Pretty much all major anti-spam applications and appliances use URL blocklists as one of the components in fighting spam. Basically, the first time a piece of spam comes through, it's analyzed, and the spam URL in the email is entered in the database. From then on, every other piece of mail that comes through with that URL in it can quickly be flagged as spam and blocked.
Well, spammers are smart people (though dishonest). They've now figured out a new way to use Google as a means of keeping off the blocklists. Yesterday I received a piece of mail at my gmail address from Puckett6G@photoelectricconversion.com in plain text, and this is most of the mail envelope:
Received: from 10E5E470 ([22.214.171.124])
by mx.google.com with SMTP id 16si1789149hui.2007.07.22.13.18.20;
Sun, 22 Jul 2007 13:18:58 -0700 (PDT)
Received-SPF: fail (google.com: domain of Macdonald7Crouch@hydrogenbots.com does not designate 126.96.36.199 as permitted sender)
From: "Hendrix, Arnulfo"
To: ********@gmail.com, ********@gmail.com, ********@gmail.com, ********@gmail.com, ********@gmail.com, ********@gmail.com
Date: Sun, 22 Jul 2007 16:16:22 -0500
Subject: Your Refinace Approval
Please respond to your loan application Sun, 22 Jul 2007 16:16:22 -0500
Would you like to reduce your mortgage payment?
Refinancee with us 4 lower rate.
"Be thankful we're not getting all the government we're paying for." Will Rogers
Two points of interest:
1. All the email addresses are gmail addresses.
2. The URL is to a Google search!
At first I wondered if they had created their spam/phishing page with a specific phrase that would ensure it was the only search result, or maybe just #1 for that search query. So I clicked on it, and to my surprise, it didn't take me to a Google search result page, it took me to the spam site!
So I looked at the query string again. At the end, it contains this little piece: "&btnI=f2Slj237l41Ww"
It only took me a second to realize what that was. If you go to the Google homepage, you'll see the "I'm feeling lucky" button. The name of that button is "btnI". Clicking it takes you straight to the first result for your search query. Basically, the spammers realized that by including this parameter in their search query string, they could *hotwire* Google into redirecting people to their spam page/site!
I clicked on the link again today, and now it redirects to www.usamortgagedaily.com. Checking the Whois record doesn't give me much detail; it's registered by someone in China.
Anyhow, the biggest problem with this is that no anti-spam system is going to start blocking links to Google results. Really, I can see only two possible solutions:
1. Anti-spam vendors block URLs containing the "btnI=" parameter, but that's not reliable.
2. Google fixes its 'lucky' functionality so that it only works on POST requests, not GET requests.
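A defender-side check of the kind the first option describes, added here as an example that is not from the original post: it picks out Google search links that carry a btnI parameter and pulls out the q value, which is the part worth blocklisting, since the host is google.com for every such message. The message body and the search phrase below are constructed; only the btnI value is the one quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample message body. The post does not reproduce the actual
# search URL, so the search phrase here is invented; the btnI value is the
# one quoted in the post.
SAMPLE_BODY = """Would you like to reduce your mortgage payment?
Refinancee with us 4 lower rate.
http://www.google.com/search?hl=en&q=%22refi+lower+rate+usa+daily%22&btnI=f2Slj237l41Ww
"Be thankful we're not getting all the government we're paying for." Will Rogers
"""

# Crude URL extractor: good enough for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# google.com, www.google.com, google.co.uk, google.de, ...
GOOGLE_HOST_RE = re.compile(r"^(?:[\w-]+\.)*google\.(?:com|co\.[a-z]{2}|[a-z]{2})$", re.IGNORECASE)


def lucky_redirects(text):
    """Return every Google search link in `text` that carries a btnI
    ("I'm Feeling Lucky") parameter.

    Such a link is effectively an open redirect to the top hit for the
    query, so the destination is identified by the q value, not by the
    URL's host. Each hit is a dict with the raw url, the decoded query
    (the value to compare against a blocklist) and the btnI value.
    """
    hits = []
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not GOOGLE_HOST_RE.match(host):
            continue
        if parts.path.rstrip("/") != "/search":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if "btnI" not in params:
            continue  # an ordinary search link, not a redirect
        hits.append({
            "url": url,
            "query": params.get("q", [""])[0],
            "btnI": params["btnI"][0],
        })
    return hits


if __name__ == "__main__":
    for hit in lucky_redirects(SAMPLE_BODY):
        print("lucky redirect -> search phrase to blocklist:", hit["query"])
```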
Anyhow, if someone doesn't fix it soon, we'll be seeing a lot more spam in the near future!