Thursday, December 20, 2012

Use Of Google+ For Networking, And Keeping Your Blogger Account And Blogs Safe

One constant activity in Blogger Help Forum: Something Is Broken involves blog owners whose blogs were deleted, either righteously or spuriously, as part of the ongoing battle against spam in Blogger blogs. Generally, the problem comes directly from the blog content.

Sometimes, the problem is more subtle.
When I tried to log in to Blogger, I got a screen that said my account needed to be verified, due to "unusual activity on my account". Having verified my account, I see that my blogs have been deleted.
This is part of one of the more intriguing episodes in the never-ending fight against hacking and spam in Blogger.

Some Blogger blog owners participate in comment based discussions, and provide their email addresses there. Some state their email addresses openly, in the body of the comments, for the world to see when viewing the comments. Others post comments using their Blogger accounts, knowing that the blog owners can see their email address in the comment moderation / notification email messages - and can contact them using email.

Spammers use comment based networking, to their advantage. They subscribe to any comment thread, using the "Notify me" option - then wait while blog readers comment using their Blogger accounts. As the email comes in, from blog readers commenting, they scrape the email addresses from the email content. Since most people commenting either openly state their blog URLs in the comment bodies - or link to a list of their blogs - the spammer now has two essential ingredients, to be used for hacking someone's Blogger account, and gaining control of the blogs owned by the account.

Google now provides Google+, where we can network with a designated audience, and avoid spam in our email. Using Google+, our email addresses are not revealed, and spammers have less incentive to use Google+ for email address harvesting. This protects our Blogger accounts and blogs against hacking, and relieves us from email based spam.

For people who update their Blogger accounts to use Google+ based profiles, but continue to network using Blogger comments, Blogger now protects us by using anonymous email addresses in all comment generated email. This leaves people who continue to comment, using Blogger accounts with native Blogger profiles, vulnerable to ongoing email address harvesting, and account hacking.

Blogger account hacking, using email addresses harvested from Blogger blog comments, will typically involve brute force password guessing. Blogger, detecting brute force attempts against a vulnerable Blogger account, will lock the account and the blogs. Once we verify ownership of our Blogger account - and hopefully change the Blogger account password to something less vulnerable to guessing - the blogs owned by a possibly compromised account remain locked, until they can be examined for signs of tampering, by Google security / spam analysts.

We also must consider the possibility that not all brute force password guessing attacks are being detected by Google - and some Blogger accounts are being deviously, and temporarily, hijacked.

People who set up Blogger accounts based on bogus email addresses - or who have accounts based on old email addresses which they can't use - continue to present a challenge here. These people will never receive essential email advising them of a problem in verifying either their Blogger account or their blogs. This will continue to make our initial spam lock advice relevant.
Can you log in to Blogger? Do you have a dashboard link "Deleted blogs"? That's where you start.

You wait 24 to 48 hours after submitting a Restore request - then you post back here, and we take the next step.


1 comment:

Paul Dooley said...

In the last few weeks I've been on G+ my nevertheless blog has received twice the number of anonymous emailed comments than before I joined it. So how much longer do you think it will be before this security fence comes about?