Yahoo Search Security Beta Draws Complaints

A company says Yahoo's new feature incorrectly flagged its Web site and was slow to respond.

The beta version of Yahoo's SearchScan security feature has come under fire for false positives and other mistakes.

SearchScan is the result of a partnership between McAfee and Yahoo to improve the security of Web searches. The feature, powered by McAfee's SiteAdvisor, alerts users when sites contain spam, spyware, adware or other malicious software that could damage a PC.

However, since the beta was unveiled May 6, there have been some cases of false positives. A URL mix-up by Yahoo seemed to label as a malicious site. In another case, AnyCoupons, a Web site operated by 77Blue, was classified as a spammer. Though both issues have been resolved, the latter left a bad taste in the mouth of 77Blue CEO David Lewis, who complained that Yahoo and McAfee were slow to fix the problem.

According to Lewis, he discovered the problem the week of May 5 after getting a call saying 77Blue's paid-inclusion campaign had been taken offline by Yahoo because of the rating. After contacting Yahoo, he said he was told that only McAfee could address the issue by changing the ratings.

The rating was based on McAfee's finding that it had received several spam e-mails in a week in October 2007 after entering an e-mail address on the AnyCoupons site. Lewis claimed AnyCoupons did not send the e-mails or sell the e-mail address provided by McAfee.

He said AnyCoupons takes only an e-mail address and a password from members when they register, and the e-mails that came back to the McAfee inbox had subject lines containing the word 'SiteAdvisor'.

"We don't have any type of form on our site that somebody could have accessed, we haven't had any security breach that we know of, [so] there's no way it could have happened," Lewis said.

"Fortunately I write at a well-read blog ... Because I wrote there, McAfee decided to re-test on Monday, [and] changed us from a red alert to a yellow alert," he said. "Yesterday morning, Yahoo said that they saw that McAfee had changed the rating to be yellow, but Yahoo's escalation procedure would take one month before they would remove the alert and before they would put us back into paid inclusion."

Yahoo relented, however, and the alert had disappeared by May 15.

Priyank Garg, director of product management for Yahoo Search, said one of the reasons the company launched the feature in beta was that it was not sure it had caught all the issues.

"I think we've done a lot of work to make sure it adds value to the user experience right off the bat," Garg said.

Site owners can contact Yahoo or McAfee if they believe a site has been given an erroneous rating. By hovering over the pop-up bubble when there's an alert, the user can click on a link for site owner support, he said.

Garg would not discuss how much time it would take to address retesting issues raised by site owners.