A friend of mine forwarded me an email he received from GoDaddy informing him that McAfee “blacklisted” one of his domain names. The subject of the email was, “McAfee has blacklisted [domain name redacted]” and the email had GoDaddy’s logo and branding. In the heading of the email, the message was clear in bolded font: “Security warning: McAfee blacklisted your domain. It’s important you resolve this issue as soon as possible. Contact our security team if you need any help.”
The body of the email provided a bit more information, although the owner of the domain name was encouraged to call GoDaddy to rectify the issue:
During a routine security audit of our network, we found that [redacted domain name] (hosted via ns2. redacted .com,ns1. redacted .com) was blacklisted by McAfee. This audit was performed by the GoDaddy Security Unit to ensure the integrity and trust of the network.
You can find details of why your domain was blacklisted here: https://www.mcafee.com/threat-intelligence/site/default.aspx?url=[redacted]
What this means for you.
A McAfee blacklisting means visitors with McAfee antivirus or who use Opera for browsing can’t see your website. It also means your site may be inaccessible to other networks too. McAfee flagged your website because it has identified it as a potential threat based on its own web reputation ranking system. Its ranking system is proprietary and crawls websites looking for indicators of malware and spam.
I could tell the email was legitimately from GoDaddy because it had my friend’s name and account number at the top. However, I reached out to GoDaddy to confirm its authenticity and see if the company could share additional details about the email warning. Here’s what I was told by Tony Perez, Head of Security Business at GoDaddy:
“The email the customer received is part of a new initiative we’re testing. We are scanning any domain under management against various blacklisting services. This isn’t limited to one vendor or service, it’s a number of different blacklist providers.
When a website appears on a blacklist, it’s losing potential visitors. Many times, website owners don’t know their site has been impacted until it’s too late. We wanted to provide this notification so customers can quickly take action to reduce how long they are blacklisted.”
I asked GoDaddy if the email is an upsell, and while the company is selling services to help remedy this, “the primary motivation is to let people know their domains/websites are being blacklisted,” I was told by GoDaddy.
The domain name in question is currently parked at a major parking service, and my friend noticed it was resolving to a zero-click lander. When I asked GoDaddy if it is the zero-click lander that caused the warning, a rep from GoDaddy couldn’t answer without looking into the situation more specifically.
I was told that GoDaddy is interested in hearing feedback about this email campaign. At first blush, my thought was that it was an interesting upsell opportunity for the company. Whether or not you use GoDaddy to resolve the situation, I think it is helpful to know that a domain name might be on a blacklist and something should be done to resolve the issue.
Elliot…
This is great. Thanks for reporting this. Many small businesses don’t have the resources or time to address this level of Quality Assurance for their domain(s). So this is definitely a Value Add for GoDaddy. Interested in seeing this program effort evolve.
About a week ago I found that the landing pages of domains that I’d registered at GoDaddy and elsewhere were being blocked on one of the major aftermarkets. The blocks were instituted by my anti-virus program F-Secure. Instead of reaching my ad-free placeholder pages, I was presented with a browser screen with text indicating that the website had been reported as having security problems.
In response, I quickly redirected all my domains to another aftermarket. The blocks immediately stopped.
The reason that my placeholder pages were being blocked could have been because their IP addresses were shared by placeholder pages that had ad feeds. Malicious ads could have triggered the blocks. The identity of the aftermarket that is being blocked by F-Secure is not something that I’d like to disclose, because doing so could do more harm than good. This aftermarket needs to do a better job of QA, but they’re not the only one.
GoDaddy’s own blocking efforts on Afternic are also based on IP address, not domain. Similar IP-address blocks are in place at Sedo, Uniregistry, and at least until recently, NamePros. This is problematic because some IP addresses from VPNs are included in the block list(s). Anyone in this industry, or generally, who declines to use a VPN is asking for trouble.
A big lesson from the Low Orbit Ion Cannon (LOIC) attacks of 2010-2012 is that simply building an outer wall around your web assets is no longer sufficient to thwart attacks. LOICs were used for attacks up and down the stack. Applying exclusionary firewall rules to ad-free landing pages, whether by AVS vendors or the aftermarkets themselves, does not constitute the sort of defense-in-depth that these aftermarkets really need.
They mark a parked domain as blocked and charge to get it unblocked?
Domainers don’t control what goes on those parked pages so this smells like a big scam.
Seems a bit like a convenient way for GoDaddy and McAfee to make a buck while claiming that it’s a helpful thing.