The email security vendor MessageLabs published a report about the increasing number of spam messages originating from Gmail. "Analysis of spam shows that 4.6 percent of all spam originates from Web mail-based services and the proportion of spam from Gmail increased two-fold from 1.3 percent in January to 2.6 percent in February, mainly promoting adult-oriented websites. Yahoo! Mail was the most abused Web mail service responsible for sending 88.7 percent of all Web mail-based spam."

Spammers create accounts at free mail services like Yahoo Mail or Gmail, but to make the process more efficient, they need to automate it. The major challenge is that most web mail providers use CAPTCHAs ("Completely Automated Public Turing test to tell Computers and Humans Apart"), which are difficult to solve automatically. Last month, Websense Security Labs discovered that spammers managed to create bots that automatically sign up for new Gmail accounts with a success rate of 20%.
"We discovered that the CAPTCHA breaking process for Gmail is sophisticated when compared to the Live Mail CAPTCHA break up which was reported in our recent blogs. It is observed that two separate hosts active on the same domain are contacted during the entire process. These two hosts work collaboratively during the CAPTCHA break process. Unlike Live Mail CAPTCHA breaking, which involved just one botted host doing the entire job (signing up, filling in details, getting the CAPTCHA request), the Gmail signing process involves two botted hosts (or CAPTCHA breaking hosts)."
Jeff Atwood thinks that "there's simply too much money to be made in email spam for the commercial CAPTCHA algorithms, regardless of how good they may be, to survive forever." He suggests diversifying the tests and using more difficult tasks like distinguishing dogs from cats or solving failed OCR inputs, but making the test more complicated will frustrate users.
Update: there's a program called Jiffy Gmail Creator that promises to automatically create Gmail accounts. "Normally, the average amount of time it takes to create a GMail account on a fast connection is approximately 4 minutes. With this software you can create a single account in under 10 seconds, and 10 accounts in under 2 minutes. Obviously this saves you loads of time," explains the site (I think you need less than a minute to create a Gmail account manually). The program costs $57, but I'm sure it's not the only one.
Labels: Gmail, Spam
Aditya said on March 11, 2008 6:43 AM PDT:
Apart from CAPTCHAs, they could follow simple AI techniques like "what picture do you see", mathematics questions, etc.
Andrew said on March 11, 2008 7:41 AM PDT:
I suspect gmail has developed a false sense of security because they are so good at catching incoming spam.
One step gmail could take tomorrow would diminish the sending of spam and be a major improvement in Google Groups:
Change the gmail TOS and immediately close the gmail account of anyone spamming via google groups.
This would - overnight - make a very significant improvement to google groups (and be very easy to achieve), and would also reduce the overall spammer-friendliness of gmail.
Better policing of the 'little things' tends to bring benefits across the board, and is usually low cost and easily achieved.
I rely on gmail - and don't want to see its reputation as low as h*tma*l's!
Why not have two CAPTCHA passes - one with the "choose an image - dog, cat, bird, etc" and one with the traditional. Doesn't matter if done in two steps...start & end or both end...or done on the same page. Just something to help the process.
As to frustration, I get frustrated when it takes me three times to post a comment because I can't read the darn CAPTCHA. LOL! But I do it anyway...
Michael said on March 11, 2008 9:27 AM PDT:
Google could make the tests as complicated as they like... people are still going to sign up to Gmail. My friends are kinda amazed at how easy it is to use after migrating from Yahoo! and the likes.
grawity said on March 11, 2008 9:34 AM PDT:
It's not so bad actually. I already get spam as Google Calendar invitations.
daniel said on March 11, 2008 10:07 AM PDT:
The amount of spam my gmail account gets amazes me. I've never signed up for any company or website with this email address and yet I still get spam.
What's really weird is that occasionally I get spam emails that show that they are actually sent from my own gmail account. A few people have lately reported that my emails have ended up in their spam folders. I'm worried that by marking the messages I get that are "from me" as spam, I've added myself to Google's list of spam email addresses.
Andy Wong said on March 11, 2008 3:44 PM PDT:
Spammer John may have two ways of using Gmail to send spam.
Manual way: employ dozens of cheap laborers, each of whom will register hundreds of Gmail accounts daily.
Semi-Auto way: employ dozens of cheap laborers, each of whom will analyze thousands of CAPTCHA images daily sent by the bots.
I am pretty sure Google was well aware of this. This is not a false sense of security. I regard Google as having kept a good balance between anti-spam and usability.
Technically it is not too difficult for Google to detect those spam accounts which share a common characteristic: tens of thousands of emails sent out, rarely getting replies back.
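The "many sent, rarely replied to" heuristic in the comment above, run over a handful of mail log lines, as an added example that is not part of the original post and not any Google system's code. The log format (`OUT`/`IN` followed by sender and recipient), the sample lines and the thresholds are all constructed for illustration; the thresholds are scaled down from the "tens of thousands" in the comment so the small sample triggers them.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccountStats:
    sent: int = 0                                  # outbound messages from the account
    recipients: set = field(default_factory=set)   # distinct addresses it mailed
    replies: int = 0                               # inbound messages from someone it mailed


def parse_log(lines):
    """Aggregate per-account counters from constructed log lines.

    Each line is '<direction> <from> <to>' where direction is OUT or IN.
    An inbound message only counts as a reply if its sender was previously
    mailed by the receiving account, so ordering in the log matters.
    Malformed or commented lines are skipped rather than raising.
    """
    stats = defaultdict(AccountStats)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        direction, sender, recipient = parts
        if direction == "OUT":
            acct = stats[sender]
            acct.sent += 1
            acct.recipients.add(recipient)
        elif direction == "IN":
            acct = stats[recipient]
            if sender in acct.recipients:
                acct.replies += 1
    return stats


def flag_accounts(stats, min_sent=20, max_reply_ratio=0.05):
    """Return accounts that sent at least min_sent messages and whose
    reply ratio (replies / sent) is below max_reply_ratio.

    Thresholds are hypothetical; a real deployment tunes them against
    known-good traffic so newsletters and busy users are not swept up.
    """
    flagged = {}
    for account, acct in stats.items():
        if acct.sent < min_sent:
            continue
        ratio = acct.replies / acct.sent
        if ratio < max_reply_ratio:
            flagged[account] = {
                "sent": acct.sent,
                "recipients": len(acct.recipients),
                "reply_ratio": round(ratio, 3),
            }
    return flagged


def build_sample_log():
    """Constructed sample traffic: one normal user, one bulk sender with no
    replies, and one sender with a single reply out of forty messages."""
    lines = [
        "OUT alice@example.com bob@example.net",
        "IN bob@example.net alice@example.com",
        "OUT alice@example.com carol@example.org",
        "IN carol@example.org alice@example.com",
        "OUT alice@example.com dave@example.org",
    ]
    lines += [f"OUT bulk@example.com victim{i}@example.net" for i in range(50)]
    lines += [f"OUT mallory@example.com target{i}@example.org" for i in range(40)]
    lines.append("IN target3@example.org mallory@example.com")
    return lines


def run_demo():
    return flag_accounts(parse_log(build_sample_log()))


if __name__ == "__main__":
    for account, info in sorted(run_demo().items()):
        print(account, info)
```

Alice sends three messages and gets two replies, so she never reaches the volume threshold; the bulk sender has zero replies and the forty-message sender has a ratio of 0.025, so both are flagged. The point of keeping the distinct-recipient count in the output is that a legitimate high-volume account tends to mail the same people repeatedly, which is a second signal an analyst can check before acting.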
Andrew said on March 11, 2008 3:56 PM PDT:
I agree that technically, if there's a will, it should not be too difficult to spot a gmail account being used to send spam.
No quarrel there.
As gmail is set up to be a 'personal' mail system, it should be possible to instantly close any account trying to send spam - before the spam gets sent.
My worry is that Google is not stopping the spam being sent. Why not?
Andy Wong said on March 11, 2008 6:20 PM PDT:
Andrew, Google does not act now because, I guess:
1. The situation is not yet severe enough to damage Gmail's reputation. To spammers, using Gmail accounts may still be more expensive than other spam solutions in most scenarios, because of Gmail's many restrictions.
2. Google is actually acting, but just not telling you with great publicity. I heard people complaining about Google blocking their accounts because of suspected spam activity. So, I am sure those real spammer accounts get blocked much more often.
Google has somehow had a tradition of keeping users in the dark. So, all we can do now is guess, and try to be a guess-expert on Google.
said on March 12, 2008 7:07 AM PDT:
Why is the link not working?
Because some people don't understand that links should be permanent. I updated the link.
said on March 13, 2008 2:03 PM PDT:
>>Semi-Auto way: employ dozens of cheap labors each of who will analyze thousands of CAPTCHA images daily sent by the bots.
Actually, the simplest way is to set up a porn site and allow access for free as long as they fill in the CAPTCHA text (which had been pulled from the gmail sign up process and the responses then fed back in). The only cost is the bandwidth of the site. This would defeat any of the other suggestions as well since any test you devise would be shown to actual humans.
Andrew said on March 13, 2008 2:45 PM PDT:
You had me convinced for a moment.
But on 30 seconds reflection, I can think of two, maybe three ways to stop that working, and I'm sure there's others.
2tech said on March 31, 2008 4:51 AM PDT:
Just tell me how to get rid of it. In the last week I have had over 100 messages. I use gmail because it was safe.
Report the messages as spam, don't delete them. Gmail is not perfect, but it has a better spam filter than other free webmail services.
Andrew said on March 31, 2008 5:04 AM PDT:
Many of us DO report them, and I claim to be the Phisher King - because I refuse to believe that anyone has reported more phishes than I have.
But - and I mean no disrespect - we've been getting the same advice, from ALL emailers, for ten years.
That is no solution, it's 'after the event' - surely, by now, Google and the others should be working on prevention?
And if Google won't, who will?
This thread started as 'spam FROM gmail' - and as we've said, they could stop that, DEAD, NOW!
So why don't they?