Google AppEngine abuse

Like death and taxes, one of life's little certainties is that if you offer anything for free on the Internet, spammers will find a way to abuse it. Free webmail accounts become spammer dropboxes, free web pages end up hosting Viagra ads and phishing sites, and blog services end up hosting more splogs than real blogs.

Google, who have their finger in a great many pies, are not immune. In fact, some recent articles claim that Google is the 4th most spam-friendly provider. Part of that is no doubt due to Google's sometimes rather laissez-faire attitude to the use of their services by spammers. A little digging will eventually turn up a rather complicated form for reporting abuse of Google's Gmail service, for instance, but I've never seen much evidence to suggest that Google act on reports of spammers using Gmail drop-boxes. The same addresses keep appearing over and over again.

They seem to have been a bit quicker to shut down abuse of the Google Docs system. From time to time, we see a brief flurry of spam touting Google Docs URLs, but it usually tails off rapidly. My guess would be that behind the scenes Google is doing what it's good at, which is to say indexing data and looking for patterns. That's why Google's own Gmail spam filters are first-rate, but their control over the use of Gmail addresses in outgoing spam is much weaker.

Now they have a new challenge, as spammers are beginning to abuse their AppEngine web application hosting service. The first example I've seen was from what appears to be a fake-storefront scammer — one of those places that offers you expensive goods at low low prices but insists that you pay by Western Union or some similarly untraceable means and then accidentally forgets to ship you your laptop or your motorcycle. Their website, at gmailbaidu.appspot.com (do not even think of buying anything from that site, unless you feel that Chinese con-men deserve your money more than you do), is a fairly conventional example of the kind, similar to dozens of others that are more conventionally hosted (in fact, it seems to be a simple clone of their site at scock.com). Nevertheless, they've demonstrated that AppEngine can be abused. More will follow.

Google don't seem to have a mechanism in place yet for reporting AppEngine abuse, but perhaps this post will catch their eye before the misuse of AppEngine becomes endemic.

UPDATE: 21 January 2009 — Two readers have mailed me to point out that Google do provide a form for reporting Google AppEngine abuse. Thank you both.

Posted by spamnation on January 20, 2009 07:37 AM |

Tags: , , , , ,

« 2009 | Main | Evergreen »

weblognewsstocksstatstoolsnoteslinksmisc