The default tracking domain for Google Apps users was listed as “deceptive” by Google over the weekend

The default tracking domain that GMass uses for open-tracking, click-tracking, and the unsubscribe link for Google Apps users, gm.ag, was deemed suspicious by Google for a period of about 36 hours this past weekend. The domain has since been cleared and is now functioning properly, but there are some points to consider.

On Friday morning, May 27, several users reported that the domain gm.ag was redirecting to a “Deceptive site ahead” phishing warning page.

For GMass Google Apps users, gm.ag is the domain that is used inside your email campaigns to make open tracking, click tracking, and the unsubscribe link work. A different domain is used for regular Gmail accounts, so this particular issue only applies to Google Apps users.

What does this mean?

It means that during the time that Google had gm.ag listed as suspicious, some links to gm.ag would take the recipient to the “Deceptive site ahead” page instead of the actual URL. For GMass users, that means that click-tracked links and unsubscribe links in email campaigns may result in your recipient being taken to this page instead of the intended page. From the “Deceptive site ahead” page, the user does have the option to proceed to the final URL.

The issue was temporary, and Google removed gm.ag from the suspect list as of Saturday evening, May 28.

As soon as we became aware of the issue, we took two steps:

  1. We disabled the redirects from gm.ag to the specific phishing site in question and reported the corrective action to Google.
  2. We switched the default tracking domain for Google Apps users from gm.ag to www.gmss3.net. This means that all campaigns sent after we made the switch use www.gmss3.net, but campaigns sent before the change still contain links that include gm.ag, so their recipients are still clicking gm.ag links.

Why did this happen?

It happened because a single user, a phisher, used GMass to send a scammy email and activated click-tracking to obfuscate the destination URL. The destination URL, which Google determined was a phishing site, has since been removed from the Internet.

Why did GMass allow this phisher to use GMass?

GMass is not a traditional Email Service Provider like MailChimp or JangoMail, where a team of people approves and rejects accounts based on the user’s information. GMass is a fully automated system, and we intentionally do not police our users because:

  1. We rely on Gmail’s own spam detection mechanisms to terminate users that are abusing GMass, and therefore abusing Gmail.
  2. We could never build a better abuse detection system than Gmail already has. Gmail has been doing this for much longer than we have and has access to much more data than we do to make decisions as to whether accounts are legitimate or abusive.

I consider this one of the great benefits of GMass. For you, the user, you get the world’s highest deliverability because your emails are being sent from Gmail’s email servers. For me, as an operator of an email marketing service, I don’t have to employ people to police users and approve/reject accounts.

What does this mean for me, a legitimate user?

It means you should isolate yourself from the behavior of other users, and there’s only one step you need to take to do so: set up your OWN tracking domain to be used in the open tracking, click tracking, and unsubscribe links. That way, instead of gm.ag appearing, your own domain will appear. Your own tracking domain can be a sub-domain of your organization’s domain. Click here to get started.
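
A check you can run after configuring your own tracking domain, to confirm that a campaign's links and open pixel no longer reference the shared domains named in this post. This is an added example, not GMass code; `track.example.com`, the URL paths, and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shared default tracking domains named in this post.
SHARED_TRACKING_HOSTS = {"gm.ag", "www.gmss3.net"}

class _LinkCollector(HTMLParser):
    """Collect <a href> (click/unsubscribe links) and <img src> (open pixel)."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "img": "src"}.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value.strip())

def _host(url):
    """Lower-cased hostname without a trailing dot; "" for mailto: or relative URLs."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def audit_tracking_hosts(html_body, own_tracking_host):
    """Bucket every link/pixel URL in an email body as own, shared, or other."""
    collector = _LinkCollector()
    collector.feed(html_body)
    own = own_tracking_host.rstrip(".").lower()
    report = {"own": [], "shared": [], "other": []}
    for url in collector.urls:
        host = _host(url)
        if not host:
            continue  # no hostname to classify
        bucket = "own" if host == own else "shared" if host in SHARED_TRACKING_HOSTS else "other"
        report[bucket].append(url)
    return report

# Constructed sample body; hosts other than the shared ones are placeholders.
SAMPLE = """
<p>Hello <a href="https://track.example.com/c/abc">our offer</a></p>
<p><a href="HTTP://GM.AG/c/def">old link</a> <a href="mailto:me@example.com">mail</a></p>
<p><a href="https://www.gmss3.net./u/ghi">unsubscribe</a></p>
<img src="//gm.ag/o/jkl" width="1" height="1">
<a href="https://example.org/page">untracked</a>
"""

if __name__ == "__main__":
    print(audit_tracking_hosts(SAMPLE, "track.example.com"))
```

Any URL left in the `shared` bucket still depends on the reputation of a domain that other senders also use.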

What about IP addresses? Do I need to make sure GMass’s sending IPs aren’t blacklisted?

No. GMass is built on top of Gmail, and all emails are sent from our users’ own Gmail accounts. That means that the emails are sent from Gmail’s own IP addresses, which are the highest deliverability IP addresses in the world. GMass is again different from a traditional ESP in this regard. A traditional ESP like MailChimp or JangoMail maintains its own sending servers and therefore its own IP addresses. They must police their users to keep their IP addresses clean. Because GMass is built on top of Gmail, however, we rely on Gmail to kick spammers off their network to keep their IP addresses clean, and they do an excellent job of this.

3 Replies to “The default tracking domain for Google Apps users was listed as “deceptive” by Google over the weekend”

  1. Rajeev Srivastava

    We are getting this error "Your mass email has NOT been processed by GMass. Error details: You have at least one link that has already been click-tracked for a specific email address. Modify the link so that it links to the final destination URL, not the click-tracked URL." Please help how to solve this issue.
