Cutts and many others at Google know a lot about spam because Google gets a lot of spam, in e-mail and on Web pages. The problem is, he couldn't say very much about it.
Cutts anticipated this in a blog post on Tuesday in which he mentioned his upcoming speech. "I'm struggling with what exactly to say," said Cutts. "On one hand, Google knows a lot about spam. ... On the other hand, I don't want to disclose things that would benefit people that try to spam."
While keeping Google's security cards close to the vest is understandable -- few companies are open about security issues -- Cutts' reluctance to disclose what Google knows about spam made his presentation more tantalizing than rewarding.
For instance, Websense Security Labs on Thursday echoed previous reports that spammers were having a fair degree of success in defeating Google's CAPTCHA system, which is meant to prevent spammers from registering free accounts that they can use to abuse services like Gmail and Blogger.
"Spammers have managed to create automated bots that are capable of not only signing up and creating Blogger accounts (using spammer account credentials), but also using these accounts as redirectors and doorway pages for advertising their products and services," said Websense security researcher Sumeet Prasad in a blog post.
Cutts made no mention of this, and Google has maintained that account abuse at its free services continues to be driven by people rather than bots. Nor did Cutts address what appears to be an ongoing flood of malware-infected porn on Google Groups pages.
Instead, Cutts focused on Web spam and how sites can avoid it.
"Web spam is when somebody tries to cheat or take shortcuts so that their Web site shows up higher [in search results rankings] than it deserves to show up," he explained.
The root cause of spam is money, Cutts said, so site owners should look for ways to deny money to spammers. (Putting an end to all free online services would effectively deny money, in the form of free spam infrastructure, to spammers. But that would interfere with Google's business model, so the onus is on site owners to do something.)
Trust and reputation systems are a great way to reduce spam, Cutts said, citing eBay's and Amazon.com's work in this area. True though that may be, Cutts made it sound as if eBay and Amazon had more or less rid their systems of abuse. There's no doubt that eBay and Amazon have top-notch security, but holding those two companies up as the answer glosses over real problems that remain.
Guillaume Lovet, a security researcher at Fortinet, recently explained that scammers know that to beat eBay's reputation system, they either have to steal accounts -- which is why, he said, eBay is phished about 20 times more than banks -- or create fake trust with bogus transactions. That's why, he says, there are so many items sold on eBay for a penny: to game the reputation system.
Given his observation that "spam will get more malicious and more dangerous in the coming months and years," Cutts is clearly aware of the trends. Yet his recommendations -- get some trust mechanism into your system, avoid being a target, and strive to frustrate spammers by not giving them what they want -- seem incomplete.
Google clearly knows a lot about spam, perhaps as much as spammers themselves know. If only it were more willing to share that knowledge, we might be able to have a more informed discussion about possible solutions.