Google Docs Hosts Viagra Spam

We’ve certainly seen a lot of spam come out of the Google mail servers in the past, and now we’re seeing even more spam content hosted by the popular Google Docs applications as well.

Emails typically have simple subject lines, with intentional misspellings used as an attempt to evade spam filtering.

Examples include:

  • Subject:      We ship direc7 to you
  • Subject:      From Canada4t5 you
  • Subject:      all medic6tions ar3 on S3le
  • Subject:      ricrac7 sue
  • Subject:      See 2uge dis64unts now

The content of the spam emails usually contains not much more than a link to Google Docs or Google Sites with perhaps some added random characters, again in hopes of getting past spam filters. Messages look like:

KL120es85B3cLEWHiHA32G8Q2u8pc42

https://doc.google.com/edit?id=dczqmmds_28gbn5h7d2

and,

KAcKi8oUgAi7nOxu86uvm8Yegaf0Er4E1GzI1eUQPra53IT0l1FIEusa2Y

https://doc.google.com/edit?id=dcqttkwh_29hnhttjgj

Get your Discoun8ed med8cations with us

and,

Canad1an medications are cheaper

https://doc.google.com/View?id=dhq46zh9_29fdpzxfg7

and,

http://sites.google.com/site/fov09xnm2ka/jled4t

and

M8AK5QV7U3euzODtOjku62D42M6ypV0y8UOoL1aB02yt7e3820Orv6x

https://doc.google.com/edit?id=dpzh7dd_31cbrv9kf5

Stop by and 8ave
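The traits described above (digit-substituted subject, random filler line, a link to a Google-hosted page and little else) can be checked mechanically. The following is an added example, not code from the original post; the function names, the threshold and the pairing of one sample subject with one sample body are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts that appear in this page's sample links, plus docs.google.com.
HOSTED = {"doc.google.com", "docs.google.com", "sites.google.com"}
URL_RE = re.compile(r"https?://\S+")
# A short word mixing letters and digits, e.g. "direc7" or "dis64unts".
MIXED_RE = re.compile(r"\b(?=\w*[A-Za-z])(?=\w*\d)[A-Za-z\d]{3,14}\b")
# A long unbroken alphanumeric run: the random filler lines.
FILLER_RE = re.compile(r"\b(?=\w*[A-Za-z])(?=\w*\d)[A-Za-z\d]{20,}\b")

def analyze(subject, body):
    """Return which of the page-described traits one message shows."""
    reasons = []
    if MIXED_RE.search(subject):
        reasons.append("digit-substituted subject")
    urls = URL_RE.findall(body)
    hosts = {(urlsplit(u).hostname or "").lower() for u in urls}
    if hosts & HOSTED:
        reasons.append("link to Google-hosted page")
    rest = URL_RE.sub(" ", body)          # text left once links are removed
    if FILLER_RE.search(rest):
        reasons.append("random filler token")
    rest = FILLER_RE.sub(" ", rest)
    # "Not much more than a link": few real words remain (8 is an assumption).
    if urls and len(rest.split()) <= 8:
        reasons.append("near-empty body")
    return reasons

def is_suspect(subject, body, threshold=3):
    """No single trait is decisive (a Docs link alone is normal mail)."""
    return len(analyze(subject, body)) >= threshold

# Sample taken from the examples on this page; the pairing is constructed.
SPAM_SUBJECT = "We ship direc7 to you"
SPAM_BODY = ("KL120es85B3cLEWHiHA32G8Q2u8pc42\n\n"
             "https://doc.google.com/edit?id=dczqmmds_28gbn5h7d2\n")

if __name__ == "__main__":
    print(analyze(SPAM_SUBJECT, SPAM_BODY), is_suspect(SPAM_SUBJECT, SPAM_BODY))
```
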

Each of these “Google Doc” sites loads a simple page that actually contains the “Spam” payload, primarily pushing Viagra, Cialis and other ED medications.

The Google hosted spam pages themselves are pretty boring in content as each is only intended to redirect the spammed recipient to the actual web sites that are selling the products.

Examples of the Google hosted spam messages:

Google Docs Hosted Spam

and

Google Sites Hosted Spam

These examples of spam content hosted by Google redirect to sites such as:

  • http://healthproductstabletsonline.net/
  • http://oxygenread.com/

Google's Healthproductstabletsonline Viagra Spam

and

Google's Oxygenread Viagra Spam

While the hosted landing pages on Google are disposable, the spammers’ main sites can stay up for quite some time, which has two implications:

First, from the spammer’s perspective, using Google sites and docs to host and redirect visitors is an ideal solution.

  • This tactic keeps their actual web site addresses (URL) out of the spam emails, which greatly increases their delivery rates.
  • If and when one of these Google hosting pages is taken down (as the examples above likely will be after we publish this) they can simply substitute new Google pages.
  • Meanwhile, the actual web sites selling the spammed products remain completely uninterrupted.

Second, from Google’s perspective it should be trivial to stop this practice because each of the hosted pages contains links to known spammer web sites.

Given the volume and consistency with which spammers use this tactic, it’s clear that stopping their hosting of spam isn’t much of a priority for Google. That might sound harsh at first, but consider that Google has the technology to:

  1. Constantly scan, organize and rank every page, image and file on the entire Internet, all in real time.
  2. Read, analyze and interpret every single inbound and outbound email they host throughout their entire network so they can aim targeted advertising to their email users.
  3. Scan, organize and analyze documents on any computer via Google Desktop.
  4. Analyze images through Picasa.
  5. Read books through its virtual library program.
  6. Etc., etc., etc.

Plus, they’re one of the richest companies on the planet, but we’re supposed to believe that they can’t analyze their own Online Docs looking for obvious links to known spam sites like “healthproductstabletsonline.net” and “oxygenread.com” and remove the docs that link to them?

Maybe Google intentionally ignores the problem because it actually drives traffic to their own sites?

Or, maybe they turn the other cheek because there is no way to generate ad revenue from addressing the issue?

Who knows, perhaps they don’t mind enabling spammers because it makes it easier to sell upgraded spam filtering services to their hosting clients?

Whatever the reason, they’re clearly and continually allowing and enabling spammers to not only hide, but to thrive.

For abuses within Google Groups, see:

http://blog.onlymyemail.com/you-have-received-a-greeting-card-virus/

Updated 10/8/2010

Here’s another example:

Subject: <Name Redacted> refill information

From: www ClientMeds.com <weniberasu@hotmail.com>

Refill Alert
Patient Information:

•Name Redacted
•Number Redacted
•Address Redacted
•City Redacted
•State Redacted
•USA

Instant Refill here Fill Date: Nov 2nd
NEWS

We are shipping to all states.

PRODUCT CHANGE

We have added many new medications to our product line You can browse our new product line here

Update in shipping

Some changes were made on certain products with shipping
With our new arrival of many new products our shipping policy has changed, please read the update when visiting the site

Refill PolicyFresh New look return customers only

We have put together this new refill site, for returning customers, you are not required ot login with your previous login details, place a new order, and upon placing a new orders, our system will automatically detect your status, and give you a new special REFILL customer ID, which you can use from now on to take advantage of our new product line.

Follow here to place your next order with us

Always remember to double check your order information before placing an order

QUESTIONS

Contact us via the website, if you have any questions or concerns.

Client Refill Network

This one looks pretty legit. The email is well formatted and they have tons of information about the recipient. It’s possible that this recipient has done business with them, however, the information is not passed to the web site when any of the links are clicked which makes this seem more generic. Maybe they just bought a good mailing list.

The links in this message go to the following URLs:

http://www.google.com/url?q=https://docs.google.com/document/pub?id=10wQWK9EhkkpmktKw9qmcN3mrmiW7d60fx5xGNSU16U0

http://www.google.com/url?q=https://docs.google.com/document/pub?id=1cx_NV2pizkozbzByoJKh-1iUUAmt3JyDWJQh1jZ73Kc

The most notable thing here is that they’re using two different misdirection techniques that may or may not be redundant.

  1. First, a link of the form google.com/url?q=https://another_url.com used to just redirect you to the supplied URL. Testing this just now with a non-Google Docs URL got us a redirect notice.
  2. Hosting your spam site on Google Docs allays suspicion because people don’t expect spam on Google Docs.

We’re not sure why they used both of these together. Maybe the spammer thinks people are less likely to trust Google Docs sites so they’re using the redirect trick. Maybe Google takes longer to detect spam sites that are referenced by Google URL redirects. Maybe they just like the irony of using Google to redirect to a spam site hosted by Google. (Google doesn’t warn about redirects to Google Docs BTW.)
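For filtering, the practical consequence is that a link has to be unwrapped before its host is judged. The following added example (not code from the original post) peels google.com/url?q= wrappers offline and reports whether the final target is a Google-hosted page; the function names, the depth limit and the sample URL with its placeholder document id are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECT_HOSTS = {"google.com", "www.google.com"}
HOSTED = {"doc.google.com", "docs.google.com", "sites.google.com"}

def unwrap(url, max_depth=5):
    """Peel google.com/url?q=... wrappers without any network access.

    Returns the chain of URLs, outermost first. parse_qs percent-decodes
    one level per step, so nested and encoded wrappers are handled too.
    An unencoded '&' inside the inner URL would truncate it at that point.
    """
    chain = [url]
    for _ in range(max_depth):
        parts = urlsplit(chain[-1])
        host = (parts.hostname or "").lower()
        if host not in REDIRECT_HOSTS or parts.path != "/url":
            break
        target = parse_qs(parts.query).get("q", [""])[0]
        # Only follow absolute web URLs; anything else ends the chain.
        if not target.lower().startswith(("http://", "https://")):
            break
        chain.append(target)
    return chain

def final_host(url):
    """Host that should be checked against reputation data."""
    return (urlsplit(unwrap(url)[-1]).hostname or "").lower()

def hides_hosted_page(url):
    """True when a redirect wrapper leads to a Google-hosted document."""
    return len(unwrap(url)) > 1 and final_host(url) in HOSTED

# Constructed sample in the shape of the links above (placeholder id).
SAMPLE = ("http://www.google.com/url?q="
          "https://docs.google.com/document/pub?id=EXAMPLE_ID")

if __name__ == "__main__":
    print(unwrap(SAMPLE), hides_hosted_page(SAMPLE))
```
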

Whatever the case, please don’t buy from these people. It only encourages them.

- -

OnlyMyEmail is an award winning hosted spam filtering service and business email hosting provider. Our enterprise cloud computing anti-spam solution, the MX-Defender, has the highest capture rate of any spam filter ever tested in the VBSpam Challenge, blocking a record setting 99.9993% of all malicious and junk email.

Our Personal spam filtering system is also a Software as a Service (SaaS) solution and has won both the PC World "World Class Award" and also the PC Magazine "Editor's Choice Award."

OME-Kids is a webmail solution that protects children from spam and other harmful emails. OME-Kids offers unique Parental Controls that allow you to choose the level of security and oversight that's right for your child.
