Google Blogoscoped

Forum

Google linked spam

Achille [PersonRank 2]

Saturday, June 17, 2006
12 years ago2,710 views

I get a spam message come through about once in a month, I just got a spam message that used an interesting technique:

-----------------------------------------
From: bolsterwinters[put at-character here]winnipegflooring.com
Subject: sufficient
Date: June 17, 2006 6:11:35 PM EDT
To: achille[put at-character here]XX.XXXXX.edu

Have you ever considered of saving thousands on your health?
If you are already paying hundreds, then you should check Google:

google.com/url?q=%68%74%74%70% ...

Sincerely,
Weldon Chin
Google Service Team
-----------------------------------------

Is this unique?

Philipp Lenssen [PersonRank 10]

12 years ago #

Interesting abuse of the Google brand.

Milly [PersonRank 10]

12 years ago #

Perhaps the important issue is that, unlike (I believe) all current browsers, Google's redirector doesn't employ any anti-phishing safeguards to block or unmask obfuscated URLs.

For example, just entering the obfuscated tail of that URL into IE, Firefox or Opera : %68%74%74%70%3A%2F%2F%77%77%77%2E%67%
65%6F%63%69%74%69%65%73%2E%63%6F%6D%
2F%67%69%67%67%69%70%65%73%63%61%72
%6F%2F%65%67%2E%68%74%6D%6C *wouldn't* navigate to the spammers page (nor if the http:// and/or www bits are not obfuscated).

[[ you will have to concatenate these lines yourself – Sam]]

But when 'washed' through Google, browsers see the initial valid (Google) domain and so (rightly) think the URL is good, and Google's redirector makes no similar sanity checks of its own.

Maybe you should call upon Google to tighten that up, Philipp?

Google could have their redirector decline to forward to obfuscated URLs. Or it could display an interstitial page showing the original and de-obfuscated URLs as clickable links – like most of the URL shortening services do – so that surfers could choose (and/or be auto-redirected after a short 'no thanks' pause). Hey, they could even put adverts on the display page ...

------

Oops, looks like I've borked your page formatting :)

(And I don't mean the URL shortening services show de-obfuscated URLs; only that they show an interstitsial page. Google could do both, it seems to me).

Milly [PersonRank 10]

12 years ago #

On a slightly different issue, the spam might also have said :-

-----------------------------------------
If you are already paying hundreds, then you should check Google's Trusted Partners Program :

www.google.com//Trusted_Partne
rs/url?&q=%68%74%74%70%3A%2F%
2F%77%77%77%2E%67%65%6F%63%
69%74%69%65%73%2E%63%6F%6D
%2F%67%69%67%67%69%70%65%73
%63%61%72%6F%2F%65%67%2E%6
8%74%6D%6C

Sincerely,
Weldon Chin
Google Service Team
-----------------------------------------

And anti-obfuscation at the Google redirector wouldn't help much there, since sloppiness in Google's server configuration would (and does) allow the same URL in plain text :-

www.google.com//Trusted_Partners/
url?&q=http : // www.geocities.com/gig
gipescaro/eg.html

More details/examples of that quirk here :-

blogoscoped.com/forum/10977.ht ...

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!