Here's an interesting spammer trick. I received an email with the subject text 'Click to confirm your Google Alert' and the following text in the body:

Google received a request to start sending Alerts for the search [ *] Viagra as low as $2.81! See http://spamdomain/ for more info. EXPRESS DELIVERY! ULTIMATE QUALITY! [* 3152661552.51321 ] to user@domain.

(Actual addresses remove to protect the innocent and frustrate the guilty)

The message originates from a real Google host and if you go to the Google Alerts page it's not hard to see how the spammers are doing it. When you set up a Google Alert, Google will send out a confirmation message to whichever address you enter — giving spammers an easy way to send a one-line message to anyone they want.

The spammer's intent is probably just to get recipients to see that one-line message, in the hope that someone will be curious enough to go to their pharmacy store. I don't think they count on anyone actually clicking the confirm link and then getting notified by Google every time that exact string shows up on a web page.

Google will probably need to add a CAPTCHA to their page (as they should have done on any page that can generate email to an unvalidated address). In the meantime, you can protect yourself by setting up a spam filter to delete any mail that has googlealerts-noreply in the 'From:' line. If you do use Google Alerts, create a separate email address specifically for that purpose and keep it secret from spammers. Then you can accept Google's confirmation messages when they're sent to that address, and dump any that are sent to other addresses.