Moodle Site Blacklisted for Phishing

by Harry Dickinson -
Number of replies: 5

I have found that our site is starting to pop up on RBL Blacklists claiming our site is Phishing.

This seems to be related to our use of Microsoft's OpenID Connect Authentication/ MS Integration. The problem seems to be that our URL redirects to the Microsoft OIDC login page. This appears to be interpreted as a Phishing scam by some RBL sites. As a result some Anti-virus apps, and other security software, are blocking students from using the login page.

Would really appreciate any suggestions as to how we can prevent this misinterpretation, and therefore stop an escalation and complete blacklisting.

Any suggestions would be greatly appreciated

URL: https://students.ichas.net

Moodle 3.10.5+ (Build: 20210728)

In reply to Harry Dickinson

Ri: Moodle Site Blacklisted for Phishing

by Sergio Rabellino -
AFAIK, RBL blacklists are for protecting email communications, not websites. You are talking about phishing which is an attack through a specially crafted email.
I believe that your redirection to MS OpenID is not part of the problem; maybe you host an SMTP server on the same system/IP, or the emails you're sending are considered harmful (for phishing).
Did you check if there are any moodle forums open to bots or there are bad users accounted in your moodle?
In reply to Sergio Rabellino

Re: Ri: Moodle Site Blacklisted for Phishing

by Harry Dickinson -
Thanks Sergio. Normally what you have said would be true, but in this instance Phishing refers to the process of directly impersonating a website and redirecting to a bogus login page. We are being listed despite the fact that it is a false positive. We use Exchange365 for all communications, so no SMTP server to spam from.
In reply to Harry Dickinson

Ri: Re: Ri: Moodle Site Blacklisted for Phishing

by Sergio Rabellino -
I don't understand who (the hell) is blacklisting an HTTP/303, which is purely normal in the web protocol... Anyway, you should identify which RBL is listing you and contact them directly. Usually, these blacklisting tools offer a removal form where you can submit your evidence.
In reply to Sergio Rabellino

Re: Ri: Re: Ri: Moodle Site Blacklisted for Phishing

by Harry Dickinson -
Yes I agree, unusual. It is only one RBL currently blacklisting us: uceprotect.net. Not sure if it is a scam or not. They look for a substantial "donation" to remove your listing. Problem is that it is beginning to impact access to Moodle. Very frustrating.
In reply to Harry Dickinson

Ri: Re: Ri: Re: Ri: Moodle Site Blacklisted for Phishing

by Sergio Rabellino -
This is one problem:

Reverse DNS (PTR) exists and claims to be: do1.ichas.net
WARNING: No matching A-Record exists for your Reverse-DNS.
DNS is INCONSISTENT.
Please request your Admin or Provider to fix this.
But your big problem is your AS (autonomous system) which is the Digital Ocean one.
Uceprotect says: "We saw that many hosts in AS14061 are (mostly) bad and send spam (yes, it's mail-related, as I stated before) to the world, so all the IPs under this AS are blacklisted".
So you can't do anything else than move your moodle out of this provider ...
BTW, which browser does Uceprotect use to access websites?

This is what I understood.
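The "DNS is INCONSISTENT" warning quoted above is a failed forward-confirmed reverse DNS (FCrDNS) check: the PTR record for the server's address names a host, but that hostname has no A/AAAA record pointing back at the same address. The following is an added example, not code from the thread or from Uceprotect, showing how that check is evaluated. The hostnames and the 192.0.2.x address are constructed sample data (RFC 5737 documentation range), chosen to reproduce the inconsistency reported in the thread; the `live_lookup` helper uses the system resolver and needs network access, so it is not exercised by the sample.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example. The check passes when at least one hostname returned by the
PTR lookup of an address resolves forward (A/AAAA) to that same address.
Sample data below is constructed, not real DNS.
"""
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple


def _norm(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def fcrdns_consistent(ip: str, ptr_names: Iterable[str],
                      forward: Dict[str, Iterable[str]]) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for one address.

    ip        : the address being checked
    ptr_names : hostnames returned by the PTR lookup of ip
    forward   : mapping hostname -> A/AAAA addresses resolved for that name
    """
    target = ipaddress.ip_address(ip)
    fwd = {_norm(k): {ipaddress.ip_address(a) for a in v} for k, v in forward.items()}
    names = [_norm(n) for n in ptr_names]
    findings: List[str] = []
    if not names:
        findings.append(f"{ip}: no PTR record")
        return False, findings
    ok = False
    for name in names:
        addrs = fwd.get(name, set())
        if not addrs:
            # This is the case quoted in the thread: PTR exists, no matching A record.
            findings.append(f"{ip}: PTR claims {name}, but {name} has no A/AAAA record")
        elif target in addrs:
            findings.append(f"{ip}: PTR {name} confirmed by forward lookup")
            ok = True
        else:
            findings.append(f"{ip}: PTR claims {name}, but {name} resolves to "
                            f"{sorted(str(a) for a in addrs)}")
    return ok, findings


def live_lookup(ip: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Collect PTR and forward records with the system resolver (needs network)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        ptr_names = [host] + list(aliases)
    except socket.herror:
        ptr_names = []
    forward: Dict[str, List[str]] = {}
    for name in ptr_names:
        try:
            infos = socket.getaddrinfo(name, None)
            forward[_norm(name)] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            forward[_norm(name)] = []
    return ptr_names, forward


# Constructed sample data modelled on the inconsistency quoted in the thread.
SAMPLE_IP = "192.0.2.10"                 # documentation address, not a real host
SAMPLE_PTR = ["host-a.example.net."]     # what the PTR claims
SAMPLE_FORWARD = {
    "host-a.example.net": [],            # name has no A record -> inconsistent
    "host-b.example.net": ["192.0.2.10"],  # a name that would pass the check
}

if __name__ == "__main__":
    ok, findings = fcrdns_consistent(SAMPLE_IP, SAMPLE_PTR, SAMPLE_FORWARD)
    print("CONSISTENT" if ok else "INCONSISTENT")
    for line in findings:
        print(" ", line)
```

To check a real server, replace the sample data with `live_lookup(ip)` and feed its two return values to `fcrdns_consistent`; the fix for the reported failure is either an A record for the PTR name that points at the server's address, or a PTR that names a host which already does.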