Spamhaus: Google Now 4th Most Spam-Friendly Provider

Google's free services are being heavily exploited by spammers to redirect visitors to sites touting knockoff designer drugs and scams, according to the latest rankings from Spamhaus, a group that tracks unsolicited commercial e-mail.


Last month, Security Fix called attention to Microsoft's persistent ranking on Spamhaus's running list of the "Top 10 Worst Spam Service ISPs". Now that Microsoft has cleaned up its act, it appears the bad guys are moving on to Google, which is now ranked #4 on the list (#1 being the worst).

"Microsoft got rid of the bad guys, and off they went to Google, which is now hosting a lot of the stuff that was on Microsoft's domains," said Richard Cox, Spamhaus's chief information officer.

Other Internet providers, including Sprint and Verizon, currently round out the #8 and #10 slots on the Top 10 list, respectively.

According to Spamhaus, spammers are using Google Documents to host pages that redirect to rogue pharmacy sites. The anti-spam group also documents a number of Google e-mail accounts being used to further so-called "advance fee" or Nigerian 419 confidence scams.

A spokesman for Google said the relevant accounts indicated in the Spamhaus report as sources for 419 scams had already been disabled. The spokesman said Google also is aware of the Google Docs spam issue, and that it has begun "implementing improvements to minimize the impact of the issue."

By Brian Krebs  |  January 5, 2009; 6:25 PM ET
Categories:  Fraud , From the Bunker , Web Fraud 2.0  


Google has long been nonchalant about abuse originating from their systems. They are (have been?) flying a lot of their systems unsupervised, and are not responding to complaints at all.

Good for Spamhaus and Security Fix to highlight the problem.

Posted by: gorbachev | January 5, 2009 11:45 PM | Report abuse

Your article must have had some effect. Users on our antispam forum had set up a system for opening the spammed blog windows so that we could click the "report" buttons quickly, as it seems to take many, many reports before Google believes a blog is a problem. Suddenly, people found the links to be dead. We were wondering why until we saw your article.

Of course, it probably wouldn't require flashmob reporting if Google had some reasonable method of reporting, like being able to forward the original spams to an email address so they can see for themselves what the problem is. Having to click a button -- with no ability to explain the reason the blog is a problem -- is just stupid.

Posted by: AlphaCentauri | January 6, 2009 7:40 AM | Report abuse

Why would Google have systems to deal with this? All their applications are still in "beta", remember?

Posted by: hoos3014 | January 6, 2009 10:14 AM | Report abuse

Why would Google have systems to deal with this? All their applications are still in "beta", remember?

Then Beta apps should be banned from the internet if they promote criminal activity. If you're not prepared to deal with the possible problems that could occur from the beta apps then the public shouldn't be subjected to your junk. These problems are the result of poor programming.

Posted by: askgees | January 6, 2009 10:49 AM | Report abuse

So, practically speaking ....

what can a Verizon subscriber do to let Verizon know we want them to get their act together and clamp down?

Posted by: fendertweed | January 6, 2009 11:20 AM | Report abuse

Hoos3014 seems to be in beta him or herself, if he or she really believes that all Google applications are still in «beta». Take, for example, one not unimportant application - Google Chrome - which, if memory serves, was in beta for approximately three months, before being released to the general public (i e, not as a beta). For comparison, one might wish to ask how long Internet Explorer 8, which is getting pretty hoary by this time, is going to remain in beta ?...

This being said, there's no doubt that Google must get its act together and work to reduce the vulnerability of Google applications to being used for spam. While generally it is no 1 on a list, rather than no 4 that makes the headlines, kudos to Brian for covering this matter - let us hope that his blog inspires Google to do even more to bring this scourge under control....


Posted by: mhenriday | January 6, 2009 11:32 AM | Report abuse

Google FAILS as a search engine...

It seems over the last couple years google search has taken a downturn and yahoo an upturn. I am also surprised that for something so BIG in so many people's lives (Internet searches) that so little attention has been paid to the quality of search sites by the tech pundits.

Two issues about google (and other search engines less so).

1. Google indexes (captures) web content including ads (many are google ads). When you do a search you may end up with a result that includes the (captured) ad as content, but the ad has since gone (ads are temporarily on pages)... so much for search accuracy. Your search results are contaminated with old ads that were captured as content.

2. I searched this morning on google and the fourth link listed sent me to a web page of nothing but google ads on a parked domain web page. I looked into this and found out that google has teamed up with domain hosting companies to put google ads on parked pages... then google includes these pages in its database so when you search for X you get some X and some parked pages with google ads, which makes google and the domain company money but does little to help me.

Posted by: kkrimmer | January 6, 2009 4:34 PM | Report abuse

@kkrimmer: I'll tell you why people haven't switched to Yahoo, even though its results are sometimes better: the clutter on Yahoo's home page, and the preponderance of annoying ads that appear on all of the company's web pages.

Google's text ads are annoying, but they're less in-your-face than Yahoo's animated ads. Google's simple, clean start page is also much more welcoming than Yahoo's.

Unless Yahoo addresses these matters, they will never re-overtake Google as the place most people conduct their Internet searches.

Posted by: Heron | January 6, 2009 6:12 PM | Report abuse

In order to find the source of your spam in an E-mail open that message and then click on File / Properties / Details tab and then Messages Source. It will bring up the entire message and much of it is in HTML form. On about the fourth to 6th line will be a Safe pages E-mail server info. Within that will be the source of that E-mail and the actual IP that sent it. You then need to use the "WHOIS" feature on any of the services that cover the world. An easy start is from Network Solutions which handles the US IP info. I just use my mouse to highlight the entire message and then do a CTRL C to copy it. I then create a new Email message and Paste via Ctrl V the entire copied message into the new e-mail. I then do a WHOIS lookup of the source and look for the line that tells you where to send ABUSE messages. Most of them will be abuse@ and the administrator email address. I just ask them to shut down that IP. I then do a save of that message in my Spam Notices folder.

By the way the majority of the Spam E-mails have Embedded URL's that send you to a China IP. If the users of the entire E-mail world want to be serious about cutting back on spam and spoofed web sites it is real easy. All E-mail scanning programs will check to see if the message is in HTML. Many list servers don't allow HTML. After that just insert a CHECK IF to see if an HTML message has an HREF in it. If it does then mark the message as spam and delete it. In case you don't know it using an HREF allows a person to embed a URL into a message that is not the real URL or web site you wanted. It also is used to disguise the source of the message. The reality is most companies want you to know what their web site URL is so why hide it as an Embed URL. That will kill the majority of spam that spoofs web sites and gets the gullible users a break. This fix is up to you programmers out there.

By the way just yesterday I had Spam that was spoofing my web site E-mail and the source was an AT+T URL from PACBELL. When I tried to notify AT+T of it I found I could not find any way for me to send them a notice of an abuse problem so I would say that AT+T fully condones and allows the spread of all spam and information stealing web sites.

Posted by: cavman1 | January 6, 2009 6:56 PM | Report abuse
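
The two checks described in the comment above, done on the raw message source without rendering it, as an added example that is not the commenter's or the blog's code. It narrows the "any HREF" rule to links whose visible text names a different host than the real target; `TRUSTED_RELAYS`, `LinkAudit`, `analyze` and the sample message are assumptions made for illustration, and only the Received line written by your own mail server is reliable, since earlier ones can be forged.

```python
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hops inside this range are the recipient's own relays, so skip them.
TRUSTED_RELAYS = ipaddress.ip_network("10.0.0.0/8")
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
# Constructed sample message (documentation IP range, reserved .example domains).
RAW = b"""\
Received: from mx.rcpt.example (10.0.0.5) by mbox.rcpt.example; Tue, 6 Jan 2009 18:00:02 -0500
Received: from unknown (HELO mail.sender.example) ([203.0.113.45]) by mx.rcpt.example; Tue, 6 Jan 2009 18:00:01 -0500
From: "Your Bank" <support@bank.example>
Content-Type: text/html; charset=us-ascii

<p>Log in at <a href="http://login.phish.example/bank">http://www.bank.example/</a>
or read the <a href="http://www.bank.example/help">help page</a>.</p>
"""

# Collects links whose visible text names a different host than the href.
class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = "".join(self.text).strip()
            m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown, re.I)
            real = (urlparse(self.href).hostname or "").lower()
            if m and m.group(1).lower() != real:
                self.mismatches.append((shown, self.href))
            self.href = None

def analyze(raw):
    """Return (first untrusted sending IP, mismatched links) without rendering."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = [ip for hop in msg.get_all("Received", []) for ip in IP_RE.findall(str(hop))]
    origin = next((ip for ip in ips if ipaddress.ip_address(ip) not in TRUSTED_RELAYS), None)
    body = msg.get_body(preferencelist=("html",))
    audit = LinkAudit()
    audit.feed(body.get_content() if body is not None else "")
    return origin, audit.mismatches
```

The returned IP is the value to feed into a WHOIS lookup for the network's abuse contact.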

"what can a Verizon subscriber do to let Verizon know we want them to get their act together and clamp down?"

I'm not sure how Spamhaus and Verizon got to be on such bad terms. Maybe it's the Gevalia Coffee issue. (Gevalia is a notorious spammer, and Spamhaus wants Verizon to not only terminate their account, it wants Verizon to terminate the account of its parent, Kraft Foods.)

I took a look at the incidents Spamhaus is citing as reasons for listing Verizon in the top ten. Right away I saw one for a domain I had personally reported and which I knew was shut down with hundreds of others when HKDNR cracked down on spam domain registrations in June 2007. Verizon was cited because the domain was observed on a hijacked Verizon server. Since the domain is dead, unless Spamhaus knows of some other domains on the same IP, the issue should have been closed. And I'd been tracking that particular brand of spamvertised sites and looking up the IP addresses of the hijacked servers over the last year as part of Castlecops' SIRT program, and I had not seen any Verizon IP's come up during that time. So it looked like pretty stale news.

So I checked out the other listings. Without going into all the details here, there's no way Verizon would be on the top ten list if their listing were kept up to date. And in addition to Gevalia and Kraft counting as two issues, there are other incidents where a single spam was counted as more than one incident. So either Spamhaus is going out of their way to make sure Verizon stays numerically in the top ten (no matter how many other ISP's are tied for the same number of incidents), or else Verizon doesn't care what Spamhaus thinks and doesn't bother trying to get negative listings removed when they have been resolved. Probably both.

Posted by: AlphaCentauri | January 6, 2009 11:03 PM | Report abuse

In response to "Heron", your very detailed instructions assume the reader uses Windows and your same email program (Outlook?). The keystrokes you mention don't apply to those of us who choose Linux or Apple.

Posted by: koset1 | January 7, 2009 3:25 AM | Report abuse

@koset1: To what instructions are you referring? I believe you have me mixed up with cavman1.

@cavman1: There's one major problem with your instructions: Opening a spam message sends a signal to its sender that you've opened it, and you'll end up getting more spam since they now know your address is "live."

I asked BK about reporting spam to Spam Cop in a recent chat, and here's how the conversation went:

"Brian, is it safe to open spam messages in order to forward them to Spam Cop? Does just looking at a message open myself up to getting more spam, or malware? My husband thinks it is safer to delete the messages without opening them, but I say it's all right to open a message as long as I don't click on any of the links embedded in it. Who's right?

Brian Krebs: I applaud your dedication to doing your part to fight the battle against spam, but the truth is that your husband is probably right on this one. In all likelihood, it's probably safe, but is it really not worth it?

Especially if whatever you use to read your email is set up to display HTML automatically, as HTML can include code that downloads content from other sites. This content may do nothing more than let the spammer know they found a live one, or it may try to download malicious content.

In any event, don't be a hero. It's generally best just to delete it."

I wish there were a way to forward spam messages to an ISP or spam reporting agency without having to open the message.

Oh, and BK: Why isn't there a direct link to a list of all of the live discussions offered by the WaPo on its home page? It'd make them much easier to find. Having to click on "News," then "Discussions" to pull up the list simply isn't intuitive, in my opinion. Thanks.

Posted by: Heron | January 7, 2009 10:19 AM | Report abuse

Hi Heron. In answer to your question, there IS a direct link to the archive of Security Fix Live Online chats directly from this page.

Look on the left hand side, the second link under the Related Links box. "Security Fix Live: Web Chats."

I realize it's a bit easy to overlook. We're getting close to a blog redesign to make stuff like that more intuitive to find, so hopefully that will help.

Posted by: BTKrebs | January 7, 2009 10:23 AM | Report abuse


Yes, I know about that link. But wouldn't it make sense to have a direct link to a list of discussions on the WaPo home page as well? I'm looking at this as someone new to the site might view it, not as an experienced WaPo blog commenter. If more "newbies" were able to find such a list more easily, they might be more likely to take part in your live chats. Do you see where I'm coming from?

I'd send a suggestion about this via the "Contact Us" link at the bottom of the home page, but I know I'd just get a boilerplate "thank you for visiting our page" answer in reply. So, I thought I'd post the idea in here instead. If there's a better way to submit ideas like this, please let us know. Thanks for reading.

Back to the subject at hand: the post on the Times' Bits blog about Google today ("Google Trends Falls Victim to Disturbing Stunt") is an eye-opener! Are you going to cover that?

Posted by: Heron | January 7, 2009 10:58 AM | Report abuse

We have only ourselves to blame for believing Google is the be all, and end all. They are just a bunch of humans just like the rest of us, and young ones at that. People can miss things. Anybody see a better option?

Posted by: mymymichl | January 7, 2009 3:34 PM | Report abuse

"I wish there were a way to forward spam messages to an ISP or spam reporting agency without having to open the message."

@Heron: MailwasherPro is designed to allow you to view email in text view on your server, so no remote content loads and no javascript runs. No one will know you opened the email, and any malware remains harmless, though you won't see the pictures. It also allows you to forward all the spam in your inbox to spamcop in one click. That might be what you're looking for.

Back on topic: A number of antispam volunteers has been coordinating efforts to report these Google docs spams. Google can see the links that are still alive here:

The volunteers have done the hard work, and Google's paid staff ought to be able to delete these promptly. Yet despite multiple reports, they live on.

More importantly, Google needs to develop systems for identifying other postings based on the patterns of known spam. It's important to remove spammed documents, but even a few hours survival can make it profitable for spammers. Google has to remove them before the first spam is sent, and they need to continue to do so long enough for spammers to give up and move on. Already the spammers have had enough encouragement that they will be sending spam with dead links long after Google gets the problem in hand.

Posted by: AlphaCentauri | January 7, 2009 5:32 PM | Report abuse

@AlphaCentauri: I'll take a look at MailwasherPro. Thanks for the tip!

It looks like Google has grown complacent, and is ripe for search engine competition.

Posted by: Heron | January 7, 2009 6:35 PM | Report abuse

We also see this a big issue for forum spam on our company's website so much were we have had to block out

Once they get that corrected with Google, I'm sure it will just bounce to somewhere else. Very cat and mouse.

I think most personal email has moved to social networking these days though.

The best choice is a good spam filter like




But that's still no real cure as it looks like things are back up to volume since MyColo was knocked offline last year

Posted by: starburst1199 | January 8, 2009 4:34 PM | Report abuse

This is no surprise. It affects multiple Google properties, including this recent spam attack on Google Trends- and the continuing abundance of spam within Google Groups - and
For a company so bent on stopping spam from appearing in their search results, they need to be putting some resources into managing their internal properties.

Posted by: Pavlicko | January 9, 2009 1:49 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company