Press "Enter" to skip to content

Big Problem With Google Pages – EDITED

Edits to this article appear at the end (Nov. 4, 2007)
Well, this will stir things up a bit.
A few hours ago Google launched “Google Pages”: If you have a “Gmail”: account you can create your own web site on Google using a very nifty AJAX interface.
The application itself is great, although the standard templates leave something to be desired.
Some of the nicest features:
* An “undo” button
* Ability to add images, links and pages easily
* Testing links while in edit mode
* 100MB of storage
* Simple, memorable URL
You should really try it out. But you might want to *think twice before you hit “publish”.*
See that last feature (simple memorable URLS) is also the greatest weakness of Google Pages and I think it is going to cause a *huge* headache for Gmail users. And *a potential PR nightmare for Google.*

When you hit publish your site goes live at
Nothing wrong with that. In fact it looks like a feature – if you can remember your Gmail address you can remember your “Gpages” address.
The problem is it is now trivial to reverse engineer your Gmail *e-mail address*. If you see a Google Pages site and want to e-mail the author – just replace with
I was all set to tell my kids and my 85 year-old mother (all Gmail users) that they could now post a web page or two super easy, but I’m not going to. I’ve worked very hard to make sure -they’re- their addresses are not easy to find online and with *one click of the publish button Google will make their e-mail addresses available to every stalker, sexual predator, phisher, and spammer out there!*
I suggest you tell those non-technical users you know and care about that they should NOT use Gpages at this time. Right now I’d have to say that Gpages users are just setting themselves up for a whole heap of spam if they decide to post a site.
How long will it take spammers to get Gmail harvesters out in droves searching for URLs that can be converted into valid Gmail addresses?
(Note, if you already published a Googlepages site and are now worried about having exposed your personal information to the world, there is an “unpublish” option that you can use to take down the page.)
I hate to say this but *shame on Google* for not seeing that the bad guys could abuse this new service so easily. Given all the flack they’ve received about Blogger becoming a haven for spammers you would think they’d have learned to build some level of secure thinking into new products from the get-go.
UPDATE (kt – Nov 2007)
We’ve received a number of comments that this article is not correct. Below are the steps on how to actually create an anonymous Googlepage.
When you are logged into your pages account ( with your Google ID, choose “Create a New Site”.
When you are setting up your new site, you will be able to choose a new (anonymous) URL for your pages.


  1. physio
    physio February 23, 2006

    This is a great point! I’m glad somebody brought it up.
    Perhaps users should be able to pick the subdomain they want, within certain limits.

  2. Nir Ben-Dor
    Nir Ben-Dor February 23, 2006

    There is no way Google didn’t notice it. They are probably working on an anti-spam filter which knows how to identify this problem and want people using other email providers to switch to Gmail because of that.
    Nir Ben-Dor
    I read & write @Linkadelic Magazine

  3. samd
    samd February 23, 2006

    “working on an anti-spam filter”
    What good is that to anyone now? They shouldn’t have released it at all (beta or not) with such a clear spam / privacy issue.
    They need to get it changed asap to a name that you could choose yourself. I also thing that is a little long. Could they do ?

  4. T R
    T R February 23, 2006

    How is this any different than if you’re using SBC Yahoo, and you get a webspace? That’s still the same as your e-mail address.

  5. Matt
    Matt February 24, 2006

    Good point. I never thought about this.

  6. antrix
    antrix February 24, 2006

    Hey, thanks for dropping by! Yeah, like I said, phishing could be a serious issue. There’s no way MomNPop Co are hosting their business catalog on this!

  7. Marshall Kirkpatrick
    Marshall Kirkpatrick February 24, 2006

    This is stupid. Gmail already has a great spam filter. I’m not worried about some bot scraping my email off the web, it’s and I put it up everywhere. I get 100+ emails a day in my inbox and MAYBE 2 of them are spam.
    Good spam filters already exist, complaints like this drive me nuts.

  8. Shri
    Shri February 24, 2006

    Some more tid-bits for you… Click here
    And more here
    Your expert comments please.

  9. Dave
    Dave February 24, 2006

    Marshall, you don’t seem to get it, the author isn’t that worried about spam as much as real people emailing kids etc since it’s trivial to get their email address from GPages.

  10. Nick
    Nick February 26, 2006

    you do realize that the site title/URL can be changed in the prefs, right?

  11. Junseok
    Junseok February 27, 2006

    There is no perfection in the world. Therefore there is no perfect spam filter in the universe.

  12. Ken Schafer
    Ken Schafer February 27, 2006

    Hey Nick,
    Do you really see a way to change the URL? I see the setting for changing the Page Title and I see the URL listed below it, but I don’t see any way to edit the URL. If they did this it would create a god-awful mess wouldn’t it. If I chose a site name that was someone else’s username Google would lose the default name when that user first attempts to use the Page Creator.
    If anybody sees a way to change the URL (not just the page title), let me know.

  13. Josh
    Josh February 27, 2006

    Livejournal uses the exact same setup of and “username” @ livejournal . com is the email address of the person who holds the livejournal. With 9,628,741 users, I havent ever heard of any livejournal user getting any massive ammounts of spam.

  14. PhillAholic
    PhillAholic February 27, 2006

    Correct me if I’m wrong, but for Yahoo’s Geocities, doesn’t it default to your account name, which would be the same as your Yahoo e-mail address? It’s been a while since I’ve used it, but I believe that’s the way it was. Which would make this nothing new.

  15. arbyn
    arbyn February 27, 2006

    I totally agree about the spam problem. As a matter of fact earlier today I created a new gmail acct. and published a page with google pagemaker. The only purpose of the page is to track how much spam I get and how quickly the spammers get to using this as a method of getting email addresses. Visit the page to track it with me.

  16. Helen
    Helen February 27, 2006

    Or, you can waste a little more of google’s resources, get a new gmail account, and set up Gpages with that account?

  17. Jesse
    Jesse February 27, 2006

    This is a really good point.
    I person could simply say for example your name is BobSaget. (lol)
    So all a spammer has to do is mass produce a search query and simply remove the http:// since its not required to access the url, and replace “.googlepages” with “@gmail” and, that could add up to tons and tons of emails done at mass quanities.
    Thanks for pointing it out I would not have thought this up!

  18. Ryan - RFD
    Ryan - RFD February 27, 2006

    You’ve been dugg. 🙂

  19. roomba
    roomba February 27, 2006

    Why not just spend the 3 bucks and use your own domain?

    daDSADSASDA February 27, 2006

    yeah you know because spammers dont randomly go through gmail addresses with porn ads and penis pills you idiot
    please stop being an idiot and raising up issues that have no real bearing on anything like the 10 o’clock news

  21. Alfred
    Alfred February 27, 2006

    YEAH PhillAholic is RIGHT! it’s the same with Geocities BUT the fact that this service comes from GOOGLE makes it a total error or BIG PROBLEMS as the title of this post says! Google is growing and so their detractors… this isn’t something new either…

  22. Luis
    Luis February 27, 2006

    I really do not think this is a big problem. Google already have a pretty solid spam filter. I never get a spam email sent to the inbox.

  23. Cameron
    Cameron February 27, 2006

    I’ve had a geocities account for quite a while. Incase you don’t know, they are and I’ve never been spammed because of this. I don’t see it as a problem.

  24. rJonesX
    rJonesX February 27, 2006

    They can get it websites. They can randomly enter millions of potential names. They can buy them in bulk. They can write programs so that guy you emailed 3 years ago about nothing gets infected and gives up your address.
    Honestly, at some point we need to answer the spam question another way.

  25. orphex
    orphex February 27, 2006

    Don’t you think it means something that Google spends a fair amount of time making their spam filters work properly in gmail before they unleash this situation upon themselves? If they are opening themselves up for spam to email addresses they host, they’ve figured out how to prevent this from being a problem. And “sexual predators” is just FUD and you know it. Shame on *you* pal.

  26. W. Andrew Loe III
    W. Andrew Loe III February 27, 2006

    This isn’t really a valid point. Sure they can go and see if its a real page, and then they’ll know they’ve got a real address – but spammers deal in bulk. TONS of addresses. Its easier for them to dictionary attack then it is for them to verify all these individual email addresses. Sure its not the best idea, but it isn’t really that bad when you think of how a spammer operates, besides gmail isn’t the only email service, spammer target everyone – its the nature of the business.

  27. Mark W
    Mark W February 27, 2006

    I wonder if Gmail can recognise when the same spam email has been sent simultaneously to thousands of accounts who all use GooglePages? Surely this is possible using the same indexing technology that identifies duplicate/similar pages in search results. The upside is that this would work as a nice honeypot for identifying spammers so they could further refine Gmail’s anti-spam features.

  28. Derek Hampton
    Derek Hampton February 27, 2006

    I agree w/you on the points and good article but why “shame on Google?” They’re providing a free service. If you don’t like it then don’t use it. If you have feedback then by all means give them the feedback, write an article, let people know and maybe they’ll change it to allow someone to configure the subdomain. But saying “shame on Google” is sort of unfair. Also, the spam filters are excellent but I agree that overall this opens you up to TONS of spam. Also, doesn’t a spammer have to find your site first to spam you? If your site is unless grandma is posting her site all over the place it shouldn’t be an issue. If it’s a site for family then it may not even be found.

    Derek Hampton

  29. meohmy
    meohmy February 27, 2006

    Ummmm, how about opening a gmail account, using it to “publish” a page and don’t use the gmail account for anything, easy solution to a dumb problem.

  30. Daz Honey
    Daz Honey February 27, 2006

    you could just make a separate gmail account for the website and never look at the email for that account.

  31. bc
    bc February 27, 2006

    You have to remember that it would be a moot point to enforce some sort of IP throttling or filter if an IP keeps hitting A spam harvester is going to try a bunch of different addresses, So, just create a filter that dumps traffic or slows it down after X amount of attempts are made to a nonexistant address. And like someone else said, how is this any different than harvesting address from

  32. aihtdikh
    aihtdikh February 27, 2006

    Re: 524 and counting
    My guess is that a spammer’d have to be able to harvest thousands or even hundreds of thousands of emails before it would be worth their while. Isn’t mass-mailing the aim of the game?
    So basically, this means you can’t really publish a googlepage without giving people a way to contact you. Let’s face it, most web pages have a way to contact the author anyway. This just restricts our options as a web author.
    For the record, I have a test googlepage – I’m not really bothered to take it down, even though it’s not very useful. And it seems those 524 pages found don’t include mine.

  33. Meya
    Meya February 27, 2006

    Yeah, as other said, this is *exactly* the same with absolutely any other hosting service… and even if you get your own domain name, spammers will spam you all the same… (even if you don’t use a catchall, you probably defined adresses like postmaster@, hostmaster, webmaster, contact, etc.).
    Someone here wanted some hits and/or don’t know anything about the Web…

  34. scott
    scott February 27, 2006

    It should be noted that even if you ‘unpublish’ the url will still exist, it will just have a Sorry…
    …but that beautiful web page you’re looking for isn’t here yet. Stay tuned!
    Yours, The Google Page Creator Team, message, so once you’ve signed up your email address is out there.

  35. Adam
    Adam February 27, 2006

    Its a free service so stop your bitching about it.
    If you dont like it. Dont use it!

  36. Reed
    Reed February 27, 2006

    Of course, you can have a dud-GMail account just for the GPages. I know I already have at least two GMail accounts, just so I can post the other as a spambox.

  37. TR
    TR February 27, 2006

    Excellent catch. Thanks tons for posting it.

  38. Richard Soderberg
    Richard Soderberg February 27, 2006

    There’s a long history in the email service provider space of associating with In the past, it cost money to purchase a second ‘username’ – sometimes at business rates. Nowadays, a new ‘username’ can be acquired online instantly, free of charge.
    Send a Gmail invite to a bogus email address. Open the ‘Sent Mail’ folder and click the signup link in the invitation email. Select a new ‘username’ to create a Gmail account.
    Once the new Gmail account has been created, you can associated a GPages account with it. This addresses your concerns about publicly available information.
    The ultra-paranoid should be aware that Google most likely retains information about which invitations resulted in Gmail accounts, and who they were from. The method described in the previous paragraph is NOT recommended for those concerned about Google privately retaining such data.

  39. Bunty Gill
    Bunty Gill February 27, 2006

    This was the first thing that came to my mind, when I saw the subdomain=gmailusername thing.
    Oops, Google is goofing a lot these days.

  40. Jimmy Yin
    Jimmy Yin February 27, 2006

    Thanks for the heads up. Great post!

  41. Elliot Lee
    Elliot Lee February 27, 2006

    I disagree. You bring up a good point, and are rightly concerned. However, I do not think that “unpublishing” is the right response. The problem lies with the spammers and scammers. Don’t allow them to stop you from publishing. So what if people can find your email address? Most people use the same (public) username for everything. It would be silly to use different names for everything. Most people’s Gmail addresses are simply firstname.lastname.
    The solution is not to avoid discovery, but to avoid spam. Gmail’s spam filters are good. If GooglePages is abused to send spam and scam emails, Gmail’s spam filters will have to step up the challenge. It is spam blocking and filtering that will solve the problem. Do not hesitate to publish. The world needs to your expertise.

  42. Erik
    Erik March 1, 2006

    You should all note that if you already have a page published or if you already have a GPC account, there is no way you can stop the spammers.
    If you visit a page for an account that doesn’t exist, like, it says “The site you have requested could not be found. (404)” Otherwise, it says:
    …but that beautiful web page you’re looking for isn’t here yet. Stay tuned!
    The Google Page Creator Team
    Is this your page?
    If you’re looking for a page that you created in Google Page Creator, please remember to press the Publish button. We can’t wait to see your pages.”
    Big Problem!

  43. Jeff
    Jeff March 1, 2006

    Your point is valid, however you must still remember this is a beta version. With Google being where it is today, I am more than sure they have already thought of this.

  44. Russ
    Russ March 2, 2006

    grow up. google is providing a service. and a free one at that. don’t use it if you don’t like it.

  45. Kate Trgovac
    Kate Trgovac March 2, 2006

    It’s interesting to see that everyone has jumped on the spam issue, but not on the stalker issue that you’ve raised. This is the one that I think is more serious, especially for kids growing up in a digital age. Sometimes when we choose our email addresses, we use something “anonymous” (e.g. cybergrrrrl) and sometimes we don’t (e.g. kate.trgovac) … but the choice should remain ours and the control over it should remain ours as well.
    My assumption from this post is that your kids likely have a less anonymous email rather than a more anonymous one. So the issue is that Google has now (on some level, intentionally or not) exposed those addresses.
    So there is a question of reaponsibility here … do we assume that email addresses are always at risk and we only have anonymous ones, especially for our kids? Obviously, the level to which we go to cyber-proof our kids also needs to be considered. Regardless, I do think this raises a great point for parents who are trying to keep up/protect their kids on the Internet. Be aware that email addresses may get exposed (or exposure) in ways you didn’t originally consider.
    Oh .. and slightly off topic .. I’m disappointed to see that the tone of a number of these comments is so antagonistic. It’s a good issue, Ken. Thanks for raising it.

  46. Nick
    Nick March 3, 2006

    Ken, my mistake. I’ve been reading up on Google pages that past few days, and saw the “Change Site Title” box on a different article. Since by default the site name is also your username, the author must have drawn the conclusion that changing the title changes the URL. When I saw the screen shot, that conclusion made sense. I did think about that “it’ll make a mess” argument, but what’s simple logic against a (slightly) incorrect caption?
    Since finding this article I’ve been looking around – you’ve got some interesting articles. I’ll be staying around for more!

  47. Worldcoast
    Worldcoast March 8, 2006

    Gmail also provides one of the better spam filters…

Comments are closed.