news
Spammer Abuse of Free Google Services
Over the past year, Spamhaus has noticed a surge in spam that abuses free resources belonging to Google. This is becoming a serious concern, because a significant and growing amount of that spam is avoiding use of IP addresses and domains belonging to spammers....
Over the past year, Spamhaus has noticed a surge in spam that abuses free resources belonging to Google. This is becoming a serious concern, because a significant and growing amount of that spam is avoiding use of IP addresses and domains belonging to spammers. Instead, it deliberately uses legitimate users at Google to prevent blocklists from listing the IP addresses and domains used in this spam. In other words, these spammers are using Google's users as human shields to force their unsolicited and unwanted bulk email on recipients.
The abused resources of most concern to Spamhaus are:
- Google outbounds. A large and increasing amount of spam email is sent directly through Google's shared outbound servers.
- Gmail dropboxes. A large percentage of all dropbox email addressess used in the Reply-to: headers and message bodies of spam are free email addresses at Google's GMail service.
- Gmail senders. A considerable amount of spam is sent from free webmail accounts at Google Gmail.
- Google Groups. Spamhaus has identified several large spam operations that send spam partly or entirely through purpose-created groups at Google Groups.
- Google Docs, Drive, and Forms. A large amount of spam, including malware and phishing spam, contains URIs that point to content hosted on Google Docs, Google Drive, and Google Forms.
A few resources exist to filter this spam. The Spamhaus Hash Blocklist (HBL) is available to customers of Spamhaus Technology corporation. (See further information on the HBL here.) There are a few other blocklists that offer hash-based blocking of email addresses and URIs. Several spam filters, including rSpamD, provide their own internal signature-based protection as well.
However, most of the tools to block spam sent through major webmail providers such as Google rely on content filtering. Content filtering is inherently error-prone. It will miss spam unless the filters are extremely carefully and aggressively maintained, or will catch legitimate email (cause false positives) if the filters are too aggressive.
Spamhaus reports some of this spam to Google, and sometimes the problem spam stops or resources are taken down, especially if they involve malware or phish. However, the spammers usually just create new free services and resume spamming. Although this blog is about Google because its size makes the problem larger there than on other major webmail and hosting sites, the same issues apply to Microsoft, Yahoo, and other such services.
Spamhaus also specifically researches and shares URIs that point to malicious content with industry groups that focus on malware, fraud and other criminal activities on the Internet. In addition, the Spamhaus SBL team creates some informational (non-blocking) SBL listings for IP addresses at Google and other free providers that are used in criminal or particularly aggressive, high-volume spam to notify Google and users about that spam.
A ROKSO is now live for the largest and longest-lived of several spam operations that send spam through Google Groups. SyedsMarketing, one name (and, we think, the primary name) of this spam operation, has been on Spamhaus radar for many years. It switched to spamming through Google Groups a few years ago, but has decade-old SBL listings. In addition to information about the business, the ROKSO contains lists of Google Groups and Gmail email addresses used in this spam. Spamhaus has been able to list certain IP addresses and URI domains in SyedsMarketing spam in the SBL since SyedsMarketing moved to Google Groups. However, it cannot list the sending iP addresses or domains because those belong to Google, not SyedsMarketing, and are used by large numbers of innocent, non-spamming users.
Spamhaus hopes that the lists of Google Groups and GMail addresses in the SyedsMarketing ROKSO will be of use in blocking spam, or helpful to Google to identify and remove the spam accounts and resources from their network.
As new resources and information become available from Spamnaus, they will be announced in news releases or blogs on the Spamhaus website.