The email security vendor MessageLabs published a report about the increasing number of spam messages originating from Gmail. "Analysis of spam shows that 4.6 percent of all spam originates from Web mail-based services and the proportion of spam from Gmail increased two-fold from 1.3 percent in January to 2.6 percent in February, mainly promoting adult-oriented websites. Yahoo! Mail was the most abused Web mail service responsible for sending 88.7 percent of all Web mail-based spam."

Spammers create accounts at free mail services like Yahoo Mail or Gmail, but to make the process more efficient, they need to automate it. The major challenge is that most web mail providers use CAPTCHAs ("Completely Automated Public Turing test to tell Computers and Humans Apart"), which are difficult to solve automatically. Last month, Websense Security Labs discovered that spammers managed to create bots that automatically sign up for new Gmail accounts with a success rate of 20%.
"We discovered that the CAPTCHA breaking process for Gmail is sophisticated when compared to the Live Mail CAPTCHA break up which was reported in our recent blogs. It is observed that two separate hosts active on the same domain are contacted during the entire process. These two hosts work collaboratively during the CAPTCHA break process. Unlike Live Mail CAPTCHA breaking, which involved just one botted host doing the entire job (signing up, filling in details, getting the CAPTCHA request), the Gmail signing process involves two botted hosts (or CAPTCHA breaking hosts)."
Jeff Atwood thinks that "there's simply too much money to be made in email spam for the commercial CAPTCHA algorithms, regardless of how good they may be, to survive forever." He suggests diversifying the tests and using more difficult tasks like distinguishing dogs from cats or solving failed OCR inputs, but making the test more complicated will frustrate users.
Update: there's a program called Jiffy Gmail Creator that promises to automatically create Gmail accounts. "Normally, the average amount of time it takes to create a GMail account on a fast connection is approximately 4 minutes. With this software you can create a single account in under 10 seconds, and 10 accounts in under 2 minutes. Obviously this saves you loads of time," explains the site (I think you need less than a minute to create a Gmail account manually). The program costs $57, but I'm sure it's not the only one.
Labels: Gmail, Spam
Aditya said on March 11, 2008 6:43 AM PDT:
Apart from CAPTCHAs, they could follow simple AI techniques like "what picture do you see", mathematics questions, etc.
Andrew said on March 11, 2008 7:41 AM PDT:
I suspect gmail has developed a false sense of security because they are so good at catching *incoming* spam.
One step gmail could take tomorrow would diminish the sending of spam *and* be a major improvement in Google Groups:
Change the gmail TOS and immediately close the gmail account of anyone spamming via google groups.
This would - overnight - make a very significant improvement to google groups (and be very easy to achieve), and would also reduce the overall spammer-friendliness of gmail.
Better policing of the 'little things' tends to bring benefits across the board, and is usually low cost and easily achieved.
I rely on gmail - and don't want to see its reputation as low as h*tma*l's!
Why not have two CAPTCHA passes - one with the "choose an image - dog, cat, bird, etc" and one with the traditional. Doesn't matter if done in two steps...start & end or both end...or done on the same page. Just something to help the process.
As to frustration, I get frustrated when it takes me three times to post a comment because I can't read the darn CAPTCHA. LOL! But I do it anyway...
Michael said on March 11, 2008 9:27 AM PDT:
Google could make the tests as complicated as they like... people are still going to sign up to Gmail. My friends are kinda amazed at how easy it is to use after migrating from Yahoo! and the likes.
grawity said on March 11, 2008 9:34 AM PDT:
It's not so bad actually. I already get spam as Google Calendar invitations.
daniel said on March 11, 2008 10:07 AM PDT:
The amount of spam my gmail account gets amazes me. I've never signed up for any company or website with this email address and yet I still get spam.
What's really weird is that occasionally I get spam emails that show that they are actually sent from my own gmail account. A few people have lately reported that my emails have ended up in their spam folders. I'm worried that by marking the messages I get that are "from me" as spam, I've added myself to Google's list of spam email addresses.
Andy Wong said on March 11, 2008 3:44 PM PDT:
Spammer John may have two ways of using Gmail to send spam.
Manual way: employ dozens of cheap laborers, each of whom will register hundreds of Gmail accounts daily.
Semi-auto way: employ dozens of cheap laborers, each of whom will analyze thousands of CAPTCHA images daily sent by the bots.
I am pretty sure Google was well aware of this. This is not a false sense of security. I regard Google as having kept a good balance between anti-spam and usability.
Technically it is not too difficult for Google to detect those spam accounts, which share a common characteristic: tens of thousands of emails sent out, rarely any replies back.
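The sent-volume versus reply heuristic suggested in the comment above, as an added Python example (not part of the original post or thread). The event log is constructed inline and the thresholds are illustrative, not values any provider is known to use.

```python
from collections import defaultdict

# Constructed sample mail-log events (not real data): each tuple is
# (account, direction, peer). "out" means the account sent a message to
# peer; "in" means peer sent a message to the account.
EVENTS = (
    # alice: normal use, writes to a few contacts who mostly write back
    [("alice", "out", f"friend{i}") for i in range(5) for _ in range(3)]
    + [("alice", "in", f"friend{i}") for i in range(4)]
    # bulk1: thousands of messages to distinct recipients, almost no replies
    + [("bulk1", "out", f"recipient{i}") for i in range(3000)]
    + [("bulk1", "in", "recipient17"), ("bulk1", "in", "recipient900")]
)

def account_stats(events):
    """Per account: messages sent, distinct recipients, and inbound messages
    from people the account had already written to (counted as replies)."""
    stats = defaultdict(lambda: {"sent": 0, "recipients": set(), "replies": 0})
    for account, direction, peer in events:
        s = stats[account]
        if direction == "out":
            s["sent"] += 1
            s["recipients"].add(peer)
        elif direction == "in" and peer in s["recipients"]:
            s["replies"] += 1
    return stats

def flag_bulk_senders(events, min_sent=1000, max_reply_ratio=0.01):
    """Return accounts that sent at least min_sent messages and got replies
    to at most max_reply_ratio of them (hypothetical thresholds)."""
    flagged = {}
    for account, s in account_stats(events).items():
        if s["sent"] < min_sent:
            continue
        ratio = s["replies"] / s["sent"]
        if ratio <= max_reply_ratio:
            flagged[account] = {"sent": s["sent"],
                                "recipients": len(s["recipients"]),
                                "reply_ratio": round(ratio, 4)}
    return flagged

if __name__ == "__main__":
    for account, info in flag_bulk_senders(EVENTS).items():
        print(f"{account}: {info}")
```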
Andrew said on March 11, 2008 3:56 PM PDT:
I agree that technically, if there's a will, it should not be too difficult to spot a gmail account being used to send spam.
No quarrel there.
As gmail is set up to be a 'personal' mail system, it should be possible to instantly close any account trying to send spam - before the spam gets sent.
My worry is that Google is not stopping the spam being sent. Why not?
Andy Wong said on March 11, 2008 6:20 PM PDT:
Andrew, Google does not act now because, I guess:
1. The situation is not yet severe enough to damage Gmail's reputation. To spammers, using Gmail accounts may still be more expensive than other spam solutions in most scenarios, because of Gmail's many restrictions.
2. Google is actually acting, but just not telling you with great publicity. I heard people complaining about Google blocking their accounts because of suspected spam activity. So, I am sure those real spammer accounts get blocked much more often.
Google somehow has a tradition of keeping users in the dark. So, all we can do now is guess, and try to be a guess-expert of Google.
said on March 12, 2008 7:07 AM PDT:
Why is the link not working?
Because some people don't understand that links should be permanent. I updated the link.
said on March 13, 2008 2:03 PM PDT:
>>Semi-auto way: employ dozens of cheap laborers, each of whom will analyze thousands of CAPTCHA images daily sent by the bots.
Actually, the simplest way is to set up a porn site and allow access for free as long as they fill in the CAPTCHA text (which had been pulled from the gmail sign up process and the responses then fed back in). The only cost is the bandwidth of the site. This would defeat any of the other suggestions as well since any test you devise would be shown to actual humans.
Andrew said on March 13, 2008 2:45 PM PDT:
You had me convinced for a moment.
But on 30 seconds reflection, I can think of two, maybe three ways to stop that working, and I'm sure there's others.
2tech said on March 31, 2008 4:51 AM PDT:
Just tell me how to get rid of it. In the last week I have had over 100 messages. I use gmail because it was safe.
Report the messages as spam, don't delete them. Gmail is not perfect, but it has a better spam filter than other free webmail services.
Andrew said on March 31, 2008 5:04 AM PDT:
Many of us DO report them, and I claim to be the Phisher King - because I refuse to believe that anyone has reported more phishes than I have.
But - and I mean no disrespect - we've been getting the same advice, from ALL emailers, for ten years.
That is no solution, it's 'after the event' - surely, by now, Google and the others should be working on prevention?
And if Google won't, who will?
This thread started as 'spam FROM gmail' - and as we've said, they could stop that, DEAD, NOW!
So why don't they?
said on August 4, 2008 9:45 PM PDT:
Now spammers create serial accounts like gyu1465ahs@gmail.com, gyu1408ass2@gmail.com, gyu1472bba@gmail.com, gyu1443apc@gmail.com, gyu1481bkh@gmail.com, gyu1418aad@gmail.com, gyu1389asr@gmail.com, gyu1430akg@gmail.com, gyu1454bsk@gmail.com to spam others... Is google doing something about it?
I just got a phish addressing me as an Adwords member (I'm not), asking me to click on a .cn link. If gmail cannot see that coming, please don't tell me they have a clue about email spam. Because they don't.
Xavier said on August 20, 2008 4:48 AM PDT:
It seems Websense also blocked docs.google.com for another reason: it allows spammers to host their data directly on free hosted services like Google Docs:
http://securitylabs.websense.com/content/Blogs/3101.aspx
said on November 20, 2008 4:02 PM PDT:
I'm receiving strange spam in my Gmail. Some of these messages have my own email address as the sender. And inside these letters, there is an image that contains fake Chinese (.cn) links. I never clicked on such links and I don't have any keyloggers/rootkits on my computer. Please GMail, do us a favor, close your service until you fix the current problem with this spam!
Cavan said on December 1, 2008 7:28 AM PDT:
I am also receiving a number of strange spam messages in my Gmail reported to be sent by my gmail account. I noticed it about a week ago. I have virus checkers in place, and I've now changed my email password, but I'm still receiving them. Over the past few months I've been sent a number of failed delivery emails which I had put down to spam; however, now I'm thinking these were replies to the spam generated by whomever is spoofing my email address. Any help would be appreciated.
said on December 3, 2008 4:20 AM PDT:
Correctly, this is very, very strange. I think some Chinese guys found out a way to bypass the "sender name" in GMail.
Google is so stup1d, they don't give support by contact, they have just a crap faq that doesn't solve any sh1t!
Balaji said on December 15, 2008 9:06 AM PDT:
Yes... I too am receiving spam messages in my gmail account which apparently seem to be sent by me... I have checked google help but there is no information about how to stop receiving those mails... need help...
said on December 15, 2008 12:33 PM PDT:
Add one more on the list of people getting spam from their own gmail account address. Anyone know who we should talk to/annoy about this?
said on December 29, 2008 2:59 AM PDT:
I think everybody should contact Google or yahoo or whatever and say something like this below, as the more people who threaten to block out their whole domain the more worried these providers will become:
I think you should have a direct email address where users could send (forward) the spam emails they are getting from your websites so that you can deal promptly with these spammers and not rely on users filling out forms on your website or having to buy expensive software to stop something you should be addressing?
The alternative is for us users to block all emails from @google.com or the abusive site!
It's about time you started doing something!
The email address mail-abuse@cc.yahoo-inc.com is about as much use as a chocolate teapot!
You should be trying to stop this not ignoring it or even worse trying to profit from it!
Lauren said on January 2, 2009 5:41 PM PDT:
And yet another person here who is getting spam sent from her own gmail address. It's happening on both the accounts I have!
Thierry said on January 12, 2009 11:08 AM PDT:
Hello,
I am a gmail user and I do know that my account is being used for spamming as I received one myself.
They seem to redirect to some Chinese sites and therefore I think they are phishing sites.
I changed my password yesterday after the 1st spam email was received, but it didn't stop whoever is managing to send them, as they managed to send one very similar to the one received yesterday.
I do not know how they managed to log in (I use AVG and a few other antivirus programs, and none came up with infections).
I however did notice that they showed something interesting: instead of showing the sender name as being my 1st name, it just showed "myfullemailaddress@gmail.com".
Anyone can help me on this one?
Andrew said on January 14, 2009 3:43 AM PDT:
Yes.
Your gmail account is NOT being used in any way; the spammer who is sending TO your account is simply *pretending* to be posting from your account. Lying spammer, not a gmail issue at all (we all get them!).
BTW, no-one at Google reads these comments, so it's not the best place to ask for help.
said on January 17, 2009 4:52 PM PDT:
So, what's the best place to make them listen to us about bug/vulnerability reports? It's funny that many people are complaining and Google doesn't say anything and doesn't fix the problem!
said on January 23, 2009 1:21 PM PDT:
My g-mail account is sending spam! In my SENT FOLDER it shows like 50 spam messages a day sent to myself... WTF?!?!
So it's not just "faking the from", it's actually sending from my account! Even after I changed my password.. HELP!!
said on February 9, 2009 4:43 AM PDT:
Andrew: "Lying spammer, not a gmail issue at all (we all get them!)."
It's bullshit! The spammers are able to spoof the "Sender address" field of the mail header, so this is for sure a GMail security issue!
Andrew said on February 9, 2009 5:58 AM PDT:
Exactly; they're spoofing it - that doesn't make it Google's problem (except for the damage to gmail's reputation).
If someone spoofed your name on a check, would that be your fault? I don't think so!
linda said on February 14, 2009 12:42 PM PDT:
qekldoz@gmail.com sent me spam to our bed and breakfast, which I don't have time for. Could someone check on this? Thanks.
said on March 10, 2009 10:02 AM PDT:
Andrew: if someone is able to spoof my name in my GMail, it's because there is a vulnerability on this service that allows an attacker to do it! Is it too hard for you to understand that there is an issue in the GMail service? Or you're just an asshole that works on GMail, this pig capitalist company?
I think so!
Andrew said on March 10, 2009 11:11 AM PDT:
No. And no again.
Spammers have spoofed email addresses from all sources for over ten years. It's not a gmail thing; it's an email software issue that dates back to pre-MS days.
All they're doing is telling your email agent to show false info. Many insert your own address, or any address that takes their fancy.
Time you got back to the etch-a-sketch.
said on March 10, 2009 8:45 PM PDT:
Alex Chitu: Very funny, a Google worker trying to defend his service. Don't you guys know how to fix the problem? Call Microsoft! I never received spam in my Hotmail box from myself containing Chinese spam links, because that service doesn't have the same vulnerability (or bug, as you wish) as GMail has!
Andrew: It's a new and isolated, different case that is occurring ONLY with GMail! It's not related to email spoofing in general. The fact is there is a bug in the GMail webmail service that allows people to spoof the "Sender Address" field and Google is not able to fix this issue.
The funny thing is when I use an email client application and receive these Chinese spoofed emails, the program is able to extract the correct "Sender Address" field from the header, instead of the spoofed one! This is for sure a problem in the Gmail webmail, which is not able to handle the email headers correctly.
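The header behaviour argued over in the comments above (Andrew's point that the spammer merely tells the mail agent to display false sender information, and the observation that a desktop client can still recover where a message came from), as an added Python example that is not part of the original post or thread. Both messages are constructed; the hosts and addresses use reserved example names (`example.net`, `.invalid`) and are not real captures.

```python
import email
import re
from email.utils import parseaddr

# Constructed messages (not real captures). The first carries a From: header
# forged to look like the recipient's own address; the Return-Path and the
# outermost Received trace still record where it actually entered the system.
SPOOFED = b"""\
Return-Path: <bounce-8812@bulk-sender.invalid>
Received: from mx1.bulk-sender.invalid (mx1.bulk-sender.invalid [192.0.2.10])
        by mx.example.net with ESMTP id abc123
        for <user@example.net>; Tue, 10 Mar 2009 10:00:00 +0000
From: user@example.net
To: user@example.net
Subject: hello

see the picture
"""

GENUINE = b"""\
Return-Path: <user@example.net>
Received: from webmail.example.net (webmail.example.net [198.51.100.5])
        by mx.example.net with ESMTP id def456
        for <user@example.net>; Tue, 10 Mar 2009 11:00:00 +0000
From: user@example.net
To: user@example.net
Subject: note to self

remember the milk
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw):
    """Compare the displayed From: address with the envelope Return-Path and
    the outermost Received hop. From: is just asserted text, so a mismatch
    is what a careful client or filter would surface before trusting it."""
    msg = email.message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[0]) if received else None
    first_hop = m.group(1).lower() if m else ""
    from_dom = domain_of(from_addr)
    mismatch = (domain_of(return_path) != from_dom
                or not first_hop.endswith(from_dom))
    return {"from": from_addr, "return_path": return_path,
            "first_hop": first_hop, "from_is_unverified": mismatch}
```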
said on March 28, 2009 11:54 PM PDT:
No, I get spam email from myself in yahoo so I don't think it's only with gmail.
said on April 6, 2009 3:18 AM PDT:
My best advice: start executing those spammers. No trial, no law. No prison time, as they will cost taxpayers. Simple plain execution or use them for human trials.
I don't believe that "I didn't know local laws" reason. Yes, the lawyers who represent them are also scumbags.
said on May 12, 2009 8:32 PM PDT:
Gmail should have a whitelist/blacklist of countries you can send and receive mail from.
If the user only wants emails from the European Union and the USA, then it "filters" all other emails. Or how about users selecting to block emails from China?