Companies Struggle To Reverse McAfee's False Positives On Yahoo Search

McAfee and Yahoo broke new ground in the online security space at the beginning of this month with a partnership that provides Yahoo users with red alerts when they're visiting sites that contain spyware, adware, malicious code or are otherwise considered "risky." SearchScan also identifies spamming sites or sites with questionable e-mail practices.

The combined technology, launched in beta form May 6, enables Santa Clara, Calif.-based McAfee to scan numerous well-trafficked Web sites with its SiteAdvisor technology and flag them with red or yellow security icons. Yahoo then displays this information on its search engine results page.

However, some businesses with a Web presence on Yahoo, such as e-commerce site AnyCoupons, say that the security measures have gone too far and, in some cases, have been downright inaccurate. AnyCoupons executives say that the company, which offers deals from major brands and box stores, was falsely labeled with a red security warning indicating that the site produces spam shortly following Yahoo's announced partnership with McAfee.

"I hate spam. I hate it to the point that my company does too little e-mail marketing. We do not and will not ever spam," said David Lewis, CEO and founder of AnyCoupons, on his blog.

In a series of subsequent e-mail communications between Lewis and Yahoo, posted on Lewis' revenew.com blog between May 12 and May 15, Yahoo repeatedly maintained that the search engine company was not responsible for the designation and had no control over the security rating powered by McAfee's scanning technology.

Priyank Garg, director of product management for Yahoo Search, said that there was an escalation process to evaluate false positives that could take days to a matter of weeks, depending on the nature of the detected security threat.

Garg added that security data came from McAfee and encouraged users who have experience false positives on their Web site to first contact McAfee to get a more timely response.

"If it's a site that has to fix the issues observed on their site, they get the data from McAfee and address the issues and then ask for a retest," said Garg. "They're welcome to work with (Yahoo) and we'll work with McAfee to get the right rating."

While Garg said that he couldn't reveal exact figures, the amount of false positives equaled a "small, countable number."

"It's not like hundreds of sites are seeing false positives. But any false positives are not ideal. We don't want any publishers to have a bad experience like that. The number is small and we're working to make it even smaller," he said.

Garg said that the company was learning from AnyCoupons' experience and planned to make the process easier for reversing a false positive by looking at methodologies, and working through support issues.

However, for Lewis the proposed changes aren't coming fast enough.

"Beta means they know there are problems and they're willing to fix them," said Lewis in an interview with ChannelWeb. "If they're telling us they have no responsibility for what's on their site, that's not beta."

Lewis said that the red alert exclamation point that appeared next to his site on Yahoo's search page earlier this month resulted from a faulty test McAfee conducted in October.

In a May 13 e-mail message between Lewis and McAfee that was posted on Lewis' blog, Shane Keats, research analyst for McAfee, admitted that the security company had erred and agreed to retest. The AnyCoupons site was subsequently relabeled with a yellow warning icon last week after researchers read Lewis' blog post and re-evaluated the site. The yellow security warning indicates a potential as a spamming site pending further testing.

In the case of AnyCoupons, Keats said the October test resulted in a high volume of spam from the AnyCoupons' site, which led to a red flag that didn't get re-evaluated before the collaborated launch of Yahoo's SearchScan service.

"Occasionally it's our fault. We absolutely do have false positives. And we're very proud of our ability to respond quickly and fairly to those concerns, and when we make a mistake, we admit it and correct it and do our best not to do it again," said Keats.

Next: McAfee Outlines Risk Designation Process