
January 30, 2006

Not-So-Practical Web Safety Advice

Posted by Jonathan Cohen at 04:16 PM

Suggestions From An Expert: Self-Denial

Let’s say a friend or family member planned a vacation in a large city you know well, and they asked for some practical advice on how to make it a safe family trip. One answer could be: “Don’t leave your hotel room and don’t talk to anyone.” Effective? Probably. Worth the trip? No way.

How about this advice: “Only go to places you’ve already seen, and only eat at national chains which you immediately recognize.” What’s the fun in that?

The conventional methods suggested by most security experts to avoid online annoyances and precarious threats are a buzz kill. Check out this "what not to do" spyware preventative checklist by computer security consultant Joel Dubin. Here are a few of his recommended spyware aversion techniques:

1) Never deliberately download software to your workstation or desktop from the Internet, no matter how helpful or interesting it may appear.
2) Stay away from any questionable sites, including pornography, gambling, hacking or other off-beat sites.
3) Run a native pop-up blocker and block Active X objects.

This restrictive advice, while well intentioned, removes an immeasurable amount of choice and possibility. We don’t believe that your browsing experience has to be this way. What good is the Internet if the only way to remain safe is to prohibit searching for and discovering constructive applications and entertainment content?

At the same time, these guidelines continue to place much of the burden on the user. How is the average Internet user supposed to know if a site is ‘questionable’ or ‘off-beat’? The Web is too large and constantly changing to place this burden on individuals.

Advice From Major PC and Software Companies

Given how many calls they get from customers frustrated by spyware infected machines, I wanted to find out what advice some of the major PC manufacturers have for preventing Web-based security threats, so I called customer service representatives at HP, Dell, and Gateway.

The HP representative recommended I do frequent scans using paid spyware detection and removal utilities. When I asked what pre-emptive recommendations he could provide, expecting typical answers like "turn off your cookies" and "don't steal music," he said running a system check is "the only way" to avoid spyware. One HP Web page said a lot about the bad things spyware can do to a computer (with frequent plugs again for their featured Anti-Virus subscription package), but nothing regarding what could be done to prevent infection. Another page gave the following advice, which seems to imply a need for endless patience by end-users to carefully read every word of legal disclosures, and also omniscience to know the origin and safety of every potential link the user encounters.

[Image: image002.jpg]

The Dell sales representative I spoke with would only refer me to a $79.99 paid virus product subscription. A case of déjà vu ensued when I called Gateway; their sales rep sang the same tune. She pushed a paid subscription and told me running spyware checks was again "the only way" to eliminate spyware. Gateway's Spyware FAQ only mentions symptoms and definitions. None of the reps or sites were able to suggest a single Internet surfing practice I could follow to try and avoid getting spyware on my computer in the first place.

We’re not suggesting for a moment that anyone shouldn’t have anti-spyware programs in place. Web safety is so complex that it requires multiple levels of defense. The advice from the manufacturers is also understandable: the fact that these “clean-up” methods are recommended is largely because until now there haven’t been effective and reliable ways to prevent these types of problems in the first place.

Besides advice on cleaning up the mess after it happens, the other advice frequently given is still “be careful." Dell offers the following advice on their security page:

"Use caution while downloading and installing free software programs found on the Internet. Make sure you only download software from known reputable sources. Read user agreements and privacy statements to get a clear understanding of other software that may be bundled."

Microsoft’s advice is similar: "Only download programs from Web sites you trust. If you're not sure whether to trust a program you are considering downloading, ask a knowledgeable friend…"

That's their way of effectively recommending you never try a new program from any source you haven't already tried. Seems pretty impractical to me – and it completely ruins the chances of fortuitously discovering something useful, like Firefox, Open Office, or even small but efficient applications like Trillian, SlickRun, and Print Screen. Wasn’t every Web site, Internet service, and computer application you've tried unfamiliar at one time? How can you expect to utilize the maximum potential of the Internet if you're constantly restricting yourself to your immediate comfort zone?

To review, the best advice you can get on how to avoid Web security threats often consists of the following suggestions:

1. Don't use the Internet.
2. If you have to use the Internet, only go to sites you know.
3. If you have to go to sites you don't know, buy software to protect yourself in case your computer is infected.
4. Barring all else, use extreme caution.

The SiteAdvisor Approach

At SiteAdvisor, our mission is to provide you with straight-forward disclosures about the consequences of online actions, especially ones taken at Web sites that aren't forthcoming about their spammy, spyware-installing, or flat-out malicious intentions.

Like many of the Web safety advisors above, we believe that knowledge is power. When properly guided, users can make smart, safe browsing decisions. Where we depart from our friends at Dell or Microsoft is that we simply believe it is our job, not the average consumer’s, to find out whether a new site or service is going to compromise a computer’s safety.

We believe that by taking this burden off of the user's hands, SiteAdvisor inspires confidence to explore the Web again, to discover new services, vendors, programs, activities, and communities. Imagine an uninhibited hippie dancing in the rain at a Grateful Dead concert – that could be you, or at least your online state of mind.

The Web is a vast expanse that's continually getting bigger, and we believe, worth traversing with a sense of confidence and adventure. So, empowered with an advisor by your side, we encourage you to get out there and explore it.

As always, let us know what you think by giving us feedback or by commenting below.

January 27, 2006

Out of this World

Posted by Hannah Rosenbaum at 12:00 PM

One of the great things about online shopping is that you can purchase items from far away places. Whether you're searching for a rare Baule Tribe Monkey Fertility Figure or a Microsoft Xbox 360 that is sold out at your local Best Buy, the Internet lets you expand your marketplace beyond your city, your state, and even your country. No travel is necessary; you don’t have to deal with crowds; you can shop during your 3 a.m. bout of insomnia; and there's a market for pretty much anything your heart desires -- even, say, a piece of property on the moon. Wait… really?

Our thanks to a SiteAdvisor user for pointing out the site LunarFederation.com (SiteAdvisor Analysis: LunarFederation) by posting a comment on its SiteAdvisor site report. It looks like there are some people who would like to extend the real estate market to the moon and Mars. (Is buying property on Earth really so “last millennium” already?)

[Image: LogoLunar.jpg]

According to Lunar Federation Inc., self-proclaimed as “Earth's Official Lunar & Mars Real Estate Agency,” over two million people have already purchased property on the moon and on Mars. The Lunar Federation's prices start at $29.95 for one acre of lunar or Martian property. Prices soar to $2.35 million for a lunar state (105,000 acres), which the Lunar Federation describes as “the opportunity of a lifetime.” Obviously, there’s not much chance that you will actually be able to visit your new real estate investment in your own lifetime, but you will receive tangible documents including a lunar deed and a lunar constitution that you can display on your bedroom wall to impress friends and family.

At first I thought, this must be a joke. It must be a novelty site where consumers can find a silly gag gift to give to family members or coworkers. A certificate of extraterrestrial property ownership was not exactly something I had on my wish list, but I can appreciate the wit. However, the Lunar Federation purports to take their goal of colonizing outer space very seriously. They acknowledge that fraudulent sites might just take your money and provide “a worthless piece of paper.” But the Lunar Federation claims to stand out as a legitimate outer space property broker.

Interestingly enough, the other lunar real estate Web sites make nearly identical claims of being the only true vendors of moon property. For example, LunarLandOwner.com (SiteAdvisor Analysis: LunarLandOwner) warns users to “Beware of other ‘Lunar’ companies selling Moon property. They might seem legitimate but the Lunar Embassy is THE ONLY COMPANY in the world to possess a legal basis and copyright for the sale of Lunar and other extraterrestrial property within the confines of our solar system since the year 1980.” They also assure potential customers that their site is neither disreputable nor a joke. So, now, who are we to believe?

Don’t read all this and think we have no sense of humor. We have no problem with gag gifts, and we found one site, BuyUranus.com which is very funny (if a bit risqué) and openly admits that it’s just for fun.

[Image: bumper-sticker-6.jpg]

BuytheMoon.com also discloses on its homepage that it’s a novelty site, and mentions that it donates a portion of proceeds to charity. While our automated tests for these two novelty sites are still under way, we have no problem with their business disclosures, and we anticipate these sites will end up with green ratings.

But some of the other extraterrestrial property sites are trying to take themselves so seriously that we feel they have the potential to mislead some people. The sites even walk through shaky legal (and financial) arguments explaining that the legality of their property sales is built on the premise of collecting enough money to fund the first lunar colony government. Presumably, that government’s first order of business would then be to parcel out crater deeds for the lucky early property investors. We're concerned, to put it generously. So we’ve given these sites yellow ratings.

Our ratings for these sites reflect our best judgments after taking a closer look at what they promise consumers. If you disagree with our assessments, let us (and other users) know by posting a comment on our site reports. Your user comments can meaningfully impact our ratings.

At least for this decade, we think the safe real estate ventures are right here on planet Earth. But we invite readers to flag other sites that seem a bit out of this world.

--Hannah Rosenbaum

January 23, 2006

Making the Web Safer One Site at a Time

Posted by Kelly Ford at 05:21 PM

This Week’s Lesson: Use Caution with Guestbooks

We wanted to share (with permission) some feedback we recently received from Brian Tiemann, the owner and webmaster of lionking.org (SiteAdvisor Analysis: LionKing.org), an unofficial fan site not associated with Disney. This tale starts a little scary, but it has a happy ending.

Lionking.org is a classic example of the Web’s promise: collecting and sharing information about a common interest, and building a community of like-minded surfers. This is the place to debate who rocks more: Simba or Timon?... or to submit your own Lion King art for others to see. The site boasts 200,000 pieces of user-submitted art already. What could be safer than this?

When Brian first e-mailed us, he was irritated. We had rated lionking.org red because we received, on average, 15 spammy e-mails per week after our bots signed up there with a unique e-mail address. Brian knew he wasn’t a spammer, so he was perplexed.

[Image: LionKing-Balloon-Highlight.gif]
Caption: We began receiving 15 spammy e-mails per week after we signed up.

"I would like to know where on my site you entered your e-mail address or signed up. The only place I can think you might mean is the guest book, and the only required field on that is the name," Brian wrote.

There’s the rub. We had signed the guest book, and we entered an e-mail address in the e-mail field. (Brian is right -- it wasn’t required, but it wasn’t discouraged either.) Then that e-mail was posted in full glory on the Web. It didn’t take long for spammers to visit the site’s guest book and screen scrape our address.

That’s when the deluge began:

[Image: lionking-inbox-highlight.gif]
Caption: A sample from our in-box, after we signed lionking.org’s guest book.

Pharmaceutical discounts and Thai Ladies were among the classy e-mails we received. We also saw some classic phishing e-mails purporting to be from eBay and PayPal.

As you might expect for this genre of site, a fair number of guest book comments come from kids. Here’s a typical guest book comment from 12-year-old Katharina from Norway:

I am a 12 years old girl from Norwegian who likes The lion king very much... I go on theatre and there we play "The lion king". I am a fan and The lion king is the most funny thing(theatre) =D And i like it so much...

The original posting included Katharina’s full name and e-mail address. In another posting, a 13-year-old posted a complete street address, open for all for the world to see. Plus, we couldn’t find any kind of privacy policy on the site. That’s scary.

Lionking.org's guest book contained 10 years' worth of monthly entries -- about 6,000 e-mail addresses for spammers to steal. That’s enough to be worth their while.

But our story takes a turn for the better. We responded to Brian’s e-mail, and we pointed out these issues. Brian couldn’t have been more cooperative in fixing the problem. Within two hours of receiving our reply, Brian had masked all 10 years’ worth of e-mail addresses, and he changed his guest book form to discourage posting of e-mail or physical addresses. Brian also added a privacy notice in the guest book area.

[Image: lionking-privacy.gif]
Caption: Lionking.org's guest book now discourages users from leaving full street addresses, and requires explicit opt-in before posting e-mail addresses.

Given Brian’s cooperation and his prompt change, we’ve modified our rating of his site from red to yellow. Our bots will continue to perform periodic random tests on his site, just like they do with every other site. When we’ve verified that e-mail addresses submitted to lionking.org don’t get too much e-mail, or e-mail with high SpamAssassin scores, the rating will change to green.

Now, some might argue that posting e-mails in the guest book was bad practice to begin with, and they'd be right. But you might want to give Brian at least a little bit of a break -- he says he coded the site himself 10 years ago in the Web’s infancy, when he was in college. The site grew organically since then -- he says it’s just a side hobby. So even as he added some whiz-bang features in other areas of the site, Brian just didn’t update the guest book’s functionality to keep up with the new threat of economically-motivated spammers. Live and learn.

There are a few lessons here for all of us:

1) For ordinary Internet users: Take caution with guest books and user review areas which request an e-mail address. Check the existing postings to be sure that e-mail addresses are not publicly posted. Spammers love these areas.

2) For Web site owners and developers: You are the first line of defense for protecting user data. The default posting of e-mail addresses, particularly of minors, is very bad practice and could cause all kinds of problems. If e-mail addresses must be posted, always require an explicit opt-in. Consider “Address Munging” to help prevent address harvesting by spammers.

3) For all of us: Working together, we can continue to make the Web safer by quickly fixing problems as they are uncovered. Brian Tiemann and his lionking.org site are a great example.
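As an added illustration of lesson 2 (this is example code written for this page, not lionking.org's guest book script or anything from SiteAdvisor), here is a small Python guest book renderer that applies the two fixes the post describes: an e-mail address is shown only when the poster explicitly opted in, and then only in a munged form, and an existing archive of entries can be masked retroactively. The entries, names and addresses are constructed sample data, and the `[at]`/`[dot]` spelling in `munge_address` is one common munging style assumed here, not the technique lionking.org actually chose. Every user-supplied string is also HTML-escaped, since a guest book that prints visitor text verbatim has a second problem besides harvesting.

```python
import html
import re

# Constructed sample entries; not real lionking.org guest book data.
SAMPLE_ENTRIES = [
    {"name": "Katharina", "email": "katharina@example.org", "show_email": False,
     "text": "I am a fan and The Lion King is the most funny thing =D"},
    {"name": "Brian", "email": "brian@example.com", "show_email": True,
     "text": "Welcome to the guest book."},
    {"name": "Mallory", "email": "", "show_email": True,
     "text": "<script>alert(1)</script> great site"},
]

# Loose check that the field actually holds one address before we render it.
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def munge_address(addr):
    """Spell out '@' and '.' so the address no longer matches the simple
    user@host.tld patterns harvesters scan pages for. One common style,
    assumed for this example; not lionking.org's actual technique."""
    local, _, domain = addr.partition("@")
    return "%s [at] %s" % (local, domain.replace(".", " [dot] "))


def render_entry(entry):
    """Return the HTML for one entry. The e-mail is rendered only if the poster
    opted in (show_email) and the field holds a real address, and then only in
    munged form. Every user-supplied string is HTML-escaped so a posting cannot
    inject markup into the page."""
    name = html.escape(entry.get("name") or "Anonymous")
    text = html.escape(entry.get("text", ""))
    email = (entry.get("email") or "").strip()
    contact = ""
    if entry.get("show_email") and ADDRESS_RE.match(email):
        contact = " &lt;%s&gt;" % html.escape(munge_address(email))
    return '<div class="entry"><b>%s</b>%s<p>%s</p></div>' % (name, contact, text)


def mask_archive(entries):
    """Retroactively hide addresses in existing entries, as the post describes
    being done for ten years of postings: clear the opt-in flag so nothing is
    rendered, while keeping the stored value for the site owner's own use."""
    for entry in entries:
        entry["show_email"] = False
    return entries


def render_guestbook(entries):
    """Render all entries as one HTML fragment."""
    return "\n".join(render_entry(e) for e in entries)


if __name__ == "__main__":
    print(render_guestbook(SAMPLE_ENTRIES))
```

With these sample entries only Brian's address appears, and it appears as `brian [at] example [dot] com`; Katharina's is kept but never rendered, and Mallory's script tag comes out as inert text.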

January 20, 2006

Friday Pre-Weekend Update

Posted by Kelly Ford at 06:00 PM

3 quick things we'd like to share on this Friday afternoon:

1) It’s been exciting hearing from so many of you with suggestions, comments, encouragement and questions. We review every comment submitted to us, and we’re working to respond to every e-mail and comment as well. Our apologies if we haven’t gotten to them all yet. We’re working to catch up.

2) We're hiring. We'll be posting a jobs section soon on our site with specific openings. But we always have a need for first class software engineers and IT professionals in our Boston office. So if you just can't wait to tell us how much you'd like to help make the Web a safer place, you can e-mail a resume to: jobs at siteadvisor.com. Please put a job title in the subject header.

3) We'd like to thank download.com for blogging about us this week. We're taking small steps toward our general release in a few months. If you like our Firefox extension, you can check it out or even write a review on download.com.

Safe surfing this weekend.

-- Chris Dixon

January 18, 2006

Spam-a-lot

Posted by Shane Keats at 01:39 PM

(Because "high volume bulk email deployment"-a-lot just doesn't roll off the tongue as well).

Friends have told me that when they start using SiteAdvisor for the first time, they enjoy looking up our profiles of their favorite Web sites. But in some cases, they’ve been unpleasantly surprised to learn that their favorite sites’ e-mail practices are less than stellar.

Most Web users have given up trying to figure out the origins of their inbox spam and commercial e-mail. Some think it just spontaneously appears. More practiced users know about dictionary attacks, wherein a spammer sends e-mail to JohnSmith@, and JohnASmith@ and JohnBSmith@ and so on. Others might imagine that their address was sold, or maybe a site was bought by someone else who then changed the e-mail privacy policy. But there's no easy way to figure out who sold a user's address, or exactly how a user went wrong.

SiteAdvisor cuts through this confusion by signing up at every Web form our crawlers find using a unique, single-use e-mail address. That way, we can actually track commercial e-mail back to its roots. We've registered at more than 800,000 websites so far. For any piece of e-mail we receive, we know the original form where we signed up that caused us to receive that e-mail. (You can see a more detailed explanation of how we perform this analysis.)
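To make the single-use-address idea concrete, here is an added Python sketch of the technique; it is example code written for this page, not SiteAdvisor's crawler. Each sign-up form gets its own address, incoming mail is attributed to a form by its recipient address, and the count is normalised to e-mails per week, the unit the post reports. The probe domain, the HMAC key, the form URLs and the messages are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this sketch: a domain whose mail all lands in the crawler's
# mailbox, and a per-deployment secret used to derive tags. Both constructed.
PROBE_DOMAIN = "probe.example.net"
TAG_KEY = b"constructed-demo-secret-not-for-production"


def signup_address(form_url):
    """Mint the single-use address for one sign-up form. The local part is an
    HMAC tag of the form URL, so the address is unique per form but reveals
    nothing about which site it was used at; the crawler keeps the mapping."""
    tag = hmac.new(TAG_KEY, form_url.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return "p-%s@%s" % (tag, PROBE_DOMAIN)


class SignupLedger:
    """Records which address was submitted to which form and attributes
    incoming mail back to that form by recipient address."""

    def __init__(self):
        self.form_by_address = {}

    def register(self, form_url):
        addr = signup_address(form_url)
        self.form_by_address[addr] = form_url
        return addr

    def attribute(self, raw_message):
        """Return the form URL a message traces back to, or None. Attribution
        uses the recipient headers (which the crawler controls) rather than the
        From: line, which a sender can forge."""
        msg = message_from_string(raw_message)
        headers = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _name, addr in getaddresses(headers):
            form = self.form_by_address.get(addr.lower())
            if form:
                return form
        return None

    def weekly_rate(self, messages, days_observed):
        """Messages per week per form, the unit the post reports. Mail that
        does not trace to any registration (e.g. a dictionary-attack guess
        at the probe domain) is dropped rather than blamed on a site."""
        counts = Counter(self.attribute(m) for m in messages)
        counts.pop(None, None)
        return {form: round(n * 7.0 / days_observed, 1) for form, n in counts.items()}


def build_sample_messages(ledger):
    """Constructed sample mail for two registrations; not captured spam."""
    games = ledger.register("http://games.example.com/signup")
    sweeps = ledger.register("http://sweeps.example.com/register")
    template = "From: %s\nTo: %s\nSubject: %s\n\n(body)\n"
    return [
        template % ("offers@partner.example", games, "Prize alert #1"),
        template % ("deals@another.example", games, "Free ringtone inside"),
        template % ("promo@affiliate.example", "Member <%s>" % sweeps, "Your gift is waiting"),
        template % ("bulk@guess.example", "john.smith@" + PROBE_DOMAIN, "Dictionary guess"),
    ]


if __name__ == "__main__":
    ledger = SignupLedger()
    messages = build_sample_messages(ledger)
    for form, rate in sorted(ledger.weekly_rate(messages, days_observed=7).items()):
        print("%-40s %5.1f e-mails/week" % (form, rate))
```

Over a seven-day observation window the sample yields 2.0 e-mails per week for the games form and 1.0 for the sweepstakes form; the fourth message, addressed to a guessed local part at the probe domain, is counted against nobody.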

Today, I want to focus on some examples of Web sites where sign-ups resulted in a significant amount of commercial e-mail. In fact, like the download round-up last week, I’d like to make this a regular feature. (Let me know what you think.)

To be clear, we're not necessarily talking about sites that send spam in the legal sense. Many of the tested sites include language in their privacy policies which says that they may send commercial e-mail and that they may share users' addresses with third parties who will send more mail of their own. Now many sites aren't that clear about what they'll do, but a few are, and some even make these admissions on the Web page where you sign up. Still, we think most sites' disclosures are inadequate to let users make fully informed decisions. Among other important factors, users need to know how much e-mail they'll actually get before they can decide whether a site's offer is worth the price.

Let's start the rest of this discussion with a thought experiment. Suppose you're at a Web site that offers a "free product" in exchange for signing up at their site. The freebie could be an on-line game or perhaps a chance at a sweepstakes. And let's assume that the Web site makes it clear that by signing up, you're agreeing that they can send you commercial e-mail and share your information with their third party affiliates.

Now, what if we told you that in order to get that game you'd end up receiving 1 commercial e-mail offer per week? Reasonable people might say that’s ok. What if we told you that, instead of 1 e-mail per week, it would be 1 e-mail per day? 2 per day? 10 per day? How about 20 e-mails per day? Is that game still worth it? SiteAdvisor strives to give you the facts to let you decide for yourself.


On Target -- bullseyesgames.com

[Image: bullseye-logo.gif]

BullseyesGames (SiteAdvisor Analysis: BullseyesGames) describes itself as “one of the oldest online arcade gaming sites.” Members can play games for free, submit high scores and rate games. Fair enough.

But in exchange for these games, BullseyesGames members could receive, on average, as many as 20 commercial e-mails per day. 142 per week. (At least, that's how much e-mail SiteAdvisor received when we signed up.) Now, do people say ‘yes’ to that? Bullseyes’ privacy policy is certainly easy to find and appears to be written for regular people as opposed to lawyers.

Our mission at BullseyesGames.com is to build users' trust and confidence in the Internet by promoting the use of fair information practices. Because this web site wants to demonstrate its commitment to your privacy.

That certainly sounds like a good start. From this intro, you’d think Bullseyes was a pretty good deal. But the next paragraph made our hair stand on end:

The personal information you provide BullseyesGames.com will allow us to alert you of new features, contests, prize fulfillment or special offers. BullseyesGames.com may also provide your personal information to other companies or organizations which offer products or services which may be of interest to you. In such cases, we will notify you that the information will be shared and provide you with an opportunity to opt-out and/or clicking a link that says "no thanks".

We think that paragraph raises more questions than it answers. For example, when will the user receive notification? When will he get the opt-out option? Can the site continue to give out the e-mail address in perpetuity? Is it the user's responsibility to keep track of which opt-outs are honored? How many "alerts" are we talking about anyway, and how many "other companies"? Those are questions I'd like answers to before I sign up. Here's hoping.


How Much Does ‘Free’ Cost? -- sweepandvacfree.com

When SiteAdvisor looks at topics like commercial e-mail practices, we try to understand the economics behind the subject. And there’s a lot of economics behind e-mail address harvesting. Companies will pay $0.05 and more for a valid opt-in e-mail address. Generate enough e-mail addresses, and these nickels start adding up to real money.

[Image: swiffer-home.jpg]

The person who owns SweepAndVacFree.com (SiteAdvisor Analysis: SweepAndVacFree) seems to make money by subjecting visitors to a barrage of special offers, co-registrations, and surveys, all the while dangling the prospect of a free Swiffer at the end of this process. Each time a user submits his e-mail address to one of these offers, the site owner receives his “bounty.”

[Image: swiffer-10.gif]

In the Swiffer case, the user must flawlessly get through a minimum of 29 screens covering a massive 234 offers to get his free Swiffer, something that retails for $19.54 at Wal-Mart.com. As you can see, these are big brands being advertised. I saw offers from AOL, Nokia, Sprint, Gevalia, Ladies Home Journal, Disney and ADT during a recent visit I made.

Typically with sites like this, if a user fails to complete the process perfectly -- if he “breaks” the process in any way -- he doesn’t get the gift. But you can be pretty sure that the Web site keeps using his e-mail address.

Does the site disclose these practices? Sort of. This is an issue of “technical” disclosure which doesn’t really explain the full practical implications of what’s going to happen.

The site's privacy policy explains that the site “may use the personal information that you supply to us and work with other third party businesses to bring selected retail opportunities to our members.” Read that, and you might think you'd get a few e-mails per week, or at most a couple per day. But it's far worse than that.

In our testing, signing up at SweepandVacFree resulted in a stunning 108 e-mails per week on average. Shouldn’t a user be told that? Shouldn’t “informed consent” be defined in such a way that the impact of a registration is quantified to the user in a way that's understandable? If, after being told that he will get 15 e-mails per day, a user still wants to go for the Swiffer, so be it. But in its current form, this site doesn't tell users the one fact they most need in order to assess the site's value.


In An Uproar -- uproar.com

[Image: Uproar-Logo.gif]

A lot of expert Web and computer users fault consumers for failing to use their common sense. “Don’t go to sites you don’t know,” is one typical bit of advice.

Uproar.com has been around since before the bubble burst. Alexa ranks them at 2,511. By any measure, this is a major Web property with significant traffic, a long Web life, and plenty of press coverage. Owned by Flipside, Uproar (SiteAdvisor Analysis: Uproar) offers on-line and downloadable games, contests and i-coins, Uproar's own online currency. Games are free for a short time. After a trial period, users must register to keep playing.

So how does Uproar make its money? It rents a lot of its real estate to advertisers, but it also runs its new members through a gauntlet of sign-ups. These are similar to the co-registrations we examined in the Swiffer example above.

Here’s SiteAdvisor’s post-sign up inbox:

[Image: uproar-inbox-new.gif]

119 e-mails per week. Now, look more closely at the rules and privacy policy:

Uproar.com never sends SPAM to your e-mail inbox. While we do send e-mails to our users, they are always permission-based emails, which means they require your consent. By sending you information about our most attractive offers we can offer Uproar.com's great games and prizes for FREE.

Uproar has been around for a while and it may seem safe. But I suspect that an extra 119 marketing e-mails per week -- whether they're "permission based" or just plain spam -- just isn't what most users are looking for.


Our Unsolicited Advice

Whatever you call commercial e-mail, whether it’s “solicited” or not, consumes time. (And if you're looking for a great laugh about e-mail nomenclature, watch, or re-watch, the Daily Show's profile of Scott Richter, a "high volume e-mail deployer.") Reading, deleting, unsubscribing, shouting at your inbox – it all takes time. In an ideal world, Web sites that ask for e-mail addresses would be required to disclose the volume, frequency and type of e-mail they or their partners would send. Barring that, the next best fantasy world would give each of us the time to read privacy policies and to sign up using disposable e-mail addresses. At a minimum, sites' policies should be written so that regular people can understand them.

But of course we don't live in that ideal world. So what SiteAdvisor has been doing since last spring is allowing ourselves to be spammed. We've tested these sites, and hundreds of thousands more, so you don’t have to find out the hard way what will happen to your inbox when you entrust your e-mail to someone else.

As with our download tests, our e-mail material is available under Creative Commons License 2.5. We’d love to see e-mail researchers using this dataset in interesting ways. And please keep giving us feedback. It's super useful.

January 12, 2006

The Web's Download Disasters, Inaugural Edition

Posted by Shane Keats at 03:27 PM

When we first started crawling the Web looking for bad downloads last year, we weren't sure what we'd find. Today, a million Web sites and 140,000 download tests later, I can say with confidence that there are some great programs to be downloaded out there. I can say with equal confidence that there are also plenty of train wrecks waiting to happen to your PC.

I blogged about how we conduct our download tests a few weeks ago when we opened SiteAdvisor for preview. Since then, a lot of people have asked me to clarify what our “nuisance score” means. I usually explain that it represents a synthesis of all the data we collect about a particular download. For example, a download which resets my default home page is annoying, but not fatal. Low score. A download which calls on well known ad-servers or installs multiple contextual ad programs gives me great angst. High score. Do a bunch of bad things and the score goes up. (The question was asked often enough that I put a description in our FAQ.)

But I think another more useful way to help explain the score is to look at some examples. In fact, today, I am inaugurating what will become a regular blog feature – a look at five downloads which really tip our nuisance meter. I’ll focus on software with nuisance scores of 9 or 10. Just how much of a nuisance are these downloads in practice? Read on and decide for yourself.


You Must Remember This: EntertainmentWallpaper dot com

I'm starting this inaugural list with a screensaver called “aaliyahremembered2.zip” that I saw in SiteAdvisor's database. I happen to be a fan of the late singer so I went to EntertainmentWallpaper dot com (SiteAdvisor Analysis: Aaliyah Remembered) to download a copy for myself. I let my virtual PC click yes, yes, yes. Big mistake. The install starts mysteriously with a dialogue from WebDevAZ. But that’s just an appetizer before the main event. This nine course meal is positively medieval in its gluttony. It puts me through nine dialogue screens. Nine.

[Image: aaliyah_matrix_narrow.gif]

Included in my bounty: New dot Net, Accoona, TopRebates, Hyperlinker, a free ringtone from Jamster and an offer to reset my home page to Freeze.com.

In exchange for that, I got the following. It isn’t even pretty:

[Image: Aaliyah_ScreenSaver.jpg]


No Loaf is Better Than This One: RatLoaf dot com

Who names a site RatLoaf anyway? SiteAdvisor has a lot of experience with these guys. We've tested more than 140 downloads from them and more than a dozen contain software most people would prefer to avoid. With so much to choose from, it's hard to decide. Here's SiteAdvisor's summary of our first few tests:

[Image: ratloaf_summary_shirt.gif]

I'll focus on their Dog Days screensaver. The six screen install process is hardly a record and the ad bundles are actually reasonably well disclosed. So what do I get for clicking 'Yes' to New dot net, Relevant Knowledge and WhenU?

[Image: ratloaf_dogdays_screensaver.jpg]

To SiteAdvisor, the whole world sometimes smells sketchy. Like when we look into the 7,987 word EULA and discover that our Dog Days are numbered. In fact:

The entire Evaluation period for the Software product may be no longer than 30 days, at which time the End-User must register the software and provide the accompanying payment in order to continue using the Software.

It's not even free! I have just put three pieces of software on my PC so I can try out a screensaver for 30 days. Grrrr.


But Wait. There's More: WarezClient dot com

[Image: warezclient-logo.jpg]

Now, folks who go looking for warez are heading into the dark alleys of the Web by definition. But the “Warez P2P Client” (SiteAdvisor Analysis: Warez Client) really likes to go exploring. Lucky for me I clicked on the ‘+’ symbol to see what kind of “extras” I’d receive:

[Image: warez_extras_tight.gif]

I was not disappointed. New dot Net is an old friend by now. Since they didn’t tell me which “contextual advertisement” I was downloading, I decided to double check by running Webroot’s Spy Sweeper after the Warez install. It found this nugget:

warez_lopdotcom.gif

Warezclient ranks pretty high on Alexa too (20,342). Popularity, it turns out, is no defense against sketchiness.


Frowns All Around: Adroz dot com

Adroz dot com is a Smiley’s site – a place to get icons for your IM client. I was hard pressed to find anything safe to click there.

adroz_buddy_icon_small.jpg

I downloaded one cocktail called Buddy Icons Direct (SiteAdvisor Analysis: Buddy Icons Direct) and just to make sure I wasn’t dreaming, I had PC Tools’ Spyware Doctor give my virtual PC a check-up. Buddy Icons Direct is bad many times over.

adroz_spywaredoctor.gif


Stop Playing Games: MyFavoriteGames dot com

This month, I’ll pick MyFavoriteGames dot com as my favorite download disaster site.

dragonball z blurscreen.gif

Their Dragonball Z “blurscreen" screensaver (SiteAdvisor Analysis: Dragonball Z) is a real bundle of joy. If you read through the EULA and pay attention during their eight-screen install process, here’s what they admit to bundling:

* Ezula’s Toptext
* NetPal
* New dot net
* Quicksearch toolbar
* An option to set your home page to Freeze.com

Was there anything else they neglected to tell me? I ran Webroot to double check. Here’s what I saw:

dragon_webroot.gif

FavoriteMan? AdServerNow? KeenValue? ShopAtHomeSelect? TimeSink? I went back to the EULA and found no reference to them. According to Webroot’s handy and understandable descriptions, FavoriteMan has a “very high risk" rating. It monitors which Web pages I view and what data I enter and then serves targeted ads to me. ShopAtHomeSelect takes it to a higher level: it “redirects visitors to merchant Web sites via its own servers in order to increase its affiliate commissions." Turns out TimeSink is a “defunct advertising delivery mechanism." That’s new. They’re bundling adware for companies that don’t even exist anymore.

Let’s review. 10 pieces of advertising related software in exchange for one screensaver. Objectively, that's a bad deal: Users' computers will be far slower, less reliable, and less private, all in exchange for a piece of software users don't actually need.


That's it for now. You should feel free to use this for your own research if you find it helpful. We've also made our data available under Creative Commons License 2.5. In the meantime, please nominate your own favorites by going to our Feedback page. I'd love to check them out. Till next month.

January 07, 2006

Spam + Amazon = Spamazon?

Posted by Shane Keats at 03:01 PM

As we all know, it’s only a matter of time before every great new Internet invention starts getting hijacked by spammers, scammers and other disreputable characters. First it was Usenet and e-mail, now it is blogs and search engine results.

It happens that one of our developers was looking at Video iPods on Amazon this morning and came across these two cases of “comment spam".

Having nothing better to do on a sunny Saturday afternoon, I thought I’d sit in my dark office in front of my computer and do a little research.

As I write, you’ll find these comments on Amazon's page for the video iPod:

amazon_spam.gif

Notice that each of these comments contains a reference to a Web site. If you go to those Web sites you are redirected to freepay.com (SiteAdvisor analysis) in the first case and consumerrewardzone.com (SiteAdvisor analysis) in the second. (I was pleased to see that we rated these sites Yellow and Red respectively).

Now someone might say: “Isn’t it ok for a company to post a comment and include a reference to their site?"

First, we should note that this is hardly authentic commentary. As with almost all of this spam, they stole the text from elsewhere. (Fun game to play when you find coherent spam comments like that: take about 10 words and enter them into Google surrounded by quotes).

Secondly, you aren’t going to get a free iPod. Well, I should qualify that. You might get a free iPod, just like you might win a million dollars if you buy a Powerball lotto ticket. But the odds are almost as long. We’ll write a lot more about these “sweepstakes" sites later, but for now suffice it to say that the business models of these companies rely on the fact that they make it really, really hard to actually get the product. Most of them have what they call “breakage" rates (meaning the percent of people who sign up, get bombarded with marketing messages, but fail to get the prize) near 95-99%.

One interesting thing to look at when you follow the links above is the parameters in the destination URL. Here you’ll almost invariably see an “affiliate id" number of the person actually doing the spamming. In the case of the first comment spam the URL is http://premiumipods.freepay.com/?r=26078854. Click on that link and the bell will ring and affiliate number 26078854 will smile (apparently, some affiliates are smiling a lot). Unfortunately, we have no way to find out the true identity of mysterious number 26078854, but freepay.com certainly knows and could do something about it, if they were so inclined.

Blog spam

Amazon spam seems pretty rare and we’re not really suggesting it’s a serious problem. Presumably, Amazon has the resources to clean this stuff off when they want to.

A closely related but more serious problem is blog comment spam. All the blog comment spam I’ve ever seen contains a link to a Web site. That is apparently because the primary purpose of blog comment spam is not to get users to click but instead to get “credit" for inbound links to increase their site's search engine rankings.

I admit I haven't really studied blog comment spam very intensely, but I'll conjecture that a database like the one we are building could be helpful in fighting it. For example, had Amazon checked those links in the comment spams against our database then they could have seen that they led to sites we marked as suspicious.

There are all sorts of technical problems to overcome and I don’t mean to suggest that this would be a silver bullet. I suspect that as with e-mail spam, fighting blog spam will require a variety of different methods including some that have already been introduced (“nofollow" tags, authentication). Using our database would fall into the “blocklist" category of solutions (although perhaps a better implementation would be the opposite -- a whitelist approach... long discussion).
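Here is what the blocklist-style check sketched above looks like in practice, together with the affiliate-id extraction from the Spamazon section. This is an added example, not SiteAdvisor's code: it pulls URLs out of a comment, follows them to their final destination, looks the destination domain up in a small rating table, reads the affiliate id out of the query string, and picks an action (reject, add rel="nofollow", or allow). The rating table uses the two ratings the post reports (freepay.com Yellow, consumerrewardzone.com Red); the redirect table, the `.test` domains, the extra affiliate parameter names, and the comment text are constructed for illustration, and the redirect table stands in for actually fetching the links.

```python
"""Check links found in user comments against a site-reputation table.

Added example, not SiteAdvisor code. Everything marked "constructed" below
is made up for illustration; only the two ratings and the freepay URL with
affiliate id 26078854 come from the blog post.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Ratings table: first two entries are from the post, the third is constructed.
RATINGS = {
    "freepay.com": "yellow",
    "consumerrewardzone.com": "red",
    "example-blog.test": "green",
}

# Query-string keys that may carry an affiliate id. "r" is the one seen in the
# post; the rest are assumed names, not taken from any real program.
AFFILIATE_PARAMS = ("r", "ref", "aff", "affid", "affiliate")

# Constructed redirect table standing in for an HTTP fetch that follows 3xx
# responses. Keys are the URLs posted in comments, values are where they land.
REDIRECTS = {
    "http://free-video-ipod.test/": "http://premiumipods.freepay.com/?r=26078854",
    "http://cheap-ipod-deal.test/": "http://www.consumerrewardzone.com/?ref=PLACEHOLDER_ID",
}

# What to do with a comment link of each rating; unknown sites get nofollow so
# an unrated spammer still earns no search-engine credit.
POLICY = {"red": "reject", "yellow": "nofollow", "green": "allow", "unknown": "nofollow"}

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def registered_domain(host):
    """Naive registrable-domain reduction: keep the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def resolve(url, redirects=REDIRECTS, max_hops=10):
    """Follow the constructed redirect chain, stopping on loops or long chains."""
    seen = set()
    while url in redirects and url not in seen and len(seen) < max_hops:
        seen.add(url)
        url = redirects[url]
    return url


def rating_for(url, ratings=RATINGS):
    host = urlsplit(url).hostname or ""
    return ratings.get(registered_domain(host), "unknown")


def affiliate_id(url):
    """Return the first affiliate-looking query parameter value, or None."""
    query = parse_qs(urlsplit(url).query)
    for name in AFFILIATE_PARAMS:
        if name in query:
            return query[name][0]
    return None


def check_comment(text):
    """Return one finding per URL in the comment text."""
    findings = []
    for url in URL_RE.findall(text):
        final = resolve(url)
        rating = rating_for(final)
        findings.append({
            "url": url,
            "final": final,
            "rating": rating,
            "affiliate_id": affiliate_id(final),
            "action": POLICY[rating],
        })
    return findings


def comment_action(text):
    """Most restrictive action across all links; plain text is allowed."""
    actions = {f["action"] for f in check_comment(text)}
    if "reject" in actions:
        return "reject"
    if "nofollow" in actions:
        return "nofollow"
    return "allow"


if __name__ == "__main__":
    # Constructed comment in the style of the ones the post describes.
    sample = "Best gadget ever. I got mine free at http://free-video-ipod.test/ today."
    for finding in check_comment(sample):
        print(finding)
    print("decision:", comment_action(sample))
```

The affiliate id is the part worth logging: the post points out that the operator of the destination site can tie it to a specific affiliate account, so a moderation tool that records it gives the site owner something concrete to act on.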

Fighting blog spam unfortunately isn’t on our main product roadmap right now. We are solely focused on building a database to protect Web users from suspicious Web sites. That said, if there are any readers who'd like to work on it, we’d be happy to supply the data (at no charge -- we’ve put our database under a Creative Commons license (for non-commercial use) for cases just like this).

Just drop us a note. Or leave a comment on this blog. You can even comment spam us - we turned off all comment security. We enjoy observing the little critters.

[tags: Comment Spam Security]

January 06, 2006

The Role of Affiliates in Spyware, Adware, and Spam

Posted by Shane Keats at 09:26 AM

We’ve gotten a number of questions from our Preview Version users questioning our decision to classify some sites as “red" because those sites link heavily to sites that distribute spyware or adware, or collect information in order to send spam. These are sites that you’ll see where our system says they “link to red sites" (in the future, we are probably going to change the wording to say these sites are “affiliated with red sites.")

Here at SiteAdvisor, we strongly believe in the importance of this feature. But we admit that so far we’ve done a mediocre job explaining our motivation and our initial implementation.

Here, I’ll try to explain it better.

First, it’s important to note that most spammers and spyware/adware distributors are economically motivated. People make money from this stuff -- lots of money. For example, Claria (formerly Gator) is said to have made as much as $90 million in revenues in 2003 (the last year they publicly reported their numbers) distributing what many consider to be adware, and there are dozens of major spyware/adware companies out there, not to mention all the “below the radar" companies doing it.

Second, it’s important to understand that most of these companies don’t get users to their sites all by themselves. Instead, they get traffic to their sites through what, in the Internet advertising business, are called “affiliates." Affiliates are Web sites that get paid by other Web sites for some “action" like driving users to a site, collecting personal information like e-mail addresses, or getting users to download software with adware/spyware installed.

The point of our link analysis feature is to identify these affiliates and warn users about them before it’s too late.

Case Study: Freeze.com

A good way to illustrate this is to look at a company called Freeze.com. Freeze is one of many Internet businesses today that makes money by distributing free programs like screensavers that come bundled with what many anti-spyware companies consider to be adware. The way Freeze loads this stuff on users’ PCs is primarily by announcing to the world: "We'll pay anyone $1 for every time they get a user to download our programs." Check it out yourself.

This kind of affiliate marketing is extremely prevalent on the Web today. It is done all the time by well-known companies like Netflix and Citibank, but is also the preferred marketing method for companies selling less desirable products like adware.

Here’s how it works in practice. Suppose you are the savvy person who had the foresight to buy the domain name screensaver.com way back in, say, 1995. Now it’s 2005, and your site screensaver.com gets lots of traffic. Some of the users come to your site because they just type “screensaver.com" directly into their browser when they want to download a screensaver. Others come through search engines that rank your site as a top result for terms like “screensaver". So you’ve got lots of visitors, but you’re not quite sure how to make money.

Enter Freeze.com. Freeze says to screensaver.com (and anyone else who cares to listen): "All you have to do is get your visitors to download our screensavers, and we’ll pay you $1 for each download." According to Yahoo!'s Overture service, Internet users searched for the keyword “screensaver" more than one million times on Yahoo! in November 2005. If you also include other search engines like Google and consider similar keywords like “free screensavers," you get many millions of searches for screensavers every month. And when you type these keywords into Google and Yahoo!, screensaver.com is one of the top natural results. While we don’t know what percentage of visitors to screensaver.com actually download their software, we think it’s safe to assume that at $1 per download, they are making a lot of money.

So you can see why affiliate marketing can be so lucrative. One side brings the users. The other side brings the “business model."

For adware vendors and their distributors, this is a win-win bargain. The vendor gets more downloads and therefore makes more money (you can rest assured they earn well more than what they pay affiliates per download). The affiliates get a way to “monetize their traffic." But users are big losers: they end up with adware all over their computers.

By the way, screensaver.com is a real example. As we showed in a previous blog entry, downloads on screensaver.com actually come from freeze.com.

screensaver_linked_to_freeze.JPG

Our linker analysis identified with “high confidence" a total of 127 affiliates of freeze.com (and many more sites that link to freeze but where the relationship isn’t strong enough for the system to call them “affiliates" with high confidence).

Our Approach to Red Linkers

We presume that users who download SiteAdvisor software wish to avoid spyware, adware, and spam. The primary purpose of these affiliates’ sites is to give you precisely those things, and they are often very effective at doing just that. This is why we classify these affiliates as “red" in our system.

We should also point out that, in many cases, what we call “links" aren’t what people in honest neighborhoods of the Web (for example, in the “blogosphere") think of as links. On spyware/adware/spam affiliate sites, link destinations are often obscured, and in many cases the browser URL bar doesn’t change to display the target links since the “links" are actually embedded frames or direct links to downloads on other domains.

When considering how to rate sites, we often ask ourselves: "What advice would we give a family member who is a typical, casual Web user?" Would we tell that family member to avoid spyware/adware affiliates like screensaver.com? The answer we always come up with is: emphatically, yes.

Accuracy, Corrections, and Future Plans

Obviously, given that the Web is full of links between sites of all kinds, there is some "art" to deciding which ones are closely linked enough to be considered "affiliates". We're constantly improving our algorithms to try to capture sites that we think are really trying to get you to go to other sites that we've rated as "red". But if you see cases where you think our judgments are incorrect, we encourage you to leave a comment on that site's profile page. We'll review your submission and make appropriate adjustments.
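To make the "art" concrete, here is one simple way to score a site's outbound links and decide whether it is affiliated with red sites. This is an added example and not SiteAdvisor's linker analysis; the link kinds, the weights, the thresholds and the sample link graph are all assumptions. It follows the post in two respects: frames and direct downloads on other domains count as links even though the URL bar never changes, and a site that merely mentions a red site a few times (a blog warning about it, say) is not treated as an affiliate. freeze.com is red on the page's own evidence and screensaver.com is the page's example of a site whose downloads come from freeze.com; the other domains are constructed.

```python
"""Score outbound links to flag sites affiliated with red sites.

Added example, not SiteAdvisor's algorithm. Weights, thresholds, link kinds
and the link graph below are assumptions made for illustration.
"""

RED_SITES = {"freeze.com"}  # rated red in the post

# Weight per link kind. Frames and direct downloads are the obscured "links"
# the post describes on affiliate sites, so they count more (assumed values).
KIND_WEIGHT = {"href": 1.0, "frame": 3.0, "download": 3.0}

# Thresholds (assumed): share of weighted outbound links that reach red sites,
# plus a minimum absolute weight so one stray link cannot trigger "high".
HIGH_SHARE, HIGH_MIN_WEIGHT = 0.5, 6.0
LOW_SHARE = 0.2

# Constructed link graph: (source site, destination domain, link kind).
LINKS = (
    # screensaver.com: its downloads come from freeze.com (as the post shows),
    # plus a frame, a few ordinary external links and many internal links.
    [("screensaver.com", "freeze.com", "download")] * 4
    + [("screensaver.com", "freeze.com", "frame")]
    + [("screensaver.com", "example-news.test", "href")] * 3
    + [("screensaver.com", "screensaver.com", "href")] * 10
    # A blog that links to freeze.com once while writing about it.
    + [("example-blog.test", "freeze.com", "href")]
    + [("example-blog.test", "example-news.test", "href")] * 9
    # A site with a smaller but real share of traffic sent to freeze.com.
    + [("cheap-wallpapers.test", "freeze.com", "download")]
    + [("cheap-wallpapers.test", "freeze.com", "href")]
    + [("cheap-wallpapers.test", "example-news.test", "href")] * 6
    # freeze.com itself links out to a constructed content host.
    + [("freeze.com", "example-cdn.test", "download")]
)


def outbound_links(links, site):
    """External links only: links back to the same domain are ignored."""
    return [(dst, kind) for src, dst, kind in links if src == site and dst != site]


def red_link_share(links, site, red=RED_SITES):
    """Return (weighted share of links to red sites, weighted red total)."""
    total = 0.0
    red_weight = 0.0
    for dst, kind in outbound_links(links, site):
        weight = KIND_WEIGHT.get(kind, 1.0)
        total += weight
        if dst in red:
            red_weight += weight
    share = red_weight / total if total else 0.0
    return share, red_weight


def affiliate_confidence(links, site, red=RED_SITES):
    """'high', 'low' or 'none' confidence that the site is a red affiliate."""
    share, red_weight = red_link_share(links, site, red)
    if share >= HIGH_SHARE and red_weight >= HIGH_MIN_WEIGHT:
        return "high"
    if share >= LOW_SHARE:
        return "low"
    return "none"


def rate_linkers(links, red=RED_SITES):
    """Assign a rating to every source site in the graph (one hop only)."""
    ratings = {}
    for site in sorted({src for src, _, _ in links}):
        confidence = affiliate_confidence(links, site, red)
        if site in red:
            ratings[site] = "red"
        elif confidence == "high":
            ratings[site] = "red (affiliated with red sites)"
        elif confidence == "low":
            ratings[site] = "yellow (links to red sites)"
        else:
            ratings[site] = "unrated"
    return ratings


if __name__ == "__main__":
    for site, rating in rate_linkers(LINKS).items():
        share, red_weight = red_link_share(LINKS, site)
        print(f"{site:24s} share={share:.2f} red_weight={red_weight:4.1f} -> {rating}")
```

Two design points carry over from the post. Ignoring a site's links to itself matters because a large site has far more internal than external links, which would otherwise swamp the share; and the minimum-weight condition is what keeps a single download link from producing a "high confidence" verdict. The scoring runs one hop from the red set; re-running it with newly flagged affiliates added to `red` would extend it, at the cost of more false positives.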

We hope this helps explain our approach to affiliate or link analysis. Please keep your feedback coming.

January 04, 2006

Mail Call

Posted by Shane Keats at 01:18 PM

Today I wanted to write a kind of ode to the incredible richness of the world economy. I know because one of my jobs here at SiteAdvisor is to open our mail. And, well, that’s a bigger job than it sounds.

One of our key goals here is to help people reduce unwanted mail, whether it’s e-mail or snail mail. When we first started crawling the Web last spring, we made a decision to be very thorough. So when a Web site’s registration form asks us for a name, address and phone number, we had one of our people oblige. I won’t tell who he or she is (going forward, she’ll be a she). I will tell you that one of the byproducts of signing up for things online is that she, and therefore we, receive lots of snail mail. And I mean lots.

My Baby, She Wrote Me A Letter

Once Ms. Mail joined us, we set her loose on the Web. Among other things, she enabled us to build a great data set in the form of our Web site e-mail profiles (described in an entry last month). She also ended up bringing us a less anticipated bounty.

A few weeks after she started working for us, we got a call from her mailbox owner asking us to come pick up her mail. You think your mailbox is overflowing with junk? Here’s what a corner of our office looks like after collecting a few months of mail sent to us.

mail-pile-blog.jpg

When visitors come to our office and see the pile, they often ask if we track which individual pieces of mail are attributable to which original sign-up forms, like we do for e-mails. We don't do it yet, but this is something we’re considering implementing in the future.

Junking the Mail

This fall, when we moved into bigger offices, we threw out the summer’s opened mail and started again. In fact, the picture above is just our mail since September. Before we toss this bunch (we need the room for more desks) I thought it might be fun to introduce you to the snail mail economy in all its raging diversity. For example, Pumper, a magazine “Dedicated to the Liquid Waste Industry," covers McGovern, a regional waste hauler on an acquisition binge.

Pumper-Rev1_blog.jpg

People for the Ethical Treatment of Animals vies for the CosmoGirl audience by splashing a teen heartthrob on the cover.

peta_blog.jpg

I receive a last minute Christmas catalog with a certain ennui.

flirt.-blogjpg.jpg

In fact, after going through this month’s mail call, I’m feeling pretty tired. Old even. That’s why I’m looking forward to reading geezerjock.

geezer-blog.jpg

After all, I’ve got a lot more mail to open next month. See you then for SiteAdvisor Mail Call.

-- Shane Keats