Edits to this article appear at the end (Nov. 4, 2007)
Well, this will stir things up a bit.
A few hours ago Google launched “Google Pages”:http://pages.google.com/. If you have a “Gmail”:http://mail.google.com/ account you can create your own web site on Google using a very nifty AJAX interface.
The application itself is great, although the standard templates leave something to be desired.
Some of the nicest features:
* An “undo” button
* Ability to add images, links and pages easily
* Testing links while in edit mode
* 100MB of storage
* Simple, memorable URL
You should really try it out. But you might want to *think twice before you hit “publish”.*
See, that last feature (simple, memorable URLs) is also the greatest weakness of Google Pages, and I think it is going to cause a *huge* headache for Gmail users. And *a potential PR nightmare for Google.*
Why?
When you hit publish your site goes live at username.googlepages.com.
Nothing wrong with that. In fact it looks like a feature – if you can remember your Gmail address you can remember your “Gpages” address.
The problem is it is now trivial to reverse engineer your Gmail *e-mail address*. If you see a Google Pages site and want to e-mail the author – just replace googlepages.com with gmail.com.
I was all set to tell my kids and my 85-year-old mother (all Gmail users) that they could now post a web page or two super easy, but I’m not going to. I’ve worked very hard to make sure -they’re- their addresses are not easy to find online and with *one click of the publish button Google will make their e-mail addresses available to every stalker, sexual predator, phisher, and spammer out there!*
I suggest you tell those non-technical users you know and care about that they should NOT use Gpages at this time. Right now I’d have to say that Gpages users are just setting themselves up for a whole heap of spam if they decide to post a site.
How long will it take spammers to get Gmail harvesters out in droves searching for URLs that can be converted into valid Gmail addresses?
(Note, if you already published a Googlepages site and are now worried about having exposed your personal information to the world, there is an “unpublish” option that you can use to take down the page.)
I hate to say this but *shame on Google* for not seeing that the bad guys could abuse this new service so easily. Given all the flak they’ve received about Blogger becoming a haven for spammers you would think they’d have learned to build some level of secure thinking into new products from the get-go.
UPDATE (kt – Nov 2007)
We’ve received a number of comments that this article is not correct. Below are the steps on how to actually create an anonymous Googlepage.
When you are logged into your pages account (pages.google.com) with your Google ID, choose “Create a New Site”.
When you are setting up your new site, you will be able to choose a new (anonymous) URL for your pages.
49 Comments
This is a great point! I’m glad somebody brought it up.
Perhaps users should be able to pick the subdomain they want, within certain limits.
There is no way Google didn’t notice it. They are probably working on an anti-spam filter which knows how to identify this problem and want people using other email providers to switch to Gmail because of that.
Nir Ben-Dor
I read & write @Linkadelic Magazine
“working on an anti-spam filter”
What good is that to anyone now? They shouldn’t have released it at all (beta or not) with such a clear spam / privacy issue.
They need to get it changed asap to a name that you could choose yourself. I also think that .googlepages.com is a little long. Could they do .gpages.com ?
How is this any different than if you’re using SBC Yahoo, and you get a http://www.sbcglobal.net/~username webspace? That’s still the same as your e-mail address.
Good point. I never thought about this.
Hey, thanks for dropping by! Yeah, like I said, phishing could be a serious issue. There’s no way MomNPop Co are hosting their business catalog on this!
This is stupid. Gmail already has a great spam filter. I’m not worried about some bot scraping my email off the web, it’s emailmarshall@gmail.com and I put it up everywhere. I get 100+ emails a day in my inbox and MAYBE 2 of them are spam.
Good spam filters already exist, complaints like this drive me nuts.
Some more tid-bits for you… Click here
And more here…
Your expert comments please.
Regards,
Shri.
Marshall, you don’t seem to get it, the author isn’t that worried about spam as much as real people emailing kids etc since it’s trivial to get their email address from GPages.
you do realize that the site title/URL can be changed in the prefs, right?
There is no perfection in the world. Therefore there is no perfect spam filter in the universe.
Hey Nick,
Do you really see a way to change the URL? I see the setting for changing the Page Title and I see the URL listed below it, but I don’t see any way to edit the URL. If they did this it would create a god-awful mess wouldn’t it. If I chose a site name that was someone else’s username Google would lose the default name when that user first attempts to use the Page Creator.
If anybody sees a way to change the URL (not just the page title), let me know.
Livejournal uses the exact same setup of username.livejournal.com and “username” @ livejournal . com is the email address of the person who holds the livejournal. With 9,628,741 users, I haven’t ever heard of any livejournal user getting any massive amounts of spam.
Correct me if I’m wrong, but for Yahoo’s Geocities, doesn’t it default to your account name, which would be the same as your Yahoo e-mail address? It’s been a while since I’ve used it, but I believe that’s the way it was. Which would make this nothing new.
I totally agree about the spam problem. As a matter of fact earlier today I created a new gmail acct. and published a page with google pagemaker. The only purpose of the page is to track how much spam I get and how quickly the spammers get to using this as a method of getting email addresses. Visit the page to track it with me.
http://arbyntest.googlepages.com/home
Or, you can waste a little more of google’s resources, get a new gmail account, and set up Gpages with that account?
This is a really good point.
A person could simply say for example your name is BobSaget. (lol)
So http://bobsaget.googlepages.com all a spammer has to do is mass produce a search query and simply remove the http:// since it’s not required to access the url, and replace “.googlepages” with “@gmail” and bobsaget@gmail.com, that could add up to tons and tons of emails done at mass quantities.
Thanks for pointing it out I would not have thought this up!
You’ve been dugg. 🙂
Why not just spend the 3 bucks and use your own domain?
yeah you know because spammers don’t randomly go through gmail addresses with porn ads and penis pills you idiot
please stop being an idiot and raising up issues that have no real bearing on anything like the 10 o’clock news
YEAH PhillAholic is RIGHT! it’s the same with Geocities BUT the fact that this service comes from GOOGLE makes it a total error or BIG PROBLEMS as the title of this post says! Google is growing and so their detractors… this isn’t something new either…
I really do not think this is a big problem. Google already have a pretty solid spam filter. I never get a spam email sent to the inbox.
I’ve had a geocities account for quite a while. In case you don’t know, they are geocities.com/username and I’ve never been spammed because of this. I don’t see it as a problem.
They can get it from websites. They can randomly enter millions of potential names. They can buy them in bulk. They can write programs so that guy you emailed 3 years ago about nothing gets infected and gives up your address.
Honestly, at some point we need to answer the spam question another way.
Don’t you think it means something that Google spends a fair amount of time making their spam filters work properly in gmail before they unleash this situation upon themselves? If they are opening themselves up for spam to email addresses they host, they’ve figured out how to prevent this from being a problem. And “sexual predators” is just FUD and you know it. Shame on *you* pal.
This isn’t really a valid point. Sure they can go and see if it’s a real page, and then they’ll know they’ve got a real address – but spammers deal in bulk. TONS of addresses. It’s easier for them to dictionary attack than it is for them to verify all these individual email addresses. Sure it’s not the best idea, but it isn’t really that bad when you think of how a spammer operates, besides gmail isn’t the only email service, spammers target everyone – it’s the nature of the business.
I wonder if Gmail can recognise when the same spam email has been sent simultaneously to thousands of accounts who all use GooglePages? Surely this is possible using the same indexing technology that identifies duplicate/similar pages in search results. The upside is that this would work as a nice honeypot for identifying spammers so they could further refine Gmail’s anti-spam features.
I agree w/you on the points and good article but why “shame on Google?” They’re providing a free service. If you don’t like it then don’t use it. If you have feedback then by all means give them the feedback, write an article, let people know and maybe they’ll change it to allow someone to configure the subdomain. But saying “shame on Google” is sort of unfair. Also, the spam filters are excellent but I agree that overall this opens you up to TONS of spam. Also, doesn’t a spammer have to find your site first to spam you? If your site is grandmajones.googlepages.com unless grandma is posting her site all over the place it shouldn’t be an issue. If it’s a site for family then it may not even be found.
—
Derek Hampton
SouthBeachCasa
http://www.southbeachcasa.com
Ummmm, how about opening a gmail account, using it to “publish” a page and don’t use the gmail account for anything, easy solution to a dumb problem.
you could just make a separate gmail account for the website and never look at the email for that account.
http://www.google.com/search?q=inurl:googlepages.com&hl=en&lr=&client=safari&rls=en&start=0&sa=N
524 e-mails and counting.
You have to remember that it would be a moot point to enforce some sort of IP throttling or filter if an IP keeps hitting googlepages.com. A spam harvester is going to try a bunch of different addresses, xyz.googlepages.com. So, just create a filter that dumps traffic or slows it down after X amount of attempts are made to a nonexistent address. And like someone else said, how is this any different than harvesting addresses from http://www.comcast.com/~username?
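The filter suggested in the comment above, sketched from the hosting side as an added example (it is not part of the original post or of any Google code). The class name, the threshold and window values, the log tuple layout and the `pages.example` hostnames are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed look-back window
MAX_MISSES = 3       # the "X" from the comment; the value is an assumption

# Constructed sample log: (unix_time, client_ip, requested_host, http_status).
SAMPLE_LOG = [
    (0, "203.0.113.20", "grandma.pages.example", 404),   # visitor typo
    (2, "203.0.113.20", "grandma.pages.example", 404),   # same typo retried
    (5, "203.0.113.20", "grandmaj.pages.example", 200),
    (10, "198.51.100.7", "aaa.pages.example", 404),
    (11, "198.51.100.7", "aab.pages.example", 404),
    (12, "198.51.100.7", "AAC.pages.example", 404),      # hostnames ignore case
    (13, "198.51.100.7", "aad.pages.example", 200),      # existing site
    (14, "198.51.100.7", "aae.pages.example", 404),
    (120, "198.51.100.7", "aaf.pages.example", 404),     # window has expired
]


class MissThrottle:
    """Flag clients that requested too many distinct nonexistent sites."""

    def __init__(self, max_misses=MAX_MISSES, window=WINDOW_SECONDS):
        self.max_misses = max_misses
        self.window = window
        self._misses = defaultdict(deque)  # ip -> deque of (ts, host)

    def observe(self, ts, ip, host, status):
        """Return True if this request should be dropped or delayed."""
        misses = self._misses[ip]
        # Forget misses that fell out of the look-back window.
        while misses and ts - misses[0][0] > self.window:
            misses.popleft()
        # Decide before recording: throttle once X misses are already on file.
        # This applies to every request, since letting hits through at full
        # speed would still tell the client which names exist.
        throttled = len(misses) >= self.max_misses
        host = host.lower()
        # Count each nonexistent host once, so one retried typo is one miss.
        if status == 404 and all(h != host for _, h in misses):
            misses.append((ts, host))
        return throttled


def throttled_requests(log):
    """Replay a log and list the (ts, ip, host) entries that get throttled."""
    throttle = MissThrottle()
    return [(ts, ip, host) for ts, ip, host, status in log
            if throttle.observe(ts, ip, host, status)]
```

Counting per client address does not catch probing that is spread across many addresses, so a filter like this complements, rather than replaces, letting users choose a site name unrelated to their mailbox.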
Re: 524 and counting
My guess is that a spammer’d have to be able to harvest thousands or even hundreds of thousands of emails before it would be worth their while. Isn’t mass-mailing the aim of the game?
So basically, this means you can’t really publish a googlepage without giving people a way to contact you. Let’s face it, most web pages have a way to contact the author anyway. This just restricts our options as a web author.
For the record, I have a test googlepage – I’m not really bothered to take it down, even though it’s not very useful. And it seems those 524 pages found don’t include mine.
Yeah, as others said, this is *exactly* the same with absolutely any other hosting service… and even if you get your own domain name, spammers will spam you all the same… (even if you don’t use a catchall, you probably defined addresses like postmaster@, hostmaster, webmaster, contact, etc.).
Someone here wanted some hits and/or doesn’t know anything about the Web…
It should be noted that even if you ‘unpublish’ the url username.googlepages.com will still exist, it will just have a “Sorry… …but that beautiful web page you’re looking for isn’t here yet. Stay tuned! Yours, The Google Page Creator Team” message, so once you’ve signed up your email address is out there.
It’s a free service so stop your bitching about it.
If you don’t like it. Don’t use it!
Simple.
Of course, you can have a dud-GMail account just for the GPages. I know I already have at least two GMail accounts, just so I can post the other as a spambox.
Excellent catch. Thanks tons for posting it.
There’s a long history in the email service provider space of associating http://www.somewhere.com/~username/ with username@somewhere.com. In the past, it cost money to purchase a second ‘username’ – sometimes at business rates. Nowadays, a new ‘username’ can be acquired online instantly, free of charge.
Send a Gmail invite to a bogus email address. Open the ‘Sent Mail’ folder and click the signup link in the invitation email. Select a new ‘username’ to create a Gmail account.
Once the new Gmail account has been created, you can associate a GPages account with it. This addresses your concerns about publicly available information.
The ultra-paranoid should be aware that Google most likely retains information about which invitations resulted in Gmail accounts, and who they were from. The method described in the previous paragraph is NOT recommended for those concerned about Google privately retaining such data.
This was the first thing that came to my mind, when I saw the subdomain=gmailusername thing.
Oops, Google is goofing a lot these days.
Yeah, http://www.google.com/pages/239082/23897/1283723h8hfuehbner.html is MUCH better.
*rolls eyes*
this is why email programs have spam filtering.
Thanks for the heads up. Great post!
I disagree. You bring up a good point, and are rightly concerned. However, I do not think that “unpublishing” is the right response. The problem lies with the spammers and scammers. Don’t allow them to stop you from publishing. So what if people can find your email address? Most people use the same (public) username for everything. It would be silly to use different names for everything. Most people’s Gmail addresses are simply firstname.lastname.
The solution is not to avoid discovery, but to avoid spam. Gmail’s spam filters are good. If GooglePages is abused to send spam and scam emails, Gmail’s spam filters will have to step up to the challenge. It is spam blocking and filtering that will solve the problem. Do not hesitate to publish. The world needs your expertise.
You should all note that if you already have a page published or if you already have a GPC account, there is no way you can stop the spammers.
If you visit a page for an account that doesn’t exist, like fafhdafdahl.googlepages.com, it says “The site you have requested could not be found. (404)” Otherwise, it says:
“Sorry…
…but that beautiful web page you’re looking for isn’t here yet. Stay tuned!
Yours,
The Google Page Creator Team
Is this your page?
If you’re looking for a page that you created in Google Page Creator, please remember to press the Publish button. We can’t wait to see your pages.”
Big Problem!
Your point is valid, however you must still remember this is a beta version. With Google being where it is today, I am more than sure they have already thought of this.
grow up. google is providing a service. and a free one at that. don’t use it if you don’t like it.
It’s interesting to see that everyone has jumped on the spam issue, but not on the stalker issue that you’ve raised. This is the one that I think is more serious, especially for kids growing up in a digital age. Sometimes when we choose our email addresses, we use something “anonymous” (e.g. cybergrrrrl) and sometimes we don’t (e.g. kate.trgovac) … but the choice should remain ours and the control over it should remain ours as well.
My assumption from this post is that your kids likely have a less anonymous email rather than a more anonymous one. So the issue is that Google has now (on some level, intentionally or not) exposed those addresses.
So there is a question of responsibility here … do we assume that email addresses are always at risk and we only have anonymous ones, especially for our kids? Obviously, the level to which we go to cyber-proof our kids also needs to be considered. Regardless, I do think this raises a great point for parents who are trying to keep up/protect their kids on the Internet. Be aware that email addresses may get exposed (or exposure) in ways you didn’t originally consider.
Oh .. and slightly off topic .. I’m disappointed to see that the tone of a number of these comments is so antagonistic. It’s a good issue, Ken. Thanks for raising it.
Ken, my mistake. I’ve been reading up on Google pages the past few days, and saw the “Change Site Title” box on a different article. Since by default the site name is also your username, the author must have drawn the conclusion that changing the title changes the URL. When I saw the screen shot, that conclusion made sense. I did think about that “it’ll make a mess” argument, but what’s simple logic against a (slightly) incorrect caption?
Since finding this article I’ve been looking around – you’ve got some interesting articles. I’ll be staying around for more!
Gmail also provides one of the better spam filters…