March 11, 2008

More Spam Originating from Gmail

The email security vendor MessageLabs published a report about the increasing number of spam messages originating from Gmail. "Analysis of spam shows that 4.6 percent of all spam originates from Web mail-based services and the proportion of spam from Gmail increased two-fold from 1.3 percent in January to 2.6 percent in February, mainly promoting adult-oriented websites. Yahoo! Mail was the most abused Web mail service responsible for sending 88.7 percent of all Web mail-based spam."


Spammers create accounts at free mail services like Yahoo Mail or Gmail, but to make the process more efficient, they need to automate it. The major challenge is that most web mail providers use CAPTCHAs ("Completely Automated Public Turing test to tell Computers and Humans Apart"), which are difficult to solve automatically. Last month, Websense Security Labs discovered that spammers managed to create bots that automatically sign up for new Gmail accounts with a success rate of 20%:

"We discovered that the CAPTCHA breaking process for Gmail is sophisticated when compared to the Live Mail CAPTCHA break up which was reported in our recent blogs. It is observed that two separate hosts active on same domain are contacted during the entire process. These two hosts work collaboratively during the CAPTCHA break process. Unlike Live Mail CAPTCHA breaking, which involved just one botted host doing the entire job (signing up, filling in details, getting the CAPTCHA request), the Gmail signing process involves two botted hosts (or CAPTCHA breaking hosts)."


Jeff Atwood thinks that "there's simply too much money to be made in email spam for the commercial CAPTCHA algorithms, regardless of how good they may be, to survive forever." He suggests diversifying the tests and using more difficult tasks like distinguishing dogs from cats or solving failed OCR inputs, but making the test more complicated will frustrate users.

Update: there's a program called Jiffy Gmail Creator that promises to automatically create Gmail accounts. "Normally, the average amount of time it takes to create a GMail account on a fast connection is approximately 4 minutes. With this software you can create a single account in under 10 seconds, and 10 accounts in under 2 minutes. Obviously this saves you loads of time," explains the site (I think you need less than a minute to create a Gmail account manually). The program costs $57, but I'm sure it's not the only one.

47 comments:

  1. Apart from CAPTCHAs, they could follow simple AI techniques like what picture do you see, mathematics questions etc.

  2. I suspect gmail has developed a false sense of security because they are so good at catching *incoming* spam.

    One step gmail could take tomorrow would diminish the sending of spam *and* be a major improvement in Google Groups:

    Change the gmail TOS and immediately close the gmail account of anyone spamming via google groups.

    This would - overnight - make a very significant improvement to google groups (and be very easy to achieve), and would also reduce the overall spammer-friendliness of gmail.

    Better policing of the 'little things' tends to bring benefits across the board, and is usually low cost and easily achieved.

    I rely on gmail - and don't want to see its reputation as low as h*tma*l's!

  3. Why not have two CAPTCHA passes - one with the "choose an image - dog, cat, bird, etc" and one with the traditional. Doesn't matter if done in two steps...start & end or both end...or done on the same page. Just something to help the process.

    As to frustration, I get frustrated when it takes me three times to post a comment because I can't read the darn CAPTCHA. LOL! But I do it anyway...

  4. Google could make the tests as complicated as they like... people are still going to sign up to Gmail. My friends are kinda amazed at how easy it is to use after migrating from Yahoo! and the likes.

  5. It's not so bad actually. I already get spam as Google Calendar invitations.

  6. The amount of spam my gmail account gets amazes me. I've never signed up for any company or website with this email address and yet I still get spam.

    What's really weird is that occasionally I get spam emails that show that they are actually sent from my own gmail account. A few people have lately reported that my emails have ended up in their spam folders. I'm worried that by marking the messages I get that are "from me" as spam, I've added myself to Google's list of spam email addresses.

  7. Spammer John may have two ways of using Gmail to send spam.
    Manual way: employ dozens of cheap laborers, each of whom will register hundreds of Gmail accounts daily.

    Semi-Auto way: employ dozens of cheap laborers, each of whom will analyze thousands of CAPTCHA images daily sent by the bots.

    I am pretty sure Google was well aware of this. This is not a false sense of security. I regard Google has kept good balance between anti-spam and usability.

    Technically it is not too difficult for Google to detect those spam account which share common characteristic: Tens of thousands of Email sent out, rarely get replies back.

  8. I agree that technically, if there's a will, it should not be too difficult to spot a gmail account being used to send spam.

    No quarrel there.

    As gmail is set up to be a 'personal' mail system, it should be possible to instantly close any account trying to send spam -
    before the spam gets sent.

    My worry is that Google is not stopping the spam being sent. Why not?

  9. Andrew. Google does not act now, because, I guess:
    1. The situation is not yet severe enough to damage Gmail's reputation. To spammers, using Gmail accounts may still be more expensive than other spam solutions in most scenarios, because of Gmail's many restrictions.

    2. Google is actually acting, but just not telling you with great publicity. I heard people complaining about Google blocking their accounts because of suspected spam activity. So, I am sure those real spammer accounts get blocked much more often.

    Google somehow had tradition of keeping users in the dark. So, all we can do now is to guess, and try to be a guess-expert of Google.

  10. Why the link is not working?

  11. Because some people don't understand that links should be permanent. I updated the link.

  12. >>Semi-Auto way: employ dozens of cheap labors each of who will analyze thousands of CAPTCHA images daily sent by the bots.

    Actually, the simplest way is to set up a porn site and allow access for free as long as they fill in the CAPTCHA text (which had been pulled from the gmail sign up process and the responses then fed back in). The only cost is the bandwidth of the site. This would defeat any of the other suggestions as well since any test you devise would be shown to actual humans.

  13. You had me convinced for a moment.

    But on 30 seconds reflection, I can think of two, maybe three ways to stop that working, and I'm sure there's others.

  14. Just tell me how to get rid of it. In the last week I have had over 100 messages. I use gmail because it was safe.

  15. Report the messages as spam, don't delete them. Gmail is not perfect, but it has a better spam filter than other free webmail services.

  16. Many of us DO report them, and I claim to be the Phisher King - because I refuse to believe that anyone has reported more phishes than I have.

    But - and I mean no disrespect - we've been getting the same advice, from ALL emailers, for ten years.

    That is no solution, it's 'after the event' - surely, by now, Google and the others should be working on prevention?

    And if Google won't, who will?

    This thread started as 'spam FROM gmail' - and as we've said, they could stop that, DEAD, NOW!

    So why don't they?

  17. Know spammers create serial accounts like gyu1465ahs@gmail.com, gyu1408ass2@gmail.com, gyu1472bba@gmail.com,gyu1443apc@gmail.com
    gyu1481bkh@gmail.com, gyu1418aad@gmail.com, gyu1389asr@gmail.com, gyu1430akg@gmail.com
    gyu1454bsk@gmail.com to spam others...Is google doing something about it?

  18. I just got a phish addressing me as an Adwords member (I'm not), asking me to click on a .cn link. If gmail cannot see that coming, please don't tell me they have a clue about email spam. Because they don't.

  19. It seems Websense also blocked docs.google.com for another reason: because it allows spammers to host their data directly on a free hosted service like Google Docs:
    http://securitylabs.websense.com/content/Blogs/3101.aspx

  20. I'm receiving strange spams in my Gmail. Some of these spams have my own email address as the sender. And inside these letters, there is an image that contains fake chinese (.cn) links. I never clicked on such links and i don't have any Keyloggers/Rootkits on my computer. Please GMail, do us a favor, close your service until you fix the current problem with these spams!

  21. I am also receiving a number of strange spams in my Gmail reported to be sent by my gmail account. I noticed it about a week ago, I have virus checkers in place, and i've now changed my email password, still receiving them, over the past few months i've been sent a number of failed delivery emails which I have put down to spam, however now i'm thinking these were replies to the spam generated by whomever is spoofing my email address, any help would be appreciated

  22. Correctly, this is very very strange. I think some chinese guys found out a way to bypass the "sender name" GMail.

    Google is so stup1d, they don't give support by contact, they have just a crap faq that doesn't solve any sh1t!

  23. yes...im too receiving spam messages in gmail account apparently seemed to be sent by me...i have checked google help but there is no information about how to stop receiving those mails...need help...

  24. Add one more on the list of people getting spam from their own gmail account address. Anyone know who we should talk to/annoy about this?

  25. I think everybody should contact Google or Yahoo or whatever and say something like this below, as the more people who threaten to block out their whole domain the more worried these providers will become:

    I think you should have a direct email address where
    users could send (forward) the spam emails they are
    getting from your websites so that you can deal
    promptly with these spammers and not rely on users
    filling out forms on your website or having to buy
    expensive software to stop something you should be
    addressing?
    The alternative is for us users to block all emails from
    @google.com or the abusive site!
    It's about time you started doing something!
    The email address mail-abuse@cc.yahoo-inc.com
    is about as much use as a chocolate teapot!
    You should be trying to stop this not ignoring it or
    even worse trying to profit from it!

  26. And yet another person here who is getting spam sent from her own gmail address. It's happening on both the accounts I have!

  27. hello
    I am a gmail user and I do know that my account is being used for spamming as I received one myself.

    they seem to redirect to some chinese sites and therefore think they are phishing sites.

    I changed my password yesterday after the 1st spam email was recvd, but it didn't stop whoever is managing to send them as they managed to send one very similar to the one received yesterday.

    I do not know how they managed to log in (I use AVG, and a few other antivirus and none came up with infections)

    I however did notice that they showed something interesting
    instead of showing the sender name as being my 1st name, it just showed "myfullemailaddress@gmail.com "

    anyone can help me on this one?

  28. Yes.

    Your gmail account is NOT being used in any way; the spammer who is sending TO your account is simply *pretending* to be posting from your account. Lying spammer, not a gmail issue at all (we all get them!).

    BTW, no-one at Google reads these comments, so it's not the best place to ask for help.

  29. So, what's the best place to make them listen us about bugs/vulnerabilities reports? It's funny that many people are complaining and Google doesn't say anything and doesn't fix the problem!

  30. My g-mail account is sending spam! In my SEND FOLDER it shows like 50 spam messages a day sent to myself...WTF?!?!

    So it's not just "faking the from", it's actually sending from my account! Even after I changed my password.. HELP!!

  31. Andrew: "Lying spammer, not a gmail issue at all (we all get them!)."

    It's a BullShit! The spammers are able to spoof the "Sender address" field of the mail header, so this is for sure a GMail security issue!

  32. Exactly; they're spoofing it - that doesn't make it Google's problem (except for the damage to gmail's reputation).

    If someone spoofed your name on a check, would that be your fault? I don't think so!

  33. qekldoz@gmail.com sent me spam to our bed and breakfast, which I don't have time for. Could someone check on this? Thanks

  34. Andrew: if someone is able to spoof my name in my GMail, it's because there is a vulnerability on this service that allows an attacker to do it! Is it too hard for you to understand that there is an issue in the GMail service? Or you're just an asshole that works on GMail, this pig capitalist company?
    I think so!

  35. @Anonymous:
    Before insulting other people, learn about how email works. It's very easy to spoof the sender address and this has nothing to do with Gmail or Google. Read about email spoofing, forged email and detecting email spoofing.

  36. No. and No again.

    Spammers have spoofed email addresses from all sources for over ten years. It's not a gmail thing it's an email software issue that dates back to pre-MS days.

    All they're doing is telling your email agent to show false info. Many insert your own address, or any address that takes their fancy.

    Time you got back to the etch-a-sketch.

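
Added example (not part of the original post or of any comment): the visible From header discussed in comments 35 and 36 is text the sender supplies, so a receiver checks it against the envelope sender and against the Authentication-Results header stamped by its own mail server. The messages, addresses and the `mx.example.com` server name are constructed, and the SPF/DKIM/DMARC results are assumed to be recorded by the receiving server; the page itself does not mention them.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.com"  # assumption: our own receiving server's id

# Constructed sample: spam "from yourself", relayed by an unrelated host.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=gmail.com
From: alice@gmail.com
To: alice@gmail.com
Subject: hello

body
"""

# Constructed sample: a message that really came through the From domain.
GENUINE = """\
Return-Path: <alice@gmail.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
From: Alice <alice@gmail.com>
To: bob@example.com
Subject: lunch

body
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """Map method -> result, reading only headers stamped by our own server."""
    out = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != TRUSTED_AUTHSERV:
            continue  # a sender can inject this header; ignore foreign ones
        for part in parts[1:]:
            method, sep, result = (part.split() or [""])[0].partition("=")
            if sep:
                out.setdefault(method.lower(), result.lower())
    return out

def triage(raw):
    """Return reasons to distrust the visible From address (signals, not a verdict)."""
    msg = message_from_string(raw)
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    auth = auth_results(msg)
    reasons = []
    if env_dom and env_dom != from_dom:
        reasons.append(f"envelope sender {env_dom} != From domain {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            reasons.append(f"{method}={auth.get(method, 'missing')}")
    sender = parseaddr(msg["From"] or "")[1].lower()
    if sender and sender == parseaddr(msg["To"] or "")[1].lower():
        reasons.append("From equals To (self-addressed)")
    return reasons
```

`triage(SPOOFED)` returns five reasons and `triage(GENUINE)` returns none. A differing envelope sender alone is common for legitimate mailing lists, so the mismatch is weighed together with the authentication results.
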
  37. Alex Chitu: Very funny, a Google worker trying to defend his service. Do you guys don't know how to fix the problem? Call Microsoft! I never received a spam in my Hotmail box from myself containing chinese spam links because that service doesn't have the same vulnerability (or bug as you wish) as GMail has!
    Andrew: It's a new and isolated different case that is occurring ONLY with GMail! It's not related to email spoofing in general. The fact is there is bug on GMail webmail service that allows people to spoof the "Sender Address" field and Google is not able to fix this issue.
    The funny thing is when I use a email client application and receive these chinese spoofed emails, the program is able to extract the correct "Sender Address" field from the header, instead of the spoofed one! This is for sure a problem on Gmail webmail that is not being able to handle correctly the emails headers.

  38. No, I get spam email from myself in yahoo so I don't think it's only with gmail.

  39. My best advice. Start executing those spammers. No trial, no law. No prison time as they will cost to tax payers. Simple plain execution or use them for human trials.
    I don't believe that "I didn't know local laws" reason. Yes, the lawyers represent them are also scumbags.

  40. Gmail should have a whitelist/blacklist of countries you can send and receive mail from.

    If the user only wants emails from the european union and USA, then it "filters" all other emails. Or how about users selecting to block emails from China?

  41. I hate spammers. I've got my gmail address Spoofed/Forged and I see no way around to get rid of this spammers. Too bad, gmail doesn't have any protection against this. It should be something like a fingerprint to authenticate your emails.

  42. I recently sent a complaint to abuse@google.com about forum spammers, 90% of whom are using gmail accounts. The email was sent a week ago, but so far there has been no response from Google. Here is the email:

    Is there something you can do to stop forum spammers from using your
    gmail email service?

    I get hundreds of bots / scripts / whatever trying to log on to a forum and some 90% of them are using gmail accounts. As you know, many of these spammers come from proxy servers, many are already listed in certain databases (www.stopforumspam.com, etc.). A lot come from Russia, China, Eastern Europe, Indonesia, Egypt, Netherlands, Germany, Luxembourg, Brazil, India.

    I have now started to use Apache .htaccess directives to block certain
    networks, but I may also have to block anyone using gmail.com. If I can block them, why is Google not blocking them from accessing gmail accounts?

    I look forward to hearing what can be done.

  43. Trouble is, most of them are not using gmail, simply forging a gmail address in their headers. While I agree there's problems with gmail and spam (see my previous posts), it would be a mistake to blame gmail for mass emails - it just ain't so.

    Personally, I use gmail because they are the best at identifying spam (I get very, very few in my inbox). My complaint is that they are doing little or nothing to stop spam in the spam box.

    And, rereading this thread, the one thing that is quite clear is that (a) Google does not read this thread or (b) they have given up the battle.

    Shame either way!

  44. Andrew, I agree with you. Even blocking gmail.com did not stop them! I don't have the time to properly analyse these spammers. Instead, I have disabled the online user registration function on the forum. This has finally stopped them. Anyone who wants to register is now directed to an email form where they can send a registration request to the forum administrator.

    Are you aware that Google is now talking to the NSA spooks? See this article:
    http://www.guardian.co.uk/technology/2010/feb/07/computers-future-cyberattacks-cloud-culture

  45. Thanks for that ... sadly, it's probably good news! I see that China has closed down a 'nest of hackers' too - with execution likely for at least three of them!

  46. I'm experiencing this at my site...how do I solve the issue?

  47. this user: kingleechilive@gmail.com

    is running spam email using this gmail account...please look into this account's activity
