The Safe Mac



The problem with website threat scanning

Posted on April 19th, 2013 at 4:38 PM EDT


I’ve been blacklisted. Well, not me, per se, but The Safe Mac website has been, by a number of website threat scanning services. How that happened is a bit of a disturbing story, and I know that I, for one, will never look at such services in quite the same way again. We’ve had discussions of trust before. This time, I’m going to ask you to aim a critical eye at the services you may be counting on to keep you from visiting malicious websites.

It all started a little more than a month ago, when a reader alerted me to the fact that McAfee was blocking access to my site, calling it a malware site, and that Websense was also categorizing it as malicious. VirusTotal can check a site against a number of different threat engines, and sure enough, the VirusTotal page for The Safe Mac was showing that these engines were blacklisting me.

I sent off a few e-mails, saw those errors get corrected, and thought it was all over. Unfortunately, I was not to be so lucky. Last week, I was alerted to the fact that McAfee was still blocking my site, by someone who was understandably suspicious of me and the content on my site. Sure enough, McAfee’s site still had me flagged. When I checked VirusTotal again, now Fortinet had also flagged my site as malicious. I did a bit more scrambling around, sending e-mail messages and submitting web forms. From there, I kept a daily watch on VirusTotal, and a game much like Whack-A-Mole ensued. Each day, I’d be clean again with some site that had considered me malicious the day before, but a new site would pop up that said I was malicious. And all the while, although BitDefender called me clean, the Additional Information link on the VirusTotal page revealed that BitDefender claimed that my site “was seen to host badware at some point in time.”

All of this was extremely puzzling to me. Although one should never have the hubris to say one’s site is invulnerable, I’ve got my site locked down pretty tightly. I keep the blog software updated, use a strong password with a non-default administrative username and have it configured to block repeat failed login attempts. I’ve been over the site with a fine-toothed comb, and cannot find any evidence that it is, or has ever been, hacked. Site scanners that download files from a site and scan them, like Quttera, back me up on that. So, why was I being blacklisted?

Eventually I hit a company at which I had a contact, and so I asked him what was going on. The response I got back revealed that there is a channel of communication between many security companies, through which they share not only malware samples, but also URLs. Apparently, someone (he didn’t say who) submitted my site as potentially malicious on that mailing list. In addition to that, he told me:

The level of suspiciousness depends on many factors, the domain age being one of them, the popularity of the site, how many sources of suspect URLs we’ve seen it from and trustworthiness of those sources.

So, the newness of the URL was also working against me. (Although the site has been around for a while, at www.reedcorner.net, I only just switched over to thesafemac.com two months ago.) He was also able to confirm for me that the issue was a false positive.

In the end, all false positives have been corrected except one. (CleanMX.com is a German site, and Chrome has failed completely in its efforts to translate it, so I’ve had a hard time trying to find contact information. Perhaps a German-speaking reader could help with that? :-) ) However, my site’s reputation will probably never be as spotless as I’d like it to be. Ironically, reedcorner.net has a squeaky clean reputation, despite the fact that the content is exactly the same. (Both thesafemac.com and reedcorner.net resolve to exactly the same IP address, in fact.)

The CleanMX issue is, unfortunately, not unique. Although the other services I had to deal with were written in English, that didn’t make it much easier to find a way to alert them to a problem with their results. In some cases, I searched for half an hour before finding a way to do so. This makes it hard for a site owner to get these kinds of false positives addressed.

What lesson can we take away from all this? Think back to trust. Remember, trust has to be earned. When it comes to automated site scanning and blocking technology, you simply cannot take what any single service tells you at face value. As with all such attempts to hand off decision making to some kind of software, it can be useful in many cases, but it is prone to error. If a particular tool tells you that a site is malicious, don’t take that for granted. Do some investigation on your own.

There are many different ways of checking a site’s reputation. If one tool gives you an unexpected result, check with another. Check with a site that bases its results on user feedback, such as Web of Trust. (Keep in mind that any user-based tool like this can be similarly prone to error, thanks to things like users “gaming” the system or posting negative results to intentionally harm a competing site’s reputation.) Check with Google’s Safe Browsing service, which is used automatically by Safari, Firefox and Chrome. Scan a site with something like Quttera, which actually fetches the pages of the site and scans them for exploits right then and there. Use VirusTotal to scan a site and get the results of many different engines at one time.
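As an added example (not code from this post or from any of the services it names), the script below does the cross-checking the paragraph above recommends in a repeatable way: it reads a multi-engine URL report, counts only engines that actually rated the site, refuses to call a site malicious on one engine’s word alone, and diffs two days’ reports so a site owner can see which engine flagged or cleared them overnight. The report layout is an assumption modelled loosely on the public VirusTotal URL-report JSON (a `scans` map of engine name to `detected`/`result`); the engine names and verdicts are constructed sample data, not real scan results.

```python
"""Cross-check a URL's reputation across several scanning engines.

Assumption: reports look roughly like the public VirusTotal URL report,
i.e. {"url": ..., "scans": {"<engine>": {"detected": bool, "result": str}}}.
All engine names and verdicts below are constructed for illustration.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# Verdict strings that mean "this engine has no opinion" and must not be
# counted as a clean vote.
UNRATED = {"unrated site", "unrated"}

# Constructed sample report for day 1: two engines flag the site.
REPORT_DAY1: Dict = {
    "url": "http://www.thesafemac.com/",
    "scan_date": "2013-04-17 00:00:00",
    "scans": {
        "EngineA": {"detected": True, "result": "malware site"},
        "EngineB": {"detected": True, "result": "malicious site"},
        "EngineC": {"detected": False, "result": "clean site"},
        "EngineD": {"detected": False, "result": "clean site"},
        "EngineE": {"detected": False, "result": "unrated site"},
    },
}

# Constructed sample report for day 2: EngineA cleared the site, but a new
# engine (EngineF) now flags it -- the "Whack-A-Mole" pattern.
REPORT_DAY2: Dict = {
    "url": "http://www.thesafemac.com/",
    "scan_date": "2013-04-18 00:00:00",
    "scans": {
        "EngineA": {"detected": False, "result": "clean site"},
        "EngineB": {"detected": True, "result": "malicious site"},
        "EngineC": {"detected": False, "result": "clean site"},
        "EngineD": {"detected": False, "result": "clean site"},
        "EngineE": {"detected": False, "result": "unrated site"},
        "EngineF": {"detected": True, "result": "malware site"},
    },
}


def rated_engines(report: Dict) -> List[str]:
    """Engines that actually expressed an opinion (drop 'unrated' entries)."""
    return sorted(
        name
        for name, scan in report["scans"].items()
        if str(scan.get("result", "")).lower() not in UNRATED
    )


def flagging_engines(report: Dict) -> List[str]:
    """Engines that flagged the URL.

    Computed from the per-engine entries rather than trusted from any
    summary 'positives' field, so the count cannot drift from the detail.
    """
    return sorted(
        name for name, scan in report["scans"].items() if scan.get("detected")
    )


def consensus(report: Dict, min_agreement: int = 2) -> str:
    """Classify a report without taking a single engine's word for it.

    clean             - nobody flagged it
    single-source     - fewer than min_agreement engines flagged it
    disputed          - enough engines to take seriously, but not a majority
    majority-malicious - more than half of the rating engines flagged it
    """
    flags = flagging_engines(report)
    rated = rated_engines(report)
    if not flags:
        return "clean"
    if len(flags) < min_agreement:
        return "single-source"
    if len(flags) * 2 <= len(rated):
        return "disputed"
    return "majority-malicious"


def changed_verdicts(
    old: Dict, new: Dict
) -> Dict[str, Tuple[Optional[bool], Optional[bool]]]:
    """Engines whose verdict differs between two reports.

    An engine missing from one report shows up as None on that side, so a
    newly added engine that flags the site is reported as (None, True).
    """
    names = set(old["scans"]) | set(new["scans"])
    changes: Dict[str, Tuple[Optional[bool], Optional[bool]]] = {}
    for name in sorted(names):
        before = old["scans"].get(name, {}).get("detected")
        after = new["scans"].get(name, {}).get("detected")
        if before != after:
            changes[name] = (before, after)
    return changes


if __name__ == "__main__":
    for report in (REPORT_DAY1, REPORT_DAY2):
        print(report["scan_date"], consensus(report), flagging_engines(report))
    print("changed since yesterday:", changed_verdicts(REPORT_DAY1, REPORT_DAY2))
```

Run daily against a saved copy of the previous report and the `changed_verdicts` output is the list of vendors to contact that morning; the `consensus` label is what to tell a reader who asks whether the site is really malicious. Raising `min_agreement` makes the check more conservative, which is appropriate for a new domain where, as the post notes, a single report is enough to get it listed.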

And if you happen to notice that a site you think should be legitimate is being blocked by a few of these engines, consider alerting the site owner to the problem, so that it can be fixed.



16 Comments

  • Gerard says:

    I for one will not stop reading your very informative pages and really do appreciate your work.

    Keep up the fantastic work you do and I recommend to anyone to follow your site on Twitter as well.

    Thanks again

    • Someone says:

      Agreed. I don’t care what anyone else says; this site is great and gets info out faster and better than Apple themselves. Kudos to you.

  • Ralf says:

    Hi, thanks for your excellent site. You mentioned CleanMX above – well, I’m German, I’m a translator. What is your problem and how can I help you (if still necessary)?
    Best,
    Ralf

    • Thomas says:

      I just need to find contact info on their site (www.clean-mx.de) for whoever needs to be notified of false positives. Of course, I also don’t know whether an e-mail message in English would be easily readable for them.

      • Ralf says:

        What a strange website, that – looks like one of those I tend to avoid/ignore because it simply looks so dodgy/unprofessional. You’ve probably noticed yourself that the only mode of contact (apart from “booking” or “testing” whatever it is that they’re offering) is at the bottom of the page in the “impressum”: info@netpilot.net
        Sorry, but that’s all I can find. They sit in Munich, and English messages shouldn’t be a problem these days, especially for companies who have anything to do with the Internet.

        • Thomas says:

          Yeah, from what I’ve heard, the website suits the company. :-( But it’s worth a try. Thanks for the address, I hadn’t located that.

          • Thomas says:

            Well, I have to say, reports I had heard about CleanMX appear to be false. I got a personal reply from Gerhard Recher, less than two hours after e-mailing the company, and he says my site is clean. He wasn’t sure why VT showed it as being malicious according to CleanMX, and added a comment to VT indicating that it was clean. Very helpful!

            Unfortunately, I seem to be back on the McAfee blacklist for some reason! :-( And they’re far more difficult to talk to.

          • Someone says:

Thomas, do you think that someone who’s gotten bad press from your articles (like the people behind MacKeeper, for example) is trying to give you a bad reputation?

          • Thomas says:

            I would be reluctant to toss around such accusations without proof.

          • Someone says:

            Could that be a possibility? It seems perfectly plausible to me, albeit very underhanded… Wouldn’t expect any better from folks like those behind MacKeeper :)

          • Someone says:

            Absolutely. I was just wondering if that could be a possibility.

        • Jen says:

          So someone can report a website and then they end up on some security blacklist for (seemingly) ever?

          Interesting.

          • Thomas says:

            I don’t think that just anyone would have that kind of credibility. But it certainly seems to be difficult to remove that stain, once you’re marked by it!

  • Joe Scholtz says:

This is the best article I have ever read concerning this. It gave me an entirely new perspective on websites and blacklist reports. Your article was extremely knowledgeable and at the same time informative, a trait that is rare in the computer world. Thank you so much for your contributions to the Apple community!

  • aalien says:

    For me? Answer is: marketing!

I bought a website address and minutes after I bought it, the company and Google (yes, a Google account with the same name and linked to the website address I bought) blocked my account (5 minutes later). I emailed both and figured out it was the name only… Somehow the target was suspicious. LOL

Will not say the name of my site nor the company from whom I bought it, but this is marketing and “conspiracy”…

After my complaint (I was very very very rude and even used very very bad words), in 24h everything went OK in all aspects…

Maybe someone doesn’t like your straight point of view :)

    • Someone says:

      I was thinking the same thing. Thomas does not tend to pull punches, and perhaps someone who was “punched” in an article on this site wanted some sort of revenge. It’s only a guess, and there’s no evidence, so I’m not saying this is what happened, but it could be plausible.


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.