Website reported as blocked for URL:Mal, report false infection?

I have removed app.espace[.]cool/account/login from our blacklist :wink:

;D ;D ;D ;D - Thank you!

If Avast is reporting MAL:URL on the basis of the domain name being on a blacklist would you PLEASE, PLEASE display the name of the blacklist on which it was found?

When the Avast popup says “…because it was infected with URL:Mal”, if it is really just reporting that the target website is being blocked because it is listed on a blacklist, then why not display “…because it is listed on the Barracuda blacklist” (or whatever blacklist)?

Or display “…because it is listed on the one or more blacklists” and list the blacklists in the “details” section.

If I have not understood URL:Mal then I apologize but it seems to get a lot of people running around wondering how to remove the “URL:Mal infection”. Again, if URL:Mal is simply indicating a blacklist entry then calling it an infection causes a waste of time and effort.

Blacklisted infection entries are there for your protection. Sometimes, though not often, these blocks are false positives; they can occur when a site shares an IP address with many other websites, one of which is known to be blacklisted, while the site itself is not infected with malware.

Some real-time security websites are listed below to verify a URL:Mal block:
https://www.virustotal.com/#/home/url
https://sitecheck.sucuri.net/
http://urlquery.net/

Please treat blacklisted sites with due care and caution, always.

If Avast is reporting MAL:URL on the basis of the domain name being on a blacklist would you PLEASE, PLEASE display the name of the blacklist on which it was found?
Avast is using their own blacklist.
If I have not understood URL:Mal then I apologize but it seems to get a lot of people running around wondering how to remove the "URL:Mal infection". Again, if URL:Mal is simply indicating a blacklist entry then calling it an infection causes a waste of time and effort.
You can only remove it if you own the website, and there are many reasons why a website is blacklisted, it does not have to be infected

Domain probably blocked by avast because of malware on that particular IP: https://www.threatcrowd.org/ip.php?ip=64.37.52.189
Also in attack archive: http://overflowzone.com/archive/geoip/64.37.52.189/

Only avast team members can unblock or exclude your domain from a general IP block;
wait for one to appear and give the final verdict.

We here are just volunteers with relevant knowledge, but cannot unblock.

polonus (volunteer website security analyst and website error-hunter)
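The two posts above describe the same mechanism from both ends: the block is keyed on the IP address the site shares with its neighbours, and the way to check it yourself is to look the address up on the public reputation lists the scanners consult. The script below is an added example (not Avast's code, whose list is private, and not from any of the scanners linked above) showing how a DNS blocklist (DNSBL) lookup actually works: reverse the IPv4 octets, append the zone, and read the 127.0.0.x answer. The three zone names are real services; the Spamhaus return-code table is taken from Spamhaus' published documentation; the sample answers for 192.0.2.10 (a documentation address) are constructed so the example runs offline, and the resolver is injectable so the same code can be run live against the system resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Real DNSBL zones. A listing is looked up by reversing the IPv4 octets and
# appending the zone, e.g. 30.55.116.50.zen.spamhaus.org for 50.116.55.30.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net")

# Meaning of the last octet of a Spamhaus ZEN answer (from Spamhaus' published
# return-code table); other zones only tell you "listed" via a 127.0.0.x answer.
SPAMHAUS_ZEN = {
    2: "SBL (verified spam source)",
    3: "SBL CSS (snowshoe/low-reputation sender)",
    4: "XBL (exploited or infected host)",
    5: "XBL (exploited or infected host)",
    6: "XBL (exploited or infected host)",
    7: "XBL (exploited or infected host)",
    9: "SBL DROP (hijacked/bulletproof netblock)",
    10: "PBL (ISP dynamic/end-user range)",
    11: "PBL (Spamhaus-maintained end-user range)",
}

# A resolver maps a DNS name to an A-record string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Resolve against the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret(zone: str, answer: Optional[str]) -> str:
    """Turn a DNSBL answer into a verdict, separating listings from errors."""
    if answer is None:
        return "not listed"
    octets = answer.split(".")
    if octets[:2] == ["127", "255"]:
        # Spamhaus signals query problems (public resolver, quota exceeded) in
        # 127.255.255.0/24; never count these as a listing.
        return f"query error ({answer}); not a listing"
    if octets[0] != "127":
        return f"unexpected answer {answer}; check for DNS interception"
    if zone == "zen.spamhaus.org":
        return SPAMHAUS_ZEN.get(int(octets[3]), f"listed ({answer})")
    return f"listed ({answer})"


def check_ip(ip: str, resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Query every zone for one IP and return {zone: verdict}."""
    return {zone: interpret(zone, resolve(dnsbl_name(ip, zone))) for zone in DNSBL_ZONES}


def check_host(host: str, resolve: Resolver = live_resolver,
               resolve_host: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """Resolve a site name, then check the IP it shares with its neighbours."""
    ip = resolve_host(host)
    return {"host": host, "ip": ip, "verdicts": check_ip(ip, resolve)}


# Constructed sample answers for the documentation address 192.0.2.10
# (TEST-NET-1); they are not real DNSBL data.
SAMPLE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.dnsbl.sorbs.net": "127.0.0.2",
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    # Offline run on the constructed data; swap in live_resolver and
    # socket.gethostbyname to query the real zones for a real site.
    report = check_host("www.example.test", sample_resolver, lambda h: "192.0.2.10")
    for zone, verdict in report["verdicts"].items():
        print(f"{report['ip']:<15} {zone:<18} {verdict}")
```

Two things the thread's own checks take for granted are made explicit here: an NXDOMAIN answer is the "clean" result, not an error, and a 127.255.255.x answer from Spamhaus is a query problem (typically querying through a public resolver) that must not be read as a listing. Note that a listing found this way is for the shared IP, which is exactly why a clean site can still be blocked.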

mchain, I get a clean report for my daughter’s web site, www.katinaarnott[.]com, from your suggested web sites:

I have also run tests on several other sites like pentest-tools.com and webinspector.com with no issues. Also I have a blacklist monitor at mxtoolbox.com and it shows no entries on 103 blacklists. But still Avast insists on aborting connections to www.katinaarnott.com “because it is infected with URL:Mal”.

Now, of course I want to get a clean bill of health for this website but I’m also concerned as to why Avast calls it an infection (URL:Mal) and just leaves it at that. I have googled URL:Mal extensively and cannot find a definition of a virus/infection of this name. I do, however, see posts like these:

  • What is URL:MAL and How to remove URL:mal virus from Windows
  • Remove URL:Mal Virus Infection (Uninstall Guide)

Both of these posts just give a generic description of how to clean up a pc.

So, if we can agree that “because it is infected with URL:Mal” means that Avast has detected an issue on the target website, then for goodness sake, Avast, tell us what the issue is.

As for my specific web site, the only issue of which I’m aware is the lack of SPF/DKIM/DMARC. This is a problem I’m having with GoDaddy because they used to be set up ok. I still have absolutely no idea what Avast thinks is wrong at my website.

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

Hi, this was caused because the IP (50.116.55.30) was blocked due to Blackhole EK.
I hope the IP is clean now, and I am unblocking it.

Hi HonzaZ, I am very grateful for your input. Can you please tell me how you found out that my site was blocked due to Blackhole EK? Like I’ve been saying, the Avast warning just says the site is blocked (URL:Mal) but doesn’t say why. More importantly, how can I determine what the cause was?

And thank you for unblocking. I also “hope the IP is clean now” but I have run checks from just about every web site I can find plus I have installed and run the AntiVirus and ExploitScanner WordPress plugins. No problems reported.

Again, many thanks and I look forward to your response.

IP history >> https://www.virustotal.com/#/ip-address/50.116.55.30
click on items for details

https://en.wikipedia.org/wiki/Blackhole_exploit_kit

Cannot add much more than what Pondus already said/linked, but if you have other questions, feel free to ask :slight_smile:

HonzaZ,

There is still my main point, which is that the Avast warning just says the site is blocked (URL:Mal) but doesn’t say why. If it is Avast that has determined there is a problem then Avast knows what the problem is (e.g. Blackhole EK) so why not display that information? It would save people like me (and many others) from having to bother you guys by asking over and over “what caused the URL:Mal”.

In other words, just displaying the cause of the issue would save everybody time and effort.

But again, thanks for all your help.

Hi zapappa,

Little old me was abroad and away for a week without my regular laptop and only on android, so when I saw this thread, I performed a few third-party scans to make you feel more comfortable with the avast alert and to help amend issues.

In addition to what has been said in the thread above, which of course is right, I add the following:

First a retirable and vulnerable jQuery script running: http://retire.insecurity.today/#!/scan/c807bedbcf04aa0acd86b08811f455bbabb6ebc4433266431625a22828d30b5a

See that the site has been banned here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.katinaarnott.com&ref_sel=GSP2&ua_sel=ff&fs=1

Reason:

Your IP address has been automatically flagged as abusive. You are currently banned from viewing this site. To remove the ban, please visit the un-ban page (https://app.getflywheel.com/unban?name=fw071912&error=481).

The ban should be lifted here

Reputation Check: PASSED
  Google Safe Browse: OK
  Spamhaus Check: OK
  Compromised Hosts: OK
  Dshield Blocklist: OK
  Shadowserver C&C: OK
Web Server: nginx/1.12.1 + Phusion Passenger 5.1.8
X-Powered-By: Phusion Passenger 5.1.8
IP Address: -54.243.154.12
Hosting Provider: Amazon.com
Shared Hosting: 2 sites found on -54.243.154.12

Also consider:

Loaded Resources

Compromised sites will often be linked to malicious javascript or iframes in an attempt to attack users of your WordPress installation. Look over the listed resources; you should be familiar with all scripts, and investigate any you are not sure of. In addition, removal of unneeded javascript will speed up your website.

  • -https://app.getflywheel.com/unban?name=fw071912
    GoogleSafe: OK | Load: 111ms | Server: -54.225.179.161 (nginx/1.12.1 + Phusion Passenger 5.1.8) | ASN: 14618 United-States, Amazon.com, Inc. | Reverse DNS: -ec2-54-225-179-161.compute-1.amazonaws.com
  • -http://fonts.googleapis.com/css?family=Source+Sans+Pro:200,300,700,900
    GoogleSafe: OK | Load: 20ms | Server: -172.217.7.138 (ESF) | ASN: 15169 United-States, Google Inc. | Reverse DNS: iad30s08-in-f10.1e100.net
  • -https://js-agent.newrelic.com/nr-1071.min.js
    GoogleSafe: OK | Load: 25ms | Server: -151.101.34.110 (AmazonS3) | ASN: 54113 United-States, Fastly
  • -http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3ik4zwlxdo.woff
    GoogleSafe: OK | Load: 17ms | Server: -172.217.7.131 (sffe) | ASN: 15169 United-States, Google Inc. | Reverse DNS: iad30s08-in-f3.1e100.net
  • -http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3i94_wlxdo.woff
    GoogleSafe: OK | Load: 17ms | Server: -172.217.7.131 (sffe) | ASN: 15169 United-States, Google Inc. | Reverse DNS: -iad30s08-in-f3.1e100.net
  • -http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdo.woff
    GoogleSafe: OK | Load: 18ms | Server: -172.217.7.131 (sffe) | ASN: 15169 United-States, Google Inc. | Reverse DNS: -iad30s08-in-f3.1e100.net
  • -http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3iu4nwlxdo.woff
    GoogleSafe: OK | Load: 19ms | Server: 172.217.7.131 (sffe) | ASN: 15169 United-States, Google Inc. | Reverse DNS: -iad30s08-in-f3.1e100.net
  • -https://bam.nr-data.net/1/d31ab27ce7?a=23297107&v=1071.385e752&to=Jg1YQBRcCVpdS0taUwwMGUEIUQRYF0wKVVML&rst=190&ref=-https://app.getflywheel.com/unban&qt=1&ap=5&be=108&fe=160&dc=159&af=err,xhr,ins&perf={"timing":{"of":1519556150832,"n":0,"f":0,"dn":0,"dne":0,"c":0,"ce":0,"rq":0,"rp":0,"rpe":111,"dl":102,"di":159,"ds":159,"de":160,"dc":160,"l":160,"le":161},"navigation":{}}&jsonp=NREUM.setToken
    GoogleSafe: OK | Load: 194ms | Server: 162.247.242.20 | ASN: 23467 United-States, New Relic | Reverse DNS: -bam-8.nr-data.net

To fix it you can:
1. In the Slider Settings → Troubleshooting, set the option “Put JS Includes To Body” to true.
2. Find the double jquery.js include and remove it.
Your client address was checked by -> https://toolbar.netcraft.com/site_report?url=https://l2.io

More issues and recommendation: https://observatory.mozilla.org/analyze.html?host=www.katinaarnott.com

Issue should be taken up with the AS - Net Access Corporation, e.g. Flywheel; consider Linode abuse.
Re: https://urlquery.net/report/51cf5840-4139-456a-b321-93773bccf4c1

Netcraft risk score 9 red out of 10: https://toolbar.netcraft.com/site_report?url=http://50.116.55.30

polonus (volunteer website security analyst and website error-hunter)

You are a very rare user though. We block thousands of URLs a day and you are one of the few who cares, and even of those who care and want their website without any warnings, most people don’t know or care what happened earlier. They will just wipe it, update it, change passwords, and that’s it. I am literally talking about one person a week who wants to know what happened and knows what “being infected by an exploit kit” means.

And even if there were many people who cared, it would be difficult to change the GUI, and I am not even talking about all the trouble with localization…

All in all, I understand, but I feel like it is too much effort for too little gain.

Hi polonus, that was some very useful input. Thanks very much!

HonzaZ, fair comment, thanks for your help.

My web site www.gamereplays[.]org is experiencing the same problem. Many users that have been able to contact me through other means are reporting that they are being presented with the same message and are unable to access the site. They say they are unable to override the block.

We are a respectable site. Please fix this obviously spurious problem and unblock our site.

Well, according to Sucuri your website contains spam >> https://sitecheck.sucuri.net/results/www.gamereplays.org

Malware entry: spam-seo.spammy_keywords
http://labs.sucuri.net/db/malware/spam-seo.spammy_keywords?3.14

Hi [GR]ToxicShock,

Nothing flagged: http://isithacked.com/check/http%3A%2F%2Fwww.gamereplays.org%2F
& https://urlquery.net/report/ec516cc4-4ecb-4803-a193-29b062e0b26f

What can be flagged is a second redirect via http - https → to: hxtp://www.gamereplays.org/portals.php → htxps://www.gamereplays.org/portals.php
See sources and sinks here: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.gamereplays.org%2Fportals.php
uMatrix blocks: -http://cdn.assets.craveonline.com/comscore_branding/cr-branding.js?useDarkLogo=true
(bug-hunter’s) script error on site

-cdn.assets.craveonline.com/branding/cr-branding.js?useDarkLogo=true
info: [decodingLevel=0] found JavaScript
error: undefined variable clearTimeout
error: undefined function d[m]
error: undefined variable d
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD XHTML 1.0 Transitional/EN"
error: line:3: ...............^
Also see here: https://www.scamadviser.com/check-website/gamereplays.org
Last update of your website → 2017-11-27 16:36:03 (6 months & 1 day ago) according to your WHOIS data

  • Cxxxs Dxxxk, : Array, London, W1G8RJ, GB , hosted by GoDaddy on wXw.pir.org server

We are just volunteers with relevant knowledge, unblocking can only be performed by avast team members.
Wait for one to arrive here in this thread and give the final verdict on your website.

polonus (volunteer website security analyst and website error-hunter)
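Two of the findings in polonus's scans above are things a site owner can check in their own HTML before asking anyone to unblock anything: the "Loaded Resources" review (you should recognise every script, iframe and stylesheet origin your pages pull in) and the Sucuri spam-seo signature, which in practice means keyword links injected into elements the visitor never sees. The script below is an added example written for this thread; it is not Avast's, Sucuri's or aw-snap.info's code and does not reproduce their signatures. It parses a page with Python's standard html.parser, lists external origins against an allowlist, flags links inside hidden elements, and counts inline scripts containing the obfuscation tokens that loaders like the one found on the Flywheel ban page tend to use. The sample page, the hostnames cdn.example.net and pharma.example, and the hidden-style and suspicious-JS token lists are all constructed heuristics, not data from any site in the thread.

```python
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Elements that never get a closing tag; they must not go on the nesting stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "param", "source", "track", "wbr"}
# Inline-style fragments commonly used to hide injected SEO links (heuristic).
HIDDEN_STYLE = ("display:none", "visibility:hidden", "text-indent:-", "left:-")
# Tokens that merit a look in inline scripts; obfuscated loaders use them (heuristic).
SUSPICIOUS_JS = ("eval(", "unescape(", "fromCharCode(", "document.write(")


class ResourceAudit(HTMLParser):
    """Collect loaded resources, inline scripts and links inside hidden elements."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[Tuple[str, str]] = []   # (tag, url)
        self.inline_scripts: List[str] = []
        self.hidden_links: List[str] = []
        self._stack: List[Tuple[str, bool]] = []     # (tag, inside hidden element)
        self._script_buf: List[str] = []
        self._in_inline_script = False

    @staticmethod
    def _is_hidden(attrs: Dict[str, str]) -> bool:
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "hidden" in attrs or any(m in style for m in HIDDEN_STYLE)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Hidden-ness is inherited: a link inside a display:none div is hidden.
        hidden = (self._stack[-1][1] if self._stack else False) or self._is_hidden(a)
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.resources.append((tag, a["src"]))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            self.resources.append((tag, a["href"]))
        elif tag == "a" and hidden and a.get("href"):
            self.hidden_links.append(a["href"])
        if tag == "script" and not a.get("src"):
            self._in_inline_script, self._script_buf = True, []
        if tag not in VOID:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline_scripts.append("".join(self._script_buf))
            self._in_inline_script = False
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if self._in_inline_script:
            self._script_buf.append(data)


def origin(url: str) -> str:
    """Host part of an absolute or scheme-relative URL; '' for same-origin paths."""
    return urlsplit(url.strip()).netloc.lower()


def audit(html: str, site_host: str, known_third_parties: Set[str]) -> Dict[str, object]:
    """Parse one page and report what it loads and what it hides."""
    parser = ResourceAudit()
    parser.feed(html)
    parser.close()
    external = sorted({origin(u) for _, u in parser.resources} - {"", site_host.lower()})
    return {
        "resources": parser.resources,
        "external_origins": external,
        "unexpected_origins": [o for o in external if o not in known_third_parties],
        "hidden_links": parser.hidden_links,
        "inline_scripts": len(parser.inline_scripts),
        "suspicious_inline": sum(1 for s in parser.inline_scripts
                                 if any(t in s for t in SUSPICIOUS_JS)),
    }


# Constructed page: a legitimate font and APM loader next to an unknown script,
# an obfuscated inline loader and a hidden spam link. Not a real site.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Source+Sans+Pro">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://js-agent.newrelic.com/nr-1071.min.js"></script>
<script src="//cdn.example.net/seo.js"></script>
<script>var p = unescape("%66%6f%6f"); eval(p);</script>
</head><body>
<h1>Welcome</h1>
<div style="display: none"><a href="http://pharma.example/buy-cheap">buy cheap</a></div>
<p><a href="/about">About</a></p>
</body></html>"""

# Origins this (hypothetical) site owner knows they load on purpose.
KNOWN_THIRD_PARTIES = {"fonts.googleapis.com", "fonts.gstatic.com", "js-agent.newrelic.com"}

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, "www.example.com", KNOWN_THIRD_PARTIES)
    for key in ("external_origins", "unexpected_origins", "hidden_links", "suspicious_inline"):
        print(f"{key}: {report[key]}")
```

Run it against the HTML you fetch from your own site (curl with a browser User-Agent, since injected content is often served only to certain visitors), and treat anything in unexpected_origins or hidden_links as something to explain before filing a false-positive report. The style tokens are deliberately crude; a hidden-link check that survives obfuscation needs a rendering engine, but this catches the common injections and costs nothing to run.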

Today have been getting URL:Mal threat detection alerts from Web Shield for all attachments, images or links in emails on Shaw webmail:

wm-so.glb.shawcable.net

Sucuri site checker doesn’t show any problems. I added the site to exclusions in Avast settings so I can access my email, but wondering why it has been blocked?