Google Used For Spam

This happened a few weeks ago. I kept it quiet and reported it. Hasn’t happened again, and I haven’t heard anything, so I presume it’s fixed.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert whose search text is the spam message, the spammer gets that text delivered in a confirmation email sent through Google’s mail servers. Because it’s plain text, most email clients will parse the link in the email to make it clickable. Effectively, Google is running an open mail server. Here’s what I saw when I visited Google’s site to see if it really was in my account:

[Image: Google Spam]

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few weeks ago about this problem, and didn’t hear back. I haven’t seen another, so I presume they fixed this problem by now. From what I’ve read, Google is pretty prompt with this stuff.

This just shows how careful you need to be with the security of web forms. Even something as innocent-sounding as this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc., all looking like legitimate Google emails (because they are from Google).
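The form weakness described above, as an added example that is not part of the original post and is not Google's code: a confirmation-mail builder that echoes the requester's text verbatim to an unverified address, next to a hardened version that withholds anything a mail client would auto-link. The function names, the template wording, the 60-character limit and the patterns are assumptions made for illustration.

```python
import re

# Assumed policy values for this illustration (not documented by Google).
MAX_ECHO_LEN = 60
WITHHELD = "(search text withheld until you confirm)"

# Text a mail client will turn into a link: URL schemes, "www.", bare
# domains such as "spam.example", and e-mail addresses.
LINKISH = re.compile(
    r"(?i)(?:[a-z][a-z0-9+.-]*://|www\.|\b[a-z0-9-]+\.[a-z]{2,}\b|@)"
)
# Control characters, including CR/LF that would add lines to the message.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

TEMPLATE = (
    "We received a request to start sending alerts for the search\n"
    "[ {query} ] to {recipient}.\n\n"
    "Verify this request:\n{verify_url}\n"
)

def build_confirmation_unsafe(query, recipient, verify_url):
    """The pattern from the post: whatever the requester typed is mailed,
    unchanged, to an address that has not confirmed anything yet."""
    return TEMPLATE.format(query=query, recipient=recipient,
                           verify_url=verify_url)

def echo_safe(query):
    """Echo the query only if it cannot carry a link or extra lines.
    Anything suspicious is withheld whole rather than partially cleaned."""
    if (len(query) > MAX_ECHO_LEN
            or CONTROL.search(query)
            or LINKISH.search(query)):
        return WITHHELD
    return query

def build_confirmation_safe(query, recipient, verify_url):
    """Same mail, but the only link in it is the one the service generated."""
    return TEMPLATE.format(query=echo_safe(query), recipient=recipient,
                           verify_url=verify_url)

if __name__ == "__main__":
    # Constructed sample input modelled on the alert text in the post.
    spam = "Cheap pills! See http://spam.example/ for more info"
    url = "https://alerts.example/verify?t=TOKEN"  # placeholder URL
    print(build_confirmation_unsafe(spam, "user@example.org", url))
    print(build_confirmation_safe(spam, "user@example.org", url))
```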

Here’s what the email looks like (slightly sanitized by me):

From - Fri Jun 01 19:37:17 2007
Return-path: < ---------------------@alerts.bounces.google.com>
Envelope-to: r-----@---------.com
Delivery-date: Fri, 01 Jun 2007 11:39:09 -0500
Received: from mail by g---n.m-------t.com with local-bsmtp (Exim 4.42)
	id 1HuA9c-0001PM-6U
	for r-----@---------.com; Fri, 01 Jun 2007 11:39:09 -0500
X-Spam-Step: 10
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
	s----------n.m-------t.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=5.0 tests=AWL,BAYES_00,DRUGS_ERECTILE,
	URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL autolearn=no
	version=3.1.7
Received: from [209.85.132.130] (helo=an-out-f130.google.com)
	by g---n.m-------t.com with esmtp (Exim 4.42)
	id 1HuA9c-0001PF-3l
	for r-----@---------.com; Fri, 01 Jun 2007 11:39:08 -0500
Received: by an-out-f130.google.com with SMTP id d10so118678and
        for <r -----@---------.com> Fri, 01 Jun 2007 09:39:07 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
        d=google.com; s=beta;
        h=domainkey-signature:received:message-id:mime-version:content-type:x-sender:subject:to:from:date;
        b=FGPzqa4A/uwrY9R4eE5zc7aWGSLWLoJNdzneqDb3y6JoK6bORFreaSIcMM18ju8X11Q4Yz46WS0CyILKEQuNjQ==
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=google.com; s=beta;
        h=received:message-id:mime-version:content-type:x-sender:subject:to:from:date;
        b=scui0PgQGL5lSJQnFaSsGAJZV62EWfW8kjWfyt1LJc4C4DyEK1Yd2ZM80BmWnUqk5MEC5yGk0WmL1DjUvGIT8Q==
Received: by 10.70.74.1 with SMTP id w1mr2256151wxa.1180715947494; Fri, 01 Jun 2007 09:39:07 -0700 (PDT)
Message-ID: < ----------------------@google.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Sender: HwAAAC491XMCve-7EImb_MgE7FP_5F7kb0mu3Tw3l5pegz4N
Subject: Click to confirm your Google Alert
To:r-----@---------.com
From: Google Alerts <googlealerts -noreply@google.com>
Date: Fri, 01 Jun 2007 09:39:07 -0700
X-SA-Profile: 5693

Google received a request to start sending Alerts for the search
[ *] Viagra as low as $2.81! See http://SPAMSITE/ for more info. EXPRESS DELIVERY! ULTIMATE QUALITY! [* 51078155988.654 ] to r-----@---------.com.

Verify this Google Alert request:
http://www.google.com/alerts/verify?

Cancel this Google Alert request:
http://www.google.com/alerts/remove?

Thanks,
The Google Alerts Team
http://www.google.com/alerts

2 Responses to “Google Used For Spam”

  1. longv Says:

    I got a lot of spam sent through Google email servers. I sent two emails to Google security teams, but they ignore my mail. I do have a Barracuda spam filter, but unless I block Google’s IP address or Gmail domain this spam keeps going through. Do you know where and how to get the Google security team to take a look at the problem?

  2. andy Says:

    This hasn’t been fixed so far by Google - I just got spammed by this.
