Wondering where that upcoming meeting with 'Cheap Viagra' came from? Spammers beat Gmail filters by abusing Google Calendar, Forms, Photos, Analytics...

Spammers are abusing the preferential treatment Google affords its own apps to score free passes through Gmail's spam filters, it was claimed this week. The ad giant greases the wheels so that incoming messages involving Google Calendar and other Big-G apps slide through the filters and appear in Gmail inboxes, to ensure stuff …

  1. Anonymous Coward

    Verified message from The Register

    Your account has been locked due to a potential security vulnerability. If you wish to post a comment to this article please send an email containing your full name, postal address, date of birth and credit card number to account-unlock@theregister.security-team.x5f22s.bofh-phish.ng

    You verify authentic of message by confirm address bar green padlock like genuine website do.

  2. Anonymous Coward

    Jeez, what a colossal waste of computing power. G's response was good for a laugh, though.

  3. Shadow Systems Silver badge

    Ah, so that's where it came from.

    I don't use any of the Google services except Gmail, so when I had a calendar item in my inbox I knew right off the bat it was spam.

    Then I tried to get my screen reader to read the "email" only to have it shit itself because the "message" was a fekkin' picture with no alt text.

    Get a sighted person to describe it to me & learn the pic is "a swirly blob of colors on a white background. There's text in it obfuscated by the blobs. It wants you to click a link & visit a dating site."

    Enough said. Deleted. Next email...

    Fekkin' spammers need to die.

    1. cookieMonster

      Re: Ah, so that's where it came from.

      Fekkin' spammers need to die.

      You might be on to something there...

  4. IGotOut

    Oh no, they must be bricking themselves.

    "Quick let's try and scam people out of a few hundred thousand dollars"

    "But it's against their terms and conditions"

    "Damn, best give up then."

  5. Kevin McMurtrie Silver badge

    Earned it

    From outside of Google, Google services look like 99.999% spam. Essentially, Google filters their users from their abusers but doesn't care what happens to non-Google accounts.

    I'm glad that Google's abusive customer base has grown enough to make Google suffer from its own policy of never giving a crap.

  6. Anonymous Coward

    "In addition, we offer security protections for users by warning them of known malicious URLs..."

    So what about UNknown malicious URLs...?

  7. brotherelf

    Not surprised

    Somebody tried that gmail "confidential message" feature on me a couple weeks back. And what do you know, it ticks all the boxes for phishing scams: HTML mail along the lines of "X sent you a message. Click here and log in with your google credentials for yourmail@otherdomain, but be quick, this mail will self-destruct in X hours."

    I'm totally using that template next time I do awareness training.

    But more OnT: didn't the same exact effing thing happen to iWhatnots about five years ago, where calendar invitations would be automatically added to calendar etc., even from the spambucket?

    1. Chris G Silver badge

      Re: Not surprised

      About 5 years ago I was working with a group of people who used Google calendar for everything, they set me up a gmail account so that I could be in the loop.

      After a week I noticed advertising spam related to the calendar content coming to my inbox, I assume everything on their calendar is transparent to Google and used to improve your experience ™. Needless to say I declined syncing with my other emails.

  8. Dan 55 Silver badge
    Big Brother

    "we scan content on Photos for spam"

    I bet you do.

    1. Korev Silver badge
      Coat

      Re: "we scan content on Photos for spam"

      To be fair the tins are a nice blue colour

  9. Securitymoose

    Does anyone still use GMail, or Hotmail?

    I get a mail from someone with a Hotmail or Gmail address and think...

    1. Cheapskate

    2. Scam

    3. Why?

    4. Don't you have an ISP?

    5. What are you hiding?

    6. You must like all your communications filtered and stored by the big boys.

    7. You poor fish

    1. Tony W

      Re: Does anyone still use GMail, or Hotmail?

      So, does anyone know a reliable and cheap email only hosting company?

      I wouldn't recommend ISP's email because you lose your address when you change ISP to get a better deal.

      As far as I know, to get a good and reliable host for your own domain is a significant cost and unless you pay a professional to sort it for you requires tech savvy well above most. And it might be trouble free at the start, but four hosting companies I have used in the last 25 years started well but their service became dreadful after they were swallowed by bigger companies.

      Not sure what I would recommend actually, especially to someone hard up for whom the cost of a domain means going without something else they want.

      1. Korev Silver badge

        Re: Does anyone still use GMail, or Hotmail?

        I got screwed over by another host buying out my old (good) provider and then screwing up the transition so I had no email for weeks... I'm no longer a customer of theirs for some reason.

      2. Cuddles Silver badge

        Re: Does anyone still use GMail, or Hotmail?

        "So, does anyone know a reliable and cheap email only hosting company?"

        Depends what you mean by "cheap". A few quid a month gets you Proton Mail, and I assume there are plenty of others at a similar price point. If you want to use your own domain there's a certain minimum of tech-savvyness required, but connecting said domain to an email host doesn't really add anything on top of that. If you're genuinely too poor to afford £50 or so per year, Gmail spam filters are probably not one of your major concerns, but if you're not so badly off it doesn't seem unreasonably expensive. Would everyone suddenly jump ship from the likes of Gmail if the cost was only £30 instead? I doubt it; cost really doesn't seem to be the primary issue, other than in a binary "is it free or not?" sense.

        Edit: As a disclaimer, while I do have a ProtonMail account, I don't actually use it for my domain since they're very restrictive on how you can use aliases. They seem decent if you just want basic email services, but might not be much good if you have specific needs.

        1. holmegm

          Re: Does anyone still use GMail, or Hotmail?

          Trust is a tricky thing that soon lands you in the fallacy of the false alternative.

          For most people, your recommendation sounds like "no no, instead you should trust *these* people you don't know over here!"

      3. Mike007

        Re: Does anyone still use GMail, or Hotmail?

        Many (most?) registrars provide free email hosting with a domain name, which is suitable for personal use.

        Example: I use gandi.net for my domain registrations. £6/year for a .uk domain with up to 5 email inboxes.

        However most people are scared of a management interface with lots of options even if all they need to do is select the mail tab and add an address... so, they spend £300 writing bobtheplumber69@aol.com on the side of their van instead.

    2. sal II

      Re: Does anyone still use GMail, or Hotmail?

      From 4. I infer you use your ISP e-mail and you have the face to diss Gmail/Hotmail users...

      ROFL

  10. Pascal Monett Silver badge

    "Spammers are abusing the preferential treatment Google affords its own apps"

    Ah, the eternal battle between the sword and the shield. Except, in this case, it looks more the damn holding back the lake has sprung a leak. Or it would be, if the damn hadn't been built with a hole in it in the first place.

    In any case, the good thing that is going to come out of this is that Google is now going to have to find a way to vet legitimate messages from its own applications instead of just letting them through.

    The fight against spam continues.

    1. druck Silver badge

      Re: "Spammers are abusing the preferential treatment Google affords its own apps"

      It should be trivially easy for google to add a cryptographic hash to the headers of emails originating from their apps, and block anything purporting to be from google which doesn't contain a valid hash.

      1. Robert Carnegie Silver badge

        Re: "Spammers are abusing the preferential treatment Google affords its own apps"

        As I read it, these messages are coming from Google. The spammer sets up a Google Calendar account in the name of V.I.Agra and then sends meeting invitations to 1 million of V.I.Agra's friends.

        I would feel sorry for a user whose name actually is V.I.Agra. Even without this.

    2. David 132 Silver badge
      Headmaster

      Re: "Spammers are abusing the preferential treatment Google affords its own apps"

      Dam those homophones.

    3. W.S.Gosset Bronze badge

      Re: "Spammers are abusing the preferential treatment Google affords its own apps"

      > Or it would be, if the damn hadn't been built with a hole in it in the first place.

      Damn -- missing cnut

  11. antman

    "...deeply committed to protecting all of our users from spam"

    Including spammers with gmail addresses. I'm one of their users and sometimes try to browse old articles in the archive of Usenet messages in Google Groups. This becomes impossible in some groups which have become choked with spam. The spam is invariably from a google account but any complaint via their feedback mechanism is completely ignored. I don't know how they handle their own non-usenet groups.

  12. Nick Kew Silver badge

    gmail broken

    I correspond with a number of people whose addresses are gmail. Including two family members, and three with whom I've corresponded over organising music.

    For the past few months, every message I've sent any of them gets diverted to their spam folders. This problem is unique to gmail: it hasn't happened to anyone with an ISP address, an own domain or work address, or other big providers like yahoo or microsoft.

    Come to think of it, my brother probably never saw the email I sent as followup to our last exchange of text messages.

    1. holmegm

      Re: gmail broken

      Maybe your friends and relatives are marking your emails as spam but not telling you ;)

    2. Robert Carnegie Silver badge

      Re: gmail broken

      I have an Excite.com account that seems to close doors in several places. A Google user can "white list" you by setting a "filter" which directs your messages somewhere other than the spam box. I found some instructions which look intelligible although still quite complicated:

      https://www.lifewire.com/how-to-whitelist-a-sender-or-domain-in-gmail-1172106

  13. steviebuk Silver badge

    It's not new

    Happens elsewhere also. Which is why this response is bollocks

    "In addition, we offer security protections for users by warning them of known malicious URLs via Google Chrome's Safe Browsing filters."

    Because the other day when checking the quarantined emails (I like to collect samples) one was allowed through because it was linked to Microsoft forms. So that part looked legit. They'd just exploited the fact Microsoft forms is free and shows as https. Stuck their malware crap and links on that.

  14. lvm
    Holmes

    A well-known problem with a well-known solution

    Disable 'events from gmail' in google calendar settings, it's on by default. Unless you are relying on receiving appointments via gmail, then you are screwed.


Biting the hand that feeds IT © 1998–2019