What are the subjects of the false-positive (domains, URLs, or IPs)?
Why do you believe this is a false-positive?
thedividendtracker.com is a legitimate SaaS application (a dividend/portfolio tracker) and has never hosted phishing content.
The listed URL was an email-link-tracking endpoint provided by the third-party Laravel package "jdavidbakr/mail-tracker". That endpoint acted as an open redirect (/email/n?l=), and attackers abused it to bounce victims from our trusted domain to phishing pages they hosted elsewhere (e.g. the IPFS URL in the listed entry). The phishing content was never on our domain — only the redirect hop was.
The vulnerable package has since been fully removed. The /email/n route no longer exists and now returns HTTP 404:
$ curl -sI "https://thedividendtracker.com/email/n?l=https://example.com"
HTTP/2 404
Because the redirect is gone, the domain can no longer be used as a phishing hop. Requesting that this entry be re-scanned and moved to the inactive list.
How did you discover this false-positive(s)?
Other (Please fill out the next box)
Where did you find this false-positive if not listed above?
We are the owners/operators of thedividendtracker.com. We became aware of the listing after users reported that their ISPs and browsers were showing security warnings for our site. Investigating, we found the URL in this project's phishing-links-ACTIVE.txt feed, and in AlienVault OTX pulses tagged "phishing-database" and "threatfox". Tracing it back, we identified the removed mail-tracker open-redirect as the cause.
Have you requested a review from other sources?
Google Search Console → Security & Manual Actions → Security issues currently reports "No issues detected" for the domain (screenshot available on request), confirming Google Safe Browsing does not flag it.
We are also submitting a re-scan request to VirusTotal and a false-positive report to abuse.ch ThreatFox (which the OTX pulses mirror).
Do you have a screenshot?
Screenshot
Additional Information or Context
No response
What are the subjects of the false-positive (domains, URLs, or IPs)?
Why do you believe this is a false-positive?
thedividendtracker.com is a legitimate SaaS application (a dividend/portfolio tracker) and has never hosted phishing content.
The listed URL was an email-link-tracking endpoint provided by the third-party Laravel package "jdavidbakr/mail-tracker". That endpoint acted as an open redirect (/email/n?l=), and attackers abused it to bounce victims from our trusted domain to phishing pages they hosted elsewhere (e.g. the IPFS URL in the listed entry). The phishing content was never on our domain — only the redirect hop was.
The vulnerable package has since been fully removed. The /email/n route no longer exists and now returns HTTP 404:
Because the redirect is gone, the domain can no longer be used as a phishing hop. Requesting that this entry be re-scanned and moved to the inactive list.
How did you discover this false-positive(s)?
Other (Please fill out the next box)
Where did you find this false-positive if not listed above?
We are the owners/operators of thedividendtracker.com. We became aware of the listing after users reported that their ISPs and browsers were showing security warnings for our site. Investigating, we found the URL in this project's phishing-links-ACTIVE.txt feed, and in AlienVault OTX pulses tagged "phishing-database" and "threatfox". Tracing it back, we identified the removed mail-tracker open-redirect as the cause.
Have you requested a review from other sources?
Google Search Console → Security & Manual Actions → Security issues currently reports "No issues detected" for the domain (screenshot available on request), confirming Google Safe Browsing does not flag it.
We are also submitting a re-scan request to VirusTotal and a false-positive report to abuse.ch ThreatFox (which the OTX pulses mirror).
Do you have a screenshot?
Screenshot
Additional Information or Context
No response