The information on the rating for angiev's site -- as far as spam received after signing up -- is pretty damning. There's no way you should be getting penile enlargement spam after registering at a real estate site.

The question that occurs to me is, can a spammer have randomly guessed the email address that McAfee entered on angiev's site? I assume there is some unique identifier McAfee uses to tell which site is responsible for which spam. Is there a pattern to it that can be guessed, given the fact that spammers don't care how many non-existent addresses they guess? After all, the bounces go to the forged "from" email addresses, not back to the spammers. Anyone on aol knows that spammers don't hesitate to send to every possible permutation of addresses on popular domains.

When angiev sends out her emails to users who have signed up on her site, does she use blind carbon copy (bcc)? Or like so many small businesses, are all the emails of all the recipients visible in the headers, so every recipient's address book will have a copy? If any one of those users gets an email worm, every email address recorded will start being used as a "to" or "from" address on emails as the worm is sent to new machines. Or if angiev's email newsletter is particularly informative, a recipient may forward it to other people with all the other recipients' email addresses included. A lot of people could end up with that secret McAfee email address that way.

The other possibility is that the addresses are stored on a machine that has been compromised. I have been submitting to VirusTotal some of the malware from links I'm spammed with. If 50% of the antivirus programs detect a malware program, that's considered pretty good. I submitted two yesterday: one was detected by nine of 32 programs, the other by only six, and it wasn't just the free antivirus programs that were missing them. The malware was from sites that the antivirus folks can find just as easily as I can, but the fully updated programs still can't detect it.

The point is, malware is constantly changing and there is a delay between when a new variant arises and when it can be added to updates of AV programs. You can have a fully updated antivirus program and still get infected, and once infected, malware programs may download their own updates to continue to avoid detection. Some load themselves early enough in the Windows boot sequence that basic antivirus programs don't see them at all (rootkits). So angiev does need to consider the possibility even if she has been a responsible user. And if the information is stored on a computer not under her control, such as her website server, there are even more possibilities for mischief.

For your own computer, you can get free help with a full evaluation of your systems at Castlecops, starting at http://wiki.castlecops.com/MRP . Once that basic cleaning procedure is completed, if there is still any problem, specially trained volunteers will help on the forum, also for free.

What is McAfee's methodology for testing? Their 'detailed analysis' indicates that,

"We typed our e-mail address into the forms we encountered while surfing crye-leike.com's web site. Since then, we've been receiving an average of 5 e-mails a week, with an average SpamAssassin score of 12."

This to me sounds like there may be a person sitting behind a desk and actually manually going out and 'testing' sites. There are all types of room for error here. If McAfee wants to be the authority on this, they should have reproducible, automated testing. They should also be more transparent with how the testing is carried out and what the re-testing process is etc. They should also have at the ---minimum--- basic support... such as responding to email, taking phone calls etc.

Sounds like this whole program was just slapped together. Little thought given to accuracy of the results and how such a product would be supported. Better to just be able to say they have it.

On the thought that the computer possibly being comprimised, the machines that have this data are directly under our control and there is no indication that the machines have been comprimised.



When we email customers who contact the company through the web site... we do not use blind cc, we do not put all the email addresses in visible headers either. We send individual correspondence to each person as necessary to help them with their transaction. The scenarios of someone seeing another's email address in the to field etc would not apply.

I maintain that McAfee has made an error of some type. If they are going to give a site a 'bad reputation' with a big red warning sign, they need to produce a program with more legitimacy - proven results - methods for correction - and support.

It is absolutely wrong what McAfee is doing to damage reputations of web sites with total abandon and disregard.

angiev: "This to me sounds like there may be a person sitting behind a desk and actually manually going out and 'testing' sites. There are all types of room for error here. If McAfee wants to be the authority on this, they should have reproducible, automated testing."

There are two aspects of SA: Automated testing. And human reviewers.
But the reviewers cannot change a rating, only suggest it...