back to article Spammers dive into Google's lucky dip

Google's "I'm feeling lucky" button was designed to save web searchers time by automatically opening the first page of a query. It turns out the feature, and similar ones from other search engines, are increasingly helping junk mailers get around anti-spam products. That's one of the findings from a January Intelligence report …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Boffin

    Simple solution

    Block all URLs in emails that contain a Google search string.

    If you want to show someone a site, send them the site URL. If you want to show a humorous Google search (French military victories, miserable failure, whatever the fad of the month is), just send the words and tell them to Google it.

    Easy.

  2. Greg Jebb

    Or...

    Have the I'm feeling lucky switch stored as a cookie or something else local to the user, so the links point to a search page instead.

  3. adnim

    Thanks to spam.

    My bank account is empty, I have hundreds of useless shares that are quickly losing value, I also have hundreds of little blue pills and my PC sends out thousands of emails a day, to where I do not know. I have heard nothing from the nice African prince who's fortune I helped to recover for a mere £5,000 whilst promising me £50,000 in return, on top of that my new gold Rolex is gettting rusty. On the plus side I am now hung like a horse.

    Anyone who clicks on any link from an unsolicited email gets exactly what they deserve, regardless of the clarity of url.

    Seriously, always use a web based provider for those sites that want an email address to send a password to before allowing one to access content. And set the filters on your proper mailbox to automatically delete all messages that hit your proper mailbox which do not have your correct name before the @. I find nearly all spam contains the correct domain name for the email account but the part before the @ is usually ascii nonsense. I just don't get spam emails in the inbox of my ISP account. My trash folder however usually gets a hundred plus emails a week, which is emptied regularly without me looking into the contents.

    I guess I am teaching grannies to suck eggs with the above paragraph seeing as the majority who visit the Reg are IT professionals. Still, I leave it in, just in case there are some "paper professionals" out there.

  4. Jolyon Ralph
    Boffin

    Simple for GOOGLE to fix!

    Block links to the 'i'm feeling lucky' redirect unless the HTTP_REFERER is google.

    Paraonid people who block referrer information might not be able to use the button then. I'm so sad for you all!

    Jolyon

    ps. Oh alright, if you really do insist on being paranoid, Google could instead randomize the name/id of the button and have some way of checking this on the referrer page, but that would be a right bloody pain to implement reliably.

  5. James Dodd

    Even simpler solution

    Google blocks access to the redirect pages unless the referring domain is actually part of google

  6. Kieron Wilkinson
    Boffin

    Simple solution # 2

    Get the search engines to only do a lucky dip if the referrer URL is their own. Therefore any external activation of the URL will just dump you to the search page, but the i feel lucky button will work unchanged.

  7. Gavin Ayling

    Google URLs

    Unfortunately Google URLs are used for lots of useful purposes like sharing documents, links to Google Maps etc. Nice idea though Mr Coward.

  8. Anonymous Coward
    Anonymous Coward

    Re: Simple solution

    Or make the spam engine query the page, and if it gets a redirect, use *that* URL against the spam db.

    But then you're making the spam engine "hit" every page that goes through the engine, and if you've got your company URL in your sig, that's a hit on your website every time someone sends a mail or receives a reply.

  9. Chris

    Or even easier...

    Above is easy, but relies upon all antivirus / malware vendors making the change. I'd hazard a guess that there are still enough unprotected PCs out there for the tactic to still be worthwhile persisting with.

    Far simpler (for the public anyway) way is to Include a simple random-number key that is generated at the time the google home page is opened, and store it in a server session variable. Have it submitted with the search form as a hidden form field, then compare the two values on the server.

    If the two values match, then the "I'm feeling lucky" button will go to the normal place, but if the two values don't match (i.e. they hadn't visited the google home page first), then display an error page instead.

    A simple way of ensuring that your browser HAS to have gone to the google home page in the same session before the button will work!

  10. Anonymous Coward
    Anonymous Coward

    Simple - Remove the "I'm feeling lucky" button...

    ...does anyone actually use it?

  11. matt
    Thumb Up

    RE: Simple solution # 2

    Do you mean:

    Referer == Google: Behave normal

    Referer != Google: Display search page

    If so, I think your idea is best :)

  12. Eddie Johnson
    Thumb Up

    Simplest Solution

    The solution that has worked great for me is to block google entirely and use scroogle.org, a sanitizing front end that removes all paid links. This avoids the potential of users accessing nasties from the google cache too.

  13. Ian
    Unhappy

    @adnim re: Thanks to spam

    "Seriously, always use a web based provider for those sites that want an email address to send a password to before allowing one to access content. And set the filters on your proper mailbox to automatically delete all messages that hit your proper mailbox which do not have your correct name before the @."

    All good advice until your ISP gives away the entire contents of their email database containing every email address you've ever sent mail to or received mail into.

    I was spam-free for years until Plusnet kindly pulled my trousers down, bent me over and gave me a good seeing to by giving away my own domain name email addresses in addition to the plusnet-based ones.

    You can look after yourself only so far. When other idiots give your details away, there's not a lot you can do.

  14. nobby

    i had a really really good idea

    then i remembered that the "i feel lucky" button is a waste of screen space and no one older than seven uses it.

  15. Anonymous Coward
    Paris Hilton

    You want to solve this?

    Send the police to catch the scum that do the spamming... instead of having them harrass motorists...

    The govt has billions spare to spend of ID cards and CCTV cameras etc, but nothing to spend on catching, prosecuting, convicting REAL criminals...

    Even Paris could work that out.

  16. john doe

    are you feeling lucky punk?

    what is the purpose of it anyways? save a click after searching? Just remove the damn thing and be done with it. Also give the most useless idea award to whoever came up with the idea!

  17. Anonymous Coward
    Anonymous Coward

    It's a feature not a bug

    'I am feeling lucky' is not really a lucky dip - it just goes to the top ranked site for that search.

    The spammer has got to find a rare word combination, normally some gibberish and then make a site with those words on it. Google will know this is spam, as the numbers of people searching for the gibberish spike, are using I am feeling lucky, and there are very few results for the search.

    'The Register' example was a bit off, as www.theregister.co.uk tends to get searches for 'the register' as number one, though feasibly someone could aim for the big domains it would take a lot of effort to usurp them.

    I am fairly sure they are working on it now, it is not really a clever scam, as it brings the Google trademark into disrepute and Google are the ones who can identify which domains they are, through quite a few channels actually, when you bear in mind they have gmail.

    Google is multi national, so can probably sue for abuse of service and abuse of their trademark wherever the spammers maybe, I think a lot of spammers are going to get a rude awakening with this ill thought out approach.

  18. Bob

    Not Just Google...

    This isn't just a Google problem. TinyURL could be used for similar purposes. I'm sure there are plenty of places that do URL redirection. And if not, the spammers could start making their own.

  19. Anonymous Coward
    Anonymous Coward

    How to stop spam

    AC said "Send the police to catch the scum that do the spamming".

    Spam reporting organizations like KnujOn.org can actually help the bobbies do this. Try it, instead of deleting it and pretending it doesn't exist.

  20. Inspector_Morse
    Thumb Up

    @ Eddie Johnson

    Thanks for reminding me of Scroogle. I have now added this to my search engine options in Firefox.

    http://mycroft.mozdev.org/download.html?name=scroogle&sherlock=yes&opensearch=yes

  21. adnim

    @Ian

    I have had the same ISP for around 6 years, OK so far. But I do understand what you are saying. One has to place at least a modicum of trust somewhere, thing is I can place anything in front of the @. it will still reach me if I set the address up in my mail account and Thunderbird. If I ever get spammed using my current name I will just change it, inform those in my address book and set the old name for deletion.

    If your trousers were pulled down after the 30th of Jan 2007, it was BT that did it after purchasing PlusNet and sacking the CEO and Finance officer.

  22. Anonymous Coward
    Anonymous Coward

    @Eddie Johnson

    Or if you're environmentally sensitive, use http://www.blackle.com/

    Supposed to consume less energy then google. :-)

  23. Laurie Brown
    Linux

    Spam levels

    We (http://www.spammunize.com) haven't seen anything like a drop in spam for our customers. 94% of incoming email is deemed spam by our filters. I know messagelabs is bigger, but we don't see a drop in anything.

  24. Chris
    Thumb Up

    I use "I'm Feeling Lucky"....

    It gives me a warm feeling that I'm using Google's service, but without looking at any of their ads (where did I read recently that it was estimated they lose tens of millions $/year in potentials ads?).

    It's mostly for Gmail - my home page is Google so I type those 5 characters, tab twice, enter and it takes me there. It's just the habit I've got into; I'm sure I'll get 101 suggestions of how a Firefox extension could do it better.

  25. Anonymous Coward
    Anonymous Coward

    Email address giveaway

    >>"All good advice until your ISP gives away the entire contents of their email database containing every email address you've ever sent mail to or received mail into."

    My old ISP (Freeola) merely gave away all my email addresses, including addresses that had never actually been used for sending or receiving anything other than a test mail from me.

    Of course, their slithering excuse for tech/customer support denied it could possibly be them, but that wasn't exactly convincing, since other customers I knew of theirs had the same thing happen at exactly the same time (same peculiar spam started arriving at every single email address).

  26. Kevin McMurtrie Silver badge
    Flame

    Google is the spammer

    Google is definitely a spam-friendly corporation because they seem to pride themselves on not having live customer support. Their published abuse contacts of abuse@gmail.com, abuse@google.com, and groups-abuse@google.com are not read. I've sent Google hundreds of complaints about criminal Usenet spammers using Google Groups. The criminals are still flooding Usenet a year later. I've sent dozens of GMail complaints to Google. Google auto-replied saying that GMail wasn't the spam source because it can't spam. Getting spammed for Google's Blogspot? Good luck with that.

    Lets see how bad it gets when Google owns some wireless bandwidth. I'd be impressed if they can keep the level of legitimate traffic above 5%.

  27. Mike

    Trust and precautions

    "Not clicking on links in email" is only possible to those who do not use Outlook, or who do not allow Outlook (or Outlook Express) to use its preview pane.

    As for trust, Adobe shared my "registration" spam-trap email address with a porn-spammer within 30 minutes, so I have to presume it is an automated process.

    (N.B. there is/was apparently no abuse@adobe.com. You have to send registered physical mail to a law-office behind an P.O.Box in Los Angeles to complain. Or that was the case when this happened. Dunno if it is still that way because I will certainly never buy another Adobe product.)

  28. Jon

    @Chris

    "It's mostly for Gmail - my home page is Google so I type those 5 characters, tab twice, enter and it takes me there. It's just the habit I've got into; I'm sure I'll get 101 suggestions of how a Firefox extension could do it better."

    Aside from the obvious use-a-bookmark (which I assume you've tried and rejected), you could always try Launchy: http://www.launchy.net/

    I can get to gmail in 5 keystrokes (without necessarily having my browser-of-choice open): Alt+Space, gm, Enter

  29. Andy Worth

    So...what's the difference.....

    Between getting a mail offering viagra with a link to www.keepithard.com and a mail offering viagra with a link to Google and an "I'm feeling lucky" spam scam? Well anyway, people who click on either generally should be supervised at the keyboard at all times.

This topic is closed for new posts.