March 03, 2006

Strange Bedfellows - IP Bunkmating

Posted by Jonathan Cohen at 05:15 PM

(Thanks go to our tech team for spearheading this inquiry.)

Look around the SiteAdvisor team, and there’s always someone with a furrowed brow. We’re constantly discovering new scams and surreptitious online behavior. Today we'll explore a hosting practice we call “IP bunkmating.” (Others call it “host multiplexing” or “IP sharing.”)

Web sites are all stored on servers, and each server has an IP address. When more than one site is located at the same IP address, it could mean one of two things:
1) The hosting company decided not to allocate a unique address to each of their clients. (This isn’t a bad idea for many sites, and it’s required by some IP registries’ rules.)
2) One organization is running multiple sites on the same server. This is easier for them – fewer physical servers mean less to set up and less to maintain.

In the first case, there’s generally no relationship between the sites that happen to share a server. If you care to learn more about Web sites sharing IP addresses, you can read spyware researcher Ben Edelman’s related article. But in the second case, there’s an increased likelihood that sites will be similar. After all, a company with one “red" site might well have other bad business practices too, possibly extending into unrelated ventures. Below are some examples of sites we found based on their similarities with sites we already rated as red.

The IBIS Umbrella

IBIS is a known provider of what many people would consider adware, spyware or other unwanted programs. According to spywareguide.com, the IBIS Toolbar logs URLs of webpages, shows ads, changes browser home pages, and overwrites affiliate tracking. Many, but not all, of the sites hosted on the IP address 146.82.109.220 are registered to or have business partnerships with IBIS. Some of these sites are (links go to the respective SiteAdvisor site details pages):

IBIS Bunkmates

404-errorpage.com
bestjobsguide.com
bestphonesguide.com
bigromantic.com
financeadvisor.com
fitnessandhealth.com
guideforyou.com
internetandcomputers.com
mp3radio.com
seekerbar.com
spywarelinkcentral.com
travelandyou.com
ways2business.com
websearch.com
websecurityguard.com

Though the labels of Web destinations like financeadvisor.org, fitnessandhealth.us, and bigromantic.com imply a specific site focus, all these sites act as poorly executed placeholders for an IBIS-operated search engine, websearch.com. This certainly isn't illegal, but it is misleading. You won't see Google redirecting to its search engine from "timetoeatthedonuts.com".

The designers at Websearch.com seem to be big fans of Yahoo!’s layout. Is it possible that websearch.com is mimicking Yahoo!’s familiar front page design in order to trick users into feeling confident about interacting with their site? Archived front-page images for Websearch.com indicate this is a recent design change.

[Image: websearchyahoo2.GIF] Websearch.com and Yahoo! feature similar layouts. Red, blue, green, and purple rectangles are superimposed to highlight similar regions.

Seekerbar.com, another IBIS site, features an identical front page to Websearch.com. We've examined this phenomenon before: it's cheap to register new domain names, and even new IP addresses. Redesigning complete Web sites is much more expensive. So profit-minded toolbar and adware distributors tend to re-use design, text, and programming code to save time and money.

Websearch.com may look like Yahoo! on the surface, but don't try to compare the reputations of the two sites in terms of safety. According to Websearch.com, they have "seized distribution" (from their Toolbar page; we think they meant ceased) of the IBIS-developed Websearch toolbar, which received an 8 out of 10 nuisance score from SpywareGuide.com because it "Logs activity, uses stealth installation and removal is difficult." In addition to the ruthless Websearch toolbar, two other IBIS products (Huntbar and IBIS Toolbar) were awarded 6 out of 10 nuisance scores by SpywareGuide.com for showing ads, stealth tactics, and logging Web page URLs.

Currently, websearch.com and seekerbar.com are redirecting all toolbar queries and top-navigation bar links to a toolbar from Crawler, which is also developed by IBIS. Crawler.com is currently rated red by SiteAdvisor because of its relationship to IBIS, but it will likely earn a yellow rating in the future barring software or EULA policy changes. (Our tests of the Crawler toolbar indicate a yellow rating would apply because the toolbar automatically opts users in to a homepage switch during the install sequence.)

Linda Tripp Has Something In Common With SheMales

There are plenty of instances where Web sites share an IP address even though they actually have no business relationship and nothing in common. For example, FamilyCareGiversOnline.com is bunked with smut and adware hawker Portale93.com. We see no sign of any relationship between these two sites; rather, they’re both just renting server space from Lunarpages.com.

Some of our history teacher readers may have come across the helpful resource HistoryTeacher.net. This site shares an IP address with sexybabesx.com, which is loaded with videos that conceal adware. There’s no apparent connection between these two sites beyond their host and IP address.

Speaking of an obscured motive, recall Linda Tripp, who uncovered the Lewinsky/Clinton affair in 1998. Her Web host paired LindaTripp.com with beautyshemale.com on the same IP address (67.15.35.182) together with another site that is too outrageous for us to reference. We assume this is all an unfortunate coincidence.

Unexpected consequences can result from a Web site sharing its IP address with sketchy neighbors. For example, when major mail providers detect spammers, the spammer’s IP address is frequently added to a “block list" that prevents delivery of future e-mail originating from the same IP address. Sounds great – until you consider multiple servers all sharing an IP. IP-based blocking can cause blocking of legitimate e-mail sent from an unaffiliated entity that merely happens to share that same IP address.

For example, HistoryTeacher.net is an excellent educational resource that shouldn’t be grouped together with pornographic content by spam filters that check for IP addresses. Furthermore, we assume Linda Tripp would like to have her e-mails delivered. (She probably sends thank you e-mails to everyone that sends “legal fund donations" via her site’s online form.) For the highest level of reliability, a Web site will want to ensure it has its own IP address.

The moral of this tale is twofold:
• IP address mapping can help uncover groups of related sites that are trying to mask their affiliation. This is one of SiteAdvisor’s many research tools for hunting down related "red" and "yellow" sites.
• If you’re sharing an IP address, get to know your neighbors. Having a legitimate site located on the same server as a crass or dishonest Web venture can be embarrassing and might restrict your ability to reach the widest possible audience.
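The two cases described at the top of this post (sites sharing a server) and the collateral damage described just above (IP-based block lists that cannot tell neighbours apart) both come down to one check: which hostnames resolve to the same address, and who among them is already flagged. The script below is an added example, not SiteAdvisor's tooling. The resolution table, the hostnames, the TEST-NET addresses and the "flagged" set are all constructed so that it runs offline; the resolve_ipv4 function is the live DNS variant you would substitute for the sample resolver.

```python
"""Group hostnames by the IP address they resolve to and report who shares a server.

Added example (not SiteAdvisor code). The resolver table below is constructed so the
script runs offline; pass resolve_ipv4 as the resolver to query real DNS instead.
"""
import socket
from collections import defaultdict

# Constructed sample resolution table (TEST-NET-1 addresses, .test names):
# three sites on one rented server, three on another, one alone.
SAMPLE_DNS = {
    "history-lessons.test": "192.0.2.10",
    "family-caregivers.test": "192.0.2.10",
    "adult-videos.test": "192.0.2.10",
    "jobs-guide.test": "192.0.2.20",
    "phones-guide.test": "192.0.2.20",
    "search-portal.test": "192.0.2.20",
    "solo-site.test": "192.0.2.30",
}

# Constructed: hostnames some rating source has already flagged as bad.
FLAGGED = {"adult-videos.test", "search-portal.test"}


def resolve_ipv4(hostname):
    """Live lookup: first IPv4 address for hostname (raises socket.gaierror)."""
    return socket.gethostbyname(hostname)


def sample_resolver(hostname):
    """Offline stand-in for DNS backed by the constructed SAMPLE_DNS table."""
    try:
        return SAMPLE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {hostname}")


def group_by_ip(hostnames, resolver=resolve_ipv4):
    """Map each IP address to the set of hostnames that resolve to it.

    Returns (groups, unresolved). A name may have several A records; this
    deliberately keeps only the first one the resolver returns.
    """
    groups = defaultdict(set)
    unresolved = []
    for name in hostnames:
        try:
            ip = resolver(name)
        except OSError:  # socket.gaierror is a subclass of OSError
            unresolved.append(name)
            continue
        groups[ip].add(name)
    return dict(groups), unresolved


def shared_ip_report(groups, min_hosts=2):
    """Only the IPs with at least min_hosts bunkmates, hostnames sorted."""
    return {ip: sorted(hosts) for ip, hosts in groups.items() if len(hosts) >= min_hosts}


def flagged_neighbors(groups, flagged):
    """For every unflagged host, the flagged hosts it shares an IP with.

    An IP-based mail block list or reputation check cannot tell these
    neighbours apart, so each entry here is a site exposed to collateral blocking.
    """
    exposed = {}
    for hosts in groups.values():
        bad = hosts & flagged
        if not bad:
            continue
        for name in hosts - flagged:
            exposed[name] = bad
    return exposed


if __name__ == "__main__":
    groups, unresolved = group_by_ip(list(SAMPLE_DNS) + ["nowhere.test"], resolver=sample_resolver)
    for ip, hosts in shared_ip_report(groups).items():
        print(ip, "->", ", ".join(hosts))
    for name, bad in flagged_neighbors(groups, FLAGGED).items():
        print(f"{name} shares an IP with flagged {sorted(bad)}")
    print("unresolved:", unresolved)
```

Against real DNS the picture is only as good as the resolver's answer: a name behind a load balancer or CDN returns one of several addresses, so a site that looks alone on one run may have bunkmates on the next. Keeping only the first A record is a simplification this example makes on purpose; a thorough check would collect every address returned over time.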

Make Us Laugh, Get A SiteAdvisor T-Shirt

We’d love to hear your own discoveries about ‘strange bedfellows’ sharing the same IP address. We'll send a SiteAdvisor t-shirt to anyone who submits an entry that makes us laugh out loud.

January 06, 2006

The Role of Affiliates in Spyware, Adware, and Spam

Posted by Shane Keats at 09:26 AM

We’ve gotten a number of questions from our Preview Version users questioning our decision to classify some sites as “red” because those sites link heavily to sites that distribute spyware or adware, or collect information in order to send spam. These are sites that you’ll see where our system says they “link to red sites” (in the future, we are probably going to change the wording to say these sites are “affiliated with red sites.”)

Here at SiteAdvisor, we strongly believe in the importance of this feature. But we admit that so far we’ve done a mediocre job explaining our motivation and our initial implementation.

Here, I’ll try to explain it better.

First, it’s important to note that most spammers and spyware/adware distributors are economically motivated. People make money from this stuff -- lots of money. For example, Claria (formerly Gator) is said to have made as much as $90 million in revenues in 2003 (the last year they publicly reported their numbers) distributing what many consider to be adware, and there are dozens of major spyware/adware companies out there, not to mention all the “below the radar" companies doing it.

Second, it’s important to understand that most of these companies don’t get users to their sites all by themselves. Instead, they get traffic to their sites through what, in the Internet advertising business, are called “affiliates." Affiliates are Web sites that get paid by other Web sites for some “action" like driving users to a site, collecting personal information like e-mail addresses, or getting users to download software with adware/spyware installed.

The point of our link analysis feature is to identify these affiliates and warn users about them before it’s too late.

Case Study: Freeze.com

A good way to illustrate this is to look at a company called Freeze.com. Freeze is one of many Internet businesses today that makes money by distributing free programs like screensavers that come bundled with what many anti-spyware companies consider to be adware. The way Freeze loads this stuff on users’ PCs is primarily by announcing to the world: "We'll pay anyone $1 for every time they get a user to download our programs." Check it out yourself.

This kind of affiliate marketing is extremely prevalent on the Web today. It is done all the time by well-known companies like Netflix and Citibank, but is also the preferred marketing method for companies selling less desirable products like adware.

Here’s how it works in practice. Suppose you are the savvy person who had the foresight to buy the domain name screensaver.com way back in, say, 1995. Now it’s 2005, and your site screensaver.com gets lots of traffic. Some of the users come to your site because they just type “screensaver.com" directly into their browser when they want to download a screensaver. Others come through search engines that rank your site as a top result for terms like “screensaver". So you’ve got lots of visitors, but you’re not quite sure how to make money.

Enter Freeze.com. Freeze says to screensaver.com (and anyone else who cares to listen): "All you have to do is get your visitors to download our screensavers, and we’ll pay you $1 for each download." According to Yahoo!'s Overture service, Internet users searched for the keyword “screensaver" more than one million times on Yahoo! in November 2005. If you also include other search engines like Google and consider similar keywords like “free screensavers," you get many millions of searches for screensavers every month. And when you type these keywords into Google and Yahoo!, screensaver.com is one of the top natural results. While we don’t know what percentage of visitors to screensaver.com actually download their software, we think it’s safe to assume that at $1 per download, they are making a lot of money.

So you can see why affiliate marketing can be so lucrative. One side brings the users. The other side brings the “business model."

For adware vendors and their distributors, this is a win-win bargain. The vendor gets more downloads and therefore makes more money (you can rest assured they earn well more than what they pay affiliates per download). The affiliates get a way to “monetize their traffic." But users are big losers: they end up with adware all over their computers.

By the way, screensaver.com is a real example. As we showed in a previous blog entry, downloads on screensaver.com actually come from freeze.com.

[Image: screensaver_linked_to_freeze.JPG]

Our linker analysis identified with “high confidence" a total of 127 affiliates of freeze.com (and many more sites that link to freeze but where the relationship isn’t strong enough for the system to call them “affiliates" with high confidence).

Our Approach to Red Linkers

We presume that users who download SiteAdvisor software wish to avoid spyware, adware, and spam. The primary purpose of these affiliates’ sites is to give you precisely those things, and they are often very effective at doing just that. This is why we classify these affiliates as “red" in our system.

We should also point out that, in many cases, what we call “links" aren’t what people in honest neighborhoods of the Web (for example, in the “blogosphere") think of as links. On spyware/adware/spam affiliate sites, link destinations are often obscured, and in many cases the browser URL bar doesn’t change to display the target links since the “links" are actually embedded frames or direct links to downloads on other domains.

When considering how to rate sites, we often ask ourselves: "What advice would we give a family member who is a typical, casual Web user?" Would we tell that family member to avoid spyware/adware affiliates like screensaver.com? The answer we always come up with is: emphatically, yes.

Accuracy, Corrections, and Future Plans

Obviously, given that the Web is full of links between sites of all kinds, there is some "art" to deciding which ones are closely linked enough to be considered "affiliates". We're constantly improving our algorithms to try to capture sites that we think are really trying to get you to go to other sites that we've rated as "red". But if you see cases where you think our judgments are incorrect, we encourage you to leave a comment on that site's profile page. We'll review your submission and make appropriate adjustments.

We hope this helps explain our approach to affiliate or link analysis. Please keep your feedback coming.

December 16, 2005

Red By Association

Posted by Shane Keats at 06:37 PM

When we started SiteAdvisor last spring, we thought that our job would be relatively straightforward: sign up for stuff and download stuff and tell you the results. We knew it would be hard to do in practice, but at least it was a relatively predictable problem to tackle. Along the way towards implementation, we realized that the nature of the Web’s sketchy and suspicious practices was more complex, less transparent and more dangerous than any of us first thought.

Michael Kearns is a computer science professor at the University of Pennsylvania. Before he joined UPenn, he spent a decade doing artificial intelligence and machine learning research at AT&T Labs and Bell Labs. He’s one of a handful of true pioneers in these fields.

Now, one of the byproducts of the millions of tests our Web bots conduct is an enormous data set we’ve built, not just of adware bundles or spam factories, but of relationships between Web sites. Michael and his grad student Jenn Wortman helped us approach this data in a novel way. Take a look at Screensaver.com for a second.

[Image: screensaver_home_small.gif]

We initially rated screensaver.com ‘Green’ – safe to use for browsing, signing-up and downloading. Yet after downloading screen savers from here, our PC started popping up contextual ads.

Here’s what’s really happening:

[Image: screensaver dot com freeze highlight_small.jpg]

From my user perspective, I’m on a site called screensaver.com, downloading a piece of software from them. From a technical perspective, however, my PC is actually calling a host computer run by freeze.com. Not only don’t I notice this, but even if I do, it won’t help. As an average user, I don’t know anything about freeze.com.

But our database does. What Michael and Jenn helped us realize is that we could use the data from our Web crawl to help users understand where they really are on the Web. This guidance will in turn help users make better, more informed decisions about whom and what they can trust online.

Defining Links
Enter Matt Gattis, a young developer who joined us from MIT. “What defines a ‘bad’ link?" Matt asked. He developed an algorithm for measuring the degree of association between two sites by looking at their linking relationships. And because machines running Matt’s code can’t be fooled by link obfuscation and other social engineering tricks, SiteAdvisor is able to see patterns and relationships that were effectively invisible to the human eye. What we’ve done with link analysis is make the Web more transparent. In fact, we think we’ve created something kind of cool.

The Weakest Links
Here’s how SiteAdvisor’s link analysis works in practice. Take a look at our link diagram for Screensaver.com:

[Image: ScreenSaver.com-links.gif]

Among many other things, our link analysis shows some basic relationships between sites. For example, the short arrow to freeze.com documents that the biggest ‘target’ for screensaver’s out-bound links is freeze. (In fact, freeze bought screensaver.com in 2003 from risoftsystems, another red flagged friend. According to a freeze.com press release the sale included a five year “sponsorship contract highlighting RISS products.”)
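The Freeze.com case study in the January 6 post (a site whose "links" are really frames and direct downloads from another domain) and the link diagram above (the biggest target of a site's outbound links) both rest on the same idea: normalise every outbound reference to the site it actually lands on, weight the ones that hand the visitor over invisibly, and see how much of that weight goes to sites already rated red. The block below is an added example of such a scorer, written for this page; it is not the algorithm Matt Gattis built for SiteAdvisor, which the posts do not publish. The crawl data, the red list, the per-kind weights and the thresholds are all constructed assumptions.

```python
"""Score how strongly a site's outbound references point at sites already rated red.

Added example (not SiteAdvisor's algorithm, which the posts do not publish). The
crawl data, red list, weights and thresholds are all constructed here.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed crawl: for each site, the cross-site references found on its pages.
# "href" is an ordinary hyperlink; "frame" an embedded frame; "download" a file
# fetched from another host, the two kinds the post says hide the real destination.
SAMPLE_CRAWL = {
    "screensaver-mirror.test": [
        ("https://www.freeware-bundler.test/install.exe", "download"),
        ("https://freeware-bundler.test/offer", "frame"),
        ("https://freeware-bundler.test/terms", "href"),
        ("https://blog.example.test/post", "href"),
    ],
    "hobby-blog.test": [
        ("https://blog.example.test/post", "href"),
        ("https://news.example.test/", "href"),
        ("https://freeware-bundler.test/terms", "href"),
    ],
    "freeware-bundler.test": [
        ("https://freeware-bundler.test/about", "href"),
    ],
}

# Constructed: sites already rated red by some prior test.
RED_SITES = {"freeware-bundler.test"}

# Assumed weights: a frame or direct download hands the visitor to the other
# site without a visible navigation, so it counts more than a plain hyperlink.
KIND_WEIGHT = {"href": 1.0, "frame": 3.0, "download": 3.0}


def site_of(url):
    """Hostname of a URL with a leading 'www.' stripped (no public-suffix handling)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def outbound_weights(site, refs):
    """Weighted count of references from site to each other site (self-links ignored)."""
    weights = Counter()
    for url, kind in refs:
        target = site_of(url)
        if target and target != site:
            weights[target] += KIND_WEIGHT.get(kind, 1.0)
    return weights


def biggest_target(site, refs):
    """The site that receives most of site's outbound weight, or None."""
    weights = outbound_weights(site, refs)
    return max(weights, key=weights.get) if weights else None


def red_link_share(site, refs, red):
    """(weight pointing at red sites, total outbound weight)."""
    weights = outbound_weights(site, refs)
    total = sum(weights.values())
    red_weight = sum(w for target, w in weights.items() if target in red)
    return red_weight, total


def classify(crawl, red, threshold=0.5, min_red_weight=2.0):
    """'red' for listed sites, 'links-to-red' when most outbound weight goes to
    red sites and there is enough of it to matter, otherwise 'ok'."""
    verdicts = {}
    for site, refs in crawl.items():
        if site in red:
            verdicts[site] = "red"
            continue
        red_weight, total = red_link_share(site, refs, red)
        share = red_weight / total if total else 0.0
        verdicts[site] = "links-to-red" if share >= threshold and red_weight >= min_red_weight else "ok"
    return verdicts


if __name__ == "__main__":
    for site, verdict in classify(SAMPLE_CRAWL, RED_SITES).items():
        print(f"{site:25} {verdict:13} biggest target: {biggest_target(site, SAMPLE_CRAWL[site])}")
```

The min_red_weight floor is what keeps a hobby blog that happens to mention a red site once from being tarred with it: a single ordinary hyperlink never crosses the floor, while one framed offer or one download pulled from a red host does. Where the page's threshold and weights sit in practice is exactly the "art" the January 6 post admits to.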

Improving the Odds
In an ideal world, users get full disclosure. Web sites not only tell the user what’s being installed, they disclose where the install is coming from in a way that’s meaningful to the non-technical user. I for one am not holding my breath. As a practical matter, without our link data, users are effectively browsing while blind. Clicking through to an unknown site is like betting it all on black. Heaven forbid if the marble lands on red. I’m not here to argue against aimless browsing; I love the serendipitous Web discovery. The problem with surfing blindly is that within three or four clicks, you can find yourself in places where all safety bets are off.

With SiteAdvisor, I know if the site I’m on engages in link practices that can land me in hot water. Browsing with our link analysis data is like going to a party where the only person you know happens to be the most social person in the room. He can tell you who’s friends with whom, who’s hooking up and who has trouble holding their liquor. Good person to know.