UPDATED: An examination of spam originating from the major free e-mail providers shows that like consumers, spammers prefer Google.
In a three-week period from mid-June to this month, e-mail filtering firm Roaring Penguin said it saw an explosion of spam originating from Gmail, while Microsoft Hotmail and Yahoo Mail remained flat.
The company attributes this meteoric rise in Gmail spam to the cracking of Google’s CAPTCHA. A CAPTCHA
In Gmail’s case, the CAPTCHA was designed to prevent automated programs from signing up for thousands of e-mail accounts. But according to David Skoll, CEO and CTO of Roaring Penguin, spammers developed an optical character recognition scanner smart enough to read the Google CAPTCHA, and programming to enter in the information to make e-mail addresses on Gmail for spamming.
Earlier this year, company spokespeople told InternetNews.com in an e-mail that the online search leader was aware of efforts to defeat its CAPTCHA and that it disables the accounts of spammers on its service.
When asked for comment on the Roaring Penguin findings, a Google spokesperson issued the following statement: “We expect spammers to use every means possible to try to send spam. That’s why we have a robust spam-fighting effort at Google. We disable these accounts immediately and will continue to do so.”
If Google (NASDAQ: GOOG) responds by changing its CAPTCHA, Skoll figures the spammers will simply break it again.
“Spammers have an economic incentive to keep spamming, so they have an economic incentive to keep breaking Google’s CAPTCHAs,” he told InternetNews.com. “Even if Google came up with something extremely difficult to crack, spammers can get around that.”
During the period from June 13 to July 3, spam from Google grew from 6.8 percent to 27 percent of all outbound e-mail detected by Roaring Penguin. At the same time, spam from Yahoo and Microsoft rose between 2 percent to 4 percent, the company found.
Spammers are also now taking advantage of Google’s reputation. While most spam comes from botnet-infected
“They could block it if the same IP is making accounts, but it’s like an arms race,” he said. “For every measure Google can take, there’s a countermeasure the spammer can take. You can’t really stop it — you can slow it down a bit.”
Skoll added that Google needs to start getting a little tougher and looking more closely at its signup process and outgoing mail.
“They could do something like require stronger proof of identity, like a credit card, but that would hurt,” he said. “Lots of people might say ‘forget it.'”
“They could also start filtering their outbound mail,” he said. “Google has good filters for Gmail customers. They could start applying to outbound mail, so any account scoring high can have its outgoing mail held until they check it out.”
Google would certainly seem to have the wherewithal to filter outbound mail, since it owns Postini.
Gartner security analyst Peter Firstbrook also felt that Google needed to filter its outbound mail and monitor newly created accounts for unusual activity, like high activity.
“The thing is, they own Postini, so they could put mail through it through their own filters,” Firstbrook said. “They are filtering it on the inbound traffic, but are they on the outbound? I bet they don’t do much on the outbound traffic for consumer issues.”
They are going to have to turn Postini around and turn on the outbound filter, but that’s going to be a volume issue for Google,” he added.
(Update adds comment from a Google spokesperson.)