Categories
Google Security Spam

Google Used For Spam

This happened a few weeks ago. I kept it quiet and reported it. Hasn’t happened again, and I haven’t heard anything, so I presume it’s fixed.

It appears spammers have learned to hijack Google Alerts for spamming purposes. By setting up an alert with a spam text, the email is sent through Google’s mail servers. Because it’s plain text, most Email clients will parse the link in an email to make it clickable. Effectively Google is running an open mail server. Here’s what I saw when I visited Google’s site to see if it really was in my account:

Google Spam

So apparently a spammer was smart enough to realize they could hijack this functionality to send spam through Google. I emailed Google a few week ago about this problem, and didn’t hear back. I haven’t seen another, so I presume they fixed this problem by now. From what I’ve read Google is pretty prompt with this stuff.

This just shows how careful you need to be with security of web forms. Even something innocent sounding like this can be hijacked to send nasty payloads. A spammer could have used this to send links to infected files, etc. All looking like legitimate Google emails (because they are from Google).

Here’s what the email looks like (slightly sanitized by me):

From - Fri Jun 01 19:37:17 2007
Return-path: < ---------------------@alerts.bounces.google.com>
Envelope-to: r-----@---------.com
Delivery-date: Fri, 01 Jun 2007 11:39:09 -0500
Received: from mail by g---n.m-------t.com with local-bsmtp (Exim 4.42)
	id 1HuA9c-0001PM-6U
	for r-----@---------.com; Fri, 01 Jun 2007 11:39:09 -0500
X-Spam-Step: 10
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on 
	s----------n.m-------t.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=5.0 tests=AWL,BAYES_00,DRUGS_ERECTILE,
	URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL autolearn=no 
	version=3.1.7
Received: from [209.85.132.130] (helo=an-out-f130.google.com)
	by g---n.m-------t.com with esmtp (Exim 4.42)
	id 1HuA9c-0001PF-3l
	for r-----@---------.com; Fri, 01 Jun 2007 11:39:08 -0500
Received: by an-out-f130.google.com with SMTP id d10so118678and
        for <r -----@---------.com> Fri, 01 Jun 2007 09:39:07 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed;
        d=google.com; s=beta;
        h=domainkey-signature:received:message-id:mime-version:content-type:x-sender:subject:to:from:date;
        b=FGPzqa4A/uwrY9R4eE5zc7aWGSLWLoJNdzneqDb3y6JoK6bORFreaSIcMM18ju8X11Q4Yz46WS0CyILKEQuNjQ==
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=google.com; s=beta;
        h=received:message-id:mime-version:content-type:x-sender:subject:to:from:date;
        b=scui0PgQGL5lSJQnFaSsGAJZV62EWfW8kjWfyt1LJc4C4DyEK1Yd2ZM80BmWnUqk5MEC5yGk0WmL1DjUvGIT8Q==
Received: by 10.70.74.1 with SMTP id w1mr2256151wxa.1180715947494; Fri, 01 Jun 2007 09:39:07 -0700 (PDT)
Message-ID: < ----------------------@google.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
X-Sender: HwAAAC491XMCve-7EImb_MgE7FP_5F7kb0mu3Tw3l5pegz4N
Subject: Click to confirm your Google Alert
To:r-----@---------.com
From: Google Alerts <googlealerts -noreply@google.com>
Date: Fri, 01 Jun 2007 09:39:07 -0700
X-SA-Profile: 5693

Google received a request to start sending Alerts for the search
[ *] Viagra as low as $2.81! See http://SPAMSITE/ for more info. EXPRESS DELIVERY! ULTIMATE QUALITY! [* 51078155988.654 ] to r-----@---------.com.

Verify this Google Alert request:
http://www.google.com/alerts/verify?Cancel this Google Alert request:
http://www.google.com/alerts/remove?

Thanks,
The Google Alerts Team
http://www.google.com/alerts

6 replies on “Google Used For Spam”

I got a lot of spam sent through google email servers. I sent two email to Google security teams, but they ignore my mail. I do have a barracuda spam filter, but unless I block google’s ip address or gmail domain these spam keeps going through. Do you know where and how to get google security team to take a look at the problem.

i want to stop google alerts on my email-id ….plz let me know how can i do that…..i will appreciate if u do the needful as soon as possible.

I know this is a year later but I’m getting spam off one of my alerts mostly titled something like ‘ Amanda Dunn Adam Fletcher wedding’. It’s an alert based on my late wife’s name and this will be there in the first few lines. However, when you click on the link you get a big red circle which says ‘Do Not Press’ and a small underlined ‘Skip’ at the top of the page. Yesterday, as I was about to install Win 7 over XP I decided to take the risk of clicking, something I would never normally do. It just went on changing to ‘witty’ things like ‘Oh, so you’re being tough’ and ‘Told you not to press’ Tried Skip. That led nowhere. Closed down and wiped the drive as I installed the new OS. It’s irritating as I’m now getting 3 or 4 of these alerts a day. When I tried to find somewhere on the Google site to report this I got led round and round the bush, as always. How did you get through to them?

It only seems to affect the one alert. Have you had anything similar, and is there anything, short of deleting the alert (which I don’t want to do)?

I have never signed up for google news alerts but I am being spammed by about 5 thousand news alerts and google groups E-mail in less than a 24 hour period I am recieving about 7 per minute. And like you can find no way to get a hold of google for any assitance with this. It appears to be an occasional on going issue. I do not understand why they have not found a way to safe gaurd against this. Any return E-mail will simply be lost among the thousands that are invading my computer. If anyone can help maybe you can call us at (619) 448-2927. Thanks Frank

I have loads from google.com as spam and its getting a bit worse, it google who will suffer most from peoples and and lose trust

Leave a Reply to deepak Cancel reply

Your email address will not be published. Required fields are marked *