Gmail - The Spammers Paradise | Anti-Forensics



Google Mail is a powerful engine for spammers. You might have had spam hit your inbox from a Gmail address at some point. So what makes this email service from Google such a great staging platform for mass mailing?

Well, when an email is sent from most web mail providers, the origin IP address (the IP address from which the service was accessed) is usually included in the email’s header. However, email sent through Google’s web mail contains no origin IP address in the email’s header. This means that spammers do not have to deal with rotating or masking their sending IP address, which would get blacklisted fairly quickly when mass mailing. The usual filters still need to be bypassed to send mass amounts of email to inboxes.

Some of these filters include:

  • Strings of words and phrases that appear in the bodies of many emails
  • Similar email subject lines
  • URLs included in emails which direct recipients of spam to landing pages or offers

These filters can generally be bypassed fairly easily as well. Mailing software exists that allows someone to craft emails that pull URLs from a large list at random. This allows a spammer to generate many domains and URLs which all redirect to their offer’s landing page. This keeps anti-spam filters from marking messages as spam based on the URLs in the email subject and body, since the URL can differ across 100 or more emails.

This same mailing software usually includes the ability to generate email subjects and bodies dynamically, allowing unlimited variations of words and phrases so that there may be up to a million different variations of the same basic email template.

Combine these dynamic emails with the absence of an origin IP address and you have an excellent engine for sending spam email.

Gmail will enable a “CAPTCHA” on accounts which have tripped Google’s outgoing spam filters. This means that the account will need to be logged into with the CAPTCHA solved correctly before any more email can be sent from it.

So you would think it would be harder to really send a lot of spam? Well, not so much. There are automated services which allow automatic CAPTCHA solving, such as the service provided at decaptcher.com. The FAQ on decaptcher.com states:

DeCaptcher CAPTCHA solving is processed by humans. So the accuracy is way better than automated captcha solver ones.

The CAPTCHAs solved by this service generally take between 10 and 30 seconds, and CAPTCHAs can be sent to DeCaptcher for processing through APIs provided in many different languages. This makes coding software to use this service very easy and profitable for both programmers and those who dabble in mass mailing or in any other service which requires a CAPTCHA.

A tool which can automate the process of logging into Gmail accounts, solving CAPTCHAs when needed, and sending email can be very expensive. Mailing software like this can sell for over a thousand US dollars, but in the hands of the right person it is just the result of a few hours of work.

Google has also implemented limits on outgoing email. Gmail caps its web mail at 500 outgoing messages per day, and its SMTP service will deliver 250 outgoing email messages per day. So to get around this you can simply purchase Gmail accounts by the thousands or make them yourself with automated software (or manually, if you’re crazy), which can also have the DeCaptcher service implemented. Typically, Gmail accounts are sold in packs of 1,000 for between $15 and $20.

Computer forensic examiners should keep all of this in mind when they’re working a harassment case or equivalent where the offending email was sent from Gmail. You won’t find the originating IP address in the headers of those emails as long as they were sent via the web interface of Gmail.

To test this:

  1. Log into your Google mail account and send an email to one of your Yahoo or Hotmail email addresses
  2. View the source of the email (right-click on email in the inbox and view source – in Hotmail)
  3. Notice the IP in the header is one of Google’s and not yours
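The header check in the steps above, done programmatically as an added example (not code from the original post): it walks the Received chain oldest-first and reports the submitting client’s address when the headers expose one, either through an X-Originating-IP header of the kind some webmail providers add or through the oldest Received hop, and returns None when the only recorded hops are the provider’s own. All hostnames and addresses below are constructed placeholders, not captured mail.

```python
import email
import re

# Constructed sample headers (not real captures). Hostnames and addresses are
# documentation-range placeholders. Each relay prepends its own Received header,
# so the topmost hop is the newest and the bottom one is the oldest.
MSG_XOIP = b"""Received: from mail.webmail.test (mail.webmail.test [203.0.113.10])
\tby mx.recipient.test with ESMTP id a1; Sat, 6 Jun 2009 13:18:00 +0000
X-Originating-IP: [198.51.100.77]
From: a@webmail.test
"""
# Webmail submission recorded only as a provider-side hop: no client address.
MSG_WEBMAIL_ONLY = b"""Received: from out.webmail.test (out.webmail.test [203.0.113.20])
\tby mx.recipient.test with ESMTP id b2; Sat, 6 Jun 2009 13:20:00 +0000
Received: by out.webmail.test with HTTP; Sat, 6 Jun 2009 13:19:58 +0000
From: b@webmail.test
"""
# Authenticated SMTP submission: the oldest hop names the submitting client.
MSG_SMTP = b"""Received: from smtp.webmail.test (smtp.webmail.test [203.0.113.30])
\tby mx.recipient.test with ESMTP id c3; Sat, 6 Jun 2009 13:22:00 +0000
Received: from [192.0.2.5] (client.isp.test [192.0.2.5])
\tby smtp.webmail.test with ESMTPSA id c2; Sat, 6 Jun 2009 13:21:50 +0000
From: c@webmail.test
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def received_hops(raw):
    """Received header values, oldest-first, with folding whitespace collapsed."""
    msg = email.message_from_bytes(raw)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def originating_ip(raw):
    """Best-effort address of the submitting client, or None when the headers
    do not expose one (what the post describes for mail sent via Gmail's web UI)."""
    msg = email.message_from_bytes(raw)
    xoip = IPV4.findall(msg.get("X-Originating-IP", ""))
    if xoip:
        return xoip[0]
    hops = received_hops(raw)
    # "from <client> ... by <server>" records the handing-over client; a hop that
    # starts with "by ... with HTTP" is the provider's own webmail submission.
    if hops and hops[0].lower().startswith("from "):
        found = IPV4.findall(hops[0].split(" by ")[0])
        return found[0] if found else None
    return None
```

A None result only means the headers do not record the client; the provider itself may still hold the login IP for the session, which is the route an examiner would pursue through legal process.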

Now if the one who sent the email used an IP address not associated with them in any way to create and then access the Gmail account, then you’re pretty much out of luck. You’ll notice I haven’t cited any sources for purchasing Gmail accounts and Gmail mailers. You should be able to find these yourself with… Google.



Comments

13 Responses to “Gmail – The Spammer’s Paradise”

  1. Rishan on June 6th, 2009 1:18 pm

    5/10.

    I like the other posts WAY better. This was sub-par. (i.e. not of any use, anti-forensics wise; this is COMMON KNOWLEDGE)

    But. Keep them posts coming. I like more technical/unconventional/encryption/steganography related posts.

  2. Yar on June 6th, 2009 1:53 pm

    Haha yeah, I agree with you Rishan.

    Unfortunately it was the only post I had fully written and the time since the last post was getting a bit long. I agree though, every tech site and their blogs have posted about this.

    I’ve a few more unconventional articles in the queue but I just need time to do more research and testing.

  3. Anonymous on June 8th, 2009 8:29 am

    mass mailing should not be a crime. i saw where this guy got like 12 years in federal ass-pound prison for mailing. Just think about it: you are sending offers to people who can just delete it. No different than junk snail mail/fax spam and all the others that still happen.

    btw don’t spend too little on gmail addresses because usually they were made in india or something and will be deactivated in a few days. ;)

  4. Ben on June 12th, 2009 9:36 am

    I wonder why gmail does this? I tested this and did not realize that only internal Google mail servers and an external Google mail server show in the email header.

    No wonder it is being abused.

    That DeCaptcher service thing is crazy lol

    Thanks for the article, I did not know this stuff. I guess I am more ignorant than the first commenter =P

  5. Cyclops on August 16th, 2009 1:55 am

    Suggested topic for future posts.

    Printer Steganography

    From Wiki:

    Many modern color laser printers mark printouts by a nearly invisible dot raster, for the purpose of identification. The dots are yellow and about 0.1 mm in size, with a raster of about 1 mm. This is purportedly the result of a deal between the U.S. government and printer manufacturers to help track counterfeiters.

    The dots encode data such as printing date, time, and printer serial number in binary-coded decimal on every sheet of paper printed, which allows pieces of paper to be traced by the manufacturer to identify the place of purchase, and sometimes the buyer. Digital rights advocacy groups such as the Electronic Frontier Foundation are concerned about this erosion of the privacy and anonymity of those who print.

  6. John Boy on August 16th, 2009 3:25 am

    An interesting .pdf on Gigatribe forensics.
    Would be interesting to see something even more in depth.

  7. scurfmerg on August 21st, 2009 11:46 am

    I don’t think I ever get gmail based spam… it is not the only provider to “mask” ip address (i.e. using a proxy). Why doesn’t anyone point out that it is also a layer of security for the user (albeit a thin one, depending on what you use your email for).

    AOL has always had a proxy and that is where a large amount of my spam comes from. Out of all the free providers out there, I get the least amount of spam on my gmail and I barely had to train its filters. I have it fetch my external email addresses too and it filters all the spam that those providers miss with their own filters.

    I may be mistaken, but didn’t Hotmail also change recently so that it no longer reveals the true originating IP?

  8. None on August 27th, 2009 4:21 am

    You might want to cover disabling recent document history, not just in the start menu but actually stopping the files from being cached. It’s an easy way to view recently opened documents & file names from flash drives that are no longer connected. C:\Documents and Settings\User Name\Recent

    It’s covered on the link on my name, I was born without one. ;)

  9. Yar (Admin) on August 29th, 2009 11:20 pm

    I’ve thought about this as well. This is very good information and I really can’t think of a way to get around it off of the top of my head. Other than using a printer not connected to you in any way to print off your “special letters” or maybe a hardware mod. I don’t know how feasible the mod would be though.

  10. Yar (Admin) on August 29th, 2009 11:22 pm

    I’ve not a lot of experience with Gigatribe. It would be nice to see more research done on various p2p file sharing software. It’s so tedious though!

  11. Yar (Admin) on August 29th, 2009 11:35 pm

    Excellent suggestion. This type of history can be extremely helpful to a forensic examiner depending on the situation, such as a top executive bailing on the company and taking schematics for some product with him, or maybe someone viewing contraband images from their stash of thumb drives or SD cards.

    I will put together an article on disabling recent document history as well as some other methods and tips to be aware of to minimize the creation of recent activity.

  12. Hémorroïde on December 11th, 2009 5:00 am

    Is that why they have started to require a phone number when you create an e-mail?

  13. Yar (Admin) on December 13th, 2009 1:07 am

    Yes, it sure is. One way to get around this is to sign up using a proxy which is on a range that has not been “softblocked”, or whatever you’d like to call it, yet. Also, clearing your browser cache and cookies.
