You can tell that an anti-spam tool is becoming too effective when spammers start trying to work around it.
Such is the case with Spam URL Blacklists (SURBLs), which list domains advertised via spam. Spam filters intercept emails that mention blacklisted domains in clickable links. The spammers can use fake sender addresses and send email from cracked hosts and cracked third-party mail accounts, but they still get caught as soon as they mention their websites. This hurts spammers because they only make money when people go to their websites and hand over their credit card details to order fake Rolexes, pills, porn, etc.
To get around this, spammers have been using pages created at free webhosting services and other third party sites where content can be uploaded. The links only mention the free hosting site, which then redirects to the final spam site.
One service abused for this is Google Groups. Other services recently seen used are Google Docs, Microsoft Spaces Live and Geocities. In the case of Google Groups the spammers create mailing lists and upload a spam link to the home page of the new group. They never use the groups for their intended purpose, i.e. mailing lists. This effectively makes it impossible to report the abuse via Google’s abuse handling procedures: Any archived posting or uploaded document on the Google Groups service has an abuse reporting link, but the home page of the group itself does not! Obviously, Google never envisaged that spammers would create groups only to have one page of web content that can be advertised via spam.
Here is an example of a spam:
Received: from host34.net215.omkc.ru (HELO host34.net215.omkc.ru) [217.25.215.34]
by mymailhost (mx077) with SMTP; 21 Jan 2009 04:21:47 +0100
Message-ID: <47940FC9.1016287@verizon.net>
Date: Mon, 21 Jan 2008 03:21:45 GMT
From: arturo <arturo.matthews1@verizon.net>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: mymailbox
Subject: Brighten Your Day
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

After trying out tooth whitening system AT NO COST TO YOU you’ll realize that your smile is irresistably contagious! 😉
http://groups.google.com/group/fkvrqzzzjckhj
(Add S+H)
The page advertises “Click Here – Free Credit Score & Debt Help” which is a spam link using the domain white-teeth2009.com hosted on IP address 220.164.144.205 in China. It is listed on four sub-lists of SURBL (WS, OB, AB and JP). Its name servers are ns1.dckfdc.com and ns2.dckfdc.com. Other domains by the same spammers are whiten-your-smile2009.com and smile-really-great.com.
At the very least Google should add an abuse reporting link to its Google Group pages. It would be even better if they were to check uploaded Google Group content and check any URLs in it against spam blacklists such as SURBL. This would stop the spammers in their tracks.
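The content check suggested above, sketched in Python as an added example (not code from this post, from Google or from SURBL). It shows why the spam email passes a URL blacklist while the group page it points to does not. Assumptions: the bit values are the historical multi.surbl.org layout and should be verified against current SURBL documentation, the resolver is an offline stub with a constructed answer, the page HTML is constructed, and reducing a host to its last two labels is a simplification of registered-domain extraction.

```python
import re
from urllib.parse import urlsplit

# Assumed historical multi.surbl.org bitmask layout; verify before relying on it.
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def link_domains(text):
    """Registered domains of all http(s) links in text (naive: last two labels)."""
    domains = set()
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").rstrip(".")
        labels = host.split(".")
        if len(labels) >= 2 and not labels[-1].isdigit():  # skip bare IPs
            domains.add(".".join(labels[-2:]).lower())
    return domains

def decode_answer(addr):
    """Turn a 127.0.0.x blacklist answer into the sub-list names it encodes."""
    octets = addr.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        return []  # not a listing answer
    mask = int(octets[3])
    return [name for bit, name in sorted(SURBL_BITS.items()) if mask & bit]

def check_text(text, resolve):
    """Map each listed domain in text to its sub-lists.

    resolve(qname) returns an A record string, or None for NXDOMAIN.
    """
    hits = {}
    for domain in sorted(link_domains(text)):
        answer = resolve(domain + ".multi.surbl.org")
        lists = decode_answer(answer) if answer else []
        if lists:
            hits[domain] = lists
    return hits

# Constructed answer: 116 = 4 + 16 + 32 + 64, i.e. WS, OB, AB and JP as in the post.
CONSTRUCTED_ZONE = {"white-teeth2009.com.multi.surbl.org": "127.0.0.116"}
stub_resolve = CONSTRUCTED_ZONE.get

# Body of the spam quoted above, and a constructed stand-in for the group home page.
EMAIL_BODY = "http://groups.google.com/group/fkvrqzzzjckhj\n(Add S+H)"
GROUP_PAGE = '<a href="http://white-teeth2009.com/">Click Here</a>'

if __name__ == "__main__":
    print("email:", check_text(EMAIL_BODY, stub_resolve))       # nothing listed
    print("group page:", check_text(GROUP_PAGE, stub_resolve))  # listed domain found
```

A mail filter that only inspects the message sees `google.com` and finds nothing; the same lookup run by the hosting service over uploaded content finds the listed domain.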
So what’s broken? Send the email with the link to abuse@google.com (it’s so obvious, why do they need a link for it?), and they’ll take action. They have for me, at any rate.
Here is what’s broken: Most spam recipients have no idea exactly how to report such spam URLs and Google is not giving them any help.
If they go to the help link on Google Groups and look it up, Google never tells them how to report this case. Google abuse procedures mention how to report Google Groups postings or documents, but not a group as a whole (including its homepage), which is what the spammers take advantage of.
The help system never mentions abuse@google.com at all when talking about Google Groups. So how are people going to get those spam pages taken down?
Google generally encourages people to use its web forms for abuse reporting instead of abuse@google.com and I can see why: A web form generally gives them more focused machine-readable information, which means quicker, less labour-intensive abuse handling. For example, they can make sure to always get a URL. But in this case there *is* no form and the spam falls between the cracks.
What this means in practice is that spamvertised groups created by the spammers are likely to survive for weeks. I looked through a set of recent spam samples abusing Google Groups stretching back about four weeks. I found that every single link in those spams still worked up to almost a month later.
HSBC BANK OF UK
YOUR FAVORITE BANK
leading credit
Direct Contact Informations
Tel/ Fax:44 7005800127
Email: hsbcbk@hsbcbank-lon.com
Attn: Mr. Lloyd Sheehan
Sir
Go ahead and contact Mr John West today, he will loan the money to you. I have finalized and concluded all the necessary arrangement for him Mr John West the financier to give you the US$50,000 so that you can send it to our bank, for our bank to release the money into your account. Therefore, go ahead and contact him so that he could advance the loan to you, tell him to raise the sum of US$50,000 for you which you will use to claim your money from HSBC Bank London
His contact details are as below.
NAME: MR. JOHN WEST
TEL: 1 6463230811
E-MAIL ADDRESS: johnwestconsult@yahoo.com
Contact him and get back to me with your discussion with him
Please try and contact Mr. John West today,
Thanks
Dr Herman Orrin
N/B: I am really sorry for all the difficulties you have suffered so far in the cost of receiving your fund, I promise you it will never happen again.
——- End of Forwarded Message ——-
Scammer “George Hart” (gfhart45@yahoo.com) posted link hsbcbank-lon.com (a fake copy of HSBC) from IP address 41.210.23.141 in Ghana, West Africa and wrote:
====
Dear Mr. Sheehan,
You should go back to your source and ask him what bank the funds have been transferred to here in the USA. Do you have a Owners Funds Rights Certificate? If not can he get it for you. Do you have an anti-terrorist certificate in your possession? These are certificates that will be demanded here in the USA for any bank to make the transfer to your account. Remember these are large sums of money. You will need these proofs. These certificates are expensive. he should know that you will need them to have funds transferred to your bank —here or not. I am not aware the funds are here but they may be. If I remember the transfer is from HSBC. I will further contact to see if the funds are actually here in the USA.
Has your counterpart, Mr. Jonathan, put up any funds during this process? Or only you!
I will double check everything in the office Monday morning.
Have a blessed weekend
With regards,
George Hart
Financial Advocate/Counselor
================================================================
================================================================
— On Sat, 12/13/08, llfire9fly6@aol.com wrote:
From: llfire9fly6@aol.com
Subject: (no subject)
To: gfhart45@yahoo.com
Date: Saturday, December 13, 2008, 5:36 AM
MR HART:
I JUST GOT AN E-MAIL; FROM BARISTER JONATHAN NORRIS AND I AM GOING TO FORWARD TO YOU. HE SAYS THE MONEY IS HERE IN THE STATES AND NOW I AM WONDERING WHAT IS GOING ON. LET ME KNOW OKAY, I AM TAKING YOUR WORD FOR IT AND NOT WHAT HE SAYS.
MR SHEEHAN
====
Remember: If you’re being asked for an anti-terrorist certificate then it is a scam!
crap never ends!!!!!!!!!!!!
http://groups.google.com/group/i5o2guzqn GOOGLE SPAM
From Barbara Williams Fri Mar 6 01:35:28 2009
Return-Path:
Authentication-Results: mta689.mail.mud.yahoo.com from=hotmail.com; domainkeys=neutral (no sig)
Received: from 65.55.111.89 (EHLO blu0-omc2-s14.blu0.hotmail.com) (65.55.111.89)
by mta689.mail.mud.yahoo.com with SMTP; Fri, 06 Mar 2009 01:36:00 -0800
Received: from BLU118-W44 ([65.55.111.73]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 6 Mar 2009 01:35:29 -0800
Message-ID:
Return-Path: barbaraiunomhzi@hotmail.com
Content-Type: multipart/alternative;
boundary=”_cc8f37db-15e8-4278-844e-17beb65d2144_”
From: Barbara Williams
To:
Subject: Discuonts and perfect prices only for you.
Date: Fri, 6 Mar 2009 09:35:28 +0000
Importance: High
MIME-Version: 1.0
Content-Length: 1081
—– Forwarded Message —-
From: Barbara Williams
To: frankstank22@yahoo.com
Sent: Friday, March 6, 2009 2:35:28 AM
Subject: Discuonts and perfect prices only for you.
Cilais Soft Tabs. Good for you. Good for her.
click here
But Google has addressed the issue – the Google Groups pages now have a “Report this group” link at the bottom.
If you click this, you can have the group shut down.
In addition, I am logging groups advertised by spam seen in my spam feed. I report them to a contact inside Google in bulk.
The Google groups problem has re-emerged. Google is distributing trojans on behalf of the criminals who have uploaded those files. The spam links directly to the zipped downloads, which means there are no abuse reporting buttons. And an email to abuse@google.com returns an autoack with no useful information and no indication that any sentient being will ever see the report.
An example of one of the links is in the thread at http://ksforum.inboxrevenge.com/viewtopic.php?p=46703#p46703
Maybe you need to clean up your comments a bit? Looks like some spammers have sneaked in, e.g. “George Hart” and “seo”.
Hello betabug,
thanks for the hint! I’ve taken care of both spammers.
The Google Group that has spammed me does NOT have a “report this group” link on its home page. Not only that, but complaints to postmaster@google.com and abuse@google.com have not gotten me unsubscribed from the group. I even tried sending postal mail to Google, and got no answer at all.
I tried calling the Spanish Google branch this morning but the woman there was useless. She just fobbed me off telling me to find the answer on their help pages. The fact that she couldn’t give me an exact URL or email address just goes to show that they are not bothered in the slightest.
What’s so annoying is that even if you block the group email, they come through as the email of the person that’s sending the crap and not the group address so they pass through the filter. The offenders in our case are: worldarabtradecenter@googlegroups.com
The fact that Jonathan has had no reply from his emails, doesn’t fill me with much confidence either.
I can’t understand how they manage to send you emails if you’re not subscribed though. I click on the unsubscribe link and I get an email with an “unsubscribe” link but the crap keeps piling in. Our email address doesn’t even have a Google account associated with it either. Wonderful unprofessional conduct from Google. It’s about time they were forced to obey European SPAM & Internet Information law since they operate over here.