Monthly Archives: October 2008

Microsoft IE 7 Anti Phishing Filter – Is Internet Explorer Blocking Your Site?

Microsoft Anti Phishing Filter in Internet Explorer 7 Can Display False Positive Warnings. Here is how you can tell if you are being blocked by an Internet Explorer Anti Phishing False Positive Warning.

In a further effort to help legitimate businesses, here is how you can tell whether Microsoft Internet Explorer 7 or 8 is blocking your site.

I am going to do a series of articles using the exact terms that someone in my position, with an anti virus false positive phishing entry, would search for, so you can hopefully find this article and begin to clear your name.

This is about the only way you will be able to tell that an anti virus is blocking your site. The real problem occurs when your listing in the AV database spreads to other major networks.

Google Analytics Saved my Butt

You can tell that Internet Explorer is blocking your site if you have goal conversions set up in Google Analytics. Check to see if you are selling any products to visitors using Internet Explorer 7.

If you have some type of block in a database it will possibly be consumed by the IE 7 anti phishing filter database and you will have almost 0 sales occurring in Internet Explorer. At the same time you will have a way higher sales success rate in Firefox.

The only thing that saved me was finding that FF had a 14% sales success rate and IE had a 0.26% rate.

This is not guessing on my part. These are the findings of the Trend Micro investigation.

Sudden drops in newsletter subscribe rates, abandoned payments, email click thru rates and sales in general are all indicative of this kind of blocking.
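The per-browser comparison described above can be automated. The following is an added example, not part of the original post: it reads a per-browser export of visits and completed sales and flags any browser converting far below the pooled rate of the others. The CSV layout, column names, thresholds and sample figures are constructed for illustration.

```python
import csv
import io

# Constructed sample export: per-browser visits and completed sales.
SAMPLE_CSV = """browser,visits,sales
Firefox,500,70
Internet Explorer,1150,3
Safari,120,14
Opera,12,0
"""

def conversion_outliers(csv_text, min_visits=100, ratio=0.2):
    """Return (browser, rate %, baseline %) for each browser whose conversion
    rate is below `ratio` times the pooled rate of all other browsers.
    Browsers with fewer than `min_visits` visits are skipped as too small
    a sample to judge."""
    rows = [(r["browser"], int(r["visits"]), int(r["sales"]))
            for r in csv.DictReader(io.StringIO(csv_text))]
    flagged = []
    for name, visits, sales in rows:
        if visits < min_visits:
            continue
        other_visits = sum(v for n, v, _ in rows if n != name)
        other_sales = sum(s for n, _, s in rows if n != name)
        if other_visits == 0 or other_sales == 0:
            continue  # no baseline to compare against
        rate = sales / visits
        baseline = other_sales / other_visits
        if rate < ratio * baseline:
            flagged.append((name, round(rate * 100, 2), round(baseline * 100, 2)))
    return flagged

if __name__ == "__main__":
    for name, rate, baseline in conversion_outliers(SAMPLE_CSV):
        print(f"{name}: {rate}% vs {baseline}% for all other browsers")
```

A flagged browser is a signal to investigate client-side filtering, not proof of it; a checkout bug that only affects one browser produces the same pattern.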

The only reason I got a few emails delivered was that I was highly whitelisted in Gmail due to my Google social network friends list.

Please tell anyone you know to look into this so that this does not happen to them. If I can help anyone do not hesitate to call me.

Still alive and kicking,
– Chris Lang

Lyris Add DKIM, About Time

DKIM authentication now supported by Lyris HQ online marketing suite, one step closer to wide adoption

Lyris UK (www.lyris.co.uk) today announced the availability of DomainKeys Identified Mail (DKIM) technology within the Lyris HQ online marketing suite. By making DKIM authentication more widely accessible to organizations of any size, Lyris is helping marketers build and sustain their online reputations with Internet Service Providers (ISPs). Now if shared hosting would just provide us with the ability, maybe my shared SMTP server would deliver something besides spam folder fodder.

Trend Micro Blocking My Site

Due to Trend Micro blocking my site, my PayPal redirect forms, my emails in Trend Micro spam filters and my URLs in emails and web traffic requests, I can now advise you on how not to make this mistake. Don’t let this happen to you.

Trend Micro will block your site in the browser, block your web traffic at the server level, your URLs in any emails and send your emails to the Trend Micro spam folder if you make the mistakes that I did. It was not Trend Micro’s fault, my payment software or anything I did. Trend Micro blocked me because I was at the wrong place at the wrong time.

NOTE: This is NEW information that no one else has. Read this thoroughly!

When Trend Micro blocked my site

In September an affiliate sent a recommendation of my product, book to her email list. We had a very poor response rate and I began to think her email was not getting past spam filters.

Then one of her subscribers sent me this screen shot of Trend Micro wrongly blocking my site.

[Screenshot: Trend Micro blocking my site in the browser]

I was stupid enough to ignore this and simply believed it was a very minor issue due to the redirect to PayPal in my payment software. Big mistake. More like a $20,000 mistake.

Trend Micro is currently the most purchased Windows software there is as reported by Cnet just last week.

As time went by it got WAY worse. More and more payment attempts were being abandoned and comments on my blog and email click thru rates plummeted. Two, then three week periods passed without a sale and I began to really worry. At the same time my mind really went to work on this.

Meanwhile I was using all the skills I have to track down what I believed was a new spam filter blocking my emails. I enlisted the aid of even more experienced email pros to help me and they could not find the source. Neither could my GoDaddy host or AWeber, my email list provider. No bounce messages, no FBL reports, no nothing.

That was when I began to think it was a client side spam filter and something new to boot. Then about a week ago I remembered the screen shot. In the end that Trend Micro blocking screen shot was my savior.

Trend Micro says keywebdata.com and Chris Lang are innocent of any phishing, undesirable, dangerous or malicious activity or wrong doing.

Chris,
Just saw you called, sorry, I am in a meeting on various things at the moment. Either way I figured I would email you as I saw your email this morning when I logged on. I quickly read over the questions but will go over in more detail later and answer those that I can for you.

As for our analyses of your URLs we found no malicious activity so it looks to just be a False Positive.
The two entries that we found for being blocked were from the web traffic on our side. The weird part is we only see the 2, and without the logs from an actual user we can’t determine what exactly happened.
For your blog you can put that it was a false positive by Trend Micro and that we have verified that no malicious activity was found.

Again I will go through each question a little later and reply to those that I can.

This is the email I received back today.

Below is the synopsis of what the next phone conversation produced. I want to stress that these are facts as told to me by my Trend Micro contact in charge of the team that investigated the keywebdata.com blocking.

Why did Trend Micro block my site and how can you avoid it

First off, the best indicator of something going on is subscribers clicking the spam button in web email. Why are they doing that? Because they just saw a big freakin huge banner like the screen shot above. What else are they going to do when their anti virus software just screamed and yelled at them to never go to your site again?

After 8 straight days of working 20 hours a day, today, October 27th, I have gotten to the bottom of why PC Cillin warnings were displayed and Trend Micro Internet Security and Trend Micro anti virus blocked my site.

I just got off the phone with my Trend Micro contact.

“Keywebdata.com was flagged in the browser, in Internet Explorer 6 or 7 and blocking began.”

At that point my site and payment forms were reviewed by Trend Micro.

Due to an unsecured form, submitting to my server, then redirecting to a PayPal CGI bin URL, my site was deemed indicative of a Phishing site and blocking occurred. This did create global blocking of my domain at both the server level and the end users of all Trend Micro Internet Security products.

Any email with my URL in it was blocked by TM and possibly Yahoo, Gmail and Microsoft, both at the browser and email server level.

Also any web traffic passing through a data center with Trend Micro filtering software installed would have blocked the traffic right there too. This may be why so many of my emails never arrived. Any http request from a browser resulted in the screen shot image being displayed.

Any traffic crossing the Trend Micro server level software resulted in the request not being passed and the request to my server was not completed. In other words, if a link to my site was clicked, the request would not go thru to my server and no HTML would be displayed.

No footprint of this blocking is visible in server logs because the http request (http link click) was denied at either the home user end client or at the server level. So, even if you do pull your server logs there is no footprint to show that you are serving lots of pages and getting no browser page views.

It would do no good to pull server logs because no request for a page would ever make it to the server.

Trend Micro is looking into if they will release numbers as to the end user blocking numbers for keywebdata.com.

Basically I am going to have to pick myself up, dust myself off, learn from this and move the heck on.
TM does agree and is willing to suggest that using any HTML form that is submitting to any payment provider without using HTTPS protocols will draw the ire of anti phishing software. This also means Microsoft Internet Explorer anti phishing filters.

What can you do if Trend Micro PC Cillin blocks your site?

Step #1

First of all, I now have extreme knowledge of this and can check your site to see if it is blocked. To learn how to get your site unblocked and protect your new sites from being blocked, I have detailed instructions at this link.

If you are being blocked I can navigate thru the process of getting an investigation started and if you are innocent, get the blocking removed. Do not email me to death just to see if the site is blocked. If you are experiencing problems I will help you.

Step #2

First of all, stop sending any emails with your domain URLs in it, don’t send any email to your email lists and pull access to any payment forms.

If someone tries to buy and gets a phishing warning you have just lost any possibility of a future sale.
If your list gets an email from you and anyone has seen the phishing warning on a previous visit you can bet your last dollar they are going to mark your email as spam and any others they may get.

Lost sales now are nothing compared to losing most of your list and further email blocking. I did not catch this early enough on and lost a list with 2500 hard earned subscribers on it.

Currently there is no feedback loop from Trend Micro and my contacts tell me they are considering adding this so that we are directly contacted should a new script on our site suddenly trip a Trend Micro red flag.

You will also want to keep your hosting provider in the loop so that there are no issues with your domain or site. Call them and create a help desk case number. Then email the abuse@YOUR HOSTING address and document every step of the way using the case number. It can come in handy if anyone sends false accusations their way.

Save every email, document everything and keep records of everything that occurs.

Step #3

If you are using payment forms generated by IPN scripts that submit to PayPal for payment then get them changed to using HTTPS protocols in the form tag. Don’t worry about forms created by PayPal, they are sending to PayPal URLs. The problem lies in forms that submit to your domain and then the server redirects to PayPal. That is what started my tale of woe.

You will need to add an SSL certificate to your site and your host can take care of this for you. Just give them a call.
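To find the forms Step #3 is talking about, you can scan a page's HTML for every form and see where it really submits. This is an added example, not code from the original post or from any payment software: it resolves each form's action against the page URL and marks forms that post over plain HTTP to your own domain, the pattern described above. The `shop.example` host, paths and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: two forms post to the site itself, one to PayPal.
SAMPLE_HTML = """
<form action="/pay/ipn.php" method="post"><input name="item"></form>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post"></form>
<form method="post"><input name="email"></form>
"""

class FormCollector(HTMLParser):
    """Collect the absolute submit URL of every <form> on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            # An empty or relative action inherits the page's scheme and host.
            self.targets.append(urljoin(self.page_url, action))

def audit_forms(page_url, html):
    """Return (target, verdict) for each form found in `html`."""
    collector = FormCollector(page_url)
    collector.feed(html)
    own_host = urlparse(page_url).hostname
    results = []
    for target in collector.targets:
        parts = urlparse(target)
        if parts.scheme == "https":
            verdict = "ok"
        elif parts.hostname == own_host:
            verdict = "insecure-own-domain"  # the pattern from Step #3
        else:
            verdict = "insecure-external"
        results.append((target, verdict))
    return results

if __name__ == "__main__":
    for target, verdict in audit_forms("http://shop.example/buy.html", SAMPLE_HTML):
        print(f"{verdict:20} {target}")
```

Run it against the page URL visitors actually load: the same relative form action is flagged on an `http://` page and passes on an `https://` one.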

Step #4

Then we will need to get Microsoft, Yahoo and Gmail to remove any blocking as well. I can get this underway for you as well.

Step #5

Once you get this cleared up and your site free of any negative indicators you can resume mailing to your list and you should be in good shape. I am.

Above all handle yourself professionally and calmly.

I want to thank John McGowan who dealt with the yelling and screaming portion of this little odyssey.