June 5, 2010
Google Groups: "This site could harm your computer"
|
Subject: swearingcyp@rnrworldofgifts.com
has sent you a birthday ecard.
swearingcyp@rnrworldofgifts.com
just sent you an ecard from 123Greetings.com
You can view it by clicking here:
http://ecard-greetings-com.googlegroups.com/web/ecard.zip
You can also copy & paste the above link
into your browser's address bar.
Your ecard is going to be with us for the
next 30 days.
We hope you enjoy your ecard,
Your friends at 123Greetings.com
|
Have you gotten something like this?
Do NOT follow that link. It will take you directly
to a dangerous Trojan horse file, a type of malware (bad software)
that allows criminals to have access to the contents of your computer.
Like the mythical horse, it needs to get you to allow it
through your defenses, but then the little soldiers come out and
open the gates to your computer when you're not looking. Such a
program could steal your identity, record all the keystrokes you
type (so it can find out your usernames and passwords), or use your
computer as a platform for carrying out criminal activity (so when
law enforcement tries to find out who did it, they find you,
not the real criminals).
Obviously, 123Greetings.com has their own website
address and servers. They don't need to start a Google Group to
have a place to store greeting cards.
What's not so obvious is why Google is allowing
criminals to use its good reputation for distributing dangerous
programs. The same Google that will add a line to search results,
"This site may harm your computer," is allowing its own
Google Groups to do exactly that.
Criminals are devious and persistent, and there
are no websites safe from their attacks. But there is a large network
of internet volunteers who monitor spam instead of blocking it,
and who will send reports to sites warning them of such a breach.
That's where it gets really frustrating. While
Google has the required "[email protected]" address, reports
sent there merely receive an autoreply with a couple links in it.
Those links are for reporting Gmail users, which is not the problem
here, or to tell you how to avoid internet scams. There is no link
to allow abuse reporting volunteers (who are already quite well
informed about internet scams, thank you) to report an emergency
situation where Google is actually the proximate cause of people's
computers being infected with malware.
If you do follow the link in the spam email, you
don't go to the Google Group. You go directly to a page linking
to the stored malware file:

There's no link on that page for reporting abuse.
Well, okay, you look at the URL and say, I'll
find the main page for the group called "ecard-greetings-com"
and look for a reporting button there. And there is a reporting
button on the group's main page.
But how are you to find the group's main page?
There is no link to the main group on the spammed
page. And the obvious URL, http://ecard-greetings-com.googlegroups.com
isn't right, either. That will redirect you to this page:

(The results would be the same if you were logged
into Google at the time, but would have displayed a username and
Gmail address on the page.)
So how can you tell Google that their site may
harm your computer?
You have to know about the directory structure
of Google Groups. Rather than "ecard-greetings-com.googlegroups.com,"
the actual URL of the group ecard-greetings-com is "groups.google.com/group/ecard-greetings-com."
(Notice the directory is "group" and not "groups.")
There is an abuse reporting button there -- as well as another
link to the malware download.
The reporting button takes you to http://groups.google.com/groups/abuse?group=ecard-greetings-com&type=group&url=http%3A%2F%2Fgroups.google.com%2Fgroup%2Fecard-greetings-com
for reporting. Easy to remember, right? -- NOT! And when
you do try to report, there is no button for "dangerous malware."
This is a much more urgent issue than "Nothing but spam"
or "Illegal in my country."
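
The mapping described above, written out as an added Python example (not part of the original post): it derives the group's main page and the abuse form address from a spammed googlegroups.com link, using only the URL patterns quoted in this post as they stood in 2010. The function name and the allowed group-name characters are assumptions; the link is only parsed, never fetched.

```python
import re
from urllib.parse import urlsplit, urlencode

HOSTED_SUFFIX = ".googlegroups.com"  # host form used in the spammed link
# Assumption: a conservative character set for a group name (one DNS label).
GROUP_LABEL_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def report_urls(spammed_url):
    """Map a <group>.googlegroups.com link to (group_page, abuse_form).

    Raises ValueError unless the host is a direct subdomain of
    googlegroups.com, so lookalike hosts are not turned into report links.
    """
    host = (urlsplit(spammed_url).hostname or "").lower().rstrip(".")
    if not host.endswith(HOSTED_SUFFIX):
        raise ValueError(f"not a googlegroups.com host: {host!r}")

    group = host[: -len(HOSTED_SUFFIX)]
    if not GROUP_LABEL_RE.match(group):
        raise ValueError(f"unexpected group label: {group!r}")

    # The directory is "group" for the main page and "groups" for the form.
    group_page = f"http://groups.google.com/group/{group}"
    query = urlencode({"group": group, "type": "group", "url": group_page})
    abuse_form = f"http://groups.google.com/groups/abuse?{query}"
    return group_page, abuse_form


if __name__ == "__main__":
    # The link from the spam quoted at the top of this post.
    page, form = report_urls(
        "http://ecard-greetings-com.googlegroups.com/web/ecard.zip"
    )
    print(page)
    print(form)
```
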
Hey, Google: People are trying to help you protect
your brand. For free. Because we respect your company and the services
it provides. And because we understand that your positive brand
reputation can lead people to trust links and downloads that are
dangerous. Cut us a break here.
There needs to be an abuse reporting mechanism
that criminals can't bypass by spamming a different URL, and there
needs to be a means for people to provide the kind of technical
information that clicking a button can't accomplish.