One of the neat things about Google Docs is the ability to share the document with others. You can do this with anyone just by knowing their email address. Google will then send an email out that looks something like:
I’ve shared a document with you called “Spam sharing test”:
http://docs.google.com/a/example.com/Doc?id=xxxxxxxxxxxxxx&invite=
It’s not an attachment — it’s stored online at Google Docs. To open this document, just click the link above.
—
Shared this doc with you.
Which is a really handy way to collaborate with others on a document. And it seems the spammers have discovered this as well.
I’ve recently started seeing emails for documents that I’ve been invited to, which turn out to be just a bunch of spam. They’ve taken Google Docs and are using it in an attempt to mask their spam from email filters, by providing link to a service you might normally trust. I suspect that Gmail is unlikely to mark any doc invites as spam.
Currently this seems to be pretty limited, the spammers have to paste in the email addresses into an invite box. Google could do some basic things to prevent spammy looking invites from going out (do you really mean to invite 3.78 million people to share your document?). I’m not aware of a Google Docs API that allows you to script doc invites, but if there is one (or if they come out with one later) then you can bet the spammers will make use of that as well.
This will turn into another wack-a-mole situation, where Google will (hopefully) revoke accounts and API keys for users who are sending out spam in this way. Then the spammer will just start using another one of the 324,834 accounts that they’ve already created at Google until it gets blocked too. Rinse, lather and repeat.
Like so many other folks I’ve been routing my email through Gmail. For me this was mostly about dealing with spam. On an average day I get 300+, so off to Gmail it goes. It’s never been perfect, usually letting through less than 10 a day, but that was manageable. Now I’ve got a whole new problem.
Sometime after the new year (as far as I can tell) Gmail started marking legit emails as spam. After trolling through my spam folder I found several emails that weren’t spam, so they never made it to my inbox. Hard to make out exactly what the trend is, so far it’s about 10 a week.
I would much rather have some spam hit my inbox than to have legit email get marked as spam. I’m now left with the reality that I’ll have to dig through the spam folder at the end of every day to make sure I didn’t miss anything, not a pleasant thought. My confidence and happiness with Gmail has gone done several notches because of this.
Just in case this is a system wide issue you may want to take a peek at your Gmail spam folder and see if you are having the same problem.
Alex King had a great post last month asking people which they thought was more annoying, CAPTCHA or Challenge Response E-mail. The comments suggest that most people find email more annoying, assuming that the CAPTCHA weren’t incomprehensible.
Has anyone done any formal studies, watching regular users, to find out which one people find easier to use? Another factor to look for might be which one causes the most errors or failures to complete the process.
On January 5th, 2006 I turned on the Akismet WordPress plugin for filtering comments and trackbacks. It wasn’t perfect (one month review showed ~ 0.1875% false positives) and went down a couple of times, but after one year I’d say it is good enough. After a couple of months the volume of spam was so high that I stopped going through the spam queue, hoping that anyone with a comment that never showed up would contact me to tell me about it.
Any comments marked as spam by Akismet are deleted after 15 days. That doesn’t seem like a very long time, but on this blog that queue is over 10,000 comments lately. I can’t imagine having to review more than 20,000 comments every month. Ug.
After one year my WordPress dashboard indicates that Akismet has blocked more than 112,000 comments and trackbacks as spam.
UPDATE Sat 6 Jan 2006 @ 7:30am : Wouldn’t you know it, the next morning after writing this Akismet let some 50 or so obvious comment spam get through. Looks like they were having problems around 3am, all of these comments came in at about that time. So it isn’t perfect, but I wouldn’t even think of turning it off.
It has been about six weeks since I wrote my review of Akismet. Things had been going fine, but the last week or so has seen a large increase in the number of comment spam items that are not being caught, especially yesterday and today. I’ve asked about this via their contact form to see if this is something unique to me or if there is something going on at Akismet.
UPDATE Fri 24 Mar 2006 @ 4:30pm: I suspect the problems I’ve been having are related to Akismet database problem that was just reported. Interesting that the problem seems to involve taking too long to get a response back for free users.
Another in the line of folks who should know better, O’Reilly has web spam on some of their sites. This doesn’t appear to be quite as bad as the WordPress web spam because they aren’t using CSS to make the content invisible to visitors. The placement of these “ads” are rather out of the way though, on the bottom left hand column.
With a little bit of looking around I was able to find these ads on oreillynet.com (on the article pages also), windowsdevcenter.com (on the article pages also), macdevcenter.com (on the article pages also), ondotnet.comt (on the article pages also), onjava.com (on the article pages also), onlamp.com (on the article pages also), perl.com (on the article pages also) and xml.com (on the article pages also).
The numbers involved don’t appear to be quite as bad as the WordPress incident either, with Google finding less than 600 pages with these ads for oreillynet.com. If the other sites have a similar number of pages with ads then all told it would less than 5000 pages. A lot of these ads point to freehotelsearch.com, which seems to offer a legitimate service (I only looked up reservations, I didn’t actually place one).
I think one could argue that these ads aren’t completely wrong. The argument would come down to intent, are these links there in hopes that people will actually click on them, or are they more of an effort to trick search engines to increase their importance? They are links, so it is possible that someone might click on them, but they aren’t nearly as prominent as the rest of their ads. I’m leaning more towards the idea that these ads are there more to boost their search engine ranking than as traditional ads. Tim is going to have a tough time making this look legit.
UPDATE 8:30am 24 Aug 2005: Tim O’Reilly has a posted an initial response to the complaints about the ads. The short version: while not completely wrong (and not nearly as bad as the WordPress spam) these types of ads aren’t good for the long term.
Nothing like having 350+ comments in the moderation queue to start off the new year. This is by far the biggest comment spam attack I’ve ever had here. I’ve noticed a couple of things as a result of this attack. One, this was done from a wide range of IP addresses in a fairly short period of time, so most likely a bot. Two, I will have to got with more aggressive anti-spam methods here. Even though it looks like all of the spam was tagged for moderation, it is a paid having to go through that many, even in WordPress. Which leads me to number three, the comment moderation on my WordPress install is completely useless after more than 297 comments are in the queue. Why you ask? Because even though there are still more than 300 comments in the queue, it only displayed up to the start of 298 and then finished the page. This means that the ‘moderate’ button at the bottom of the page is never displayed. I’m not sure if this is a bug in WordPress, or a specific limitation of my install (system not beefy enough, strange MySQL problem, strange PHP problem, etc).
If I get a chance I’ll try to setup a test system to throw 300+ comments into and see what happens. In the mean time I’m definitely going to go after this problem with something more than just renaming the script that posts comments.
UPDATE 1 Jan 2005 @ 7:40pm: Ick, another 50+ spam comments. These actually got through though, because they only had 1 link in each one. I was hoping to get additional spam protection done this week, I’ll have to bump that up to the next day or two.