On December 8th I woke up, went through my usual morning routine, grabbed my coffee, and sat down at my Mac to start the work day. As it was a Tuesday, I scanned my email for TidBITS #1006 and was slightly surprised that it wasn’t in my Inbox. Since I had recently added another spam filter, I assumed the issue had been blocked, so I planned on pulling it out of quarantine later.
But the mystery deepened when a reader sent me an email message saying that his copy of the issue had been flagged as containing malicious software. Since I had been engaged in an intense Twitter debate a few days earlier claiming that Mac-based malware was rarely encountered by the average user, I immediately went into panic mode and started investigating.
I checked my frontline spam and virus filter (Google’s Postini service), and the TidBITS issue wasn’t flagged for anything there. However, when I checked my second filter, a special appliance on my network, I found the issue had been flagged as containing malware.
According to my anti-spam appliance, TidBITS #1006 contained “Email.Faketube”, and when I reported this to Adam and the other TidBITS staffers, it came out that we were all receiving sporadic reports of this particular issue triggering a similar alert for readers.
I quickly searched on the Internet for details about Email.Faketube and found that it’s a link that pretends to be from YouTube, but in fact redirects a browser to a Web site that attempts to download a Trojan horse (for Windows, not Mac OS X).
When I viewed the raw text of the TidBITS issue, I discovered that there was indeed a YouTube link in it, pointing at the trailer for the World of Goo game (see “TidBITS Gift Guide 2009,” 7 December 2009).
By checking the link manually using one of the systems I have for security research of risky sites, it became clear immediately that the link was fine and did not redirect users to malware. Not that I expected it would; we check all links that go into TidBITS articles, so a link would have to change between the time we checked and when the issue was published for something untoward to happen. But then why the false alarm?
TidBITS Contributing Editor Mark Anbinder noticed that the string “www” appears at the end of the YouTube-generated link. YouTube video IDs are opaque generated strings, so an ID that happens to end in “www” is pure coincidence, but the virus filters triggered on it, taking it as the sign of an attempt to redirect users. Attackers use a variety of techniques to mangle Internet addresses, one of which is tacking a second address onto the end of a legitimate-looking one so that the browser actually goes to the part that was added rather than the part that appears first.
As a result, it’s clear that I, and our readers who saw the alert, are all running a malware filter with a badly written rule set. The rule is probably something like “flag any message containing a YouTube link with ‘www’ after the ‘watch?’ portion of the address.” Unfortunately, that string is not necessarily indicative of malware and is thus a poor choice for a malware signature: it fires on any legitimate video ID that happens to end in “www”, and it misses every redirect to a domain that does not contain “www”, since nothing requires a redirect target to have one.
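To make the difference concrete, here is an added example (not code from TidBITS or from the filter vendor) that puts a hypothetical reconstruction of the guessed “www after watch?” signature next to a rule that parses the link and looks at where it really goes. The video IDs, the evil.example hosts, the userinfo and lookalike-host tricks and the next= redirect parameter are all constructed for the example; the real World of Goo link is not reproduced here, and nothing about how Email.Faketube actually redirects is claimed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical reconstruction of the overly broad signature the article guesses at:
# "a YouTube watch link with 'www' somewhere after 'watch?'". Not the vendor's real rule.
NAIVE_RULE = re.compile(r"youtube\.com/watch\?\S*www", re.IGNORECASE)

# Hosts a genuine YouTube watch link may resolve to (assumption for this example).
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com"}

URL_IN_TEXT = re.compile(r"https?://[^\s<>\")]+")


def naive_flags(url: str) -> bool:
    """The substring rule: trips on any legitimate video ID ending in 'www'."""
    return NAIVE_RULE.search(url) is not None


def looks_like_url(value: str) -> bool:
    """A query value that is itself an address is the typical shape of a redirect parameter."""
    return re.match(r"(?i)^(https?:)?//|^www\.", value) is not None


def is_fake_youtube_link(url: str) -> bool:
    """Parsed rule: flag a link that mentions youtube.com but whose effective
    destination is somewhere else, or that carries another URL in its query."""
    if "youtube.com" not in url.lower():
        return False  # not a YouTube-looking link; outside this signature's concern
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # userinfo trick (http://www.youtube.com@evil.example/) parses to host evil.example;
    # a lookalike host (www.youtube.com.evil.example) is simply not a YouTube host.
    if host not in YOUTUBE_HOSTS:
        return True
    # Real YouTube host, but a query value that is itself a URL (constructed next= case).
    for values in parse_qs(parts.query).values():
        if any(looks_like_url(v) for v in values):
            return True
    return False


def scan_message(text: str) -> dict:
    """Run both rules over every URL found in a message body."""
    return {
        url: {"naive": naive_flags(url), "parsed": is_fake_youtube_link(url)}
        for url in URL_IN_TEXT.findall(text)
    }


# Constructed message body; the video IDs are made up for this example.
SAMPLE_MESSAGE = """\
Gift idea: watch the World of Goo trailer at
https://www.youtube.com/watch?v=AbCdEfGhwww (constructed ID that ends in www).
Now a link that only pretends to be YouTube:
http://www.youtube.com@evil.example/watch?v=AbCdEfGhIjK
And a genuine host carrying a redirect parameter without any www in it:
http://www.youtube.com/watch?v=AbCdEfGhIjK&next=http://evil.example/
"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE).items():
        print(f"naive={verdict['naive']!s:5} parsed={verdict['parsed']!s:5} {url}")
```

Run as a script it shows the three outcomes the article is getting at: the substring rule flags the legitimate trailer link and misses both fakes, while the parsed rule does the opposite. The parsed version is not a complete phishing detector either (it will not catch a shortener or a compromised page on youtube.com itself), but it at least keys on something an attacker must do rather than on three letters that any video ID can end with.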
So the good news is that TidBITS #1006 wasn’t infected in any way, and our apologies for any worry the false alarm may have caused. The bad news is that I now have to wonder about the quality of the company providing my email filter rules.