"I see where you are coming from Ted. I still think thats between Google and Webmaster, not Google and the public."

The fact is, not everyone logs into Webmaster Tools obsessively to see if they have any messages. So we needed to find a way to surface this potential risk so that site owners would find out more quickly if they've been hacked.

We now have two different responses for sites with malware vs. sites that we think may be hacked. When we detect malware, we try harder to let users know that they may be stepping into a dangerous part of the web (e.g. an interstitial so that users really need to be sure they want to visit that page).

In contrast, a hacked site might not be immediately dangerous to users. But we still want to alert site owners, because if a site is hacked right now, in practice it's not too much harder for a bad actor to add malware to the hacked page.

Hi Matt - Good to see you participating in the discussion.

So we needed to find a way to surface this potential risk so that site owners would find out more quickly if they've been hacked.

Don't you think that simply removing the site from search results would get their immediate attention? It immediately preserves the safety of the potential visitors, and gives the website owners the opportunity to fix and prevent this kind of malicious behavior going forward.

Instead, putting up a "This site May Be Compromised" type message can cause very permanent damage to an innocent website owner.

I think the Google intent is GREAT, but the trail of skinned knees on (many times innocent) website owners is going to be long and far.

MattCutts:

In GWT, provide up to three email slots for us to fill in. When you find malware on our sites, send out an email immediately listing all pages that you believe are infected. Give us at least 72 hours to assess, and to fix.

If the issue is not addressed in that 72 hour period, then REMOVE THE PAGES out of the index. It is wrong to place a label on our entire website generalizing that the entire website is bad.


There is a lot of liability here on your assessment. This label can have devastating effects on the reputation of our sites. And all of this not due to our intentions.

Realize there can be websites who monitor this kind of activity, publish a list and that list will stay permanent in "complaint board" type pages. Those pages aren't going to go away and your reporting of it makes it even worse on website owners. This, including our competitors can use this information against us. This is an extremely important point because now these pages and reputations will be permanently marked.

I hope that your team will be fully responsive over this issue and turn around and remove the flag quickly. Every person who searches through our sites has potential to be turned away for every minute you fail to process our response. For ecommerce sites, this would serve as terrible PR and may also leave long lasting damage to our businesses.

I have strong reservations about asking Google to de-index pages that don't pass some beauty test.

I do wish Google would hammer hacked pages harder and faster. For a different view of the problem, one that looks at SERP rankings rather than indexed pages, search for "buy widget" where widget might be a popular but expensive graphics program. A temporary -950 on a lot of those pages wouldn't be out of place.

The fact is, not everyone logs into Webmaster Tools obsessively to see if they have any messages. So we needed to find a way to surface this potential risk so that site owners would find out more quickly if they've been hacked.

That is the truth. In fact many webmasters such as myself refuse to use anything associated with Google anymore.

So displaying a warning for those of us who never use the webmaster console and never will is probably a good thing.

There is a New York Times article about this today called "New Security Features From Google"
[gadgetwise.blogs.nytimes.com...]

I'm not seeing how this notice is a black eye or a reputation problem. It's something like saying someone caught a cold. It doesn't mean they're a bad person.

"This site may be compromised"

It doesn't mean they're a bad person.

Tedster, You may be more of an optimist than I am.

I think you may be seeing this too much from the viewpoint of a very accomplished internet professional.

The clueless surfer may not even notice this warning, or understand it if they do see it.

It's what I suspect are the majority who I worry about. I suspect they'd see this and think, "Uhhh, why go there when there's 9 or more other choices right here on this page".

Time will tell I guess.

Here's another thought.

As a webmaster, if I saw that warning attached to a site I was thinking about linking to, there is no chance I'd link to it.

If I found the warning on a site I linked to when rechecking my outbound links, I'd be deleting that link as fast as possible.
.

You're right, I may have a case of tunnel vision here. I'll get a reality check when I visit with family over the holiday. My suspicion is that some of the concern posted above is its own kind of tunnel vision - essentially wounded site owner pride. I'll see what my clan of VERY ordinary Google users has to say.

I do agree that clicks will go down - way down - as long as the notice appears. And well they should, IMO. But they'd go down even further if the URL was dropped from the SERP until repairs are made.

I'll be curious to hear what your panel of ordinary Google users has to say, tedster. The people that I've talked to have appreciated it.

"Don't you think that simply removing the site from search results would get their immediate attention?"

You would think, but people who don't patch their servers are often the sort that don't notice if they're not in the search results. Another problem is that site owners wouldn't know why they weren't showing up.

In fact, your proposal was the previous approach that we were using. At the same time, we would leave a message in the webmaster console and often try to email the site using email addresses that we could find on the site. What we found was that we weren't reaching the site owner as often as we wanted to. Many sites remained hacked for days, weeks, even months despite our best efforts to alert the sites through other methods.

Once a site gets overrun with parasite hosting spam beyond a certain point, Google already does delist the site for 30 days, and sends the webmaster an email explaining why. They've been doing that for a long time.

So unless something has changed, these new warnings must be in addition to that. Maybe they're what happens before the situation gets so severe that they delist it.

When they delist a site for 30 days, the site gets back into the SERPS after the 30 days has passed, if the problem has been resolved.

From what Matt said, maybe the behavior has indeed changed completely and this is a replacement for the previous Google response.

My perspective is that clicking on a Google SERP link and ending up on a fake pharmacy page for Cialis, etc. is the worst possible thing that can happen, short of actual malware. It gets the adrenaline going, and a person is going to remember that for a long time.

Seeing the warning, or not seeing the page at all because the site is delisted, are both far preferable. A web surfer won't remember that, or at least not with anywhere near the vividness.

MattCutts: "You would think, but people who don't patch their servers are often the sort that don't notice if they're not in the search results. Another problem is that site owners wouldn't know why they weren't showing up."

The problem is that these webmasters (the ones that won't notice their site has been removed from the results) won't notice the new warning either, and your average users not paying attention (which seems to be a lot these days, judging by how many people simply click "yes" to everything, including malware prompts), can ignore the warning and click on the result anyway. So nothing has been accomplished in this kind of situation.

I say just do a temporary delist straight way, send warning via WMT and/or admin email found via whois, and if the webmaster doesn't notice a severe traffic drop, then I don't think they are the kind to care about not being listed in the SERPs anyway (so everyone's happy, sort of). De-listing instantly (well, almost) removed when the site has been fixed.

As for webmasters not knowing why their site has been removed, that is a problem. Could Google do some kind of "Webmasters Tools lite" where you can get a quick diagnosis of the domain without having to have a full account? Sort of like the safe browsing diagnostic page, but easier to find (should be linked to from somewhere visible, with a link that maybe says "Webmasters: diagnose your website", and from the "why is my page not listed any more" FAQ page or something), and includes details about suspected problems on the domain (like malware infection, or suspected hacking).

Was searching for info on how much people trust their webhosts meaning the cs/level 3 techs etc. that have access at their host company. Its one of the reasons i use pro hosts. I'd rather pay more for established companies than startups or cheap hosts.
As i was searching, this old thread was at the top.

[webmasterworld.com...]



@MC
How about an opt-in for an automated phone message from Google rather than an email.

2 points i havnt seen clarified, or i missed

How many sites does Google see as infected at any given time?

Is there a rough percentage of how many innocently hacked sites VS malicious.

In fact, your proposal was the previous approach that we were using. At the same time, we would leave a message in the webmaster console and often try to email the site using email addresses that we could find on the site. What we found was that we weren't reaching the site owner as often as we wanted to. Many sites remained hacked for days, weeks, even months despite our best efforts to alert the sites through other methods.

You're not the internet police. It's not your responsibility to clean up the internet.

If the concern is the USER, then remove the site from the serps immediately. that fixes the problem doesn't it? And that's Google determing on their own what they want to serve to visitors.

Deciding you have some need to alert webmasters to problems, for sites that are no longer in the serps has nothing to do with the user. In addition, you are providing clearly negative commentary about someone's site. That's got nothing to do with a positive user experience, not when the alternative is to just remove the page/site.

In short, if the problem is in fact to look after the user, remove the site. If the problem is to notify the webmaster, well, why is Google making that their problem again?

Which is why some may be led to believe that Google's not doing what it's doing for the best interests of their visitors.

I just want to be sure and say I am not against the reasons Google is doing this, its great. The way its doing it however... just kinda wrong. I too will ask friends what they think of it, without bias. Most users, I'm sure, will think it's a great idea! They trust Google. Don't you agree?

In fact, if Google told me right now, false positive or not, that WebmasterWorld itself "Might Be Compromised", I would probably find a different place to read webmaster news and talk with other webmasters for a while. If I knew the owner personally and had a way to contact them, I would tell them immediately... If not, I would try to reach out to other webmasters and warn them, as well as tweeting and posting about it warning others of the possible danger, and the need to get the news to the owner.

But... I'm not your average user. Most will either etch the information in their mind and walk away forever, or completely ignore it and move on to the next site in the list. Either way, its a sum loss for the website owner. I'd also think its a sum loss for Google as well, since every site you DON'T have a warning message on, gets your unwritten Stamp of Approval!

Just imagine if a trusted guide in mobile phones, like AT&T or Samsung, listed all phones available, but put a small caveat next to Google Android phones that said: "Using This Phone May Compromise your Privacy". As a user, I would somewhat assume that the others didn't present any risk!

What then?

Great Idea, protecting your customers... but why not do it right? Remove the infected page links from your index (or at least strip out the hyperlink from serp's, since the exploits seem to be triggered by referrer), and if the webmaster doesn't figure out their site is compromised by the lack of visits, maybe it doesn't care to be indexed in the first place?!

MH

If Google is so concerned about it's users welfare and website owner's who's pages which "have been hacked and contain spam or malware" then explain this:

"Warez". 113,000,000 pages with no warning message.
"Torrent". 320,000,000 pages with no warning message.

No, this isn't about spam or malware and caring about Google users. This is about having the option of censoring a website for the made up reason of "spam" or "malware".

Because if that was true, Warez and Torrent sites would already be flagged with a warning, if not delisted.

Chew on that if you believe in the First Amendment.

QUESTION
Is it reasonable that Google is concerned to inform/protect users of/from potential problems?

ANSWER
I think most people would say yes - those that would say no need not participate in this discussion other than to voice complete opposition.

So that just leaves a decision to be taken best course of action.

I would say the first course of action should be to attempt to contact the webmaster (and from what Matt Cutts has said, Google seems to share this opinion) but if contact cannot be made some further action must be taken. So the argument should be broken down into several parts

1) How should Google you contact the webmaster (or host in some cases)?
2) How should Google protect users?
3) How should Google allow webmasters to contact them in order to ask questions and inform them that the problem has been solved.

Issue 1) has been discussed but it would be helpful if Matt told us definitively what methods Google uses otherwise it's impossible to know what other methods to suggest.

Issue 2) is guaranteed to be contentious but I'll throw in another suggestion...
From time to time we see a notice that results have been removed as a result of a DMCA complaint. Why not remove the results but put up a notice to that effect? This could include a link to a detailed explanation that also provides a link for webmasters.

Issue 3) is straightforward - but the method needs to be clearly visible.

Question for Matt Cutts
If Google can identify spam/hacked pages why not
a) negate any benefit the target might receive
b) publicise that you intend to do this automatically in future

This would remove the motivation of hackers/spammers to use these tactics. Surely that has to be worth doing.

Kaled.

Kaled. You're mixing two different goals.

Goal 1, the stated intent. Protect USERS.
Goal 2, the one you're talking about, notify webmasters.

They are not the same.

If the first one is the real goal, then there's no good answer that I've seen as to why they don't just remove the site from the serps. That protects users the best. Oh, and it incidentally is a pretty good way to notify webmasters.

They seem to have some other motivation to be doing what looks to be a shell game, claiming one goal, but focusing on something completely different. They're muddying the waters. I don't believe they're doing it deliberately, but I do believe they're suffering from hubris, that's why they can't differentiate between the two.

I must say that this initiative by Google is a very good one. I really don't understand the whole talk of "providing clearly negative comments on a site": how is that wrong? This is exactly the idea, to warn users that a site might compromise the system.

And I am saying this from two points of view :
(1) as a webmaster, if my site was hacked I want to know immediately and not wonder about why I am gone from the listings or have -950, that just creates confusion.
(2) as a user, I am tired of re-installing Windowses on about 10 different machines around me because they've gotten compromised.

Have you even looked at the service and the "safe Browsing diagnostics page"? It is genius, it tells you exactly what threat to look for. As an independent webmaster, I would have never discovered some of these threats.

However, I do agree that this solution of flagging sites can not be the only action taken. And from what I read here it probably isn't.

I think that G should do a combination of all we say here:
1) Immediately inform website through all available communication channels (Analytics, WMT, whois entries, hosting info, emails retrieved on the site...)
2) After informing, wait a few days. If no action, then flag site in SERPS.
3) After flagging site in SERPS, if still no action for a longer time, apply -YYY penalty. Keep flag in SERPS and advise through all channels why penality was applied.
4) After even longer time (like a year maybe), if site is still compromised, remove all together from SERPS and again advise through all channels.

That's got to be a good compromise, protecting both users and webmasters.

I really don't understand the whole talk of "providing clearly negative comments on a site": how is that wrong?

You'll figure out how wrong that comment is when Google mistakenly slaps that sticker on your listing.