New Contributor
•
7 Messages
False-positive security block (Akamai / Comcast Business SecurityEdge)
I'm a Comcast Business customer and the owner/operator of weatherboard.net, a legitimate weather-dashboard service. SecurityEdge on my Business line is blocking my own domain, weatherboard.net, as malware/phishing. It's a false positive, and I'd like the classification corrected at the source not just self-allowed on my own account. This false classification has poisoned the following downstream from Akamai security vendors who have added the domain to their block lists completely blocking potential customers and testers from even accessing the account or sending me email. (for example other comcast customers can't validate my _dmarc records):
alphaMountain.ai
T-Mobile
MalwareBytes
CDRF
Certgo
Gridinsoft
Fortinet (FortiGuard)
I expect to find out several others add us to their list because we are on the Akami list in their next update - this damage took less than 10 hours.
I traced what triggered it. I run a personal weather station (an Ecowitt console) that posts its readings to my service once a minute, via HTTP POST to ingest.weatherboard.net/ecowitt/<token>.
That regular once-a-minute POST to a token path is the kind of pattern an automated classifier can mistake for C2/beaconing — but it's ordinary weather telemetry (temperature, wind, rain), validated by token and stored. Nothing is ever sent back to the device, and the endpoint serves no executable content. After approximated 12 hours, SecurityEdge flagged this as potentially malicious.
I've already hardened the endpoint so it's clearly benign on inspection: it now presents a publicly-trusted Let's Encrypt certificate and a plain landing page explaining what it is (previously
it only exposed the POST path). Ecowitt consoles can't do HTTPS upload on their current firmware, so the endpoint must accept plain-HTTP POSTs for the hardware to work — a vendor limitation, not a shortcut. There is no way for the tens of thousands of PWS users using this brand to submit weather condition updates to a custom endpoint over https, only over http.
Honestly, part of why I'm posting here is that there's no real way to *report* this. I spent nearly an hour on the phone, and the only path offered was to open a support ticket and then wait
for someone to circle back and ask for the details, there's no self-service false-positive form or direct line to the SecurityEdge team. For a product that can block a legitimate business's own
domain, a simple "report a false positive" submission would save everyone a lot of time. Looking through your forum, I have seen customers saying resolving this type of issue take 4-6 WEEKS, that is life or death of a business in 2026.
With no usable way to report this and a business to run, I ultimately had to disable SecurityEdge entirely on my account just to function — which removes that protection from my whole network and should never be the only option left to a customer. The underlying SecurityEdge/Akamai classification is still flagged, which affects every SecurityEdge customer, so it still needs to be corrected at the source. Could a moderator help escalate this to the SecurityEdge team for a proper reclassification? I'm happy to verify domain ownership and share my account details by private message.
alphaMountain.ai
T-Mobile
MalwareBytes
CDRF
Certgo
Gridinsoft
Fortinet (FortiGuard)
I expect to find out several others add us to their list because we are on the Akami list in their next update - this damage took less than 10 hours.
I traced what triggered it. I run a personal weather station (an Ecowitt console) that posts its readings to my service once a minute, via HTTP POST to ingest.weatherboard.net/ecowitt/<token>.
That regular once-a-minute POST to a token path is the kind of pattern an automated classifier can mistake for C2/beaconing — but it's ordinary weather telemetry (temperature, wind, rain), validated by token and stored. Nothing is ever sent back to the device, and the endpoint serves no executable content. After approximated 12 hours, SecurityEdge flagged this as potentially malicious.
I've already hardened the endpoint so it's clearly benign on inspection: it now presents a publicly-trusted Let's Encrypt certificate and a plain landing page explaining what it is (previously
it only exposed the POST path). Ecowitt consoles can't do HTTPS upload on their current firmware, so the endpoint must accept plain-HTTP POSTs for the hardware to work — a vendor limitation, not a shortcut. There is no way for the tens of thousands of PWS users using this brand to submit weather condition updates to a custom endpoint over https, only over http.
Honestly, part of why I'm posting here is that there's no real way to *report* this. I spent nearly an hour on the phone, and the only path offered was to open a support ticket and then wait
for someone to circle back and ask for the details, there's no self-service false-positive form or direct line to the SecurityEdge team. For a product that can block a legitimate business's own
domain, a simple "report a false positive" submission would save everyone a lot of time. Looking through your forum, I have seen customers saying resolving this type of issue take 4-6 WEEKS, that is life or death of a business in 2026.
With no usable way to report this and a business to run, I ultimately had to disable SecurityEdge entirely on my account just to function — which removes that protection from my whole network and should never be the only option left to a customer. The underlying SecurityEdge/Akamai classification is still flagged, which affects every SecurityEdge customer, so it still needs to be corrected at the source. Could a moderator help escalate this to the SecurityEdge team for a proper reclassification? I'm happy to verify domain ownership and share my account details by private message.
Comcast_Orlando
Official Employee
•
86 Messages
4 days ago
@cluebattery
Thank you for reaching out. We apologize for any inconvenience you’re experiencing. If you’ve already contacted an agent, they likely opened a support ticket for you. These tickets typically take 24 to 72 hours to review, and an agent will follow up with you once there is an update.
1
0
cluebattery
New Contributor
•
7 Messages
4 days ago
Also, if you could ask your devs to make a proper SSO or buy one off the shelf that doesn't log your customers out every 5 minutes... that'd be great.
0
0
cluebattery
New Contributor
•
7 Messages
4 days ago
And stop sending me emails about the "Badges" I have earned posting - we are trying to conduct business not get Steam achievements.
2
0
cluebattery
New Contributor
•
7 Messages
3 days ago
So far, after more than nine hours on the telephone with Comcast constantly being re-routed from department to department, it appears no one in Comcast's entire tier one support knows what a block list is, how Security Edge works, understands what Akami's list is, or who at the company can report to Akami. I was able to get a ticket ID, tier 3, Akami Threat Intelligence group, in less than 15 minutes once a third-party pointed me to a phone number for them.
Comcast still is telling me "just turn off security edge and everything will be fine."
0
0
cluebattery
New Contributor
•
7 Messages
18 hours ago
It has now been more than 72 hours. Akami themselves have responded saying they will have a resolution sometime today. Comcast has still not responded to me in the "within 24 hours" that I have been assured would happen by 4 different representatives.
In this time, I have had human review and removal of the block by 17 different security vendors that added my domain to their blocklist on the existence of my domain on the Akami block list thanks to "Security Edge"
It is also clear, no one, and I mean no one in your company even remotely understands how Security Edge filtering works by poisoning the user DNS.
1
0