Adware Report: Our Official Reply To StopBadware


Hello Erica,

Thank you for your response. Before addressing some of your points, let me start by announcing that as of this morning, we have been removed from Google's blacklist. This was in no small part due to the assistance of an anonymous reader who emailed us yesterday with some pointers. Had I received this kind of assistance from StopBadware or Google at the beginning, we would not be having this public discussion right now.

However, I am probably in the minority of sites who are receiving a bit of special treatment due to all of the attention being focused on this, so this is hardly a long-term solution.

This leads us to the core of the problem that I have with the current system. It punishes well-intentioned websites, while allowing blatantly malicious websites to continue operating at will.

We're the first to admit that the warning system is not perfect. We do believe it's the best option we have right now to protect internet users from being victimized by badware.

"Not perfect" is an understatement - we have identified many well-known, malicious websites that Google/StopBadware have not flagged. Some of these sites are minor annoyances. Others spread dangerous and virulent forms of malware. Why aren't you focusing on them?

I believe it is fair treatment to hold StopBadware to the same standards that we would any other anti-spyware product, and right now you are receiving a very bad grade.

Our goal is to protect internet users from harmful software, not to "punish" site owners who have been victims of hacking.

This is commendable and I suppose everyone would be more sympathetic if it weren't for the hard-line "ends justify the means" attitude StopBadware employees express in your public forum. Your employees have demonstrated that they have no sympathy for innocent website owners. They have even gone so far as to label them "guilty" of spreading malicious code through neglect. You've made it perfectly clear that you aren't going to judge people by their intent. So why do you make an appeal to the internet community for sympathy based on your intent? This seems hypocritical.

As the FAQ notes, Google, not StopBadware, finds sites hosting or distributing badware and independently places the warning page in search results for the sites in question. Google sends that information to us, and we make it available through our Badware Website Clearinghouse. As is noted on the Clearinghouse page for Adware Reports (http://stopbadware.org/reports/container?reportname=www.adwarereport.com%2Fmt%2Farchives), StopBadware had not yet independently reviewed that site.

It's a serious problem that a site flagged by Google doesn't get the benefit of a human review for several months. There should not be such built-in neglect. I would go so far as to say that Google should not flag a site until it has undergone a human review because we've demonstrated that their scanning algorithms suck.

Also, it is not fair to put the blame entirely on Google's shoulders. As the Google FAQ (http://www.google.com/support/webmasters/bin/answer.py?answer=45432) states, StopBadware is responsible for processing appeals. Google will not remove a site from the blacklist until this has been done. They did their job in November by flagging us. It is now February. Their FAQ says that's your fault. Please comment as to what, if anything, will be done about this in the future.

We're talking with Google about ways to notify people that their site has been flagged, but it's actually more complicated than it initially would seem. There is no standard email contact for site owners, and there is a danger that guessing on an email address could end up notifying the wrong party. If that wrong party is a hosting service, there's a possibility that the website could be shut down entirely if the hosting service so chooses. Hosting services frequently take just that route when they receive complaints about content that might infringe intellectual property, for example. We feel that accidentally notifying a hosting provider instead of a site owner would be much worse for webmasters than the warning page, which does not actually take down or block a site.

That's silly. This is a basic legal writing exercise. You could simply send an email out with the proper messaging to ensure that this does not happen. For instance, you could simply include an explicit statement that, if the email is received by a hosting provider, no action should be taken until such time as you have contacted the website owner directly.

Furthermore, a human reviewer could easily have found the "contact us" link located on most reputable websites. They could also use the email associated with a Google account, or even the verified email address associated with a Google Webmaster Tools service account (all of which applies to Adwarereport).

This raises an interesting point. Having an email address on your website is a sign of a reputable website. So sending out alerts to these email addresses is a self-policing mechanism. Reputable websites will receive them. Unreputable sites will be less likely to. It would be a significant improvement over your current processes.

Google does offer alerts about warnings to webmasters signed up through its Webmaster Tools service. You can read more in this blog post on Google's webmaster central blog: http://googlewebmastercentral.blogspot.com/2007/01/about-badware-warnings.html.

We have been regularly using the Google Webmaster Tools service since January and have never seen these alerts in the website. I have been actively looking for them since the 5th, when we discovered we were blacklisted and read this same paragraph in your FAQ. Have you ever personally seen an alert within the tool? If so, can you provide a screenshot? I have looked on every single page in the tool but have never seen it.

With regard to the specific case of Adware Report, the Google warning (and corresponding listing in our Clearinghouse) is for http://www.adwarereport.com/mt/archives, not for the full site. While the instance of badware that initially caused the site to be flagged has been removed, other instances of badware were still on the site as recently as yesterday, based on testing performed by Google.

This is true - an anonymous reader emailed us and tipped us off to the problem and provided some assistance. "Some" is the operative word. I had to manually click through 770 HTML files by hand looking for hacked JavaScript. This site runs on a hosted account, so I do not have access to grep or other command line tools to automate the process. Still, I am very passionate about computer security so I took the time to do this. You are telling me in the above that you had a list of files that were hacked ... and you didn't provide it to me? That's what I call a broken system.

The current system does not take into account the effort required to fix these problems and as a result is extremely unfair to less technically-sophisticated website owners. These less tech-savvy website owners are also less likely to be intentionally spreading malicious software. So again, your current system is punishing the wrong people.

Please feel free to reply directly at admin@adwarereport.com. I hope that I've come across as constructively critical here. It is my intention to point out the flaws in the system and hopefully leave you with feedback you can use to improve your service.



All articles and reviews are copyright 2004, Gooroo, Inc. All Rights Reserved.

Adware Report (http://www.AdwareReport.com) delivers objective news and reviews about the best and the worst spyware removal products.