RealTime IT News

Google Docs the Latest Spam Vehicle

UPDATED: Spammers have proven themselves as creative as they are tenacious. We've seen image spam, PDF spam and MP3 spam, and now the latest trick involves using Google Docs to get by spam filters.

Sending attachments like JPGs or Word .doc files has proven less than successful when compared to just sending the user a link in the hopes they will click on it, but spam with just a URL isn't foolproof, either. Spam filters have relied on checking the links in e-mails and blocking them based on suspicious Web addresses.

So by adopting Google Docs, spammers gain the credibility of Google's domain, since no spam blocker is going to automatically declare a Google (NASDAQ: GOOG) link to be spam. That's what they are hoping for, according to Matt Sergeant, an Anti-Spam Technologist at MessageLabs, which found the new misuse of Google Docs.

"A very popular way to block spam is with URL block lists," he told InternetNews.com. "With the name 'Google' in it, it's never going to be blocked because of all the legitimate uses."

Because hosted Google Docs have the domain "docs.google.com," it could be possible to ban that address, but Sergeant didn't think that would be feasible. "You could do it but it would certainly be a major hampering to Google's plans to make it a standard business documentation platform," he said.

A Google spokesperson noted in an e-mailed statement: "Spam is an issue for all Internet users, and we work very hard to fight it. Using Google Docs, or any Google product, to host spam content is a violation of our product policies, and we actively disable such accounts."

The way around this is checking the IP of the sender, said Peter Firstbrook, research director for security issues with Gartner. "It will be hard for companies to filter it unless they can do it based on source IP. The only way to catch it is through sender IP reputation level," he said.

A silver lining?

The silver lining to this new scam, and what may be its undoing, is that the Google Docs pages are nowhere near as dynamic as HTML. The best spammers can do is put links in the page to get victims to click through to another site. They can't embed HTML code, a malicious IFrame, or malicious JavaScript code like they do on Web pages.

Spammers might also just plain give up rather than go through the headache of constantly making new Google Docs accounts when their old ones get shut down for spam violations, said Firstbrook. "They will have to create a lot of Google accounts, and that won't be easy to do because Google has methods in place to stop automation of account creation," he said.

The page MessageLabs found was the typical sexual enhancement advertisement, that asked the recipient to click on the link to a Google Doc page. From the page, more links to purchase the little blue pills. At the bottom, Sergeant noted there is a "report as spam" link.

MessageLabs reported the page as spam to Google on May 8. As of this writing on May 23, the page is still live. Sergeant was disappointed at Google's slowness. "I assume Google has already thought about this as a possibility because of the 'report as spam' link," he said. "The page is still active after 15 days, so Google is being rather slow in their reactions and they need to step up to the mark and take action."

So far, MessageLabs hasn't seen large numbers for this method yet, but Google's Blogspot blogging service is frequently used by spammers, so the spammers may just be getting started.

"We know spammers like to try new things. They still use Blogspot as an intermediate drop page, so they may refine this method a little more and stick with it," Sergeant said. Or it could be a bust and they drop it.

Once again, Sergeant added, the best way to defeat spam is to not reply to it.

(Updated to add comment from Google.)