Categories
josephscott

Google Docs Spam

One of the neat things about Google Docs is the ability to share the document with others. You can do this with anyone just by knowing their email address. Google will then send an email out that looks something like:

I’ve shared a document with you called “Spam sharing test”:
http://docs.google.com/a/example.com/Doc?id=xxxxxxxxxxxxxx&invite=

It’s not an attachment — it’s stored online at Google Docs. To open this document, just click the link above.

Shared this doc with you.

Which is a really handy way to collaborate with others on a document. And it seems the spammers have discovered this as well.

I’ve recently started seeing emails for documents that I’ve been invited to, which turn out to be just a bunch of spam. They’ve taken Google Docs and are using it in an attempt to mask their spam from email filters, by providing link to a service you might normally trust. I suspect that Gmail is unlikely to mark any doc invites as spam.

Currently this seems to be pretty limited, the spammers have to paste in the email addresses into an invite box. Google could do some basic things to prevent spammy looking invites from going out (do you really mean to invite 3.78 million people to share your document?). I’m not aware of a Google Docs API that allows you to script doc invites, but if there is one (or if they come out with one later) then you can bet the spammers will make use of that as well.

This will turn into another wack-a-mole situation, where Google will (hopefully) revoke accounts and API keys for users who are sending out spam in this way. Then the spammer will just start using another one of the 324,834 accounts that they’ve already created at Google until it gets blocked too. Rinse, lather and repeat.