hac.’s Weblog


Just a place to share my life

Spam hits highest rate in 15 months

This month, MessageLabs released a report about spam. It states that spam accounted for 76.8 percent of all email in May 2008. Spam increased by 3.3% since April, with 1 in 1.3 emails being spam. This is the first time I have read this kind of statistical analysis; I cannot imagine that there is so much spam flowing around the Internet!

Why is there such a big jump? According to the report, spammers are now sending links to spam content contained in documents hosted on Google Docs and Microsoft’s SkyDrive environment. The domain names they previously bought were getting blacklisted quickly, but it is difficult to block Google and Microsoft applications because they are widely used by normal users. In addition, the report says, “the spammers are also taking advantage of Google Analytics to gauge their success with each spam run.”

Here is a simple example:

Click the following link and win the big money!!
http://docs.google.com/View?docid=dgmszc7x_312xstksmgn

After constructing the above example, I discovered that Google Docs has a “Report spam” link on the page above; I think it should be a quick response to this new type of spam. I will give SkyDrive a try later.

Spammers are always looking for ways to bypass spam filters, and according to the report it is not reasonable for most spam filters to block links to Google Docs or Microsoft’s SkyDrive. The report also mentions that spammers insert a URL in an email that leads the victim to a Google Docs-hosted page. The spam itself contains only the link to the free hosting service, but that link leads you to whatever the spammer wants you to visit.
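Added example (not from the original post or the MessageLabs report): a sketch of why a domain blocklist misses the sample link above, and how keying reputation on host plus document ID catches a reported document without blocking docs.google.com as a whole. The `docid` parameter form comes from the example link in this post; the blocklist contents, the `SHARED_HOSTS` list and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts that serve user-created documents (assumed list). Blocking the whole
# domain is impractical, so reputation is tracked per document instead.
SHARED_HOSTS = {"docs.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_urls(body):
    """Pull URLs out of a plain-text body, trimming trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(body)]

def reputation_key(url):
    """Blocklist lookup key: host for ordinary sites, host plus document
    identifier for shared hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in SHARED_HOSTS:
        return host
    docid = parse_qs(parts.query).get("docid", [""])[0]
    return f"{host}|docid={docid}" if docid else f"{host}|path={parts.path}"

def classify(body, domain_blocklist, document_blocklist):
    """Map each URL in the body to a verdict string."""
    verdicts = {}
    for url in extract_urls(body):
        host = (urlsplit(url).hostname or "").lower()
        if host in domain_blocklist:
            verdicts[url] = "blocked-domain"
        elif reputation_key(url) in document_blocklist:
            verdicts[url] = "blocked-document"
        else:
            verdicts[url] = "not-listed"
    return verdicts

# The sample message from this post, plus two constructed messages.
SAMPLE = ("Click the following link and win the big money!!\n"
          "http://docs.google.com/View?docid=dgmszc7x_312xstksmgn\n")
LEGIT = "Minutes: http://docs.google.com/View?docid=constructed_legit_doc"
OLD_STYLE = "Buy now at http://cheap-pills.example/offer."

DOMAINS = {"cheap-pills.example"}                      # constructed entry
DOCS = {"docs.google.com|docid=dgmszc7x_312xstksmgn"}  # e.g. fed by spam reports

if __name__ == "__main__":
    print(classify(SAMPLE, DOMAINS, set()))    # domain list alone: not-listed
    print(classify(SAMPLE, DOMAINS, DOCS))     # per-document key: blocked-document
    print(classify(LEGIT, DOMAINS, DOCS))      # other documents stay deliverable
    print(classify(OLD_STYLE, DOMAINS, DOCS))  # throwaway domain: blocked-domain
```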

Another thing in the report that shocked me is that the most spammed country is Hong Kong, with levels reaching 85.9% of all email. How much spam do you receive every day?

I am thinking about whether this technology (e.g. Google Docs) can be used to perform CSRF or XSS by sending an email to a Gmail user saying that I have shared a document with you, when the document is actually going to steal sensitive information from you. But the key thing is Google Docs allowing you to write client-side script in it, or at least making client-side script executable in the document. A quick demo in SkyDrive:

This link will execute a JavaScript alert function.
XSS demo in SkyDrive

Should you have any ideas or comments about this stuff, please feel free to leave a comment.

Filed under: news, spam