Spammers hide behind Google’s “I’m feeling lucky” button

Spammers often use clever tricks to disguise the actual link of the site they are trying to fool the recipient into visiting. The latest trick is to construct a Google search link which utilizes Google’s “I’m feeling lucky” feature.

Clicking such a link is identical to manually entering a search query on Google and clicking the “I’m feeling lucky” button. Google will run the query and automatically redirect your web browser to the topmost result matching that query. For a spammer this is quite easily exploited. All he needs to do is construct a Google query which returns the spammer’s site at the top of the results. One way to achieve this is using Google’s inurl search operator. E.g. inurl:E87ABD4CB56 will only return pages which contain E87ABD4CB56 in the address. It shouldn’t be hard for the spammer to come up with something unique.

So why would a spammer do this? Well, some spam filters use addresses in e-mails to determine if they are spam or not. By using Google addresses, some spam filters could get confused because Google is usually a trusted site. For a spam filter which only cares about the host name in the addresses (i.e. www.google.com) this could be a problem. Other spam filters, which look at the entire address, shouldn’t be affected by this trick.
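To make the difference between the two kinds of filter concrete, here is an added example (not code from the original post) that contrasts a host-name-only check with one that inspects the whole address. The sample links are constructed, and it is assumed that the “I’m feeling lucky” redirect is signalled by a `btnI` query parameter on the `/search` path.

```python
from urllib.parse import urlparse, parse_qs

# Hosts a naive filter would trust outright (assumed list for this example).
TRUSTED_HOSTS = {"www.google.com", "google.com"}

# Constructed sample links: a "lucky" redirect built around an opaque
# inurl: token, an ordinary Google search, and a plain spam link.
SAMPLE_LINKS = [
    "http://www.google.com/search?q=inurl%3AE87ABD4CB56&btnI=1",
    "http://www.google.com/search?q=python+tutorial",
    "http://example.test/cheap-pills",
]


def host_only_filter_flags(url: str) -> bool:
    """Naive filter: trusts any link whose host name is Google's."""
    host = (urlparse(url).hostname or "").lower()
    return host not in TRUSTED_HOSTS


def lucky_redirect_query(url: str):
    """Return the search query if the link is a Google 'I'm feeling lucky'
    redirect (assumed to be marked by the btnI parameter), else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_HOSTS or parts.path != "/search":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "btnI" not in params:
        return None
    # The query is the real "destination" the recipient will be sent to.
    return params.get("q", [""])[0]


def full_url_filter_flags(url: str) -> bool:
    """Filter that looks at the entire address: a Google link that merely
    redirects to the top hit for an arbitrary query is not treated as a
    Google link, so it is flagged like any other untrusted address."""
    if lucky_redirect_query(url) is not None:
        return True
    return host_only_filter_flags(url)
```

Logging the extracted query alongside the verdict is useful in practice, since an opaque `inurl:` token that matches exactly one site is a strong indicator of the trick described above.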