Google’s Picasa and Yahoo! Groups used to spread spam


No spam mailboxOne of the most effective techniques anti-spam products have to block spam messages from reaching your inbox is reputation filtering.

Yes, to a degree, anti-spam solutions may still look for v1@gr@ and Mrs. Gaddafi offering you $40 million, but the biggest bang for your buck comes from reputation.

What do you do if you are a spammer? Figure out a way to get a legitimate mail provider to deliver your messages for you…

Picasa Web Albums spam

Here is an example. You can see I have received six emails, all from “Picasa Web Albums” offering me some very spammy subjects. How do they do this? They are simply creating bogus accounts on Google Picasa, uploading a photo of their product, then “sharing” this photo with a personalized spammy message.

Even worse is the abuse of Yahoo! Groups. It has been standard practice for many years that mailing lists require you to confirm you want to subscribe.

Yahoo! Groups seems to have a mechanism built for the convenience of spammers, the ability to add anyone to a group without their permission. Here is an example invitation from a spammer:

Yahoo! Groups spam invitation

Upon receiving something like this you might think you could safely ignore it and not be subscribed. Instead when you read the fine print it explains you are already subscribed to this group and you have to opt-out to not receive messages.

Every time the spammer wants to reach you he can now depend on Yahoo! to send his message, digitally sign it with DKIM, have valid SPF records and successfully evade reputation-based spam filters.

Yahoo! Groups spam messages

I’m not sure what Yahoo! or Google were thinking when they created systems that allow people to arbitrarily use their email systems to spam people, without any confirmation that the recipient is interested in communicating with the sender.

You can opt-out of receiving these messages, but you shouldn’t have to. To test this I clicked the link Yahoo! says will allow me to prevent future spams. I clicked it and got to a page that read:

“Sorry, that link has expired. We do this to prevent abuse.”

Huh? I am the victim and you are preventing me from opting out of your ill thought policy? I tried again on a newer spam and was successful in opting out.

Yahoo! Groups opt-out page

Oddly they make me confirm my decision not to let them spam me, very strange workflow here. I expect that Google and Yahoo! should seek our permission before allowing third parties to abuse their systems for sending spam.