Spammers using legitimate file sharing services to bypass traditional spam filters is not a new tactic. We have seen many examples including the outbreak of spam using Pizza Hut and CBS images…or the time when ZDNet was exploited…and CNN…and Google Docs…and, well, you get the picture.
The Commtouch Labs recently reported an outbreak of Google Spreadsheet spam, where our friends with a Canadian Pharmacy used Google Spreadsheets as a redirection point and the “from” email address of the messages were an assortment of random Gmail addresses.
The link in the email points to a Google Spreadsheet URL which redirects here:
By simulating hosting their wares on a (mostly) legitimate site like Google Spreadsheets, traditional spam filters will trust the source without catching the fact that it’s spam. In this particular case, the spammers took it a step further and encoded the end of the Spreadsheet URL in case filters attempted to check particular files. Google Spreadsheet files have a URL that always begins http://spreadsheets.google.com/pub?key=
A unique combination of letters and numbers found after the “key” is assigned to each spread sheet and if a filter found that a certain key was in any way malicious, it could block that key. By encoding the key, the spammers can bypass that rule.
What will they think of next?