Spammers Choose GMail

EdwardLAN writes "A study by Roaring Penguin has discovered that during the past three weeks, the amount of spam originating from Gmail has risen sharply." My spam has been pretty ridiculously high for the last few weeks, although I have no idea if this is part of it. It really does seem like gmail's spam filters are declining these days.

Invite-Only

[Anubis_Ascended]

Maybe they should have just kept the system invite-only, instead of opening it up to everyone -- that would help, the way I see it.

Re:Invite-Only

[betterunixthanunix]

It's still in beta. Bugs like massive amounts of spam originating from the service are bound to turn in up in beta software.

Re:Invite-Only

[damuhatori]

Maybe they should have just kept the system invite-only, instead of opening it up to everyone -- that would help, the way I see it.

Sure that would help, but it would mean less ad views for Google.

Re:Invite-Only

[funaho]

Two years of beta in the OSS community isn't unheard of. Wine was in an alpha/beta state for what...16 years?

Re:Invite-Only

[dontmakemethink]

Wine was in an alpha/beta state for what...16 years?

It took forever to work out the tannins...

Gmail's spam filters

How does spammers creating gmail accounts to send spam from imply that gmail's spam filters for inbound mail are declining? (if that is indeed what the summary is supposed to say).

Re:Gmail's spam filters

[HardCase]

Now listen, if you've waited this long to complain about Taco's reading comprehension skills, you're way too late to get into the game.

Re:Gmail's spam filters

[spikedvodka]

I find it interesting that gmail's spam filters are in-bound only (If that is in fact the case [citation needed])

on the e-mail system I run, every message gets sent through our spam/virus-detection system. I don't care if it's inbound, or outbound, it gets scanned. period.

yes my site is much smaller than gmail, but still... isn't the first rule "Don't trust the users!"?

Re:Gmail's spam filters

[gravis777]

I definately agree. I have had no issue with increased spam in my inbox, and as I never check the spam box, I cannot say one way or the other. Me getting one or two spam messages in my inbox every couple of weeks does not say to me that there is an issue with their spam filter.

Re:Gmail's spam filters

[TheSeventh]

I've often wondered this as well. Why not put sending limits on accounts, plus spam check outgoing mail? An account is used to send spam? disable it (permanently or temporarily.)

I also think ISPs should be forced to do this. If they have a customer who sends massive amounts of email, they should have to investigate the nature of those emails. If they have an IP that is sending out spam, disable that customer's account until the problem is fixed. It would really disrupt a botnet if every time they acquire control of a new computer, the ISP shuts down the connection.

The ISPs claim that P2P software takes up too much bandwidth, but what about all of the spam and other botnet activities?

Re:Gmail's spam filters

[bds1986]

I love Slashdot. One minute everybody is all pro net-neutrality, and insisting that ISPs shouldn't prioritize or monitor customer traffic because it's none of their business what someone does with their connection. Then somebody mentions the word spam, and all of a sudden the attitude turns completely around and ISPs should be held responsible for customers private communications and behaviour on the internet. Kicking people off the net is fine, as long as you're only breaking spam laws. But kicking people off the net for breaking copyright law is bad, how dare those evil corporations!

I'm not necessarily expressing an opinion either way, I just think it's interesting.

Re:Gmail's spam filters

[KlausBreuer]

Actually... I think (even ;) Slashdot is right on this one.

ISPs should not check your email. It's noe of their damn business.
ISPs should check to see if you're generating an excess of emails, slowing the net down for everybody (hey, over 80% of email traffic is spam).

Thus, yes, even I would allow them to have a look at email contents if the amount of generated emails exceeds a certain (very large) amount.
However, they are most certainly not allowed to check the content every time, (even if) looking for spam or the usual eeeeevil terrarist.

One thing Google could do about incoming spam...

[tgd]

Half of the spam I get on my gmail account that actually gets past the filter is in some language other than English... in fact its almost always in Cyrillic as well.

Give me a damn drop down that says "I speak English, anything not in English is not to me".

Won't solve their outgoing problem, but adding "this is my language" support would be a big help on the incoming, at least with my spam patterns.

Companies blocking Gmail?

[mgkimsal2]

The IT staff at my dad's company blocked all communication with Gmail servers a few months ago, on the grounds that it was 'insecure'. Locking down an MS shop (XP/Exchange/etc) from the 'insecurity' of Google (while still accepting hotmail.com emails) still strikes me as a bit odd, but I've been hearing more reports of lax Google security with respect to spam/spammers. Perhaps they (dad's company) were on to something?

Anyone else having issues with people blocking Gmail?

Re:Companies blocking Gmail?

[mgkimsal2]

MS takes security seriously? Perhaps nowadays, but that's a relatively recent trend (last few years), and they've got a lot of mindshare to win back on that score.

If you're going to adopt a policy re: mail, blocking all webmail accounts would make more sense than *just* gmail, especially making that policy months ago. There was more evidence to point to spam originating from compromised Windows boxes than from Gmail.

What the heck does Google Docs have to do with this conversation? But I'll bite anyway... You really think *security* has anything to do with why Google Docs hasn't taken off in the corporate world? Nothing to do with requiring people to be connected (increasing bandwidth costs) and having to use browsers to do work they weren't meant to do (document editing)? No, Google Docs simply can't replicate the functionality corporate workers need right now. Maybe some day it will, but I'd say it's far more likely functionality is keeping it out of business rather than security.

Re:Companies blocking Gmail?

[Noexit]

Taking his mom was the first mistake.

It's still not much of a problem

[stinerman]

I've got maybe 3 a week, which is up from the normal of 1 per month, but it's not really too big of a deal.

IIRC, marking an email as spam or moving the message to the spam folder (if you're using Gmail's IMAP function as I am) helps to train the filter.

Why not apply spam filters on outgoing messages?

[mgkimsal2]

Gmail used to be touted as the best spam filtering service. Certainly it's good, but apparently they only feel the need to filtering incoming messages. Why not filter outgoing messages as well? Can't quite be a CPU problem, because outgoing has be be just a small fraction of incoming, right?

Is it just tradition? People never expect anything they send to ever have anything done to it? Google could set another precedent in webmail by introducing outgoing filters which would block or slow down mail appearing to be 'spammy'.

Re:One thing Google could do about incoming spam..

[Kadin2048]

Yeah I've thought the same thing, too. It wouldn't be that hard to filter. You could just select a charset (like Latin-1) and if less than 90% of the characters in a given message aren't representable in your chosen charset, automatically kill it. That wouldn't require figuring out the actual human language it was written in; it's a pretty trivial automatic test.

It's a big problem for gmail users!

[argent]

It's the outgoing spam from Gmail that's the problem, not the incoming spam, and there's been messages on the Gmail forums about Gmail servers being blocked for spam. If Google doesn't do something about it, then Gmail accounts will end up "read only".

And having Google themselves impose outgoing spam filtering is something else to worry about, if you're a Gmail user.

Google Groups

[Yusaku+Godai]

I haven't noticed any particular trouble with spam originating from Gmail, and Gmail has still been pretty good at filtering most of my spam.

But if you really want Google to do something about spam, go after them for their negligence on google groups. They've allowed the service to become almost unusable due to the amount of spam they allow through. For actual Google Groups it's not a big problem, but for USENET groups it is. Most people on USENET are just dropping anything coming from Google Groups outright. Any legitimate posts from Google Groups are considered an "acceptable loss" given the amount of godawful spam they allow through. It really cheeses me off that Google won't do something about it.

Re:Google Groups

[Lincolnshire+Poacher]

> Most people on USENET are just dropping anything coming from Google Groups outright.

Google Groups is well overdue for an active Usenet Death Penalty; in my opinion it is the only sanction which will make them take note. It was sufficient to bring Erols and UUNet to their senses. ( There is a conspiracy theory that Google is deliberately flooding Usenet; a UDP would disprove this in addition to forcing action ).

Similarly, widespread blacklisting of Google Mail may be the only means of controlling the huge increase in spam. At present, a few individuals and companies are blacklisting but this is inadequate to make Goliath pay attention.

Real summary: spammers have cracked the CAPTCHA

[argent]

The summary implies that there's something wrong with the GMail spam filters. Actually, the problem is with the GMail spammer filters... the CAPTCHA.

Also, both Google and spammers are being overly complacent about people blocking GMail:

spammers also find Google attractive because of their strong reputation, which makes it highly unlikely the gmail.com domain would ever be blacklisted.

Actually, several sites have blocked Google SMTP hosts that show large spam outflow (it seems to be specific hosts, as if specific accounts are allocated to specific servers or clusters of servers). Including, and I know the irony is thick enough to cut with a knife, MSN Hotmail. There have even been a number of posts to Google's help forums complaining about mail not being sent because Google servers are being blacklisted.

Re:One thing Google could do about incoming spam..

[tgd]

Yeah thats why I mentioned the Cyrillic thing.

In reality doing it via language matching should be pretty trivial. I'd hazard a guess if you had a list of 30 languages and you pulled out the top 50 most common words in each language you'd probably have near 100% success in detecting the primary language in an e-mail. I'm sure an algorithm either purely based on that word set or based on a larger dictionary choosen based on that matching could be done to determine with a very high confidence what language an e-mail is in and if there's more than one or two languages in it.

They also know my white list of contacts. In my case I'd bet 90% of my e-mail comes from them so those can be immediately put in the inbox, reducing the number that need to be scanned at all.

Re:No spam for me.

[Chrisq]

Good I'm safe... It just asked for my credit card number.

Re:One thing Google could do about incoming spam..

[jeiler]

CAPTCHA is broken: it's not just various implementations that are compromised, but the entire theory.

Spew from an unblockable

[redelm]

However warped or rapacious, spammers are not stupid. They think that GMail is an unblockable address and its mail will get through. They want their "messages" to get through, so they will use it.

Perhaps the GMail mailadmins will try to stop some, but they probably won't get it all. And they too will rely on GMail being "too big to block" for most mail recepients.

This just highlights how the burden of anti-spam efforts often gets transferred to legitimate email senders by simplistic blocking. The unacknowledged false-positive problem. I have seen these come to a sudden stop when the company loses an important order because it false-positived the prospect.

Re:One thing Google could do about incoming spam..

[antifoidulus]

Google already does that for their ads. I'm an American living in Germany who also has friends in Japan that I coorespond with in Japanese. I get ads in English, German, and Japanese(in fact I get ads in Japanese offering to teach me English and/or German....) so if they can determine the language for the ads, then they should be able to use it for spam.... at least if you get an email in a language that isn't in your outbox it should trigger something..

Require digital signing; people will catch on fast

[betterunixthanunix]

Here's a quick way to solve the problem: require digital signatures for "important" emails. Want to sign up for Facebook? Digitally sign your reply to the "verify" email. It is quick, effective, and people who don't know what signing is will catch on really fast.

Re:The usual slashdot response to..

[ricebowl]

bad news about Google will be: *insert fingers in ears* NA NA NA NA NA NA NA NA NA! I can't hear you! NA NA NA NA NA NA!

When has that ever been true? From what I can tell from reading the comments to most Google stories, certainly in the past six months, the groupthink seems to be more along the lines of cynicism and criticism. I can't recall any company that gets unanimous praise regardless of its actions. The opposite used to be true, that scorn was heaped onto some companies regardless of their actions (Microsoft is probably the most obvious target of that group-disgust), but even that seems to be waning, there's still the hard-bitten MS-haters, but the view seems to be more balanced and critical these days.

Even the Mac fanboys aren't quite so unfettered any more.

Google should hire hit squads

[spidercoz]

Start assassinating some of these fucking degenerate spammer asshole motherfuckers and watch the junk disappear. Seriously, these cocksuckers need to be burned at the stake. Blackwater would prally do it.

Re:Google should hire hit squads

[Animats]

Blackwater would probably do it.

There's something to be said for this. Many of the major spammers have been identified (see ROKSO). The anti-spam community needs "boots on the ground" to do something about them. There are private companies in that business. Blackwater is one; Kroll is another. Spammers today are part of larger criminal enterprises, which makes them vulnerable to private investigators.

I wrote the release...

[dskoll]

Well, I did this study and our results are here.

We in no way imply that Gmail's inbound spam filtering is bad. It's probably excellent. It's just difficult or impractical for Google to filter outbound mail without either human review or complaints because of false-positives.

What we're saying is that spammers are trying to evade IP reputation systems by hijacking organizations with good reputations or which would be impractical to block. There will be a CAPTCHA-cracking arms-race, but unfortunately I think the system will reach equilibrium with spammers quickly breaking CAPTCHAs and continuing to abuse free e-mail systems.

The real issue: Gmail considered secure

[scorp1us]

With most big name email players like gmail, yahoo, etc, now using DomainKeys, the value of having an email address on any such system has skyrocketed. Gmail addresses are also usually even more respectable addresses. So being on gmail and a getting through because DomainKeys work makes it is a privileged domain.

What the proper response should be:

1. Gmail makes signing up harder
2. Gmail scans all outgoing mail (and between its own servers)
3. mail receivers don't skip the spam screening even if there is DomainKeys

What should really happen is SenderKeys, which augments DomainKeys. You will get your own domain key when you can become "verified" like at Ebay and elsewhere. SenderKeys is implied by DomainKeys.
 

Re:CAPTCHA is broken

[javilon]

Well, as you increase the level of intelligence meeded to go through the CAPTCHA, you start to leave humans out. And this only gets worst as CAPTCHA breakers get better and better, so in that sense, the CAPTCHA is broken, and also in that sense, we have artificial intelligence that is at least as good as the worst humans.

Re:One thing Google could do about incoming spam..

[maxume]

Spelling checkers is not the compete salutation.

Re:Actual Origin? Don't blame service provider.

[dedazo]

the continued failure of M$ to protect their customers

You linked to the usual "time to pwn" stories, but the reality is that botnets grow nowadays by means of email attachments. Very few (that I know of) trojan attacks are over remotely-exploited vulnerabilities, with patches or not. You are implying that botnets are created when unsuspecting Windows users install nine-year old copies of an unpatched operating system. That's not true, is it?

The previous wave of trojan attacks (with those "admirer has send you a message" subjects) grew botnets dramatically, I think. How do you account for that? Sobig is the fastest spreading trojan ever, and it requires user interaction to infect a machines. It's a proven fact that infections are spread thanks to vulnerabilities with available patches. How do you account for that?

How is that a "continued failure" of "M$" to protected their customers again?

If your Windows machine is in a botnet herd, you probably did something you shouldn't have, or failed to patch your machine. Even the actual remotely-exploitable vulnerabilities like Blaster have had patches available a month before the exploits were seen in wild.