Google is helping spammers get to your inbox

Pretty much all major anti-spam applications and appliances use URL Blocklists as one of the components in fighting spam. Basically, the first time a piece of spam comes through, it's analyzed, and the spam URL in the email is entered in the database. Now, every other piece of mail that comes through with that URL in it, can quickly be flagged as spam and blocked.

Well, spammers are smart people (though dishonest). They've now figured out a new way to use Google as a means of keeping off the blocklists. Yesterday I received a piece of mail at my gmail address from in plain text, and this is most of the mail envelope:

Received: from 10E5E470 ([])
by with SMTP id 16si1789149hui.2007.;
Sun, 22 Jul 2007 13:18:58 -0700 (PDT)
Received-SPF: fail ( domain of does not designate as permitted sender)
Message-Id: <>
From: "Hendrix, Arnulfo"
To: ********, ********, ********, ********, ********, ********
Date: Sun, 22 Jul 2007 16:16:22 -0500
Subject: Your Refinace Approval
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Please respond to your loan application Sun, 22 Jul 2007 16:16:22 -0500

Would you like to reduce your mortgage payment?

Refinancee with us 4 lower rate.

"Be thankful we're not getting all the government we're paying for." Will Rogers

Two points of interest:
1. All the email addresses are gmail addresses.
2. The URL is to a Google search!

At first I wondered if they had created their spam/phishing page with a specific phrase that would ensure it was the only search result, or maybe just #1 for that search query. So I clicked on it, and to my surprise, it didn't take me to a Google search result page, it took me to the spam site!

So I looked at the querystring again. Look at the end, it contains this little piece: "&btnI=f2Slj237l41Ww"

It only took me a second to realize what that was. If you go the Google homepage, you'll see the "I'm feeling lucky" button. The name of that button is "btnI". Clicking it takes you to the first result for your search query. Basically, the spammers realized that by including this in their search query string, they could *hotwire* Google to redirect people to their spam page/site!

I clicked on the link again today, and now it's redirected to Checking the Whois record doesn't give me much detail, it's registered by someone in China.

Anyhow, the biggest problem with this is that no anti-spam system is going to start blocking links to Google results. Really, I can see only two possible solutions:

1. Either anti-spam vendors block URLs with the "btnI=" variable, but that's not reliable
2. Google will need to fix their 'lucky' functionality, and only allow it on POSTs, not GET requests.

Anyhow, if someone doesn't fix it soon, we'll be seeing a lot more spam in the near future!



  1. I received it too. But this time it got to my spambox.

    You are right they are smart people.

    Thanks for explanation.

  2. I have been reciving these types of email for about 2 weeks now. I keep on unsubscribing but that doesn't seem to make any difference. The unsubscribes message always says "please allow 7 to 10 days for this to take effect" and by then there are a hundred more. I check the return path info but I did not find the name of the button. That does not mean it isn't there, just that I didn't find it. Does anyone know how to stop getting this type of mail? If so please leave a post and I will contact you. Here is the return path info:

    Received: from ([])
    (InterMail vM. 201-2186-121-20061213) with ESMTP
    for ; Sun, 23 Nov 2008 14:06:18 -0700
    Received: from ( [])
    by (BorderWare Security Platform) with ESMTP id 6D1E0414350C6763
    for ; Sun, 23 Nov 2008 14:06:18 -0700 (MST)
    Received: by with SMTP id l33so2273733rvb.58
    for ; Sun, 23 Nov 2008 13:06:18 -0800 (PST)
    Received: by with SMTP id m6mr1487240rve.29.1227474378201;

  3. Because they send it as you and to you. Click on the drop down arrow at reply and click "show original" and look at the return path…LOL your address should show up as delivered-to: and the return-path. No need to reply. You are just replying to yourself

Leave a Reply

Your email address will not be published. Required fields are marked *

To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image