Obviously I can unplug the TV's internet, but I'd rather a solution where it still retains internet access!)

    Code:
    Event: WebFilterEvent
    
    Event Time: 2022-01-12 18:11:19.67.
    
    Event Summary:
    Web Filter blocked hxxp://ipv4-c003-lhr006-bt-isp.1.oca.nflxvideo.net/ (Phishing and Other Frauds)
    
    Event Details:
    app name                          = web_filter
    blocked                           = true
    category                          = Phishing and Other Frauds
    category id                       = 57
    flagged                           = true
    reason                            = BLOCK_CATEGORY
    request line                      = GET hxxp://ipv4-c003-lhr006-bt-isp.1.oca.nflxvideo.net/
    rule id                           = 57
    session event                   
     bypassed                         = false
     c client addr                    = 192.168.0.145
     c client port                    = 47334
     c server addr                    = ###.###.###.###
     c server port                    = 443
     client country                   = XL
     client intf                      = 1
     entitled                         = true
     hostname                         = android-479d0b3b62cd7b3e
     local addr                       = 192.168.0.145
     policy id                        = 1
     policy rule id                   = 0
     protocol                         = 6
     protocol name                    = TCP
     remote addr                      = 81.130.98.37
     s client addr                    = ###.###.###.###
     s client port                    = 47929
     s server addr                    = ###.###.###.###
     s server port                    = 443
     server country                   = GB
     server intf                      = 2
     server latitude                  = 51.472
     server longitude                 = -0.2204
     session id                       = 107478987851235
     tags string                      =
     time stamp                       = 2022-01-12 18:11:19.665
    time stamp                        = 2022-01-12 18:11:19.67
    
    This is an automated message sent because this event matched Alerts Rule "Phishing and Other Frauds website visit blocked".
    (Edited http to hxxp to allow me to post this)

  2. #2
    Newbie
    Join Date
    Jul 2017
    Posts
    4


    Got the same problem yesterday. Temporary solution: in the Web Filter app, add the value "nflxvideo.net" under "Pass Sites". Could be that the domain went onto some blacklist. Sorry for my English, and let me know if it works please.

  3. #3
    Master Untangler
    Join Date
    Jul 2010
    Location
    Nanaimo B.C
    Posts
    436


    Could create a bypass rule for the TV.
    Started Youtube Channel, Have a question about Untangle Ask me : jason @ jasonslab.ca
    https://www.youtube.com/channel/UCa6...vrywIaGtDXOlSQ

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,393


    On Web Filter's advanced tab is a clear category URL cache button...

    I suggest smashing it before you lose your mind!
    soldier likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    May 2019
    Posts
    2


    Quote Originally Posted by sky-knight View Post
    On Web Filter's advanced tab is a clear category URL cache button...

    I suggest smashing it before you lose your mind!
    Thank you, that seems to have worked! Is this extra step required for the Pass Sites addition to actually apply?

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,393


    Quote Originally Posted by petecloss View Post
    Thank you, that seems to have worked! Is this extra step required for the Pass Sites addition to actually apply?
    No, the pass site configuration you created was simply wrong. I'm not sure exactly how, but it wasn't working.

    What that button does is force the system to get a fresh list of answers from the upstream database. If you have a false positive caught due to an error of some sort, that's how you clear it.

    So in the future if you have this alert firing, you can check the site being caught here: https://www.brightcloud.com/tools/url-ip-lookup.php

    If things look good on the BrightCloud website, when you mash that button all the problems go away. If the site is categorized as malware on the BrightCloud site well... there are false positives in there from time to time, but generally I say leave it. Sites get tossed in there for good reason and even highly trusted sites can sometimes be compromised.
    soldier likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
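
Added example (not part of any post in this thread and not Untangle code): a small parser for alert e-mails in the layout shown in post #1, which collapses a flood of alerts into one row per client, category and parent domain so it is clear which site to check in the lookup tool. The function names, the second sample alert and the last-two-labels domain grouping are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: two alerts in the layout of the e-mail in post #1,
# trimmed to the fields used here. The second alert's values are made up.
SAMPLE = """\
Event: WebFilterEvent
category                          = Phishing and Other Frauds
request line                      = GET hxxp://ipv4-c003-lhr006-bt-isp.1.oca.nflxvideo.net/
session event
 c client addr                    = 192.168.0.145
time stamp                        = 2022-01-12 18:11:19.67
Event: WebFilterEvent
category                          = Phishing and Other Frauds
request line                      = GET hxxp://ipv4-c101-lhr006-bt-isp.1.oca.nflxvideo.net/
session event
 c client addr                    = 192.168.0.145
time stamp                        = 2022-01-12 18:12:20.11
"""

FIELD = re.compile(r"^(\s*)([^=\n]+?)\s*=\s*(.*)$")

def parse_alerts(text):
    """Split on 'Event:' headers; indented keys are stored as 'session.<key>'."""
    alerts = []
    for block in re.split(r"(?m)^Event:.*$", text)[1:]:
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                indent, key, value = m.groups()
                fields[("session." if indent else "") + key] = value.strip()
        alerts.append(fields)
    return alerts

def blocked_host(fields):
    """Host from the request line, with the post's hxxp defanging undone."""
    url = fields["request line"].split(None, 1)[1].replace("hxxp", "http", 1)
    return urlsplit(url).hostname

def triage(text):
    """Count alerts per (client, category, parent domain) to find what to look up."""
    counts = Counter()
    for f in parse_alerts(text):
        domain = ".".join(blocked_host(f).split(".")[-2:])  # naive, not public-suffix aware
        counts[(f["session.c client addr"], f["category"], domain)] += 1
    return counts
```

The parser expects the common left indentation of a pasted e-mail to be stripped first, so that only the session fields start with a space.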

  7. #7
    Newbie
    Join Date
    Jul 2017
    Posts
    4


    Quote Originally Posted by sky-knight View Post
    On Web Filter's advanced tab is a clear category URL cache button...

    I suggest smashing it before you lose your mind!
    Thanks for the help, I deleted the pass rule and now everything works correctly.
    dashpuppy likes this.

  8. #8
    Newbie
    Join Date
    Jan 2022
    Posts
    1


    Thank you!!!

    My kids' Amazon Fire tablets have been triggering this alert for a few days now. So, 1600 emails later... I have a solution!!

  9. #9
    Newbie
    Join Date
    Jan 2022
    Posts
    5


    I had the same problem with another website, not Netflix, but the solution is still working. Thx)
