Why am I getting warnings from your newsletter and site links?

by

A recent newsletter surfaced warnings from a couple of security services. As a result, we'll look at what false positives are, and what to do.
Question:

When I click some of the “continue reading” links in today’s
newsletter McAfee SiteAdvisor warns me that:

mm.chitika.net/minimall?w=300 may cause a breach of browser
security. Why were you redirected to this page? When we tested, this
site attempted to make unauthorized changes to our test PC by
exploiting a browser security vulnerability. This is a serious security
threat which could lead to an infection of your PC.

What is going on with this?

AVAST POTENTIAL VIRUS ALERT was received when your newsletter was
coming into my mailbox. Here is what the alert said:

“Sender: “Leo Notenboom – Ask Leo!” <leo@ask-leo.com>
Recipient: *****
Subject: Leo’s Answers #179 – May 19, 2009

***
Target of remote iframe:
(You can permit them using “Permitted URLs” button)
rcm.amazon.com

WHAT DOES THIS MEAN? Has someone put a virus in your stuff and you
don’t know it?

I got those two questions in response to a recent newsletter.

First, there is no malicious code involved at all. Period. I want to
be very clear on that. My site’s not been hacked and my newsletter’s as
safe as always. In fact, there’s actually nothing wrong.

But in making two changes this week, we expose one of the
frustrating side effects of some security software: the dreaded “false
positive”.

Let me explain what I did, why some security software might be
alerting on it, why this can happen to any site or provider,
and finally … what you should do about it.

]]>
<![CDATA[

Let’s start with the first one:

mm.chitika.net/minimall?w=300 may cause a breach of browser security.

This week I began running a trial of a new advertising provider, Chitika. Chitika has been around for a long time, and I trust them completely. In researching this issue I heard from their Vice President who also assured me that there was simply no way that their ads would have or involve malware of any form.

“My site’s not been hacked and my newsletter’s as safe as always.”

And, as I said, I believe them.

They were the victims of what’s known as a “false positive” – a trustworthy site or service being erroneously flagged as suspicious by security software.

Why?

There are two typical reasons:

  • Errors in the database. It’s often unclear how services like SiteAdvisor make their determination, but it’s not unexpected that they might make mistakes. Typically, these errors get cleaned up fairly rapidly, but while they’re out there they’re … well, they’re out there – falsely flagging safe sites as suspicious.

  • Out of date databases. Much like anti-malware software, some of these services cache their databases on your machine. That means that even if the “master” database controlled by the service is up to date, the local copy on your machine may not be. How you ensure that it is (or even if one is used) depends entirely on the specific service you’re using.

Now, about that second one:

Target of remote iframe: … rcm.amazon.com

In this week’s newsletter I added a new feature, “What I’m Reading”, which includes a small box off to the right with an image of the book, and a link to Amazon. The problem is that the technique used to generate that box (in HTML terms, an “iframe”) is apparently considered a possible attack vector by avast!.

In my case, it’s not. Period.

But I suppose it’s a valid thing to warn about, though screaming “POTENTIAL VIRUS ALERT” seems a tad excessive. So while I might quibble with avast!’s approach, the logic they’re using is at least plausible.

What I’ve done.

  1. I’ve temporarily removed Chitika from my site. I trust them, they’re a good advertising service, but my reputation is more important. It’s more important that you trust me, and sadly that means that even false positives can lead me to this action. It’s not fair to Chitika, but it’s the only real recourse I have at this point.

  2. I’ll not be using an “iframe” in my next newsletter to show you what I’m reading. I can use other techniques that shouldn’t cause avast! any further fits.

What you should do.

I’m not a big fan of McAfee’s SiteAdvisor, for the very reasons you might expect. This isn’t the first time I’ve experienced false positives from people using the tool, and I do periodically hear from others experiencing similar.

There are other technologies out there, such as Web of Trust that perform similar services, though I do not have any data that says how good they are or aren’t. (Though lack of hearing about false positives is a good start.)

I tend to run without either, and typically suggest relying on common sense and healthy skepticism instead. However, I realize that common sense isn’t always common, and healthy skepticism is rare.

So.

Much as it pains me the conclusion I’m forced to come to is simply this: pay attention to the tools anyway, even if they steer you away from safe sites. Yes, even if that means mine.

I’d rather have you be safe than sorry.

And if you run across a site that you’re shocked would be considered malicious (like, say, this one), then let the site owner know. (As many of you did, for which I thank you.)

The site owner can often take action, as I have, to mitigate the impact of false positives, and if needed contact the offending parties to hopefully resolve the issue.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

11 comments on “Why am I getting warnings from your newsletter and site links?”

  2. My windows live hotmail flags your e-mails as questionable.

    Specifically how do I permanently fix this.

    I have already clicked on the warning that your site is safe – still get warning.

    In Hotmail: Options, More Options, Safe and blocked senders, Safe senders – add leo-at-ask-leo.com (replace -at- with @) to that list.

    – Leo
    28-May-2009
    Reply

  3. I received the same warning about Chitika causing browser problems. I had previously used the site with no problems. I just waited about 2 or 3 days and clicked on the site again with no warnings or problems of any kind.

    Reply

  4. This is somewhat off topic, but I need to add that I don’t trust McAfee… no how, no way. A botched installation of a McAfee upgrade resulted in my spending over $300 to have my PC repaired. I went round and round with McAfee about it and they finally just stopped responding.

    My point here is that anything (capital ANY THING) that gets so deeply intertwined with your system software that it needs special software and procedures to fully remove it should itself not be trusted because if it (i.e. McAfee) makes a mistake, it’s YOUR headache.

    Reply

  5. I use and have sworn by AVG Anti-virus for years. Having a PC repair business, I’d say 30% to 50% of the problems I see are virus-related. With that said, I’ve heard many, many people complain about false-positives when using AVG. By default, AVG employs ‘Hueristic scanning’, which doesn’t only scan for particular ‘known’ threats, but also Hueristic threats, or any code that acts similar to known malicious code like .exe, .dll’s etc. You can turn off this feature by unchecking the ‘use hueristics’ box under e-mail scanning in the advanced settings under ‘tools’. I imagine many other anti-virus programs have a similar feature.

    Reply

  6. Ya, I run the McAfee site advisor too and it seems to be very picky. I had a few false positives on sites like howtogeek.com/forum which I visit daily and where I have nearly 9000 postings. Even on a site of a big German computer mag. So as you said, take it with a grain of salt and use common sense.

    Reply

  7. I used to have Nortons but it got to the point everything was considered a threat. I switched to Trend and it is somewhat better except they keep disabling 2 of my games I bought from a very reputable site EA. Seems like all of them are flawed.

    Reply

  8. Since iFrames are a threat only to IE users just switch to a different browser. I use Opera and Avast and i never had a warning relating to Leo, of any kind.
    Chitica was flagged because they used to employ tracking cookies – don’t konw if they still do it, i’ve blocked them in my url filter – but his is practically harmless.

    Reply

  9. I am using Mozilla Thunderbird, and for every newsletter email I have got a warning that it could be a possible fraud – up to this last newsletter where I got no warnings! Even If I trusted Leo the changes in the newsletter removed this irritating warning for me 🙂

    Reply

  10. Interesting Reading with reference to Leo’s site being flagged- False/Positive. If a service is employed and that service uses Tracking Cookies
    then I would regard that as a serious breach to my privacy. Leo I must congratulate you for taking immediate and positive DECISION to withdraw
    the use of IFrame.Incidentally,I use Avast on one of my PC and I have had no problems. Good to be security aware, but end user must also try and learn a little bit beyond the warnings.
    Keep-up The Good Work, Leo.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at https://askleo.com/creative-commons-license/.