Update on ThePlanet and Hostgator

Last month we started an investigation into the massive numbers of infections we saw on ThePlanet’s AS21844 network. Last week we discovered the Rwhois server at ThePlanet and were able to get a more fine-grained view of the infection distribution. 10% of the infections were attributed to Skenzo while 40% were attributed to HostGator resellers.
The infections we thought were attributed to Skenzo turned out to be abandoned badware domains. We think this problem will largely work itself out, as Skenzo has no interest in monetizing domains marked as badware.
The infections at HostGator were a bit more challenging. I communicated with several members of the HostGator team over the course of the last few weeks. They voiced some valid complaints that I will talk about in this post, the most important of which is the way infections are counted.
One domain, nyalines.com, had something like 1000 infections attributed to it. This is pretty unusual for our data partners to do. If there are more than a handful of infections at the same domain they will usually just list the entire domain. When we asked Google, the data partner responsible for that particular listing, they said the automated system they have in place thought it was better to list it that way.
Here is a sample of what they were talking about:

    10 vadakarapally . org
    10 websitecoders . org
    11 e-sense . tv
    11 malayalamwallpapers . net
    12 attorney2traffic . org
    15 kingvip . com
    17 niftysensex . com
    18 fountain.fountaintips . com
    19 findluxurywatch . com
    19 freewallpapershere . com
    20 quitsmokingtips4u . com
    21 shorthandlogic . com
    23 dir10 . net
    91 freenewdownload . com
   116 moviemark.com . br
   987 nyalines . com

We didn’t get any further explanation from Google, so I am at a loss for why there was a need to mark the same domain 1000 times. The senior security tech at HostGator I spoke with felt that our report unfairly characterized HostGator, and I would like to address that. We at StopBadware simply follow the data. We take what is in front of us and interpret it as best we can for public consumption. When we are shown errors in our methodology, we adapt it. Figuring out how to more accurately represent infections on the Internet is a giant part of what I do, and overcounting of a particular domain will be at the top of my list (along with Rwhois resolution). However, ThePlanet is still at the top of the infection charts for US-based web hosting providers. And even if we count each domain only once, HostGator resellers accounted for 6655 of the infections within that network. I am very grateful for their team’s willingness to work with us to eradicate those infections.
It also bears mentioning that I don’t particularly think Google did anything wrong here either. They produce a list of URLs believed to contain badware and release it to their partners. We made the move to quantify this list so we could get some sense of whether things were getting better or worse, both in terms of overall infections and infections within particular networks. Those metrics allow us to prioritize hubs of infection on the Internet and spend our scarce resources attacking where it counts.
We will begin the bulk appeal process to get the URLs HostGator has cleaned unmarked as badware. With some luck the high numbers of infections on AS21844 will start coming down.
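
To make the counting question concrete, here is an added example (not StopBadware's or Google's code) that parses the sample listing above and totals it three ways: every flagged URL, at most ten per domain, and each domain once. The function names, the `cap` parameter and the one-entry suffix set standing in for the Public Suffix List are assumptions made for the illustration.

```python
from collections import Counter

# Sample listing copied from the post: flagged-URL count, then the defanged host.
LISTING = """\
10 vadakarapally . org
10 websitecoders . org
11 e-sense . tv
11 malayalamwallpapers . net
12 attorney2traffic . org
15 kingvip . com
17 niftysensex . com
18 fountain.fountaintips . com
19 findluxurywatch . com
19 freewallpapershere . com
20 quitsmokingtips4u . com
21 shorthandlogic . com
23 dir10 . net
91 freenewdownload . com
116 moviemark.com . br
987 nyalines . com
"""
# Assumption: a tiny stand-in for the Public Suffix List, enough for this sample.
MULTI_LABEL_SUFFIXES = {"com.br"}

def registered_domain(host):
    """Collapse a hostname to its registrable domain (naive, uses the set above)."""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_listing(text):
    """Return a Counter mapping registered domain -> flagged-URL count."""
    counts = Counter()
    for line in text.strip().splitlines():
        n, host = line.split(None, 1)
        counts[registered_domain(host.replace(" ", ""))] += int(n)
    return counts

def tally(counts, cap=None):
    """Total infections: cap=None counts every URL, cap=k at most k per domain."""
    return sum(n if cap is None else min(n, cap) for n in counts.values())

def top_share(counts, cap=None):
    """Fraction of the total contributed by the single largest domain."""
    return tally({"top": max(counts.values())}, cap) / tally(counts, cap)

if __name__ == "__main__":
    c = parse_listing(LISTING)
    for label, cap in (("per URL", None), ("cap of 10", 10), ("per domain", 1)):
        print(f"{label:>10}: total={tally(c, cap):5d} top share={top_share(c, cap):.1%}")
```

Counted per URL, one domain supplies roughly 70% of this sample's total; counted once per domain, every entry carries the same weight.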


3 Responses to Update on ThePlanet and Hostgator

  1. parermayla says:

    is famous Evgeni Plushenko’s official site a site with badware???

    dummie ppl report it for fun?

    stop it!

  2. The nyalines .com site is way in front of the rest of those.

    If 10% are attributed to Skenzo, and 40% to Hostgator resellers, does that mean the rest are under a variety of other hosts, all under 10% each?

  3. Cometcom1 says:

    Very good to know the methods seem to work to everyone's favor.

    I think we can all understand why some entities feel a little at a loss when the data seems to indicate unusually high numbers, however, the result is that a deeper understanding of the data is being created.

    I know, none of us want to “cry wolf”, however we have to relate to the basic data sets and work from there on out. It’s part of what Stopbadware does, and it’s good to know that communication between each and every involved party is indeed working and brings results.

    Nice work Oliver, do keep it up and let us know what happens.