Google Groups spam – abuse reporting broken

You can tell that an anti-spam tool is becoming too effective when spammers start trying to work around it.

Such is the case with Spam URL Blacklists (SURBLs), which list domains advertised via spam. Spam filters intercept emails that mention blacklisted domains in clickable links. Spammers can use fake sender addresses and send email from cracked hosts and cracked third-party mail accounts, but they still get caught as soon as they mention their websites. This hurts spammers because they only make money when people go to their websites and hand over their credit card details to order fake Rolexes, pills, porn, etc.

To get around this, spammers have been using pages created at free webhosting services and other third party sites where content can be uploaded. The links only mention the free hosting site, which then redirects to the final spam site.

One service abused for this is Google Groups. Other services recently seen used are Google Docs, Microsoft Spaces Live and Geocities. In the case of Google Groups the spammers create mailing lists and upload a spam link to the home page of the new group. They never use the groups for their intended purpose, i.e. mailing lists. This effectively makes it impossible to report the abuse via Google’s abuse handling procedures: Any archived posting or uploaded document on the Google Groups service has an abuse reporting link, but the home page of the group itself does not! Obviously, Google never envisaged that spammers would create groups only to have one page of web content that can be advertised via spam.

Here is an example of a spam:

Received: from host34.net215.omkc.ru (HELO host34.net215.omkc.ru) [217.25.215.34]
by mymailhost (mx077) with SMTP; 21 Jan 2009 04:21:47 +0100
Message-ID: <47940FC9.1016287@verizon.net>
Date: Mon, 21 Jan 2008 03:21:45 GMT
From: arturo <arturo.matthews1@verizon.net>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: mymailbox
Subject: Brighten Your Day
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

After trying out tooth whitening system AT NO COST TO YOU you’ll realize that your smile is irresistably contagious! 😉

http://groups.google.com/group/fkvrqzzzjckhj

(Add S+H)

The page advertises “Click Here – Free Credit Score & Debt Help” which is a spam link using the domain white-teeth2009.com hosted on IP address 220.164.144.205 in China. It is listed on four sub-lists of SURBL (WS, OB, AB and JP). Its name servers are ns1.dckfdc.com and ns2.dckfdc.com. Other domains by the same spammers are whiten-your-smile2009.com and smile-really-great.com.

At the very least Google should add an abuse reporting link to its Google Group pages. It would be even better if they were to check uploaded Google Group content and look up any URLs in it against spam blacklists such as SURBL. This would stop the spammers in their tracks.
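A sketch of the content check proposed above, as an added example that is not code from the original post, from Google or from SURBL. It assumes the combined zone `multi.surbl.org`, the sub-list bit values in use when the post was written, and a simplified two-label domain reduction; the function names, the sample page text and the resolver answer are constructed for illustration.

```python
import re
import socket

# Assumption: bit values of the last octet of a multi.surbl.org answer as
# assigned when this post was written (sub-lists named on the page).
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dns_a_lookup(name):
    """Default resolver: return the A record as a string, or None if absent."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def registered_domain(host):
    """Simplified: keep the last two labels (no two-level TLD handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def surbl_lists(domain, resolve=dns_a_lookup, zone="multi.surbl.org"):
    """Return the sorted sub-list names a domain is on (empty if unlisted)."""
    answer = resolve(f"{domain}.{zone}")
    if not answer or not answer.startswith("127.0.0."):
        return []
    mask = int(answer.rsplit(".", 1)[1])
    return sorted(name for bit, name in SURBL_BITS.items() if mask & bit)


def scan_content(text, resolve=dns_a_lookup):
    """Map each linked domain in uploaded content to its SURBL sub-lists."""
    domains = {registered_domain(h) for h in URL_RE.findall(text)}
    return {d: surbl_lists(d, resolve) for d in sorted(domains)}


# Constructed sample data: the e-mail body only names the group, while the
# group's home page carries the listed domain. The resolver answer is
# constructed to match the listing the post reports (WS, OB, AB, JP).
FAKE_ZONE = {"white-teeth2009.com.multi.surbl.org": "127.0.0.116"}
EMAIL_BODY = "http://groups.google.com/group/fkvrqzzzjckhj"
GROUP_PAGE = "Click Here: http://www.white-teeth2009.com/ on http://groups.google.com/"

if __name__ == "__main__":
    print(scan_content(EMAIL_BODY, FAKE_ZONE.get))  # nothing listed
    print(scan_content(GROUP_PAGE, FAKE_ZONE.get))  # final domain is listed
```

Scanning the e-mail body alone finds nothing to block, which is why the redirect trick works against mail filters; the same lookup run over the uploaded page content catches the advertised domain.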

12 thoughts on “Google Groups spam – abuse reporting broken”

  1. So what’s broken? Send the email with the link to abuse@google.com (it’s so obvious, why do they need a link for it?), and they’ll take action. They have for me, at any rate.

  2. Here is what’s broken: Most spam recipients have no idea exactly how to report such spam URLs and Google is not giving them any help.

    If they go to the help link on Google Groups and look it up, Google never tells them how to report this case. Google abuse procedures mention how to report Google Groups postings or documents, but not a group as a whole (including its homepage), which is what the spammers take advantage of.

    The help system never mentions abuse@google.com at all when talking about Google Groups. So how are people going to get those spam pages taken down?

    Google generally encourages people to use its web forms for abuse reporting instead of abuse@google.com and I can see why: A web form generally gives them more focused machine-readable information, which means quicker, less labour-intensive abuse handling. For example, they can make sure to always get a URL. But in this case there *is* no form and the spam falls between the cracks.

    What this means in practice is that spamvertised groups created by the spammers are likely to survive for weeks. I looked through a recent set of samples of spams abusing Google Groups stretching back about four weeks. I found that every single link in those spams still worked up to almost a month later.

  3. HSBC BANK OF UK
    YOUR FAVORITE BANK
    leading credit

    Direct Contact Informations
    Tel/ Fax:44 7005800127
    Email: hsbcbk@hsbcbank-lon.com

    Attn: Mr. Lloyd Sheehan

    Sir

    Go ahead and contact Mr John West today, he will loan the money to you. I have finalized and concluded all the necessary arrangement for him Mr John West the financier to give you the US$50,000 so that you can send it to our bank, for our bank to release the money into your account. Therefore, go ahead and contact him so that he could advance the loan to you, tell him to raise the sum of US$50,000 for you which you will use to claim your money from HSBC Bank London

    His contact details are as below.

    NAME: MR. JOHN WEST

    TEL: 1 6463230811

    E-MAIL ADDRESS: johnwestconsult@yahoo.com

    Contact him and get back to me with your discussion with him

    Please try and contact Mr. John West today,

    Thanks

    Dr Herman Orrin

    N/B: I am really sorry for all the difficulties you have suffered so far in the cost of receiving your fund, I promise you it will never happen again.

    ——- End of Forwarded Message ——-

  4. "George Hart" (gfhart45@yahoo.com, 41.210.23.141/Ghana) is a scammer said:

    Scammer “George Hart” (gfhart45@yahoo.com) posted link hsbcbank-lon.com (a fake copy of HSBC) from IP address 41.210.23.141 in Ghana, West Africa and wrote:

    ====

    Dear Mr. Sheehan,

    You should go back to your source and ask him what bank the funds have been transferred to here in the USA. Do you have a Owners Funds Rights Certificate? If not can he get it for you. Do you have an anti-terrorist certificate in your possession? These are certificates that will be demanded here in the USA for any bank to make the transfer to your account. Remember these are large sums of money. You will need these proofs. These certificates are expensive. he should know that you will need them to have funds transferred to your bank —here or not. I am not aware the funds are here but they may be. If I remember the transfer is from HSBC. I will further contact to see if the funds are actually here in the USA.

    Has your counterpart, Mr. Jonathan, put up any funds during this process? Or only you!

    I will double check everything in the office Monday morning.

    Have a blessed weekend

    With regards,

    George Hart
    Financial Advocate/Counselor
    ================================================================
    ================================================================

    — On Sat, 12/13/08, llfire9fly6@aol.com wrote:

    From: llfire9fly6@aol.com
    Subject: (no subject)
    To: gfhart45@yahoo.com
    Date: Saturday, December 13, 2008, 5:36 AM

    MR HART:

    I JUST GOT AN E-MAIL; FROM BARISTER JONATHAN NORRIS AND I AM GOING TO FORWARD TO YOU. HE SAYS THE MONEY IS HERE IN THE STATES AND NOW I AM WONDERING WHAT IS GOING ON. LET ME KNOW OKAY, I AM TAKING YOUR WORD FOR IT AND NOT WHAT HE SAYS.

    MR SHEEHAN

    ====

    Remember: If you’re being asked for an anti-terrorist certificate then it is a scam!

  5. crap never ends!!!!!!!!!!!!

    http://groups.google.com/group/i5o2guzqn GOOGLE SPAM

    From Barbara Williams Fri Mar 6 01:35:28 2009
    Return-Path:
    Authentication-Results: mta689.mail.mud.yahoo.com from=hotmail.com; domainkeys=neutral (no sig)
    Received: from 65.55.111.89 (EHLO blu0-omc2-s14.blu0.hotmail.com) (65.55.111.89)
    by mta689.mail.mud.yahoo.com with SMTP; Fri, 06 Mar 2009 01:36:00 -0800
    Received: from BLU118-W44 ([65.55.111.73]) by blu0-omc2-s14.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Fri, 6 Mar 2009 01:35:29 -0800
    Message-ID:
    Return-Path: barbaraiunomhzi@hotmail.com
    Content-Type: multipart/alternative;
    boundary=”_cc8f37db-15e8-4278-844e-17beb65d2144_”
    From: Barbara Williams
    To:
    Subject: Discuonts and perfect prices only for you.
    Date: Fri, 6 Mar 2009 09:35:28 +0000
    Importance: High
    MIME-Version: 1.0
    Content-Length: 1081

    —– Forwarded Message —-
    From: Barbara Williams
    To: frankstank22@yahoo.com
    Sent: Friday, March 6, 2009 2:35:28 AM
    Subject: Discuonts and perfect prices only for you.

    Cilais Soft Tabs. Good for you. Good for her.

    click here

  6. But Google has addressed the issue – the Google Groups pages now have a “Report this group” link at the bottom.

    If you click this, you can have the group shut down.

    In addition, I am logging groups advertised by spam seen in my spam feed. I report them to a contact inside Google in bulk.

  7. The Google groups problem has re-emerged. Google is distributing trojans on behalf of the criminals who have uploaded those files. The spam links directly to the zipped downloads, which means there are no abuse reporting buttons. And an email to abuse@google.com returns an autoack with no useful information and no indication that any sentient being will ever see the report.

    An example of one of the links is in the thread at http://ksforum.inboxrevenge.com/viewtopic.php?p=46703#p46703

  8. Pingback: Portfolio Deliverable 3 – Google Group « Linna's Infosys343 Blog

  9. Maybe you need to clean up your comments a bit? Looks like some spammers have sneaked in, e.g. “George Hart” and “seo”.

  10. The Google Group that has spammed me does NOT have a “report this group” link on its home page. Not only that, but complaints to postmaster@google.com and abuse@google.com have not gotten me unsubscribed from the group. I even tried sending postal mail to Google, and got no answer at all.

  11. I tried calling the Spanish Google branch this morning but the woman there was useless. She just fobbed me off telling me to find the answer on their help pages. The fact that she couldn’t give me an exact URL or email address just goes to show that they are not bothered in the slightest.
    What’s so annoying is that even if you block the group email, they come through as the email of the person that’s sending the crap and not the group address so they pass through the filter. The offenders in our case are: worldarabtradecenter@googlegroups.com
    The fact that Jonathan has had no reply from his emails, doesn’t fill me with much confidence either.
    I can’t understand how they manage to send you emails if you’re not subscribed though. I click on the unsubscribe link and I get an email with an “unsubscribe” link but the crap keeps piling in. Our email address doesn’t even have a Google account associated with it either. Wonderful unprofessional conduct from Google. It’s about time they were forced to obey European SPAM & Internet Information law since they operate over here.
