No, This Site Is Not Malicious

Submitted by jbreland on Mon, 08/09/2010 - 20:53

Sorry to even have to post this, but apparently my site has been classified as "malicious" by certain parties. It all seems to have originated from this particular malware list:
http://www.malwareurl.com/listing.php?domain=legroom.net

The reason? Someone apparently doesn't like my download script for Universal Extractor. Seriously. This is the "malicious" URL:
http://www.legroom.net/scripts/download.php?file=uniextract16

Any guesses as to what that does? It lets you download Universal Extractor 1.6. Oh, the horror! I use the download script rather than link directly because I need to move the location of the actual installer file from time to time due to bandwidth concerns or other issues. By using the download script to serve up the file, I can easily point it to a new location at any given time, implement load balancing if needed, etc., without anyone having to worry about dead links (well, except for people who insist on hotlinking directly to the file against my wishes, but I don't have much sympathy for them).

Apparently someone didn't like my script and reported it. I guess. I haven't been able to get any more information about the issue. I guess I can kind of, sort of, maybe understand the concern about a download script like this, as I guess it could, possibly, maybe be hijacked in some way to serve up malicious content, but that's not what happened here. My script is written in such a way that it'd be impractical to try to use it for malicious means (I won't say impossible because, quite frankly, anything is possible on the internet); it'll serve up the specified file from a specified URL on a specified remote server and nothing else. If anyone tried to fiddle with it by adding fake filenames, etc., it'll just return an "invalid file" error message.
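The design described above (a fixed lookup from a short key to one known URL, with every other input answered by "invalid file") looks like this as an added example; it is not the site's actual script. The keys other than `uniextract16`, the mirror URLs, the function name and the 404 status are assumptions.

```php
<?php
// Added illustration of an allowlist-only download redirector.
// Not the legroom.net script; URLs and the second key are constructed samples.
declare(strict_types=1);

// The only destinations this script can ever emit. The request supplies a
// key, never a URL, host, or path fragment, so there is nothing to redirect
// "somewhere else" with.
const DOWNLOADS = [
    'uniextract16' => 'https://mirror.example.org/files/uniextract16.exe',
    'uniextract15' => 'https://mirror.example.org/files/uniextract15.exe',
];

/**
 * Map a requested key to a response triple: [status, headers, body].
 * $key is whatever arrived in ?file=..., which may be null or an array.
 */
function resolve_download($key): array
{
    $invalid = [404, ['Content-Type' => 'text/plain; charset=utf-8'], 'invalid file'];

    // Reject missing values, arrays (?file[]=x) and any character outside a
    // narrow set. \A...\z anchors the whole string, so a trailing newline
    // or CR/LF can never reach a response header.
    if (!is_string($key) || preg_match('/\A[a-z0-9_-]{1,64}\z/', $key) !== 1) {
        return $invalid;
    }

    // Exact-match lookup; unknown keys get the same answer as malformed ones.
    if (!array_key_exists($key, DOWNLOADS)) {
        return $invalid;
    }

    return [302, ['Location' => DOWNLOADS[$key], 'Cache-Control' => 'no-store'], ''];
}

// Front controller: translate the triple into an HTTP response.
[$status, $headers, $body] = resolve_download($_GET['file'] ?? null);
http_response_code($status);
foreach ($headers as $name => $value) {
    header($name . ': ' . $value);
}
echo $body;
```

Because the `Location` value is always a constant from the server-side table, moving the installer to a new mirror is a one-line change, and a reviewer can confirm what the script serves by reading that table.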

So someone must've thought the script seemed somehow suspicious, but couldn't bother to do even the simplest of tests to verify it before reporting it to a malware site, and the malware site, of course, listed it without question. And even better, I just discovered that numerous other sites have lowered legroom.net's reputation as well because of this listing, because, naturally, none of them could be bothered to verify the claim either.

And finally, the icing on the cake is that this was originally listed on malwareurl.com on 12/15/2009. That's right, eight months ago. In eight months of being reported, listed, copied and listed, copied again, etc., not once was I ever notified of the dangerous, horrible malicious content on my website. It wasn't until today that a visitor noticed the problem and sent me an e-mail to give me a heads up (coincidentally, two people contacted me today - my heartfelt thanks to both of you). So, it took eight months to find out about a non-existent problem that denied access to or drove away who knows how many people from my website. Fantastic.

Some choice words are coming to mind right now, but I'll refrain because this is a (mostly) family-friendly site.

I get the need for these kinds of sites (I use a few myself for e-mail blacklists), and I can appreciate that many of them are volunteer efforts with limited time and resources. Nevertheless, I think it's reasonable to expect the site operators to:
1. attempt to verify reported content
2. notify the administrative or technical contact of the domain when the site is blacklisted

These steps are not difficult: a simple click would've verified that my script was innocuous, and the notification process could be automated by simply querying whois and sending a standard form letter. If either of those had been done, this issue could've been resolved quickly and easily. Instead, I find out eight months later and I'm pissed. This is not the best way to build support for, or trust in, community-driven security projects.

OK, I'm finished my rant now. On a more positive note, I'd like to thank the operator at malwaredomains.com for a very quick and amicable response to my inquiry about removing the inappropriate listing. Hopefully I can get the source of the problem, malwareurl.com, to correct the problem soon as well.