Well, no, it wasn't, but you're right, I was extremely frustrated, especially since I couldn't get the verification to work for over two weeks.
Anything that is filled in on any of my sites comes to me and I've never gotten anything from SiteAdvisor (that I know of) and it was looking very much like an error on their part. I absolutely loathe spam and I was very irritated when it seemed as if no one was listening or taking note. For example, I received notice from my host that mail that was sent to me from people commenting on my weblog wasn't sent because I was exceeding the 200 messages per hour. I immediately sent in a support ticket, because I was horrified that someone might be spamming using anything on my website. It turned out that the CP included with my hosting had recently been updated and a needed patch hadn't been installed. There wasn't any mass email going out, but if there had been, I wanted to put a stop to it as soon as I could.
I was also going through some stuff with my mom (she wasn't doing well on Christmas, she hadn't been eating for some time, I got her to the doctor after New Year's, she was admitted to a skillled nursing facility where she died on the 20th of last month, she was only 76) and this problem with SiteAdvisor's rating was just icing on the cake.
Maybe if they clarified the retesting process in more detail, like the length of time it took to rectify and gave more ways of what the problem might be (I don't consider a guestbook a mailform; it was the "mailform" that threw me), the webmasters out there who feel as if they've been incorrectly rated, wouldn't be so frustrated when trying to get some help and cooler heads might prevail. I know I'd certainly have not been so upset.
Your website has been retested and rated green. Thank you for your posting and bringing this to our attention. I've made sure the correct people have been made aware of your concerns and experience with the feedback system. The SiteAdvisor team strives for excellence but your experience has exposed some areas where improvement is needed.
angiev: "This to me sounds like there may be a person sitting behind a desk and actually manually going out and 'testing' sites. There are all types of room for error here. If McAfee wants to be the authority on this, they should have reproducible, automated testing."
There are two aspects of SA: Automated testing. And human reviewers. But the reviewers cannot change a rating, only suggest it...
The information on the rating for angiev's site -- as far as spam received after signing up -- is pretty damning. There's no way you should be getting penile enlargement spam after registering at a real estate site.
The question that occurs to me is, can a spammer have randomly guessed the email address that McAfee entered on angiev's site? I assume there is some unique identifier McAfee uses to tell which site is responsible for which spam. Is there a pattern to it that can be guessed, given the fact that spammers don't care how many non-existent addresses they guess? After all, the bounces go to the forged "from" email addresses, not back to the spammers. Anyone on aol knows that spammers don't hesitate to send to every possible permutation of addresses on popular domains.
When angiev sends out her emails to users who have signed up on her site, does she use blind carbon copy (bcc)? Or like so many small businesses, are all the emails of all the recipients visible in the headers, so every recipient's address book will have a copy? If any one of those users gets an email worm, every email address recorded will start being used as a "to" or "from" address on emails as the worm is sent to new machines. Or if angiev's email newsletter is particularly informative, a recipient may forward it to other people with all the other recipients' email addresses included. A lot of people could end up with that secret McAfee email address that way.
The other possibility is that the addresses are stored on a machine that has been compromised. I have been submitting to VirusTotal some of the malware from links I'm spammed with. If 50% of the antivirus programs detect a malware program, that's considered pretty good. I submitted two yesterday: one was detected by nine of 32 programs, the other by only six, and it wasn't just the free antivirus programs that were missing them. The malware was from sites that the antivirus folks can find just as easily as I can, but the fully updated programs still can't detect it.
The point is, malware is constantly changing and there is a delay between when a new variant arises and when it can be added to updates of AV programs. You can have a fully updated antivirus program and still get infected, and once infected, malware programs may download their own updates to continue to avoid detection. Some load themselves early enough in the Windows boot sequence that basic antivirus programs don't see them at all (rootkits). So angiev does need to consider the possibility even if she has been a responsible user. And if the information is stored on a computer not under her control, such as her website server, there are even more possibilities for mischief.
For your own computer, you can get free help with a full evaluation of your systems at Castlecops, starting at http://wiki.castlecops.com/MRP . Once that basic cleaning procedure is completed, if there is still any problem, specially trained volunteers will help on the forum, also for free.
What is McAfee's methodology for testing? Their 'detailed analysis' indicates that,
"We typed our e-mail address into the forms we encountered while surfing crye-leike.com's web site. Since then, we've been receiving an average of 5 e-mails a week, with an average SpamAssassin score of 12."
This to me sounds like there may be a person sitting behind a desk and actually manually going out and 'testing' sites. There are all types of room for error here. If McAfee wants to be the authority on this, they should have reproducible, automated testing. They should also be more transparent with how the testing is carried out and what the re-testing process is etc. They should also have at the ---minimum--- basic support... such as responding to email, taking phone calls etc.
Sounds like this whole program was just slapped together. Little thought given to accuracy of the results and how such a product would be supported. Better to just be able to say they have it.
On the thought that the computer possibly being comprimised, the machines that have this data are directly under our control and there is no indication that the machines have been comprimised.
When we email customers who contact the company through the web site... we do not use blind cc, we do not put all the email addresses in visible headers either. We send individual correspondence to each person as necessary to help them with their transaction. The scenarios of someone seeing another's email address in the to field etc would not apply.
I maintain that McAfee has made an error of some type. If they are going to give a site a 'bad reputation' with a big red warning sign, they need to produce a program with more legitimacy - proven results - methods for correction - and support.
It is absolutely wrong what McAfee is doing to damage reputations of web sites with total abandon and disregard.