Notepad++: Help us to take down the parasite website

skilled
24 replies
6h13m

At least in its current state, notepad.plus does redirect to the official website when clicking the download button. The site itself is mostly an AI generated mess, on top of that - its rankings are manipulated by articles like this,

https://mycours.es/gamedesign2016/2023/03/21/quick-and-easy-...

https://www.bacsitannhang.com/how-to-install-notepad-on-ubun...

There are a few hundred of them but nothing overly crazy. Most of these articles look like a traditional "link pyramid" network.

But I am surprised that the site hasn't been penalized by Google yet. All the signs are there that it is a bullshit site. Looking at the current rankings[0], it appears that the site is surging also. That's around 120,000~ Google clicks monthly based on my own estimates. Don probably has the numbers himself also as far as referrals go.

[0]: https://i.imgur.com/SvOjalu.jpeg

nebulous1
9 replies
5h49m

So the site is clearly parasitic, doesn't add anything and detracts from security. The term "malicious" does imply a little more to me though, like it's actually serving me altered software.

I guess the question is whether doing this (injecting yourself into the download flow for an open source piece of software and profiting via ads while doing so) is "malicious". I can see an argument that it is, as at the very least the site very much looks like it's the official site unless you read the small print.

I don't get the ads on that site at the moment. I assume they are the fake download button type of ad?

In any case, we can fight this particular site, but as you point out if this is generated content then I don't see how we're going to manually fight the coming onslaught of similar endeavours, so if the search engines can't keep generated content off their results (and so far they haven't been able to), it's going to be an interesting few years.

cnity
2 replies
5h40m

Your definition of maliciousness is basically user-centric, rather than provider-centric. It is malicious from the perspective of the maintainers of N++ because it robs them of the ability to control their image for the users who find the product through the parasitic page (which is obviously a worse UX).

benlivengood
1 replies
5h29m

In light of the long-term effort to subvert xz and get a backdoor into sshd it's feasible that these kinds of malicious sites have a second agenda; become popular enough as search results for a Free product to serve backdoored download links selectively or wholesale once they get enough traffic.

Regardless of intent, the low-quality ad networks sites like that serve routinely serve fractional malware ads anyway (focus-stealing alert()-style "you are the 100,000th visitor" or "malware detected on your device" garbage).

cnity
0 replies
5h15m

Yes, though I was trying to expand the definition of malicious to include GPs own terms. Even if that never happened, the current situation is already malicious because the site erodes at the trust factor of the victim site in exchange for ad revenue.

cbozeman
2 replies
5h43m

I guess the question is whether doing this (injecting yourself into the download flow for an open source piece of software and profiting via ads while doing so) is "malicious".

Yes. It's malicious. You're trying to earn money - in this case, ad revenue - on a piece of software with which you have nothing to do whatsoever. It's not only malicious, it's disgusting. I would state how I really feel, but dang would ban me.

baobabKoodaa
1 replies
5h35m

Yes. It's malicious. You're trying to earn money ...

No, please stop trying to redefine words. That's not what "malicious" means.

I agree with you that this website is disgusting and needs to be taken down (as in "down from google") because there's a very real risk that the unscrupulous owners of the website _will eventually serve malicious software_ to juice their profits. But simply serving ads is not what the word "malicious" means.

birdman3131
0 replies
5h28m

Given the number of full screen ads claiming my computer is infected I have run across, just serving ads is often enough to count as malicious. (Not saying all sites do that but I have seen it often enough.)

mirekrusin
1 replies
5h41m

It may redirect for 99.99% of users for example. Or only for ip ranges that are not relevant targets.

Flammy
0 replies
5h30m

Yeah my thought was similar: One day in the future its current behavior changes once it has built up enough traffic...

afavour
0 replies
5h13m

The term "malicious" does imply a little more to me though, like it's actually serving me altered software.

Just because it doesn’t today doesn’t mean it won’t tomorrow. Be “legit”, get links to your site, rise in the SEO ranks. Then maliciously alter the software.

throw_m239339
4 replies
6h6m

How did you find the backlinks?

skilled
3 replies
6h4m

Using this,

https://ahrefs.com/backlink-checker/

I use it a lot. It's great to find dev resources, hidden gems, sites that talk about a specific topic, etc. It does have a limit (100 links), but for purposes such as this one - it is an absolute must-have bookmark for me.

nolok
1 replies
5h56m

There used to be a link:url thing in Google itself but it doesn't seem to be working that well anymore, like many things on Google search besides classic casual user search.

paledot
0 replies
3h7m

Casual user search works well on Google these days? That's news to me.

candiddevmike
0 replies
5h40m

Very neat tool, and I'd love to pay for the actual product but $100/month is too much unfortunately.

2-3-7-43-1807
1 replies
5h54m

But I am surprised that the site hasn't been penalized by Google yet.

I'm not really surprised at all.

DaiPlusPlus
0 replies
5h48m

A site like that surely can’t be doing more than $50/day in Adsense revenue - methinks - probably less given how the same audience will be using adblock

rpigab
0 replies
5h27m

I love that you can find other adjacent s[cp]ams by looking at the other articles on mycours.es by the same author. Learn "Why you should play at a mobile casino", read reviews on cialis, viagra, ivermectin, in Italian, also there's some code that looks like actual Brainfuck (but that might be obfuscated js) at the end of one of these articles, because why not.

https://mycours.es/gamedesign2016/2023/04/20/miglior-prezzo-...

This ivermectin article from april 2023 looks legit, it seems to be part of a section labeled "gamedesign2016". Might be a small mistake.

They say the internet's dead, I say it's flourishing, look at how easy it is, you can upload anything, make mistakes, it still "works". Some LEDs are blinking, everything looks alright to me.

larschdk
0 replies
5h39m

You don't know that they do. They did redirect when you tested, but they may not for everyone. They could easily selectively download-snipe anyone they have identified by IP address or even regional. Big security threat.

krisoft
0 replies
6h0m

At least in its current state, notepad.plus does redirect to the official website when clicking the download button.

I’m sure you know this, so i will just state the obvious: the concern is that it might change in the future, or alternatively it might serve a different link if and when some finger printing indicates it.

forgotpwd16
0 replies
5h33m

But I am surprised that the site hasn't been penalized by Google yet.

I am not. Google searches nowadays suck.

dylan604
0 replies
4h54m

Does Google actually punish sites that are generating clicks? From a layman's point of view, Google only punishes sites that do not play the SEO game and tries to live organically.

callalex
0 replies
5h45m

The site is down now so I can’t confirm, but I assume the site serves ads, which means Google is happy to have people visit it and profit.

Lockal
0 replies
46m

The earliest Web Archive snapshot of this website is from 2020, and back then it looked almost the same, so it is not a "new era" AI generated garbo.

However, in 2020 the same `/download` link returned some executable. Probably it still does the same (because there is no point in making such links when you can make a direct link), but it returns different content based on geography/cookies/etc.
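The practical answer to "the link may serve a different file to different people" is to check the bytes you actually received against the checksum list the project itself publishes, whatever site handed you the file. The following is an added example, not code from Notepad++ or from this thread. It assumes the project publishes its release checksums in the common sha256sum format (`HASH  FILENAME`, one entry per line); the installer bytes, the filename and the checksum list below are constructed stand-ins so that the example runs offline.

```python
import hashlib
import hmac
import re

# Constructed stand-ins (NOT a real installer, NOT a real release checksum list).
# The filename is hypothetical; a real run would use the downloaded installer
# and the checksums file fetched from the official site.
INSTALLER_NAME = "npp.8.6.5.Installer.x64.exe"
INSTALLER_BYTES = b"MZ" + bytes(62) + b"constructed, not a real installer\n"
TAMPERED_BYTES = INSTALLER_BYTES + b"\x90"  # one byte appended = different file

# sha256sum line: 64 hex chars, whitespace, optional '*' (binary mode), filename.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_checksums(text: str) -> dict:
    """Map filename -> expected sha256 (lowercase hex).

    Blank lines and '#' comments are ignored. A line that does not match the
    format is skipped outright rather than being guessed at, so a mangled
    entry can never end up attached to the wrong filename.
    """
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.match(line)
        if m:
            out[m.group(2)] = m.group(1).lower()
    return out


def verify(data: bytes, name: str, checksums: dict) -> bool:
    """True only if `name` is listed and `data` hashes to exactly that value.

    An unlisted name is a failure, not an exception: a parasite site renaming
    the file must not cause the check to be skipped. compare_digest is used so
    the comparison does not leak how many leading bytes matched.
    """
    expected = checksums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Constructed checksum list in sha256sum format. In real use this text must come
# from the official site, and its detached GPG signature must be checked first
# (gpg --verify <list>.sig <list>); a parasite can trivially publish a list that
# matches its own modified binary.
CHECKSUMS_TEXT = (
    f"{sha256_hex(INSTALLER_BYTES)}  {INSTALLER_NAME}\n"
    f"{sha256_hex(b'another constructed artifact')} *npp.8.6.5.portable.x64.zip\n"
    "# trailing comment line, ignored\n"
)

if __name__ == "__main__":
    cs = parse_checksums(CHECKSUMS_TEXT)
    print("genuine bytes:  ", verify(INSTALLER_BYTES, INSTALLER_NAME, cs))
    print("tampered bytes: ", verify(TAMPERED_BYTES, INSTALLER_NAME, cs))
    print("unlisted name:  ", verify(INSTALLER_BYTES, "renamed.exe", cs))
```

The important caveat is in the comment above `CHECKSUMS_TEXT`: a checksum only tells you that the file you have is the file the list describes, so the list itself has to be obtained from the project's own site and its signature verified. A checksum served next to the download on the parasite site proves nothing.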

danpalmer
11 replies
6h12m

This sucks and I hope the website can be taken down. However I'm not sure reporting it as malicious is the right option here, it depends. This post doesn't indicate whether the site is distributing malware, and the point of the Safe Browsing report is specifically to identify malware, not just sites doing shitty things.

I suspect a trademark based appeal to the hosting provider would go further towards getting the site taken down.

That said, the offending site appears to currently a) return an invalid certificate, and b) return no content even if certificate warnings are bypassed. If these continue I doubt the site will be listed on search engines for much longer.

unstatusthequo
10 replies
6h6m

A lookalike site carefully curated to rise in search result ranking over time can trivially start delivering malware at any point. It happens enough that it’s warranted here. No reason not to report it for many things. It’s illegitimate and has no right to protection.

gunapologist99
3 replies
5h48m

Any website can deliver malware at any point. Should we report them all?

If we start predicting that they will, we've turned the internet into minority report. Just because people are jerks and making money off deceptive ads doesn't specifically mean they're going to start serving malware.. it just means they're jerks.

earthnail
1 replies
5h29m

No, but in this instance it’s so clearly targeted at a particular program that it really starts becoming dangerous for the makers of said program.

Not all third party download sites are evil. But this one is in the very dark gray area. It is correct to report it now as a threat before something bad actually happens.

danpalmer
0 replies
5h5m

Report it as what, and to who?

If you report it as distributing malware when it doesn't it's just crying wolf, and will only take up time from actual malware reporting, or make this less likely to be classed as malware in the future if/when it does distribute it.

Reporting it as trademark infringement to the hosting provider under the DMCA is most likely the best course of action, the one most likely to lead to a take down. That's assuming there's a trademark on Notepad++.

PurpleRamen
0 replies
4h50m

It's a matter of probability. It's unlikely that an original project will start becoming abusive on its own, especially if it has a long history of trust. Someone unrelated, who is just hijacking others' fame and has built no trust of their own? More likely. And if it's just a throwaway ad-farm that was set up once, it's likely not to receive much care. So there is a higher chance that a hack of the site will go unnoticed for a long time, or that the owner will just sell it at some point to a malicious actor.

Anyone who has been on the internet long enough has seen such things happen more than enough, so many people have a legitimate lack of trust toward those sites.

danpalmer
2 replies
5h54m

It can also... not deliver malware. The point at which it would be of interest to Safe Browsing would be the point at which it starts delivering malware, and reporting it before then is only going to create false positives that could make it harder to report if/when it did start distributing malware.

The Safe Browsing project is not about judgement calls on whether a website is a good citizen or not. The whole point is to have a global database of obviously bad stuff that is not about any sort of editorial control, curation, etc. That way it's a clear win for browsers to implement, and there's little criticism that can be levelled against it for preferential treatment etc.

Cloudflare's Radar seems to have a different scope, and may be a more appropriate place to report this site.

Chabsff
1 replies
4h48m

Fraudulently pretending to be a trusted authority (trusted enough to click a download link clears the bar) is sufficient to get flagged as Social Engineering, under the deceptive content category, by Safe Browsing. See https://developers.google.com/search/docs/monitor-debug/secu...

danpalmer
0 replies
4h32m

Ah, interesting, this is still under Safe Browsing, but it's distinct from the malware reporting that the blog post directs people to. Reports for this would get the site classed as deceptive (which it sounds like it is), but not for malware distribution. That sounds like a good option, perhaps the best option for the Notepad++ blog post to direct people to.

Fortunately/unfortunately I still can't load the site on any device or browser so I'm not actually sure what it looks like or how obvious it is.

Zambyte
1 replies
5h51m

notepad-plus-plus can also trivially start delivering malware at any point btw.

baobabKoodaa
0 replies
5h33m

Sure, but we both know the odds of the scam website delivering malware is about 10000x higher than the odds of the real website delivering malware.

EasyMark
0 replies
2h48m

reporting it to google as a shitty link is one thing, reporting it some place that is used for reporting malicious (aka dangerous) software sites seems wrong to me.

vbezhenar
5 replies
5h49m

I don't understand what's wrong with that site and why should it be taken down. It does not claim being an official website. Notepad++ is open source so anyone can distribute it.

duxup
1 replies
5h45m

I think the concern is that it climbs the search rankings and then decides to redirect elsewhere. Unfortunately this is not an unusual pattern / has been seen before.

It already is pushing malicious ads on it. THAT is a problem already.

HDThoreaun
0 replies
5h42m

How are the ads malicious?

baobabKoodaa
1 replies
5h31m

A mysterious man ringing your doorbell at night while holding a knife has not done anything illegal, but the odds that they do something bad is high enough to warrant action.

datavirtue
0 replies
5h23m

That's provocation.

bilekas
0 replies
5h46m

It's deceptive and there is no reason to believe that after some more backlinks are generated by being deceived, that the owners of the fake site wouldn't change the download to their own modified version.

It's a security nightmare and overall just scummy behavior.

hermitcrab
4 replies
6h9m

Reported. Down with parasites.

BTW I've used Notepad++ for years. Great piece of software.

jmkni
3 replies
6h3m

Definitely one of the main things I miss from Windows

That and Paint.Net

joshstrange
2 replies
5h51m

Not sure if you saw this posted a week or so ago but you might be interested:

NotepadNext - A cross-platform, reimplementation of Notepad++

https://news.ycombinator.com/item?id=39854182

jmkni
0 replies
5h47m

Nice I'll check that out

hermitcrab
0 replies
2h57m

Thanks. Currently I use Notepad++ as my general text editor on Windows and Brackets on Mac. Brackets is fine for my use, but a Mac version of Notepad++ is definitely worth a look.

Maxious
4 replies
6h15m

Asked chatgpt

To determine the real websites for downloading Notepad++, you should primarily rely on the official website and reputable sources. The official website for Notepad++ is "notepad-plus-plus.org." Be cautious of websites that may mimic the official site or offer downloads from third-party sources, as they could potentially be scam websites or distribute malware. It's always safest to download software from trusted sources to avoid any security risks.

Google could do this. They don't. How the mighty have fallen.

mkoryak
1 replies
6h7m

Gpts hallucinate, imagine the uproar if Google did this and gave fake results..

joshstrange
0 replies
5h53m

And how would that be different from the shovel blogs or sites that scrape and repost stuff from SO/Github issues already?

I mean I understand how it’s different but what I’m trying to say is Google often returns trash as-is. Even their quick answers/answer box thing is wrong from time to time.

lukan
1 replies
6h3m

"Google could do this"

Do what exactly? Offer a llm answer to every prompt that might be correct or not? No worries, soon they will, but I do not see how it will solve the problem.

LeonB
0 replies
5h53m

They already use LLMs to generate the questions other “people” are asking — and blatantly lie that the source of these is from real people.

They (google) also claim to be the source of the MC Hammer song “U Can’t touch this” (amongst countless other falsehoods)

Google has slipped from “slightly worse than it used to be” into a nosedive toward being AOL.

ClassyJacket
4 replies
6h2m

Part of the problem is that the spam website has a less spammy sounding domain than the legitimate website

djur
3 replies
5h52m

What makes you say that?

bool3max
2 replies
5h47m

Dashes ("-") have a bad reputation when it comes to domain names. How many official domain names for big established products can you think of that have dashes in the domain?

robin_reala
0 replies
5h25m

www.experts-exchange.com have been around for ages, although originally without the dash to be fair.

Also, www.harley-davidson.com is redirected to from www.harleydavidson.com

SapporoChris
0 replies
5h42m

I would guess that some see dashes as a negative.

master-lincoln
3 replies
5h27m

Is there any moral difference to this practice compared to distributing affiliate links for online shops?

navane
1 replies
5h18m

A moral difference? What even is that? Amazon wants you to put out affiliate links, npp wants you not to. So one is with consent, the other without. Consent is the moral difference?

master-lincoln
0 replies
5h2m

Apparently you understood what I meant with moral difference, so I don't think it needs to be explained. Consent from the vendors is a good moral difference from the perspective of the right owner, thanks.

robjan
0 replies
4h4m

The analogy would be creating a site called amazon.org, providing an e-commerce like experience then redirecting people to the real site once you go to the shopping cart.

smcdiggles
2 replies
5h37m

So, I just googled notepad++, then scrolled down to just the link. I didn't click it. However, I enable regional blocking for my home router which blocks traffic for certain countries and I just got a notification that it blocked traffic from notepad.plus. Without even clicking on it.. I am guessing this is Google's fault with fetching some sort of data while loading the search page, but thought it odd.

gordonfish
0 replies
5h20m

It could make sense if it's checking for robots.txt or so, though I'm not sure if it does that each time search results load, and I would have thought that that would be conducted from the server side rather than the client side.

Are you sure you don't have some browser extension that does some checks/inspection/etc of links?

max-m
2 replies
5h56m

The bsnes emulator has a similar problem. The official "website" is the Github repository at https://github.com/bsnes-emu/bsnes/ but some unknown entity has snagged bsnes.org and is now also publicly linking to SNES ROMs they host on Github (Github doesn't care, you can report those repositories as much as you want. If you're not a rights holder they won't do anything).

cbozeman
1 replies
5h32m

Another part of this is the rise of search, period.

Back in the Ancient Times, when "search" sites were in fact directories of sites, not unlike the Yellow Pages, you had categories and listings.

I've been using The Emulator Zone since 1997. Long before Google, and found them under Yahoo's "Games" category. Since they've been around for over 25 years, I trust them. They often do grab the software from repositories and make it easily available. The site does have ads, but I haven't encountered a malicious one. It's all for stuff I actually use (Microsoft Azure, fragrances from House of Creed, and Hertz Car Rental right now), so I have a little leeway with these people, but TEZ has never actively attempted to obfuscate or confuse the reader unlike this site and others like it.

max-m
0 replies
4h41m

Pages like TEZ or the "Awesome XYZ" list repositories that have become rather popular on Github are perfectly fine. Those are great hubs to get a grasp of what's available. Sometimes they are a little out of date, but if you're interested enough you'll find the up-to-date information by yourself :)

But these parasitic pages that pretend to be official (project) pages should be purged. :/ For now they might link to original releases, but they could very well switch to malicious downloads from one second to the next after having gained enough "trust" and traffic.

And that *unofficial* bsnes site reflects poorly on the emulation community because they actively promote downloads of game ROMs hosted (practically) on their website because they control the Github repository the games are uploaded to.

emXdem
1 replies
6h10m

Cloudflare typically doesn't do anything unless you get lawyers involved in my experience.

baobabKoodaa
0 replies
5h33m

...unless the website happens to become a pet peeve of the higher ups at Cloudflare

zzzeek
1 replies
5h29m

Ironic that an app whose name itself was co-opted from the Microsoft product name now has to deal with someone else re-co-opting that same name.

earthnail
0 replies
5h26m

That’s not a fair comparison. The notepad++ owners wrote a piece of software (and an amazing one too). This owner did not write a new notepad fork.

pixelpoet
1 replies
5h21m

Funny thing, after you report the ad-riddled site, you get taken to a spartan confirmation page which reads:

~~~

Thanks for sending a report to Google. Now that you've done your good deed for the day, feel free to:

1. Take a second to rejoice merrily for doing your part in making the web a safer place.

2. Make sure you have upgraded your web browser to the latest version, and that you have applied the latest patches for your operating system.

©2007 Google

~~~

Yeah, that really does sound like old-Google, before they (and advertisers, and mobile phones) killed the internet. RIP :(

doublerabbit
0 replies
5h7m

On the chance that your report has probably been sent to the year 2007 too..

Caused by the timeless time holes Google creates by not archiving creation dates of an article.

jacamera
1 replies
6h9m

Did the site owner remove the malicious ads since this was posted? I wanted my report to count so I didn't use the link in the blog post and instead googled for "notepad++ download" and clicked on the offending website which was ranked third for me. I didn't see any ads on any pages. I don't doubt the complaint but some screenshots and timestamps would be helpful since it's so easy for the site owner to cover their tracks.

la_fayette
0 replies
5h57m

Looking into dev tools it seems the code for ad display is there, but a 403 is currently blocking loading it from google...

forgotpwd16
0 replies
5h26m

That explains why putty.org has links to Bitvise. At least they aren't serving ads (though the links are essentially ads) and Bitvise kinda good.

deron_cs
1 replies
5h52m

On that Domain.

If you Google-search for OpenOffice in Germany you get a Website distributing Badware. It used to be the first result, now its the second. (openoffice.de) I always wonder why that site is still up.

RNAlfons
0 replies
5h34m

IrfanView has the same problem.

cm2187
1 replies
6h0m

Avoiding murky download websites is the biggest benefit of using a package manager like chocolatey (along with the ease of setting up a new machine or updating all packages).

throwaway290
0 replies
5h7m

Yep. For all people say there are benefits to centralization & trust

EasyMark
1 replies
2h50m

I can see why this site is a net negative and a distraction from the real site, but how is it malicious? Is it taking users to places to download spyware/viruses? We've had ad farm pages for easily 20 years. I can't get to it now, so I guess the DNS guys took it down, but malicious to me implies that it intends to do harm to one's computer or "person" ? Do I have an antiquated take on the word? Has Gen Z revised the definition? Also, it absolutely shouldn't be on the first 10 pages of a Google search, lol

orev
0 replies
2h25m

Step 1: Build an imposter site that delivers safe files

Step 2: SEO optimize to get good Google rankings

Step 3: Build a good reputation that many people start to think is the real site.

Step 4: Wait

Step 5: Swap the legit download links to malicious ones.

A tool like Notepad++ is used by IT admins and developers, so just like xz it's a juicy target for malicious actors.
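Both worries in this thread, that the `/download` link may already answer differently depending on who asks (mirekrusin, larschdk, Lockal above) and that it may be swapped for everyone later (the five steps above), reduce to the same check: fetch the link without following redirects, record where it sends you or what bytes it serves, and compare the answers across vantage points and across time. The following is an added example, not code from the project or from anyone in the thread. The header sets, the redirect target and the sample observations are constructed assumptions so the logic can be exercised offline; `probe_all()` is the only part that touches the network and is not called at import.

```python
import hashlib
import urllib.request
from collections import Counter
from urllib.error import HTTPError

# Example vantage points: the same URL requested with different browser,
# language and client fingerprints. A site that serves its own binary only to
# some visitors has to key on something; these are assumed keys, not a full list.
VANTAGES = {
    "chrome-en": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0",
                  "Accept-Language": "en-US,en;q=0.9"},
    "firefox-de": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:124.0) Firefox/124.0",
                   "Accept-Language": "de-DE,de;q=0.9"},
    "curl": {"User-Agent": "curl/8.4.0"},
    "old-ie-ru": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
                  "Accept-Language": "ru-RU,ru;q=0.9"},
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first hop is what we inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fingerprint(status, location, body):
    """Reduce a response to what matters: where it sends you, or what it serves.

    For a redirect the target URL is the evidence; for a 200 the body hash is.
    Redirect bodies are ignored so trivial HTML differences do not cause noise.
    """
    digest = hashlib.sha256(body).hexdigest() if status == 200 else None
    return (status, location, digest)


def probe(url, headers, timeout=15):
    """One request to `url` with `headers`, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return fingerprint(resp.status, resp.headers.get("Location"), resp.read())
    except HTTPError as e:
        # With redirects suppressed, urllib raises for 3xx; that is the normal path.
        return fingerprint(e.code, e.headers.get("Location"), e.read())


def probe_all(url, vantages=VANTAGES):
    """Network call: {label: fingerprint} for every vantage point."""
    return {label: probe(url, hdrs) for label, hdrs in vantages.items()}


def summarize(observations):
    """observations: {label: fingerprint}, labels being vantage points or dates.

    Returns (consistent, majority_fingerprint, outlier_labels). The majority is
    only a convenience for reading the report; any disagreement at all is the
    finding, since a download link has exactly one honest answer.
    """
    counts = Counter(observations.values())
    majority, _ = counts.most_common(1)[0]
    outliers = sorted(label for label, fp in observations.items() if fp != majority)
    return (len(counts) == 1, majority, outliers)


# Constructed observations standing in for a real probe_all() run: three
# vantage points are bounced to the assumed official page, one gets a binary.
OFFICIAL = "https://notepad-plus-plus.org/downloads/"  # assumed redirect target
SAMPLE_ACROSS_VANTAGES = {
    "chrome-en": (302, OFFICIAL, None),
    "firefox-de": (302, OFFICIAL, None),
    "curl": (302, OFFICIAL, None),
    "old-ie-ru": (200, None, hashlib.sha256(b"MZ constructed binary").hexdigest()),
}

# The same function covers the "swap it later" case: label snapshots by date.
SAMPLE_OVER_TIME = {
    "2024-03-01": (302, OFFICIAL, None),
    "2024-03-08": (302, OFFICIAL, None),
    "2024-03-15": (200, None, hashlib.sha256(b"MZ constructed binary").hexdigest()),
}

if __name__ == "__main__":
    for name, obs in (("vantages", SAMPLE_ACROSS_VANTAGES), ("time", SAMPLE_OVER_TIME)):
        consistent, majority, outliers = summarize(obs)
        print(f"{name}: consistent={consistent} majority={majority} outliers={outliers}")
```

Run `probe_all("https://<suspect>/download")` from a few different networks, not just with different headers, because selection by client IP range (as larschdk suggests) is invisible from a single host. Keep the returned dict per run and feed the dated results into `summarize()` as well; a link that is honest today and swapped next month shows up as an outlier on the later date.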

pipeline_peak
0 replies
4h54m

In a world of bloated Electron apps, Notepad++ is truly something to be admired.

Yeah it’s not “sexy” like emacs or vim. But every company I’ve worked for, every school I’ve learned to code, people have praised it.

It definitely speaks to the millennial Windows programmer.

iJohnDoe
0 replies
3h42m

Google loves situations like this. They want you to spend advertising dollars to make sure your brand is up top. They do this to all major brands. It’s extortion. Article on HN before.

boo-ga-ga
0 replies
5h59m

Done!

batch12
0 replies
5h58m

Some larger companies have good luck taking control of domains that use their branding or impersonate their services via a brand protection offering. I wonder if this can be done without a service if they contact the registrar or ICANN.

ameyv
0 replies
6h2m

Done. Thank you for wonderful software!!

Springtime
0 replies
6h1m

Reminds me of the malicious site for MultiPar, which the (since deprecated) official forums said linked to altered binaries, yet due to the convincing domain name fooled even various regular users linking to it on forums like Reddit.

BuildTheRobots
0 replies
5h46m

It might be worth contacting NameCheap, who the domain is registered through. I'm not actually sure if they'd be in a position to (legally) act at this point though.