To make the best use of SpyBye, it’s important to understand how to interpret its output. Let’s take a simple example of using SpyBye on http://www.honeyd.org/ - click on the image to the left to get a larger picture.
Now, let’s look at another example based on one of the reports recently submitted to SpyBye. In this case, we see that SpyBye labels the result as dangerous. That by itself is not so interesting. Let’s look at the data in more detail: we see that as a result of visiting the URL, four implicit HTTP fetches happen: two of them labeled as dangerous and two of them labeled as unknown.
The bottom two links are labeled as unknown. For SpyBye that means that the content comes from a third-party content provider that is unknown to SpyBye. However, the two domains are not known a priori to be malicious and ClamAV does not find anything unusual with them either. The top two links are labeled as dangerous. One of them has been identified by ClamAV as an exploit. The other one has been labeled as dangerous because it comes from a domain known to host malicious content. You can click on the dangerous links to see their underlying source code - it’s quite interesting.
Obviously, once a link from your web page has been labeled as dangerous, you know that something is likely to be wrong with your site. However, in most cases, you are just going to see a number of unknown links. As a webmaster, you need to look at the source of each unknown link and determine whether you know why that content might be fetched from your site. If you cannot identify the reason for a particular fetch, it’s likely that something is not quite right.
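The labeling rules and the review step described above, as an added Python example that is not SpyBye's own code. The host names, the signature string, the vetted-provider list and the "harmless" label for same-host content are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed inputs; none of these hosts or signatures come from a real report.
KNOWN_BAD_DOMAINS = {"bad.example"}   # domains known to host malicious content
VETTED_PROVIDERS = {"cdn.example"}    # assumption: third parties already reviewed
PAGE = "http://www.site.example/"
SAMPLE_FETCHES = [                    # (implicitly fetched URL, scanner signature or None)
    ("http://files.other.example/x.js", "Constructed.Exploit.Sample"),
    ("http://ads.bad.example/frame.html", None),
    ("http://stats.tracker.example/c.js", None),
    ("http://widgets.partner.example/w.js", None),
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def in_domain(host, domain):
    # Match the domain itself or a subdomain, not a mere string suffix.
    return host == domain or host.endswith("." + domain)

def label_fetch(page_url, fetch_url, signature=None):
    """Return (label, reason) for one implicit fetch."""
    host = host_of(fetch_url)
    if signature:
        return "dangerous", "scanner match: " + signature
    if any(in_domain(host, d) for d in KNOWN_BAD_DOMAINS):
        return "dangerous", "domain known to host malicious content"
    if host == host_of(page_url) or any(in_domain(host, d) for d in VETTED_PROVIDERS):
        return "harmless", "same host or vetted provider"  # assumed third label
    return "unknown", "third-party provider not known"

def triage(page_url, fetches):
    """Label every fetch; the page verdict is the worst label seen."""
    results = [(url,) + label_fetch(page_url, url, sig) for url, sig in fetches]
    labels = {label for _, label, _ in results}
    if "dangerous" in labels:
        return "dangerous", results
    return ("unknown" if "unknown" in labels else "harmless"), results

def hosts_to_review(results):
    # The webmaster's worklist: each unknown host needs a known reason to be there.
    return sorted({host_of(url) for url, label, _ in results if label == "unknown"})

if __name__ == "__main__":
    overall, results = triage(PAGE, SAMPLE_FETCHES)
    print("page verdict:", overall)
    for url, label, reason in results:
        print(f"  {label:9} {url}  ({reason})")
    print("review these hosts:", ", ".join(hosts_to_review(results)))
```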
I hope everything is much clearer now. Let me know if you have any questions.