by hsivonen 2389 days ago
I have been at the receiving end of German authorities reporting an uninfected server of mine to the hosting company as Avalanche-infected based on Shadowserver information. It was unpleasant, particularly because it happened a day before a family holiday, so my spouse was annoyed when instead of participating in preparations, I was researching what had happened and explaining my innocence.

Although my server wasn't infected, it had connected to a Shadowserver sinkhole.

While it's good that there are folks who work to sinkhole botnets, the next step of accusing others of being infected based on what the sinkhole sees needs more care. I'm disappointed that, evidently, my expression of these concerns to the German authorities three years ago hasn't led to a substantial change at the Shadowserver end.

As can be seen from your case (and mine), you can get blamed even if the software at your end of the connection wasn't the botnet software. Considering how a basic premise of the Web is that it's safe to dereference a URL and everyone runs software that does so (Web browsers!), it's a bad idea that Shadowserver doesn't require a narrower indicator of compromise.

There'd be less chance of folks weaponising this system against bystanders by framing them as botnet-infected if the Shadowserver Foundation sinkhole required the other end of the connection to exhibit more specific hallmarks of the botnet software.
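The distinction the comment draws, a bare connection to a sinkhole versus the specific hallmarks of the bot, can be expressed as a classifier over sinkhole request logs. The following is an added example written for this page; it is not Shadowserver's code or the commenter's, and the beacon hallmarks (the `/hb/` path prefix, the `hb-client/1.0` User-Agent), the log format and the sample rows are all constructed for illustration. It goes slightly beyond the comment by also requiring repeated, regularly spaced check-ins before a source is flagged, so that a single dereference of a URL by a browser or crawler, even one that happens to hit the signature path, is never enough on its own.

```python
"""Classify sinkhole hits: generic URL dereference vs. bot-like beaconing.

Added example, not Shadowserver's logic. Signature values and log rows below
are constructed; a real deployment would derive hallmarks from analysis of the
actual bot and tune the thresholds against known-good and known-bad traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Hit:
    ts: int          # Unix time in seconds
    src: str         # source address as seen by the sinkhole
    method: str
    path: str
    user_agent: str
    referer: str     # "-" when the request carried no Referer


# Hypothetical hallmarks of the sinkholed family (constructed for this example).
BEACON_PATH_PREFIX = "/hb/"
BEACON_UA = "hb-client/1.0"
MIN_BEACONS = 3          # require repeated check-ins, not one fetch
MAX_JITTER_RATIO = 0.25  # stddev/mean of inter-arrival gaps; bots poll on a schedule

# Constructed sinkhole log: tab-separated "ts src method path user_agent referer".
SAMPLE_ROWS = [
    # A browser following a link: matches the path, but wrong UA, has a Referer, one hit.
    ("1000", "198.51.100.7", "GET", "/hb/checkin", "Mozilla/5.0 (X11) Firefox/52.0", "https://example.net/links"),
    # Bot-like: signature path and UA, four check-ins exactly 300 s apart.
    ("1000", "198.51.100.9", "POST", "/hb/checkin", "hb-client/1.0", "-"),
    ("1300", "198.51.100.9", "POST", "/hb/checkin", "hb-client/1.0", "-"),
    ("1600", "198.51.100.9", "POST", "/hb/checkin", "hb-client/1.0", "-"),
    ("1900", "198.51.100.9", "POST", "/hb/checkin", "hb-client/1.0", "-"),
    # Signature matches but timing is irregular: not enough to report.
    ("1000", "198.51.100.12", "POST", "/hb/checkin", "hb-client/1.0", "-"),
    ("1150", "198.51.100.12", "POST", "/hb/checkin", "hb-client/1.0", "-"),
    ("2500", "198.51.100.12", "POST", "/hb/checkin", "hb-client/1.0", "-"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


def parse_log(text):
    """Parse the constructed tab-separated format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, ua, ref = line.split("\t")
        hits.append(Hit(int(ts), src, method, path, ua, ref))
    return hits


def beacon_like(hits):
    """True only if one source shows repeated, regularly spaced signature hits."""
    sig = [h for h in hits
           if h.path.startswith(BEACON_PATH_PREFIX) and h.user_agent == BEACON_UA]
    if len(sig) < MIN_BEACONS:
        return False
    times = sorted(h.ts for h in sig)
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= MAX_JITTER_RATIO


def classify(hits):
    """Map each source to 'likely-infected' or 'insufficient-evidence'."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h.src].append(h)
    return {src: ("likely-infected" if beacon_like(hs) else "insufficient-evidence")
            for src, hs in by_src.items()}


if __name__ == "__main__":
    for src, verdict in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{src:15} {verdict}")
```

Only `198.51.100.9` is flagged; the browser that merely dereferenced the URL and the source with a matching signature but no regular cadence both stay at "insufficient-evidence", which is the behaviour the comment argues a sinkhole should have before anyone is reported to their hosting company.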