Diatribes of Jay

This is a blog of essays on public policy. It shuns ideology and applies facts, logic and math to economic, social and political problems. It has a subject-matter index, a list of recent posts, and permalinks at the ends of posts. Comments are moderated and may take time to appear. Note: Profile updated 4/7/12

15 April 2009

DID GOOGLE GET PHISHED?



Less than 24 hours ago, my Google Blogger control board displayed a message warning me that a Google algorithm had identified my blog as spam and had blocked it temporarily. The message said my entire blog would be deleted in twenty days unless I clicked a link requesting a review. I did so and got a message that review would occur within 48 hours and that Google would notify me at my on-file e-mail address (which the message showed) when my blog had been unblocked. A similar message appeared in my e-mail inbox.

Like a dummy, I never checked whether posting on my blog actually had been blocked. I trusted the notices because they used or displayed my correct on-file e-mail address. That fact suggested that the notices, if faked, had to come from someone who had hacked into Google’s database of e-mail addresses. Believing that to be impossible or extremely unlikely, I trusted.

So I clicked the link requesting a review. I later looked at the e-mail in my inbox, which contained a similar link. Fearful of having my whole blog (five years of work, not completely backed up by me) deleted, I clicked the link and got a message that my blog already had been scheduled for review. All comfortingly professional.

On waking this morning, I began to think that any algorithm that would identify this blog as spam would have to be terminally sloppy. So, intending to be helpful, I wrote Google the message appended below, expecting it to be blocked from publication but available internally to Google and its ’bots. Yet it published as usual, and I got no message from Google (as promised) that my blog had been reviewed and unblocked.

This sequence of events leads to two possible conclusions. First, some diabolically clever spammer hacked into Google’s Blogger database and mined its e-mail addresses, using bogus “blocking review” requests to have bloggers verify their addresses’ active status. Second, Google uncharacteristically let loose an algorithm that should have remained in alpha test for a much longer time and then failed to follow up with the promised, automated e-mail notice when it unblocked huge numbers of erroneously blocked blogs.

As between these two alternatives, I think the former more likely, simply because the latter implies a sloppiness and lack of professionalism that I have never observed in any of my many uses of Google’s services.

I am disappointed in myself for failing even to suspect a phishing scam. It will be interesting to see how quickly Google informs its users as to what really happened, and how quickly bloggers and mainstream media pick up on what is either the phishing scam of the decade or a rare lapse in professionalism on Google’s part.

Here’s my original message to Google, which now is just part of my thinking:

You have blocked my blog for almost 24 hours because your spam identification algorithm flagged it. As Mark Twain might say, that identification is “greatly exaggerated.”

My blog contains no links to commercial sites in which I have an interest because there are no such sites. My comment policy states, “I also don’t publish comments that appear to be sent for commercial purposes or just to drive traffic to another blog or website.” I have observed that policy religiously with one exception, which I explain in a counter-comment (see comments to this post). All links on my site are to my own blog, other bloggers, mainstream media, or reputable sources of information on the Internet (including Wikipedia). I don’t even use Adsense because I want to maintain my anonymity and I don’t believe Adsense can do that. So accusing my blog of spamming is a bit like accusing Mother Teresa of theft.

I can conceive of only two reasons why your spam algorithm may have flagged my blog. First, shortly before you flagged it, an unmoderated comment that was obviously spam landed in my comment inbox. I intend to reject it, but I have left it there so your ‘bots or programmers can study whether it caused the flag. (I also intend to reject the other unmoderated comment for extreme length and irrelevancy, but not because I noticed any spam links in it.) An algorithm that flags blogs as spam because of unmoderated comments placed by others is neither fair nor appropriate.

The second reason might be numerous links to Amazon.com throughout my blog. When I refer readers to a book, I often include a link to that book on Amazon.com for two reasons. First, readers may want to buy the book, and Amazon.com has one of the quickest ways to get it in their hands. Second, Amazon.com provides readers with a table of contents, front matter, and a look at some interior pages, some of which may contain the text for which I’m citing the book. So linking Amazon.com is the quickest and easiest way for me to give readers a seamless citations experience.

I hope your clever programmers will see this message and be able to figure out a way to (1) avoid tarring blogs as spam because of independent commenters’ actions and (2) allow multiple links (especially if in different posts) to mainstream media and websites like Amazon’s. If not, your spam ID engine should go back to alpha test. It’s not ready for prime time.

Update: Contrary to your spam ID engine’s promise, I have received no e-mail message that my blog was unblocked. Yet this message posted nevertheless. That sequence makes me fear that someone other than Google may have caused the blocking (or the warning message without blocking), as does your warning of an (extremely rare) outage of unspecified duration at 2:00 A.M. PDT tomorrow.

I have gone to great lengths to keep this blog anonymous. Yet because your (maybe not your?) blocking message contained my non-anonymous e-mail address, I fear my anonymity may have been compromised. If that fear is unwarranted, I would appreciate your assuaging it with a general notice posted on your Blogger home page or an e-mail message directed to the address that you have (anonymously, I hope) for me on file.

I also hope this incident is not some ghastly spammer’s revenge, in which some diabolical spammer mined your database for e-mail addresses and had fearful bloggers like me foolishly verify them by clicking the link to have their sites reviewed. I only clicked that link because you are the Gold Standard in online protection. I hope I wasn’t misled.


2 Comments:

  • At Thu May 24, 12:47:00 PM EDT, Blogger kate salley palmer said…

    Thanks for this. I stupidly "verified" my Google email to an "Apple" post on my Blog. I know, but I'm not as tech-savvy as others...I changed my Google email: the email that Google uses to post my blog; and the name of my blog. Today, the crooks were back.
    Google is unresponsive to my "Abuse Reports."
    I can't cancel my Google account without losing the content of my blogs...and if I cancel one blog & open another, what's to keep the Phishers from getting into that one?
    In my PJ's for the 3rd day,
    Kate Salley Palmer

     
  • At Thu Jun 14, 01:04:00 AM EDT, Blogger Jay Dratler, Jr., Ph.D., J.D. said…

    Dear Kate,

    I sympathize. It’s easy to fall prey to spammers if you don’t keep your guard up.

    But don’t fret too much. You probably lost little. All you seem to have done is verify that your e-mail address is real, to a pirate service that collects millions of e-mail addresses to sell to marketers, legitimate and not.

    At most, that means you may receive a bit more spam and other phishing come-ons in the future. So you’ll have to be more on guard.

    Google’s Gmail has the best spam protection of any e-mail system I have used. I’ve virtually abandoned my University e-mail account in favor of Gmail because the latter has so much less spam, including a myriad of “legitimate” but (to me) useless intra-University e-mails that I have to spend time handling.

    In my case (noted above), I was most concerned about losing my anonymity, at a time when my blog was anonymous. Now I’ve given up anonymity, so I don’t worry as much.

    If your own blog is not anonymous, I wouldn’t worry. All the “crooks’” action has gained is knowledge that your e-mail address is real and associated with your blog. That’s not a big loss: these days it’s not too hard to find someone’s e-mail address if you know who the person is.

    As for starting a new blog, there may be ways to transfer your existing posts, and there are ways to restrict publication of the old one. Check out all the options on Google’s blog settings, especially Basic, Publishing and Permissions.

    If your blog has a known audience, one thing you might do is simply change its Blog*Spot Address under “Publishing.” (Check with Google first to make sure all your old posts will be transferred automatically to the new address. I think they will but am not sure.) Then you can notify your old readers of the new address by e-mail, and the “crooks” will have trouble finding you.

    Good luck.

    Jay

     
