I recently noticed that my Tripod web site had been suspended “because of a phishing attack and or possible identity theft attempt”. I don’t have much more to say about because a casual glance at the site should make apparent that this claim is patently false: for one, I’m pretty sure the site was last touched before the term “phishing” was even coined, and at no point has it ever contained any content that could possibly be construed as a phishing attack.

This both astonishes and bemuses me, since it should be immediately obvious to anyone who so much as glances at the site that it’s not masquerading as any kind of business or requesting any kind of personal information at all. That said, I’m mostly curious as to what kind of response this will get me, and whether anyone will be able to illuminate the doubtlessly ludicrous grounds for the suspension. I would like to see the site put back up since, after all, I didn’t take it down myself, and the idea that it facilitated any sort of identity theft is so laughable a claim that I can’t possibly believe any human could have investigated it.

Hello and thank you for contacting Lycos support. I apologize for the delayed response.

If you have an old site and the script is not up to date, it will be very vulnerable to attacks. In this case it appears as though your account had malicious code inserted, which is not always obvious when browsing the site as it is the site code itself that is the source of the problem. Unfortunately this is the case with your account which is why we have closed it.

If you would like to bring your site online again simply sign up a new account and upload a backup your web files.

I do understand your frustration in this matter but we have no choice but to close any hacked accounts as they threaten the security of all accounts on our server, as well as cause a number of other obvious problems.

If you have any further questions or concerns, please let us know.

[name redacted]
Lycos Customer Service
http://help.lycos.com

Hi [name redacted],

I appreciate your response, but I must confess that I’m confused. For starters, I was not using any server-side scripts of my own on my site. (To be sure, I would have liked to, but the particular scripts I had wanted to use were unable to run on Tripod’s servers because of—ironically enough—security concerns.) The closest anything on the site came to that, as I recall, were some pages created with FrontPage that would have used extensions installed on your servers—but those would have been maintained by Lycos, not me, as I had no access to those server-side components. Thus if there were any malicious code inserted on my site by “the script,” it would have had to have been caused by security vulnerabilities in code that was neither uploaded nor maintained (nor maintainable) by me.

Second, the notion that you must “close any hacked accounts as they threaten the security of all accounts on our server” reads like a weak excuse—I’m not sure whose policy that is, but whoever approved it appears to not understand basic principles of security. Any reasonable server configuration would isolate the security of other users’ accounts from that of my own; else there would be nothing stopping me from intentionally adding malicious code to my own site so that I could maliciously subvert the security of other accounts on your server. I don’t imagine that that would be possible, and if it is, that’s again indicative of security vulnerabilities of your own that are entirely outside my own control. If I am somehow mistaken in the assumption that my site could not actually pose any security vulnerabilities to other accounts on your servers, I would encourage you to forward my comments to whoever would be in the best position to audit your own security practices.

Furthermore, your suggested remedy that I create a new account from a backup is fundamentally flawed: if I were running vulnerable scripts on the first account, they would obviously still be on the second account, since I’ve been given no indication as to how this malicious code (which I haven’t even been able to look at myself) was allegedly added to my site. (Throw in the fact that I wasn’t running any scripts at all and it makes matters doubly confusing.) In addition, creating a new account necessitates using a new web address; since Lycos would still be hosting the site, it’s unclear to me how hosting a potentially vulnerable site at a different address would be anything other than an inconvenience for me and whatever visitors I may have had while providing no benefits to Lycos or “the security of all accounts on [your] server”. Lycos’ policy in this regard seems as though its biggest advantage is that it rewards the efforts of malicious hackers by permanently rendering their victims’ sites inoperable.

Thanks for your time.

Comments (0) | Geekish,Snark