[olug] Google Safebrowsing Interpretation? Can't malware status be more black-n-white?

Rob Townley rob.townley at gmail.com
Sun Jul 3 00:26:35 UTC 2011

i needed to review our list of blocked domain names.   One of the
domains that i have blacklisted in the past is openx.net.
It claims to be an open source advertising platform.
It is also the name of an autonomous network.

Sometimes, i have problems interpreting what Google safebrowsing says
about a site because the information often seems to be contradictory.
More likely it is nuanced and really means "Yes, there was malicious
software on this site, but since it requires user consent, it is not a
suspicious website even though we found suspicious content today and
was known to have infected other domains in the last 90 days."

i have found many similar safebrowsing analyses and i am sure that
some of these sites had nothing to do with advertising.  So in the
past, i thought maybe it is a bug in their system because i know
Google went to tremendous lengths to analyze websites.   Google
recognized that Anti-virus software would just not keep up.   Google
developed and runs an automated virtual machine infrastructure that
would analyze precisely what files changed by visiting each website.

Since openx.net is _supposedly_ an advertising platform which _may_
feed Google coffers, is that why Google is reluctant to say it is not
suspicious?   i doubt that Google would jeopardize its long term
income in this way.
Or is Google's safebrowsing initiative still in its infancy and this
is simply a bug?
Am i being too simplistic?  Yes, i routinely find suspicious activity
but do not have the time to really determine if it is malicious.
Regardless, automated pass/no-pass systems are needed to keep us safe
and i thought this was the idea of the 90 day period and for rebuttals
by the website owners.  It would be impossible for a sysop to read
through the analysis of thousands of websites to determine whether
each one should be reachable at this time, but from my experience,
that is what i would have to do.

Content from the following URL copied and pasted:

Advisory provided by
Safe Browsing
Diagnostic page for openx.net
What is the current listing status for openx.net?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 2 pages we tested on the site over the past 90 days, 0 page(s)
resulted in malicious software being downloaded and installed without
user consent. The last time Google visited this site was on
2011-06-30, and the last time suspicious content was found on this
site was on 2011-06-30.
Malicious software includes 96 exploit(s), 21 trojan(s).

This site was hosted on 1 network(s) including AS36089 (OPENX).

Has this site acted as an intermediary resulting in further
distribution of malware?

Over the past 90 days, openx.net appeared to function as an
intermediary for the infection of 38 site(s) including
hotschoolbabes.com/, ieatvegas.com/, solterosenlared.es/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It
infected 2 domain(s), including dapurpacu.com/, ayacucho-bsas.com.ar/.

Next steps:

Return to the previous page.
If you are the owner of this web site, you can request a review of
your site using Google Webmaster Tools. More information about the
review process is available in Google's Webmaster Help Center.
Updated 3 hours ago©2008 Google - Google Home

More information about the OLUG mailing list