mail from Google says "phishing notification", but Safe Browsing says "never visited"


Bennett Haselton

Aug 11, 2010, 10:30:55 PM
to Google Safe Browsing API
I run a number of web proxy sites that can be used to circumvent
Internet censorship by loading content from third party sites.
Because the sites can load third-party content, they are occasionally
mistakenly flagged as "phishing" sites (although all pages loaded
through the proxy, have the proxy interface form on top, so the user
knows they're not going to the "real" site).

I got the email below on August 6th saying that Google had flagged
bravemice.com as a "phishing" site. However if you go to
http://www.google.com/safebrowsing/diagnostic?site=bravemice.com
it says that the site is not listed as suspicious and "Google has not
visited this site within the past 90 days." This seems not to make
sense -- even if the error had already been corrected since the email
was sent, and the site was no longer listed as "suspicious", it
couldn't possibly be true that Google hasn't visited the site in the
last 90 days.

Note that I am not asking about how to get the error fixed (I've
already submitted a review request), I'm mainly asking why the email
from Google and the lookup form on the Safe Browsing page appear to
give contradictory results.

Bennett

********

Dear site owner or webmaster of bravemice.com,

We recently discovered that some pages on your site look like a
possible phishing attack, in which users are encouraged to give up
sensitive information such as login credentials or banking
information. We have removed the suspicious URLs from Google.com
search results and have begun showing a warning page to users who
visit these URLs in certain browsers that receive anti-phishing data
from Google.

Below are one or more example URLs on your site which may be part of a
phishing attack:

http://www.bravemice .com/nppxjoj.php?MobypubUQyAJvZv6jLPtQ=OjczSOp730JYuwxvNfFS3KOpYC6v4fb/RN0Mg3FV7ZbaYZB7piJmTNfpnba2jwydpCXB8eKQYQe/VCUGURdXPmX4QeoRwU6Y10z0UFlsNiQT4D8aN09siHwcWJX6bnBXhZDGHdj1hq9Z/4Q4HMBOV4TMpD45puQNoCglFFQut/s=

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.bravemice.com/nppxjoj.php%3FMobypubUQyAJvZv6jLPtQ%3DOjczSOp730JYuwxvNfFS3KOpYC6v4fb/RN0Mg3FV7ZbaYZB7piJmTNfpnba2jwydpCXB8eKQYQe/VCUGURdXPmX4QeoRwU6Y10z0UFlsNiQT4D8aN09siHwcWJX6bnBXhZDGHdj1hq9Z/4Q4HMBOV4TMpD45puQNoCglFFQut/s%3D

We strongly encourage you to investigate this immediately to protect
users who are being directed to a suspected phishing attack being
hosted on your web site. Although some sites intentionally host such
attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content

If your site was compromised, it's important to not only remove the
content involved in the phishing attack, but to also identify and fix
the vulnerability that enabled such content to be placed on your site.
We suggest contacting your hosting provider if you are unsure of how
to proceed.

Once you've secured your site, and removed the content involved in the
suspected phishing attack, or if you believe we have made an error and
this is not actually a phishing attack, you can request that the
warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an "incorrect forgery alert." We will review this
request and take the appropriate actions.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google's Webmaster Tools, you can
verify the authenticity of this message by logging into
https://www.google.com/webmasters/tools/siteoverview and going to the
Message Center, where a warning will appear shortly.

Oliver Fisher

Aug 16, 2010, 1:42:06 PM
to Google Safe Browsing API
The Safebrowsing Diagnostic page only shows information about
malware. Phishing information is not displayed there.

Hope that helps,
O.

On Aug 11, 10:30 pm, Bennett Haselton <benn...@peacefire.org> wrote:
> I run a number of web proxy sites that can be used to circumvent
> Internet censorship by loading content from third party sites.
> Because the sites can load third-party content, they are occasionally
> mistakenly flagged as "phishing" sites (although all pages loaded
> through the proxy, have the proxy interface form on top, so the user
> knows they're not going to the "real" site).
>
> I got the email below on August 6th saying that Google had flagged
> bravemice.com as a "phishing" site.  However if you go to http://www.google.com/safebrowsing/diagnostic?site=bravemice.com
> Here is a link to a sample warning page: http://www.google.com/interstitial?url=http%3A//www.bravemice.com/npp...
>
> We strongly encourage you to investigate this immediately to protect
> users who are being directed to a suspected phishing attack being
> hosted on your web site. Although some sites intentionally host such
> attacks, in many cases the webmaster is unaware because:
>
> 1) the site was compromised
> 2) the site doesn't monitor for malicious user-contributed content
>
> If your site was compromised, it's important to not only remove the
> content involved in the phishing attack, but to also identify and fix
> the vulnerability that enabled such content to be placed on your site.
> We suggest contacting your hosting provider if you are unsure of how
> to proceed.
>
> Once you've secured your site, and removed the content involved in the
> suspected phishing attack, or if you believe we have made an error and
> this is not actually a phishing attack, you can request that the
> warning be removed by visiting http://www.google.com/safebrowsing/report_error/?tpl=emailer
> and reporting an "incorrect forgery alert." We will review this
> request and take the appropriate actions.
>
> Sincerely,
> Google Search Quality Team
>
> Note: if you have an account in Google's Webmaster Tools, you can
> verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the

Bennett Haselton

Aug 16, 2010, 5:28:17 PM
to google-safe-...@googlegroups.com
Thanks, I realized that later. (I think that's rather confusing,
since Google's "Safe Browsing" is an umbrella term that encompasses
both phishing and malware, but the "Safe Browsing Diagnostics" page
only tells you about malware.)

In that case, is there an online lookup form where I can enter a URL
to see how it's classified in the phishing database? I can't find one.

I know you can do it by getting an API key and doing a programmatic
lookup, but it would be easier if there were a form...

-Bennett


Beaver6813

Aug 18, 2010, 12:31:02 PM
to Google Safe Browsing API
Hi Bennett,

I have an online toolkit using the Google Safe Browsing API. I've just
created a new page to check how URLs are classified according to the
Malware and Phishing lists. It tells you the results of both
separately. Hope it helps! The page is:
http://gsbtool.beaver6813.com/ulookup.php

Bennett Haselton

Aug 18, 2010, 5:46:42 PM
to google-safe-...@googlegroups.com
Hey, thanks, that's very handy -- I was about to have to try and
write a form myself to do something like that.

Is there a test URL that's permanently on the "phishing" list, that I
can use to test this form?

I know this is a test URL that's permanently on the malware list:
http://malware.testing.google.test/testing/malware/
and the form does indeed report that as being blocked as malware.

But I can't find a working test "phish" URL. This page:
http://www.mozilla.com/firefox/its-a-trap.html
is blocked by Firefox as a "web forgery" so I thought that meant it
was on Google's anti-phishing list. But your lookup form says "no
match" for phishing. Are you sure it's working correctly for
phishing URLs?

-Bennett

Garrett Casto

Aug 18, 2010, 6:10:10 PM
to google-safe-...@googlegroups.com
On Wed, Aug 18, 2010 at 2:46 PM, Bennett Haselton <ben...@peacefire.org> wrote:
> Hey, thanks, that's very handy -- I was about to have to try and write a form myself to do something like that.
>
> Is there a test URL that's permanently on the "phishing" list, that I can use to test this form?
>
> I know this is a test URL that's permanently on the malware list:
> http://malware.testing.google.test/testing/malware/
> and the form does indeed report that as being blocked as malware.
>
> But I can't find a working test "phish" URL.  This page:
> http://www.mozilla.com/firefox/its-a-trap.html
> is blocked by Firefox as a "web forgery" so I thought that meant it was on Google's anti-phishing list.  But your lookup form says "no match" for phishing.  Are you sure it's working correctly for phishing URLs?


This site is hard coded into Firefox.  It's mostly meant to show you the warning UI. There isn't a url built into the phishing list like there is for the malware list.

Garrett

Bennett Haselton

Aug 18, 2010, 6:54:47 PM
to google-safe-...@googlegroups.com
At 03:10 PM 8/18/2010, Garrett Casto wrote:


>On Wed, Aug 18, 2010 at 2:46 PM, Bennett Haselton
><ben...@peacefire.org> wrote:
>Hey, thanks, that's very handy -- I was about to have to try and
>write a form myself to do something like that.
>
>Is there a test URL that's permanently on the "phishing" list, that
>I can use to test this form?
>
>I know this is a test URL that's permanently on the malware list:
>http://malware.testing.google.test/testing/malware/


>and the form does indeed report that as being blocked as malware.
>
>But I can't find a working test "phish" URL. This page:
>http://www.mozilla.com/firefox/its-a-trap.html


>is blocked by Firefox as a "web forgery" so I thought that meant it
>was on Google's anti-phishing list. But your lookup form says "no
>match" for phishing. Are you sure it's working correctly for
>phishing URLs?
>
>
>This site is hard coded into Firefox. It's mostly meant to show you
>the warning UI. There isn't a url built into the phishing list like
>there is for the malware list.

Well then here's something weird -- go to the same page in Internet
Explorer 8 (make sure you have SmartScreen enabled under Internet
Options -> Advanced -> Security -> Enable Smartscreen Filter) and you
get the IE8 warning page with the red background:

"This website has been reported as unsafe
www.mozilla.com
We recommend that you do not continue to this website."
etc.

Where is IE getting the URL from, if it's hard-coded into Firefox?

Meanwhile, is there a known phishing site in the Google anti-phishing
database, that I can use to test Beaver6813's lookup form?

-Bennett

Garrett Casto

Aug 18, 2010, 7:07:41 PM
to google-safe-...@googlegroups.com
I'm not sure, but IE doesn't use Safebrowsing for its phishing protection so they must be getting this from a different source.

> Meanwhile, is there a known phishing site in the Google anti-phishing database, that I can use to test Beaver6813's lookup form?

Unfortunately no.  We've meant to put one into our phishing list like the malware list, but there isn't one at the moment.

Bennett Haselton

Aug 18, 2010, 8:57:45 PM
to google-safe-...@googlegroups.com
At 04:07 PM 8/18/2010, Garrett Casto wrote:
>Meanwhile, is there a known phishing site in the Google
>anti-phishing database, that I can use to test Beaver6813's lookup form?
>
>
>Unfortunately no. We've meant to put one into our phishing list
>like the malware list, but there isn't one at the moment.

I meant, not a test page set up as a permanent entry in the list, but
any known "real" phishing site that's currently blacklisted, that I
can use as a test.

-Bennett

Garrett Casto

Aug 19, 2010, 6:10:05 PM
to google-safe-...@googlegroups.com
Sure,

These were blacklisted just a few minutes ago, so you might have to wait a bit before your tool picks them up.

Garrett

Bennett Haselton

Aug 20, 2010, 3:22:29 AM
to google-safe-...@googlegroups.com
At 03:10 PM 8/19/2010, Garrett Casto wrote:
>Sure,
>
>http://banking0001.t35.com/buddybb/buddybb/index.html
>http://elspecmont.ru/photo/usrefundportal/allaccounts/usbank/login.html
>http://elspecmont.ru/photo/usrefundportal/allaccounts/zions/index.html

>
>These were blacklisted just a few minutes ago, so you might have to
>wait a bit before your tool picks them up.

Thanks. Currently, using Sam's form at
http://gsbtool.beaver6813.com/ulookup.php
the first URL:
http://banking0001.t35.com/buddybb/buddybb/index.html
gives "no match" on the phishing database, but the second two urls:
http://elspecmont.ru/photo/usrefundportal/allaccounts/usbank/login.html
http://elspecmont.ru/photo/usrefundportal/allaccounts/zions/index.html
both give a "match" on the phishing database. So, finally, I got a
positive result, which was what I was looking for :)

However, the higher-level directories on http://elspecmont.ru/ aren't
blacklisted, so requests for those directories would be approved by
the Google API.

If you find phishing content at one location on a server, wouldn't it
be fair to assume that the entire server is either (a) compromised,
or (b) untrustworthy, and blacklist the whole server?

-Bennett

Beaver6813

Aug 20, 2010, 5:09:50 AM
to Google Safe Browsing API
I wouldn't agree that it should class the entire domain as
blacklisted. For example a blog hosted by a free web host could be
hosting malware but that doesn't mean that every site hosted by that
free web host is bad.
> Thanks.  Currently, using Sam's form at http://gsbtool.beaver6813.com/ulookup.php
> gives "no match" on the phishing database, but the second two urls:
> http://elspecmont.ru/photo/usrefundportal/allaccounts/usbank/login.html
> http://elspecmont.ru/photo/usrefundportal/allaccounts/zions/index.html
> both give a "match" on the phishing database.  So, finally, I got a
> positive result, which was what I was looking for :)
>
> However, the higher-level directories on http://elspecmont.ru/ aren't

Garrett Casto

Aug 20, 2010, 2:25:06 PM
to google-safe-...@googlegroups.com
On Fri, Aug 20, 2010 at 2:09 AM, Beaver6813 <s...@beaver6813.com> wrote:
> I wouldn't agree that it should class the entire domain as
> blacklisted. For example a blog hosted by a free web host could be
> hosting malware but that doesn't mean that every site hosted by that
> free web host is bad.


This is basically correct.  We try to walk the line between expanding patterns to prevent bad actors from bringing up new pages on the same site and not blacklisting all hosting sites because some small fraction of their pages are bad.  In this case, two sites is not enough evidence for us to try and expand our patterns.

Garrett
 
> Thanks.  Currently, using Sam's form at http://gsbtool.beaver6813.com/ulookup.php
> gives "no match" on the phishing database, but the second two urls:
> http://elspecmont.ru/photo/usrefundportal/allaccounts/usbank/login.html
> http://elspecmont.ru/photo/usrefundportal/allaccounts/zions/index.html
> both give a "match" on the phishing database.  So, finally, I got a
> positive result, which was what I was looking for :)
>
> However, the higher-level directories on http://elspecmont.ru/ aren't
> blacklisted, so requests for those directories would be approved by
> the Google API.
>
> If you find phishing content at one location on a server, wouldn't it
> be fair to assume that the entire server is either (a) compromised,
> or (b) untrustworthy, and blacklist the whole server?
>
>          -Bennett
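Bennett's observation (the two listed login pages match, but http://elspecmont.ru/ and its higher-level directories do not) and Garrett's remark about "expanding patterns" both come down to how a Safe Browsing client turns one URL into a set of host-suffix/path-prefix expressions before hashing them. The Python below is an added example written for this thread; it is not Google's code, the API client library, or Beaver6813's tool. It follows the documented expression scheme, keeps the phishing and malware lists separate as Oliver's reply describes, assumes a simplified canonicalization (no percent-decoding, no `/../` collapsing, no IP normalization), and constructs its list contents from URLs quoted in the thread.

```python
"""Safe Browsing-style URL matching: which list entries 'cover' a URL.

Added example for this thread, not Google's own code or client library.
Assumption: canonicalization is simplified and list contents are
constructed from URLs quoted in the thread.
"""
import hashlib
from urllib.parse import urlsplit


def canonicalize(url):
    """Return (host, path_with_query); the fragment is dropped. Assumption:
    the input is already lowercase ASCII with a normalized path."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # lowercase, port removed
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def host_suffixes(host):
    """Exact host, then suffixes built from the last five labels down to the
    two-label registered domain; IP literals only match exactly."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):
        return [host]
    tail = labels[-5:]
    candidates = [host] + [".".join(tail[i:]) for i in range(len(tail) - 1)]
    return list(dict.fromkeys(candidates))   # dedupe, keep order


def path_prefixes(path):
    """Exact path with and without query, then '/' and up to three further
    leading directories (at most six expressions per host)."""
    candidates = [path]
    base = path.split("?", 1)[0]
    if base != path:
        candidates.append(base)
    dirs = base.split("/")[1:-1]             # directory names, filename dropped
    for depth in range(min(len(dirs), 3) + 1):
        candidates.append("/" + "".join(d + "/" for d in dirs[:depth]))
    return list(dict.fromkeys(candidates))


def lookup_expressions(url):
    """Every host/path combination a client hashes and looks up for one URL."""
    host, path = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path)]


def full_hash(expr):
    return hashlib.sha256(expr.encode("utf-8")).digest()


class BlockLists:
    """Two independent lists keyed by SHA-256 of an expression. Real clients
    first compare 4-byte hash prefixes against a local copy and only then
    confirm full hashes with the server; this example compares full hashes
    directly."""

    def __init__(self, phishing, malware):
        self.lists = {"phishing": {full_hash(e) for e in phishing},
                      "malware": {full_hash(e) for e in malware}}

    def classify(self, url):
        """Return, per list, the expressions of `url` that are listed."""
        hits = {name: [] for name in self.lists}
        for expr in lookup_expressions(url):
            digest = full_hash(expr)
            for name, hashes in self.lists.items():
                if digest in hashes:
                    hits[name].append(expr)
        return hits


# Constructed list contents, built from URLs quoted in this thread.
LISTS = BlockLists(
    phishing=["elspecmont.ru/photo/usrefundportal/allaccounts/usbank/login.html",
              "elspecmont.ru/photo/usrefundportal/allaccounts/zions/index.html"],
    malware=["malware.testing.google.test/testing/malware/"],
)

# Constructed alternative: a host-wide ("expanded") pattern for the same site.
EXPANDED = BlockLists(phishing=["elspecmont.ru/"], malware=[])

if __name__ == "__main__":
    for url in ["http://elspecmont.ru/photo/usrefundportal/allaccounts/usbank/login.html",
                "http://elspecmont.ru/",
                "http://malware.testing.google.test/testing/malware/page.html"]:
        print(url, "->", LISTS.classify(url))
    print("expanded:", EXPANDED.classify("http://elspecmont.ru/any/new/page.html"))
```

With the page-level entries, only the two exact expressions hit; `http://elspecmont.ru/` and `http://elspecmont.ru/photo/` produce no match because none of their expressions equals a listed one. With the single host-wide entry `elspecmont.ru/`, every URL on that host matches through its `/` path prefix, which is the trade-off Garrett describes: one expanded pattern blocks new pages an attacker brings up, and also every legitimate page on a shared host such as t35.com.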

Bennett Haselton

Aug 20, 2010, 4:13:24 PM
to google-safe-...@googlegroups.com
At 11:25 AM 8/20/2010, Garrett Casto wrote:
>On Fri, Aug 20, 2010 at 2:09 AM, Beaver6813
><s...@beaver6813.com> wrote:
>I wouldn't agree that it should class the entire domain as
>blacklisted. For example a blog hosted by a free web host could be
>hosting malware but that doesn't mean that every site hosted by that
>free web host is bad.
>
>
>This is basically correct. We try to walk the line between
>expanding patterns to prevent bad actors from bringing up new pages
>on the same site and not blacklisting all hosting sites because some
>small fraction of their pages are bad. In this case, two sites is
>not enough evidence for us to try and expand our patterns.

I would argue that it depends on the purpose for which the
blacklisting is being used.

If the blacklist is being used as a filter to remove URLs from Google
search results, then I agree that removing an entire domain is too
draconian, because the user won't know that their pages have
disappeared, and users who are searching on Google won't realize that
their pages are missing.

On the other hand, when the blacklist is being used as a filter to
stop a web browser from accessing a certain website, it might be
beneficial to blacklist the entire domain. Because in that case, the
more pages on the site are blocked, the faster the users will realize
that something is wrong, and will notify the site webmaster about the
problem. (Whereas if only one page on the site is blacklisted, then
the webmaster won't hear about it from their users, until one of the
users happens to visit that page and then tells the webmaster about
the browser warning.) Ironically, in this case, a wider blacklisting
could actually be more helpful to the webmaster.

-Bennett
