Spammers Choose GMail

A study by Roaring Penguin has discovered that during the past three weeks, the amount of spam originating from Gmail has risen sharply while spam originating from Yahoo and Hotmail remained flat or dipped slightly. Experts say this huge rise in spam is thanks to the cracking of Google’s CAPTCHA system. Spammers came up with an OCR scanner that was smart enough to read it and as a result were able to create large numbers of accounts to spam with.

From June 13th through July 3rd, spam from Google rose from 6.8 percent to 27 percent. Aside from the successful CAPTCHA cracking, spammers also find Google attractive because of their strong reputation, which makes it highly unlikely the domain would ever be blacklisted. Google’s response to the study was rather weak:

           We expect spammers to use every means possible to try to send spam. That’s why we have a robust spam-fighting effort at Google. We disable these accounts immediately and will continue to do so.

Simply changing their CAPTCHA won’t be enough. Google needs to take a hard look at it’s sign up process and outgoing mail and come up with better filtering and verification features. Until then, the spammers will have the advantage.

Written by Sue Walsh


  1. damien hunter · July 17, 2008

    The spam is probably flowing from accounts that were activated with the deficient CAPTCHA. Spammers don’t have an unlimited number of these accounts… they’re finite up to the point of the number accounts they could activate until the new CAPTCHA went live. So while we may be seeing a lot of residual spamming, there’s a breaking point that will put everything back to normal.

  2. David F. Skoll · July 17, 2008

    The press release, including a PDF with some charts, is here:

  3. gerald berke · July 17, 2008

    Very good. Google needs to ramp up from “do no evil” to “do good” as far as spam is concerned. they have great filters, but that’s not enough. they should absolutely not host that stuff.
    interesting that that captcha whatever got broken? wow. I can’t get through that. I notice that on lots of systems, it gets easier as you fail.
    That challenge system needs to be improved.

  4. Sam Alex · July 17, 2008

    I completely agree … When Gmail first came out you had to be referred, which i think really helped. But now anyone and everyone can create an account. Not bad per say, but being I use Gmail as my primary account I’d hate for it to get the wrap of hotmail where folks start blocking mail from the gmail servers… kinda like what they do in usenet already.

    Google needs to get their stuff fixed…

  5. Michael · July 17, 2008

    Spammers should be jailed. Spam-enabling mail domains should be shut down. Get rid of public email services – nothing should be free, including spam and the migraines they cause.

  6. l a · July 17, 2008

    I seem to have heard someone mentioning at the very least a language filter, that if a percentage of the email is not in the person’s chosen language, it gets killed, ….might help the flow a little bit more of good emails vs. bad ones.

  7. i lasered my pubes · July 17, 2008

    Getting a gmail account is too easy, either go back to the old invite system, or the old cell phone activation they once had, gmail’s signup captcha is far too easy.

  8. Yumfy · July 17, 2008

    Good story. But the answer is simple. If you had the right email address, it wouldn’t matter WHERE the spam came from or originated. You simply would not receive it. Not only that but tons of emails that you wanted to get are getting caught up and lost by filters.
    A couple weeks ago Lee Gomes in the Wall Street Journal wrote that he found out that 46 percent of email that he wanted was not making it to him because of filters. There is a simple answer that everyone is overlooking. A free email address eliminates spam without filters and eliminates lost emails due to filters. Here is a video about it:

  9. Security is not a one-company issue · July 17, 2008

    […] vulnerability has seemingly only just been discovered, however a recent study shows a 27% rise in unwanted email actually originating from Google Mail (Gmail everywhere else but […]

  10. Internet: Los spammers eligen GMail - ALT1040 · July 17, 2008

    […] Spammers Choose GMail ← Anterior | Inicio Comparte esta anotación […]

  11. Archness · July 17, 2008

    Maybe they should go back to sms verification or something like that and limit phone numbers.

  12. Spammers Choose GMail « : Malaysia’s Digital Guide · July 17, 2008

    […] study by Roaring Penguin has discovered that during the past three weeks, the amount of spam originating from Gmail has risen […]

  13. ionotter · July 18, 2008

    Gosh…wouldn’t Google be in the PERFECT POSITION to take on the Blue Security model of spam fighting? Have every Gmail user with a BlueFrog client on their machine to take down the offending websites? Oh Lordy, I get moist at the thought of it…

  14. Victor Escobar · July 18, 2008

    A big problem is that it’s not sufficient to rely on difficulty of automation to cut down on the creation of throw-away spam accounts. What a lot of people don’t realise is that a lot of spam accounts are opened not by scripts — but by Asians and Latin Americans sweating in internet cafes, getting paid pennies for every account they create. We won’t be able to make serious inroads against the spam dilemma as long as: (1) people continue to buy their products; and (2) an excess of cheap labour in developing countries provides grist for the spamming mill.

  15. Pastor Jim · July 18, 2008

    Google seems to be doing a great job of filtering the spam out of my inbox. Zero in the past 11 days! That said, their new account signup is broken and badly, urgently needs to be repaired. I’m sure they are aware and working on it, but they have shown signs of paranoia when challenged on their other foibles. Some folks have begun to forward all of their spam to They have experienced quite a jump. They can’t be happy campers right now!

  16. dualsub2006 · July 18, 2008

    Maybe you should go back and actually read that PDF. I read it and spam from Gmail is lowest in their report at 2.5%. The “probability” that a message you receive through Gmail is spam rose to 27%. BIG DIFFERENCE.

  17. Spammers Choose GMail | Kaizenlog · July 18, 2008

    […] 0. 1. Popularity: unranked [?] Listen to this podcast  Print This Post Tags: Spammers […]

  18. Trash · October 9, 2008

    Spammers should be forced to do 30 seconds of community service for each spam they send, about the time it takes us to delete the crap.

    Personally though I’m all for cutting off their hands. The shear amount of time 1 top spammer wastes of millions of people’s time is unreal. Chop off a few hands and the problem will stop.

  19. Kevin · October 14, 2008

    Pastor Jim nails it. My gmail account does not get spam. Ever. It all ends up in the spam folder and I have never seen a false positive from random checking. My gmail for domains account, however, seems to have the occasional one sneak through every week or so.

  20. David Swarbrick · March 12, 2010

    You miss the point – entirely. It is not that (we) gmail account holders have a good life, but that a huge proportion of spam now originates _from_ gmail accounts. I manage a forum. Well over 50% of spam comes from gmail accounts. I cannot remember seeing a hotmail one.

  21. Paula · March 19, 2010

    I think everyone is missing the point, either that or you are just not picky enough: I don’t get spam. Spam PREVENTION should be the goal, not spam blocking.

    Having said that, I should restate: I don’t get spam to any of my regular, non-gmail accounts. That is because I know how to avoid it. What ticks me off about Googlemail and gmail is somehow spammers have access and I don’t know how they are getting it. It is not enough for me that my spam folder fills up, I want my spam folder to be empty, without filters or blocking or third-party software. Google … DO something about this.

    Rant over.

  22. Sam Smith · August 29, 2011

    Any idea if gmail is still the preferred provider for spammers or did Google manage to deal with it? I personally don’t get much spam from gmail accounts but maybe with other admins it is a different story.

  23. Sumanish Sarkar · September 13, 2011

    What gmail is doing to stop spoofing. Gmail using a process of comparing the sender’s IP with the domain’s IP of sending ID to stop spams. But any one can spam just by registering a second level domain in or in any other dynamic dns service so. Anybody can send spams in gmail by that process.

  24. Emmanuel · June 3, 2012

    Please I can’t send mail in my yahoo account,is jst dat when ever I try to send it, its request for CAPTCHA verification and when I verify it and send it end with error mail not sent, so please I need your help,you can email me with solutions. Thanks.

Leave A Reply