Customer webmail site false positive

Hi,

I’m one of the admins responsible for the http://linksmail.libertypr.net website. We are a cable-based ISP in Puerto Rico and this website is the webmail portal for our customers. We have checked time and again both the code on the website and the server it’s hosted on and have not found any trace of infection. As such, we would like to know what the process is to get the website removed from Avast’s URL blocking feature and/or get more information as to exactly what was detected and where.

Thanks,
Esteban Santana Santana
IT Procedures & Planning

IT Department
Liberty Cablevision of Puerto Rico, Ltd.
a Liberty Global Company

It is not on any of these blacklists, but blacklisted here: http://www.rfc-ignorant.org/tools/lookup.php?domain=mail.libertypr.net

The reason the URL is flagged by avast I do not know, but found JavaScript
error: line:25: SyntaxError: missing ; before statement:
error: line:25: hide from non JavaScript Browsers
error: line:25: …^
error: line:4: SyntaxError: missing = in XML attribute:
error: line:4:
error: line:4: …^
could be part of the reason.

There is script hidden from non-javascript users and obfuscation used.

polonus

Hi polonus,

Concerning the rfc-ignorant blacklist, the test that led to our inclusion in that list was done back in 2006. I’ve requested removal from that list. However, I think this blacklist is irrelevant since the block message our customers are receiving indicates that our website supposedly is infected when it is not, not an issue with our email servers.

Regarding your point about obfuscation and non-javascript users, allow me to paste the entire contents of the blocks in question.

<!DOCTYPE HTML PUBLIC "-//W3C//Dtd HTML 4.0 transitional//EN" > 
<html> 
  <head> 
		<title>Login</title> 
		<meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> 
		<meta content="C#" name="CODE_LANGUAGE"> 
		<meta content="JavaScript" name="vs_defaultClientScript"> 
		<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema"> 
		<script type="text/javascript"> 
			<!-- hide from non JavaScript Browsers
			//This will pre-cache the login screen image and allow it to load faster.
			//If you have made your own custom image and altered the stylesheet, you will want
			//to remove this or alter the image name to reflect your new image name.
			Image1= new Image()
			Image1.src = "images/LoginBg.jpg"
			// End Hiding -->
		</script> 

As the snippet clearly shows, the presence of the “<!--” tag, although no longer strictly valid HTML, is a perfectly valid way to support ancient non-javascript browsers who do not understand the meaning of the <script> and </script> tags commonly used today. These old browsers would just print anything inside of the tags to the page, which is something we don’t want in this case. Modern browsers don’t need this, but like I said before this specific piece of code is there for pre-javascript browsers (think IE2 or an old version of Netscape).

Your other point about the page code, line 4 (the first line in my code dump) is a simple DOCTYPE tag, perfectly valid in an HTML document and does not mean any obfuscation is taking place at all.

Thanks,
Esteban Santana Santana
IT Procedures & Planning

IT Department
Liberty Cablevision of Puerto Rico, Ltd.
a Liberty Global Company
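
The triage step described in the post above, as an added example that is not part of the original thread and is not Avast's detection logic: it pulls inline scripts out of a page, removes the legacy `<!--` hiding wrapper before syntax-checking (the quoted scanner errors point at the wrapper line itself), and lists what code is left. The function names, the hint pattern and the trimmed sample page are assumptions made for illustration.

```javascript
// Constructed sample: the inline script block quoted in the post, trimmed.
const SAMPLE_HTML = `<head>
<title>Login</title>
<script type="text/javascript">
<!-- hide from non JavaScript Browsers
//This will pre-cache the login screen image and allow it to load faster.
Image1= new Image()
Image1.src = "images/LoginBg.jpg"
// End Hiding -->
</script>
</head>`;

// Return the bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  for (const m of html.matchAll(re)) {
    if (!/\bsrc\s*=/i.test(m[1])) bodies.push(m[2]);
  }
  return bodies;
}

// Drop the legacy wrapper lines: an opener starting with "<!--" and a closer
// that is "-->" alone or a "//" comment ending in "-->". Both are comments to
// a browser's script engine, so removing them does not change the code.
function stripLegacyWrapper(body) {
  let wrapped = false;
  const kept = body.split(/\r?\n/).filter((line) => {
    const t = line.trim();
    if (t.startsWith("<!--")) { wrapped = true; return false; }
    return !/^(\/\/.*)?-->$/.test(t);
  });
  return { wrapped, code: kept.join("\n") };
}

// Summarise each inline script for a human reviewer. The code is only parsed
// (new Function compiles without calling), never executed.
function triage(html) {
  return inlineScripts(html).map((body) => {
    const { wrapped, code } = stripLegacyWrapper(body);
    const statements = code.split("\n").map((l) => l.trim())
      .filter((l) => l && !l.startsWith("//"));
    let parses = true;
    try { new Function(code); } catch (e) { parses = false; }
    // Crude, illustrative hint list: constructs that often accompany obfuscation.
    const hints = /\b(eval|unescape|fromCharCode|document\.write)\b/.test(code);
    return { wrapped, parses, hints, statements };
  });
}
```
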

Sorry, your site got into the block db by mistake; it’ll be removed in the next update.