Thalasar Ventures

Warning Mashup Builders, Microsoft thinks you are phishing

I was testing my comparison shopping engine in the latest version of IE when IE informed me that it suspected my site was a phishing site and that I should be very careful. The page in question was Godzilla Destroy All Monsters. Why would my comparison shopping page trigger a phishing warning from Microsoft?


In order to find out, I referred to the Microsoft Phishing Filter FAQ. In response to the question “If I am a Web site owner, what can I do to help minimize the chance of my Web site being flagged by Phishing Filter?” Microsoft offers these helpful tips.

  • Use secure sockets layer (SSL) certification with a current server certificate issued by a trusted certification authority if you ask users for personal information.
  • Make sure that your Web page doesn’t expose any cross-site scripting (XSS) vulnerabilities. Protect your site by using anti-cross-site scripting attack tools.
  • Use the fully-qualified domain name. All domains should reverse to actual domain names, not numeric IP addresses. This means a URL should look like “microsoft.com” and not “207.46.19.30.”
  • Avoid using the @ symbol before the fully-qualified domain name in your URL. The @ symbol enables phishers to concoct deceptive URLs and is therefore immediately suspicious to Phishing Filter.
  • Don’t encode or tunnel your URLs unnecessarily. If you don’t know what this means, you probably aren’t doing it.
  • If you post external or third-party hosted content, make sure that the content is secure and from a known and trusted source.

Well, of those tips the only one that applies to that page is the last one. My comparison shopping engine is a meta-engine built on top of the web services layers of four separate shopping engines. That content is certainly secure and comes from extremely well-known sites, unless Yahoo, Amazon, eBay, and Shopping.com are blacklisted. Microsoft thoughtfully provides a form for reporting false positives. The form requires that you have a privacy policy and explain what data you collect and why. After filling out the form, I got this email about an hour later.

Thank you for contacting us about: http://www.earlymiser.com/product/B00008G8OA.
We have reviewed the information you provided regarding this website and removed the incorrect designation. We thank you for bringing this matter to our attention.
Please note that although we have removed the incorrect designation, it may take up to 24 hours for you to see this change reflected.
In the event that the incorrect designation persists beyond 24 hours from the receipt of this e-mail message, please let us know by replying directly to this message. Please do not reply unless the problem persists.

That’s certainly something to watch if you are designing a mashup. Mashups by definition hit quite a few external data sources, so you need to keep this in mind. If your users are getting this message, it can certainly hurt adoption, so have a clear privacy policy and periodically check your site.
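One cheap way to do that periodic check is to run your own outbound and product URLs through the URL-shaped heuristics from the FAQ list above (numeric IP host, an @ before the host, and needless percent-encoding). The script below is an added example written for this post, not Microsoft's code; it approximates the three listed rules and does not claim to reproduce the actual Phishing Filter logic.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# RFC 3986 "unreserved" characters never need percent-encoding, so an
# escape that decodes to one of them is the "unnecessary encoding" the FAQ warns about.
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~")


def needless_escapes(text: str) -> list:
    """Return percent-escapes in text that decode to unreserved characters."""
    return [m.group(0) for m in re.finditer(r"%[0-9A-Fa-f]{2}", text)
            if chr(int(m.group(0)[1:], 16)) in UNRESERVED]


def url_warnings(url: str) -> list:
    """List which of the FAQ's URL heuristics the given URL trips (empty list = clean)."""
    parts = urlsplit(url)
    warnings = []
    if not parts.netloc:
        return ["no scheme/host (not an absolute URL)"]
    # Tip: avoid "@" before the domain; "http://microsoft.com@1.2.3.4/" really goes to 1.2.3.4
    if "@" in parts.netloc:
        warnings.append("userinfo '@' before host")
    host = parts.hostname or ""
    # Tip: use a fully qualified domain name, not a numeric IP
    try:
        ipaddress.ip_address(host)
        warnings.append("numeric IP host")
    except ValueError:
        pass
    # Tip: don't encode or tunnel URLs unnecessarily
    if "%" in host:
        warnings.append("percent-encoded host")
    if needless_escapes(parts.path + "?" + parts.query):
        warnings.append("unnecessarily encoded path/query")
    return warnings


def check_site(urls) -> dict:
    """Map each flagged URL to its warnings; clean URLs are omitted."""
    return {u: w for u in urls if (w := url_warnings(u))}


if __name__ == "__main__":
    # Constructed sample: the post's own product URL plus two deliberately suspicious shapes.
    sample = ["http://www.earlymiser.com/product/B00008G8OA",
              "http://microsoft.com@207.46.19.30/login",
              "http://example.com/%61%63%63ount"]
    for u, w in check_site(sample).items():
        print(u, "->", ", ".join(w))
```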
