# Google's New Malware Dashboard: Incero's on the Top 10



## manacit (Jun 26, 2013)

I was checking out Google's new Malware Dashboard when I found this:







Looks like someone needs to go through and do some cleaning! 

Check the link earlier though, the malware dashboard is a pretty nice tool!


----------



## jarland (Jun 26, 2013)

Looks like a lot of people have cleaning to do. I wouldn't say Incero is worth highlighting though. High on the list because it's sorted by percentage but the number of scanned sites is fairly low. Although I'm certain Gordon won't be terribly pleased by the result regardless.


----------



## kaniini (Jun 26, 2013)

The most annoying aspect of Google's security efforts is that, at least in my experience, they don't notify the netblock operator of the compromised/attack sites, so you find out about them later.

I really wish they would do that, it doesn't seem like it would be too difficult for Google to send out a notification mail when it encounters a hacked site.


----------



## drmike (Jun 26, 2013)

Wait... wait... but...

Google says they've only scanned 7% of Incero's ASN.

Of that, 19% of the sites scanned therein contain malware --- that's 1-in-5.  Quite high. 

Not Gordo's fault, but certainly needs some top down house cleaning.

Does Google offer some more details on this --- like the specific sites, IPs, etc.?


----------



## drmike (Jun 26, 2013)

kaniini said:


> The most annoying aspect of Google's security efforts is that, at least in my experience, they don't notify the netblock operator of the compromised/attack sites, so you find out about them later.
> 
> I really wish they would do that, it doesn't seem like it would be too difficult for Google to send out a notification mail when it encounters a hacked site.


Google is like that... They love making messes, banning people, breaking things, etc.  It's all about big, fat, ugly piles of data.

Providing email notifications, well that might be deemed providing a service and people might then complain they weren't mailed in the future or more likely, that when nothing turns up on site/IP and they can't get it delisted and the auto-bots continue, no one is home for support at Google.


----------



## manacit (Jun 26, 2013)

kaniini said:


> The most annoying aspect of Google's security efforts is that, at least in my experience, they don't notify the netblock operator of the compromised/attack sites, so you find out about them later.
> 
> I really wish they would do that, it doesn't seem like it would be too difficult for Google to send out a notification mail when it encounters a hacked site.


Yeah I'm surprised they don't just file a notification to [email protected] or whatever the registered contact is - you'd think it would be in everyone's best interest.

Despite their entire ASN not being scanned, as of now they are one of the top malware providers (by %) in the USA, according to Google. Whether or not that's actually true, however, would require a bit more data.


----------



## jarland (Jun 26, 2013)

manacit said:


> Yeah I'm surprised they don't just file a notification to [email protected] or whatever the registered contact is - you'd think it would be in everyone's best interest.
> 
> Despite their entire ASN not being scanned, as of now they are one of the top malware providers (by %) in the USA, according to Google. Whether or not that's actually true, however, would require a bit more data.


I mean, if I had 2 IPs and 1 had malware I'd be #1 on that list 

Still a lot though you're right. I wish it gave more detail.


----------



## drmike (Jun 26, 2013)

True Jarland, true.

Google shaming providers now.  Hopefully they don't go banning ASNs like they do with search engine results where malware found.  Too much power wielding by the G'men.


----------



## HalfEatenPie (Jun 26, 2013)

Title has been revised due to merge with a different thread of similar discussion.


----------



## maounique (Jun 26, 2013)

Well, we are having problems with Spamhaus.

After years of successful cooperation they deem us spam heaven and escalate every incident to block even further without even notifying.

So far /23 is blocked and next time probably the whole ASN.

Too much power to those people, nobody to actually check what their motivations are, whom they hate and why.

Prometeus spammer heaven, cool, last time I checked at reputable lists we didn't have more than a handful of IPs and we eliminated them all the time.

Did Spamhaus stop spam? No, this is like the war on Islam or drugs, it will never be won, just some guys will make some cool dough because of it.

At least something good is coming out of this, we no longer have spammers signing up already 

Hosting emailers is a bad business, even legit ones, most ppl "mark as spam" instead of unsubscribing what they subscribed, is faster that way and then this never stopped real spammers.

When the war on something makes more collateral damage than the actual good and helps some ppl get a lot of power instead, then it is just another kind of a religious/ideological war. Good for the government, bad for the people.


----------



## jarland (Jun 26, 2013)

Mao said:


> Well, we are having problems with Spamhaus.
> 
> After years of successful cooperation they deem us spam heaven and escalate every incident to block even further without even notifying.
> 
> ...


That's terrible. I second that these organizations need to be given less power or they need to be more transparent in providing details for their actions. It's them who decided this was the service they want to provide, and it's the ISPs who decide if they're worth giving power to. Perhaps it's time for people to start massively lobbying the ISPs to demand a change.


----------



## drmike (Jun 26, 2013)

jarland said:


> That's terrible. I second that these organizations need to be given less power or they need to be more transparent in providing details for their actions.


 

+1 for transparent... and...

They need to staff humans for support to deal with problems and get quick resolution/steps to resolve matters when needed.


----------



## Aldryic C'boas (Jun 26, 2013)

Seems to be hit and miss, I suppose. Several of the Spamhaus techs know me on a first name basis, and I've never had any issues getting listings dealt with _*shrug*_


----------



## maounique (Jun 27, 2013)

jarland said:


> I second that these organizations need to be given less power or they need to be more transparent in providing details for their actions.


The detail they gave was that their "customers" are annoyed by what comes from our customers (which is what, both incidents were from spamvertized sites, not actual spam, we catch port 25 junk pretty quick) and we need to work much harder, probably a canned reply. I doubt anyone actually checks there and they have autoresponders lately.

For 5 k IPs with 5 at most IPs listed in various lists that expire them after 1 week, which actually means some 5 a week is a very good result if you ask me.

We won't pay them anything (nor did they ask, to be honest, unlike other lists that have "delisting" prices), it is actually better to be blacklisted, as I said, hosting emailers is bad business and I will write a tutorial on how to use the free mandrill to send a few mails that forums and similar software need as well as monitoring tools. Customers know (and if they don't, we can prove it all the time with reputable lists) that we are not hosting spammers. We even delete DNS of those when we get notified.


----------



## maounique (Jun 27, 2013)

Strange, we were removed from the list of spammer heavens...

I wonder what made them change their mind


----------



## rds100 (Jun 27, 2013)

It seems you can sign up with Google to receive alerts about malware hosted inside your AS - http://www.google.com/safebrowsing/alerts/

edit: I signed up, let's see if they actually send anything.


----------



## H4G (Jun 27, 2013)

I asked Gordon about it, he says:



> Thanks, we actually follow that religiously as well as "clean mx", both pipe into our abuse system automatically. If you look at historical data you will see the spike lines up with the wordpress exploit that happened recently. Our abuse system automatically notified affected clients, and the "malware rate" is now below 2%, one of the lowest in the industry. Feel free to check the current stats for yourself, and feel free to post my reply on that forum also. Cheers.


----------



## Steven F (Jun 27, 2013)

We don't know what Google's methods are. They may specifically only target sites that they believe are malware, meaning that 30% of the domains they scanned may have malware, but that's 19% of sites they suspected which is 2% of Incero's overall network. That would mean it's closer to .5% of Incero's servers are malware, which may seem a bit high, but it's not so crazy. Think hundreds of servers, possibly thousands of VMs.

Just a thought.


----------



## maounique (Jun 27, 2013)

rds100 said:


> It seems you can sign up with Google to receive alerts about malware hosted inside your AS - http://www.google.com/safebrowsing/alerts/
> 
> edit: I signed up, let's see if they actually send anything.


Cool, signed up too.

This is a plague, even our forum has been targeted by malware, somehow the attacker managed to load a script instead of a picture as avatar taking advantage of improper sanitization. As such any folders where user content can be uploaded have been made read-only.

However, wordpress is a disaster, probably bigger than kloxo or zpanel in terms of exploits.


----------
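The avatar incident described in the last post (a script accepted where a picture was expected) comes down to trusting the uploaded file's name instead of its content. The following is an added example, not code from the thread or from any forum software: a server-side check that identifies the file by its leading bytes, rejects image/script polyglots, and never reuses the client's filename. The function name, accepted types, size limit and sample uploads are all assumptions made for illustration.

```python
import secrets

# Leading-byte signatures for the image types this (assumed) avatar policy accepts.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
# Long, distinctive markers only: short ones would false-positive on compressed data.
SCRIPT_MARKERS = (b"<?php", b"<script")
MAX_BYTES = 512 * 1024  # assumed upload limit


def check_avatar(client_name: str, data: bytes):
    """Return (ok, stored_name_or_reason).

    client_name is deliberately ignored for storage: the stored name and
    extension are chosen by the server from the detected content type.
    """
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = next((e for sig, e in SIGNATURES.items() if data.startswith(sig)), None)
    if ext is None:
        return False, "not an accepted image type"
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, "embedded script marker " + marker.decode()
    return True, secrets.token_hex(16) + ext


# Constructed sample uploads (not taken from the thread).
SAMPLES = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # image header
    "avatar.jpg": b"<?php echo 'x'; ?>",                # script with an image name
    "avatar.gif": b"GIF89a" + b"<?php echo 'x'; ?>",    # valid header, script body
}


def run_samples():
    return {name: check_avatar(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

The marker scan is a heuristic; decoding and re-encoding the image with an imaging library, and serving the upload directory with script execution disabled, remove the dependency on it.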

