Incident report - False Phising accusation 2012.06. WWW.Smythies.com

Incident report - False Phising accusation 2012.06. WWW.Smythies.com

On 2012.06.20 there was a false phishing site accusation against a web page on this site.
The site administrator only became aware of the issue on 2012.07.06 after noticing apache log entries about abuse@telus.net poking around with an odd referal URL. Following the referral link revealed an open report about the web page, expecting some sort of follow up action by abuse.telus.net. What was done:

An e-mail was written to abuse@telus.net
Raw packet logs were examined for any oddities. There were none.
The IP address of the inquiring site was determined ( 195.214.79.22 ). An iptables rule was written to block that IP address. The next time the inquiring web site checked, it decided the web page was down and closed the issue.
There was another annoying IP address ( 12.94.27.194 ) that would read the web page many times in a row. It was blocked also.

It is outrageous that a site can find itself on some bad guy list without any justification. If one follows the "why" link, it goes nowhere.

Some Screen Shots:

Phishing listing on site.

Phishing denied on another site.

Some rough notes, probably of no interest to anyone else:

Apache log entries from the inquiring web site before it was blocked.
Apache log entries from the annoying IP address before it was blocked.
portion of iptables showing blocking counters.
Apache log entries from Telus, with the odd referral address that originally brought the issue to our attention.
The raw packets from the original inquires that led to the false acusation.
Some odd accesses noticed. The web page is not fetched completely, as only the HTML is fetched, but not the png files. Notice all the Russian Federation (.ru) referrals. Yet, of the ones I checked, they do not contain a link to the web page (i.e. the referer seems to be forged). I do not understand what could possibly be the purpose here.
A wireshark screen shot of an example from the odd accesses There is nothing odd, but the connection is reset which a little out of the ordinary. The packets are always the same, with the reste and a varying gap in time before the seuqence repeats for the second time. Interesting to note is the incease in PID number between the two tcp sessions, indicating a rather busy client.

Links:

Inquiring web site listing.
PhishTank opinion for #1465377.
Another PhishTank opinion for #1465377.
Some list where page is listed.

Incident report - False Phising accusation 2012.06. WWW.Smythies.com emaildoesnotwork@smythies.com 2012.07.23 Updated 2012.08.03