Tuesday, November 28, 2017

Google's phishing vigilance and the risk of blog comments

I got a notice from Google yesterday. tech.kateva.org had been quarantined as a phishing vector. Visitors would be warned away. I had a short time to fix the affected page that was listed below …

But there was nothing there. Same thing with a link to a downloadable spreadsheet of issues. That was empty too.

Elsewhere in the message a page was identified. It sure looked benign, the only link was to an Apple support site. It’s a (Google) blogger site and all the widgets were default Blogger. No extra HTML. No comments.

Also, despite Google’s warning, the blog was not quarantined.

A puzzle.

Oh, I left something out. The day before a published spam comment showed up in my comment tracking feed. I get a few spam comments every day or two, but this was the first published one in a while. I went to delete it … but by the time I got to Blogger’s post management menu the comment was gone.

This is what I think happened:

  • This blog was set to allow comments without approval from authenticated posters for posts less than two weeks old.
  • A bot created an authenticated identity and created a phishing attack comment.
  • Google spotted the comment, quarantined the site, and sent the notification email.
  • Blogger spam detection identified the comment author as a spammer and deleted all comments by that identity — including the one on my site (why it was gone).
  • Google rechecked my site and lifted the quarantine — but couldn’t retrieve the notification email.
  • The notification email was partly empty because that it was a query — that returned Null. It had one part that was written at time of email generation and that contained the link to the once contaminated page.

I changed comments on the blog to require authorization at all times — no two week window for authenticated users. Clearly authentication is no longer a sufficient barrier. I don’t want phishing attacks on my blog, and I don’t want to get quarantined.

This reminds me what a strange fish Blogger is. It works fairly well, though there’s a longstanding problem with CR/LF handling that reminds me too much of DOS 2.1. It gets very few, but still some, updates. Google has switched their blogs off Blogger, but they haven’t used their new proprietary RSS/Blog platform to replace Blogger. Blogger is neither dead nor alive, and Google RSS is similarly quantum.


Anonymous said...

I check your site/blog daily and never was provided any warning from Google. Strange!

JGF said...

I wonder if the quarantine window was only a matter of minutes. I'd think it was all a fake email/phishing attack except that I no a true phishing attack was published but then removed.