Web 2.0: Whatever Google Knows About Spam, It Isn't Saying - InformationWeek

Web 2.0: Whatever Google Knows About Spam, It Isn't Saying

Trust and reputation systems are a great way to reduce spam, but Google avoids talk of an ongoing flood of malware-infected porn on Google Groups pages.

At the Web 2.0 Expo in San Francisco on Friday, Google engineer Matt Cutts, who heads Google's Web spam team, gave a keynote address titled "What Google Knows About Spam."

Cutts and many others at Google know a lot about spam because Google gets a lot of spam, in e-mail and on Web pages. The problem is, he couldn't say very much about it.

Cutts anticipated this in a blog post on Tuesday in which he mentioned his upcoming speech. "I'm struggling with what exactly to say," said Cutts. "On one hand, Google knows a lot about spam. ... On the other hand, I don't want to disclose things that would benefit people that try to spam."

While keeping Google's security cards close to the vest is understandable -- few companies are open about security issues -- Cutts' reluctance to disclose what Google knows about spam made his presentation more tantalizing than rewarding.

For instance, Websense Security Labs on Thursday echoed previous reports that spammers were having a fair degree of success in defeating Google's CAPTCHA system, which prevents spammers from registering free accounts that they can use to abuse services like Gmail and Blogger.

"Spammers have managed to create automated bots that are capable of not only signing up and creating Blogger accounts (using spammer account credentials), but also use these accounts as redirectors and doorway pages for advertising their products and services," said Websense security researcher Sumeet Prasad in a blog post.

Cutts made no mention of this, and Google has maintained that account abuse at its free services continues to be driven by people rather than bots. Nor did Cutts address what appears to be an ongoing flood of malware-infected porn on Google Groups pages.

Instead, Cutts focused on Web spam and how sites can avoid it.

"Web spam is when somebody tries to cheat or take shortcuts so that their Web site shows up higher [in search results rankings] than it deserves to show up," he explained.

The root cause of spam is money, Cutts said, so site owners should look for ways to deny money to spammers. (Putting an end to all free online services would effectively deny money, in the form of free spam infrastructure, to spammers. But that would interfere with Google's business model, so the onus is on site owners to do something.)

Trust and reputation systems are a great way to reduce spam, Cutts said, citing eBay's and Amazon.com's work in this area. True though that may be, Cutts made it sound as if eBay and Amazon had more or less rid their systems of abuse. There's no doubt that eBay and Amazon have top-notch security, but holding those two companies up as the answer glosses over real problems that remain.

Guillaume Lovet, a security researcher at Fortinet, recently explained that scammers know that to beat eBay's reputation system, they either have to steal accounts -- which is why, he said, eBay is phished about 20 times more than banks -- or create fake trust with bogus transactions. That's why, he says, there are so many items sold on eBay for a penny: to game the reputation system.

Given his observation that "spam will get more malicious and more dangerous in the coming months and years," Cutts is clearly aware of the trends. Yet his recommendations -- get some trust mechanism into your system, avoid being a target, and strive to frustrate spammers by not giving them what they want -- seem incomplete.

Google clearly knows a lot about spam, perhaps as much as spammers themselves know. If only it were more willing to share that knowledge, we might be able to have a more informed discussion about possible solutions.
