Google's Picasa and Yahoo! Groups used to spread spam


One of the most effective techniques anti-spam products have to block spam messages from reaching your inbox is reputation filtering.

Yes, to a degree, anti-spam solutions may still look for v1@gr@ and Mrs. Gaddafi offering you $40 million, but the biggest bang for your buck comes from reputation.

What do you do if you are a spammer? Figure out a way to get a legitimate mail provider to deliver your messages for you...

Picasa Web Albums spam

Here is an example. You can see I have received six emails, all from "Picasa Web Albums" offering me some very spammy subjects. How do they do this? They are simply creating bogus accounts on Google Picasa, uploading a photo of their product, then "sharing" this photo with a personalized spammy message.

Even worse is the abuse of Yahoo! Groups. It has been standard practice for many years that mailing lists require you to confirm you want to subscribe.

Yahoo! Groups seems to have a mechanism built for the convenience of spammers: the ability to add anyone to a group without their permission. Here is an example invitation from a spammer:

Yahoo! Groups spam invitation

Upon receiving something like this you might think you could safely ignore it and not be subscribed. Instead, when you read the fine print, it explains that you are already subscribed to this group and have to opt out to stop receiving messages.

Every time the spammer wants to reach you he can now depend on Yahoo! to send his message with a valid DKIM signature and valid SPF records, successfully evading reputation-based spam filters.

Yahoo! Groups spam messages
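Why sender-domain reputation is not enough here, as an added example that is not part of the original article: once SPF and DKIM pass for a platform that relays user content, this sketch keys the decision on the `List-Id` header and a local opt-in record instead of the domain. The host names, list names, opt-in set and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.recipient.example"       # assumption: our own border MTA
SHARED_PLATFORMS = {"groups.example"}           # assumption: hosts relaying user content
CONFIRMED_LISTS = {"book-club.groups.example"}  # assumption: lists the user opted in to

def trusted_auth(msg):
    """Collect spf/dkim verdicts and the DKIM d= domain, but only from
    Authentication-Results headers stamped by our own MTA."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # header supplied by another party: do not trust it
        for key, val in re.findall(r"\b(spf|dkim|header\.d)=([\w.-]+)", rest, re.I):
            out[key.lower()] = val.lower()
    return out

def classify(raw):
    """Decide which reputation key applies to one raw message."""
    msg = message_from_string(raw)
    auth = trusted_auth(msg)
    if auth.get("spf") != "pass" or auth.get("dkim") != "pass":
        return "unauthenticated"
    if auth.get("header.d") not in SHARED_PLATFORMS:
        return "score-by-domain"  # ordinary sender: domain reputation applies
    # Shared platform: the domain's good name says nothing about this sender,
    # so fall back to the list identity and whether the user ever opted in.
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    list_id = m.group(1).lower() if m else None
    return "confirmed-list" if list_id in CONFIRMED_LISTS else "unconfirmed-list"

def sample(authserv, domain, list_id):
    """Build a constructed test message (not real captured mail)."""
    return (f"Authentication-Results: {authserv}; spf=pass smtp.mailfrom={domain};"
            f" dkim=pass header.d={domain}\n"
            f"List-Id: <{list_id}>\nFrom: sender@{domain}\nSubject: hi\n\nbody\n")

SPAM = sample("mx.recipient.example", "groups.example", "cheap-pills.groups.example")
WANTED = sample("mx.recipient.example", "groups.example", "book-club.groups.example")
DIRECT = sample("mx.recipient.example", "shop.example", "news.shop.example")
FORGED = sample("mx.other.example", "groups.example", "book-club.groups.example")

if __name__ == "__main__":
    for name in ("SPAM", "WANTED", "DIRECT", "FORGED"):
        print(name, "->", classify(globals()[name]))
```

Messages classified as `unconfirmed-list` are the ones a domain-only reputation filter would let through unchallenged.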

I'm not sure what Yahoo! or Google were thinking when they created systems that allow people to arbitrarily use their email systems to spam people, without any confirmation that the recipient is interested in communicating with the sender.

You can opt out of receiving these messages, but you shouldn't have to. To test this I clicked the link Yahoo! says will allow me to prevent future spams. I clicked it and got to a page that read:

"Sorry, that link has expired. We do this to prevent abuse."

Huh? I am the victim and you are preventing me from opting out of your ill-thought policy? I tried again on a newer spam and was successful in opting out.

Yahoo! Groups opt-out page

Oddly, they make me confirm my decision not to let them spam me; a very strange workflow here. I expect that Google and Yahoo! should seek our permission before allowing third parties to abuse their systems for sending spam.


3 Responses to Google's Picasa and Yahoo! Groups used to spread spam

  1. ddhirobo · 1126 days ago

    Maybe the link to unsubscribe from the older Yahoo spam group was "expired" because Yahoo discovered the spammy nature of the group and put it out of commission.

  2. Raul B. · 1123 days ago

    I found, some months ago, that Google Groups allowed me to add my friends' emails and it didn't ask them for any confirmation at all.

    Lately, I found some incoming spam in my company that arrives and eludes anti-spam filtering, thanks to Google Groups.

    I reported the groups and sent samples every day to spamcop and nothing changed. Manual filtering works for a while until the spammer changes the groups again.

    Big companies like Yahoo! and Google react as slow as a lazy mammoth.

  3. MikeyC · 1123 days ago

    This seems to be happening to me from Hotmail too. Over the weekend and yesterday, someone seems to have hacked into my hotmail or cloned my email or whatever, and sent out hundreds of emails to addresses in France (yahoo.fr) that are written in French and make me look like I'm a prostitute soliciting sex online. My hotmail account was blocked and I had to reactivate with a code. I ended up having to change my password, but what more can I do to prevent this happening again??

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.