Back to Top

Sunday, December 02, 2007

Google spam - aka I'm back

My workload has lightened a little and hopefully I can continue to blog more frequently. But enough of this, let's get to our main subject:

Recently I've been seeing a growing number of spam which links to Google instead of the spam site. The idea is (probably) to avoid filters which check the link targets to determine if the message is spam. The links looks like the following:[some query unique to the site]&btnI=I=Im+Feeling+Lucky

What this does is does a query for which the spamvertized site comes in at the top of the results and simulates a click on the I'm Feeling Lucky button, making Google act as a redirector.

IMHO Google could fix this easily by refusing to redirect from links if the Referer header doesn't point to a Google domain. While in general basing security decisions on the Referer header is not a very secure option and it can break clients which don't send Referer headers (for privacy concerns for example), in this case it would be a very transparent solution:

  • if the users has a desktop based mail client, the Referer header will be empty, preventing the redirection
  • if the user has a web-based mail client (Hotmail, Yahoo Mail, GMail, etc), the Referer header will point to that instead of a Google domain, preventing the attack (or, if the user has disabled the sending of the Referer headers, it will be blocked as in the previous case)
  • if the user copy-paste's the link (because some SPAM comes as text mail), it will have no referer link again.

There are two potential things which get broken by this: (a) people who have Referer headers turned off and (b) third party software / sites which rely on this service. For (b) the answer is pretty clear: this is a functionality provided by Google as is with no guarantees (ie. it's not a documented interface). As for case (a), if they use the I'm Feeling Lucky button, they are SOL. There might be the possibility to work something out by using cookies, but maybe the number of people who have both the Referer header turned off and want to use the special button is so small, that the tradeoff (less SPAM / inconvenience a few people) is worth it.


  1. "if the user has a web-based mail client (Hotmail, Yahoo Mail, GMail, etc), the Referer header will point to that instead of a Google domain,"

    umm - if it's gmail the referer will be a google domain...

    i don't remember the story behind the "i'm feeling lucky" button (i know there was one) but maybe it's time to get rid of it... i can't imagine it's really that useful and frankly, my gut tells me that visiting a site without at least knowing the url beforehand is potentially a security risk (much like the criticisms that have been leveled against tinyurl recently)...

  2. Yes, but it's not hard to filter that out :-).

    If I recall correctly there was a recent story where Google said that they were keeping the "I'm feeling lucky" button to show that they're "hip".