No Longer a Caged Twitter Bird


Alfred Gatty, Public Domain via Reusable Art

I found out the other day that bobonbooks.com, which had been blocked on Twitter for about a month, is no longer blocked. I can post links from this blog page and when people click on links, they no longer get scary warning messages that suggest all sorts of nefarious things could happen if they went to my website (even though this never was an actual problem). I never received an explanation from Twitter as to why I was blocked, what I needed to do to get unblocked, nor that I was no longer being blocked. I simply observed that scheduled posts were now posting to Twitter.

My reaction? I was glad, sobered, and educated.

Glad. One of the main things I do on this blog is post reviews of books, particularly recently published books I’ve received from publishers to review. Tweeting my reviews to the publisher is one way of alerting them I have a review up (I often also email a link to publishers’ publicists). Publishers also like to re-tweet reviews they think will help promote the book. None of that was possible and the scary messages were wrongly discrediting my website. I’m glad all this has gone away, hopefully for good.

Sobered. I hadn’t imagined something like this could happen. I am careful to observe the Terms of Service on social media and any admin rules on pages where I post. I’d never had something like this happen before. One day, I simply discovered that although I could post tweets, I could no longer post any links, even in shortened form, from my site to Twitter. I discovered that the likely cause was a “false positive” report on my site that was filed at PhishTank, a blacklisting site used by many institutions to block “phishing” sites. These reports are not verified nor are website owners notified. I discovered that two other blacklisting sites subsequently had me on their unsafe lists, and I learned from some friends that my website came up with warnings or was blocked at their work computers. I don’t know why this happened. I do post material related to my religious beliefs. I wonder if that was the reason. Maybe it was just random. Whatever it was, it was a personal encounter with a dark side of the web.

Perhaps the most sobering experience was how long it took to get “unblocked” by Twitter. To the credit of the blacklisting sites, when I asked them to review my site, it took minutes to a day at most for them to change the status of my site to safe. I submitted a ticket to Twitter as well. It took a month for them to finally unblock the site. As I said above, I have no clue why I was blocked or unblocked. I was surprised and glad that I was able to post links to bobonbooks.com. My son had suggested I just give up, which I about had, because, in his words, “there is no upside for them.”

Educated. Here are some things I learned:

  • Technically, because my site is hosted on WordPress.com, “drive-by” attacks that post malware or phishing links cannot happen because of their security protocols. I doubt whether this is foolproof, but if someone hacks WordPress.com, there are potentially millions of us compromised. However, if an individual user is blacklisted, you are on your own.
  • If you host your own website, or it is hosted elsewhere, you do need to take the security of your site seriously. Make sure your software, virus and anti-malware software are up to date and running, and you have a good firewall. There are also companies that provide website and reputation protection. If you do business on your site, some form of this protection could be a good investment.
  • I now use Sucuri SiteCheck to check my site daily. It scans your site for malware and phishing links and also checks nine of the top blacklisting sites. It may not be foolproof, but it is a good line of defense and helped me discover blacklisting sites where I was blacklisted. Sucuri rates my site “safe” and not listed on any of the nine blacklisting sites it scans.
  • I revisited my own security practices and added dual authentication to my blog site. Anyone else logging on results in a text to my cell phone. I also clear spam comments, moderate commenting, and block spammers. Visitors to the site never see this.
  • While you can take steps to secure your site, it is still possible for your site to be wrongly blacklisted. Blacklisting sites only check your site if you ask them, and once you are blacklisted somewhere, it spreads to all who use those sites to protect their systems or end users. It can seriously affect your web traffic and your site’s reputation. It can happen to you! I’m not a big fish and it happened to me. I’ve learned it has happened to others.
  • Social media sites like Twitter currently can do what they want. They are not regulated. They have no obligation to offer live support. To have real people available for users with a problem that requires immediate attention may, in my son’s words, “have no upside.” If anything, the death of internet neutrality rules may make it worse. From what I can tell, Twitter can block any links or content it wants. Period. They have the final say. If you don’t like it, there is really no court of appeal as far as I can tell, other than public opinion. I honestly didn’t expect to get back on apart from buying a new web domain name. I’m glad something worked.

If you are a blogger or have a website, I hope this doesn’t happen to you. It can. I didn’t even know this could happen. Now I do. It is sad and disturbing that we spend much of our lives online guarding ourselves from those who might harm or defraud or troll us. If you see anything weird going on when you visit my site, let me know. You can be sure it is not intentional. I still love all that you can do and find on the internet. But it’s a far cry from when I first downloaded Mosaic and discovered the wonders of the web. I think those of us who still see this as a place for dialogue and discovery will have to fight to keep it that way. I’ve always said this site is about promoting conversations about the good, the beautiful, and the true. Perhaps what can keep us going against all the weirdness is the belief that somehow, it is the good, the true, and the beautiful that will endure.

I’m in the PhishTank

20180501_123429-EFFECTS

I learned yesterday that Bob on Books is considered a “suspicious” or “malicious” site by Twitter. I can no longer post links to the site there, although I can make other posts.

A chat session with WordPress support (whom I’ve always found helpful) indicated that I’ve been listed as a “phishing” site on PhishTank.com. Here is the link to the actual listing. WordPress itself found nothing on the site that is malicious or violates its terms of service and asserts that third parties can’t embed code or links on sites they host. No one who has visited my site has reported an actual problem. Phishing involves attempts to deceive you into providing sensitive information like passwords or credit cards under false pretexts in order to defraud. There is nothing like that on my site.

Apparently, on April 10, someone going by the username “prodigyabuse” listed Bob on Books as a phishing site. This individual has submitted over 11,000 sites. I found out that others “verified” that my site is a “phishing” site even though WordPress has examined the site and found nothing wrong, and it shows up trusted on Microsoft and Chrome browsers. I subsequently learned someone on a university computer couldn’t access my site, which I suspect is not an isolated incident. It’s likely that Twitter has based its “block” of content from Bob on Books on this site.

I’ve submitted “tickets” to both Twitter and PhishTank to rectify the situation. No response so far.

I find this deeply disturbing, because the effect of this is to suppress free speech. Apparently:

  • This can be done by a few individuals, working together or in sympathy.
  • There appears to be no actual verification by PhishTank or those who use their listings of the website. They rely entirely on user reports.
  • Site owners receive no direct notice of this action.
  • I could find no way to talk, even via chat, to an actual person either on Twitter or PhishTank.
  • There appears to be no protection against this.

No doubt there are actual phishing sites, but as it stands now, the burden of proof is on site owners that they are not phishing, when they learn this is going on.

If you register as a user at PhishTank and go to my link and click “something wrong with this submission” and follow the instructions, you can submit a report they say they will take “very seriously.” We’ll see, but I’d be glad for the support.

I’m wondering why this happened. There seem to be a few possibilities:

  • One is that some people just don’t like what I’m posting, which is particularly troubling.
  • A second is some spammer I’ve blocked is having his/her revenge. There is a lot of spam commenting, some of which contains links to “phish-y” sites.
  • That leads to something more sinister. It does appear that it is fairly common for hackers to hide files deep inside the WordPress software and files. I found a number of articles like this one describing the problem. Both the software in my version of WordPress’s JetPack and my own virus and malware software do not show anything, and I don’t use plug-ins that are most vulnerable to this. There are expensive services that will clean your site, and more robust security options are available with more expensive WordPress plans. WordPress.com asserts that it is not possible for malicious entities to embed phishing code or links on blogs hosted on their site (which is the case with my blog), but leaves it to their end users to deal with false reports. Seems like they would have more clout than I do.
  • Maybe this has to do with the cover photo (see above) I recently posted on my Facebook page, taken at our local aquarium. Maybe my fish tank picture got me in the PhishTank! Probably not but one must maintain some humor with these things.

Needless to say, this is unsettling. I love looking at fish in a tank or aquarium, but am not particularly crazy about being in one.